This is an archive of the discontinued LLVM Phabricator instance.

Differential D102015

[clang CodeGen] Don't crash on large atomic function parameter.
ClosedPublic

Authored by efriedma on May 6 2021, 12:38 PM.

Details

Reviewers
rsmith
ahatanak
rjmccall
Commits
rG698568b74c93: [clang CodeGen] Don't crash on large atomic function parameter.
Summary

I wouldn't recommend writing code like the testcase; a function parameter isn't atomic, so using an atomic type doesn't really make sense. But it's valid, so clang shouldn't crash on it.

The code was assuming hasAggregateEvaluationKind(Ty) implies Ty is a RecordType, which isn't true. Looking at the code, I think the only other possibility for a parameter is an atomic type, though. Atomic types are always trivially destructible, I think.

Diff Detail

Event Timeline

efriedma created this revision.May 6 2021, 12:38 PM
Herald added a subscriber: jfb. · View Herald TranscriptMay 6 2021, 12:38 PM
efriedma requested review of this revision.May 6 2021, 12:38 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 6 2021, 12:38 PM
Harbormaster completed remote builds in B103046: Diff 343477.May 6 2021, 1:14 PM
rjmccall added a comment.May 6 2021, 9:19 PM

Objective-C object types also have aggregate evaluation kind. Those can only be used as value types in an old, fragile ObjC ABI, but I believe we haven't yet formally decided to remove support for that. Fortunately, however, there's a much better simplification available: this hasAggregateEvaluationKind(Ty) call is literally doing nothing that couldn't just be a getAs<RecordType>() call, and then we don't need to worry about it.

...I'm confused about why this code is doing what it's doing with cleanups, though. Why does it only apply when the parameter is indirect? I believe isParamDestroyedInCallee() can apply to types that are passed in other ways, so where we pushing the destructor for those, and why isn't it good enough to handle this case as well?

efriedma added a comment.May 10 2021, 11:09 AM
In D102015#2743634, @rjmccall wrote:

Objective-C object types also have aggregate evaluation kind. Those can only be used as value types in an old, fragile ObjC ABI, but I believe we haven't yet formally decided to remove support for that. Fortunately, however, there's a much better simplification available: this hasAggregateEvaluationKind(Ty) call is literally doing nothing that couldn't just be a getAs<RecordType>() call, and then we don't need to worry about it.

If you're confident that only RecordTypes need to be destroyed, sure.

Did some grepping, and there's some other places using isParamDestroyedInCallee(); I'll make sure they're also okay.

...I'm confused about why this code is doing what it's doing with cleanups, though. Why does it only apply when the parameter is indirect? I believe isParamDestroyedInCallee() can apply to types that are passed in other ways, so where we pushing the destructor for those, and why isn't it good enough to handle this case as well?

Objects with a non-trivial destructor end up indirect anyway under the normal ABI rules. Not sure how it interacts with trivial_abi; I'll look into it.

efriedma added a comment.May 10 2021, 12:21 PM
In D102015#2748441, @efriedma wrote:

...I'm confused about why this code is doing what it's doing with cleanups, though. Why does it only apply when the parameter is indirect? I believe isParamDestroyedInCallee() can apply to types that are passed in other ways, so where we pushing the destructor for those, and why isn't it good enough to handle this case as well?

Objects with a non-trivial destructor end up indirect anyway under the normal ABI rules. Not sure how it interacts with trivial_abi; I'll look into it.

Figured it out. "isIndirect()" here doesn't mean the same thing that it means in ABIArgInfo. If hasScalarEvaluationKind(Ty) is false, the caller ensures the value is "isIndirect()", i.e. on the stack. It doesn't matter if the value was actually passed in registers.

It's not immediately obvious to me why the responsibility for creating stack temporaries was split this way, but it's not really relevant to this patch.

efriedma updated this revision to Diff 344193.May 10 2021, 1:58 PM

Use isRecordType() instead of checking for an atomic type. Fix the caller side as well.

Harbormaster completed remote builds in B103584: Diff 344193.May 10 2021, 2:33 PM
ahatanak added a comment.May 10 2021, 3:16 PM

C structs with ObjC pointer fields under ARC are non-trivial to destruct too.

struct foo {
  int big[128];
  id a;
};

void test_atomic_array_param(_Atomic(struct foo) a) {
}
ahatanak added a comment.May 10 2021, 3:30 PM

Using _Atomic for C structs with non-trivially destructible fields currently doesn't work, so maybe that should just be disallowed.

efriedma added a comment.May 10 2021, 3:37 PM

Using _Atomic for C structs with non-trivially destructible fields currently doesn't work, so maybe that should just be disallowed.

I'd prefer to disallow _Atomic on all types that aren't trivially destructible, yes. Not impossible to support, of course, but I don't really see the value.

rjmccall added a comment.May 10 2021, 10:49 PM
In D102015#2748441, @efriedma wrote:
In D102015#2743634, @rjmccall wrote:

Objective-C object types also have aggregate evaluation kind. Those can only be used as value types in an old, fragile ObjC ABI, but I believe we haven't yet formally decided to remove support for that. Fortunately, however, there's a much better simplification available: this hasAggregateEvaluationKind(Ty) call is literally doing nothing that couldn't just be a getAs<RecordType>() call, and then we don't need to worry about it.

