This is an archive of the discontinued LLVM Phabricator instance.

Differential D77936

[Windows SEH] Fix abnormal-exits in _try
ClosedPublic

Authored by tentzen on Apr 11 2020, 1:14 AM.

Details

Reviewers
rnk
eli.friedman
JosephTremoulet
asmith
efriedma
Commits
rG4eabd0061254: [Windows SEH] Fix abnormal-exits in _try
Summary

Per Windows SEH Spec, except _leave, all other early exits of a _try (goto/return/continue/break) are considered abnormal exits. In those cases, the first parameter passes to its _finally funclet should be TRUE to indicate an abnormal-termination.

One way to implement abnormal exits in _try is to invoke Windows runtime _local_unwind() (MSVC approach) that will invoke _dtor funclet where abnormal-termination flag is always TRUE when calling _finally. Obviously this approach is less optimal and is complicated to implement in Clang.

Clang today has a NormalCleanupDestSlot mechanism to dispatch multiple exits at the end of _try. Since _leave (or try-end fall-through) is always Indexed with 0 in that NormalCleanupDestSlot, this fix takes the advantage of that mechanism and just passes NormalCleanupDest ID as 1st Arg to _finally.

Diff Detail

Event Timeline

tentzen created this revision.Apr 11 2020, 1:14 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 11 2020, 1:14 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster failed remote builds in B52792: Diff 256754!Apr 11 2020, 2:06 AM
efriedma added a subscriber: efriedma.Apr 11 2020, 1:41 PM

Needs a testcase in clang/test/CodeGen to verify the generated IR.

I haven't looked at this code in a while, but this looks reasonable.

clang/lib/CodeGen/EHScopeStack.h
164

Please add a trailing comma here.

efriedma added inline comments.Apr 11 2020, 2:06 PM
clang/lib/CodeGen/CGException.cpp
1651

Is just truncating the value really correct? What's the possible range of values stored in getNormalCleanupDestSlot()?

tentzen updated this revision to Diff 256836.Apr 11 2020, 11:51 PM
tentzen marked an inline comment as done.

Per Eli's feedbacks:
(1) a test case (windows-seh-abnormal-exit.c) is added under clang\test\CodeGen directory.
(2) an assert is added to catch the extremely rare case that the number of JumpDests in a function is greater than 255. The max. number of JumpDests is 1 (return) + 2*M + N, where M is the number of for/while-loops and N is the number of Goto targets.

Harbormaster failed remote builds in B52843: Diff 256836!Apr 12 2020, 12:29 AM
tentzen updated this revision to Diff 256840.Apr 12 2020, 1:00 AM
tentzen marked an inline comment as done.

Add option -fms-extensions in test case

Harbormaster failed remote builds in B52844: Diff 256840!Apr 12 2020, 1:34 AM
efriedma added a comment.Apr 12 2020, 12:53 PM

Instead of asserting there are less than 256 cleanup destinations, can you emit an icmp against zero, or something like that?

tentzen added a comment.Apr 12 2020, 2:03 PM
In D77936#1976938, @efriedma wrote:

Instead of asserting there are less than 256 cleanup destinations, can you emit an icmp against zero, or something like that?

I did consider that. but it splits the block and induces one compare and one branch in _try exit sequence for something that will not happen in RWC. And it's hard for Optimizer to deal with it. Optimizer can probably can tail-duplicate each path at the expense of code size which I don't think LLVM would do today. Do you really think it's worth to split the block here? thanks

clang/lib/CodeGen/CGException.cpp
1651

Good question!
Usually the number in NormalCleanupDestSlot is single digit (or at most double-digit) , the totoal number of Jump Destinations (return/goto/break/continue/..) in the function.
I thought about widening 1st arg from CHAR to unsigned, but dropped the idea as it seems unnecessary. Yes, someone can write a code to make more than 255 Jumps in a function, but it’s unlikely to happen in real world code. What do you think?
I can go either way..
For sure, we can add an assert to catch it.

efriedma added a comment.Apr 12 2020, 2:57 PM

I'm not concerned about the performance implications of whatever approach we take here. In the worst case, an "icmp+zext" corresponds to two extra arithmetic instructions; that's not enough to matter. And I expect usually it'll get optimized away.

