[llvm] [LVI][ValueTracking] Take UB-implying attributes into account in `isSafeToSpeculativelyExecute` (PR #137604)
Yingwei Zheng via llvm-commits
llvm-commits at lists.llvm.org
Tue Apr 29 11:32:55 PDT 2025
https://github.com/dtcxzyw updated https://github.com/llvm/llvm-project/pull/137604
>From 9e7d1ecf831df2047517eb4c105c092a7b409ce2 Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2333 at gmail.com>
Date: Mon, 28 Apr 2025 16:28:12 +0800
Subject: [PATCH 1/5] [CVP] Add pre-commit tests. NFC.
---
.../CorrelatedValuePropagation/pr137582.ll | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll
diff --git a/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll b/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll
new file mode 100644
index 0000000000000..ec58fd1fcce4a
--- /dev/null
+++ b/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll
@@ -0,0 +1,34 @@
+; NOTE: Assertions have been autogenerated by utils/update_test_checks.py UTC_ARGS: --version 5
+; RUN: opt < %s -passes=correlated-propagation -S | FileCheck %s
+
+; Make sure that the optimization does not introduce immediate UB.
+
+define i8 @test(i16 %x) {
+; CHECK-LABEL: define range(i8 -128, 1) i8 @test(
+; CHECK-SAME: i16 [[X:%.*]]) {
+; CHECK-NEXT: [[ENTRY:.*]]:
+; CHECK-NEXT: [[OR:%.*]] = or i16 [[X]], 1
+; CHECK-NEXT: [[CONV:%.*]] = trunc nuw nsw i16 [[OR]] to i8
+; CHECK-NEXT: [[MIN:%.*]] = call noundef i8 @llvm.smin.i8(i8 [[CONV]], i8 0)
+; CHECK-NEXT: [[COND:%.*]] = icmp eq i16 [[X]], 0
+; CHECK-NEXT: br i1 [[COND]], label %[[IF_END:.*]], label %[[IF_THEN:.*]]
+; CHECK: [[IF_THEN]]:
+; CHECK-NEXT: br label %[[IF_END]]
+; CHECK: [[IF_END]]:
+; CHECK-NEXT: [[RES:%.*]] = phi i8 [ [[MIN]], %[[ENTRY]] ], [ 0, %[[IF_THEN]] ]
+; CHECK-NEXT: ret i8 [[RES]]
+;
+entry:
+ %or = or i16 %x, 1
+ %conv = trunc i16 %or to i8
+ %min = call noundef i8 @llvm.smin.i8(i8 %conv, i8 0)
+ %cond = icmp eq i16 %x, 0
+ br i1 %cond, label %if.end, label %if.then
+
+if.then:
+ br label %if.end
+
+if.end:
+ %res = phi i8 [ %min, %entry ], [ 0, %if.then ]
+ ret i8 %res
+}
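Review bot: The new test pins only the return-`noundef` form of the problem, on the `@llvm.smin.i8` call in `@test`. The check added later in this series also rejects calls whose arguments carry UB-implying attributes, so a second function with the attribute on the argument instead (constructed example: `call i8 @llvm.smin.i8(i8 noundef %conv, i8 0)`) would cover that path as well. The comment above `@test` could also name what must not happen, e.g. `; The trunc must not gain nuw/nsw: the flags hold only on the %entry -> %if.end edge, but the noundef call executes on both paths.`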
>From aea16f21e3a78d85a612049bb8f45fac9f1f1c5c Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2333 at gmail.com>
Date: Mon, 28 Apr 2025 16:44:25 +0800
Subject: [PATCH 2/5] [CVP][ValueTracking] Take UB-implying attrs into account
---
llvm/include/llvm/Analysis/ValueTracking.h | 25 +++++++++++----
llvm/lib/Analysis/LazyValueInfo.cpp | 3 +-
llvm/lib/Analysis/ValueTracking.cpp | 32 +++++++++++++------
.../CorrelatedValuePropagation/pr137582.ll | 2 +-
4 files changed, 44 insertions(+), 18 deletions(-)
diff --git a/llvm/include/llvm/Analysis/ValueTracking.h b/llvm/include/llvm/Analysis/ValueTracking.h
index f927838c843ac..bf43a6297da4a 100644
--- a/llvm/include/llvm/Analysis/ValueTracking.h
+++ b/llvm/include/llvm/Analysis/ValueTracking.h
@@ -539,6 +539,13 @@ bool isNotCrossLaneOperation(const Instruction *I);
/// move the instruction as long as the correct dominance relationships for
/// the operands and users hold.
///
+/// If \p UseVariableInfo is true, the information from non-constant operands
+/// will be taken into account.
+///
+/// If \p AllowRefinement is true, UB-implying attributes and metadata will be
+/// ignored. The caller is responsible for correctly propagating them after
+/// hoisting.
+///
/// This method can return true for instructions that read memory;
/// for such instructions, moving them may change the resulting value.
bool isSafeToSpeculativelyExecute(const Instruction *I,
@@ -546,24 +553,29 @@ bool isSafeToSpeculativelyExecute(const Instruction *I,
AssumptionCache *AC = nullptr,
const DominatorTree *DT = nullptr,
const TargetLibraryInfo *TLI = nullptr,
- bool UseVariableInfo = true);
+ bool UseVariableInfo = true,
+ bool AllowRefinement = true);
inline bool isSafeToSpeculativelyExecute(const Instruction *I,
BasicBlock::iterator CtxI,
AssumptionCache *AC = nullptr,
const DominatorTree *DT = nullptr,
const TargetLibraryInfo *TLI = nullptr,
- bool UseVariableInfo = true) {
+ bool UseVariableInfo = true,
+ bool AllowRefinement = true) {
// Take an iterator, and unwrap it into an Instruction *.
- return isSafeToSpeculativelyExecute(I, &*CtxI, AC, DT, TLI, UseVariableInfo);
+ return isSafeToSpeculativelyExecute(I, &*CtxI, AC, DT, TLI, UseVariableInfo,
+ AllowRefinement);
}
/// Don't use information from its non-constant operands. This helper is used
/// when its operands are going to be replaced.
inline bool
-isSafeToSpeculativelyExecuteWithVariableReplaced(const Instruction *I) {
+isSafeToSpeculativelyExecuteWithVariableReplaced(const Instruction *I,
+ bool AllowRefinement = true) {
return isSafeToSpeculativelyExecute(I, nullptr, nullptr, nullptr, nullptr,
- /*UseVariableInfo=*/false);
+ /*UseVariableInfo=*/false,
+ AllowRefinement);
}
/// This returns the same result as isSafeToSpeculativelyExecute if Opcode is
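Review bot: The new trailing parameter defaults to `true` on `isSafeToSpeculativelyExecuteWithVariableReplaced`, so every existing caller of that helper keeps ignoring UB-implying attributes even though the helper's own comment says its operands are about to be replaced, which is the situation the new check exists for. Only the LazyValueInfo call site in this patch opts out; other callers are not visible here and would need an audit. Consider dropping the default on this helper (`const Instruction *I, bool AllowRefinement`) so each caller has to decide explicitly, and keeping the default only on the general overloads. The same default survives the rename to `IgnoreUBImplyingAttrs` in PATCH 3/5.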
@@ -586,7 +598,8 @@ isSafeToSpeculativelyExecuteWithVariableReplaced(const Instruction *I) {
bool isSafeToSpeculativelyExecuteWithOpcode(
unsigned Opcode, const Instruction *Inst, const Instruction *CtxI = nullptr,
AssumptionCache *AC = nullptr, const DominatorTree *DT = nullptr,
- const TargetLibraryInfo *TLI = nullptr, bool UseVariableInfo = true);
+ const TargetLibraryInfo *TLI = nullptr, bool UseVariableInfo = true,
+ bool AllowRefinement = true);
/// Returns true if the result or effects of the given instructions \p I
/// depend values not reachable through the def use graph.
diff --git a/llvm/lib/Analysis/LazyValueInfo.cpp b/llvm/lib/Analysis/LazyValueInfo.cpp
index e49e004a48a51..4418869dc4a78 100644
--- a/llvm/lib/Analysis/LazyValueInfo.cpp
+++ b/llvm/lib/Analysis/LazyValueInfo.cpp
@@ -1701,7 +1701,8 @@ ValueLatticeElement LazyValueInfoImpl::getValueAtUse(const Use &U) {
// of a cycle, we might end up reasoning about values from different cycle
// iterations (PR60629).
if (!CurrI->hasOneUse() ||
- !isSafeToSpeculativelyExecuteWithVariableReplaced(CurrI))
+ !isSafeToSpeculativelyExecuteWithVariableReplaced(
+ CurrI, /*AllowRefinement=*/false))
break;
CurrU = &*CurrI->use_begin();
}
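Review bot: The reason for passing `false` is not stated at the call site; the existing comment above it explains only the cycle problem (PR60629). Judging from the test in PATCH 1/5, the concern is that a fact valid only at the use gets applied to an operand of a call whose attributes turn a poison result into immediate UB. A short addition would record that, e.g. `// Do not look through calls with UB-implying attributes: facts that hold only at this use must not be applied to their operands.` The enclosing loop in `getValueAtUse` starts and ends outside this hunk.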
diff --git a/llvm/lib/Analysis/ValueTracking.cpp b/llvm/lib/Analysis/ValueTracking.cpp
index 1d3f8b7207a63..a7eb6c8feae0c 100644
--- a/llvm/lib/Analysis/ValueTracking.cpp
+++ b/llvm/lib/Analysis/ValueTracking.cpp
@@ -7201,20 +7201,19 @@ bool llvm::isNotCrossLaneOperation(const Instruction *I) {
!isa<CallBase, BitCastInst, ExtractElementInst>(I);
}
-bool llvm::isSafeToSpeculativelyExecute(const Instruction *Inst,
- const Instruction *CtxI,
- AssumptionCache *AC,
- const DominatorTree *DT,
- const TargetLibraryInfo *TLI,
- bool UseVariableInfo) {
+bool llvm::isSafeToSpeculativelyExecute(
+ const Instruction *Inst, const Instruction *CtxI, AssumptionCache *AC,
+ const DominatorTree *DT, const TargetLibraryInfo *TLI, bool UseVariableInfo,
+ bool AllowRefinement) {
return isSafeToSpeculativelyExecuteWithOpcode(Inst->getOpcode(), Inst, CtxI,
- AC, DT, TLI, UseVariableInfo);
+ AC, DT, TLI, UseVariableInfo,
+ AllowRefinement);
}
bool llvm::isSafeToSpeculativelyExecuteWithOpcode(
unsigned Opcode, const Instruction *Inst, const Instruction *CtxI,
AssumptionCache *AC, const DominatorTree *DT, const TargetLibraryInfo *TLI,
- bool UseVariableInfo) {
+ bool UseVariableInfo, bool AllowRefinement) {
#ifndef NDEBUG
if (Inst->getOpcode() != Opcode) {
// Check that the operands are actually compatible with the Opcode override.
@@ -7266,7 +7265,7 @@ bool llvm::isSafeToSpeculativelyExecuteWithOpcode(
return false;
}
case Instruction::Load: {
- if (!UseVariableInfo)
+ if (!UseVariableInfo || !AllowRefinement)
return false;
const LoadInst *LI = dyn_cast<LoadInst>(Inst);
@@ -7287,7 +7286,20 @@ bool llvm::isSafeToSpeculativelyExecuteWithOpcode(
// The called function could have undefined behavior or side-effects, even
// if marked readnone nounwind.
- return Callee && Callee->isSpeculatable();
+ if (!Callee || !Callee->isSpeculatable())
+ return false;
+ // Since the operands may be changed after hoisting, undefined behavior may
+ // be triggered by some UB-implying attributes.
+ if (!AllowRefinement) {
+ if (CI->hasRetAttr(Attribute::NoUndef) ||
+ CI->getRetDereferenceableBytes() > 0 ||
+ CI->getRetDereferenceableOrNullBytes() > 0 ||
+ any_of(CI->args(), [&](const Use &U) {
+ return CI->isPassingUndefUB(CI->getArgOperandNo(&U));
+ }))
+ return false;
+ }
+ return true;
}
case Instruction::VAArg:
case Instruction::Alloca:
diff --git a/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll b/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll
index ec58fd1fcce4a..7433606988285 100644
--- a/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll
+++ b/llvm/test/Transforms/CorrelatedValuePropagation/pr137582.ll
@@ -8,7 +8,7 @@ define i8 @test(i16 %x) {
; CHECK-SAME: i16 [[X:%.*]]) {
; CHECK-NEXT: [[ENTRY:.*]]:
; CHECK-NEXT: [[OR:%.*]] = or i16 [[X]], 1
-; CHECK-NEXT: [[CONV:%.*]] = trunc nuw nsw i16 [[OR]] to i8
+; CHECK-NEXT: [[CONV:%.*]] = trunc i16 [[OR]] to i8
; CHECK-NEXT: [[MIN:%.*]] = call noundef i8 @llvm.smin.i8(i8 [[CONV]], i8 0)
; CHECK-NEXT: [[COND:%.*]] = icmp eq i16 [[X]], 0
; CHECK-NEXT: br i1 [[COND]], label %[[IF_END:.*]], label %[[IF_THEN:.*]]
>From acf5b6714f9f2e669eaac331c021dca5ad0a18f5 Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2333 at gmail.com>
Date: Tue, 29 Apr 2025 12:58:05 +0800
Subject: [PATCH 3/5] [IR] Address review comments.
---
llvm/include/llvm/Analysis/ValueTracking.h | 21 ++++++++++-----------
llvm/include/llvm/IR/Instruction.h | 4 ++++
llvm/lib/Analysis/LazyValueInfo.cpp | 2 +-
llvm/lib/Analysis/ValueTracking.cpp | 19 +++++--------------
llvm/lib/IR/Instruction.cpp | 14 ++++++++++++++
5 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/llvm/include/llvm/Analysis/ValueTracking.h b/llvm/include/llvm/Analysis/ValueTracking.h
index bf43a6297da4a..1f518c1025e26 100644
--- a/llvm/include/llvm/Analysis/ValueTracking.h
+++ b/llvm/include/llvm/Analysis/ValueTracking.h
@@ -542,9 +542,9 @@ bool isNotCrossLaneOperation(const Instruction *I);
/// If \p UseVariableInfo is true, the information from non-constant operands
/// will be taken into account.
///
-/// If \p AllowRefinement is true, UB-implying attributes and metadata will be
-/// ignored. The caller is responsible for correctly propagating them after
-/// hoisting.
+/// If \p IgnoreUBImplyingAttrs is true, UB-implying attributes and metadata
+/// will be ignored. The caller is responsible for correctly propagating them
+/// after hoisting.
///
/// This method can return true for instructions that read memory;
/// for such instructions, moving them may change the resulting value.
@@ -554,7 +554,7 @@ bool isSafeToSpeculativelyExecute(const Instruction *I,
const DominatorTree *DT = nullptr,
const TargetLibraryInfo *TLI = nullptr,
bool UseVariableInfo = true,
- bool AllowRefinement = true);
+ bool IgnoreUBImplyingAttrs = true);
inline bool isSafeToSpeculativelyExecute(const Instruction *I,
BasicBlock::iterator CtxI,
@@ -562,20 +562,19 @@ inline bool isSafeToSpeculativelyExecute(const Instruction *I,
const DominatorTree *DT = nullptr,
const TargetLibraryInfo *TLI = nullptr,
bool UseVariableInfo = true,
- bool AllowRefinement = true) {
+ bool IgnoreUBImplyingAttrs = true) {
// Take an iterator, and unwrap it into an Instruction *.
return isSafeToSpeculativelyExecute(I, &*CtxI, AC, DT, TLI, UseVariableInfo,
- AllowRefinement);
+ IgnoreUBImplyingAttrs);
}
/// Don't use information from its non-constant operands. This helper is used
/// when its operands are going to be replaced.
-inline bool
-isSafeToSpeculativelyExecuteWithVariableReplaced(const Instruction *I,
- bool AllowRefinement = true) {
+inline bool isSafeToSpeculativelyExecuteWithVariableReplaced(
+ const Instruction *I, bool IgnoreUBImplyingAttrs = true) {
return isSafeToSpeculativelyExecute(I, nullptr, nullptr, nullptr, nullptr,
/*UseVariableInfo=*/false,
- AllowRefinement);
+ IgnoreUBImplyingAttrs);
}
/// This returns the same result as isSafeToSpeculativelyExecute if Opcode is
@@ -599,7 +598,7 @@ bool isSafeToSpeculativelyExecuteWithOpcode(
unsigned Opcode, const Instruction *Inst, const Instruction *CtxI = nullptr,
AssumptionCache *AC = nullptr, const DominatorTree *DT = nullptr,
const TargetLibraryInfo *TLI = nullptr, bool UseVariableInfo = true,
- bool AllowRefinement = true);
+ bool IgnoreUBImplyingAttrs = true);
/// Returns true if the result or effects of the given instructions \p I
/// depend values not reachable through the def use graph.
diff --git a/llvm/include/llvm/IR/Instruction.h b/llvm/include/llvm/IR/Instruction.h
index 900384432d75d..d8069b2fb02a4 100644
--- a/llvm/include/llvm/IR/Instruction.h
+++ b/llvm/include/llvm/IR/Instruction.h
@@ -585,6 +585,10 @@ class Instruction : public User,
/// This should be used when speculating instructions.
void dropUBImplyingAttrsAndMetadata();
+ /// Return true if this instruction has UB-implying attributes
+ /// that can cause immediate undefined behavior.
+ bool hasUBImplyingAttrs() const LLVM_READONLY;
+
/// Determine whether the exact flag is set.
bool isExact() const LLVM_READONLY;
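Review bot: The doc comment on `hasUBImplyingAttrs()` reads as if it applied to any instruction, but the implementation added in Instruction.cpp returns false for everything that is not a `CallBase` and inspects only parameter and return attributes. UB-implying metadata, which the neighbouring `dropUBImplyingAttrsAndMetadata()` does handle, is not looked at, so a caller could over-trust a `false` result. Suggested wording: `/// Return true if this is a call whose parameter or return attributes (noundef, dereferenceable, dereferenceable_or_null) can cause immediate UB. Metadata is not checked.`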
diff --git a/llvm/lib/Analysis/LazyValueInfo.cpp b/llvm/lib/Analysis/LazyValueInfo.cpp
index 4418869dc4a78..2a562484fc374 100644
--- a/llvm/lib/Analysis/LazyValueInfo.cpp
+++ b/llvm/lib/Analysis/LazyValueInfo.cpp
@@ -1702,7 +1702,7 @@ ValueLatticeElement LazyValueInfoImpl::getValueAtUse(const Use &U) {
// iterations (PR60629).
if (!CurrI->hasOneUse() ||
!isSafeToSpeculativelyExecuteWithVariableReplaced(
- CurrI, /*AllowRefinement=*/false))
+ CurrI, /*IgnoreUBImplyingAttrs=*/false))
break;
CurrU = &*CurrI->use_begin();
}
diff --git a/llvm/lib/Analysis/ValueTracking.cpp b/llvm/lib/Analysis/ValueTracking.cpp
index a7eb6c8feae0c..256e77b40a97f 100644
--- a/llvm/lib/Analysis/ValueTracking.cpp
+++ b/llvm/lib/Analysis/ValueTracking.cpp
@@ -7204,16 +7204,16 @@ bool llvm::isNotCrossLaneOperation(const Instruction *I) {
bool llvm::isSafeToSpeculativelyExecute(
const Instruction *Inst, const Instruction *CtxI, AssumptionCache *AC,
const DominatorTree *DT, const TargetLibraryInfo *TLI, bool UseVariableInfo,
- bool AllowRefinement) {
+ bool IgnoreUBImplyingAttrs) {
return isSafeToSpeculativelyExecuteWithOpcode(Inst->getOpcode(), Inst, CtxI,
AC, DT, TLI, UseVariableInfo,
- AllowRefinement);
+ IgnoreUBImplyingAttrs);
}
bool llvm::isSafeToSpeculativelyExecuteWithOpcode(
unsigned Opcode, const Instruction *Inst, const Instruction *CtxI,
AssumptionCache *AC, const DominatorTree *DT, const TargetLibraryInfo *TLI,
- bool UseVariableInfo, bool AllowRefinement) {
+ bool UseVariableInfo, bool IgnoreUBImplyingAttrs) {
#ifndef NDEBUG
if (Inst->getOpcode() != Opcode) {
// Check that the operands are actually compatible with the Opcode override.
@@ -7265,7 +7265,7 @@ bool llvm::isSafeToSpeculativelyExecuteWithOpcode(
return false;
}
case Instruction::Load: {
- if (!UseVariableInfo || !AllowRefinement)
+ if (!UseVariableInfo)
return false;
const LoadInst *LI = dyn_cast<LoadInst>(Inst);
@@ -7290,16 +7290,7 @@ bool llvm::isSafeToSpeculativelyExecuteWithOpcode(
return false;
// Since the operands may be changed after hoisting, undefined behavior may
// be triggered by some UB-implying attributes.
- if (!AllowRefinement) {
- if (CI->hasRetAttr(Attribute::NoUndef) ||
- CI->getRetDereferenceableBytes() > 0 ||
- CI->getRetDereferenceableOrNullBytes() > 0 ||
- any_of(CI->args(), [&](const Use &U) {
- return CI->isPassingUndefUB(CI->getArgOperandNo(&U));
- }))
- return false;
- }
- return true;
+ return IgnoreUBImplyingAttrs || !CI->hasUBImplyingAttrs();
}
case Instruction::VAArg:
case Instruction::Alloca:
diff --git a/llvm/lib/IR/Instruction.cpp b/llvm/lib/IR/Instruction.cpp
index e55a4b41e4d00..3ca1defeabc88 100644
--- a/llvm/lib/IR/Instruction.cpp
+++ b/llvm/lib/IR/Instruction.cpp
@@ -554,6 +554,20 @@ void Instruction::dropUBImplyingAttrsAndMetadata() {
dropUBImplyingAttrsAndUnknownMetadata(KnownIDs);
}
+bool Instruction::hasUBImplyingAttrs() const {
+ auto *CB = dyn_cast<CallBase>(this);
+ if (!CB)
+ return false;
+ // For call instructions, we also need to check parameter and return
+ // attributes that are can cause UB.
+ for (unsigned ArgNo = 0; ArgNo < CB->arg_size(); ArgNo++)
+ if (CB->isPassingUndefUB(ArgNo))
+ return true;
+ return CB->hasRetAttr(Attribute::NoUndef) ||
+ CB->getRetDereferenceableBytes() > 0 ||
+ CB->getRetDereferenceableOrNullBytes() > 0;
+}
+
bool Instruction::isExact() const {
return cast<PossiblyExactOperator>(this)->isExact();
}
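Review bot: `hasUBImplyingAttrs()` spells out its attribute list by hand, apparently separately from whatever `dropUBImplyingAttrsAndUnknownMetadata()` removes (that routine's body is not visible in this hunk). If a new UB-implying attribute is later added to one and not the other, speculation checks would accept a call that the drop routine treats as unsafe to move. Add a comment such as `// Keep in sync with dropUBImplyingAttrsAndUnknownMetadata().`, or derive both from one shared list. The revised body in PATCH 5/5 has the same shape.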
>From 855d3c074b73e8c27bae5c32d72c41bc871f5724 Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2333 at gmail.com>
Date: Tue, 29 Apr 2025 12:59:49 +0800
Subject: [PATCH 4/5] [ValueTracking] Fix comment. NFC.
---
llvm/include/llvm/Analysis/ValueTracking.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/llvm/include/llvm/Analysis/ValueTracking.h b/llvm/include/llvm/Analysis/ValueTracking.h
index 1f518c1025e26..61dbb07e7128e 100644
--- a/llvm/include/llvm/Analysis/ValueTracking.h
+++ b/llvm/include/llvm/Analysis/ValueTracking.h
@@ -542,9 +542,8 @@ bool isNotCrossLaneOperation(const Instruction *I);
/// If \p UseVariableInfo is true, the information from non-constant operands
/// will be taken into account.
///
-/// If \p IgnoreUBImplyingAttrs is true, UB-implying attributes and metadata
-/// will be ignored. The caller is responsible for correctly propagating them
-/// after hoisting.
+/// If \p IgnoreUBImplyingAttrs is true, UB-implying attributes will be ignored.
+/// The caller is responsible for correctly propagating them after hoisting.
///
/// This method can return true for instructions that read memory;
/// for such instructions, moving them may change the resulting value.
>From 1c266917d4ad3962b2653f7ad24bba0126f7c87b Mon Sep 17 00:00:00 2001
From: Yingwei Zheng <dtcxzyw2333 at gmail.com>
Date: Wed, 30 Apr 2025 02:31:57 +0800
Subject: [PATCH 5/5] [InstCombine] Address review comments. NFC.
---
llvm/lib/IR/Instruction.cpp | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/llvm/lib/IR/Instruction.cpp b/llvm/lib/IR/Instruction.cpp
index 3ca1defeabc88..6f858110fb8ce 100644
--- a/llvm/lib/IR/Instruction.cpp
+++ b/llvm/lib/IR/Instruction.cpp
@@ -532,8 +532,8 @@ void Instruction::dropUBImplyingAttrsAndUnknownMetadata(
if (!CB)
return;
// For call instructions, we also need to drop parameter and return attributes
- // that are can cause UB if the call is moved to a location where the
- // attribute is not valid.
+ // that can cause UB if the call is moved to a location where the attribute is
+ // not valid.
AttributeList AL = CB->getAttributes();
if (AL.isEmpty())
return;
@@ -559,13 +559,13 @@ bool Instruction::hasUBImplyingAttrs() const {
if (!CB)
return false;
// For call instructions, we also need to check parameter and return
- // attributes that are can cause UB.
+ // attributes that can cause UB.
for (unsigned ArgNo = 0; ArgNo < CB->arg_size(); ArgNo++)
if (CB->isPassingUndefUB(ArgNo))
return true;
return CB->hasRetAttr(Attribute::NoUndef) ||
- CB->getRetDereferenceableBytes() > 0 ||
- CB->getRetDereferenceableOrNullBytes() > 0;
+ CB->hasRetAttr(Attribute::Dereferenceable) ||
+ CB->hasRetAttr(Attribute::DereferenceableOrNull);
}
bool Instruction::isExact() const {