If you're confident that only RecordTypes need to be destroyed, sure.

Well, they're the only thing for which isParamDestroyedInCallee() is defined. If we generalize that in the future, I think the code in your patch will be obvious enough how to modify.

In D102015#2748595, @efriedma wrote:
In D102015#2748441, @efriedma wrote:

...I'm confused about why this code is doing what it's doing with cleanups, though. Why does it only apply when the parameter is indirect? I believe isParamDestroyedInCallee() can apply to types that are passed in other ways, so where we pushing the destructor for those, and why isn't it good enough to handle this case as well?

Objects with a non-trivial destructor end up indirect anyway under the normal ABI rules. Not sure how it interacts with trivial_abi; I'll look into it.

Figured it out. "isIndirect()" here doesn't mean the same thing that it means in ABIArgInfo. If hasScalarEvaluationKind(Ty) is false, the caller ensures the value is "isIndirect()", i.e. on the stack. It doesn't matter if the value was actually passed in registers.

Ugh. Well, that's not great, but yeah, I agree we don't need to mess with that right now. Thanks for checking it out.

In D102015#2749212, @efriedma wrote:

Using _Atomic for C structs with non-trivially destructible fields currently doesn't work, so maybe that should just be disallowed.

I'd prefer to disallow _Atomic on all types that aren't trivially destructible, yes. Not impossible to support, of course, but I don't really see the value.

I agree that disallowing this is the right way to go. There are non-trivial C structs that can support atomic operations easily enough, but the ones with ARC strong references specifically aren't among them.

I guess your test case is testing both the parameter and argument code. The delegate-arg code should be testable with an override thunk with a big atomic parameter, right?

efriedma updated this revision to Diff 345543.May 14 2021, 1:33 PM

Figured out a way to test the EmitDelegateCallArg codepath. (A thunk doesn't work because the code is guarded by !CurFuncIsThunk.)

Harbormaster completed remote builds in B104583: Diff 345543.May 14 2021, 2:40 PM
rjmccall accepted this revision.May 14 2021, 2:59 PM

Thanks, LGTM

This revision is now accepted and ready to land.May 14 2021, 2:59 PM
Closed by commit rG698568b74c93: [clang CodeGen] Don't crash on large atomic function parameter. (authored by efriedma). · Explain WhyMay 17 2021, 1:18 PM
This revision was automatically updated to reflect the committed changes.
efriedma added a commit: rG698568b74c93: [clang CodeGen] Don't crash on large atomic function parameter..

Revision Contents

PathSize
clang/
lib/
CodeGen/
4 lines
2 lines
test/
CodeGen/
6 lines
CodeGenCXX/
10 lines

Diff 345984

clang/lib/CodeGen/CGCall.cpp

Show First 20 LinesShow All 3,706 Lines▼ Show 20 Linesvoid CodeGenFunction::EmitDelegateCallArg(CallArgList &args,
// For the most part, we just need to load the alloca, except that // For the most part, we just need to load the alloca, except that
// aggregate r-values are actually pointers to temporaries. // aggregate r-values are actually pointers to temporaries.
} else { } else {
args.add(convertTempToRValue(local, type, loc), type); args.add(convertTempToRValue(local, type, loc), type);
} }
// Deactivate the cleanup for the callee-destructed param that was pushed. // Deactivate the cleanup for the callee-destructed param that was pushed.
if (hasAggregateEvaluationKind(type) && !CurFuncIsThunk && if (type->isRecordType() && !CurFuncIsThunk &&
type->castAs<RecordType>()->getDecl()->isParamDestroyedInCallee() && type->castAs<RecordType>()->getDecl()->isParamDestroyedInCallee() &&
param->needsDestruction(getContext())) { param->needsDestruction(getContext())) {
EHScopeStack::stable_iterator cleanup = EHScopeStack::stable_iterator cleanup =
CalleeDestructedParamCleanups.lookup(cast<ParmVarDecl>(param)); CalleeDestructedParamCleanups.lookup(cast<ParmVarDecl>(param));
assert(cleanup.isValid() && assert(cleanup.isValid() &&
"cleanup for callee-destructed param not recorded"); "cleanup for callee-destructed param not recorded");
// This unreachable is a temporary marker which will be removed later. // This unreachable is a temporary marker which will be removed later.
llvm::Instruction *isActive = Builder.CreateUnreachable(); llvm::Instruction *isActive = Builder.CreateUnreachable();
▲ Show 20 LinesShow All 554 Lines▼ Show 20 Lines if (E->isGLValue()) {
return args.add(EmitReferenceBindingToExpr(E), type); return args.add(EmitReferenceBindingToExpr(E), type);
} }
bool HasAggregateEvalKind = hasAggregateEvaluationKind(type); bool HasAggregateEvalKind = hasAggregateEvaluationKind(type);
// In the Microsoft C++ ABI, aggregate arguments are destructed by the callee. // In the Microsoft C++ ABI, aggregate arguments are destructed by the callee.
// However, we still have to push an EH-only cleanup in case we unwind before // However, we still have to push an EH-only cleanup in case we unwind before
// we make it to the call. // we make it to the call.
if (HasAggregateEvalKind && if (type->isRecordType() &&
type->castAs<RecordType>()->getDecl()->isParamDestroyedInCallee()) { type->castAs<RecordType>()->getDecl()->isParamDestroyedInCallee()) {
// If we're using inalloca, use the argument memory. Otherwise, use a // If we're using inalloca, use the argument memory. Otherwise, use a
// temporary. // temporary.
AggValueSlot Slot; AggValueSlot Slot;
if (args.isUsingInAlloca()) if (args.isUsingInAlloca())
Slot = createPlaceholderSlot(*this, type); Slot = createPlaceholderSlot(*this, type);
else else
Slot = CreateAggTemp(type, "agg.tmp"); Slot = CreateAggTemp(type, "agg.tmp");
▲ Show 20 LinesShow All 1,222 LinesShow Last 20 Lines

