LLVM UB Optimization

LLVM UB and Optimization
허규영 Software Engineer
https://twitter.com/bbvch13531
Using freeze instruction

• What is Unde
fi
ned Behavior
• UB and Optimization
• Poison Value
• Freeze Instruction

UB(Unde
fi
ned Behavior)
• Implementation De
fi
ned Behavior: 문서에 의해 정의된 동작
• Unspeci
fi
ed Behavior: 명시되지 않은 동작
• Unde
fi
ned Behavior

UB(Unde
fi
ned Behavior)
• Implementation De
fi
ned
• Unspeci
fi
ed Behavior
• Unde
fi
ned Behavior
컴파일러가 어떻게 동작할지 몰?루

2021년 정기 2회 정보처리기능사 실기문제
K O R E A
0 1 2 3 4
Access out of bounds
Memory Protection Violation
str

다른 정보처리기능사 문제
1. 55
2. 77
3. 121
4. 132
sum += *(p + i) ;
11
0
22
1
44 55
0
1
P
Access out of bounds

모 과학고등학교의 정보수행평가 문제
--y와 w+x+y-z 중 어떤 것이 먼저 실행될까요?
Sequence point rules
Order of evaluation
Between the previous and next sequence point a
scalar object must have its stored value modi
fi
ed at
most once by the evaluation of an expression,
Otherwise the behavior is unde
fi
ned.

How UB and Optimization related

output( p + a > p + b )
Peephole Optimization
output( a > b )
Optimize
int* p
int a
int b

output( a > b )
Optimize
0xFFFFFF00
int* p
0x100
int a
0x0
int b

output( a > b )
Optimize
0xFFFFFF00
int* p
0x100
int a
0x0
int b
0x0
False True
0x100 > 0x0
Over
fl
ow!

output( a > b )
Optimize
0xFFFFFF00
int* p
0x100
int a
0x0
int b
False True
0x100 > 0x0
Miscompilation
before optimize after optimize

output( a > b )
Optimize
Pointer Arithmetic Over
fl
ow is
Unde
fi
ned Behavior
UB
0x0
Over
fl
ow!

Loop Invariant Code Motion
...
for(i = 0; i < n; i++){
a[i] = p + 0x100
}
q = p + 0x100
for(i = 0; i < n; i++){
a[i] = q
}

...
for(i = 0; i < n; i++){
a[i] = p + 0x100
}
q = p + 0x100
for(i = 0; i < n; i++){
a[i] = q
}
0xFFFFFF00
p

...
for(i = 0; i < n; i++){
a[i] = p + 0x100
}
q = p + 0x100
for(i = 0; i < n; i++){
a[i] = q
}
UB
0x0
Over
fl
ow!

...
for(i = 0; i < n; i++){
a[i] = p + 0x100
}
q = p + 0x100
for(i = 0; i < n; i++){
a[i] = q
}
Miscompilation
Correct Program Wrong Program
when n = 0
UB

...
for(i = 0; i < n; i++){
a[i] = p + 0x100
}
q = p + 0x100
for(i = 0; i < n; i++){
a[i] = q
}
Poison Value
poison
when n = 0

De
fi
nition of Poison Value
poison is a special value that represents a violation of assumption
Each operation on poison value propergate poison or raise UB

Poison Propagation
p a p b
0xFFFFFF00 0x100
poison
0xFFFFFF00 0x0
poison
output
UB
Overflow!

