This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
lib/Target/WebAssembly/
-
Target/
-
WebAssembly/
-
WebAssemblyLowerEmscriptenEHSjLj.cpp
-
test/CodeGen/WebAssembly/
-
CodeGen/
-
WebAssembly/
-
lower-em-ehsjlj.ll
-
lower-em-sjlj.ll

Differential D107852

[WebAssembly] Fix leak in Emscripten SjLj
ClosedPublic

Authored by aheejin on Aug 10 2021, 11:50 AM.

Download Raw Diff

Details

Reviewers

dschuff
tlively

Commits

rGadb96d2e76ce: [WebAssembly] Fix leak in Emscripten SjLj

Summary

For SjLj, we allocate a table to record setjmp buffer info in the entry
of each setjmp-calling function by inserting a malloc call, and
insert a free call to free the buffer before each ret instruction.

But this is not sufficient; we have to free the buffer before we throw.
In SjLj handling, normal functions that can possibly throw or longjmp
are wrapped with an invoke and caught within the function so they don't
end up escaping the function. But three functions throw and escape the
function:

__resumeException (Emscripten library function used for Emscripten EH)
emscripten_longjmp (Emscripten library function used for Emscripten SjLj)
__cxa_throw (libc++abi function called when for C++ throw keyword)

The first two functions are used to rethrow the current
exception/longjmp when the caught exception/longjmp is not for the
current function. __cxa_throw is used for exception, and because we
consider that a function that cannot longjmp, it escapes the function
right away, before which we should free the buffer.

Currently lsan.test_longjmp3 and lsan.test_exceptions_longjmp3 fail
in Emscripten; this CL fixes these.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

aheejin created this revision.Aug 10 2021, 11:50 AM

Herald added subscribers: wingo, ecnelises, sunfish and 3 others. · View Herald TranscriptAug 10 2021, 11:50 AM

aheejin requested review of this revision.Aug 10 2021, 11:50 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 10 2021, 11:50 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

aheejin added a parent revision: D107685: [WebAssembly] Tidy up EH/SjLj options.Aug 10 2021, 12:20 PM

Harbormaster completed remote builds in B118947: Diff 365569.Aug 10 2021, 12:36 PM

aheejin edited the summary of this revision. (Show Details)Aug 10 2021, 2:11 PM

dschuff accepted this revision.Aug 12 2021, 12:40 PM

This revision is now accepted and ready to land.Aug 12 2021, 12:40 PM

aheejin removed a parent revision: D107685: [WebAssembly] Tidy up EH/SjLj options.Aug 12 2021, 4:20 PM

Closed by commit rGadb96d2e76ce: [WebAssembly] Fix leak in Emscripten SjLj (authored by aheejin). · Explain WhyAug 12 2021, 4:34 PM

This revision was automatically updated to reflect the committed changes.

aheejin added a commit: rGadb96d2e76ce: [WebAssembly] Fix leak in Emscripten SjLj.

aheejin mentioned this in D108955: [WebAssembly] Free setjmpTable before exiting calls in EmSjLj.Aug 30 2021, 4:16 PM

aheejin mentioned this in rG3419e85b15e3: [WebAssembly] Free setjmpTable before exiting calls in EmSjLj.Aug 30 2021, 9:46 PM

Revision Contents

Path

Size

llvm/

lib/

Target/

WebAssembly/

WebAssemblyLowerEmscriptenEHSjLj.cpp

32 lines

test/

CodeGen/

WebAssembly/

lower-em-ehsjlj.ll

32 lines

lower-em-sjlj.ll

2 lines

Diff 366147

llvm/lib/Target/WebAssembly/WebAssemblyLowerEmscriptenEHSjLj.cpp

Show First 20 Lines • Show All 1,238 Lines • ▼ Show 20 Lines	for (Instruction &I : *BB) {
BBs.push_back(Tail);		BBs.push_back(Tail);
}		}
}		}

// Erase everything we no longer need in this function		// Erase everything we no longer need in this function
for (Instruction *I : ToErase)		for (Instruction *I : ToErase)
I->eraseFromParent();		I->eraseFromParent();

