This is an archive of the discontinued LLVM Phabricator instance.

Differential D103051

[IR] Allow Value::replaceUsesWithIf() to process constants
ClosedPublic

Authored by rampitec on May 24 2021, 2:59 PM.

Details

Reviewers
lebedev.ri
arsenm
JonChesterfield
hsmhsm
Commits
rG8f681d5b272e: [IR] Allow Value::replaceUsesWithIf() to process constants
Summary

The change is currently NFC, but exploited by the depending D102954.
Code to handle constants is borrowed from the general implementation
of Value::doRAUW().

Diff Detail

Event Timeline

rampitec created this revision.May 24 2021, 2:59 PM
Herald added subscribers: dexonsmith, hiraditya. · View Herald TranscriptMay 24 2021, 2:59 PM
rampitec requested review of this revision.May 24 2021, 2:59 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 24 2021, 2:59 PM
Herald added a subscriber: wdng. · View Herald Transcript
rampitec added a child revision: D102954: [AMDGPU] Lower kernel LDS into a sorted structure.May 24 2021, 2:59 PM
rampitec mentioned this in D102954: [AMDGPU] Lower kernel LDS into a sorted structure.
Harbormaster completed remote builds in B106000: Diff 347514.May 24 2021, 3:41 PM
lebedev.ri accepted this revision.May 25 2021, 1:39 AM

lg

This revision is now accepted and ready to land.May 25 2021, 1:39 AM
Closed by commit rG8f681d5b272e: [IR] Allow Value::replaceUsesWithIf() to process constants (authored by rampitec). · Explain WhyMay 25 2021, 2:12 AM
This revision was automatically updated to reflect the committed changes.
rampitec added a commit: rG8f681d5b272e: [IR] Allow Value::replaceUsesWithIf() to process constants.
efriedma added a subscriber: efriedma.Jun 28 2021, 10:30 AM
efriedma added inline comments.
llvm/lib/IR/Value.cpp
543

I'm suspicious of the way you're iterating over the use list here; incrementing early isn't enough to avoid a use-after-free, I think. The incremented UI might refer to the same constant.

doRAUW repeatedly accesses *use_begin() to avoid issues.

rampitec added inline comments.Jun 28 2021, 12:10 PM
llvm/lib/IR/Value.cpp
543

I do not think this is currently exploitable as the only caller with constants convertConstantExprsToInstructions() guards it, but this may be true in general. Since not all uses are going to be replaced I cannot do the same thing as doRAUW. Do you think this will resolve the potential issue?

@@ -527,22 +527,26 @@ void Value::replaceNonMetadataUsesWith(Value *New) {

 void Value::replaceUsesWithIf(Value *New,
                               llvm::function_ref<bool(Use &U)> ShouldReplace) {
   assert(New && "Value::replaceUsesWithIf(<null>) is invalid!");
   assert(New->getType() == getType() &&
          "replaceUses of value with new value of different type!");

+  SmallPtrSet<Constant *, 8> Visited;
   for (use_iterator UI = use_begin(), E = use_end(); UI != E;) {
     Use &U = *UI;
     ++UI;
+    auto *C = dyn_cast<Constant>(U.getUser());
+    if (C && !Visited.insert(C).second)
+      continue;
     if (!ShouldReplace(U))
       continue;
     // Must handle Constants specially, we cannot call replaceUsesOfWith on a
     // constant because they are uniqued.
-    if (auto *C = dyn_cast<Constant>(U.getUser())) {
+    if (C) {
       if (!isa<GlobalValue>(C)) {
         C->handleOperandChange(this, New);
         continue;
       }
     }
     U.set(New);
   }
efriedma added inline comments.Jun 28 2021, 1:10 PM
llvm/lib/IR/Value.cpp
543

I don't think that's quite right. The problem is ensuring that UI points to something valid when we execute the ++UI. Adding a "continue" after that doesn't really help.

The most straightforward solution I can think of is to dodge the issue by not calling handleOperandChange with an active use_iterator. Instead, we collect all the constant users into a vector of TrackingVH, then iterate over that.

