
[X86] UNREACHABLE executed at llvm\lib\Target\X86\X86FlagsCopyLowering.cpp #75507

Open RKSimon opened 10 months ago

RKSimon commented 10 months ago

Reduced from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64822

; Fuzz-reduced reproducer. The only way into %bb7/%bb8/%BB2 is the false
; edge of a branch whose condition is `or i1 %C33, true`, i.e. constant true,
; so those blocks are statically dead; the EFLAGS copy the X86 pass trips on
; is produced for the i128 compare/branch inside that dead loop.
define fastcc void @func() {
entry:
  br label %bb5

bb5:                                              ; preds = %entry
  ; `fcmp true` is the always-true predicate; %C33 only feeds the `or` below.
  %C33 = fcmp true float 0x36A0000000000000, 0x36A0000000000000
  %B43 = or i1 %C33, true                          ; constant true regardless of %C33
  br i1 %B43, label %overflow, label %bb7          ; always goes to %overflow; the %bb7 edge is dead

bb7:                                              ; preds = %bb5
  br label %bb8

bb8:                                              ; preds = %bb8, %bb7
  ; i128 load from null: the MIR dump in the comment below lowers this to two
  ; 64-bit loads (CMP64rm at offset 0, SBB64rm at offset 8).
  %L7 = load i128, ptr null, align 4
  ; 18446744073709551616 == 2^64; the i128 signed compare becomes a
  ; CMP/SBB pair whose result lives in $eflags.
  %C19 = icmp sgt i128 %L7, 18446744073709551616
  ; %C19 is used both as a value (GEP index, materialized via SETCC) and as the
  ; loop branch condition, so the flags must survive across the GEP/store below.
  %G21 = getelementptr i128, ptr null, i1 %C19
  store ptr %G21, ptr undef, align 8
  br i1 %C19, label %bb8, label %BB2

BB2:                                              ; preds = %bb8
  unreachable

overflow:                                         ; preds = %bb5
  ret void
}

llc -mtriple=x86_64-- fuzz.ll -o -

        .text
        .file   "fuzz.ll"
Unlowered EFLAGS copy!
UNREACHABLE executed at E:\llvm\llvm-project\llvm\lib\Target\X86\X86FlagsCopyLowering.cpp:706!
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: ninja\\bin\\llc -mtriple=x86_64-- fuzz.ll -o -
1.      Running pass 'Function Pass Manager' on module 'fuzz.ll'.
2.      Running pass 'X86 EFLAGS copy lowering' on function '@func'
Exception Code: 0x80000003
 #0 0x00007ff6f1cad7d5 HandleAbort E:\llvm\llvm-project\llvm\lib\Support\Windows\Signals.inc:424:0
 #1 0x00007ff862e51881 (C:\Windows\System32\ucrtbase.dll+0x71881)
 #2 0x00007ff862e52851 (C:\Windows\System32\ucrtbase.dll+0x72851)
 #3 0x00007ff6f1bcc087 llvm::llvm_unreachable_internal(char const *, char const *, unsigned int) E:\llvm\llvm-project\llvm\lib\Support\ErrorHandling.cpp:212:0
 #4 0x00007ff6f011cb72 `anonymous namespace'::X86FlagsCopyLoweringPass::runOnMachineFunction E:\llvm\llvm-project\llvm\lib\Target\X86\X86FlagsCopyLowering.cpp:706:0
llvmbot commented 10 months ago

@llvm/issue-subscribers-backend-x86

Author: Simon Pilgrim (RKSimon)

