Human-written portion
The bugs here were found not by fuzzing, but by code inspection. I simply asked Claude to find bugs in LLVM, and gave it a little guidance along the way.
I wouldn't consider all of these to be serious bugs, and some I'd say aren't bugs at all. Others appear to be real miscompiles, such as #195.
Everything below here is machine-generated. Good luck.
Goal: find ≥100 real bugs in the x86 path through the default LLVM pass pipeline.
Status: 131 reproducible bugs (well past the 100 goal; +7 new x86 finds #254-#260). 230 total catalog entries (~99 are source-confirmed only). 495 pending candidate notes in candidates/ not yet promoted.
See the WONTFIX / not-a-bug catalog below for ~40 investigated-and-rejected entries (restored with their folders so the reasoning is preserved). Two entries originally restored as re-promotions (#248, #253) were re-refuted on closer analysis and are listed there as non-bugs.
Breakdown by repro kind:
- crash (4): #071, #218, #222, #227
- hang (1): #191
- runtime miscompile (3): #003 (GISel-only), #004, #013
- asm/asm-diff (12): #001, #005, #008, #009, #010, #011, #012, #014, #140, #240, #357, …
- mir-diff (19): #124, #125, #196, #198, #199, #208–#210, #213, #226, #231, #237, #238, #239, …
- opt-diff (~95): all others
Most reproducible bugs fall in: metadata loss (!nontemporal, !invariant.load, !alias.scope, !range, FMF, samesign, syncscope, !unpredictable, !prof), poison/refinement violations (#195/#206/#207/#252), and PGO corruptions (#232).
- LLVM source: ../amdgpu/third_party/llvm-project/ (HEAD ≈ 0dd29960cd61 as of session start)
- opt/llc: ../amdgpu/build/llvm-fuzzer/bin/{opt,llc,clang}
- Default target triple: x86_64-unknown-linux-gnu

- bugs/NNN-short-name/ — one folder per confirmed bug, containing:
  - NOTES.md — explanation of the bug, root cause if known
  - repro.ll — minimal IR reproducer (or .s/.c if more natural)
  - cmd.sh — exact command to reproduce
  - expected.txt, actual.txt (for miscompiles, when an executable repro exists)
- candidates/ — pre-triage notes from code-reading workers (not yet confirmed)
- workers/ — per-worker logs and ranges-already-explored, to avoid duplicate work
(Filled as bugs are confirmed.)
| # | Kind | Status |
|---|---|---|
| 001 | 001-volatile-atomicrmw-or-zero-drops-volatile - volatile bit dropped from atomicrmw or %p, 0 (idempotent RMW lowered as plain load) | PR #199587 closed (not merged) |
| 003 | 003-gisel-uadde-inverted-carry - CMP r,1 for carry-in inverts CF; multi-word add/sub produce wrong upper word | PR #199261 merged |
| 004 | 004-ldexp-avx512f-missing-cvtdq2ps - non-VLX AVX-512 path feeds int exp bits to vscalefps (missing vcvtdq2ps); <4 x float> ldexp returns x*1 | PR #199263 merged |
| 005 | 005-fixupinsttuning-pslli-loses-changed - ProcessShiftLeftToAdd mutates MI (PSLLWri→PADDWrr) but returns false; pass lies about preservation | PR #199589 merged |
| 007 | 007-domain-reassignment-wrong-enclosed-key - EnclosedEdges[Reg] = ... uses outer seed Reg instead of CurReg; only seed registered, latent duplicate-closure path | |
| 008 | 008-returnthunks-missing-reti-lret-iret - matches only RET32/RET64; RETI*/LRET*/IRET* survive fn_ret_thunk_extern (Retbleed mitigation gap) | |
| 009 | 009-ibt-wineh-funclet-missing-endbr - catch / cleanup funclet entries get no endbr64; CET-IBT-enforcing host #CP-faults on every C++ exception | WONTFIX — see WONTFIX catalog below (PR #200333 dropped) |
| 010 | 010-lvi-cfi-missing-reti-lret-iret - only matches RET64; RETI64/LRET*/IRET* retain bare ret with no preceding lfence | |
| 011 | 011-ldexp-i64-libcall-silent-truncation - llvm.ldexp.f64.i64 silently truncates exponent to int on libcall (POWI errors here, LDEXP didn't get the guard) | PR #199177 closed (not merged) |
| 012 | 012-cgp-splitmergedvalstore-strips-atomic - bail-out checks only isVolatile(); an atomic seq_cst i64 store is split into two non-atomic i32 stores | PR #199592 merged |
| 013 | 013-instcombine-vector-reduce-mul-sext-i1-odd-lanes - vector_reduce_mul(sext(<n x i1>)) folded to zext(and-reduce(V)); for odd n, all-true → +1 instead of -1 | PR #199401 merged |
| 014 | 014-resetfpenv-mmo-flagged-as-store-on-load - constant-pool FLDENVm load tagged MOStore (sister GET_FPENV_MEM correctly uses MOLoad) | |
| 015 | 015-sfb-volatile-atomic-not-checked - pass never checks isVolatile()/isAtomic() MMO flags; a volatile 16-byte XMM copy can be silently split | PR #199698 merged |
| 016 | 016-vzeroupper-clobbersall-misses-ymm-zmm-16-31 - clobbersAllYmmAndZmmRegs only iterates YMM/ZMM 0-15; upper bank invisible to dirty-state analysis | |
| 017 | 017-atomicexpand-widenpartword-drops-volatile - widenPartwordAtomicRMW never calls setVolatile(...) on the widened RMW; sole outlier of all RMW expansion paths | PR #199722 merged |
| 018 | 018-rvmarker-wrong-regmask-on-windows - hard-codes CallingConv::C (SysV) preserved mask even on Win64; clobber set inconsistent with ABI | |
| 019 | 019-frame-redzone-tcdelta-uint-underflow - uint64_t = unsigned - int for red-zone MinSize underflows when TCReturnAddrDelta is positive; absurd stack size | |
| 020 | 020-matchvectoraddress-missing-wrapperrip - handles Wrapper but not WrapperRIP; RIP-relative globals miss the disp32 fold for gather/scatter | |
| 021 | 021-compress-evex-vpmov-physreg-use-operands-noop - post-RA MRI->use_operands(MaskReg) on a physical kreg is a no-op; cross-BB live-out $k0 left uninitialized | |
| 022 | 022-fpext-of-sitofp-drops-fmf - fpext(sitofp x) sunk via CastInst::Create drops FMF (sitofp/uitofp aren't FPMathOperators) | |
| 023 | 023-foldfptoi-mask-asymmetric-fcposnormal - uses fcPosNormal for fptoui but fcNormal for fptosi; negative-normal fptoui poison-refined to 0 | |
| 024 | 024-foldshuffleofshuffles-poison-bool-cast - if (!NewX) return PoisonValue::get(Ty); inside a bool-returning function; success path claimed without replaceValue | |
| 025 | 025-machinesink-physdef-dead-not-zombie-checked - EFLAGS guard trusts stale dead flag; doesn't scan source-block tail for late reader of the supposedly-dead physreg | |
| 026 | 026-machinelicm-throwing-inline-asm-speculation - only checks dominator-of-exiting-blocks; ignores intra-loop throwing/INLINEASM-sideeffect — loads hoisted past faulting asm | |
| 027 | 027-machinecse-implicit-def-positional-mismatch - positional indexing into CSMI->getOperand(i) assumes MI/CSMI have identical operand layouts | |
| 028 | 028-peephole-foldimmediate-no-tied-operand-check - offers every explicit non-def operand to foldImmediate without isRegTiedToDefOperand check | |
| 029 | 029-x87-adjustLiveRegs-stale-iterator - iterator mutated mid-loop in kill loop; caller reads stale state on subsequent iterations | |
| 030 | 030-cfopt-cfi-unconditional - emits .cfi_adjust_cfa_offset whenever !hasFP, ignoring needsDwarfCFI — spurious CFI for nounwind funcs | |
| 031 | 031-strict-fp-extend-chain-drop - strict-fp f16→{f64,f80,fp128} on non-FP16 targets: outer STRICT_FP_EXTEND reuses original chain, dropping inner side effect | |
| 032 | 032-fastTileConfig-cross-bb-shape-zero - per-BB processing misses tile def whose value reaches a PLDTILECFGV inserted in another BB; row/col stay zero | |
