Skip to content

[JumpThreading] Miscompilation: PHI loses per-edge value after threading #157061

New issue
New issue
Open
Open
[JumpThreading] Miscompilation: PHI loses per-edge value after threading#157061
Labels
llvm:optimizationsmiscompilation
@zitongzhoueric

Description

@zitongzhoueric
zitongzhoueric
opened on Sep 5, 2025

To reproduce: https://alive2.llvm.org/ce/z/C24xBT
alive-tv -passes=jump-threading produces:

@g = global 4 bytes, align 4

define i32 @f(ptr %p) {
entry:
  %x = load i64, ptr %p, align 8
  %m1 = and i64 %x, 64
  %c1 = icmp ne i64 %m1, 0
  %v_entry = add i32 0, 0
  br i1 %c1, label %then, label %end

then:
  %m2 = and i64 %x, 64
  %c2 = icmp ne i64 %m2, 0
  %v_then = load i32, ptr @g, align 4
  br i1 %c2, label %mid, label %end

mid:
  br label %end

end:
  %phi = phi i32 [ undef, %mid ], [ %v_then, %then ], [ %v_entry, %entry ]
  ret i32 %phi
}
=>
@g = global 4 bytes, align 4

define i32 @f(ptr %p) {
entry:
  %x = load i64, ptr %p, align 8
  %m1 = and i64 %x, 64
  %c1 = icmp ne i64 %m1, 0
  %v_entry = add i32 0, 0
  br i1 %c1, label %then, label %end

then:
  %m2 = and i64 %x, 64
  %c2 = icmp ne i64 %m2, 0
  %v_then = load i32, ptr @g, align 4
  br i1 %c2, label %end, label %end

end:
  %phi = phi i32 [ %v_then, %then ], [ %v_entry, %entry ], [ %v_then, %then ]
  ret i32 %phi
}
Transformation doesn't verify!

ERROR: Target is more poisonous than source

Example:
ptr %p = pointer(non-local, block_id=2, offset=0) / Address=#x08

Source:
i64 %x = #x0000000000000040 (64)
i64 %m1 = #x0000000000000040 (64)
i1 %c1 = #x1 (1)
i32 %v_entry = #x00000000 (0)
  >> Jump to %then
i64 %m2 = #x0000000000000040 (64)
i1 %c2 = #x1 (1)
i32 %v_then = poison
  >> Jump to %mid
  >> Jump to %end
i32 %phi = #x00000003 (3)	[based on undef]

SOURCE MEMORY STATE
===================
NON-LOCAL BLOCKS:
Block 0 >	size: 0	align: 4	alloc type: 0	alive: false	address: #x00
Block 1 >	size: 4	align: 4	alloc type: 0	alive: true	address: #x04
Contents:
poison

Block 2 >	size: 8	align: 1	alloc type: 0	alive: true	address: #x08
Contents:
1: #x00000000
0: #x00000040
*: poison


Target:
i64 %x = #x0000000000000040 (64)
i64 %m1 = #x0000000000000040 (64)
i1 %c1 = #x1 (1)
i32 %v_entry = #x00000000 (0)
  >> Jump to %then
i64 %m2 = #x0000000000000040 (64)
i1 %c2 = #x1 (1)
i32 %v_then = poison
  >> Jump to %end
i32 %phi = poison
Source value: #x00000003 (3)	[based on undef]
Target value: poison

Summary:
  0 correct transformations
  1 incorrect transformations
  0 failed-to-prove transformations
  0 Alive2 errors

Metadata

Metadata

Assignees

No one assigned

    Labels

    llvm:optimizationsmiscompilation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions