[PATCH] D44232: [SimplifyCFG] Create attribute to disable select formation.
Matt Morehouse via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Mar 8 11:03:27 PST 2018
morehouse added a comment.
In https://reviews.llvm.org/D44232#1031682, @hfinkel wrote:
> Shouldn't be too much work. Just turn the logic in CodeGenPrepare::optimizeSelectInst into a utility function, add an aggressive mode, and call it.
Well that's easier than I thought. Thanks for the insight.
> I took a quick look at the bug report, but I'm still not exactly sure what's going on. Can you explain? Is the problem that the coverage instrumentation looks at the arguments to a comparison, somehow, but doesn't look through boolean operations?
The coverage instrumentation passes both arguments of every comparison to a `__sanitizer_cov_trace[_const]_cmp` callback. The callbacks are implemented in libFuzzer. libFuzzer uses a simple (but effective) heuristic that searches the program input for either argument to the comparison and then mutates matches to be close (-1, ==, or +1) to the other argument.
In the bug report, if `x > 16 && x < 32` had been translated into a comparison with 16 and a comparison with 32, and if `x` were found in the program input, libFuzzer would be able to quickly find `x==17` or `x==31` to take the true branch. But instead, `x > 16 && x < 32` is translated to a single unsigned comparison between `x - 17` and 15, thereby defeating our heuristic.
https://reviews.llvm.org/D44232
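The mechanism described in the comment above, as an added illustration that is not part of the review thread and is not libFuzzer or LLVM code. It models the `x > 16 && x < 32` case from the bug report: `trace_cmp4` is a hypothetical stand-in for the `__sanitizer_cov_trace_cmp4` hook that records both operands, `in_range_two_cmps` is the source-level shape with two comparisons, `in_range_folded` is the assumed post-optimization shape (`x - 17` compared unsigned against 15), and `solve_with_cmp_trace` is a deliberately simplified version of the operand-matching heuristic (search the input for a traced operand, try the other operand -1, ==, +1). The input is modelled as a single 32-bit value rather than a byte buffer, and the exact folded IR is taken from the comment, not from a compiler run.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not libFuzzer/LLVM code: a comparison "hook" records
 * both operands the way __sanitizer_cov_trace_cmp4 would see them, and a toy
 * version of the operand-matching heuristic tries to flip the branch. */

#define MAX_TRACE 8
typedef struct { uint32_t a, b; } cmp_rec;
static cmp_rec g_trace[MAX_TRACE];
static int g_ntrace;

/* Hypothetical stand-in for the __sanitizer_cov_trace_cmp4 hook. */
static void trace_cmp4(uint32_t a, uint32_t b) {
    if (g_ntrace < MAX_TRACE) g_trace[g_ntrace++] = (cmp_rec){a, b};
}

/* Source-level shape of `x > 16 && x < 32`: two comparisons, each exposing a
 * constant (16, then 32) to the hook. */
static bool in_range_two_cmps(uint32_t x) {
    trace_cmp4(x, 16);
    if (!(x > 16)) return false;
    trace_cmp4(x, 32);
    return x < 32;
}

/* Assumed shape after the range check is folded: one unsigned comparison of
 * `x - 17` against 15. Same result for every x, but neither 16 nor 32 reaches
 * the hook, and the left operand no longer equals the input. */
static bool in_range_folded(uint32_t x) {
    uint32_t t = x - 17;        /* wraps around for x < 17 */
    trace_cmp4(t, 15);
    return t < 15;
}

/* Toy heuristic: run the target on the current input `x`; for every traced
 * comparison that has the input as one operand, try the other operand -1, ==,
 * and +1 as new inputs. Returns an input that takes the true branch, or -1. */
static int64_t solve_with_cmp_trace(bool (*target)(uint32_t), uint32_t x) {
    g_ntrace = 0;
    if (target(x)) return x;

    /* Snapshot the trace before re-running the target with candidates. */
    cmp_rec recs[MAX_TRACE];
    int n = g_ntrace;
    for (int i = 0; i < n; i++) recs[i] = g_trace[i];

    for (int i = 0; i < n; i++) {
        uint32_t other;
        if (recs[i].a == x)      other = recs[i].b;
        else if (recs[i].b == x) other = recs[i].a;
        else continue;           /* operand not found in the input: nothing to mutate */
        uint32_t cands[3] = { other - 1, other, other + 1 };
        for (int k = 0; k < 3; k++) {
            g_ntrace = 0;
            if (target(cands[k])) return cands[k];
        }
    }
    return -1;
}

int main(void) {
    /* Starting from input 0, the two-comparison form is solved (17); the folded form is not (-1). */
    printf("two cmps: %lld\n", (long long)solve_with_cmp_trace(in_range_two_cmps, 0));
    printf("folded:   %lld\n", (long long)solve_with_cmp_trace(in_range_folded, 0));
    return 0;
}
```

Starting from input 0, the two-comparison form traces `(0, 16)`, the input matches the left operand, and the candidate 17 takes the true branch on the first try. The folded form traces `(0xFFFFFFEF, 15)`: neither operand equals the input, so the heuristic has nothing to mutate, which is the behaviour the comment describes.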