Reduced from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64822 ```ll define fastcc void @func() { entry: br label %bb5 bb5: ; preds = %entry %C33 = fcmp true float 0x36A0000000000000, 0x36A0000000000000 %B43 = or i1 %C33, true br i1 %B43, label %overflow, label %bb7 bb7: ; preds = %bb5 br label %bb8 bb8: ; preds = %bb8, %bb7 %L7 = load i128, ptr null, align 4 %C19 = icmp sgt i128 %L7, 18446744073709551616 %G21 = getelementptr i128, ptr null, i1 %C19 store ptr %G21, ptr undef, align 8 br i1 %C19, label %bb8, label %BB2 BB2: ; preds = %bb8 unreachable overflow: ; preds = %bb5 ret void } ``` llc -mtriple=x86_64-- fuzz.ll -o - ```asm .text .file "fuzz.ll" Unlowered EFLAGS copy! UNREACHABLE executed at E:\llvm\llvm-project\llvm\lib\Target\X86\X86FlagsCopyLowering.cpp:706! PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace. Stack dump: 0. Program arguments: ninja\\bin\\llc -mtriple=x86_64-- fuzz.ll -o - 1. Running pass 'Function Pass Manager' on module 'fuzz.ll'. 2. Running pass 'X86 EFLAGS copy lowering' on function '@func' Exception Code: 0x80000003 #0 0x00007ff6f1cad7d5 HandleAbort E:\llvm\llvm-project\llvm\lib\Support\Windows\Signals.inc:424:0 #1 0x00007ff862e51881 (C:\Windows\System32\ucrtbase.dll+0x71881) #2 0x00007ff862e52851 (C:\Windows\System32\ucrtbase.dll+0x72851) #3 0x00007ff6f1bcc087 llvm::llvm_unreachable_internal(char const *, char const *, unsigned int) E:\llvm\llvm-project\llvm\lib\Support\ErrorHandling.cpp:212:0 #4 0x00007ff6f011cb72 `anonymous namespace'::X86FlagsCopyLoweringPass::runOnMachineFunction E:\llvm\llvm-project\llvm\lib\Target\X86\X86FlagsCopyLowering.cpp:706:0 ```
e-kud commented 7 months ago

This is the same as https://github.com/llvm/llvm-project/issues/42534: the COPY instruction is in an unreachable basic block:

# *** IR Dump Before X86 EFLAGS copy lowering (x86-flags-copy-lowering) ***:
# Machine code for function func: IsSSA, TracksLiveness

bb.0.entry:
  successors: %bb.5(0x80000000); %bb.5(100.00%)

  JMP_1 %bb.5

bb.6.bb5:
  successors: %bb.5(0x80000000), %bb.2(0x00000000); %bb.5(100.00%), %bb.2(0.00%)

  %0:gr8 = MOV8ri 1
  TEST8rr %0:gr8, %0:gr8, implicit-def $eflags
  JCC_1 %bb.5, 5, implicit $eflags
  JMP_1 %bb.2

bb.2.bb7:
; predecessors: %bb.6
  successors: %bb.3(0x80000000); %bb.3(100.00%)

bb.3.bb8:
; predecessors: %bb.2, %bb.3
  successors: %bb.3(0x80000000), %bb.4(0x00000000); %bb.3(100.00%), %bb.4(0.00%)

  %1:gr32 = MOV32r0 implicit-def dead $eflags
  %2:gr64 = SUBREG_TO_REG 0, killed %1:gr32, %subreg.sub_32bit
  CMP64rm %2:gr64, $noreg, 1, $noreg, 0, $noreg, implicit-def $eflags :: (load (s64) from `ptr null`, align 4)
  %4:gr64 = MOV32ri64 1
  %5:gr64 = SBB64rm %4:gr64(tied-def 0), $noreg, 1, $noreg, 8, $noreg, implicit-def $eflags, implicit $eflags :: (load (s64) from `ptr null` + 8, align 4)
  %6:gr64 = COPY $eflags
  %7:gr8 = SETCCr 12, implicit $eflags
  %8:gr32 = MOVZX32rr8 killed %7:gr8
  %9:gr64 = SUBREG_TO_REG 0, killed %8:gr32, %subreg.sub_32bit
  %10:gr64 = NEG64r %9:gr64(tied-def 0), implicit-def dead $eflags
  %11:gr64 = SHL64ri %10:gr64(tied-def 0), 4, implicit-def dead $eflags
  $eflags = COPY %6:gr64
  %12:gr64 = IMPLICIT_DEF
  MOV64mr killed %12:gr64, 1, $noreg, 0, $noreg, killed %11:gr64 :: (store (s64) into `ptr undef`)
  JCC_1 %bb.3, 12, implicit $eflags
  JMP_1 %bb.4

bb.4.BB2:
; predecessors: %bb.3

bb.5.overflow:
; predecessors: %bb.6, %bb.0

  RET 0

However, I can't reproduce https://github.com/llvm/llvm-project/issues/42534 with llc 17.0.1 or later, as no `COPY $eflags` instruction is emitted anymore: https://godbolt.org/z/Yjxo9s3as