[llvm] Reland "[SimplifyCFG] Check if the return instruction causes undefined behavior" (PR #76656)
Quentin Dian via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 22 21:13:15 PST 2024
https://github.com/DianQK updated https://github.com/llvm/llvm-project/pull/76656
>From fa56ca0643f53d47822aedb1804529aea7738435 Mon Sep 17 00:00:00 2001
From: DianQK <dianqk at dianqk.net>
Date: Sun, 31 Dec 2023 19:55:53 +0800
Subject: [PATCH 1/2] Reland "[SimplifyCFG] Check if the return instruction
causes undefined behavior"
This relands commit b6a0be8ce3114d0c57e7a7d6c3c222986ca506ad.
Return undefined to a noundef return value is undefined.
Example:
```
define noundef i32 @test_ret_noundef(i1 %cond) {
entry:
br i1 %cond, label %bb1, label %bb2
bb1:
br label %bb2
bb2:
%r = phi i32 [ undef, %entry ], [ 1, %bb1 ]
ret i32 %r
}
```
---
llvm/lib/Transforms/Utils/SimplifyCFG.cpp | 14 ++
.../unreachable-eliminate-on-ret.ll | 122 ++++++++++++++++++
2 files changed, 136 insertions(+)
create mode 100644 llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll
diff --git a/llvm/lib/Transforms/Utils/SimplifyCFG.cpp b/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
index f3994b6cc39fef..c54b2208e797ee 100644
--- a/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
+++ b/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
@@ -7391,6 +7391,20 @@ static bool passingValueIsAlwaysUndefined(Value *V, Instruction *I, bool PtrValu
return passingValueIsAlwaysUndefined(V, GEP, PtrValueMayBeModified);
}
+ // Look through return.
+ if (ReturnInst *Ret = dyn_cast<ReturnInst>(Use)) {
+ bool HasNoUndefAttr =
+ Ret->getFunction()->hasRetAttribute(Attribute::NoUndef);
+ // Return undefined to a noundef return value is undefined.
+ if (isa<UndefValue>(C) && HasNoUndefAttr)
+ return true;
+ // Return null to a nonnull+noundef return value is undefined.
+ if (C->isNullValue() && HasNoUndefAttr &&
+ Ret->getFunction()->hasRetAttribute(Attribute::NonNull)) {
+ return !PtrValueMayBeModified;
+ }
+ }
+
// Look through bitcasts.
if (BitCastInst *BC = dyn_cast<BitCastInst>(Use))
return passingValueIsAlwaysUndefined(V, BC, PtrValueMayBeModified);
diff --git a/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll b/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll
new file mode 100644
index 00000000000000..e250a5d02c563c
--- /dev/null
+++ b/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll
@@ -0,0 +1,122 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
+; RUN: opt -passes=simplifycfg -simplifycfg-require-and-preserve-domtree=1 -S < %s | FileCheck %s
+
+define noundef i32 @test_ret_noundef(i1 %cond) {
+; CHECK-LABEL: @test_ret_noundef(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: ret i32 1
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %r = phi i32 [ undef, %entry ], [ 1, %bb1 ]
+ ret i32 %r
+}
+
+define i32 @test_ret(i1 %cond) {
+; CHECK-LABEL: @test_ret(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[COND:%.*]], i32 1, i32 undef
+; CHECK-NEXT: ret i32 [[SPEC_SELECT]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %r = phi i32 [ undef, %entry ], [ 1, %bb1 ]
+ ret i32 %r
+}
+
+define nonnull noundef ptr @test_ret_ptr_nonnull_noundef(i1 %cond, ptr %x) {
+; CHECK-LABEL: @test_ret_ptr_nonnull_noundef(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: call void @llvm.assume(i1 [[COND:%.*]])
+; CHECK-NEXT: ret ptr [[X:%.*]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %r = phi ptr [ null, %entry ], [ %x, %bb1 ]
+ ret ptr %r
+}
+
+define nonnull noundef ptr @test_ret_ptr_nonnull_noundef_gep_nonzero(i1 %cond, ptr %x) {
+; CHECK-LABEL: @test_ret_ptr_nonnull_noundef_gep_nonzero(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[COND:%.*]], ptr [[X:%.*]], ptr null
+; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds ptr, ptr [[SPEC_SELECT]], i64 12
+; CHECK-NEXT: ret ptr [[GEP]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %phi = phi ptr [ null, %entry ], [ %x, %bb1 ]
+ %gep = getelementptr inbounds ptr, ptr %phi, i64 12
+ ret ptr %gep
+}
+
+define nonnull ptr @test_ret_ptr_nonnull(i1 %cond, ptr %x) {
+; CHECK-LABEL: @test_ret_ptr_nonnull(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[COND:%.*]], ptr [[X:%.*]], ptr null
+; CHECK-NEXT: ret ptr [[SPEC_SELECT]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %r = phi ptr [ null, %entry ], [ %x, %bb1 ]
+ ret ptr %r
+}
+
+define noundef ptr @test_ret_ptr_noundef(i1 %cond, ptr %x) {
+; CHECK-LABEL: @test_ret_ptr_noundef(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[COND:%.*]], ptr [[X:%.*]], ptr null
+; CHECK-NEXT: ret ptr [[SPEC_SELECT]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %r = phi ptr [ null, %entry ], [ %x, %bb1 ]
+ ret ptr %r
+}
+
+define ptr @test_ret_ptr(i1 %cond, ptr %x) {
+; CHECK-LABEL: @test_ret_ptr(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[COND:%.*]], ptr [[X:%.*]], ptr null
+; CHECK-NEXT: ret ptr [[SPEC_SELECT]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %r = phi ptr [ null, %entry ], [ %x, %bb1 ]
+ ret ptr %r
+}
>From 8228e4843c93b2590488abdfa11583e9b7c30d58 Mon Sep 17 00:00:00 2001
From: DianQK <dianqk at dianqk.net>
Date: Sun, 31 Dec 2023 19:56:03 +0800
Subject: [PATCH 2/2] Reland "[SimplifyCFG] Improve the precision of
`PtrValueMayBeModified`"
This relands commit f890f010f6a70addbd885acd0c8d1b9578b6246f.