| 033 | 033-cmov-conversion-eflags-liveness-misses-jmp - checkEFLAGSLive returns false when LastCMOV has a kill marker even though later spliced instructions still read EFLAGS | |
| 034 | 034-isKnownNeverNaN-fminnum-snan-or-incorrect - OR-logic for FMINNUM/FMAXNUM/*NUM unsound when SNaN=true; both-NaN case can return SNaN through unchanged | |
| 035 | 035-fmul-neg1-fsub-negzero-snan-sign-flip - fmul X, -1.0 → fsub -0.0, X → fneg X without nnan; sNaN sign flipped, quieting lost (in-source FIXME) | |
| 036 | 036-frame-swift-async-cfi-missing - SwiftAsyncContext PUSH lacks CFA-offset CFI update; window between async PUSH and FP-establishing LEA has CFA-rule off by 8 | |
| 037 | 037-pcmpestr-fold-load-missing-glue - glues EAX/EDX live-in CopyToRegs but doesn't include them in the CNode chain; folded load can reorder w.r.t. live-ins | |
| 038 | 038-foldoffset-mul-imm-uint64-overflow - MUL-by-{3,5,9}→LEA shortcut does mixed-sign int64*uint64 for the folded disp; fragile for negative AddVal / 32-bit wrap | |
| 039 | 039-sextinreg-extload-multiuse - substitutes EXTLOAD with SEXTLOAD via CombineTo(N0, ExtLoad, ExtLoad.getValue(1)) without hasOneUse() in OR-branch | |
| 040 | 040-shl-of-shifted-logic-disjoint-propagation - propagates LogicOp->getFlags() (incl. disjoint) verbatim to rewritten outer logic op without re-verifying | WONTFIX — NOTES self-concludes sound: under uniform outer shift the disjoint precondition becomes more-true, never introducing poison the source lacked. |
| 041 | 041-sfb-blocker-no-volatile-check - companion to #015: blocking-store check also ignores volatile/atomic flags | PR #199698 merged |
| 042 | 042-sfb-buildcopies-wrong-mmo-offset - passes LMMOffset twice instead of (LMMOffset, SMMOffset); harmless today but fragile | |
| 043 | 043-compress-evex-vpmov-srcvec-clobber-kmov - kill-flag staleness when KMOV operand is overwritten in place | |
| 045 | 045-winehstate-cleanup-skip-loses-hoist - state-store-emit loop skips entire cleanup-pad BBs; spurious -1 store emitted in non-cleanup successors | |
| 046 | 046-cfopt-inline-asm-classify-side-effects - INLINEASM that has side-effects but no mayStore is mis-classified; PUSH conversion reorders around it | |
| 047 | 047-x87-insertwait-too-eager-skip - WAIT omission heuristic doesn't enumerate all non-waiting FN* ops; sensitive to debug-instruction adjacency | |
| 048 | 048-dynalloca-amount-zero-leaks-mov - Amount == 0 short-circuit erases the pseudo but not the dead MOV*ri defining its amount vreg | |
| 049 | 049-dynalloca-pushpop-misses-r8-r15-push2 - switch omits APX PUSH2/POP2 (16-byte stack touch), PUSHF*/POPF*, PUSH16*, LEAVE*; can skip probe on Win+APX | |
| 050 | 050-cmov-load-unfold-eflags-clobber-chained - chained CMOVrm: FalseInsertionPoint set to FalseMBB->begin() and never advanced; unfolded loads inserted in reverse → use-before-def | |
| 051 | 051-domain-reassignment-shift-kshift-semantics - SHR/SHL <8/16/32/64>ri → KSHIFT*ki have different over-shift semantics: GPR masks to register width, KSHIFT uses full imm8 | |
| 052 | 052-flagscopy-hoist-clobber-window - hoist loop checks HoistMBB's terminators and predecessors' bodies but never scans HoistMBB's own non-terminator body | |
| 053 | 053-flagscopy-splitblock-stale-phi-entries - IsEdgeSplit PHI handling can append duplicate predecessor entries while leaving stale arcs from MBB to same successor | |
| 054 | 054-foldImmediate-copy-class-asymmetry - s32 range check gated on SOURCE register class but NewOpc chosen from DESTINATION class; cross-class COPY mishandled | |
| 055 | 055-optimizeCmp-narrow-immDelta-signext - APInt::getSignedMinValue(BW) == CmpValue compares APInt via uint64 vs sign-extended int64; misses narrow-width edges | |
| 056 | 056-reMaterialize-MOV32-subreg-write - rewrites MOV32r{0,1,_1} to MOV32ri then substituteRegister(.., SubIdx, ..) can produce 32-bit write tagged as sub_8/16bit | |
| 057 | 057-fixupvectorconstants-undef-disagreement - extractConstantBits collapses top-level UndefValue to zero, while getSplatableConstant is undef-tolerant; non-idempotent | |
| 058 | 058-mask-cmp-ss-imm-immediate-not-validated - mask_cmp_ss/sd shares switch case with legacy comi/ucomi; future folds could leak predicate/SAE semantics | |
| 059 | 059-avx512-cur-direction-mxcsr - x86_avx512_{add,sub,mul,div}_*_512 with R==CUR_DIRECTION folded to plain fadd, discarding MXCSR rounding | |
| 060 | 060-pmulhuw-multiply-by-one-undef-elements - m_One() matches <i16 1, i16 undef, ...>; dropping data dependency on Arg1 for PMULHUW with undef lanes | |
| 062 | 062-fsub-negzero-fneg-snan-sign-flip - fsub -0.0, X → fneg X without nnan; in-source FIXME confirms sNaN-quieting dropped | |
| 063 | 063-slh-shrx-eflags-bmi2-vector-skip - saveEFLAGS skipped whenever BMI2 is present, but mixed vector(gather) + GR64 base may emit flag-clobbering OR64rr while EFLAGS is live | |
| 064 | 064-jumpthreading-distinct-freeze-implied-cond - comment claims "exactly the same freeze instruction" but check only compares operands; two distinct freezes independently choose values | |
| 065 | 065-rematerialize-partial-physreg-implicit-def-liveness - partial physreg rematerialization misses implicit-def liveness, can wrongly drop a still-live def | |
| 066 | 066-stackprotector-tailcall-intervening-instr - canary verification insertion can be placed past a tail-call with an intervening instruction | |
| 067 | 067-instcombine-processUGT-bitwidth-eq-bails - bails when CI1 bitwidth equals NewWidth; missed fold / fragile guard | |
| 068 | 068-loopvectorize-anyof-tail-fold-no-mask-on-cmp - Or(PhiR, Cmp) lacks AND with HeaderMask under tail folding; poison on inactive lanes can flip reduction true via freeze | |
| 069 | 069-branchfold-optblock-loses-eh-scope-entry - MBB→PrevBB splice guards only on isEHPad, not isEHScopeEntry/isEHFuncletEntry | |
| 070 | 070-branchfold-ehscope-empty-skips-itanium-check - cross-EH-scope guard skipped when EHScopeMembership.empty() — always true for Itanium DWARF EH (Linux x86_64) | |
| 071 | 071-opt-codegenprepare-pass-segfaults-on-empty-function - opt -passes=codegenprepare segfaults on any IR — null-deref in ProfileSummaryInfo::isFunctionHotInCallGraph because PSI/BFI not materialized | PR #199268 merged |
| 072 | 072-gvn-mssa-loadstore-vn-ignores-atomic-volatile - omits isVolatile/isAtomic/getOrdering/getSyncScopeID from the expression key; equal VN, unequal semantics | |
| 073 | 073-newgvn-simplifyselectinst-drops-fmf - empty FastMathFlags() passed to simplifySelectInst; missed FP simplifications | |
| 074 | 074-asmprinter-got-equiv-skips-tls-check - TLS-relocated globals not excluded from GOT-equivalent collapse | |
| 075 | 075-gisel-matchUndefStore-drops-volatile-atomic - undef-store elimination doesn't check volatile/atomic — drops user's required side effect | PR #200099 (open) |
| 076 | 076-asmprinter-emitCFI-skip-rbegin-not-isendsection - uses MF.rbegin() instead of isEndSection; misclassifies skip condition for split functions | |
| 077 | 077-asmprinter-coff-fltused-early-return-skips-morestack - early-return on fltused emission skips morestack frame emission | |
