[llvm] [LAA] Be more careful when evaluating AddRecs at symbolic max BTC. (PR #106530)
Florian Hahn via llvm-commits
llvm-commits at lists.llvm.org
Thu Feb 20 12:44:09 PST 2025
================
@@ -219,13 +219,29 @@ static std::pair<const SCEV *, const SCEV *> getStartAndEndForAccess(
const SCEV *ScStart;
const SCEV *ScEnd;
+ auto &DL = Lp->getHeader()->getDataLayout();
+ Type *IdxTy = DL.getIndexType(PtrExpr->getType());
+ const SCEV *EltSizeSCEV = SE->getStoreSizeOfExpr(IdxTy, AccessTy);
if (SE->isLoopInvariant(PtrExpr, Lp)) {
ScStart = ScEnd = PtrExpr;
} else if (auto *AR = dyn_cast<SCEVAddRecExpr>(PtrExpr)) {
- const SCEV *Ex = PSE.getSymbolicMaxBackedgeTakenCount();
-
ScStart = AR->getStart();
- ScEnd = AR->evaluateAtIteration(Ex, *SE);
+ const SCEV *BTC = PSE.getBackedgeTakenCount();
+ if (!isa<SCEVCouldNotCompute>(BTC))
+ ScEnd = AR->evaluateAtIteration(BTC, *SE);
----------------
fhahn wrote:
The maximum size of an allocated object is half the pointer index space (in this case 2147483647) and the pointer past the object must also not wrap. The base pointer of the `inbounds` GEP must also be `inbounds`, so the last accessed address can be `P + 2147483646`, so the address one past the object is `P + 2147483647`
For the test above, the last accessed address would be `P + 2147483646 * 4`, so that would be UB.
I added variants to the new version of the PR that use GEPs of `i8`, where one case is valid and doesn't wrap (and has a correct upper bound) and one case where we just wrap by 1 and have an incorrect bound but the input is UB.
https://github.com/llvm/llvm-project/pull/128061/files#diff-c6a2d04947e1dbcdf611a1a351b05824360a86c5827c88867422d241f0fe6394
I hope I didn't miss anything
https://github.com/llvm/llvm-project/pull/106530
More information about the llvm-commits
mailing list