This is an archive of the discontinued LLVM Phabricator instance.

Differential D100779

free(nullptr) does not violate the nofree specification
ClosedPublic

Authored by reames on Apr 19 2021, 11:24 AM.

Details

Reviewers
nlopes
jdoerfert
nhaehnle
bollu
Commits
rG3b1474cab26b: free(nullptr) does not violate the nofree specification
Summary

This fixes a subtle and nasty bug in my 86664638. The problem is that free(nullptr) is well defined (and common).

The specification for the nofree attributes talks about memory objects, and doesn't explicitly address null, but I think it's reasonable to assume that nofree doesn't disallow a call to free(nullptr). If it did, we'd have to prove nonnull on an argument to ever infer nofree which doesn't seem to be the intent.

This was found by Nuno and Alive2 over in https://reviews.llvm.org/D100141#2697374. Once I saw the test case (and explanation Nuno provided), I also suspect this is the root cause of https://github.com/emscripten-core/emscripten/issues/9443 as well. (Though that had at least two root issues, so there might be more as well.)

Diff Detail

Event Timeline

reames created this revision.Apr 19 2021, 11:24 AM
Herald added a reviewer: bollu. · View Herald TranscriptApr 19 2021, 11:24 AM
Herald added subscribers: hiraditya, mcrosier. · View Herald Transcript
reames requested review of this revision.Apr 19 2021, 11:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 19 2021, 11:24 AM
reames mentioned this in D100141: [nofree] Restrict semantics to memory visible to caller.Apr 19 2021, 11:28 AM
reames mentioned this in D96349: [instcombine] Exploit UB implied by nofree attributes.
Harbormaster completed remote builds in B99522: Diff 338571.Apr 19 2021, 12:53 PM
jdoerfert accepted this revision.Apr 19 2021, 4:43 PM

LGTM

This revision is now accepted and ready to land.Apr 19 2021, 4:43 PM
This revision was landed with ongoing or failed builds.Apr 20 2021, 9:08 AM
Closed by commit rG3b1474cab26b: free(nullptr) does not violate the nofree specification (authored by reames). · Explain Why
This revision was automatically updated to reflect the committed changes.
reames added a commit: rG3b1474cab26b: free(nullptr) does not violate the nofree specification.

Revision Contents

PathSize
llvm/
lib/
Transforms/
InstCombine/
11 lines
test/
Transforms/
InstCombine/
25 lines

Diff 338890

llvm/lib/Transforms/InstCombine/InstructionCombining.cpp

Show First 20 LinesShow All 2,793 Lines▼ Show 20 Lines if (isa<UndefValue>(Op)) {
return eraseInstFromFunction(FI); return eraseInstFromFunction(FI);
} }
// If we have 'free null' delete the instruction. This can happen in stl code // If we have 'free null' delete the instruction. This can happen in stl code
// when lots of inlining happens. // when lots of inlining happens.
if (isa<ConstantPointerNull>(Op)) if (isa<ConstantPointerNull>(Op))
return eraseInstFromFunction(FI); return eraseInstFromFunction(FI);
// If we free a pointer we've been explicitly told won't be freed, this
// would be full UB and thus we can conclude this is unreachable. Cases: // If we free a non-null pointer we've been explicitly told won't be freed,
// this would be full UB and thus we can conclude that the argument must
// be null at the point of the free. Cases:
// 1) freeing a pointer which is explicitly nofree // 1) freeing a pointer which is explicitly nofree
// 2) calling free from a call site marked nofree (TODO: can generalize // 2) calling free from a call site marked nofree (TODO: can generalize
// for non-arguments) // for non-arguments)
// 3) calling free in a function scope marked nofree (when we can prove // 3) calling free in a function scope marked nofree (when we can prove
// the allocation existed before the start of the function scope) // the allocation existed before the start of the function scope)
if (auto *A = dyn_cast<Argument>(Op->stripPointerCasts())) if (auto *A = dyn_cast<Argument>(Op->stripPointerCasts()))
if (A->hasAttribute(Attribute::NoFree) || if (A->hasAttribute(Attribute::NoFree) ||
FI.hasFnAttr(Attribute::NoFree) || FI.hasFnAttr(Attribute::NoFree) ||
FI.getFunction()->hasFnAttribute(Attribute::NoFree)) { FI.getFunction()->hasFnAttribute(Attribute::NoFree)) {
// Leave a marker since we can't modify the CFG here. Value *Null = ConstantPointerNull::get(cast<PointerType>(A->getType()));
CreateNonTerminatorUnreachable(&FI); Value *Cond = Builder.CreateICmpEQ(A, Null);
Builder.CreateAssumption(Cond);
return eraseInstFromFunction(FI); return eraseInstFromFunction(FI);
} }
// If we optimize for code size, try to move the call to free before the null // If we optimize for code size, try to move the call to free before the null
// test so that simplify cfg can remove the empty block and dead code // test so that simplify cfg can remove the empty block and dead code
// elimination the branch. I.e., helps to turn something like: // elimination the branch. I.e., helps to turn something like:
// if (foo) free(foo); // if (foo) free(foo);
// into // into
▲ Show 20 LinesShow All 1,335 LinesShow Last 20 Lines