I'd prefer to avoid exposing our cleanup numbering to user code, if possible. The Microsoft documentation says it returns 0 or 1.

tentzen added a comment.Apr 12 2020, 6:12 PM
In D77936#1976984, @efriedma wrote:

I'm not concerned about the performance implications of whatever approach we take here. In the worst case, an "icmp+zext" corresponds to two extra arithmetic instructions; that's not enough to matter. And I expect usually it'll get optimized away.

I'd prefer to avoid exposing our cleanup numbering to user code, if possible. The Microsoft documentation says it returns 0 or 1.

OK, will do..
thanks

tentzen updated this revision to Diff 256906.Apr 12 2020, 6:36 PM

Per Eli's suggestion,
Use icmp (and zext) to check the JumpDest index, instead of directly passing the Index to _finally().

Harbormaster completed remote builds in B52891: Diff 256906.Apr 12 2020, 7:46 PM
efriedma accepted this revision.Apr 13 2020, 10:32 AM

LGTM

This revision is now accepted and ready to land.Apr 13 2020, 10:32 AM
rnk added a comment.Apr 13 2020, 12:22 PM

I like the implementation strategy, but I have one corner case, which is probably worth a test.

clang/lib/CodeGen/CGCleanup.cpp
848

Are we sure this is the right set of predicates? It seems like we'll get the wrong flag in cases like:

  __try {
    mayThrow();
    goto out;  // AbnormalTermination should be 1
  } __finally {
    tearDown();
  }
out:
  return 0;

I think these conditions are designed to avoid the switch when there is no normal fallthrough destination (!HasFallthrough). I see clang emits no switch for this C++ input:

$ cat t.cpp
void mayThrow();
struct Dtor {
  ~Dtor();
};
int f() {
  do {
    Dtor o;
    mayThrow();
    break;
  } while (0);
  return 0;
}

$ clang t.cpp  -S -emit-llvm -fno-exceptions -o - | grep switch
# empty
863–864

This flag is set for any cleanup that needs to switch-out to multiple normal destinations. You have named this an "seh abnormal exit", an exit that is abnormal for the purposes of SEH, but I think it would be clearer to give the flag a more general name.

Based on the existing terminology, maybe (F_)HasBranchAfter would be the closest to what we are looking for?

clang/lib/CodeGen/EHScopeStack.h
184

Please add a comment describing the accessor.

tentzen marked 2 inline comments as done.Apr 13 2020, 4:16 PM
tentzen added inline comments.
clang/lib/CodeGen/CGCleanup.cpp
848

Yes, this test passed.

store i32 3, i32* %cleanup.dest.slot, align 4
%0 = call i8* @llvm.localaddress()
%cleanup.dest = load i32, i32* %cleanup.dest.slot, align 4
%1 = icmp ne i32 %cleanup.dest, 0
%2 = zext i1 %1 to i8
call void @"?fin$0@0@Test84@@"(i8 %2, i8* %0)
%cleanup.dest1 = load i32, i32* %cleanup.dest.slot, align 4
switch i32 %cleanup.dest1, label %unreachable [
  i32 3, label %out
]
863–864

my original implementation in https://github.com/tentzen/llvm-project is still using (F_)HasBranchAfters. it's renamed because I'm afraid it may mis-imply it to Scope.getNumBranchAfters().

Yes, Agree, it should not be SEH specific.
how about F_HasExitSwitch?

tentzen updated this revision to Diff 257849.Apr 15 2020, 2:26 PM

Replace F_HasSehAbnormalExits with F_HasExitSwitch

Harbormaster failed remote builds in B53430: Diff 257849!Apr 15 2020, 2:55 PM
tentzen updated this revision to Diff 257977.Apr 16 2020, 12:44 AM

remade a patch after re-sync

Harbormaster failed remote builds in B53518: Diff 257977!Apr 16 2020, 12:48 AM
Closed by commit rG4eabd0061254: [Windows SEH] Fix abnormal-exits in _try (authored by asmith). · Explain WhyApr 30 2020, 10:08 AM
This revision was automatically updated to reflect the committed changes.
tentzen mentioned this in D80344: [Windows SEH]: HARDWARE EXCEPTION HANDLING (MSVC -EHa) - Part 1.Sep 24 2020, 12:40 AM