| 078 | 078-w38-extloadi64i32-ignores-promote-anyext - ignores EnablePromoteAnyextLoad predicate; pattern fires when it should be gated | |
| 079 | 079-w38-gisel-loadi16-loadi32-ignores-promote-anyext - same EnablePromoteAnyextLoad predicate omission on GISel side | |
| 080 | 080-w45-asmprinter-modifier-a-A-intel-dialect - 'a'/'A' modifiers hardcode AT&T syntax, produce invalid output in Intel-dialect inline asm | |
| 081 | 081-w45-asmprinter-P-modifier-att-intel-asymmetry - "disp-only" semantics honored by Intel printer but ignored by AT&T printer | |
| 082 | 082-w45-asmparser-lvi-cfi-shl64-in-32-bit-mode - always uses SHL64mi even matching RET16/32 in 16/32-bit modes — emits REX.W in modes where REX is undefined | |
| 083 | 083-w49-lvi-analyzedefusechain-dead-check-wrong-def - dead-check on wrong def — misses an instruction that needs hardening | |
| 084 | 084-w49-lvi-cfg-traverse-skips-instrs-on-revisit - revisits skip instructions; misses hardening sites | |
| 085 | 085-w49-lvi-insertfences-branch-mutates-during-iteration - mutates branch list during iteration — iterator invalidation | |
| 086 | 086-w49-optimize-leas-choose-best-after-MI - picks the best LEA after MI but doesn't validate operand-classes are equal | |
| 087 | 087-strict-fp-routed-to-fast-libcall - strict-fp arithmetic with fast flags routed to FAST_* libcall (e.g. __hexagon_fast_*); violates fpexcept.strict contract | |
| 088 | 088-scev-howmanylessthans-unsigned-uses-signed-stride-check - unsigned variant uses signed stride check; mismatched signedness can yield wrong trip-count | WONTFIX — see WONTFIX catalog below |
| 089 | 089-machine-copy-prop-erase-if-redundant-drops-implicit-operands - erases a COPY that's redundant for explicit defs but carries implicit-defs the user depends on | |
| 090 | 090-vplan-cse-intersect-flags-fmf-wrong-direction - intersects FMF in wrong direction for vector recipes; can promote a less-flexible variant to apply more flags than allowed | |
| 091 | 091-simplifycfg-hoistcondloads-drops-pointer-metadata - hoisted load drops !nonnull/!dereferenceable metadata; downstream passes lose info | |
| 092 | 092-fixupsetcc-zu-assert-on-survived-setccr - accepts both SETCCr and SETZUCCr at filter, then asserts SETZUCCr when ZU; GISel + ZU can trigger | WONTFIX — see WONTFIX catalog below (PR #200334 closed) |
| 093 | 093-avx512-vmovs-x86selects-load-fold-mask-suppress - load-fold pattern under masking misses suppress condition; load may execute on masked lanes | |
| 094 | 094-vex3-to-vex2-xmm16-31-not-rejected - VEX3→VEX2 shortening doesn't reject XMM16-31; resulting VEX2 encodes wrong register | |
| 095 | 095-mcp-hasimplicitoverlap-misses-implicit-def-of-source - doesn't detect when the source physreg is implicit-def'd between COPY pair | |
| 096 | 096-arg-stack-slot-iterator-invalidated-by-eliminateFI - iterator invalidated when eliminateFrameIndex erases/inserts MIs during the rebase walk | |
| 097 | 097-instcombine-vpermilvar-pd-mask-truncates-bit-1 - mask interpretation uses only bit 0 instead of bit 1 (per Intel spec, PD uses bit 1) | WONTFIX — see WONTFIX catalog below |
| 098 | 098-utils-canCreateUndefOrPoison-missing-div - doesn't consider G_SDIV/G_UDIV etc. as poison-creating; downstream speculative folds unsound | |
| 099 | 099-implicitnullchecks-insertFaultingInstr-loses-mi-flags - doesn't preserve MI flags on the faulting variant; FrameSetup/FrameDestroy/Tail-Call lost | |
| 100 | 100-instcombine-imm-shift-upper-demand-wrong-for-i32 - DemandedUpper mask for i32 shift intrinsics uses wrong bit count | WONTFIX — see WONTFIX catalog below |
| 101 | 101-x86-cleanup-tls-iterator-invalidated - iterator invalidated by an in-loop erase; possible misclean of TLS_addr sequences | |
| 102 | 102-lower-tile-copy-rax-spill-no-mmo - RAX spill/reload MOV64mr/MOV64rm lack MachineMemOperand; post-RA scheduler can reorder around them | |
| 103 | 103-constantfoldfp-host-libm-variance - FP intrinsics (pow/sin/atan2/etc.) constant-folded through build-host libm; last-ULP variance and boundary disagreement | |
| 104 | 104-calllowering-sret-demote-inherits-return-attrs - demote-sret pointer ArgInfo inherits return value's SExt/ZExt/InReg/Returned flags | |
| 105 | 105-mirbuilder-buildmasklowptrbits-truncates-wide-ptr - mask built with maskTrailingZeros<uint64_t>(NumBits); >64-bit pointers get upper mask bits zeroed | |
| 106 | 106-mirbuilder-buildvector-vacuous-assert - assert (!SrcOps.empty() || SrcOps.size() < 2) is always true; intended >= 2; same dead guard in G_BUILD_VECTOR_TRUNC, G_CONCAT_VECTORS | |
| 107 | 107-utils-lookthrough-anyext-treats-as-sext - with LookThroughAnyExt=true, G_ANYEXT reconstructed as Val.sext(); constant-folder/codegen disagree on extension | |
| 108 | 108-dse-partial-merge-drops-volatile-atomic - volatile/atomic killing store dropped + value merged into non-volatile/non-atomic earlier store | PR #199728 merged |
| 109 | 109-memcpyopt-memsetmemcpy-drops-volatile-memset - volatile memset followed by memcpy: original deleted, replacement non-volatile (and equal-size case deletes outright) | PR #200100 merged |
| 110 | 110-gisel-usube-inverted-borrow-sub128 - i128 sub: setb; cmpb $1 inverts borrow → sbb adds 1 to high half | PR #199261 merged |
| 111 | 111-lower-atomic-drops-volatile-rmw-cmpxchg - lower-atomic lowers atomicrmw volatile/cmpxchg volatile into non-volatile load+store; volatile/ordering/syncscope dropped | |
| 113 | 113-avx512-mask-arith-ss-sd-round-cur-direction-mxcsr - mask scalar add/sub/mul/div.ss/sd.round with rounding=4 (CUR_DIRECTION) folded to plain fadd, losing MXCSR-set rounding | |
| 114 | 114-gvnsink-merges-volatile-stores - volatile is included in expression hash; two equivalent volatile stores merged across branches into one sunk store | WONTFIX — see WONTFIX catalog below |
| 118 | 118-sroa-drops-atomic-ordering - predicate if (LI.isVolatile()) NewLI->setAtomic(...) should be isAtomic(); atomic seq_cst load/store reduced to plain access | WONTFIX — see WONTFIX catalog below |
| 119 | 119-simplifycfg-merge-cond-stores-drops-atomic - filters via isUnordered() (which accepts Unordered atomic) then emits plain CreateStore; atomic Unordered → plain store, racy access becomes UB | PR #200327 merged |
| 124 | 124-atomic-expand-load-to-cmpxchg-drops-volatile-syncscope - i128 atomic-volatile load with singlethread syncscope → cmpxchg without volatile + system-scope | PR #200324 merged |
| 125 | 125-atomic-expand-store-to-xchg-drops-volatile-syncscope - i128 atomic-volatile store with singlethread → cmpxchg loop without volatile + system-scope; also inserts a bare non-volatile load of the dst | PR #200324 merged (same PR as #124; fixes expandAtomicStoreToXChg) |
| 126 | 126-licm-promote-drops-syncscope - preheader load and exit-block store dropped from syncscope("singlethread") to default System scope | |
| 127 | 127-newgvn-call-cse-ignores-operand-bundles - call CSE ignores operand bundles (deopt/funclet/ptrauth/kcfi/clang.arc/gc-*); second call with bundle deleted | deprioritized |
| 128 | 128-lower-matrix-fuseFlatten-drops-volatile - matrix.column.major.load(..., i1 true /*volatile*/) rewritten as plain load <N x float> — volatile bit dropped | |
