expand: Fix handling of asm goto outputs vs. PHI argument adjustments [PR113921]

The Linux kernel and the following testcase distilled from it is
miscompiled, because tree-outof-ssa.cc (eliminate_phi) emits some
fixups on some of the edges (but doesn't commit edge insertions).
Later expand_asm_stmt emits further instructions on the same edge.
Now the problem is that expand_asm_stmt uses insert_insn_on_edge
to add its own fixups, but that function appends to the existing
sequence on the edge if any.  And the bug triggers when the
fixup sequence emitted by eliminate_phi uses a pseudo which the
fixup sequence emitted by expand_asm_stmt later on sets.
So, we end up with
  (set (reg A) (asm_operands ...))
and on one of the edges queued sequence
  (set (reg C) (reg B)) // added by eliminate_phi
  (set (reg B) (reg A)) // added by expand_asm_stmt
That is wrong, what we emit by expand_asm_stmt needs to be as close
to the asm_operands as possible (they aren't known until expand_asm_stmt
is called, the PHI fixup code assumes it is reg B which holds the right
value) and the PHI adjustments need to be done after it.

So, the following patch introduces a prepend_insn_to_edge function and
uses it from expand_asm_stmt, so that we queue
  (set (reg B) (reg A)) // added by expand_asm_stmt
  (set (reg C) (reg B)) // added by eliminate_phi
instead and so the value from the asm_operands output propagates correctly
to the PHI result.

2024-02-15  Jakub Jelinek  <jakub@redhat.com>

	PR middle-end/113921
	* cfgrtl.h (prepend_insn_to_edge): New declaration.
	* cfgrtl.c (insert_insn_on_edge): Clarify behavior in function
	comment.
	(prepend_insn_to_edge): New function.
	* cfgexpand.c (expand_asm_stmt): Use prepend_insn_to_edge instead of
	insert_insn_on_edge.

	* gcc.target/i386/pr113921.c: New test.

(cherry picked from commit 2b4efc5db2aedb59196987300e14951d08cd7106)

4 files changed, 44 insertions, 3 deletions

diff --git a/gcc/cfgexpand.c b/gcc/cfgexpand.c
index a607ad50d2b..d3768a6134b 100644
--- a/gcc/cfgexpand.c
+++ b/gcc/cfgexpand.c
@@ -3639,7 +3639,7 @@ expand_asm_stmt (gasm *stmt)
 		emit_insn (copy_insn (PATTERN (curr)));
 	      rtx_insn *copy = get_insns ();
 	      end_sequence ();
-	      insert_insn_on_edge (copy, e);
+	      prepend_insn_to_edge (copy, e);
 	    }
 	}
     }
diff --git a/gcc/cfgrtl.c b/gcc/cfgrtl.c
index 4fb145ee4c4..e24c6c04ec8 100644
--- a/gcc/cfgrtl.c
+++ b/gcc/cfgrtl.c
@@ -25,7 +25,7 @@ along with GCC; see the file COPYING3.  If not see
      - CFG-aware instruction chain manipulation
 	 delete_insn, delete_insn_chain
      - Edge splitting and committing to edges
-	 insert_insn_on_edge, commit_edge_insertions
+	 insert_insn_on_edge, prepend_insn_to_edge, commit_edge_insertions
      - CFG updating after insn simplification
 	 purge_dead_edges, purge_all_dead_edges
      - CFG fixing after coarse manipulation
@@ -1990,7 +1990,8 @@ rtl_split_edge (edge edge_in)
 
 /* Queue instructions for insertion on an edge between two basic blocks.
    The new instructions and basic blocks (if any) will not appear in the
-   CFG until commit_edge_insertions is called.  */
+   CFG until commit_edge_insertions is called.  If there are already
+   queued instructions on the edge, PATTERN is appended to them.  */
 
 void
 insert_insn_on_edge (rtx pattern, edge e)
@@ -2010,6 +2011,25 @@ insert_insn_on_edge (rtx pattern, edge e)
   end_sequence ();
 }
 
+/* Like insert_insn_on_edge, but if there are already queued instructions
+   on the edge, PATTERN is prepended to them.  */
+
+void
+prepend_insn_to_edge (rtx pattern, edge e)
+{
+  /* We cannot insert instructions on an abnormal critical edge.
+     It will be easier to find the culprit if we die now.  */
+  gcc_assert (!((e->flags & EDGE_ABNORMAL) && EDGE_CRITICAL_P (e)));
+
+  start_sequence ();
+
+  emit_insn (pattern);
+  emit_insn (e->insns.r);
+
+  e->insns.r = get_insns ();
+  end_sequence ();
+}
+
 /* Update the CFG for the instructions queued on edge E.  */
 
 void
diff --git a/gcc/cfgrtl.h b/gcc/cfgrtl.h
index 0c8568ba757..9ef8db33e23 100644
--- a/gcc/cfgrtl.h
+++ b/gcc/cfgrtl.h
@@ -38,6 +38,7 @@ extern edge try_redirect_by_replacing_jump (edge, basic_block, bool);
 extern void emit_barrier_after_bb (basic_block bb);
 extern basic_block force_nonfallthru_and_redirect (edge, basic_block, rtx);
 extern void insert_insn_on_edge (rtx, edge);
+extern void prepend_insn_to_edge (rtx, edge);
 extern void commit_one_edge_insertion (edge e);
 extern void commit_edge_insertions (void);
 extern void print_rtl_with_bb (FILE *, const rtx_insn *, dump_flags_t);
diff --git a/gcc/testsuite/gcc.target/i386/pr113921.c b/gcc/testsuite/gcc.target/i386/pr113921.c
new file mode 100644
index 00000000000..f7efba74143
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr113921.c
@@ -0,0 +1,20 @@
+/* PR middle-end/113921 */
+/* { dg-do run } */
+/* { dg-options "-O2" } */
+
+__attribute__((noipa)) long
+foo (void)
+{
+  long v;
+  asm volatile goto ("jmp %l2" : "=r" (v) : "0" (27) : : lab);
+  return v;
+lab:
+  return 42;
+}
+
+int
+main ()
+{
+  if (foo () != 42)
+    __builtin_abort ();
+}