clang/lib/CodeGen/CGDecl.cpp

Show First 20 LinesShow All 2,467 Lines▼ Show 20 Lines if (SrcLangAS != DestLangAS) {
DeclPtr = Address(getTargetHooks().performAddrSpaceCast( DeclPtr = Address(getTargetHooks().performAddrSpaceCast(
*this, V, SrcLangAS, DestLangAS, T, true), *this, V, SrcLangAS, DestLangAS, T, true),
DeclPtr.getAlignment()); DeclPtr.getAlignment());
} }
// Push a destructor cleanup for this parameter if the ABI requires it. // Push a destructor cleanup for this parameter if the ABI requires it.
// Don't push a cleanup in a thunk for a method that will also emit a // Don't push a cleanup in a thunk for a method that will also emit a
// cleanup. // cleanup.
if (hasAggregateEvaluationKind(Ty) && !CurFuncIsThunk && if (Ty->isRecordType() && !CurFuncIsThunk &&
Ty->castAs<RecordType>()->getDecl()->isParamDestroyedInCallee()) { Ty->castAs<RecordType>()->getDecl()->isParamDestroyedInCallee()) {
if (QualType::DestructionKind DtorKind = if (QualType::DestructionKind DtorKind =
D.needsDestruction(getContext())) { D.needsDestruction(getContext())) {
assert((DtorKind == QualType::DK_cxx_destructor || assert((DtorKind == QualType::DK_cxx_destructor ||
DtorKind == QualType::DK_nontrivial_c_struct) && DtorKind == QualType::DK_nontrivial_c_struct) &&
"unexpected destructor type"); "unexpected destructor type");
pushDestroy(DtorKind, DeclPtr, Ty); pushDestroy(DtorKind, DeclPtr, Ty);
CalleeDestructedParamCleanups[cast<ParmVarDecl>(&D)] = CalleeDestructedParamCleanups[cast<ParmVarDecl>(&D)] =
▲ Show 20 LinesShow All 185 LinesShow Last 20 Lines

clang/test/CodeGen/big-atomic-ops.c

Show First 20 LinesShow All 305 Lines▼ Show 20 Linesvoid atomic_init_foo()
// CHECK-NOT: atomic // CHECK-NOT: atomic
// CHECK: store // CHECK: store
__c11_atomic_init(&j, 42); __c11_atomic_init(&j, 42);
// CHECK-NOT: atomic // CHECK-NOT: atomic
// CHECK: } // CHECK: }
} }
// Check this doesn't crash
// CHECK: @test_atomic_array_param(
void test_atomic_array_param(_Atomic(struct foo) a) {
test_atomic_array_param(a);
}
#endif #endif

clang/test/CodeGenCXX/atomic.cpp

Show All 9 Linesnamespace PR11411 {
template<typename _Tp> inline void Ptr<_Tp>::f() { template<typename _Tp> inline void Ptr<_Tp>::f() {
int* _refcount; int* _refcount;
// CHECK: atomicrmw add i32* {{.*}} seq_cst, align 4 // CHECK: atomicrmw add i32* {{.*}} seq_cst, align 4
__sync_fetch_and_add(_refcount, 1); __sync_fetch_and_add(_refcount, 1);
// CHECK-NEXT: ret void // CHECK-NEXT: ret void
} }
void f(Ptr<int> *a) { a->f(); } void f(Ptr<int> *a) { a->f(); }
} }
namespace DelegatingParameter {
// Check that we're delegating the complete ctor to the base
// ctor, and that doesn't crash.
// CHECK-LABEL: define void @_ZN19DelegatingParameter1SC1EU7_AtomicNS_1ZE
// CHECK: call void @_ZN19DelegatingParameter1SC2EU7_AtomicNS_1ZE
struct Z { int z[100]; };
struct S { S(_Atomic Z); };
S::S(_Atomic Z) {}
}