| 129 | 129-earlycse-load-cse-ignores-syncscope - atomic unordered loads CSE'd ignoring SyncScope::ID; second load takes the cached load's narrower syncscope | WONTFIX — see WONTFIX catalog below |
| 130 | 130-earlycse-dse-stores-ignores-syncscope - DSE drops earlier atomic store with different syncscope from later one | |
| 132 | 132-atomic-expand-convertcmpxchgtoint-drops-metadata - cmpxchg ptr → i64 conversion drops !noalias/!tbaa/!alias.scope/!access_group metadata | |
| 133 | 133-atomic-expand-rmwcmpxchgloop-initload-drops-metadata - InitLoaded load doesn't carry the source RMW's metadata; AA-inconsistent view | |
| 134 | 134-atomic-expand-rmw-libcall-drops-volatile-ssid - libcall (e.g. __atomic_fetch_nand_16) silently drops volatile and syncscope | WONTFIX — see WONTFIX catalog below |
| 137 | 137-sroa-tree-merge-drops-atomic-load - filters isVolatile() only; atomic unordered load synthesized via CreateAlignedLoad without setAtomic | |
| 138 | 138-sroa-vector-promotion-drops-atomic - atomic struct store folded into plain zext/shl/or integer-widening output | |
| 139 | 139-cgp-splitBranchCondition-stale-prof-weights - all four createBranchWeights calls pass original (TrueWeight, FalseWeight) instead of freshly scaled weights | PR #199822 merged |
| 140 | 140-cgp-splitMergedValStore-drops-aa-tbaa-nontemporal - dropped !nontemporal (no MOVNTI emitted!), !tbaa, !alias.scope, !noalias, !DIAssignID, !annotation | |
| 141 | 141-branchfold-merges-volatile-and-plain-store - MachineInstr::isIdenticalTo ignores MMO flags; volatile store and plain store merged | |
| 142 | 142-machinelicm-isInvariantStore-skips-volatile-atomic - doesn't check isVolatile()/hasOrderedMemoryRef(); HoistConstStores=true by default → volatile/atomic stack-cookie writes hoisted | |
| 143 | 143-memcpyopt-processmemmove-volatile-memset-dropped - volatile memset followed by memmove handling | |
| 144 | 144-licm-promote-merges-mismatched-syncscopes - atomic accesses w/ mismatched syncscopes promoted to single System-scope load+store; original singlethread contract lost | |
| 145 | 145-gvn-pre-drops-loadinst-metadata - hand-rolled metadata whitelist drops !noundef/!align/!dereferenceable/!nonnull/!nontemporal/!alias.scope on PRE'd load | local branch fix6-gvn-pre-load-metadata (draft, not pushed) |
| 146 | 146-gvn-createExpr-ignores-IRFlags - CSE keys on (Ty, Opcode, VarArgs) only; kept instr loses nsw/nuw/disjoint/exact/inbounds/FMF via patchAndReplaceAllUsesWith | WONTFIX — sound flag-stripping (missed-opt only). patchAndReplaceAllUsesWith intersects flags so the IR stays correct; GVN intentionally value-numbers without IR flags. |
| 147 | 147-jt-duplicateCondBranch-noalias-scopes-not-cloned - inline clone loop omits cloneNoAliasScopes/adaptNoAliasScopes (present in cloneInstructions); duplicated load/store share original scope IDs | PR #200550 (open) |
| 148 | 148-vectorcombine-scalarizeLoadExtract-strips-atomic - atomic unordered vector load → N plain non-atomic scalar loads; no-torn-read guarantee broken (-O3 default pipeline) | PR #200263 merged — same root cause as 190/191, all three fixed by the isVolatile→!isSimple gate change |
| 149 | 149-dse-partial-merge-drops-nontemporal - drops !nontemporal metadata when merging (sibling of #108 atomic gap) | |
| 150 | 150-memcpyopt-trymerge-drops-nontemporal-hint - bails when start store has !nontemporal but inner forward-scan ignores it; subsequent nontemporal stores merged into plain memset, hardware hint lost | |
| 151 | 151-strict-ldexp-i64-libcall-silent-truncation - sibling of #011 for llvm.experimental.constrained.ldexp.f64.i64 — same silent truncation, lacks FPOWI-style guard | |
| 152 | 152-simplifycfg-sink-merges-two-volatile-seqcst-cmpxchg - volatile seq_cst cmpxchg instructions in mutually-exclusive branches sunk into one | WONTFIX — see WONTFIX catalog below |
| 153 | 153-dse-dominating-condition-drops-nontemporal - dropped !nontemporal on merged stores | |
| 154 | 154-simplifycfg-sink-merges-two-volatile-seqcst-atomicrmw - volatile seq_cst atomicrmw instructions in mutually-exclusive branches sunk into one (sibling of #152) | WONTFIX — see WONTFIX catalog below |
| 155 | 155-frexp-i64-libcall-stack-slot-overrun - llvm.frexp.f64.i64 allocates 8-byte slot, libcall writes 4 (int), load reads 8 — uninitialized upper 4 bytes (info leak + wrong value) | |
| 157 | 157-dse-redundant-stores-of-existing-values-drops-nontemporal - isIdenticalToWhenDefined ignores metadata; merging two identical stores drops !nontemporal (different code path from #149/#153) | |
| 158 | 158-sroa-memcpy-split-overrides-load-tbaa-nontemporal - per-load !tbaa/!nontemporal/!invariant.load dropped + memcpy's broader TBAA substituted onto user loads | |
| 159 | 159-sroa-phi-speculate-picks-aa-from-one-user - AA tag picked from one user of the speculated PHI, applied to merged load — wrong for other users | |
| 160 | 160-licm-promote-merges-store-only-mismatched-syncscopes - two unordered atomic STORES w/ mismatched syncscopes merged to one System-scope store; distinct from #144 (load+store) | |
| 161 | 161-licm-promote-merges-load-only-mismatched-syncscopes - two unordered atomic LOADS w/ mismatched syncscopes merged to one System-scope load; distinct from #144 | |
| 162 | 162-gvnsink-merges-deopt-bundle-operands-via-phi - non-const deopt bundle operand can be PHI'd; sunk call has per-path deopt value replaced by runtime select | WONTFIX — see WONTFIX catalog below |
| 163 | 163-instcombine-load-retype-drops-invariant-group - !invariant.group dropped on load retype; missing case in switch (compare combineMetadata which does handle it) | PR #200535 (draft; adds MD_invariant_group to copyMetadataForLoad) |
| 164 | 164-mem2reg-convertmetadatatoassumes-drops-range-align-deref - only converts !nonnull/!noundef; !range, !align, !dereferenceable, !invariant.load, AA metadata silently dropped | |
| 165 | 165-instcombine-load-of-select-drops-noundef-invariant-load-nontemporal - only copies Metadata::PoisonGeneratingIDs to split loads; drops !noundef/!invariant.load/!nontemporal/!tbaa/!alias.scope/!dereferenceable | local branch fix6-load-of-select-md (draft, not pushed) |
| 167 | 167-gvnhoist-alias-scope-union-extra-membership - hoisted load tagged with UNION of !alias.scope from both branches; claims membership originals never had → unsound AA queries | WONTFIX — does not reproduce at HEAD: GVNHoist uses combineMetadataForCSE, which intersects !alias.scope via getMostGenericAliasScope (not union). |
| 168 | 168-instcombine-unpack-array-load-drops-invariant-load - per-element loads from unpacked array drop !invariant.load (and other metadata) | local branch fix6-unpack-load-md (draft, not pushed) |
| 169 | 169-newgvn-storeexpression-drops-nontemporal - doesn't compare !nontemporal; NT store deleted in favor of plain store, NT hint lost | |
| 170 | 170-newgvn-loadexpression-drops-nontemporal - doesn't compare !nontemporal; CSE merges loads, combineMetadataForCSE intersect drops NT hint | |
| 171 | 171-gvnhoist-range-md-union-expands-set - hoisted load !range is UNION of source ranges, claiming membership in extra range that neither original load had | WONTFIX — not a bug: the hoisted single load may yield either branch’s value, so the UNION !range is the sound assertion (getMostGenericRange). Intersection would be wrong. |
