
opt segfault in JumpThreadingPass #63013

Closed
cbeuw opened this issue May 30, 2023 · 1 comment
Labels
crash Prefer [crash-on-valid] or [crash-on-invalid] llvm:optimizations

Comments

cbeuw commented May 30, 2023

Using -O2 with opt

https://godbolt.org/z/3K5EPaq8c

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: /opt/compiler-explorer/clang-16.0.0/bin/opt -o /app/output.s -S -O2 <source>
 #0 0x00005635155b04ff llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x34fa4ff)
 #1 0x00005635155adf74 SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f78a8555420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #3 0x000056351444e86b llvm::ObjectSizeOffsetVisitor::compute(llvm::Value*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x239886b)
 #4 0x0000563514451d46 llvm::ObjectSizeOffsetVisitor::visitPHINode(llvm::PHINode&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x239bd46)
 #5 0x000056351444e5d5 llvm::InstVisitor<llvm::ObjectSizeOffsetVisitor, std::pair<llvm::APInt, llvm::APInt>>::visit(llvm::Instruction&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x23985d5)
 #6 0x000056351444e66d llvm::ObjectSizeOffsetVisitor::computeImpl(llvm::Value*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x239866d)
 #7 0x000056351444eb86 llvm::ObjectSizeOffsetVisitor::compute(llvm::Value*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2398b86)
 #8 0x0000563514451e2b llvm::ObjectSizeOffsetVisitor::visitPHINode(llvm::PHINode&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x239be2b)
 #9 0x000056351444e5d5 llvm::InstVisitor<llvm::ObjectSizeOffsetVisitor, std::pair<llvm::APInt, llvm::APInt>>::visit(llvm::Instruction&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x23985d5)
#10 0x000056351444e66d llvm::ObjectSizeOffsetVisitor::computeImpl(llvm::Value*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x239866d)
#11 0x000056351444eb86 llvm::ObjectSizeOffsetVisitor::compute(llvm::Value*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2398b86)
#12 0x0000563514452172 llvm::getObjectSize(llvm::Value const*, unsigned long&, llvm::DataLayout const&, llvm::TargetLibraryInfo const*, llvm::ObjectSizeOpts) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x239c172)
#13 0x00005635142c6d79 llvm::BasicAAResult::aliasCheckRecursive(llvm::Value const*, llvm::LocationSize, llvm::Value const*, llvm::LocationSize, llvm::AAQueryInfo&, llvm::Value const*, llvm::Value const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2210d79)
#14 0x00005635142cc2e0 llvm::BasicAAResult::aliasCheck(llvm::Value const*, llvm::LocationSize, llvm::Value const*, llvm::LocationSize, llvm::AAQueryInfo&, llvm::Instruction const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x22162e0)
#15 0x00005635142cc573 llvm::BasicAAResult::alias(llvm::MemoryLocation const&, llvm::MemoryLocation const&, llvm::AAQueryInfo&, llvm::Instruction const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2216573)
#16 0x00005635142a48de llvm::AAResults::alias(llvm::MemoryLocation const&, llvm::MemoryLocation const&, llvm::AAQueryInfo&, llvm::Instruction const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x21ee8de)
#17 0x00005635142c2bd6 llvm::BasicAAResult::aliasPHI(llvm::PHINode const*, llvm::LocationSize, llvm::Value const*, llvm::LocationSize, llvm::AAQueryInfo&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x220cbd6)
#18 0x00005635142c6ce8 llvm::BasicAAResult::aliasCheckRecursive(llvm::Value const*, llvm::LocationSize, llvm::Value const*, llvm::LocationSize, llvm::AAQueryInfo&, llvm::Value const*, llvm::Value const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2210ce8)
#19 0x00005635142cc2e0 llvm::BasicAAResult::aliasCheck(llvm::Value const*, llvm::LocationSize, llvm::Value const*, llvm::LocationSize, llvm::AAQueryInfo&, llvm::Instruction const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x22162e0)
#20 0x00005635142cc573 llvm::BasicAAResult::alias(llvm::MemoryLocation const&, llvm::MemoryLocation const&, llvm::AAQueryInfo&, llvm::Instruction const*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2216573)
