This is an archive of the discontinued LLVM Phabricator instance.

Differential D12970

SmallVector fix for use-after-dtor bug.
AbandonedPublic

Authored by nmusgrave on Sep 18 2015, 10:04 AM.

Details

Reviewers
eugenis
Summary

Fix for use-after-dtor bug in SmallVector. Circular dependency in class hierarchy:

SmallVector contains a SmallVectorStorage member.
This member is never explicitly referenced, but removing it results in major
test failures.
SmallVectorStorage contains a SmallVectorTemplateCommon member, which SmallVector
is also a subclass of.

This fix resolves some of the issues, but there are still failures arising
in connection with SmallVector.

Diff Detail

Event Timeline

nmusgrave updated this revision to Diff 35098.Sep 18 2015, 10:04 AM
nmusgrave retitled this revision from to SmallVector fix. Some tests still failing. Not sure this is right approach for fixing circular dependency that gives use-after-dtor bug..
nmusgrave updated this object.
nmusgrave added a reviewer: eugenis.
nmusgrave added a subscriber: llvm-commits.
nmusgrave retitled this revision from SmallVector fix. Some tests still failing. Not sure this is right approach for fixing circular dependency that gives use-after-dtor bug. to SmallVector fix for use-after-dtor bug..Sep 18 2015, 10:07 AM
nmusgrave updated this object.
dblaikie added a subscriber: dblaikie.Sep 18 2015, 10:11 AM

We try to keep as much code in the Impl rather than the SmallVector itself to reduce template code bloat.

Could you explain in more detail what the circular dependency/use-after-dtor issue is? Which entity's dtor is ~SmallVectorImpl using inappropriately?

yaron.keren added a subscriber: yaron.keren.Sep 18 2015, 10:12 AM
eugenis edited edge metadata.Sep 18 2015, 3:13 PM

The problem is this:
SmallVectorTemplateCommon only has space for the first element of the vector; the rest of the space is provided by SmallVector and used by effectively overflowing the field SmallVectorTemplateCommon. Sanitizers are OK with it because the memory is, in fact, allocated.

Use-after-destroy detector complains about ~SmallVectorTemplateCommon accessing memory that belongs to SmallVector (the destructor for that has already ran at the point) when calling destructors for individual vector elements in destroy_range.

dblaikie added inline comments.Sep 18 2015, 5:05 PM
include/llvm/ADT/SmallVector.h
926

This is different from the original code, why?

I assume this would introduce a bug where in big-mode it doesn't call the dtors on the elements of the vector?

nmusgrave abandoned this revision.Sep 18 2015, 9:56 PM

Revision Contents

PathSize
include/
llvm/
ADT/
22 lines

Diff 35098

include/llvm/ADT/SmallVector.h

Show First 20 LinesShow All 359 Lines▼ Show 20 Lines
protected: protected:
// Default ctor - Initialize to empty. // Default ctor - Initialize to empty.
explicit SmallVectorImpl(unsigned N) explicit SmallVectorImpl(unsigned N)
: SmallVectorTemplateBase<T, isPodLike<T>::value>(N*sizeof(T)) { : SmallVectorTemplateBase<T, isPodLike<T>::value>(N*sizeof(T)) {
} }
public: public:
~SmallVectorImpl() {
// Destroy the constructed elements in the vector.
this->destroy_range(this->begin(), this->end());
// If this wasn't grown from the inline copy, deallocate the old space.
if (!this->isSmall())
free(this->begin());
}
void clear() { void clear() {
this->destroy_range(this->begin(), this->end()); this->destroy_range(this->begin(), this->end());
this->EndX = this->BeginX; this->EndX = this->BeginX;
} }
void resize(size_type N) { void resize(size_type N) {
if (N < this->size()) { if (N < this->size()) {
this->destroy_range(this->begin()+N, this->end()); this->destroy_range(this->begin()+N, this->end());
▲ Show 20 LinesShow All 535 Lines▼ Show 20 Lines const SmallVector &operator=(SmallVectorImpl<T> &&RHS) {
SmallVectorImpl<T>::operator=(::std::move(RHS)); SmallVectorImpl<T>::operator=(::std::move(RHS));
return *this; return *this;
} }
const SmallVector &operator=(std::initializer_list<T> IL) { const SmallVector &operator=(std::initializer_list<T> IL) {
this->assign(IL); this->assign(IL);
return *this; return *this;
} }
~SmallVector() {
if (this->isSmall()) {
// Destroy the constructed elements in the vector.
this->destroy_range(this->begin(), this->end());
} else {
// If this wasn't grown from the inline copy, deallocate the old space.
free(this->begin());
dblaikieUnsubmitted
Not Done
ReplyInline Actions

This is different from the original code, why?

I assume this would introduce a bug where in big-mode it doesn't call the dtors on the elements of the vector?

dblaikie: This is different from the original code, why? I assume this would introduce a bug where in…
}
}
}; };
template<typename T, unsigned N> template <typename T, unsigned N>
static inline size_t capacity_in_bytes(const SmallVector<T, N> &X) { static inline size_t capacity_in_bytes(const SmallVector<T, N> &X) {
return X.capacity_in_bytes(); return X.capacity_in_bytes();
} }
} // End llvm namespace } // End llvm namespace
namespace std { namespace std {
/// Implement std::swap in terms of SmallVector swap. /// Implement std::swap in terms of SmallVector swap.
Show All 15 Lines