The result value of `getelementptr inbounds (TY, null, not zero)` is a poison value.
We can think of it as undefined behavior.
---
llvm/lib/Transforms/Utils/SimplifyCFG.cpp | 11 ++-
.../SimplifyCFG/UnreachableEliminate.ll | 68 ++++++++++++++++++-
.../unreachable-eliminate-on-ret.ll | 21 +++++-
3 files changed, 96 insertions(+), 4 deletions(-)
diff --git a/llvm/lib/Transforms/Utils/SimplifyCFG.cpp b/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
index c54b2208e797ee..e6593075142803 100644
--- a/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
+++ b/llvm/lib/Transforms/Utils/SimplifyCFG.cpp
@@ -7386,7 +7386,16 @@ static bool passingValueIsAlwaysUndefined(Value *V, Instruction *I, bool PtrValu
// Look through GEPs. A load from a GEP derived from NULL is still undefined
if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(Use))
if (GEP->getPointerOperand() == I) {
- if (!GEP->isInBounds() || !GEP->hasAllZeroIndices())
+ // The current base address is null, there are four cases to consider:
+ // getelementptr (TY, null, 0) -> null
+ // getelementptr (TY, null, not zero) -> may be modified
+ // getelementptr inbounds (TY, null, 0) -> null
+ // getelementptr inbounds (TY, null, not zero) -> poison iff null is
+ // undefined?
+ if (!GEP->hasAllZeroIndices() &&
+ (!GEP->isInBounds() ||
+ NullPointerIsDefined(GEP->getFunction(),
+ GEP->getPointerAddressSpace())))
PtrValueMayBeModified = true;
return passingValueIsAlwaysUndefined(V, GEP, PtrValueMayBeModified);
}
diff --git a/llvm/test/Transforms/SimplifyCFG/UnreachableEliminate.ll b/llvm/test/Transforms/SimplifyCFG/UnreachableEliminate.ll
index 5ba43c055f9be1..757340527ec030 100644
--- a/llvm/test/Transforms/SimplifyCFG/UnreachableEliminate.ll
+++ b/llvm/test/Transforms/SimplifyCFG/UnreachableEliminate.ll
@@ -444,6 +444,28 @@ else:
define void @test9_gep_inbounds_nonzero(i1 %X, ptr %Y) {
; CHECK-LABEL: @test9_gep_inbounds_nonzero(
; CHECK-NEXT: entry:
+; CHECK-NEXT: [[TMP0:%.*]] = xor i1 [[X:%.*]], true
+; CHECK-NEXT: call void @llvm.assume(i1 [[TMP0]])
+; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds i8, ptr [[Y:%.*]], i64 12
+; CHECK-NEXT: [[TMP1:%.*]] = call ptr @fn_nonnull_noundef_arg(ptr [[GEP]])
+; CHECK-NEXT: ret void
+;
+entry:
+ br i1 %X, label %if, label %else
+
+if:
+ br label %else
+
+else:
+ %phi = phi ptr [ %Y, %entry ], [ null, %if ]
+ %gep = getelementptr inbounds i8, ptr %phi, i64 12
+ call ptr @fn_nonnull_noundef_arg(ptr %gep)
+ ret void
+}
+
+define void @test9_gep_inbounds_nonzero_null_defined(i1 %X, ptr %Y) #0 {
+; CHECK-LABEL: @test9_gep_inbounds_nonzero_null_defined(
+; CHECK-NEXT: entry:
; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[X:%.*]], ptr null, ptr [[Y:%.*]]
; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds i8, ptr [[SPEC_SELECT]], i64 12
; CHECK-NEXT: [[TMP0:%.*]] = call ptr @fn_nonnull_noundef_arg(ptr [[GEP]])
@@ -462,9 +484,30 @@ else:
ret void
}
+define void @test9_gep_inbounds_unknown_null(i1 %X, ptr %Y, i64 %I) {
+; CHECK-LABEL: @test9_gep_inbounds_unknown_null(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[TMP0:%.*]] = xor i1 [[X:%.*]], true