Global Value Numbering (GVN)
if(x == y) {
... use x ...
} else {
...
}
if(x == y) {
... use y ...
} else {
...
}
How to de
fi
ne when branching on poison value

if(x == y) {
... use x ...
} else {
...
}
if(x == y) {
... use y ...
} else {
...
}
How to de
fi
0 poison

if(x == y) {
... use x ...
} else {
...
}
if(x == y) {
... use y ...
} else {
...
}
How to de
fi
0 poison
Miscompilation

if(x == y) {
... use x ...
} else {
...
}
if(x == y) {
... use y ...
} else {
...
}
How to de
fi
poison

if(x == y) {
... use x ...
} else {
...
}
if(x == y) {
... use y ...
} else {
...
}
Branching on poison value is
Unde
fi
ned Behavior
UB

Loop Unswitching (LU)
while(n > 0) {
if(cond)
A
else
B
}
if(cond)
while(n > 0) {
{ A }
else
while(n > 0) {
{ B }

while(n > 0) {
if(cond)
A
else
B
}
if(cond)
while(n > 0) {
{ A }
else
while(n > 0) {
{ B }
poison
UB
Branching on poison is

while(n > 0) {
if(cond)
A
else
B
}
if(cond)
while(n > 0) {
{ A }
else
while(n > 0) {
{ B }
poison
UB
False
when n = 0

while(n > 0) {
if(cond)
A
else
B
}
if(cond)
while(n > 0) {
{ A }
else
while(n > 0) {
{ B }
poison
UB
False
when n = 0
Miscompilation

Unde
fi
ned Behavior

GVN + LU
Not Always
Unde
fi
ned Behavior

Inconsistency in LLVM
• SNU found miscompilation bug in LLVM when GVN+LU optimization
• Google reported a real-world bug due to GVN+LU inconsistance

Freeze instruction
y = freeze x
• if x is de
fi
ned value
• if x is poison value or undef
freeze x -> x
freeze x ->
which y is nondeterministic value
0
1
2
3
...

while(n > 0) {
if(cond)
A
else
B
}
if(cond)
while(n > 0) {
{ A }
else
while(n > 0) {
{ B }
New Approach

while(n > 0) {
if(cond)
A
else
B
}
if(freeze(cond))
while(n > 0) {
{ A }
else
while(n > 0) {
{ B }
poison
Nondet.
True / False
New Approach

if( poison )
if(freeze( poison ))
Global Value Numbering
Nondeterministic
UB
Using freeze intruction
Loop Unswitching

y = x * 2
Without freeze
y = x + x
Not exactly true, Details are missing

y = x * 2
y = x + x
undef
{ 0, 2, 4, 6 ... }
undef
{ 0, 1, 2, 3 ... }
Without freeze

y = x * 2
x' = freeze x
y = x' + x'
undef
{ 0, 2, 4, 6 ... }
Nondet.
{ 0, 2, 4, 6 ... }
Using freeze
{ 0, 1, 2, 3 ... }

a = x / y
b = x % y
a = x / y
b = x - (a * y)
New Approach
undef 1 undef

a = x / y
b = x % y
a = x / y
b = x - (a * y)
New Approach
undef 1 undef
undef undef

a = x / y
b = x - (a * y)
a = x / y
b = x % y
New Approach
undef 1
undef undef
undef

a = x / y
b = x % y
x' = freeze x
a = x' / y
b = x' - (a * y)
Let's assume x is N
N
undef 1
undef

a = x / y
b = x % y
x' = freeze x
a = x' / y
b = x' - (a * y)
Let's assume x is N
N
undef 1
N
1
undef

a = x / y
b = x % y
x' = freeze x
a = x' / y
b = x' - (a * y)
Let's assume x is N
N
undef 1
N
1
N
undef

a = x / y
b = x % y
x' = freeze x
a = x' / y
b = N - N = 0
Let's assume x is N
N
undef 1
N
1
undef

a = x / y
b = x % y
x' = freeze x
a = x' / y
b = 0
Let's assume x is N
N
undef 1
N
1
undef

• 2020 LLVM Developers’ Meeting: J. Lee “Undef and Poison: Present and
Future"
• What Every C Programmer Should Know About Unde
fi
ned Behavior
• Taming Unde
fi
ned Behavior in LLVM

LLVM UB Optimization

Recommended

More Related Content

Similar to LLVM UB Optimization (7)

More from 규영 허 (6)

Recently uploaded (20)

LLVM UB Optimization