Revision Contents

PathSize
clang/
lib/
CodeGen/
3 lines
13 lines
9 lines
test/
CodeGen/
30 lines

Diff 261275

clang/lib/CodeGen/CGCleanup.cpp

Show First 20 LinesShow All 839 Lines▼ Show 20 Lines // the cleanup block and then try to clean up after ourselves.
NormalCleanupDestSlot->user_back()->eraseFromParent(); NormalCleanupDestSlot->user_back()->eraseFromParent();
NormalCleanupDestSlot->eraseFromParent(); NormalCleanupDestSlot->eraseFromParent();
NormalCleanupDest = Address::invalid(); NormalCleanupDest = Address::invalid();
} }
llvm::BasicBlock *BranchAfter = Scope.getBranchAfterBlock(0); llvm::BasicBlock *BranchAfter = Scope.getBranchAfterBlock(0);
InstsToAppend.push_back(llvm::BranchInst::Create(BranchAfter)); InstsToAppend.push_back(llvm::BranchInst::Create(BranchAfter));
// Build a switch-out if we need it: // Build a switch-out if we need it:
rnkUnsubmitted
Not Done
ReplyInline Actions

Are we sure this is the right set of predicates? It seems like we'll get the wrong flag in cases like:

  __try {
    mayThrow();
    goto out;  // AbnormalTermination should be 1
  } __finally {
    tearDown();
  }
out:
  return 0;

I think these conditions are designed to avoid the switch when there is no normal fallthrough destination (!HasFallthrough). I see clang emits no switch for this C++ input:

$ cat t.cpp
void mayThrow();
struct Dtor {
  ~Dtor();
};
int f() {
  do {
    Dtor o;
    mayThrow();
    break;
  } while (0);
  return 0;
}

$ clang t.cpp  -S -emit-llvm -fno-exceptions -o - | grep switch
# empty
rnk: Are we sure this is the right set of predicates? It seems like we'll get the wrong flag in…
tentzenAuthorUnsubmitted
Done
ReplyInline Actions

Yes, this test passed.

store i32 3, i32* %cleanup.dest.slot, align 4
%0 = call i8* @llvm.localaddress()
%cleanup.dest = load i32, i32* %cleanup.dest.slot, align 4
%1 = icmp ne i32 %cleanup.dest, 0
%2 = zext i1 %1 to i8
call void @"?fin$0@0@Test84@@"(i8 %2, i8* %0)
%cleanup.dest1 = load i32, i32* %cleanup.dest.slot, align 4
switch i32 %cleanup.dest1, label %unreachable [
  i32 3, label %out
]
tentzen: Yes, this test passed. ``` store i32 3, i32* %cleanup.dest.slot, align 4 %0 = call i8*…
// - if there are branch-afters threaded through the scope // - if there are branch-afters threaded through the scope
// - if fall-through is a branch-after // - if fall-through is a branch-after
// - if there are fixups that have nowhere left to go and // - if there are fixups that have nowhere left to go and
// so must be immediately resolved // so must be immediately resolved
} else if (Scope.getNumBranchAfters() || } else if (Scope.getNumBranchAfters() ||
(HasFallthrough && !FallthroughIsBranchThrough) || (HasFallthrough && !FallthroughIsBranchThrough) ||
(HasFixups && !HasEnclosingCleanups)) { (HasFixups && !HasEnclosingCleanups)) {
llvm::BasicBlock *Default = llvm::BasicBlock *Default =
(BranchThroughDest ? BranchThroughDest : getUnreachableBlock()); (BranchThroughDest ? BranchThroughDest : getUnreachableBlock());
// TODO: base this on the number of branch-afters and fixups // TODO: base this on the number of branch-afters and fixups
const unsigned SwitchCapacity = 10; const unsigned SwitchCapacity = 10;
// pass the abnormal exit flag to Fn (SEH cleanup)
cleanupFlags.setHasExitSwitch();
rnkUnsubmitted
Not Done
ReplyInline Actions

This flag is set for any cleanup that needs to switch-out to multiple normal destinations. You have named this an "seh abnormal exit", an exit that is abnormal for the purposes of SEH, but I think it would be clearer to give the flag a more general name.

Based on the existing terminology, maybe (F_)HasBranchAfter would be the closest to what we are looking for?

rnk: This flag is set for any cleanup that needs to switch-out to multiple normal destinations. You…
tentzenAuthorUnsubmitted
Done
ReplyInline Actions

my original implementation in https://github.com/tentzen/llvm-project is still using (F_)HasBranchAfters. it's renamed because I'm afraid it may mis-imply it to Scope.getNumBranchAfters().