+; CHECK-NEXT: call void @llvm.assume(i1 [[TMP0]])
+; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds i8, ptr [[Y:%.*]], i64 [[I:%.*]]
+; CHECK-NEXT: [[TMP1:%.*]] = call ptr @fn_nonnull_noundef_arg(ptr [[GEP]])
+; CHECK-NEXT: ret void
+;
+entry:
+ br i1 %X, label %if, label %else
+
+if:
+ br label %else
+
+else:
+ %phi = phi ptr [ %Y, %entry ], [ null, %if ]
+ %gep = getelementptr inbounds i8, ptr %phi, i64 %I
+ call ptr @fn_nonnull_noundef_arg(ptr %gep)
+ ret void
+}
-define void @test9_gep_inbouds_unknown_null(i1 %X, ptr %Y, i64 %I) {
-; CHECK-LABEL: @test9_gep_inbouds_unknown_null(
+define void @test9_gep_inbounds_unknown_null_defined(i1 %X, ptr %Y, i64 %I) #0 {
+; CHECK-LABEL: @test9_gep_inbounds_unknown_null_defined(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[X:%.*]], ptr null, ptr [[Y:%.*]]
; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds i8, ptr [[SPEC_SELECT]], i64 [[I:%.*]]
@@ -484,6 +527,27 @@ else:
ret void
}
+define void @test9_gep_inbounds_unknown_null_call_noundef(i1 %X, ptr %Y, i64 %I) {
+; CHECK-LABEL: @test9_gep_inbounds_unknown_null_call_noundef(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[X:%.*]], ptr null, ptr [[Y:%.*]]
+; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds i8, ptr [[SPEC_SELECT]], i64 [[I:%.*]]
+; CHECK-NEXT: [[TMP0:%.*]] = call ptr @fn_noundef_arg(ptr [[GEP]])
+; CHECK-NEXT: ret void
+;
+entry:
+ br i1 %X, label %if, label %else
+
+if:
+ br label %else
+
+else:
+ %phi = phi ptr [ %Y, %entry ], [ null, %if ]
+ %gep = getelementptr inbounds i8, ptr %phi, i64 %I
+ call ptr @fn_noundef_arg(ptr %gep)
+ ret void
+}
+
define void @test9_gep_unknown_null(i1 %X, ptr %Y, i64 %I) {
; CHECK-LABEL: @test9_gep_unknown_null(
; CHECK-NEXT: entry:
diff --git a/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll b/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll
index e250a5d02c563c..924f98a46ab541 100644
--- a/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll
+++ b/llvm/test/Transforms/SimplifyCFG/unreachable-eliminate-on-ret.ll
@@ -55,7 +55,26 @@ define nonnull noundef ptr @test_ret_ptr_nonnull_noundef_gep_nonzero(i1 %cond, p
; CHECK-LABEL: @test_ret_ptr_nonnull_noundef_gep_nonzero(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[SPEC_SELECT:%.*]] = select i1 [[COND:%.*]], ptr [[X:%.*]], ptr null
-; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds ptr, ptr [[SPEC_SELECT]], i64 12
+; CHECK-NEXT: [[GEP:%.*]] = getelementptr ptr, ptr [[SPEC_SELECT]], i64 12
+; CHECK-NEXT: ret ptr [[GEP]]
+;
+entry:
+ br i1 %cond, label %bb1, label %bb2
+
+bb1:
+ br label %bb2
+
+bb2:
+ %phi = phi ptr [ null, %entry ], [ %x, %bb1 ]
+ %gep = getelementptr ptr, ptr %phi, i64 12
+ ret ptr %gep
+}
+
+define nonnull noundef ptr @test_ret_ptr_nonnull_noundef_gep_inbounds_nonzero(i1 %cond, ptr %x) {
+; CHECK-LABEL: @test_ret_ptr_nonnull_noundef_gep_inbounds_nonzero(
+; CHECK-NEXT: entry:
+; CHECK-NEXT: call void @llvm.assume(i1 [[COND:%.*]])
+; CHECK-NEXT: [[GEP:%.*]] = getelementptr inbounds ptr, ptr [[X:%.*]], i64 12
; CHECK-NEXT: ret ptr [[GEP]]
;
entry:
More information about the llvm-commits
mailing list