This is an archive of the discontinued LLVM Phabricator instance.

Differential D108142

[SamplePGO] Fixing a memory issue when creating profiles on-demand
ClosedPublic

Authored by hoy on Aug 16 2021, 9:23 AM.

Details

Reviewers
wenlei
wmi
wlei
Commits
rGa1e21864df68: [SamplePGO] Fixing a memory issue when creating profiles on-demand
Summary

There is a on-dmeand creation of function profile during top-down processing in the sample loader when merging uninlined callees. During the profile creation, a stack string object is used to store a newly-created MD5 name, which is then used by reference as hash key in the profile map. This makes the hash key a dangling reference when later on the stack string object is deallocated.

The issue only happens with md5 profile use and was exposed by context split work for CS profile. I'm making a fix by storing newly created names in the reader.

Diff Detail

Event Timeline

hoy created this revision.Aug 16 2021, 9:23 AM
Herald added subscribers: modimo, wenlei. · View Herald TranscriptAug 16 2021, 9:23 AM
hoy requested review of this revision.Aug 16 2021, 9:23 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 16 2021, 9:23 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
hoy added reviewers: wenlei, wmi, wlei.Aug 16 2021, 9:24 AM
Harbormaster completed remote builds in B119731: Diff 366659.Aug 16 2021, 10:03 AM
wlei accepted this revision.Aug 16 2021, 10:36 AM

LGTM, thanks for the fix!

This revision is now accepted and ready to land.Aug 16 2021, 10:36 AM
wenlei added a comment.Aug 16 2021, 11:43 AM

Thanks for the fix. I guess since we didn't really use the key of the map, it was just a hidden bug not causing trouble in the past (no ICE)?

llvm/include/llvm/ProfileData/SampleProfReader.h
411

Can we assert this only happens for MD5?

Additionally, NameBuffer -> MD5NameBuffer to make that explicit?

hoy added a comment.Aug 16 2021, 11:55 AM
In D108142#2947508, @wenlei wrote:

Thanks for the fix. I guess since we didn't really use the key of the map, it was just a hidden bug not causing trouble in the past (no ICE)?

We have a test for this currently, but since it is small it doesn't capture the use-after-free case.

llvm/include/llvm/ProfileData/SampleProfReader.h
411

Sounds good.

hoy updated this revision to Diff 366696.Aug 16 2021, 11:56 AM

Addressing Wenlei's comment.

hoy updated this revision to Diff 366699.Aug 16 2021, 11:57 AM

Updating D108142: [SamplePGO] Fixing a memory issue when creating profiles on-demand

wmi added inline comments.Aug 16 2021, 12:24 PM
llvm/include/llvm/ProfileData/SampleProf.h
107–110

Thanks for the improvement.

llvm/include/llvm/ProfileData/SampleProfReader.h
411

Nit:

if (It != Profiles.end())
  return &It->second;
...
516

std::unordered_set is enough?

Harbormaster completed remote builds in B119761: Diff 366699.Aug 16 2021, 12:38 PM
hoy added inline comments.Aug 16 2021, 12:49 PM
llvm/include/llvm/ProfileData/SampleProfReader.h
411

This looks cleaner.

516

Oops, that's what I meant to use. Good catch. Thanks.

hoy updated this revision to Diff 366720.Aug 16 2021, 12:50 PM

Addresing Wei's comments.

wenlei accepted this revision.Aug 16 2021, 1:01 PM

lgtm, thanks.

Harbormaster completed remote builds in B119776: Diff 366720.Aug 16 2021, 1:47 PM
wmi accepted this revision.Aug 16 2021, 2:24 PM

LGTM.

Closed by commit rGa1e21864df68: [SamplePGO] Fixing a memory issue when creating profiles on-demand (authored by hoy). · Explain WhyAug 16 2021, 4:30 PM
This revision was automatically updated to reflect the committed changes.
hoy added a commit: rGa1e21864df68: [SamplePGO] Fixing a memory issue when creating profiles on-demand.

Revision Contents

PathSize
llvm/
include/
llvm/
ProfileData/
4 lines
14 lines

Diff 366699

llvm/include/llvm/ProfileData/SampleProf.h

Show First 20 LinesShow All 98 Lines▼ Show 20 Lines return uint64_t('S') << (64 - 8) | uint64_t('P') << (64 - 16) |
uint64_t('F') << (64 - 40) | uint64_t('4') << (64 - 48) | uint64_t('F') << (64 - 40) | uint64_t('4') << (64 - 48) |
uint64_t('2') << (64 - 56) | uint64_t(Format); uint64_t('2') << (64 - 56) | uint64_t(Format);
} }
/// Get the proper representation of a string according to whether the /// Get the proper representation of a string according to whether the
/// current Format uses MD5 to represent the string. /// current Format uses MD5 to represent the string.
static inline StringRef getRepInFormat(StringRef Name, bool UseMD5, static inline StringRef getRepInFormat(StringRef Name, bool UseMD5,
std::string &GUIDBuf) { std::string &GUIDBuf) {
if (Name.empty()) if (Name.empty() || !UseMD5)
return Name; return Name;
GUIDBuf = std::to_string(Function::getGUID(Name)); GUIDBuf = std::to_string(Function::getGUID(Name));
return UseMD5 ? StringRef(GUIDBuf) : Name; return GUIDBuf;
wmiUnsubmitted
Not Done
ReplyInline Actions

