From f3907ede5568aed23d701e891487feb6052d8adf Mon Sep 17 00:00:00 2001
From: Nicolai Haehnle <nhaehnle@gmail.com>
Date: Fri, 7 Oct 2016 08:40:14 +0000
Subject: [PATCH] AMDGPU: Fix use-after-free in SIOptimizeExecMasking

Summary:
There was a bug with sequences like

   s_mov_b64 s[0:1], exec
   s_and_b64 s[2:3]<def>, s[0:1], s[2:3]<kill>
   ...
   s_mov_b64_term exec, s[2:3]

because s[2:3] was defined and used in the same instruction, ending up with
SaveExecInst inside OtherUseInsts.

Note that the test case also exposes an unrelated bug.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98028

Reviewers: tstellarAMD, arsenm

Subscribers: kzhuravl, wdng, yaxunl, llvm-commits, tony-tye

Differential Revision: https://reviews.llvm.org/D25306

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283528 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Target/AMDGPU/SIOptimizeExecMasking.cpp |  5 ++-
 test/CodeGen/AMDGPU/branch-condition-and.ll | 39 +++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 test/CodeGen/AMDGPU/branch-condition-and.ll

diff --git a/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp b/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp
index 32a0db7265e..4d2f917278e 100644
--- a/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp
+++ b/lib/Target/AMDGPU/SIOptimizeExecMasking.cpp
@@ -248,14 +248,17 @@ bool SIOptimizeExecMasking::runOnMachineFunction(MachineFunction &MF) {
         if (J->readsRegister(CopyFromExec, TRI)) {
           SaveExecInst = &*J;
           DEBUG(dbgs() << "Found save exec op: " << *SaveExecInst << '\n');
+          continue;
         } else {
           DEBUG(dbgs() << "Instruction does not read exec copy: " << *J << '\n');
           break;
         }
       }
 
-      if (SaveExecInst && J->readsRegister(CopyToExec, TRI))
+      if (SaveExecInst && J->readsRegister(CopyToExec, TRI)) {
+        assert(SaveExecInst != &*J);
         OtherUseInsts.push_back(&*J);
+      }
     }
 
     if (!SaveExecInst)
diff --git a/test/CodeGen/AMDGPU/branch-condition-and.ll b/test/CodeGen/AMDGPU/branch-condition-and.ll
new file mode 100644
index 00000000000..40a66c26675
--- /dev/null
+++ b/test/CodeGen/AMDGPU/branch-condition-and.ll
@@ -0,0 +1,39 @@
+; RUN: llc -march=amdgcn -verify-machineinstrs < %s | FileCheck -check-prefix=GCN %s
+; RUN: llc -march=amdgcn -mcpu=tonga -verify-machineinstrs < %s | FileCheck -check-prefix=GCN %s
+
+; This used to crash because during intermediate control flow lowering, there
+; was a sequence
+;       s_mov_b64 s[0:1], exec
+;       s_and_b64 s[2:3], s[0:1], s[2:3] ; def & use of the same register pair
+;       ...
+;       s_mov_b64_term exec, s[2:3]
+; that was not treated correctly.
+;
+; GCN-LABEL: {{^}}ham:
+; GCN-DAG: v_cmp_lt_f32_e64 [[OTHERCC:s\[[0-9]+:[0-9]+\]]],
+; GCN-DAG: v_cmp_lt_f32_e32 vcc,
+; GCN: s_and_b64 [[AND:s\[[0-9]+:[0-9]+\]]], vcc, [[OTHERCC]]
+; GCN: s_and_saveexec_b64 [[SAVED:s\[[0-9]+:[0-9]+\]]], [[AND]]
+; GCN: s_xor_b64 [[SAVED]], exec, [[SAVED]]
+;
+; TODO: The following sequence is a bug (missing s_endpgm)!
+;
+; GCN: s_branch [[BB:BB[0-9]+_[0-9]+]]
+; GCN: [[BB]]:
+; GCN-NEXT: .Lfunc_end0:
+define amdgpu_ps void @ham(float %arg, float %arg1) #0 {
+bb:
+  %tmp = fcmp ogt float %arg, 0.000000e+00
+  %tmp2 = fcmp ogt float %arg1, 0.000000e+00
+  %tmp3 = and i1 %tmp, %tmp2
+  br i1 %tmp3, label %bb4, label %bb5
+
+bb4:                                              ; preds = %bb
+  unreachable
+
+bb5:                                              ; preds = %bb
+  ret void
+}
+
+attributes #0 = { nounwind readonly "InitialPSInputAddr"="36983" }
+attributes #1 = { nounwind readnone }