Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning a different SDNode #65340

Merged
merged 2 commits into from
Sep 6, 2023
Merged

[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning a different SDNode #65340

merged 2 commits into from
Sep 6, 2023

Conversation

jayfoad
Copy link
Contributor

@jayfoad jayfoad commented Sep 5, 2023

SITargetLowering::adjustWritemask calls SelectionDAG::UpdateNodeOperands
to update an EXTRACT_SUBREG node in-place to refer to a new IMAGE_LOAD
instruction, before we delete the old IMAGE_LOAD instruction. But in
UpdateNodeOperands can do CSE on the fly and return a different
EXTRACT_SUBREG node, so the original EXTRACT_SUBREG node would still
exist and would refer to the old deleted IMAGE_LOAD instruction. This
caused errors like:

t31: v3i32,ch = <<Deleted Node!>> # D:1
This target-independent node should have been selected!
UNREACHABLE executed at lib/CodeGen/SelectionDAG/InstrEmitter.cpp:1209!

Fix it by detecting the CSE case and replacing all uses of the original
EXTRACT_SUBREG node with the CSE'd one.

@jayfoad
[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning a diffe…
e05895d 
…rent SDNode

SITargetLowering::adjustWritemask calls SelectionDAG::UpdateNodeOperands
to update an EXTRACT_SUBREG node in-place to refer to a new IMAGE_LOAD
instruction, before we delete the old IMAGE_LOAD instruction. But in
UpdateNodeOperands can do CSE on the fly and return a different
EXTRACT_SUBREG node, so the original EXTRACT_SUBREG node would still
exist and would refer to the old deleted IMAGE_LOAD instruction. This
caused errors like:

t31: v3i32,ch = <<Deleted Node!>> # D:1
This target-independent node should have been selected!
UNREACHABLE executed at lib/CodeGen/SelectionDAG/InstrEmitter.cpp:1209!

Fix it by detecting the CSE case and replacing all uses of the original
EXTRACT_SUBREG node with the CSE'd one.
perlfu
perlfu reviewed Sep 6, 2023
View reviewed changes
Copy link
Contributor

@perlfu perlfu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code change LGTM, but lit test fails as-is.

llvm/test/CodeGen/AMDGPU/adjust-writemask-cse.ll Outdated Show resolved Hide resolved
@jayfoad jayfoad requested a review from a team as a code owner September 6, 2023 07:16
@jayfoad jayfoad merged commit 11171d8 into llvm:main Sep 6, 2023
1 of 2 checks passed
@jayfoad jayfoad deleted the adjust-writemask-cse branch September 6, 2023 11:51
@fmayer
Copy link
Contributor