#21 0x00005635142a6965 llvm::AAResults::getModRefInfo(llvm::Instruction const*, std::optional<llvm::MemoryLocation> const&, llvm::AAQueryInfo&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x21f0965)
#22 0x000056351440b9d2 llvm::findAvailablePtrLoadStore(llvm::MemoryLocation const&, llvm::Type*, bool, llvm::BasicBlock*, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, false, false, void>, false, false>&, unsigned int, llvm::AAResults*, bool*, unsigned int*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x23559d2)
#23 0x000056351440d631 llvm::FindAvailableLoadedValue(llvm::LoadInst*, llvm::BasicBlock*, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, false, false, void>, false, false>&, unsigned int, llvm::AAResults*, bool*, unsigned int*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2357631)
#24 0x00005635152a9962 llvm::JumpThreadingPass::simplifyPartiallyRedundantLoad(llvm::LoadInst*) (.part.0) JumpThreading.cpp:0:0
#25 0x00005635152b361c llvm::JumpThreadingPass::processBlock(llvm::BasicBlock*) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x31fd61c)
#26 0x00005635152b41bd llvm::JumpThreadingPass::runImpl(llvm::Function&, llvm::TargetLibraryInfo*, llvm::TargetTransformInfo*, llvm::LazyValueInfo*, llvm::AAResults*, llvm::DomTreeUpdater*, bool, std::unique_ptr<llvm::BlockFrequencyInfo, std::default_delete<llvm::BlockFrequencyInfo>>, std::unique_ptr<llvm::BranchProbabilityInfo, std::default_delete<llvm::BranchProbabilityInfo>>) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x31fe1bd)
#27 0x00005635152b5b1f llvm::JumpThreadingPass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x31ffb1f)
#28 0x000056351594b0e6 llvm::detail::PassModel<llvm::Function, llvm::JumpThreadingPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x38950e6)
#29 0x0000563512fd31c1 llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function>>, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function>>::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0xf1d1c1)
#30 0x0000563514313875 llvm::CGSCCToFunctionPassAdaptor::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x225d875)
#31 0x0000563512fc8926 llvm::detail::PassModel<llvm::LazyCallGraph::SCC, llvm::CGSCCToFunctionPassAdaptor, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0xf12926)
#32 0x000056351430bf84 llvm::PassManager<llvm::LazyCallGraph::SCC, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2255f84)
#33 0x0000563514ecd8e6 llvm::detail::PassModel<llvm::LazyCallGraph::SCC, llvm::PassManager<llvm::LazyCallGraph::SCC, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2e178e6)
#34 0x000056351430fc1e llvm::DevirtSCCRepeatedPass::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2259c1e)
#35 0x0000563514ecd896 llvm::detail::PassModel<llvm::LazyCallGraph::SCC, llvm::DevirtSCCRepeatedPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&>::run(llvm::LazyCallGraph::SCC&, llvm::AnalysisManager<llvm::LazyCallGraph::SCC, llvm::LazyCallGraph&>&, llvm::LazyCallGraph&, llvm::CGSCCUpdateResult&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2e17896)
#36 0x000056351430d11b llvm::ModuleToPostOrderCGSCCPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x225711b)
#37 0x0000563514ed583d llvm::ModuleInlinerWrapperPass::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2e1f83d)
#38 0x0000563515948f76 llvm::detail::PassModel<llvm::Module, llvm::ModuleInlinerWrapperPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x3892f76)
#39 0x0000563514d74aa9 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module>>::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0x2cbeaa9)
#40 0x0000563512bce358 llvm::runPassPipeline(llvm::StringRef, llvm::Module&, llvm::TargetMachine*, llvm::TargetLibraryInfoImpl*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::StringRef, llvm::ArrayRef<llvm::PassPlugin>, llvm::opt_tool::OutputKind, llvm::opt_tool::VerifierKind, bool, bool, bool, bool, bool, bool) (/opt/compiler-explorer/clang-16.0.0/bin/opt+0xb18358)
#41 0x0000563512add83b main (/opt/compiler-explorer/clang-16.0.0/bin/opt+0xa2783b)
#42 0x00007f78a8003083 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24083)
#43 0x0000563512bc0b2e _start (/opt/compiler-explorer/clang-16.0.0/bin/opt+0xb0ab2e)
Compiler returned: 139