| 172 | 172-gvnhoist-store-nontemporal-silently-dropped - hoisted store drops !nontemporal (sibling of NewGVN store-expr bug) | |
| 173 | 173-x86fold-NDDtoRMW-killsRegister-ignores-subreg - killsRegister check doesn't account for sub-register kills; can fold over a still-live sub-reg | |
| 174 | 174-atomic-expand-rmwcmpxchgloop-initload-drops-tbaa-noalias - InitLoaded missing copyMetadataForAtomic; cmpxchg has tbaa+noalias but seed load doesn't | |
| 175 | 175-atomic-expand-expandPartwordCmpXchg-newCI-drops-tbaa - widened cmpxchg new CI missing copyMetadataForAtomic; sibling widenPartwordAtomicRMW does it correctly | |
| 176 | 176-atomic-expand-convertAtomicLoadToIntegerType-drops-tbaa - drops !tbaa/!noalias/!alias.scope; sibling convertAtomicXchgToIntegerType does it correctly | |
| 177 | 177-instcombine-store-bitcast-drops-invariant-group - omits MD_invariant_group; store (bitcast double X to i64) %p, !invariant.group becomes plain store | local branch fix6-instcombine-store-retype-md (draft, not pushed) |
| 178 | 178-instcombine-store-bitcast-drops-noalias-addrspace - omits MD_noalias_addrspace; load/store asymmetric (copyMetadataForLoad has it) | local branch fix6-instcombine-store-retype-md (draft, not pushed) |
| 179 | 179-instcombine-load-of-select-drops-invariant-group-tbaa - broader than #165 — also strips !invariant.group, !invariant.load, !tbaa, !nontemporal, !dereferenceable | |
| 180 | 180-scalarize-masked-mem-drops-metadata-const-mask - drops !range/!tbaa/!noalias/!nontemporal/!nonnull/!dereferenceable; all-true path correctly copies metadata | |
| 181 | 181-separate-const-offset-from-gep-false-inbounds - unconditionally setIsInBounds(true); can mark a temporarily-OOB GEP as inbounds → guaranteed poison | PR #199304 merged |
| 183 | 183-simplifycfg-hoist-memintrinsic-drops-nontemporal - hoisted llvm.memcpy drops !nontemporal when only one of two carries it (combineMetadataForCSE writes JMD) | |
| 189 | 189-gvn-processMaskedLoad-drops-return-attrs - replaces masked.load with select but copies no return-value attributes (nofpclass, !range, noundef, align, dereferenceable) | |
| 190 | 190-vectorcombine-scalarizeLoadBitcast-strips-atomic - sibling of #148: atomic vector load that feeds only bitcast users → plain non-atomic scalar load via CreateLoad + copyMetadata | PR #200263 merged — same root cause as 148/191, all three fixed by the isVolatile→!isSimple gate change |
| 191 | 191-vectorcombine-scalarizeLoad-infloop-on-strong-atomic - monotonic/acquire/seq_cst atomic vector load → opt hangs at 100% CPU (worklist re-pushes the surviving original load forever) | PR #200263 merged — same root cause as 148/190, all three fixed by the isVolatile→!isSimple gate change |
| 192 | 192-simplifycfg-mergeCondStores-drops-nontemporal - merged store drops !nontemporal when only one of the paired stores carried it | |
| 193 | 193-simplifycfg-mergeCondStores-spreads-invariant-group - !invariant.group from one store leaks onto the merged store carrying the other branch's value | PR #200551 (open); LangRef clarification #200552 (open) |
| 195 | 195-instcombine-ldexp-chain-integer-overflow - ldexp(ldexp(x, INT_MAX), INT_MAX) → fmul x, 0.25 (i32 exponent sum wraps to -2 inverting overflow→underflow); should be +inf | PR #199274 merged |
| 196 | 196-dagcombiner-trystoremergeofloads-drops-aamd - merged wide load+store has no !tbaa/!alias.scope/!noalias (4-arg getLoad/getStore overloads drop AAInfo) | local branch fix6-dag-storemergeofloads-aainfo (draft, not pushed) |
| 198 | 198-dagcombiner-reduceloadopstorewidth-store-drops-aamd - asymmetric MMO loss: load-side keeps NT/tbaa, store-side drops both — visible in OR8mi MMOs | local branch fix6-dag-reduceloadopstorewidth-aainfo (draft, not pushed) |
| 199 | 199-dagcombiner-combineconsecutiveloads-drops-flags-aainfo - fused wide load drops MOInvariant + MONonTemporal + AAInfo; disables hoisting/CSE of immutable loads | WONTFIX (sound fix, undemonstrable here) — fix (AND MMO flags + concat AA) is correct, but bitcast(build_pair(ld,ld)) only fires via ABI-synthesized loads (no IR metadata) on X86/RISCV; the only in-tree regression test is SystemZ, not built here. No lit test can exhibit the preservation; branch dropped. |
| 200 | 200-memcpyopt-processStoreOfLoad-drops-load-nontemporal-aamd - load+store→memcpy fold drops load's !nontemporal/!invariant.load and AAMD; only DIAssignID copied | |
| 201 | 201-memcpyopt-processMemCpyMemCpyDependence-drops-nontemporal-aamd - chained memcpy fold drops !nontemporal and AAMD on the surviving memcpy | |
| 202 | 202-scalarize-masked-gather-dynamic-drops-metadata - per-lane loads drop ALL metadata (!range/!nontemporal/!noalias/!alias.scope/...) — downstream instcombine !range fold fails | local branch fix6-scalarize-masked-copymetadata (draft, not pushed) |
| 203 | 203-scalarize-masked-scatter-dynamic-drops-nontemporal - per-lane stores drop !nontemporal (and AAMD); backend emits cached MOV instead of MOVNT* | local branch fix6-scalarize-masked-copymetadata (draft, not pushed) |
| 204 | 204-scalarize-masked-expandload-drops-nontemporal - both const- and dyn-mask paths drop !nontemporal/AAMD on per-lane loads (no all-true short-cut) | local branch fix6-scalarize-masked-copymetadata (draft, not pushed) |
| 205 | 205-scalarize-masked-compressstore-drops-nontemporal - mirror of #204 — per-lane stores drop NT/AAMD on both const- and dyn-mask paths | local branch fix6-scalarize-masked-copymetadata (draft, not pushed) |
| 206 | 206-simplifylibcalls-fmod-incorrect-nnan-on-frem - fmod(NaN, 1.0) folded to frem nnan NaN, 1.0 → poison; IsNoNan proof actually checks no-errno not no-NaN | PR #199284 merged |
| 207 | 207-simplifylibcalls-fdim-inf-minus-inf-qnan - fdim(±Inf, ±Inf) folds to qNaN instead of +0.0 per C99 (uses max(X-Y, 0) instead of comparison-first definition) | PR #199306 merged |
| 208 | 208-sdag-memcpy-lowering-drops-nontemporal - llvm.memcpy ..., !nontemporal → per-chunk MMOs with no MONonTemporal; x86 emits cached MOV* instead of MOVNT* | WONTFIX — !nontemporal is LangRef-defined only for load/store, not for mem* intrinsic calls. Honoring it on llvm.memcpy would invent semantics no frontend emits/relies on. |
| 209 | 209-sdag-memmove-lowering-drops-nontemporal - sister of #208 for memmove | WONTFIX — sister of #208; !nontemporal undefined on llvm.memmove. |
| 210 | 210-sdag-memset-lowering-drops-nontemporal - sister of #208 for memset | WONTFIX — sister of #208; !nontemporal undefined on llvm.memset. |
| 211 | 211-instcombine-unpack-struct-load-drops-nontemporal - per-field load i32 instructions don't inherit !nontemporal/!access_group from aggregate load | local branch fix6-unpack-load-md (draft, not pushed) |
| 212 | 212-instcombine-unpack-struct-store-drops-nontemporal - mirror of #211 for stores | local branch fix6-unpack-store-md (draft, not pushed) |
| 213 | 213-legalize-expandintres-load-drops-range - i128 load split into two i64 loads drops !range on both MMOs | |
