llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

SDAG uses deleted node (UNREACHABLE executed at SelectionDAG/InstrEmitter.cpp:1209) #63312

Open chfast opened 1 year ago

chfast commented 1 year ago

t225: ch = <<Deleted Node!>>
This target-independent node should have been selected!
UNREACHABLE executed at /root/llvm-project/llvm/lib/CodeGen/SelectionDAG/InstrEmitter.cpp:1209!
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.  Program arguments: /opt/compiler-explorer/clang-assertions-trunk/bin/llc -o /app/output.s -x86-asm-syntax=intel <source>
1.  Running pass 'Function Pass Manager' on module '<source>'.
2.  Running pass 'X86 DAG->DAG Instruction Selection' on function '@f'
 #0 0x00000000033e3648 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x33e3648)
 #1 0x00000000033e0d7c SignalHandler(int) Signals.cpp:0:0
 #2 0x00007f1ccc4e2420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #3 0x00007f1ccbfa500b raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b)
 #4 0x00007f1ccbf84859 abort (/lib/x86_64-linux-gnu/libc.so.6+0x22859)
 #5 0x000000000333762a (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x333762a)
 #6 0x0000000003230ea8 llvm::InstrEmitter::EmitSpecialNode(llvm::SDNode*, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register>>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x3230ea8)
 #7 0x00000000030cd3b9 llvm::ScheduleDAGSDNodes::EmitSchedule(llvm::MachineInstrBundleIterator<llvm::MachineInstr, false>&)::'lambda'(llvm::SDNode*, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register>>&)::operator()(llvm::SDNode*, bool, bool, llvm::DenseMap<llvm::SDValue, llvm::Register, llvm::DenseMapInfo<llvm::SDValue, void>, llvm::detail::DenseMapPair<llvm::SDValue, llvm::Register>>&) const ScheduleDAGSDNodes.cpp:0:0
 #8 0x00000000030d02ea llvm::ScheduleDAGSDNodes::EmitSchedule(llvm::MachineInstrBundleIterator<llvm::MachineInstr, false>&) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x30d02ea)
 #9 0x00000000031b73fc llvm::SelectionDAGISel::CodeGenAndEmitDAG() (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x31b73fc)
#10 0x00000000031ba858 llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x31ba858)
#11 0x00000000031bc552 llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) (.part.0) SelectionDAGISel.cpp:0:0
#12 0x0000000001bd3efc (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) X86ISelDAGToDAG.cpp:0:0
#13 0x00000000026c7e89 llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (.part.0) MachineFunctionPass.cpp:0:0
#14 0x0000000002c41f69 llvm::FPPassManager::runOnFunction(llvm::Function&) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x2c41f69)
#15 0x0000000002c421a1 llvm::FPPassManager::runOnModule(llvm::Module&) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x2c421a1)
#16 0x0000000002c429c2 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/opt/compiler-explorer/clang-assertions-trunk/bin/llc+0x2c429c2)
#17 0x0000000000760a72 compileModule(char**, llvm::LLVMContext&) llc.cpp:0:0

target triple = "x86_64-unknown-linux-gnu"

@G.2 = external global ptr
@G.9 = external global i32
@G.13 = external global i32
@G.16 = external global i64

define i32 @f(ptr %A, i64 %L8, ptr %G4) {
BB:
  %LGV17 = load i64, ptr @G.16, align 4
  %LGV1 = load i32, ptr @G.13, align 4
  %LGV = load i32, ptr @G.9, align 4
  %A1 = alloca ptr, i32 0, align 8
  %C18 = icmp ne i32 %LGV1, 0
  %L202 = load i64, ptr %A1, align 4
  store ptr undef, ptr %A1, align 8
  %RP = alloca i32, i32 0, align 4
  %L14 = load i16, ptr %RP, align 2
  %L83 = load i64, ptr %RP, align 4
  %0 = load i32, ptr %RP, align 4
  %G7 = getelementptr i32, ptr %A1, i64 %L8
  %L23 = load float, ptr %A1, align 4
  %L12 = load i64, ptr %G7, align 4
  %L34 = load i64, ptr %A1, align 4
  %G45 = getelementptr i8, ptr %A1, i64 %L34
  %L19 = load i64, ptr %G45, align 4
  %L6 = load i32, ptr null, align 4
  store i1 false, ptr %RP, align 1
  %B7 = or i32 %L6, %0
  %L13 = load i1, ptr null, align 1
  %L9 = load i8, ptr null, align 1
  %L5 = load double, ptr null, align 8
  %L26 = load i32, ptr null, align 4
  %L = load double, ptr %A, align 8
  %G1 = getelementptr ptr, ptr %A1, i1 true
  %L16 = load i64, ptr %G1, align 4
  %C6 = fcmp olt double %L, %L5
  store ptr null, ptr %A1, align 8
  %C12 = icmp ult i8 0, %L9
  store ptr null, ptr @G.2, align 8
  store ptr null, ptr %G1, align 8
  store i16 %L14, ptr %G45, align 2
  %B29 = xor i32 %L26, %LGV
  store i1 %C6, ptr null, align 1
  store i1 %C12, ptr %A, align 1
  %B18 = lshr i64 %L16, %LGV17
  %C25 = fcmp ord float 0.000000e+00, %L23
  store i64 %B18, ptr null, align 4
  store i32 0, ptr %A, align 4
  store i64 %L19, ptr null, align 4
  store i1 %C25, ptr %A, align 1
  %C24 = icmp ult i64 0, %L12
  store i1 %C24, ptr null, align 1
  store i1 %L13, ptr %G4, align 1
  store i1 %C18, ptr %A, align 1
  store i32 %B29, ptr null, align 4
  ret i32 %B7
}