Using LLVM 16.0.0 from godbolt

LLVM (http://llvm.org/):
  LLVM version 16.0.0
  Optimized build.
  Default target: x86_64-unknown-linux-gnu
  Host CPU: skylake-avx512

For completeness, the LLVM IR was from the following Rust program written in custom Mid-level IR. It was machine generated and then minimised, so it is not very readable, and the variables and basic block labels are all out of order (they're parsed as arbitrary identifiers). Nonetheless, LLVM shouldn't crash.

Rust custom MIR
% rustc --crate-type=lib -Copt-level=2 llvm-segfault/272124-mir.rs
#![feature(custom_mir, core_intrinsics)]
extern crate core;
use core::intrinsics::mir::*;

#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn24(mut _4: bool, mut _13: *mut (i128, bool)) {
    mir! {
        let _24: (f64, (i16, bool), (f32, bool));
        let _31: ((isize, bool),);
        let _58: bool;
        let _65: (usize, bool);
        let _80: u16;
        let _81: (u16, bool);
        let _17: *const bool;
        let _60: *const bool;
        let _94: *const bool;
        let _29: *mut (i128, bool);
        let _62: *mut (i128, bool);
        let _91: *mut u16;
        let _95: *mut (isize, bool);
        let _18: *mut (i128, bool);
        let _19: *mut u16;
        let _102: *mut u16;
        let _108: *mut (i128, bool);
        let _111: *mut (i128, bool);
        let _136: *mut bool;
        let _139: *mut (i128, bool);
        let _152: *mut u16;
        let _168: *mut u16;
        {
            match _4 {
                true => bb1,
                _ => bb162
            }
        }
        bb1 = {
            _18 = _13;
            Goto(bb21)
        }
        bb21 = {
            _29 = _18;
            Goto(bb26)
        }
        bb26 = {
            _60 = core::ptr::addr_of!(_58);
            Goto(bb43)
        }
        bb43 = {
            _19 = core::ptr::addr_of_mut!(_80);
            _91 = _19;
            _62 = _29;
            Goto(bb49)
        }
        bb49 = {
            _29 = _62;
            _18 = _29;
            _102 = _19;
            Goto(bb64)
        }
        bb64 = {
            (*_102) = _81.0;
            _108 = _18;
            Goto(bb71)
        }
        bb71 = {
            Call(_94, bb74, core::intrinsics::arith_offset(_17, -9223372036854775808_isize))
        }
        bb74 = {
            _17 = _60;
            Goto(bb75)
        }
        bb75 = {
            _65 = (7965716767070957183_usize, true);
            _136 = _17 as *mut bool;
            _139 = _62;
            _111 = _139;
            match _81.0 {
                17880 => bb90,
                _ => bb21
            }
        }
        bb90 = {
            (*_136) = (*_95).1;
            match _81.0 {
                2 => bb92,
                17880 => bb95,
                _ => bb71
            }
        }
        bb92 = {
            (*_18) = (130970262459226695022473665274451085234_i128, true);
            match (*_13).0 {
                130970262459226695022473665274451085234 => bb21,
                _ => bb1
            }
        }
        bb95 = {
            (*_29).1 = !_31.0.1;
            match _65.0 {
                7965716767070957183 => bb98,
                _ => bb21
            }
        }
        bb98 = {
            _13 = _108;
            match (*_111).0 {
                1 => bb110,
                _ => bb43
            }
        }
        bb110 = {
            match _81.0 {
                6570 => bb116,
                _ => bb75
            }
        }
        bb116 = {
            _102 = core::ptr::addr_of_mut!(_81.0);
            _168 = _91;
            match (*_62).0 {
                0 => bb92,
                20110871145320553751023625515671144585 => bb131,
                _ => bb162
            }
        }
        bb131 = {
            match *_168 {
                0 => bb116,
                2 => bb92,
                6570 => bb137,
                _ => bb162
            }
        }
        bb137 = {
            (*_62) = (0, true);
            match *_91 {
                2 => bb71,
                6570 => bb142,
                _ => bb141
            }
        }
        bb141 = {
            Call(_24, bb49, fn47())
        }
        bb142 = {
            _62 = _111;
            match *_19 {
                2 => bb162,
                4 => bb146,
                _ => bb149,
            }
        }
        bb149 = {
            Call(_17, bb64, fn49())
        }
        bb146 = {
            (*_139).0 = (*_152) as i128;
            match *_91 {
                0 => bb131,
                4 => bb162,
                6570 => bb142,
                _ => bb141
            }
        }
        bb162 = {
            Return()
        }
    }
}
pub fn fn47() -> (f64, (i16, bool), (f32, bool)) {
    return (0., (0, false), (0., false))
}
pub fn fn49() -> *const bool {
    return std::ptr::null();
}

