From 19255e0c70e35c4d986243681eaa47071b7d6200 Mon Sep 17 00:00:00 2001 From: Evan Cheng Date: Tue, 2 Oct 2012 23:49:13 +0000 Subject: [PATCH] Fix a serious X86 instruction selection bug. In X86DAGToDAGISel::PreprocessISelDAG(), isel is moving load inside callseq_start / callseq_end so it can be folded into a call. This can create a cycle in the DAG when the call is glued to a copytoreg. We have been lucky this hasn't caused too many issues because the pre-ra scheduler has special handling of call sequences. However, it has caused a crash in a specific tailcall case. rdar://12393897 llvm-svn: 165072 --- lib/Target/X86/X86ISelDAGToDAG.cpp | 17 ++++++++++++++--- test/CodeGen/X86/2012-10-02-DAGCycle.ll | 16 ++++++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 test/CodeGen/X86/2012-10-02-DAGCycle.ll diff --git a/lib/Target/X86/X86ISelDAGToDAG.cpp b/lib/Target/X86/X86ISelDAGToDAG.cpp index b4c71548a2b..98778c3091e 100644 --- a/lib/Target/X86/X86ISelDAGToDAG.cpp +++ b/lib/Target/X86/X86ISelDAGToDAG.cpp @@ -362,7 +362,7 @@ X86DAGToDAGISel::IsProfitableToFold(SDValue N, SDNode *U, SDNode *Root) const { /// MoveBelowCallOrigChain - Replace the original chain operand of the call with /// load's chain operand and move load below the call's chain operand. static void MoveBelowOrigChain(SelectionDAG *CurDAG, SDValue Load, - SDValue Call, SDValue OrigChain) { + SDValue Call, SDValue OrigChain) { SmallVector Ops; SDValue Chain = OrigChain.getOperand(0); if (Chain.getNode() == Load.getNode()) @@ -386,11 +386,22 @@ static void MoveBelowOrigChain(SelectionDAG *CurDAG, SDValue Load, CurDAG->UpdateNodeOperands(OrigChain.getNode(), &Ops[0], Ops.size()); CurDAG->UpdateNodeOperands(Load.getNode(), Call.getOperand(0), Load.getOperand(1), Load.getOperand(2)); + + bool IsGlued = Call.getOperand(0).getNode()->getGluedUser() == Call.getNode(); + unsigned NumOps = Call.getNode()->getNumOperands(); Ops.clear(); Ops.push_back(SDValue(Load.getNode(), 1)); - for (unsigned i = 1, e = Call.getNode()->getNumOperands(); i != e; ++i) + for (unsigned i = 1, e = NumOps; i != e; ++i) Ops.push_back(Call.getOperand(i)); - CurDAG->UpdateNodeOperands(Call.getNode(), &Ops[0], Ops.size()); + if (!IsGlued) + CurDAG->UpdateNodeOperands(Call.getNode(), &Ops[0], NumOps); + else + // If call's chain was glued to the call (tailcall), and now the load + // is moved between them. Remove the glue to avoid a cycle (where the + // call is glued to its old chain and the load is using the old chain + // as its new chain). + CurDAG->MorphNodeTo(Call.getNode(), Call.getOpcode(), + Call.getNode()->getVTList(), &Ops[0], NumOps-1); } /// isCalleeLoad - Return true if call address is a load and it can be diff --git a/test/CodeGen/X86/2012-10-02-DAGCycle.ll b/test/CodeGen/X86/2012-10-02-DAGCycle.ll new file mode 100644 index 00000000000..9d2b7ea8525 --- /dev/null +++ b/test/CodeGen/X86/2012-10-02-DAGCycle.ll @@ -0,0 +1,16 @@ +; RUN: llc -mtriple=i386-apple-macosx -relocation-model=pic < %s +; rdar://12393897 + +%TRp = type { i32, %TRH*, i32, i32 } +%TRH = type { i8*, i8*, i8*, i8*, {}* } + +define i32 @t(%TRp* inreg %rp) nounwind optsize ssp { +entry: + %handler = getelementptr inbounds %TRp* %rp, i32 0, i32 1 + %0 = load %TRH** %handler, align 4 + %sync = getelementptr inbounds %TRH* %0, i32 0, i32 4 + %sync12 = load {}** %sync, align 4 + %1 = bitcast {}* %sync12 to i32 (%TRp*)* + %call = tail call i32 %1(%TRp* inreg %rp) nounwind optsize + ret i32 %call +}