AMDGPU: Fix use-after-free in SIOptimizeExecMasking

Summary: There was a bug with sequences like s_mov_b64 s[0:1], exec s_and_b64 s[2:3]<def>, s[0:1], s[2:3]<kill> ... s_mov_b64_term exec, s[2:3] because s[2:3] was defined and used in the same instruction, ending up with SaveExecInst inside OtherUseInsts. Note that the test case also exposes an unrelated bug. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98028 Reviewers: tstellarAMD, arsenm Subscribers: kzhuravl, wdng, yaxunl, llvm-commits, tony-tye Differential Revision: https://reviews.llvm.org/D25306 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283528 91177308-0d34-0410-b5e6-96231b3b80d8
2025-01-18 16:03:17 +00:00 · 2016-10-07 08:40:14 +00:00 · 2016-10-07 08:40:14 +00:00 · f3907ede55
commit f3907ede55
parent a47cbd993e
2 changed files with 43 additions and 1 deletions
--- a/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp
+++ b/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp
@ -248,14 +248,17 @@ bool SIOptimizeExecMasking::runOnMachineFunction(MachineFunction &MF) {
        if (J->readsRegister(CopyFromExec, TRI)) {
          SaveExecInst = &*J;
          DEBUG(dbgs() << "Found save exec op: " << *SaveExecInst << '\n');
+          continue;
        } else {
          DEBUG(dbgs() << "Instruction does not read exec copy: " << *J << '\n');
          break;
        }
      }

-      if (SaveExecInst && J->readsRegister(CopyToExec, TRI))
+      if (SaveExecInst && J->readsRegister(CopyToExec, TRI)) {
+        assert(SaveExecInst != &*J);
        OtherUseInsts.push_back(&*J);
+      }
    }

    if (!SaveExecInst)
--- a/test/CodeGen/AMDGPU/branch-condition-and.ll
+++ b/test/CodeGen/AMDGPU/branch-condition-and.ll
@ -0,0 +1,39 @@
+; RUN: llc -march=amdgcn -verify-machineinstrs < %s | FileCheck -check-prefix=GCN %s
+; RUN: llc -march=amdgcn -mcpu=tonga -verify-machineinstrs < %s | FileCheck -check-prefix=GCN %s
+
+; This used to crash because during intermediate control flow lowering, there
+; was a sequence
+;       s_mov_b64 s[0:1], exec
+;       s_and_b64 s[2:3], s[0:1], s[2:3] ; def & use of the same register pair
+;       ...
+;       s_mov_b64_term exec, s[2:3]
+; that was not treated correctly.
+;
+; GCN-LABEL: {{^}}ham:
+; GCN-DAG: v_cmp_lt_f32_e64 [[OTHERCC:s\[[0-9]+:[0-9]+\]]],
+; GCN-DAG: v_cmp_lt_f32_e32 vcc,
+; GCN: s_and_b64 [[AND:s\[[0-9]+:[0-9]+\]]], vcc, [[OTHERCC]]
+; GCN: s_and_saveexec_b64 [[SAVED:s\[[0-9]+:[0-9]+\]]], [[AND]]
+; GCN: s_xor_b64 [[SAVED]], exec, [[SAVED]]
+;
+; TODO: The following sequence is a bug (missing s_endpgm)!
+;
+; GCN: s_branch [[BB:BB[0-9]+_[0-9]+]]
+; GCN: [[BB]]:
+; GCN-NEXT: .Lfunc_end0:
+define amdgpu_ps void @ham(float %arg, float %arg1) #0 {
+bb:
+  %tmp = fcmp ogt float %arg, 0.000000e+00
+  %tmp2 = fcmp ogt float %arg1, 0.000000e+00
+  %tmp3 = and i1 %tmp, %tmp2
+  br i1 %tmp3, label %bb4, label %bb5
+
+bb4:                                              ; preds = %bb
+  unreachable
+
+bb5:                                              ; preds = %bb
+  ret void
+}
+
+attributes #0 = { nounwind readonly "InitialPSInputAddr"="36983" }
+attributes #1 = { nounwind readnone }