[PATCH] D44232: [SimplifyCFG] Create attribute to disable select formation.

Hal Finkel via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Mar 8 10:40:32 PST 2018


hfinkel added a comment.

In https://reviews.llvm.org/D44232#1031642, @morehouse wrote:

> In https://reviews.llvm.org/D44232#1031563, @hfinkel wrote:
>
> > Another question: Do we actually want to disable select formation, or, do we want to expand all selects into control flow late in the pipeline (i.e., during instruction selection)? The issue here, as I understand it, is that fuzzing depends on control flow paths to differentiate executions. As a result, we really just don't want to have any selects (we don't want ones that the frontend might generate either).
>
>
> I don't think we could do it during instruction selection, since SanitizerCoverage instrumentation is inserted before that.  But if we could expand selects right before the SanitizerCoverage instrumentation happens (maybe even during the SanitizerCoverage pass?), that would provide even better coverage signal for fuzzing.  Of course, that would be significantly more work.


Shouldn't be too much work. Just turn the logic in CodeGenPrepare::optimizeSelectInst into a utility function, add an aggressive mode, and call it.

> Another concern comes from https://github.com/google/sanitizers/issues/893#issuecomment-350036791, where simplifyCFG takes two conditions and combines them into a single CMP, resulting in libFuzzer's TraceCMP heuristic becoming useless.  So we would probably still want to disable part of simplifyCFG to avoid that.

I took a quick look at the bug report, but I'm still not exactly sure what's going on. Can you explain? Is the problem that the coverage instrumentation looks at the arguments to a comparison, somehow, but doesn't look through boolean operations?


https://reviews.llvm.org/D44232