Also, minor related issue: handleOperandChange updates all the uses in a given Constant, not just the one passed to ShouldReplace.

rampitec marked an inline comment as done.Jun 28 2021, 1:50 PM
rampitec added inline comments.
llvm/lib/IR/Value.cpp
543

Thanks! A good idea, here is the patch: D105061
For the handleOperandChange() I have left a FIXME for now in the same review. This is a very good point, although not essential for the current use.

Revision Contents

PathSize
llvm/
include/
llvm/
IR/
18 lines
lib/
IR/
23 lines

Diff 347611

llvm/include/llvm/IR/Value.h

Show First 20 LinesShow All 305 Lines▼ Show 20 Lines#endif
/// ///
/// Go through the uses list for this definition and make each use point to /// Go through the uses list for this definition and make each use point to
/// "V" instead of "this". This function skips metadata entries in the list. /// "V" instead of "this". This function skips metadata entries in the list.
void replaceNonMetadataUsesWith(Value *V); void replaceNonMetadataUsesWith(Value *V);
/// Go through the uses list for this definition and make each use point /// Go through the uses list for this definition and make each use point
/// to "V" if the callback ShouldReplace returns true for the given Use. /// to "V" if the callback ShouldReplace returns true for the given Use.
/// Unlike replaceAllUsesWith() this function does not support basic block /// Unlike replaceAllUsesWith() this function does not support basic block
/// values or constant users. /// values.
void replaceUsesWithIf(Value *New, void replaceUsesWithIf(Value *New,
llvm::function_ref<bool(Use &U)> ShouldReplace) { llvm::function_ref<bool(Use &U)> ShouldReplace);
assert(New && "Value::replaceUsesWithIf(<null>) is invalid!");
assert(New->getType() == getType() &&
"replaceUses of value with new value of different type!");
for (use_iterator UI = use_begin(), E = use_end(); UI != E;) {
Use &U = *UI;
++UI;
if (!ShouldReplace(U))
continue;
U.set(New);
}
}
/// replaceUsesOutsideBlock - Go through the uses list for this definition and /// replaceUsesOutsideBlock - Go through the uses list for this definition and
/// make each use point to "V" instead of "this" when the use is outside the /// make each use point to "V" instead of "this" when the use is outside the
/// block. 'This's use list is expected to have at least one element. /// block. 'This's use list is expected to have at least one element.
/// Unlike replaceAllUsesWith() this function does not support basic block /// Unlike replaceAllUsesWith() this function does not support basic block
/// values or constant users. /// values.
void replaceUsesOutsideBlock(Value *V, BasicBlock *BB); void replaceUsesOutsideBlock(Value *V, BasicBlock *BB);
//---------------------------------------------------------------------- //----------------------------------------------------------------------
// Methods for handling the chain of uses of this Value. // Methods for handling the chain of uses of this Value.
// //
// Materializing a function can introduce new uses, so these methods come in // Materializing a function can introduce new uses, so these methods come in
// two variants: // two variants:
// The methods that start with materialized_ check the uses that are // The methods that start with materialized_ check the uses that are
▲ Show 20 LinesShow All 727 LinesShow Last 20 Lines

llvm/lib/IR/Value.cpp

Show First 20 LinesShow All 526 Lines▼ Show 20 Lines
void Value::replaceAllUsesWith(Value *New) { void Value::replaceAllUsesWith(Value *New) {
doRAUW(New, ReplaceMetadataUses::Yes); doRAUW(New, ReplaceMetadataUses::Yes);
} }
void Value::replaceNonMetadataUsesWith(Value *New) { void Value::replaceNonMetadataUsesWith(Value *New) {
doRAUW(New, ReplaceMetadataUses::No); doRAUW(New, ReplaceMetadataUses::No);
} }
void Value::replaceUsesWithIf(Value *New,
llvm::function_ref<bool(Use &U)> ShouldReplace) {
assert(New && "Value::replaceUsesWithIf(<null>) is invalid!");
assert(New->getType() == getType() &&
"replaceUses of value with new value of different type!");
for (use_iterator UI = use_begin(), E = use_end(); UI != E;) {
Use &U = *UI;
++UI;
efriedmaUnsubmitted
Done
ReplyInline Actions

