| Field | Value |
| --- | --- |
| Issue | 63380 |
| Summary | [SCCP] SCCP pass replaces vector with scalar constant, causing either crash or miscompilation |
| Labels | |
| Assignees | |
| Reporter | Benjins |

SCCP is sometimes able to reduce vector expressions to a constant. However, when it does this replacement, it does so using the scalar element type, instead of the vector type.

[Minimal repro](https://godbolt.org/z/s6qcf3vPW) (this causes a crash with assertions when trying to replace `<4 x i32>` with an `i32`):

```llvm
define dso_local <4 x i32> @do_stuff(<4 x i32> %input) local_unnamed_addr {

  %ctlz.1 = tail call <4 x i32> @llvm.ctlz.v4i32(<4 x i32> %input, i1 false)
  %ctlz.2 = tail call <4 x i32> @llvm.ctlz.v4i32(<4 x i32> %ctlz.1, i1 true)
  %ctlz.3 = tail call <4 x i32> @llvm.ctlz.v4i32(<4 x i32> %ctlz.2, i1 true)

  ret <4 x i32> %ctlz.3
}

declare <4 x i32> @llvm.ctlz.v4i32(<4 x i32>, i1 immarg) #0
attributes #0 = { nocallback nofree nosync nounwind speculatable willreturn memory(none) }
```

When calculating a constant range, the range seems to be created based on the element type of the vector:
https://github.com/llvm/llvm-project/blob/59723e401bcad2650bcbfc39e7fe8479dfc7f62b/llvm/lib/Transforms/Utils/SCCPSolver.cpp#L45-L51

Then when a constant value is created from that, it has the type of the element, not the vector:
https://github.com/llvm/llvm-project/blob/59723e401bcad2650bcbfc39e7fe8479dfc7f62b/llvm/lib/Transforms/Utils/SCCPSolver.cpp#L912-L916

[Here is a minimal C++ Repro](https://godbolt.org/z/bGTqKK733): in this case, invalid IR was generated after replacing the vector with a scalar, and that led to invalid assembly being produced (assuming assertions are not enabled)

```cpp
#include <arm_neon.h>
#include <stdint.h>

uint32x4_t do_stuff(uint16_t InputScalar) {
	uint16x4_t InputVector_01 = vcreate_u16(InputScalar);
	uint32x4_t InputVector_02 = vshll_n_u16(InputVector_01, 0);

	uint32x4_t Clz_01 = vclzq_u32(InputVector_02);
	uint32x4_t Clz_02 = vclzq_u32(Clz_01);
	uint32x4_t Clz_03 = vclzq_u32(Clz_02);

	return Clz_03;
}
```

From looking at the code, I don't think this is exclusive to `ctlz` (count leading zeros). However, I couldn't find another sequence that SCCP would reduce to a constant for a vector type

I have confirmed that this issue still repros on the latest trunk, 59723e401bcad2650bcbfc39e7fe8479dfc7f62b

For priority/triage purposes: this was not found in manually written code, but was found by a fuzzer to test SIMD codegen
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
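
The following Python sketch is an added illustration, not code from the report or from LLVM. It models, in simplified form, the per-element range reasoning for the IR repro above and contrasts materializing the resulting constant with the element type (the behaviour the report describes) against splatting it to the vector type; all function names and the tuple encoding of types are hypothetical.

```python
# Added illustration: a simplified model, not LLVM's implementation.
BITS = 32

def ctlz(x):
    """Count leading zeros of a 32-bit unsigned value."""
    return BITS - x.bit_length()

def ctlz_range(lo, hi, zero_is_poison):
    """Range of ctlz over the unsigned interval [lo, hi].
    ctlz is monotonically non-increasing, so the endpoints suffice."""
    if zero_is_poison:
        lo = max(lo, 1)  # a zero input yields poison, so it can be excluded
    return ctlz(hi), ctlz(lo)

def repro_range():
    """Per-element range after the three ctlz calls in the IR repro."""
    r = (0, 2**BITS - 1)          # %input: any i32 element
    r = ctlz_range(*r, False)     # %ctlz.1 -> [0, 32]
    r = ctlz_range(*r, True)      # %ctlz.2 -> [26, 31]
    return ctlz_range(*r, True)   # %ctlz.3 -> [27, 27]

def materialize(rng, value_type, splat):
    """Turn a single-element range into a (type, lanes) constant.
    value_type is (lane_count, element_type); lane_count 1 models a scalar."""
    lo, hi = rng
    if lo != hi:
        return None               # range is not a single constant
    lanes, elem = value_type
    if splat and lanes > 1:
        return (value_type, [lo] * lanes)  # constant of the value's own type
    return ((1, elem), [lo])      # element-typed constant, as in the report

def replace_all_uses(value_type, const):
    """Model of the type check that trips as an assertion in the report."""
    const_type, _ = const
    if const_type != value_type:
        raise TypeError(f"replacing {value_type} with {const_type}")
    return const
```
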
