release/19.x: [DAGCombiner] Fix ReplaceAllUsesOfValueWith mutation bug in visitFREEZE (#104924) #105627
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@dtcxzyw What do you think about merging this PR to the release branch? |
|
@llvm/pr-subscribers-backend-aarch64 @llvm/pr-subscribers-llvm-selectiondag Author: None (llvmbot) ChangesBackport 278fc8e Requested by: @nikic Full diff: https://github.com/llvm/llvm-project/pull/105627.diff 2 Files Affected:
diff --git a/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp b/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
index aa9032ea2574c4..71cdec91e5f67a 100644
--- a/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
+++ b/llvm/lib/CodeGen/SelectionDAG/DAGCombiner.cpp
@@ -15680,13 +15680,16 @@ SDValue DAGCombiner::visitFREEZE(SDNode *N) {
}
}
- SmallSetVector<SDValue, 8> MaybePoisonOperands;
- for (SDValue Op : N0->ops()) {
+ SmallSet<SDValue, 8> MaybePoisonOperands;
+ SmallVector<unsigned, 8> MaybePoisonOperandNumbers;
+ for (auto [OpNo, Op] : enumerate(N0->ops())) {
if (DAG.isGuaranteedNotToBeUndefOrPoison(Op, /*PoisonOnly*/ false,
/*Depth*/ 1))
continue;
bool HadMaybePoisonOperands = !MaybePoisonOperands.empty();
- bool IsNewMaybePoisonOperand = MaybePoisonOperands.insert(Op);
+ bool IsNewMaybePoisonOperand = MaybePoisonOperands.insert(Op).second;
+ if (IsNewMaybePoisonOperand)
+ MaybePoisonOperandNumbers.push_back(OpNo);
if (!HadMaybePoisonOperands)
continue;
if (IsNewMaybePoisonOperand && !AllowMultipleMaybePoisonOperands) {
@@ -15698,7 +15701,18 @@ SDValue DAGCombiner::visitFREEZE(SDNode *N) {
// it could create undef or poison due to it's poison-generating flags.
// So not finding any maybe-poison operands is fine.
- for (SDValue MaybePoisonOperand : MaybePoisonOperands) {
+ for (unsigned OpNo : MaybePoisonOperandNumbers) {
+ // N0 can mutate during iteration, so make sure to refetch the maybe poison
+ // operands via the operand numbers. The typical scenario is that we have
+ // something like this
+ // t262: i32 = freeze t181
+ // t150: i32 = ctlz_zero_undef t262
+ // t184: i32 = ctlz_zero_undef t181
+ // t268: i32 = select_cc t181, Constant:i32<0>, t184, t186, setne:ch
+ // When freezing the t181 operand we get t262 back, and then the
+ // ReplaceAllUsesOfValueWith call will not only replace t181 by t262, but
+ // also recursively replace t184 by t150.
+ SDValue MaybePoisonOperand = N->getOperand(0).getOperand(OpNo);
// Don't replace every single UNDEF everywhere with frozen UNDEF, though.
if (MaybePoisonOperand.getOpcode() == ISD::UNDEF)
continue;
diff --git a/llvm/test/CodeGen/AArch64/dag-combine-freeze.ll b/llvm/test/CodeGen/AArch64/dag-combine-freeze.ll
new file mode 100644
index 00000000000000..4f0c3d0ce18006
--- /dev/null
+++ b/llvm/test/CodeGen/AArch64/dag-combine-freeze.ll
@@ -0,0 +1,31 @@
+; RUN: llc -mtriple aarch64 -o /dev/null %s
+
+; This used to fail with:
+; Assertion `N1.getOpcode() != ISD::DELETED_NODE &&
+; "Operand is DELETED_NODE!"' failed.
+; Just make sure we do not crash here.
+define void @test_fold_freeze_over_select_cc(i15 %a, ptr %p1, ptr %p2) {
+entry:
+ %a2 = add nsw i15 %a, 1
+ %sext = sext i15 %a2 to i32
+ %ashr = ashr i32 %sext, 31
+ %lshr = lshr i32 %ashr, 7
+ ; Setup an already frozen input to ctlz.
+ %freeze = freeze i32 %lshr
+ %ctlz = call i32 @llvm.ctlz.i32(i32 %freeze, i1 true)
+ store i32 %ctlz, ptr %p1, align 1
+ ; Here is another ctlz, which is used by a frozen select.
+ ; DAGCombiner::visitFREEZE will to try to fold the freeze over a SELECT_CC,
+ ; and when dealing with the condition operand the other SELECT_CC operands
+ ; will be replaced/simplified as well. So the SELECT_CC is mutated while
+ ; freezing the "maybe poison operands". This needs to be handled by
+ ; DAGCombiner::visitFREEZE, as it can't store the list of SDValues that
+ ; should be frozen in a separate data structure that isn't updated when the
+ ; SELECT_CC is mutated.
+ %ctlz1 = call i32 @llvm.ctlz.i32(i32 %lshr, i1 true)
+ %icmp = icmp ne i32 %lshr, 0
+ %select = select i1 %icmp, i32 %ctlz1, i32 0
+ %freeze1 = freeze i32 %select
+ store i32 %freeze1, ptr %p2, align 1
+ ret void
+}
|
…ZE (llvm#104924) In visitFREEZE we have been collecting a set/vector of MaybePoisonOperands that later was iterated over, applying a freeze to those operands. However, C-level fuzzy testing has discovered that the recursiveness of ReplaceAllUsesOfValueWith may cause later operands in the MaybePoisonOperands vector to be replaced when replacing an earlier operand. That would then turn up as Assertion `N1.getOpcode() != ISD::DELETED_NODE && "Operand is DELETED_NODE!"' failed. failures when trying to freeze those later operands. So we need to make sure that the vector with MaybePoisonOperands is mutated as well when needed. Or as the solution used in this patch, make sure to keep track of operand numbers that should be frozen instead of having a vector of SDValues. And then we can refetch the operands while iterating over operand numbers. The problem was seen after adding SELECT_CC to the set of operations including in "AllowMultipleMaybePoisonOperands". I'm not sure, but I guess that this could happen for other operations as well for which we allow multiple maybe poison operands. (cherry picked from commit 278fc8e)
|
@nikic (or anyone else). If you would like to add a note about this fix in the release notes (completely optional). Please reply to this comment with a one or two sentence description of the fix. When you are done, please add the release:note label to this PR. |
I've only seen this problem when SELECT_CC is involved, and that started happening after a patch that landed on trunk about a month ago. So this fixes a problem that otherwise would be introduced in LLVM 19.1.0, and then I guess it isn't interesting for release notes. Right? |
|
That's fine - I only really use the comment release notes for post-final anyway. |
We should disable the comment for RCs then :) |
yes I think that would be good. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 278fc8e
Requested by: @nikic