[erlc] miscompilation with optimizations turned off

[RobinMorisset]

Describe the bug
On the following code:

f() ->
    try _V6 = (_V5 = bit_size(erlang:iolist_to_binary("a"))) rem 1 of
        _ ->
            _V5;
        _ ->
            _V6
    catch
        _ ->
            ok
    end.

wrapper0() ->
    io:write(f()).

Running it with the following commands:

erlc -W0 ~/minimized/test62768.erl
erl -pa . -noshell -s test62768 wrapper0 -s init stop

results in 8 being printed to the shell. But adding +no_bool_opt +no_ssa_opt to erlc makes it output 0 instead.

Expected behavior
I believe that 8 is the valid result:

• first _V5 is set to 8
• then _V6 is set to 8 rem 1 which is 0
• then _V6 is matched against the first pattern, which is _ so it is a match
• and so _V5 is returned.

Affected versions

• master
• master + compiler: Eliminate the Kernel Erlang intermediate representation #7240

Additional context
The following were tried and make the bug disappear:

• replacing the try/of/catch/end by case/of/end
• replacing the whole computation of _V5 by _V5 = 8
• only passing one of the two flags to erlc

[bjorng]

Yes, 8 is the correct result.

There is a bug in the register allocator in beam_ssa_pre_codegen. The bug is in the handling of unused phi nodes. Here is part of the output when the dprecg option is used:

3:
  %% _4: 24..24
  x0/_4 = phi { x1/_V6, ^10 }

  %% _V5: 24..27
  x0/_V5 = phi { x0/_2, ^10 }

  %% _17: 24..24
  x0/_17 = phi { x1/_V6, ^10 }

  %% @ssa_ignored: 25..25
  [25] z0/@ssa_ignored = kill_try_tag y0/@ssa_catch_tag
  %% Anno: #{deallocate => 1}
  [27] ret x0/_V5

Here the values of all three phi nodes end up in the same BEAM register (x0). The correct one (the middle one) is overwritten by the third phi node.

This bug it not normally exposed, because there are optimizations that remove assignments to variables that are never used, and there is another optimization that eliminates singled-valued phi nodes. The bug disappears when case is used because a case does not introduce the single-valued phi nodes in the first place.

There are several possible ways to fix this bug. I will do some more thinking before I create a pull request.

[RobinMorisset]

Here is another miscompilation that seems fairly similar:

f(_V0) ->
    try not (_V3 = (ok >= _V0)) of
        _V3 -> iolist_size(maybe 
            [] ?= _V3,
            <<>> ?= list_to_binary(ok)
        end);
        _ -> ok
    after
        ok
    end.

wrapper0() -> 
	io:write(catch f(ok)).

It prints ok by default (which I believe to be correct), but with +no_bool_opt +no_ssa_opt it prints {'EXIT',{badarg,[{erlang,iolist_size,[true], ....

master...bjorng:otp:bjorn/compiler/beam_ssa_pre_codegen/GH-7248 does not fix it, although it fixes the original testcase.

[RobinMorisset]

And another one:

f(_V1) ->
    try erlang:bump_reductions(_V1) of
        _V3 ->
            try not (_V4 = (_V3 andalso is_number(ok))) of
                _V4 ->
                    (_V5 = ok) andalso ok;
                _ ->
                    _V4
            catch
                _ ->
                    ok
            end
    after
        ok
    end.

wrapper0() ->
    io:write(catch f(2147483647)).

It prints false by default, but with +no_bool_opt +no_ssa_opt, it prints {'EXIT',{{badarg,ok}, ...

[bjorng]

Turned out that all single-valued phi nodes are problematic. The linked pull request has a more general solution (which is also simpler) than my previous attempt.