1====================================== 2LLVM IR Undefined Behavior (UB) Manual 3====================================== 4 5.. contents:: 6 :local: 7 :depth: 2 8 9Abstract 10======== 11This document describes the undefined behavior (UB) in LLVM's IR, including 12undef and poison values, as well as the ``freeze`` instruction. 13We also provide guidelines on when to use each form of UB. 14 15 16Introduction 17============ 18Undefined behavior (UB) is used to specify the behavior of corner cases for 19which we don't wish to specify the concrete results. UB is also used to provide 20additional constraints to the optimizers (e.g., assumptions that the frontend 21guarantees through the language type system or the runtime). 22For example, we could specify the result of division by zero as zero, but 23since we are not really interested in the result, we say it is UB. 24 25There exist two forms of undefined behavior in LLVM: immediate UB and deferred 26UB. The latter comes in two flavors: undef and poison values. 27There is also a ``freeze`` instruction to tame the propagation of deferred UB. 28The lattice of values in LLVM is: 29immediate UB > poison > undef > freeze(poison) > concrete value. 30 31We explain each of the concepts in detail below. 32 33 34Immediate UB 35============ 36Immediate UB is the most severe form of UB. It should be avoided whenever 37possible. 38Immediate UB should be used only for operations that trap in most CPUs supported 39by LLVM. 40Examples include division by zero, dereferencing a null pointer, etc. 41 42The reason that immediate UB should be avoided is that it makes optimizations 43such as hoisting a lot harder. 44Consider the following example: 45 46.. code-block:: llvm 47 48 define i32 @f(i1 %c, i32 %v) { 49 br i1 %c, label %then, label %else 50 51 then: 52 %div = udiv i32 3, %v 53 br label %ret 54 55 else: 56 br label %ret 57 58 ret: 59 %r = phi i32 [ %div, %then ], [ 0, %else ] 60 ret i32 %r 61 } 62 63We might be tempted to simplify this function by removing the branching and 64executing the division speculatively because ``%c`` is true most of times. 65We would obtain the following IR: 66 67.. code-block:: llvm 68 69 define i32 @f(i1 %c, i32 %v) { 70 %div = udiv i32 3, %v 71 %r = select i1 %c, i32 %div, i32 0 72 ret i32 %r 73 } 74 75However, this transformation is not correct! Since division triggers UB 76when the divisor is zero, we can only execute speculatively if we are sure we 77don't hit that condition. 78The function above, when called as ``f(false, 0)``, would return 0 before the 79optimization, and triggers UB after being optimized. 80 81This example highlights why we minimize the cases that trigger immediate UB 82as much as possible. 83As a rule of thumb, use immediate UB only for the cases that trap the CPU for 84most of the supported architectures. 85 86 87Time Travel 88----------- 89Immediate UB in LLVM IR allows the so-called time travelling. What this means 90is that if a program triggers UB, then we are not required to preserve any of 91its observable behavior, including I/O. 92For example, the following function triggers UB after calling ``printf``: 93 94.. code-block:: llvm 95 96 define void @fn() { 97 call void @printf(...) willreturn 98 unreachable 99 } 100 101Since we know that ``printf`` will always return, and because LLVM's UB can 102time-travel, it is legal to remove the call to ``printf`` altogether and 103optimize the function to simply: 104 105.. code-block:: llvm 106 107 define void @fn() { 108 unreachable 109 } 110 111 112Deferred UB 113=========== 114Deferred UB is a lighter form of UB. It enables instructions to be executed 115speculatively while marking some corner cases as having erroneous values. 116Deferred UB should be used for cases where the semantics offered by common 117CPUs differ, but the CPU does not trap. 118 119As an example, consider the shift instructions. The x86 and ARM architectures 120offer different semantics when the shift amount is equal to or greater than 121the bitwidth. 122We could solve this tension in one of two ways: 1) pick one of the x86/ARM 123semantics for LLVM, which would make the code emitted for the other architecture 124slower; 2) define that case as yielding ``poison``. 125LLVM chose the latter option. For frontends for languages like C or C++ 126(e.g., clang), they can map shifts in the source program directly to a shift in 127LLVM IR, since the semantics of C and C++ define such shifts as UB. 128For languages that offer strong semantics, they must use the value of the shift 129conditionally, e.g.: 130 131.. code-block:: llvm 132 133 define i32 @x86_shift(i32 %a, i32 %b) { 134 %mask = and i32 %b, 31 135 %shift = shl i32 %a, %mask 136 ret i32 %shift 137 } 138 139 140There are two deferred UB values in LLVM: ``undef`` and ``poison``, which we 141describe next. 142 143 144Undef Values 145------------ 146.. warning:: 147 Undef values are deprecated and should be used only when strictly necessary. 