nikic commented May 31, 2023

; RUN: opt -S -passes=jump-threading < %s
define void @test(i16 %_5.0._5.0.) {
start:
  br label %bb5

bb20:                                             ; preds = %bb19, %bb17, %bb17, %bb14, %bb13
  ret void

bb5:                                              ; preds = %bb16, %bb10, %bb10, %bb8, %start
  %_11.0 = phi ptr [ %_11.5, %bb16 ], [ null, %bb10 ], [ null, %bb8 ], [ null, %bb10 ], [ null, %start ]
  br label %bb8

bb8:                                              ; preds = %bb15, %bb9, %bb5
  %_6.sroa.0.0._6.sroa.0.0._6.sroa.0.0.8 = load i16, ptr null, align 2
  %i = icmp eq i16 %_6.sroa.0.0._6.sroa.0.0._6.sroa.0.0.8, 0
  br i1 %i, label %bb9, label %bb5

bb9:                                              ; preds = %bb8
  switch i16 %_6.sroa.0.0._6.sroa.0.0._6.sroa.0.0.8, label %bb8 [
    i16 1, label %bb10
    i16 0, label %bb13
  ]

bb10:                                             ; preds = %bb14, %bb13, %bb9
  %_2.7 = phi ptr [ %_11.0, %bb14 ], [ %_11.0, %bb13 ], [ null, %bb9 ]
  %i1 = getelementptr { i128, i8 }, ptr %_11.0, i64 0, i32 1
  store i8 0, ptr %i1, align 8
  %i2 = load i128, ptr %_2.7, align 8
  %i3 = icmp eq i128 %i2, 0
  br i1 %i3, label %bb5, label %bb5

bb13:                                             ; preds = %bb14, %bb9
  switch i128 0, label %bb20 [
    i128 0, label %bb10
    i128 1, label %bb14
  ]

bb14:                                             ; preds = %bb19, %bb13
  switch i16 %_5.0._5.0., label %bb20 [
    i16 0, label %bb13
    i16 2, label %bb10
    i16 1, label %bb15
  ]

bb15:                                             ; preds = %bb14
  switch i16 %_5.0._5.0., label %bb16 [
    i16 1, label %bb8
    i16 0, label %bb17
  ]

bb16:                                             ; preds = %bb19, %bb15
  %_11.5 = phi ptr [ null, %bb15 ], [ null, %bb19 ]
  br label %bb5

bb17:                                             ; preds = %bb19, %bb15
  switch i16 %_5.0._5.0., label %bb20 [
    i16 0, label %bb20
    i16 1, label %bb19
  ]

bb19:                                             ; preds = %bb17
  switch i16 %_5.0._5.0., label %bb16 [
    i16 0, label %bb14
    i16 1, label %bb20
    i16 6570, label %bb17
  ]
}

We're crashing because

SizeOffsetType ObjectSizeOffsetVisitor::visitPHINode(PHINode &PN) {
assumes that phi nodes are non-empty.

@nikic nikic self-assigned this May 31, 2023
@nikic nikic closed this as completed in 1379127 May 31, 2023
veselypeta pushed a commit to veselypeta/cherillvm that referenced this issue Aug 27, 2024
Conservatively return unknown in this degenerate case. This is
hard to hit in practice, because such phis are usually optimized
away before they reach a getObjectSize() call.

Fixes llvm/llvm-project#63013.