diff options
| author | Johannes Reifferscheid <jreiffers@google.com> | 2022-08-03 07:07:55 +0200 |
|---|---|---|
| committer | Johannes Reifferscheid <jreiffers@google.com> | 2022-08-03 11:08:01 +0200 |
| commit | 7ae5d00afaf39fae78e411cb44f665e1dc52b356 (patch) | |
| tree | 02f9035e1d0b79e312df9171f7348993c48a5809 /llvm | |
| parent | f4b9c0735e339b177d98fe69cf210eea00c0af62 (diff) | |
| download | llvm-7ae5d00afaf39fae78e411cb44f665e1dc52b356.zip llvm-7ae5d00afaf39fae78e411cb44f665e1dc52b356.tar.gz llvm-7ae5d00afaf39fae78e411cb44f665e1dc52b356.tar.bz2 | |
Fix a stack overflow in ScalarEvolution.
Unfortunately, this overflow is extremely hard to reproduce reliably (in fact, I was unable to do so). The issue is that:
- getOperandsToCreate sometimes skips creating an SCEV for the LHS
- then, createSCEV is called for the BinaryOp
- ... which calls getNoWrapFlagsFromUB
- ... which under certain circumstances calls isSCEVExprNeverPoison
- ... which under certain circumstances requires the SCEVs of all operands
For certain deep dependency trees, this causes a stack overflow.
Reviewed By: bkramer, fhahn
Differential Revision: https://reviews.llvm.org/D129745
Diffstat (limited to 'llvm')
| -rw-r--r-- | llvm/lib/Analysis/ScalarEvolution.cpp | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/llvm/lib/Analysis/ScalarEvolution.cpp b/llvm/lib/Analysis/ScalarEvolution.cpp index 5777592..f5f5e67 100644 --- a/llvm/lib/Analysis/ScalarEvolution.cpp +++ b/llvm/lib/Analysis/ScalarEvolution.cpp @@ -7289,7 +7289,8 @@ ScalarEvolution::getOperandsToCreate(Value *V, SmallVectorImpl<Value *> &Ops) { if (auto BO = MatchBinaryOp(U, DT)) { bool IsConstArg = isa<ConstantInt>(BO->RHS); switch (BO->Opcode) { - case Instruction::Add: { + case Instruction::Add: + case Instruction::Mul: { // For additions and multiplications, traverse add/mul chains for which we // can potentially create a single SCEV, to reduce the number of // get{Add,Mul}Expr calls. @@ -7302,30 +7303,24 @@ ScalarEvolution::getOperandsToCreate(Value *V, SmallVectorImpl<Value *> &Ops) { } Ops.push_back(BO->RHS); auto NewBO = MatchBinaryOp(BO->LHS, DT); - if (!NewBO || (NewBO->Opcode != Instruction::Add && - NewBO->Opcode != Instruction::Sub)) { + if (!NewBO || + (U->getOpcode() == Instruction::Add && + (NewBO->Opcode != Instruction::Add && + NewBO->Opcode != Instruction::Sub)) || + (U->getOpcode() == Instruction::Mul && + NewBO->Opcode != Instruction::Mul)) { Ops.push_back(BO->LHS); break; } - BO = NewBO; - } while (true); - return nullptr; - } - - case Instruction::Mul: { - do { - if (BO->Op) { - if (BO->Op != V && getExistingSCEV(BO->Op)) { - Ops.push_back(BO->Op); + // CreateSCEV calls getNoWrapFlagsFromUB, which under certain conditions + // requires a SCEV for the LHS. + if (NewBO->Op && (NewBO->IsNSW || NewBO->IsNUW)) { + if (auto *I = dyn_cast<Instruction>(NewBO->Op); + I && programUndefinedIfPoison(I)) { + Ops.push_back(BO->LHS); break; } } - Ops.push_back(BO->RHS); - auto NewBO = MatchBinaryOp(BO->LHS, DT); - if (!NewBO || NewBO->Opcode != Instruction::Mul) { - Ops.push_back(BO->LHS); - break; - } BO = NewBO; } while (true); return nullptr; |