[llvm] [InstCombine] Simplify nonnull pointers (PR #128111)
Yingwei Zheng via llvm-commits
llvm-commits at lists.llvm.org
Fri Mar 7 08:03:46 PST 2025
dtcxzyw wrote:
> This is causing a probable miscompile.
>
> I'm working on a repro. Bisecting for the exact file and exact function that causes the miscompile when optimized; the IR diff looks like, before:
>
> ```
> ; Function Attrs: mustprogress nounwind uwtable
> define linkonce_odr dso_local void @_ZN3gvr21WST12GetTransformEv(ptr dead_on_unwind noalias writable sret(%"M") align 4 %0, ptr noundef nonnull align 8 dereferenceable(32) %1) unnamed_addr #0 comdat align 2 {
> %3 = getelementptr inbounds nuw i8, ptr %1, i64 16
> %4 = getelementptr inbounds nuw i8, ptr %1, i64 24
> %5 = load ptr, ptr %4, align 8, !tbaa !51, !nonnull !50, !noundef !50
> %6 = tail call noundef ptr @_ZNSt3__u19__shared_weak_count4lockEv(ptr noundef nonnull align 8 dereferenceable(24) %5) #12
> %7 = icmp eq ptr %6, null
> %8 = load ptr, ptr %3, align 8
> %9 = select i1 %7, ptr null, ptr %8
> %10 = load ptr, ptr %9, align 8, !tbaa !3
> %11 = getelementptr inbounds nuw i8, ptr %10, i64 24
> %12 = load ptr, ptr %11, align 8
> tail call void %12(ptr dead_on_unwind writable sret(%"M") align 4 %0, ptr noundef nonnull align 8 dereferenceable(112) %9) #12
> br i1 %7, label %21, label %13
>
> 13: ; preds = %2
> %14 = getelementptr inbounds nuw i8, ptr %6, i64 8
> %15 = atomicrmw add ptr %14, i64 -1 acq_rel, align 8
> %16 = icmp eq i64 %15, 0
> br i1 %16, label %17, label %21
>
> 17: ; preds = %13
> %18 = load ptr, ptr %6, align 8, !tbaa !3
> %19 = getelementptr inbounds nuw i8, ptr %18, i64 16
> %20 = load ptr, ptr %19, align 8
> tail call void %20(ptr noundef nonnull align 8 dereferenceable(24) %6) #12
> tail call void @_ZNSt3__u19__shared_weak_count14__release_weakEv(ptr noundef nonnull align 8 dereferenceable(24) %6) #12
> br label %21
>
> 21: ; preds = %2, %13, %17
> ret void
> }
> ```
>
> after:
>
> ```
> ; Function Attrs: mustprogress nounwind uwtable
> define linkonce_odr dso_local void @_ZN3gvr21WST12GetTransformEv(ptr dead_on_unwind noalias writable sret(%"M") align 4 %0, ptr noundef nonnull align 8 dereferenceable(32) %1) unnamed_addr #0 comdat align 2 {
> %3 = getelementptr inbounds nuw i8, ptr %1, i64 16
> %4 = getelementptr inbounds nuw i8, ptr %1, i64 24
> %5 = load ptr, ptr %4, align 8, !tbaa !51, !nonnull !50, !noundef !50
> %6 = tail call noundef ptr @_ZNSt3__u19__shared_weak_count4lockEv(ptr noundef nonnull align 8 dereferenceable(24) %5) #12
> %7 = load ptr, ptr %3, align 8
> %8 = load ptr, ptr %7, align 8, !tbaa !3
> %9 = getelementptr inbounds nuw i8, ptr %8, i64 24
> %10 = load ptr, ptr %9, align 8
> tail call void %10(ptr dead_on_unwind writable sret(%"M") align 4 %0, ptr noundef nonnull align 8 dereferenceable(112) %7) #12
> %11 = icmp eq ptr %6, null
> br i1 %11, label %20, label %12
>
> 12: ; preds = %2
> %13 = getelementptr inbounds nuw i8, ptr %6, i64 8
> %14 = atomicrmw add ptr %13, i64 -1 acq_rel, align 8
> %15 = icmp eq i64 %14, 0
> br i1 %15, label %16, label %20
>
> 16: ; preds = %12
> %17 = load ptr, ptr %6, align 8, !tbaa !3
> %18 = getelementptr inbounds nuw i8, ptr %17, i64 16
> %19 = load ptr, ptr %18, align 8
> tail call void %19(ptr noundef nonnull align 8 dereferenceable(24) %6) #12
> tail call void @_ZNSt3__u19__shared_weak_count14__release_weakEv(ptr noundef nonnull align 8 dereferenceable(24) %6) #12
> br label %20
>
> 20: ; preds = %2, %12, %16
> ret void
> }
> ```
>
> The clang invocation to reproduce is `clang -fno-exceptions -O3 '-std=gnu++20' pre.ii -emit-llvm -S -o case.ll`
>
> The entire preprocessed file that I'm reducing has other changes, but I thought I'd show the diff for the specific function until we have a more completely reduced case.
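IIRC this transformation is correct. If `%9` evaluates to null, we will hit UB at the following load/call instructions: in the "before" IR, `%9` is dereferenced by the load that defines `%10` and is then passed as a `noundef nonnull` argument to the indirect call. The optimizer may therefore assume the select never yields null and replace `%9` with `%8`.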
https://github.com/llvm/llvm-project/pull/128111