Yes, Agree, it should not be SEH specific.
how about F_HasExitSwitch?

tentzen: my original implementation in https://github.com/tentzen/llvm-project is still using…
llvm::LoadInst *Load = llvm::LoadInst *Load =
createLoadInstBefore(getNormalCleanupDestSlot(), "cleanup.dest", createLoadInstBefore(getNormalCleanupDestSlot(), "cleanup.dest",
nullptr); nullptr);
llvm::SwitchInst *Switch = llvm::SwitchInst *Switch =
llvm::SwitchInst::Create(Load, Default, SwitchCapacity); llvm::SwitchInst::Create(Load, Default, SwitchCapacity);
InstsToAppend.push_back(Load); InstsToAppend.push_back(Load);
InstsToAppend.push_back(Switch); InstsToAppend.push_back(Switch);
▲ Show 20 LinesShow All 408 LinesShow Last 20 Lines

clang/lib/CodeGen/CGException.cpp

Show First 20 LinesShow All 1,633 Lines▼ Show 20 Lines void Emit(CodeGenFunction &CGF, Flags F) override {
} else { } else {
llvm::Function *LocalAddrFn = llvm::Function *LocalAddrFn =
CGM.getIntrinsic(llvm::Intrinsic::localaddress); CGM.getIntrinsic(llvm::Intrinsic::localaddress);
FP = CGF.Builder.CreateCall(LocalAddrFn); FP = CGF.Builder.CreateCall(LocalAddrFn);
} }
llvm::Value *IsForEH = llvm::Value *IsForEH =
llvm::ConstantInt::get(CGF.ConvertType(ArgTys[0]), F.isForEHCleanup()); llvm::ConstantInt::get(CGF.ConvertType(ArgTys[0]), F.isForEHCleanup());
// Except _leave and fall-through at the end, all other exits in a _try
// (return/goto/continue/break) are considered as abnormal terminations
// since _leave/fall-through is always Indexed 0,
// just use NormalCleanupDestSlot (>= 1 for goto/return/..),
// as 1st Arg to indicate abnormal termination
if (!F.isForEHCleanup() && F.hasExitSwitch()) {
Address Addr = CGF.getNormalCleanupDestSlot();
llvm::Value *Load = CGF.Builder.CreateLoad(Addr, "cleanup.dest");
llvm::Value *Zero = llvm::Constant::getNullValue(CGM.Int32Ty);
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Is just truncating the value really correct? What's the possible range of values stored in getNormalCleanupDestSlot()?

efriedma: Is just truncating the value really correct? What's the possible range of values stored in…
tentzenAuthorUnsubmitted
Done
ReplyInline Actions

Good question!
Usually the number in NormalCleanupDestSlot is single digit (or at most double-digit) , the totoal number of Jump Destinations (return/goto/break/continue/..) in the function.
I thought about widening 1st arg from CHAR to unsigned, but dropped the idea as it seems unnecessary. Yes, someone can write a code to make more than 255 Jumps in a function, but it’s unlikely to happen in real world code. What do you think?
I can go either way..
For sure, we can add an assert to catch it.

tentzen: Good question! Usually the number in NormalCleanupDestSlot is single digit (or at most double…
IsForEH = CGF.Builder.CreateICmpNE(Load, Zero);
}
Args.add(RValue::get(IsForEH), ArgTys[0]); Args.add(RValue::get(IsForEH), ArgTys[0]);
Args.add(RValue::get(FP), ArgTys[1]); Args.add(RValue::get(FP), ArgTys[1]);
// Arrange a two-arg function info and type. // Arrange a two-arg function info and type.
const CGFunctionInfo &FnInfo = const CGFunctionInfo &FnInfo =
CGM.getTypes().arrangeBuiltinFunctionCall(Context.VoidTy, Args); CGM.getTypes().arrangeBuiltinFunctionCall(Context.VoidTy, Args);
auto Callee = CGCallee::forDirect(OutlinedFinally); auto Callee = CGCallee::forDirect(OutlinedFinally);
▲ Show 20 LinesShow All 466 LinesShow Last 20 Lines

clang/lib/CodeGen/EHScopeStack.h

Show First 20 LinesShow All 152 Lines▼ Show 20 Linespublic:
public: public:
Cleanup(const Cleanup &) = default; Cleanup(const Cleanup &) = default;
Cleanup(Cleanup &&) {} Cleanup(Cleanup &&) {}
Cleanup() = default; Cleanup() = default;
/// Generation flags. /// Generation flags.
class Flags { class Flags {
enum { enum {
F_IsForEH = 0x1, F_IsForEH = 0x1,
F_IsNormalCleanupKind = 0x2, F_IsNormalCleanupKind = 0x2,
F_IsEHCleanupKind = 0x4 F_IsEHCleanupKind = 0x4,
F_HasExitSwitch = 0x8,
efriedmaUnsubmitted
Done
ReplyInline Actions