// Free setjmpTable buffer before each return instruction		// Free setjmpTable buffer before each return instruction + function-exiting
		// call
		SmallVector<Instruction *, 16> ExitingInsts;
for (BasicBlock &BB : F) {		for (BasicBlock &BB : F) {
Instruction *TI = BB.getTerminator();		Instruction *TI = BB.getTerminator();
if (isa<ReturnInst>(TI)) {		if (isa<ReturnInst>(TI))
DebugLoc DL = getOrCreateDebugLoc(TI, F.getSubprogram());		ExitingInsts.push_back(TI);
auto *Free = CallInst::CreateFree(SetjmpTable, TI);		for (auto &I : BB) {
		if (auto *CB = dyn_cast<CallBase>(&I)) {
		StringRef CalleeName = CB->getCalledOperand()->getName();
		if (CalleeName == "__resumeException" \|\|
		CalleeName == "emscripten_longjmp" \|\| CalleeName == "__cxa_throw")
		ExitingInsts.push_back(&I);
		}
		}
		}
		for (auto *I : ExitingInsts) {
		DebugLoc DL = getOrCreateDebugLoc(I, F.getSubprogram());
		auto *Free = CallInst::CreateFree(SetjmpTable, I);
Free->setDebugLoc(DL);		Free->setDebugLoc(DL);
// CallInst::CreateFree may create a bitcast instruction if its argument		// CallInst::CreateFree may create a bitcast instruction if its argument
// types mismatch. We need to set the debug loc for the bitcast too.		// types mismatch. We need to set the debug loc for the bitcast too.
if (auto *FreeCallI = dyn_cast<CallInst>(Free)) {		if (auto *FreeCallI = dyn_cast<CallInst>(Free)) {
if (auto *BitCastI = dyn_cast<BitCastInst>(FreeCallI->getArgOperand(0)))		if (auto *BitCastI = dyn_cast<BitCastInst>(FreeCallI->getArgOperand(0)))
BitCastI->setDebugLoc(DL);		BitCastI->setDebugLoc(DL);
}		}
}		}
}

// Every call to saveSetjmp can change setjmpTable and setjmpTableSize		// Every call to saveSetjmp can change setjmpTable and setjmpTableSize
// (when buffer reallocation occurs)		// (when buffer reallocation occurs)
// entry:		// entry:
// setjmpTableSize = 4;		// setjmpTableSize = 4;
// setjmpTable = (int *) malloc(40);		// setjmpTable = (int *) malloc(40);
// setjmpTable[0] = 0;		// setjmpTable[0] = 0;
// ...		// ...
▲ Show 20 Lines • Show All 46 Lines • Show Last 20 Lines

llvm/test/CodeGen/WebAssembly/lower-em-ehsjlj.ll

Show First 20 Lines • Show All 83 Lines • ▼ Show 20 Lines	lpad: ; preds = %entry
br label %try.cont		br label %try.cont

try.cont: ; preds = %entry, %lpad		try.cont: ; preds = %entry, %lpad
ret void		ret void
}		}

; This function contains a setjmp call and no invoke, so we only handle longjmp		; This function contains a setjmp call and no invoke, so we only handle longjmp
; here. But @foo can also throw an exception, so we check if an exception is		; here. But @foo can also throw an exception, so we check if an exception is
; thrown and if so rethrow it by calling @__resumeException.		; thrown and if so rethrow it by calling @__resumeException. Also we have to
		; free the setjmpTable buffer before calling @__resumeException.
define void @rethrow_exception() {		define void @rethrow_exception() {
; CHECK-LABEL: @rethrow_exception		; CHECK-LABEL: @rethrow_exception
entry:		entry:
%buf = alloca [1 x %struct.__jmp_buf_tag], align 16		%buf = alloca [1 x %struct.__jmp_buf_tag], align 16
%arraydecay = getelementptr inbounds [1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* %buf, i32 0, i32 0		%arraydecay = getelementptr inbounds [1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* %buf, i32 0, i32 0
%call = call i32 @setjmp(%struct.__jmp_buf_tag* %arraydecay) #0		%call = call i32 @setjmp(%struct.__jmp_buf_tag* %arraydecay) #0
%cmp = icmp ne i32 %call, 0		%cmp = icmp ne i32 %call, 0
br i1 %cmp, label %return, label %if.end		br i1 %cmp, label %return, label %if.end

if.end: ; preds = %entry		if.end: ; preds = %entry
call void @foo()		call void @foo()
br label %return		br label %return

; CHECK: if.end:		; CHECK: if.end:
; CHECK: %cmp.eq.one = icmp eq i32 %__THREW__.val, 1		; CHECK: %cmp.eq.one = icmp eq i32 %__THREW__.val, 1
; CHECK-NEXT: br i1 %cmp.eq.one, label %eh.rethrow, label %normal		; CHECK-NEXT: br i1 %cmp.eq.one, label %eh.rethrow, label %normal

; CHECK: normal:		; CHECK: normal:
; CHECK-NEXT: icmp ne i32 %__THREW__.val, 0		; CHECK-NEXT: icmp ne i32 %__THREW__.val, 0

; CHECK: eh.rethrow:		; CHECK: eh.rethrow:
; CHECK-NEXT: %exn = call i8* @__cxa_find_matching_catch_2()		; CHECK-NEXT: %exn = call i8* @__cxa_find_matching_catch_2()
		; CHECK-NEXT: %[[BUF:.]] = bitcast i32 %setjmpTable1 to i8*
		; CHECK-NEXT: call void @free(i8* %[[BUF]])
; CHECK-NEXT: call void @__resumeException(i8* %exn)		; CHECK-NEXT: call void @__resumeException(i8* %exn)
; CHECK-NEXT: unreachable		; CHECK-NEXT: unreachable

return: ; preds = %entry, %if.end		return: ; preds = %entry, %if.end
ret void		ret void
}		}