| 214 | 214-jumpthreading-unfoldselect-drops-unpredictable - select !unpredictable → br drops !unpredictable (pass never references MD_unpredictable) | local branch fix6-jumpthreading-unpredictable (draft, not pushed) |
| 217 | 217-lowerinvoke-drops-invoke-metadata - new CallInst lacks copyMetadata; drops !prof/!annotation/!range/!callees/!nosanitize/!noalias/!alias.scope | PR #200536 merged (uses createCallMatchingInvoke) |
| 218 | 218-verifier-vp-profile-null-deref-crash - malformed !prof !{"VP", i32 0, i64 100, !"oops", i64 50} triggers null-deref crash in verifier (getZExtValue() on null dyn_extract) | PR #199170 merged |
| 219 | 219-combinemetadata-drops-j-only-tbaa - iterates only K's metadata via getAllMetadataOtherThanDebugLoc; any kind J-only (e.g., !tbaa) silently dropped during EarlyCSE/GVN/SimplifyCFG | |
| 221 | 221-instcombine-mergeStoreIntoSuccessor-drops-nontemporal - two !nontemporal stores in successor blocks merged into single store; new store gets no metadata (only dbg/DIAssignID/AAMetadata transferred) | |
| 222 | 222-expand-ir-insts-scalarize-ice-on-fpto_sat-vector - ICE on <2 x i256> @llvm.fptoui.sat.v2i256.v2f32; dispatcher enqueues IntrinsicInst but scalarize only handles BinaryOperator/CastInst | PR #199174 merged |
| 223 | 223-expand-ir-insts-fpto-sat-inf-not-saturated - fptoui.sat.i256.f32(+Inf) produces ~2^128 instead of UINT256_MAX; threshold BitWidth-IsSigned ≥ FP exponent max never holds for wide ints | PR #200261 merged |
| 224 | 224-sdagbuilder-atomicrmw-cmpxchg-drops-align-aamd - uses getEVTAlign(MemVT) instead of I.getAlign(); atomicrmw add align 32 produces MMO alignment: 1 | PR #200332 merged |
| 225 | 225-loopunroll-loadcse-drops-nontemporal - RAUW merging same-address loads in unrolled iterations drops !nontemporal/!align (no combineMetadataForCSE) | |
| 226 | 226-branchfolding-tail-merge-drops-atomic-ordering - tail-merges load atomic monotonic with plain load; result is plain (monotonic dropped) | PR #199892 merged |
| 227 | 227-atomicexpand-vector-load-to-cmpxchg-verifier-crash - load atomic <2 x i64> (+cx16) synthesizes illegal cmpxchg ptr, vec, vec; verifier rejects → hard crash | PR #199310 merged |
| 228 | 228-gvn-pre-drops-load-metadata-whitelist - hand-rolled metadata whitelist drops !nonnull/!dereferenceable/!align/!noundef/!nontemporal/!fpmath on PRE'd load (verified at default -O2) | local branch fix6-gvn-pre-load-metadata (draft, not pushed) |
| 229 | 229-gvn-earlycse-cse-strips-nontemporal-from-stationary-leader - unconditional setMetadata(JMD) strips NT from stationary CSE leader when sibling lacks it; fires in GVN AND EarlyCSE | |
| 230 | 230-gvn-earlycse-cse-strips-nosanitize - same shape as #229 for !nosanitize; CSE'd leader loses no-instrumentation hint, sanitizers may re-instrument | |
| 231 | 231-branchfolding-tail-merge-strengthens-miflags - nuw add + plain add in tail-merge candidates → single nuw add on both paths; strengthens flag (unsound direction) | WONTFIX — see WONTFIX catalog below |
| 232 | 232-simple-loop-unswitch-zeroes-default-weight - switch with !prof {branch_weights, "expected", 100, 1, 1} unswitched to {branch_weights, 0, 1, 1} — default weight zeroed | PR #200025 merged |
| 234 | 234-instsimplify-strictfp-poison-fold-drops-side-effect - strict-FP constrained.fadd nnan with sNaN folded to NaN literal; FE_INVALID exception side-effect elided | PR #199405 closed (not merged) |
| 235 | 235-slpvectorizer-select-drops-fmf-prof - 4 scalar select nnan lanes merged into <4 x i1> select with no nnan/!prof/!unpredictable (no propagateIRFlags call) | |
| 237 | 237-machinecse-drops-mmo-on-erase - CSE'd MachineInstr load loses sibling's !range/AAInfo on erase (no cloneMergedMemRefs) | |
| 238 | 238-branchfolding-tail-merge-narrows-syncscope - system-scope atomic store + syncscope("singlethread") atomic store tail-merged → system path silently narrowed to singlethread | PR #199892 merged |
| 239 | 239-machinelateinstrscleanup-isidenticalto-ignores-mmos - merged invariant-load survivor drops !nontemporal MMO flag (uses isIdenticalTo which ignores MMOs) | |
| 240 | 240-x86-inline-probe-stack-skips-full-page-alloca - one-page (4096-byte) alloca with probe-stack="inline-asm" emits subq $4096, %rsp WITHOUT any probe; defeats stack-clash protection | WONTFIX — see WONTFIX catalog below |
| 241 | 241-instcombine-buildNew-shuffle-reorder-drops-cmp-cast-flags - shuffle reorder of icmp samesign/fcmp nnan ninf/zext nneg/trunc nuw drops the flag on new instr | |
| 242 | 242-aic-foldConsecutiveLoads-drops-load-metadata - merged wide load loses !nontemporal/!invariant.load/!noundef; only AAMD propagated | local branch fix6-aic-foldloads-md (draft, not pushed) |
| 243 | 243-lcssa-exit-phi-drops-fmf - %y.lcssa = phi float [ %y, %h ] lacks nnan ninf nsz reassoc even though %y (only incoming) carries them | |
| 244 | 244-scev-expander-drops-inrange-inbounds-on-gep - synthesized %scevgep = getelementptr i8, ... loses inbounds AND inrange(-8, 24) from source GEP | |
| 245 | 245-instcombine-unpack-aggregate-drops-nontemporal-extra - full enumeration of dropped kinds: !nontemporal, !access_group, !invariant.group, !mem_parallel_loop_access, !DIAssignID | |
| 246 | 246-constantfolding-ldexp-i64-exponent-narrowed-to-int - ldexp(1.0, i64 4294967330) folded to 2^34 (i64→int narrowing wraps); expected +inf per LangRef | PR #199309 merged |
| 249 | 249-function-attrs-ignores-operand-bundles - predicates use CallBase::hasFnAttr which ignores operand bundles; caller with [ "side_effects"() ] on leaf still infers nofree nosync nounwind willreturn | WONTFIX — see WONTFIX catalog below |
| 250 | 250-simplifycfg-mergeConditionalStoreToAddress-drops-pstore-metadata - asymmetric combineMetadata + SI->copyMetadata(*QStore) drops PStore-only !nontemporal/!tbaa/...; !invariant.group special-case can taint merged store | PR #200551 (open) |
| 252 | 252-jumpthreading-unfoldSelectInstr-branches-on-poison - original safely freezes potentially-poison condition before branching; after JT, the freeze is gone and br i1 %maybe_poison is direct UB | PR #199408 merged (+ NFC follow-up #199718) |
| 254 | 254-x86-fmaximum-fminimum-fp128-ice - llvm.maximum.f128/llvm.minimum.f128 (+ vector.reduce.f{max,min}imum.vNf128) ICE in LegalizeDAG (setcc on i128 bitcast left illegal); default mattr | WONTFIX — see WONTFIX catalog below |
| 255 | 255-x86-strict-bf16-arith-ice - strict-fp constrained.fadd/.../.bf16 ICE: SoftPromoteHalfResult has no strict-arith bf16 case — "soft promote ... result!"; default mattr | WONTFIX (strict-fp, deprecating) |
| 256 | 256-x86-strict-bf16-fcmp-ice - strict-fp constrained.fcmp[s].bf16 ICE: SoftPromoteHalfOperand has no strict-fcmp case — "soft promote ... operand!"; default mattr | WONTFIX (strict-fp, deprecating) |
| 257 | 257-x86-strict-vec-fp128-fcmp-ice - strict-fp constrained.fcmp[s].v2f128 ICE: vector-result expander can't expand STRICT_FSETCC of vector fp128 — "expand the result!"; default mattr | WONTFIX (strict-fp, deprecating) |
| 258 | 258-x86-copyphysreg-vk16-kmovq-without-bwi - copyPhysReg emits BWI-only KMOVQkk_EVEX for VK16 $k->$k copy on +avx512f,+egpr (no BWI); should be KMOVWkk_EVEX (siblings do). Target-illegal insn silently emitted | PR #200337 merged |