Thanks for the improvement.

wmi: Thanks for the improvement.
} }
static inline uint64_t SPVersion() { return 103; } static inline uint64_t SPVersion() { return 103; }
// Section Type used by SampleProfileExtBinaryBaseReader and // Section Type used by SampleProfileExtBinaryBaseReader and
// SampleProfileExtBinaryBaseWriter. Never change the existing // SampleProfileExtBinaryBaseWriter. Never change the existing
// value of enum. Only append new ones. // value of enum. Only append new ones.
enum SecType { enum SecType {
▲ Show 20 LinesShow All 932 LinesShow Last 20 Lines

llvm/include/llvm/ProfileData/SampleProfReader.h

Show First 20 LinesShow All 401 Lines▼ Show 20 Linespublic:
} }
/// Return the samples collected for function \p F, create empty /// Return the samples collected for function \p F, create empty
/// FunctionSamples if it doesn't exist. /// FunctionSamples if it doesn't exist.
FunctionSamples *getOrCreateSamplesFor(const Function &F) { FunctionSamples *getOrCreateSamplesFor(const Function &F) {
std::string FGUID; std::string FGUID;
StringRef CanonName = FunctionSamples::getCanonicalFnName(F); StringRef CanonName = FunctionSamples::getCanonicalFnName(F);
CanonName = getRepInFormat(CanonName, useMD5(), FGUID); CanonName = getRepInFormat(CanonName, useMD5(), FGUID);
auto It = Profiles.find(CanonName);
if (It == Profiles.end()) {
wenleiUnsubmitted
Not Done
ReplyInline Actions

Can we assert this only happens for MD5?

Additionally, NameBuffer -> MD5NameBuffer to make that explicit?

wenlei: Can we assert this only happens for MD5? Additionally, NameBuffer -> MD5NameBuffer to make…
hoyAuthorUnsubmitted
Done
ReplyInline Actions

Sounds good.

hoy: Sounds good.
wmiUnsubmitted
Not Done
ReplyInline Actions

Nit:

if (It != Profiles.end())
  return &It->second;
...
wmi: Nit: ``` if (It != Profiles.end()) return &It->second; ... ```
hoyAuthorUnsubmitted
Done
ReplyInline Actions

This looks cleaner.

hoy: This looks cleaner.
if (!FGUID.empty()) {
assert(useMD5() && "New name should only be generated for md5 profile");
CanonName = *MD5NameBuffer.insert(FGUID).first;
}
return &Profiles[CanonName]; return &Profiles[CanonName];
} }
return &It->second;
}
/// Return the samples collected for function \p F. /// Return the samples collected for function \p F.
virtual FunctionSamples *getSamplesFor(StringRef Fname) { virtual FunctionSamples *getSamplesFor(StringRef Fname) {
std::string FGUID; std::string FGUID;
Fname = getRepInFormat(Fname, useMD5(), FGUID); Fname = getRepInFormat(Fname, useMD5(), FGUID);
auto It = Profiles.find(Fname); auto It = Profiles.find(Fname);
if (It != Profiles.end()) if (It != Profiles.end())
return &It->second; return &It->second;
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Linesprotected:
StringMap<FunctionSamples> Profiles; StringMap<FunctionSamples> Profiles;
/// LLVM context used to emit diagnostics. /// LLVM context used to emit diagnostics.
LLVMContext &Ctx; LLVMContext &Ctx;
/// Memory buffer holding the profile file. /// Memory buffer holding the profile file.
std::unique_ptr<MemoryBuffer> Buffer; std::unique_ptr<MemoryBuffer> Buffer;
/// Extra name buffer holding names created on demand.
/// This should only be needed for md5 profiles.
std::set<std::string> MD5NameBuffer;
wmiUnsubmitted
Not Done
ReplyInline Actions

std::unordered_set is enough?

wmi: std::unordered_set is enough?
hoyAuthorUnsubmitted
Done
ReplyInline Actions

Oops, that's what I meant to use. Good catch. Thanks.

hoy: Oops, that's what I meant to use. Good catch. Thanks.
/// Profile summary information. /// Profile summary information.
std::unique_ptr<ProfileSummary> Summary; std::unique_ptr<ProfileSummary> Summary;
/// Take ownership of the summary of this reader. /// Take ownership of the summary of this reader.
static std::unique_ptr<ProfileSummary> static std::unique_ptr<ProfileSummary>
takeSummary(SampleProfileReader &Reader) { takeSummary(SampleProfileReader &Reader) {
return std::move(Reader.Summary); return std::move(Reader.Summary);
} }
▲ Show 20 LinesShow All 347 LinesShow Last 20 Lines