This is an archive of the discontinued LLVM Phabricator instance.

Differential D78850

Memory corruption issure for DenseStringElementsAttr
ClosedPublic

Authored by rsuderman on Apr 24 2020, 7:42 PM.

Details

Reviewers
rriddle
Commits
rG72af0bf17609: Memory corruption issure for DenseStringElementsAttr
Summary

There was a memory corruption issue where the lifespan of the ArrayRef<StringRef> would fail. Directly passing the data will avoid the issue.

Diff Detail

Event Timeline

rsuderman created this revision.Apr 24 2020, 7:42 PM
Herald added 1 blocking reviewer(s): rriddle. · View Herald TranscriptApr 24 2020, 7:42 PM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: llvm-commits, Kayjukh, frgossen and 11 others. · View Herald Transcript
rriddle accepted this revision.Apr 24 2020, 8:00 PM
This revision is now accepted and ready to land.Apr 24 2020, 8:00 PM
Harbormaster completed remote builds in B54662: Diff 260055.Apr 24 2020, 8:34 PM
Closed by commit rG72af0bf17609: Memory corruption issure for DenseStringElementsAttr (authored by rsuderman, committed by rriddle). · Explain WhyApr 25 2020, 1:33 AM
This revision was automatically updated to reflect the committed changes.
mehdi_amini added inline comments.Apr 25 2020, 9:31 PM
mlir/lib/IR/AttributeDetail.h
614

I don't understand the fix, can you elaborate? Seems like the ArrayRef is passed by value to the KeyTy so I don't get the lifetime issue?

mehdi_amini added inline comments.Apr 25 2020, 9:39 PM
mlir/lib/IR/AttributeDetail.h
614

We were creating an ArrayRef pointing to the local variable firstElt before, but since it is a reference it should be fine. So there is likely a copy of the StringRef in the implicit conversion to ArrayRef.

The change here is making us taking the hash of the entire array instead of the first element, I don't think this is necessary, something like this should work as well:

return KeyTy(ty, ArrayRef<StringRef>{&firstElt, 1}, hashVal, /*isSplat=*/true);
mehdi_amini added inline comments.Apr 26 2020, 12:26 PM
mlir/lib/IR/AttributeDetail.h
614

Actually nicer and equivalent I think:

return KeyTy(ty, data.take_front(), hashVal, /*isSplat=*/true);

Revision Contents

PathSize
mlir/
lib/
IR/
4 lines

Diff 260074

mlir/lib/IR/AttributeDetail.h

Show First 20 LinesShow All 604 Lines▼ Show 20 Lines static KeyTy getKey(ShapedType ty, ArrayRef<StringRef> data,
auto hashVal = llvm::hash_value(firstElt); auto hashVal = llvm::hash_value(firstElt);
// Check to see if this storage represents a splat. If it doesn't then // Check to see if this storage represents a splat. If it doesn't then
// combine the hash for the data starting with the first non splat element. // combine the hash for the data starting with the first non splat element.
for (size_t i = 1, e = data.size(); i != e; i++) for (size_t i = 1, e = data.size(); i != e; i++)
if (!firstElt.equals(data[i])) if (!firstElt.equals(data[i]))
return KeyTy(ty, data, llvm::hash_combine(hashVal, data.drop_front(i))); return KeyTy(ty, data, llvm::hash_combine(hashVal, data.drop_front(i)));
// Otherwise, this is a splat so just return the hash of the first element. // Otherwise, this is a splat.
return KeyTy(ty, {firstElt}, hashVal, /*isSplat=*/true); return KeyTy(ty, data, hashVal, /*isSplat=*/true);
mehdi_aminiUnsubmitted
Not Done
ReplyInline Actions

I don't understand the fix, can you elaborate? Seems like the ArrayRef is passed by value to the KeyTy so I don't get the lifetime issue?

mehdi_amini: I don't understand the fix, can you elaborate? Seems like the ArrayRef is passed by value to…
mehdi_aminiUnsubmitted
Not Done
ReplyInline Actions

We were creating an ArrayRef pointing to the local variable firstElt before, but since it is a reference it should be fine. So there is likely a copy of the StringRef in the implicit conversion to ArrayRef.

The change here is making us taking the hash of the entire array instead of the first element, I don't think this is necessary, something like this should work as well:

return KeyTy(ty, ArrayRef<StringRef>{&firstElt, 1}, hashVal, /*isSplat=*/true);
mehdi_amini: We were creating an ArrayRef pointing to the local variable firstElt before, but since it is a…
mehdi_aminiUnsubmitted
Not Done
ReplyInline Actions

Actually nicer and equivalent I think:

return KeyTy(ty, data.take_front(), hashVal, /*isSplat=*/true);
mehdi_amini: Actually nicer and equivalent I think: ``` return KeyTy(ty, data.take_front(), hashVal…
} }
/// Hash the key for the storage. /// Hash the key for the storage.
static llvm::hash_code hashKey(const KeyTy &key) { static llvm::hash_code hashKey(const KeyTy &key) {
return llvm::hash_combine(key.type, key.hashCode); return llvm::hash_combine(key.type, key.hashCode);
} }
/// Construct a new storage instance. /// Construct a new storage instance.
▲ Show 20 LinesShow All 106 LinesShow Last 20 Lines