| 259 | 259-x86-kcfi-arity-from-liveins-undercount - -fsanitize-kcfi-arity: __cfi_ prefix derives arg arity from MIR live-ins (used regs) not ABI arity; unused/sparse params under-encode + assume RDI-first → wrong FineIBT register poisoning | new (security) |
| 260 | 260-rs4gc-addrspacecast-base-assert - rewrite-statepoints-for-gc asserts "unsupported addrspacecast" (crash on verifier-valid IR) for one-way addrspacecast ptr→addrspace(1) | WONTFIX — see WONTFIX catalog below |
| 261 | 261-licm-reassoc-icmp-keeps-samesign - LICM hoistAdd/hoistSub reassociate LV+C1 cmp C2→LV cmp C2-C1 but keep samesign on the new LHS → poison/wrong value (x86-exec verified) | PR #200344 merged |
| 262 | 262-mergeicmps-non-byte-multiple-memcmp - MergeICmps merges non-byte-multiple int compares (e.g. i17) into a memcmp whose byte length (SizeBits/8) covers the wrong bytes → wrong result (x86-exec verified) | PR #200346 merged |
Entries below were investigated and deliberately not filed, either because
they are not bugs at all, are permitted by LangRef, only fire on undefined
behavior, are unreachable / already-correct on the default x86 pipeline, are
already fixed upstream, or are intentional design. Many were previously
deleted from the catalog; they have been restored here (with their
bugs/NNN-…/ folders) so the reasoning is preserved rather than lost.
Verified at LLVM HEAD 023e7decf625 with ~/code/llvm3/build/bin/{opt,llc}
(assertions on) unless noted.
| # | Bug | Why WONTFIX |
|---|---|---|
| 002 | minimumnum sNaN not quieted | LangRef floatnan explicitly permits "Unchanged NaN propagation"; returning an input sNaN unchanged when both inputs are NaN is allowed. |
| 006 | SESES one-lfence skips branch | Non-default mitigation (-x86-seses-one-lfence-per-bb); the dedup mechanism (PrevInstIsLFENCE) is already present, so no LFENCE is actually dropped. |
| 009 | IBT misses WinEH funclet entries | No enforcing platform. The missing endbr64 only #CP-faults where IBT is enforced, but the only EH model that produces funclets is WinEH, and Windows does not implement IBT — it uses Control Flow Guard / XFG for the forward edge and adopts only CET's shadow stack (backward edge). So on every shipping Windows the endbr64 are inert NOPs and the fault cannot occur. clang still accepts -fcf-protection=branch on a Windows triple with no diagnostic (so LLVM does emit endbr64 on the parent/EH-pad blocks there), making the funclet gap a real codegen inconsistency — but it's theoretical hardening, not an observable bug. The right fix, if any, is to reject/warn on -fcf-protection=branch for Windows targets in the driver. |
| 044 | TileConfig ConstMI position drift | AMX-only, MIR-level; dropped in the Opus-4.7 audit as not a real bug (no realistic-source reproducer). |
| 061 | mulhu vec one-splat | Unreachable in practice: SimplifyVBinOp scalarizes the splat ahead of the broken isOneConstant early-out, so the asm is already correct and the patch would be a strict no-op. |
| 088 | SCEV howManyLessThans signed-stride | Not a miscompile. The closing-rate formula only fires because the RHS recurrence carries nsw; every input where it diverges signed-overflows the nsw add → UB before the unsigned exit can legitimately fire. 46M+ well-defined inputs (strides −1/−3) match the closed form exactly; -fwrapv strips nsw and suppresses the fold. Sound UB-exploitation, not a wrong value. |
| 097 | vpermilvar.pd mask bit-1 truncation | NOTES self-concludes "No bug": zextOrTrunc(32) → getLoBits(2) → >>1 is equivalent to extracting bit 1 of the original i64 mask, which matches hardware. |
| 100 | imm-shift upper-demand for i32 | NOTES self-concludes "Ruled out": getBitsSet(NumElts,1,NumElts/2) demands exactly the right low-64-bit lanes for v4i32/v8i16/v2i64. |
| 112 | fp-round-of-fp-extend sNaN quieting | sNaN-quieting loss — a known accepted LLVM limitation; LangRef permits it. |
| 114 | GVNSink merges volatile stores | Property-preserving sink: in any single execution exactly one volatile store runs before and after, so the observable per-path count is unchanged. |
| 115 | simplifyFPBinop sNaN bypass fmul | sNaN-quieting loss; same accepted-limitation class as 112. |
| 116 | simplifyFPBinop sNaN bypass fadd -0 | sNaN-quieting loss; same as 112. |
| 117 | fdiv -1 sNaN passthrough | sNaN-quieting loss; same as 112. |
| 120 | simplifycfg sink merges volatile stores | SimplifyCFG hoist/sink of equivalent volatile/atomic accesses along the CFG is count-preserving per path; not treated as a FuzzX bug. |
| 121 | simplifycfg hoist merges volatile loads | Same as 120. |
| 122 | simplifycfg hoist merges seq_cst atomic loads | Same as 120. |
| 123 | instcombine constfold nnan/ninf → nan/inf | LangRef explicitly permits replacing a poison value with any value of the type (poison→value refinement). |
| 131 | atomic-expand initload not atomic | Illegal under LLVM IR semantics in the abstract but intentionally harmless on x86 (the seed load is immediately validated by the cmpxchg). |
| 134 | atomicrmw→libcall drops volatile/SSID | A forced __atomic_* libcall is opaque (may-write, can't be elided/CSE'd) so the dropped volatile bit is unobservable; syncscope widening to system is the safe direction. If a libcall must be emitted, a libcall must be emitted. |
| 136 | newgvn freeze-cse same operand | freeze-CSE is a valid refinement of source nondeterminism (matches D75334 design intent). |
| 143 | memcpyopt processMemMove volatile memset | Fixed upstream by merged PR #200100 — the if (MemSet->isVolatile()) return false; guard added to processMemSetMemCpyDependence (the shared entry point with #109) covers this path. |
| 152 | simplifycfg sink 2× volatile seq_cst cmpxchg | Per-path count preserved (one cmpxchg executes either way); the sink-common guard already refuses this at HEAD (does not reproduce, even with sink-common-insts). |
| 154 | simplifycfg sink 2× volatile seq_cst atomicrmw | Same as 152. |
| 156 | instcombine fcmp nnan-with-nan → bool | poison→value refinement, permitted by LangRef. |
| 162 | GVNSink deopt bundle operand → PHI | GVNSink is not in the default O2/O3 pipeline; the merged operand is a correct per-path select (value-preserving), and deopt bundles are emitted only by JIT/VM frontends, never the default C/C++ pipeline. |
| 166 | mem2reg noundef across phi undef edge | The "fix" requires inserting assume(noundef), which is itself an optimization-blocker; net wash, not worth it. |
| 182 | simplifycfg sink merges two fences | Per-path count preserved (one fence executes either way); CFG-motion of equivalent fences, same class as 120–122. |
| 184 | instcombine atomic memcpy/memset element-atomicity | The fold only fires when the total length ≤ one element size, so the single load+store is a single element and element-atomicity is trivially preserved. |
| 185 | licm promote hoists conditional load | Does not survive LLVM's static-dereferenceability / capture-analysis semantics. |
| 186 | licm promote sinks conditional store | Same as 185. |
| 187 | gvn freeze-cse distinct instances | freeze-CSE valid refinement; same as 136. |
| 188 | earlycse freeze-cse distinct instances | Same as 187. |
| 194 | instcombine freeze-cse distinct instances | Same as 187. |