148 Uses of undef values should be restricted to representing loads of 149 uninitialized memory. This is the only part of the IR semantics that cannot 150 be replaced with alternatives yet (work in ongoing). 151 152An undef value represents any value of a given type. Moreover, each use of 153an instruction that depends on undef can observe a different value. 154For example: 155 156.. code-block:: llvm 157 158 define i32 @fn() { 159 %add = add i32 undef, 0 160 %ret = add i32 %add, %add 161 ret i32 %ret 162 } 163 164Unsurprisingly, the first addition yields ``undef``. 165However, the result of the second addition is more subtle. We might be tempted 166to think that it yields an even number. But it might not be! 167Since each (transitive) use of ``undef`` can observe a different value, 168the second addition is equivalent to ``add i32 undef, undef``, which is 169equivalent to ``undef``. 170Hence, the function above is equivalent to: 171 172.. code-block:: llvm 173 174 define i32 @fn() { 175 ret i32 undef 176 } 177 178Each call to this function may observe a different value, namely any 32-bit 179number (even and odd). 180 181Because each use of undef can observe a different value, some optimizations 182are wrong if we are not sure a value is not undef. 183Consider a function that multiplies a number by 2: 184 185.. code-block:: llvm 186 187 define i32 @fn(i32 %v) { 188 %mul2 = mul i32 %v, 2 189 ret i32 %mul2 190 } 191 192This function is guaranteed to return an even number, even if ``%v`` is 193undef. 194However, as we've seen above, the following function does not: 195 196.. code-block:: llvm 197 198 define i32 @fn(i32 %v) { 199 %mul2 = add i32 %v, %v 200 ret i32 %mul2 201 } 202 203This optimization is wrong just because undef values exist, even if they are 204not used in this part of the program as LLVM has no way to tell if ``%v`` is 205undef or not. 206 207Looking at the value lattice, ``undef`` values can only be replaced with either 208a ``freeze`` instruction or a concrete value. 209A consequence is that giving undef as an operand to an instruction that triggers 210UB for some values of that operand makes the program UB. For example, 211``udiv %x, undef`` is UB since we replace undef with 0 (``udiv %x, 0``), 212becoming obvious that it is UB. 213 214 215Poison Values 216------------- 217Poison values are a stronger form of deferred UB than undef. They still 218allow instructions to be executed speculatively, but they taint the whole 219expression DAG (with some exceptions), akin to floating point NaN values. 220 221Example: 222 223.. code-block:: llvm 224 225 define i32 @fn(i32 %a, i32 %b, i32 %c) { 226 %add = add nsw i32 %a, %b 227 %ret = add nsw i32 %add, %c 228 ret i32 %ret 229 } 230 231The ``nsw`` attribute in the additions indicates that the operation yields 232poison if there is a signed overflow. 233If the first addition overflows, ``%add`` is poison and thus ``%ret`` is also 234poison since it taints the whole expression DAG. 235 236Poison values can be replaced with any value of type (undef, concrete values, 237or a ``freeze`` instruction). 238 239 240Propagation of Poison Through Select 241------------------------------------ 242Most instructions return poison if any of their inputs is poison. 243A notable exception is the ``select`` instruction, which is poison if and 244only if the condition is poison or the selected value is poison. 245This means that ``select`` acts as a barrier for poison propagation, which 246impacts which optimizations can be performed. 247 248For example, consider the following function: 249 250.. code-block:: llvm 251 252 define i1 @fn(i32 %x, i32 %y) { 253 %cmp1 = icmp ne i32 %x, 0 254 %cmp2 = icmp ugt i32 %x, %y 255 %and = select i1 %cmp1, i1 %cmp2, i1 false 256 ret i1 %and 257 } 258 259It is not correct to optimize the ``select`` into an ``and`` because when 260``%cmp1`` is false, the ``select`` is only poison if ``%x`` is poison, while 261the ``and`` below is poison if either ``%x`` or ``%y`` are poison. 262 263.. code-block:: llvm 264 265 define i1 @fn(i32 %x, i32 %y) { 266 %cmp1 = icmp ne i32 %x, 0 267 %cmp2 = icmp ugt i32 %x, %y 268 %and = and i1 %cmp1, %cmp2 ;; poison if %x or %y are poison 269 ret i1 %and 270 } 271 272However, the optimization is possible if all operands of the values are used in 273the condition (notice the flipped operands in the ``select``): 274 275.. code-block:: llvm 276 277 define i1 @fn(i32 %x, i32 %y) { 278 %cmp1 = icmp ne i32 %x, 0 279 %cmp2 = icmp ugt i32 %x, %y 280 %and = select i1 %cmp2, i1 %cmp1, i1 false 281 ; ok to replace with: 282 %and = and i1 %cmp1, %cmp2 283 ret i1 %and 284 } 285 286 287The Freeze Instruction 288====================== 289Both undef and poison values sometimes propagate too much down an expression 290DAG. Undef values because each transitive use can observe a different value, 291and poison values because they make the whole DAG poison. 