[PATCH] D129745: Fix a stack overflow in ScalarEvolution.
Johannes Reifferscheid via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Jul 14 02:06:32 PDT 2022
jreiffers created this revision.
jreiffers added a reviewer: bkramer.
Herald added subscribers: javed.absar, hiraditya.
Herald added a project: All.
jreiffers requested review of this revision.
Herald added a project: LLVM.
Herald added a subscriber: llvm-commits.
Unfortunately, this overflow is extremely hard to reproduce reliably (in fact, I was unable to do so). The issue is that:
- getOperandsToCreate sometimes skips creating an SCEV for the LHS
- then, createSCEV is called for the BinaryOp
- ... which calls getNoWrapFlagsFromUB
- ... which under certain circumstances calls isSCEVExprNeverPoison
- ... which under certain circumstances requires the SCEVs of all operands
For certain deep dependency trees, this causes a stack overflow.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D129745
Files:
llvm/lib/Analysis/ScalarEvolution.cpp
Index: llvm/lib/Analysis/ScalarEvolution.cpp
===================================================================
--- llvm/lib/Analysis/ScalarEvolution.cpp
+++ llvm/lib/Analysis/ScalarEvolution.cpp
@@ -7240,7 +7240,8 @@
if (auto BO = MatchBinaryOp(U, DT)) {
bool IsConstArg = isa<ConstantInt>(BO->RHS);
switch (U->getOpcode()) {
- case Instruction::Add: {
+ case Instruction::Add:
+ case Instruction::Mul: {
// For additions and multiplications, traverse add/mul chains for which we
// can potentially create a single SCEV, to reduce the number of
// get{Add,Mul}Expr calls.
@@ -7253,30 +7254,24 @@
}
Ops.push_back(BO->RHS);
auto NewBO = MatchBinaryOp(BO->LHS, DT);
- if (!NewBO || (NewBO->Opcode != Instruction::Add &&
- NewBO->Opcode != Instruction::Sub)) {
+ if (!NewBO ||
+ (U->getOpcode() == Instruction::Add &&
+ (NewBO->Opcode != Instruction::Add &&
+ NewBO->Opcode != Instruction::Sub)) ||
+ (U->getOpcode() == Instruction::Mul &&
+ NewBO->Opcode != Instruction::Mul)) {
Ops.push_back(BO->LHS);
break;
}
- BO = NewBO;
- } while (true);
- return nullptr;
- }
-
- case Instruction::Mul: {
- do {
- if (BO->Op) {
- if (BO->Op != V && getExistingSCEV(BO->Op)) {
- Ops.push_back(BO->Op);
+ // CreateSCEV calls getNoWrapFlagsFromUB, which under certain conditions
+ // requires a SCEV for the LHS.
+ if (NewBO->Op && (NewBO->IsNSW || NewBO->IsNUW)) {
+ if (auto *I = dyn_cast<Instruction>(NewBO->Op);
+ I && programUndefinedIfPoison(I)) {
+ Ops.push_back(BO->LHS);
break;
}
}
- Ops.push_back(BO->RHS);
- auto NewBO = MatchBinaryOp(BO->LHS, DT);
- if (!NewBO || NewBO->Opcode != Instruction::Mul) {
- Ops.push_back(BO->LHS);
- break;
- }
BO = NewBO;
} while (true);
return nullptr;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D129745.444563.patch
Type: text/x-patch
Size: 2089 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20220714/68cc8de5/attachment.bin>
More information about the llvm-commits
mailing list