fmayer commented Sep 6, 2023

This fails with ASAN

FAIL: LLVM :: CodeGen/AMDGPU/adjust-writemask-cse.ll (26993 of 77430)
******************** TEST 'LLVM :: CodeGen/AMDGPU/adjust-writemask-cse.ll' FAILED ********************
Exit Code: 2
Command Output (stderr):
--
+ : 'RUN: at line 2'
+ /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm_build_asan/bin/FileCheck /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/test/CodeGen/AMDGPU/adjust-writemask-cse.ll -check-prefix=GFX10
+ /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm_build_asan/bin/llc -march=amdgcn -mcpu=gfx1030 -stop-after=finalize-isel
=================================================================
==830589==ERROR: AddressSanitizer: use-after-poison on address 0x521000049f90 at pc 0x56385e350ae7 bp 0x7ffe99477540 sp 0x7ffe99477538
WRITE of size 8 at 0x521000049f90 thread T0
    #0 0x56385e350ae6 in removeFromList /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/CodeGen/SelectionDAGNodes.h:361:11
    #1 0x56385e350ae6 in set /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/CodeGen/SelectionDAGNodes.h:1217:22
    #2 0x56385e350ae6 in llvm::SelectionDAG::RemoveDeadNodes(llvm::SmallVectorImpl<llvm::SDNode*>&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:1016:11
    #3 0x56385e3500aa in llvm::SelectionDAG::RemoveDeadNodes() /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:985:3
    #4 0x563857c9fe37 in AMDGPUDAGToDAGISel::PostprocessISelDAG() /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Target/AMDGPU/AMDGPUISelDAGToDAG.cpp:3064:13
    #5 0x56385e4975e2 in llvm::SelectionDAGISel::DoInstructionSelection() /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1186:3
    #6 0x56385e492029 in llvm::SelectionDAGISel::CodeGenAndEmitDAG() /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:949:5
    #7 0x56385e48b04e in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1702:7
    #8 0x56385e4814a5 in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:482:3
    #9 0x563857c6cd73 in AMDGPUDAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Target/AMDGPU/AMDGPUISelDAGToDAG.cpp:135:28
    #10 0x56385c462dd0 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:13
    #11 0x56385d3de3e4 in llvm::FPPassManager::runOnFunction(llvm::Function&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1435:27
    #12 0x56385b5243ea in RunPassOnSCC /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:180:25
    #13 0x56385b5243ea in RunAllPassesOnSCC /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:470:9
    #14 0x56385b5243ea in (anonymous namespace)::CGPassManager::runOnModule(llvm::Module&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:535:18
    #15 0x56385d3e0412 in runOnModule /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1550:27
    #16 0x56385d3e0412 in llvm::legacy::PassManagerImpl::run(llvm::Module&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:535:44
    #17 0x563856b94361 in compileModule /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/tools/llc/llc.cpp:751:8
    #18 0x563856b94361 in main /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/tools/llc/llc.cpp:416:22
    #19 0x7fc4e6c2350f  (/lib/x86_64-linux-gnu/libc.so.6+0x2350f) (BuildId: d1704d25fbbb72fa95d517b883131828c0883fe9)
    #20 0x7fc4e6c235c8 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x235c8) (BuildId: d1704d25fbbb72fa95d517b883131828c0883fe9)
    #21 0x563856aa6664 in _start (/b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm_build_asan/bin/llc+0x77c5664)
0x521000049f90 is located 656 bytes inside of 4096-byte region [0x521000049d00,0x52100004ad00)
allocated by thread T0 here:
    #0 0x563856b7ff52 in operator new(unsigned long, std::align_val_t) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:107:3
    #1 0x5638570c8514 in Allocate /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/Support/AllocatorBase.h:92:12
    #2 0x5638570c8514 in StartNewSlab /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/Support/Allocator.h:339:42
    #3 0x5638570c8514 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::Allocate(unsigned long, llvm::Align) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/Support/Allocator.h:195:5
    #4 0x56385e36ab0c in Allocate /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/Support/Allocator.h:209:12
    #5 0x56385e36ab0c in Allocate<llvm::ConstantSDNode, llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096UL, 4096UL, 128UL> > /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/Support/Recycler.h:89:57
    #6 0x56385e36ab0c in Allocate<llvm::ConstantSDNode> /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/Support/RecyclingAllocator.h:43:47
    #7 0x56385e36ab0c in llvm::ConstantSDNode* llvm::SelectionDAG::newSDNode<llvm::ConstantSDNode, bool&, bool&, llvm::ConstantInt const*&, llvm::EVT&>(bool&, bool&, llvm::ConstantInt const*&, llvm::EVT&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/CodeGen/SelectionDAG.h:405:40
    #8 0x56385e36860c in llvm::SelectionDAG::getConstant(llvm::ConstantInt const&, llvm::SDLoc const&, llvm::EVT, bool, bool) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:1698:9
    #9 0x56385e36506e in getConstant /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:1600:10
    #10 0x56385e36506e in llvm::SelectionDAG::getConstant(unsigned long, llvm::SDLoc const&, llvm::EVT, bool, bool) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:1595:10
    #11 0x56385e29f19e in getTargetConstant /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/CodeGen/SelectionDAG.h:677:12
    #12 0x56385e29f19e in llvm::SelectionDAGBuilder::visitTargetIntrinsic(llvm::CallInst const&, unsigned int) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:4915:23
    #13 0x56385e2a8c68 in llvm::SelectionDAGBuilder::visitIntrinsicCall(llvm::CallInst const&, unsigned int) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:5970:5
    #14 0x56385e24284f in llvm::SelectionDAGBuilder::visitCall(llvm::CallInst const&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:8603:9
    #15 0x56385e215e93 in llvm::SelectionDAGBuilder::visit(llvm::Instruction const&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp:1191:3
    #16 0x56385e48daae in llvm::SelectionDAGISel::SelectBasicBlock(llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::Instruction, true, false, void>, false, true>, bool&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:691:12
    #17 0x56385e48b04e in llvm::SelectionDAGISel::SelectAllBasicBlocks(llvm::Function const&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1702:7
    #18 0x56385e4814a5 in llvm::SelectionDAGISel::runOnMachineFunction(llvm::MachineFunction&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:482:3
    #19 0x563857c6cd73 in AMDGPUDAGToDAGISel::runOnMachineFunction(llvm::MachineFunction&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Target/AMDGPU/AMDGPUISelDAGToDAG.cpp:135:28
    #20 0x56385c462dd0 in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:91:13
    #21 0x56385d3de3e4 in llvm::FPPassManager::runOnFunction(llvm::Function&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1435:27
    #22 0x56385b5243ea in RunPassOnSCC /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:180:25
    #23 0x56385b5243ea in RunAllPassesOnSCC /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:470:9
    #24 0x56385b5243ea in (anonymous namespace)::CGPassManager::runOnModule(llvm::Module&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/Analysis/CallGraphSCCPass.cpp:535:18
    #25 0x56385d3e0412 in runOnModule /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1550:27
    #26 0x56385d3e0412 in llvm::legacy::PassManagerImpl::run(llvm::Module&) /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:535:44
    #27 0x563856b94361 in compileModule /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/tools/llc/llc.cpp:751:8
    #28 0x563856b94361 in main /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/tools/llc/llc.cpp:416:22
    #29 0x7fc4e6c2350f  (/lib/x86_64-linux-gnu/libc.so.6+0x2350f) (BuildId: d1704d25fbbb72fa95d517b883131828c0883fe9)
SUMMARY: AddressSanitizer: use-after-poison /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/include/llvm/CodeGen/SelectionDAGNodes.h:361:11 in removeFromList
Shadow bytes around the buggy address:
  0x521000049d00: f7 f7 f7 04 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00
  0x521000049d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
  0x521000049e00: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
  0x521000049e80: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
  0x521000049f00: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 04 f7
=>0x521000049f80: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 04 f7 f7
  0x52100004a000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 04 f7 f7 f7
  0x52100004a080: f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00
  0x52100004a100: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
  0x52100004a180: 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00
  0x52100004a200: 00 00 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==830589==ABORTING
FileCheck error: '<stdin>' is empty.
FileCheck command line:  /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm_build_asan/bin/FileCheck /b/sanitizer-x86_64-linux-bootstrap-asan/build/llvm-project/llvm/test/CodeGen/AMDGPU/adjust-writemask-cse.ll -check-prefix=GFX10
--