		; The same as 'rethrow_exception' but contains a __cxa_throw call. We have to
		; free the setjmpTable buffer before calling __cxa_throw.
		define void @rethrow_exception2() {
		; CHECK-LABEL: @rethrow_exception2
		entry:
		%buf = alloca [1 x %struct.__jmp_buf_tag], align 16
		%arraydecay = getelementptr inbounds [1 x %struct.__jmp_buf_tag], [1 x %struct.__jmp_buf_tag]* %buf, i32 0, i32 0
		%call = call i32 @setjmp(%struct.__jmp_buf_tag* %arraydecay) #0
		%cmp = icmp ne i32 %call, 0
		br i1 %cmp, label %throw, label %if.end

		if.end: ; preds = %entry
		call void @foo()
		br label %throw

		throw: ; preds = %entry, %if.end
		call void @__cxa_throw(i8* null, i8* null, i8* null) #1
		unreachable

		; CHECK: throw:
		; CHECK: %[[BUF:.]] = bitcast i32 %setjmpTable5 to i8*
		; CHECK-NEXT: call void @free(i8* %[[BUF]])
		; CHECK-NEXT: call void @__cxa_throw(i8* null, i8* null, i8* null)
		; CHECK-NEXT: unreachable
		}

declare void @foo()		declare void @foo()
; Function Attrs: returns_twice		; Function Attrs: returns_twice
declare i32 @setjmp(%struct.__jmp_buf_tag*)		declare i32 @setjmp(%struct.__jmp_buf_tag*)
; Function Attrs: noreturn		; Function Attrs: noreturn
declare void @longjmp(%struct.__jmp_buf_tag*, i32)		declare void @longjmp(%struct.__jmp_buf_tag*, i32)
declare i32 @__gxx_personality_v0(...)		declare i32 @__gxx_personality_v0(...)
declare i8* @__cxa_begin_catch(i8*)		declare i8* @__cxa_begin_catch(i8*)
declare void @__cxa_end_catch()		declare void @__cxa_end_catch()
		declare void @__cxa_throw(i8, i8, i8*)

attributes #0 = { returns_twice }		attributes #0 = { returns_twice }
attributes #1 = { noreturn }		attributes #1 = { noreturn }

llvm/test/CodeGen/WebAssembly/lower-em-sjlj.ll

	Show First 20 Lines • Show All 65 Lines • ▼ Show 20 Lines
	; CHECK: if.end:			; CHECK: if.end:
	; CHECK-NEXT: %[[LABEL_PHI:.]] = phi i32 [ %[[LABEL:.]], %if.end2 ], [ -1, %if.else1 ]			; CHECK-NEXT: %[[LABEL_PHI:.]] = phi i32 [ %[[LABEL:.]], %if.end2 ], [ -1, %if.else1 ]
	; CHECK-NEXT: %[[LONGJMP_RESULT]] = call i32 @getTempRet0()			; CHECK-NEXT: %[[LONGJMP_RESULT]] = call i32 @getTempRet0()
	; CHECK-NEXT: switch i32 %[[LABEL_PHI]], label %entry.split.split [			; CHECK-NEXT: switch i32 %[[LABEL_PHI]], label %entry.split.split [
	; CHECK-NEXT: i32 1, label %entry.split			; CHECK-NEXT: i32 1, label %entry.split
	; CHECK-NEXT: ]			; CHECK-NEXT: ]

	; CHECK: if.then2:			; CHECK: if.then2:
				; CHECK-NEXT: %[[BUF:.]] = bitcast i32 %[[SETJMP_TABLE1]] to i8*
				; CHECK-NEXT: call void @free(i8* %[[BUF]])
	; CHECK-NEXT: call void @emscripten_longjmp([[PTR]] %[[__THREW__VAL]], i32 %[[THREWVALUE_VAL]])			; CHECK-NEXT: call void @emscripten_longjmp([[PTR]] %[[__THREW__VAL]], i32 %[[THREWVALUE_VAL]])
	; CHECK-NEXT: unreachable			; CHECK-NEXT: unreachable

	; CHECK: if.end2:			; CHECK: if.end2:
	; CHECK-NEXT: call void @setTempRet0(i32 %[[THREWVALUE_VAL]])			; CHECK-NEXT: call void @setTempRet0(i32 %[[THREWVALUE_VAL]])
	; CHECK-NEXT: br label %if.end			; CHECK-NEXT: br label %if.end
	}			}

	▲ Show 20 Lines • Show All 222 Lines • Show Last 20 Lines