292There are some cases where it is important to stop such propagation. 293This is where the ``freeze`` instruction comes in. 294 295Take the following example function: 296 297.. code-block:: llvm 298 299 define i32 @fn(i32 %n, i1 %c) { 300 entry: 301 br label %loop 302 303 loop: 304 %i = phi i32 [ 0, %entry ], [ %i2, %loop.end ] 305 %cond = icmp ule i32 %i, %n 306 br i1 %cond, label %loop.cont, label %exit 307 308 loop.cont: 309 br i1 %c, label %then, label %else 310 311 then: 312 ... 313 br label %loop.end 314 315 else: 316 ... 317 br label %loop.end 318 319 loop.end: 320 %i2 = add i32 %i, 1 321 br label %loop 322 323 exit: 324 ... 325 } 326 327Imagine we want to perform loop unswitching on the loop above since the branch 328condition inside the loop is loop invariant. 329We would obtain the following IR: 330 331.. code-block:: llvm 332 333 define i32 @fn(i32 %n, i1 %c) { 334 entry: 335 br i1 %c, label %then, label %else 336 337 then: 338 %i = phi i32 [ 0, %entry ], [ %i2, %then.cont ] 339 %cond = icmp ule i32 %i, %n 340 br i1 %cond, label %then.cont, label %exit 341 342 then.cont: 343 ... 344 %i2 = add i32 %i, 1 345 br label %then 346 347 else: 348 %i3 = phi i32 [ 0, %entry ], [ %i4, %else.cont ] 349 %cond = icmp ule i32 %i3, %n 350 br i1 %cond, label %else.cont, label %exit 351 352 else.cont: 353 ... 354 %i4 = add i32 %i3, 1 355 br label %else 356 357 exit: 358 ... 359 } 360 361There is a subtle catch: when the function is called with ``%n`` being zero, 362the original function did not branch on ``%c``, while the optimized one does. 363Branching on a deferred UB value is immediate UB, hence the transformation is 364wrong in general because ``%c`` may be undef or poison. 365 366Cases like this need a way to tame deferred UB values. This is exactly what the 367``freeze`` instruction is for! 368When given a concrete value as argument, ``freeze`` is a no-op, returning the 369argument as-is. When given an undef or poison value, ``freeze`` returns a 370non-deterministic value of the type. 371This is not the same as undef: the value returned by ``freeze`` is the same 372for all users. 373 374Branching on a value returned by ``freeze`` is always safe since it either 375evaluates to true or false consistently. 376We can make the loop unswitching optimization above correct as follows: 377 378.. code-block:: llvm 379 380 define i32 @fn(i32 %n, i1 %c) { 381 entry: 382 %c2 = freeze i1 %c 383 br i1 %c2, label %then, label %else 384 385 386Writing Tests Without Undefined Behavior 387======================================== 388 389When writing tests, it is important to ensure that they don't trigger UB 390unnecessarily. Some automated test reduces sometimes use undef or poison 391values as dummy values, but this is considered a bad practice if this leads 392to triggering UB. 393 394For example, imagine that we want to write a test and we don't care about the 395particular divisor value because our optimization kicks in regardless: 396 397.. code-block:: llvm 398 399 define i32 @fn(i8 %a) { 400 %div = udiv i8 %a, poison 401 ... 402 } 403 404The issue with this test is that it triggers immediate UB. This prevents 405verification tools like Alive from validating the correctness of the 406optimization. Hence, it is considered a bad practice to have tests with 407unnecessary immediate UB (unless that is exactly what the test is for). 408The test above should use a dummy function argument instead of using poison: 409 410.. code-block:: llvm 411 412 define i32 @fn(i8 %a, i8 %dummy) { 413 %div = udiv i8 %a, %dummy 414 ... 415 } 416 417Common sources of immediate UB in tests include branching on undef/poison 418conditions and dereferencing undef/poison/null pointers. 419 420.. note:: 421 If you need a placeholder value to pass as an argument to an instruction 422 that may trigger UB, add a new argument to the function rather than using 423 undef or poison. 424 425 426Summary 427======= 428Undefined behavior (UB) in LLVM IR consists of two well-defined concepts: 429immediate and deferred UB (undef and poison values). 430Passing deferred UB values to certain operations leads to immediate UB. 431This can be avoided in some cases through the use of the ``freeze`` 432instruction. 433 434The lattice of values in LLVM is: 435immediate UB > poison > undef > freeze(poison) > concrete value. 436It is only valid to transform values from the left to the right (e.g., a poison 437value can be replaced with a concrete value, but not the other way around). 438 439Undef is now deprecated and should be used only to represent loads of 440uninitialized memory. 441