fmayer added a commit that referenced this pull request Sep 6, 2023
@fmayer
Revert "[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning…
42a1d16 
… a different SDNode (#65340)"

This reverts commit 11171d8.

Broke ASAN bot.
@fmayer
Copy link
Contributor

fmayer commented Sep 6, 2023

Reverted in 42a1d16

@jayfoad jayfoad mentioned this pull request Sep 8, 2023
Merged
jayfoad added a commit that referenced this pull request Sep 8, 2023
@jayfoad
[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning a diffe…
8669a9f 
…rent SDNode (#65765)

SITargetLowering::adjustWritemask calls SelectionDAG::UpdateNodeOperands
to update an EXTRACT_SUBREG node in-place to refer to a new IMAGE_LOAD
instruction, before we delete the old IMAGE_LOAD instruction. But in
UpdateNodeOperands can do CSE on the fly and return a different
EXTRACT_SUBREG node, so the original EXTRACT_SUBREG node would still
exist and would refer to the old deleted IMAGE_LOAD instruction. This
caused errors like:

t31: v3i32,ch = <<Deleted Node!>> # D:1
This target-independent node should have been selected!
UNREACHABLE executed at lib/CodeGen/SelectionDAG/InstrEmitter.cpp:1209!

Fix it by detecting the CSE case and replacing all uses of the original
EXTRACT_SUBREG node with the CSE'd one.

Recommit with a fix for a use-after-free bug in the first version of
this patch (#65340) which was caught by asan.
avillega pushed a commit to avillega/llvm-project that referenced this pull request Sep 11, 2023
@jayfoad @avillega
[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning a diffe…
1b83b3e 
…rent SDNode (llvm#65340)

SITargetLowering::adjustWritemask calls SelectionDAG::UpdateNodeOperands
to update an EXTRACT_SUBREG node in-place to refer to a new IMAGE_LOAD
instruction, before we delete the old IMAGE_LOAD instruction. But in
UpdateNodeOperands can do CSE on the fly and return a different
EXTRACT_SUBREG node, so the original EXTRACT_SUBREG node would still
exist and would refer to the old deleted IMAGE_LOAD instruction. This
caused errors like:

t31: v3i32,ch = <<Deleted Node!>> # D:1
This target-independent node should have been selected!
UNREACHABLE executed at lib/CodeGen/SelectionDAG/InstrEmitter.cpp:1209!

Fix it by detecting the CSE case and replacing all uses of the original
EXTRACT_SUBREG node with the CSE'd one.
avillega pushed a commit to avillega/llvm-project that referenced this pull request Sep 11, 2023
@fmayer @avillega
Revert "[AMDGPU] Cope with SelectionDAG::UpdateNodeOperands returning…
b35f3ab 
… a different SDNode (llvm#65340)"

This reverts commit 11171d8.

Broke ASAN bot.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@perlfu perlfu perlfu left review comments

@arsenm arsenm arsenm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jayfoad @fmayer @arsenm @perlfu