I'm suspicious of the way you're iterating over the use list here; incrementing early isn't enough to avoid a use-after-free, I think. The incremented UI might refer to the same constant.

doRAUW repeatedly accesses *use_begin() to avoid issues.

efriedma: I'm suspicious of the way you're iterating over the use list here; incrementing early isn't…
rampitecAuthorUnsubmitted
Done
ReplyInline Actions

I do not think this is currently exploitable as the only caller with constants convertConstantExprsToInstructions() guards it, but this may be true in general. Since not all uses are going to be replaced I cannot do the same thing as doRAUW. Do you think this will resolve the potential issue?

@@ -527,22 +527,26 @@ void Value::replaceNonMetadataUsesWith(Value *New) {

 void Value::replaceUsesWithIf(Value *New,
                               llvm::function_ref<bool(Use &U)> ShouldReplace) {
   assert(New && "Value::replaceUsesWithIf(<null>) is invalid!");
   assert(New->getType() == getType() &&
          "replaceUses of value with new value of different type!");

+  SmallPtrSet<Constant *, 8> Visited;
   for (use_iterator UI = use_begin(), E = use_end(); UI != E;) {
     Use &U = *UI;
     ++UI;
+    auto *C = dyn_cast<Constant>(U.getUser());
+    if (C && !Visited.insert(C).second)
+      continue;
     if (!ShouldReplace(U))
       continue;
     // Must handle Constants specially, we cannot call replaceUsesOfWith on a
     // constant because they are uniqued.
-    if (auto *C = dyn_cast<Constant>(U.getUser())) {
+    if (C) {
       if (!isa<GlobalValue>(C)) {
         C->handleOperandChange(this, New);
         continue;
       }
     }
     U.set(New);
   }
rampitec: I do not think this is currently exploitable as the only caller with constants…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I don't think that's quite right. The problem is ensuring that UI points to something valid when we execute the ++UI. Adding a "continue" after that doesn't really help.

The most straightforward solution I can think of is to dodge the issue by not calling handleOperandChange with an active use_iterator. Instead, we collect all the constant users into a vector of TrackingVH, then iterate over that.

Also, minor related issue: handleOperandChange updates all the uses in a given Constant, not just the one passed to ShouldReplace.

efriedma: I don't think that's quite right. The problem is ensuring that UI points to something valid…
rampitecAuthorUnsubmitted
Done
ReplyInline Actions

Thanks! A good idea, here is the patch: D105061
For the handleOperandChange() I have left a FIXME for now in the same review. This is a very good point, although not essential for the current use.

rampitec: Thanks! A good idea, here is the patch: D105061 For the handleOperandChange() I have left a…
if (!ShouldReplace(U))
continue;
// Must handle Constants specially, we cannot call replaceUsesOfWith on a
// constant because they are uniqued.
if (auto *C = dyn_cast<Constant>(U.getUser())) {
if (!isa<GlobalValue>(C)) {
C->handleOperandChange(this, New);
continue;
}
}
U.set(New);
}
}
/// Replace llvm.dbg.* uses of MetadataAsValue(ValueAsMetadata(V)) outside BB /// Replace llvm.dbg.* uses of MetadataAsValue(ValueAsMetadata(V)) outside BB
/// with New. /// with New.
static void replaceDbgUsesOutsideBlock(Value *V, Value *New, BasicBlock *BB) { static void replaceDbgUsesOutsideBlock(Value *V, Value *New, BasicBlock *BB) {
SmallVector<DbgVariableIntrinsic *> DbgUsers; SmallVector<DbgVariableIntrinsic *> DbgUsers;
findDbgUsers(DbgUsers, V); findDbgUsers(DbgUsers, V);
for (auto *DVI : DbgUsers) { for (auto *DVI : DbgUsers) {
if (DVI->getParent() != BB) if (DVI->getParent() != BB)
DVI->replaceVariableLocationOp(V, New); DVI->replaceVariableLocationOp(V, New);
▲ Show 20 LinesShow All 668 LinesShow Last 20 Lines