Please add a trailing comma here.

efriedma: Please add a trailing comma here.
}; };
unsigned flags; unsigned flags;
public: public:
Flags() : flags(0) {} Flags() : flags(0) {}
/// isForEH - true if the current emission is for an EH cleanup. /// isForEH - true if the current emission is for an EH cleanup.
bool isForEHCleanup() const { return flags & F_IsForEH; } bool isForEHCleanup() const { return flags & F_IsForEH; }
bool isForNormalCleanup() const { return !isForEHCleanup(); } bool isForNormalCleanup() const { return !isForEHCleanup(); }
void setIsForEHCleanup() { flags |= F_IsForEH; } void setIsForEHCleanup() { flags |= F_IsForEH; }
bool isNormalCleanupKind() const { return flags & F_IsNormalCleanupKind; } bool isNormalCleanupKind() const { return flags & F_IsNormalCleanupKind; }
void setIsNormalCleanupKind() { flags |= F_IsNormalCleanupKind; } void setIsNormalCleanupKind() { flags |= F_IsNormalCleanupKind; }
/// isEHCleanupKind - true if the cleanup was pushed as an EH /// isEHCleanupKind - true if the cleanup was pushed as an EH
/// cleanup. /// cleanup.
bool isEHCleanupKind() const { return flags & F_IsEHCleanupKind; } bool isEHCleanupKind() const { return flags & F_IsEHCleanupKind; }
void setIsEHCleanupKind() { flags |= F_IsEHCleanupKind; } void setIsEHCleanupKind() { flags |= F_IsEHCleanupKind; }
};
bool hasExitSwitch() const { return flags & F_HasExitSwitch; }
rnkUnsubmitted
Not Done
ReplyInline Actions

Please add a comment describing the accessor.

rnk: Please add a comment describing the accessor.
void setHasExitSwitch() { flags |= F_HasExitSwitch; }
};
/// Emit the cleanup. For normal cleanups, this is run in the /// Emit the cleanup. For normal cleanups, this is run in the
/// same EH context as when the cleanup was pushed, i.e. the /// same EH context as when the cleanup was pushed, i.e. the
/// immediately-enclosing context of the cleanup scope. For /// immediately-enclosing context of the cleanup scope. For
/// EH cleanups, this is run in a terminate context. /// EH cleanups, this is run in a terminate context.
/// ///
// \param flags cleanup kind. // \param flags cleanup kind.
virtual void Emit(CodeGenFunction &CGF, Flags flags) = 0; virtual void Emit(CodeGenFunction &CGF, Flags flags) = 0;
▲ Show 20 LinesShow All 229 LinesShow Last 20 Lines

clang/test/CodeGen/windows-seh-abnormal-exits.c

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-windows -fms-extensions -Wno-implicit-function-declaration -S -emit-llvm %s -o - | FileCheck %s
// CHECK: %[[src:[0-9-]+]] = call i8* @llvm.localaddress()
// CHECK-NEXT: %cleanup.dest = load i32, i32* %cleanup.dest.slot, align 4
// CHECK-NEXT: %[[src2:[0-9-]+]] = icmp ne i32 %cleanup.dest, 0
// CHECK-NEXT: %[[src3:[0-9-]+]] = zext i1 %[[src2]] to i8
// CHECK-NEXT: call void @"?fin$0@0@seh_abnormal_exits@@"(i8 %[[src3]], i8* %[[src]])
void seh_abnormal_exits(int *Counter) {
for (int i = 0; i < 5; i++) {
__try {
if (i == 0)
continue; // abnormal termination
else if (i == 1)
goto t10; // abnormal termination
else if (i == 2)
__leave; // normal execution
else if (i == 4)
return; // abnormal termination
}
__finally {
if (AbnormalTermination()) {
*Counter += 1;
}
}
t10:;
}
return; // *Counter == 3
}