| 197 | dagcombiner mergeTruncStores drops NT/AAInfo | Metadata missed-opt only (no wrong value); removed as a weak duplicate of the 4-arg getStore AAInfo-drop family (#196/#198/#199). |
| 215 | lower-expect handleBrSel clobbers prof | Intentional MisExpect design: __builtin_expect is meant to override frontend PGO (checkFrontendInstrumentation emits -pgo-warn-misexpect). |
| 216 | lower-expect handleSwitch clobbers prof | Same intentional MisExpect design as 215. |
| 220 | gvn patchReplacementInstruction drops nsw | The global nsw drop is required for correctness (PR #82935 / Transforms/GVN/pr82884.ll): RAUW-ing extractvalue(sadd.with.overflow) users with a still-nsw add would hand them poison where source had a defined wrapped value. |
| 233 | constantfolding fmuladd folded fused | LangRef says llvm.fmuladd fusion is unspecified ("Fusion is not guaranteed, even if the target supports it"), so constant-folding it as a single-rounding FMA is permitted. |
| 236 | instcombine ashr→lshr preserves exact | exact requires the shifted-out bits to be zero, so propagating it is not the anti-refinement originally claimed. |
| 240 | stack-probe skips full-page alloca | Does not reproduce at HEAD — emitStackProbeInlineGenericBlock emits movq $0,(%rsp) after every subq $4096, for both the exactly-4096 and 16384 (multi-page) cases. The "unprobed tail" claim does not hold at 023e7decf625. |
| 247 | constantfolding bitcast poison lane → zero | poison→value refinement, permitted by LangRef. |
| 118 | SROA drops atomic ordering | Benign / not prioritized. The guard if (LI.isVolatile()) NewLI->setAtomic(...) does drop the ordering of a non-volatile atomic on the slice-rewrite path, but SROA only operates on allocas it has proven do not escape/capture, so the memory is thread-local and the atomicity is unobservable. The current behavior is also arguably preferable: preserving the moot ordering would block later SSA promotion of the slice, a pessimization with no correctness benefit. |
| 129 | EarlyCSE load CSE ignores syncscope | Benign / not prioritized. Two load atomic unordered with different syncscopes are CSE'd to one. unordered participates in no inter-thread ordering, so its syncscope has no observable effect; merging is sound. Adding syncscope to the CSE key would only block valid CSEs (a pessimization) for no correctness benefit. |
| 248 | foldSelectIntoOp ninf on new select | Not a bug (under current LangRef). LangRef ninf: "If an argument is +/-Inf, or the result would be +/-Inf, it produces a poison value." So fmul ninf 0.0, +inf is already poison (inf argument), not the "defined NaN" the NOTES assumed. Whenever the source select is defined, the folded operand is non-inf, so the ninf-stamped new select never introduces poison the source lacked. The code comment ("flag only guarantees the result is never inf") reflects older result-only semantics. Originally restored as a re-promotion, then re-refuted. |
| 249 | function-attrs ignores operand bundles | Not a bug — LangRef §Operand Bundles restricts an unknown bundle to (a) escaping its operands and (b) unknown heap read/write, and states "an operand bundle at a call site cannot change the implementation of the called function." Bundles therefore cannot make a callee unwind/free/synchronize/not-return, so inferring nounwind/nofree/nosync/willreturn through a bundled call is sound. The existing test Transforms/FunctionAttrs/operand-bundles-scc.ll codifies exactly this. The original NOTES premise (bundles "can free/sync/throw/fail-to-return") contradicts LangRef. Only the memory attribute bails on bundles (correctly), via checkFunctionMemoryAccess. |
| 251 | cvp RetRange undef-tainted add nuw/nsw | Already tracked as upstream issue llvm/llvm-project#114902; not kept as a separate FuzzX bug. |
| 255 | strict-fp bf16 arith ICE | WONTFIX — real crash (SoftPromoteHalfResult lacks strict-fp arith cases), but the strict-fp constrained-intrinsic API is changing/being phased out and is little-used; deprioritized. A correct fix would also need a deeper STRICT_FP_TO_BF16 result-ABI repair (the strict round corrupts the value via a spurious pinsrw). |
| 256 | strict-fp bf16 fcmp ICE | WONTFIX — same strict-fp class as #255. |
| 257 | strict-fp vec fp128 fcmp ICE | WONTFIX — same strict-fp class as #255. |
| 253 | foldAddLikeCommutative nsw from or disjoint | Not a bug — brute force over all i8×i8 inputs (C1∈{1,5,64,127,250}) finds zero defined→poison cases. Whenever the or disjoint precondition holds and add nsw a,C1 does not overflow, add nsw a,(b\|C1) provably does not overflow either. The original NOTES arithmetic was wrong (it treated the i8 operand 135 as exceeding INT8_MAX; as i8 it is −121 and 100+(−121)=−21 is in range). or disjoint→add nsw nuw forwarding is sound. |
| 092 | fixupsetcc ZU asserts on survived SETCCr | WONTFIX — GlobalISel-only. The assert only fires via llc -global-isel -mattr=+zu (GISel emits a plain SETCCr unconditionally, not gating on ZU; SelectionDAG already pre-selects SETZUCCr so it never trips). The X86 GlobalISel path is not production-ready, so GISel-only crashes are deprioritized. The one-line normalization fix (convert SETCCr→SETZUCCr instead of asserting) is correct but not worth carrying; PR #200334 closed. |
| 254 | fmaximum/fminimum f128/f80 ICE | WONTFIX — not worth fixing. Real crash, but only llvm.maximum/llvm.minimum (IEEE-754-2019 / C23 fmaximum/fminimum) on __float128/long double hits it, which no realistic source emits. A clean fix exists (route to the fminimuml/fmaximuml / fminimumf128/fmaximumf128 libcalls, wiring FMINIMUM/FMAXIMUM into ConvertNodeToLibcall) but the payoff doesn't justify carrying it. |
| 260 | RS4GC addrspacecast base assert | WONTFIX — not worth fixing. rewrite-statepoints-for-gc is not in the default x86 pipeline and only GC frontends invoke it; the assert is a longstanding known upstream issue (#61917, open since 2023). A fix (treat the non-GC→GC addrspacecast as its own base, like the inttoptr rule) is straightforward but the case is too niche to maintain. |
- Hunted LV miscompiles via C-level random fuzz, IR-level random fuzz, and pattern-targeted tests
- Compared O0 vs O2; also O2 vs O2 with -fno-vectorize/-fno-slp-vectorize as reference
- Patterns probed: tail-folded reductions, predicated div/rem, first-order recurrence, stride-3/5 interleave, min/max reduction with index (FindLast), early-exit, anyOf, gather/scatter, conditional store, conditional load, alignment edges, multiple inductions, reverse iteration, u8 wrap accum, FP min/max
- Flag combos: default O2; predicate-dont-vectorize; force-vector-width 2/4/8/16/32; force-vector-interleave 2/4/8; -mavx2; -mavx512f/vl/bw/dq; -enable-masked-interleaved-mem-accesses; -enable-early-exit-vectorization
- Initial integer C-fuzz found 13 mismatches (signed-overflow / INT_MIN/-1 UB — disappeared with -fwrapv, not LV bugs)
- FP fuzz with -ffast-math found 122 mismatches but all persist with -fno-vectorize (generic FP reassoc, not LV)
- After UB-filtering: 0 confirmed LV miscompiles in ~12 minutes
- Conclusion: LoopVectorize at default O2 is robust against these patterns; no bugs added