llvm/test/Transforms/InstCombine/malloc-free-delete.ll

Show First 20 LinesShow All 385 Lines▼ Show 20 Linesif.then: ; preds = %entry
%bitcast = bitcast i32* %foo to i8* %bitcast = bitcast i32* %foo to i8*
tail call void @free(i8* %bitcast) tail call void @free(i8* %bitcast)
br label %if.end br label %if.end
if.end: ; preds = %entry, %if.then if.end: ; preds = %entry, %if.then
ret void ret void
} }
; Freeing a no-free pointer -> full UB ; Freeing a no-free pointer -> %foo must be null
define void @test13(i8* nofree %foo) { define void @test13(i8* nofree %foo) {
; CHECK-LABEL: @test13( ; CHECK-LABEL: @test13(
; CHECK-NEXT: store i1 true, i1* undef, align 1 ; CHECK-NEXT: [[TMP1:%.*]] = icmp eq i8* [[FOO:%.*]], null
; CHECK-NEXT: call void @llvm.assume(i1 [[TMP1]])
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
call void @free(i8* %foo) call void @free(i8* %foo)
ret void ret void
} }
; Freeing a no-free pointer -> full UB ; Freeing a no-free pointer -> %foo must be null
define void @test14(i8* %foo) nofree { define void @test14(i8* %foo) nofree {
; CHECK-LABEL: @test14( ; CHECK-LABEL: @test14(
; CHECK-NEXT: store i1 true, i1* undef, align 1 ; CHECK-NEXT: [[TMP1:%.*]] = icmp eq i8* [[FOO:%.*]], null
; CHECK-NEXT: call void @llvm.assume(i1 [[TMP1]])
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
call void @free(i8* %foo) call void @free(i8* %foo)
ret void ret void
} }
; free call marked no-free -> full UB ; free call marked no-free -> %foo must be null
define void @test15(i8* %foo) { define void @test15(i8* %foo) {
; CHECK-LABEL: @test15( ; CHECK-LABEL: @test15(
; CHECK-NEXT: store i1 true, i1* undef, align 1 ; CHECK-NEXT: [[TMP1:%.*]] = icmp eq i8* [[FOO:%.*]], null
; CHECK-NEXT: call void @llvm.assume(i1 [[TMP1]])
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
call void @free(i8* %foo) nofree call void @free(i8* %foo) nofree
ret void ret void
} }
; freeing a nonnull nofree pointer -> full UB
define void @test16(i8* nonnull nofree %foo) {
; CHECK-LABEL: @test16(
; CHECK-NEXT: call void @llvm.assume(i1 false)
; CHECK-NEXT: ret void
;
call void @free(i8* %foo)
ret void
}