https://godbolt.org/z/esb7eoc3v

When using a build with ASan this reports the following issue:

=================================================================                                                                                                                                                                                        
==689305==ERROR: AddressSanitizer: use-after-poison on address 0x62100003c9b4 at pc 0x555563315bf4 bp 0x7fffffffc540 sp 0x7fffffffc538                                                                                                                   
READ of size 4 at 0x62100003c9b4 thread T0                                                                                                                                                                                                               
    #0 0x555563315bf3 in getIROrder /blockchain/projects/llvm-project/llvm/include/llvm/CodeGen/SelectionDAGNodes.h:736:40                                                                                                                               
    #1 0x555563315bf3 in getNodeOrdering /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1810:27                                                                                                                   
    #2 0x555563315bf3 in (anonymous namespace)::src_ls_rr_sort::operator()(llvm::SUnit*, llvm::SUnit*) const /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:2665:26                                               
    #3 0x55556331564c in popFromQueueImpl<(anonymous namespace)::src_ls_rr_sort> /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1859:9                                                                            
    #4 0x55556331564c in llvm::SUnit* (anonymous namespace)::popFromQueue<(anonymous namespace)::src_ls_rr_sort>(std::vector<llvm::SUnit*, std::allocator<llvm::SUnit*>>&, (anonymous namespace)::src_ls_rr_sort&, llvm::ScheduleDAG*) /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1877:10
    #5 0x555563315e2c in (anonymous namespace)::RegReductionPriorityQueue<(anonymous namespace)::src_ls_rr_sort>::pop() /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1911:16                                    
    #6 0x5555632ee7c2 in (anonymous namespace)::ScheduleDAGRRList::PickNodeToScheduleBottomUp() /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1478:70                                                            
    #7 0x5555632e8e21 in ListScheduleBottomUp /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:1631:17                                                                                                              
    #8 0x5555632e8e21 in (anonymous namespace)::ScheduleDAGRRList::Schedule() /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/ScheduleDAGRRList.cpp:383:3                                                                                
    #9 0x555563628b26 in llvm::SelectionDAGISel::CodeGenAndEmitDAG() /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:965:16                                                                                         
    #10 0x55556361f547 in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1702:7                                                                
    #11 0x555563612d33 in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /blockchain/projects/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:482:3                                                                
    #12 0x55555eb30b17 in (anonymous namespace)::X86DAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /blockchain/projects/llvm-project/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:191:25                                                          
    #13 0x555560f97f92 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /blockchain/projects/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:13                                                                                     
    #14 0x55556231eb91 in llvm::FPPassManager::runOnFunction(llvm::Function&) /blockchain/projects/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1435:27                                                                                                
    #15 0x55556233d942 in llvm::FPPassManager::runOnModule(llvm::Module&) /blockchain/projects/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1481:16                                                                                                    
    #16 0x555562320d55 in runOnModule /blockchain/projects/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1550:27                                                                                                                                        
    #17 0x555562320d55 in llvm::legacy::PassManagerImpl::run(llvm::Module&) /blockchain/projects/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:535:44                                                                                                   
    #18 0x55555a3dabe1 in compileModule /blockchain/projects/llvm-project/llvm/tools/llc/llc.cpp:754:8                                                                                                                                                   
    #19 0x55555a3dabe1 in main /blockchain/projects/llvm-project/llvm/tools/llc/llc.cpp:416:22

llvmbot commented 1 year ago

@llvm/issue-subscribers-backend-x86

chfast commented 1 year ago

This has been "fixed" by https://github.com/llvm/llvm-project/commit/e6b85c30276d8e35ed302b2defd7d17637d6edb3, but I expect it only hid the problem by modifying the DAG additionally. I will be able to report similar issues using my fuzzing corpus, but I'll do it separately.

Release 17 is still crashing, but I don't think it makes sense to backport the commit, as it is not the proper fix.

RKSimon commented 1 year ago

@chfast Was the reported IR the original fuzz test or had it been reduced?

chfast commented 1 year ago

It was reduced with llvm-reduce, but I'm not sure I still have the original one.

chfast commented 1 year ago

Updated the description with a new test case.