This is an archive of the discontinued LLVM Phabricator instance.

Differential D130212

[libc++][ranges] attempt to fix proxy iterator issues that cause Chromium to crash
ClosedPublic

Authored by var-const on Jul 20 2022, 4:12 PM.

Details

Reviewers
ldionne
eaeltsin
huixie90
Group Reviewers
Restricted Project
Commits
rG7abbd6224b0b: [libc++] Fix proxy iterator issues that trigger an assertion in Chromium.
Summary

[libc++][ranges] attempt to fix proxy iterator issues that cause Chromium to crash

The crash reported by Chrome v8 is related to sorting with v8::internal::AtomicSlot
According to https://chromium.googlesource.com/v8/v8/+/9bcb5eb590643db0c1f688fea316c7f1f4786a3c/src/objects/slots-atomic-inl.h
AtomicSlot is indeed a proxy iterator with a proxy type AtomicSlot::Reference

https://reviews.llvm.org/D130197 correctly spotted issues in __iter_move, but the fix does not fix the issue.
The reason is that AtomicSlot::operator* returns a prvalue Reference. After the fix in D130197, the return type
of __iter_move is Reference&&. But the rvalue reference is bond to the temporary value returned by operator*,
which will be dangling after __iter_move returns.

The idea of the fix in this change is borrowed from C++17's move_iterator
https://timsong-cpp.github.io/cppwp/n4659/move.iterators#move.iterator-1
When underlying reference is a prvalue, we just return it by value.

Diff Detail

Event Timeline

huixie90 created this revision.Jul 20 2022, 4:12 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 20 2022, 4:12 PM
Herald added a subscriber: mgrang. · View Herald Transcript
huixie90 requested review of this revision.Jul 20 2022, 4:12 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 20 2022, 4:12 PM
Herald added a reviewer: Restricted Project. · View Herald Transcript
Herald added a subscriber: libcxx-commits. · View Herald Transcript
huixie90 added a reviewer: eaeltsin.Jul 20 2022, 4:21 PM
Harbormaster completed remote builds in B176617: Diff 446294.Jul 20 2022, 4:41 PM
var-const accepted this revision.Jul 20 2022, 6:06 PM

LGTM. It looks like the new tests still pass even without the fix, which means we still have work to do there. However, the tests are a great starting point, and I manually verified that the fix works, so I think it's good to go.

This revision is now accepted and ready to land.Jul 20 2022, 6:06 PM
var-const commandeered this revision.Jul 20 2022, 6:13 PM
var-const edited reviewers, added: huixie90; removed: var-const.

I'll commandeer this just to land this quicker -- @huixie90 I hope that's okay with you.

This revision now requires review to proceed.Jul 20 2022, 6:13 PM
var-const updated this revision to Diff 446318.Jul 20 2022, 6:13 PM

Rebase and reword the description.

This revision was not accepted when it landed; it landed in state Needs Review.Jul 20 2022, 6:16 PM
This revision was landed with ongoing or failed builds.
Closed by commit rG7abbd6224b0b: [libc++] Fix proxy iterator issues that trigger an assertion in Chromium. (authored by huixie90, committed by var-const). · Explain Why
This revision was automatically updated to reflect the committed changes.
var-const added a commit: rG7abbd6224b0b: [libc++] Fix proxy iterator issues that trigger an assertion in Chromium..
var-const mentioned this in D129823: [libc++][ranges] Make range algorithms support proxy iterators.Jul 20 2022, 6:18 PM
Harbormaster completed remote builds in B176635: Diff 446318.Jul 20 2022, 7:04 PM
var-const mentioned this in D130330: [libc++][NFC] Add checks for lifetime issues in classic algorithms..Jul 21 2022, 10:28 PM

Revision Contents

PathSize
libcxx/
include/
__algorithm/
19 lines
test/
std/
algorithms/
alg.sorting/
alg.sort/
sort/
108 lines

Diff 446319

libcxx/include/__algorithm/iterator_operations.h

Show First 20 LinesShow All 60 Lines▼ Show 20 Linesstruct _IterOps<_ClassicAlgPolicy> {
_LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11 _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11
static typename iterator_traits<_Iter>::difference_type distance(_Iter __first, _Iter __last) { static typename iterator_traits<_Iter>::difference_type distance(_Iter __first, _Iter __last) {
return std::distance(__first, __last); return std::distance(__first, __last);
} }
// iter_move // iter_move
template <class _Iter> template <class _Iter>
_LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11 _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11
// Declaring the return type is necessary for C++03, so we basically mirror what `decltype(auto)` would deduce. // Declaring the return type is necessary for C++03, so we basically mirror what `decltype(auto)` would deduce.
static typename remove_reference< static __enable_if_t<
typename iterator_traits<__uncvref_t<_Iter> >::reference is_reference<typename iterator_traits<__uncvref_t<_Iter> >::reference>::value,
>::type&& __iter_move(_Iter&& __i) { typename remove_reference< typename iterator_traits<__uncvref_t<_Iter> >::reference >::type&&>
__iter_move(_Iter&& __i) {
return std::move(*std::forward<_Iter>(__i)); return std::move(*std::forward<_Iter>(__i));
} }
template <class _Iter>
_LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11
// Declaring the return type is necessary for C++03, so we basically mirror what `decltype(auto)` would deduce.
static __enable_if_t<
!is_reference<typename iterator_traits<__uncvref_t<_Iter> >::reference>::value,
typename iterator_traits<__uncvref_t<_Iter> >::reference>
__iter_move(_Iter&& __i) {
return *std::forward<_Iter>(__i);
}
// iter_swap // iter_swap
template <class _Iter1, class _Iter2> template <class _Iter1, class _Iter2>
_LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11 _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_AFTER_CXX11
static void iter_swap(_Iter1&& __a, _Iter2&& __b) { static void iter_swap(_Iter1&& __a, _Iter2&& __b) {
std::iter_swap(std::forward<_Iter1>(__a), std::forward<_Iter2>(__b)); std::iter_swap(std::forward<_Iter1>(__a), std::forward<_Iter2>(__b));
} }
// next // next
Show All 23 Lines

libcxx/test/std/algorithms/alg.sorting/alg.sort/sort/sort_proxy.pass.cpp

//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// <algorithm> // <algorithm>
#include <algorithm> #include <algorithm>
#include <cassert> #include <cassert>
#include <vector> #include <vector>
struct Cpp17ProxyIterator {
struct Reference {
int* i_;
Reference(int& i) : i_(&i) {}
operator int() const { return *i_; }
Reference& operator=(int i) {
*i_ = i;
return *this;
}
friend bool operator<(const Reference& x, const Reference& y) { return *x.i_ < *y.i_; }
friend bool operator==(const Reference& x, const Reference& y) { return *x.i_ == *y.i_; }
friend void swap(Reference x, Reference y) { std::swap(*(x.i_), *(y.i_)); }
};
using difference_type = int;
using value_type = int;
using reference = Reference;
using pointer = void*;
using iterator_category = std::random_access_iterator_tag;
int* ptr_;
Cpp17ProxyIterator(int* ptr) : ptr_(ptr) {}
Reference operator*() const { return Reference(*ptr_); }
Cpp17ProxyIterator& operator++() {
++ptr_;
return *this;
}
Cpp17ProxyIterator operator++(int) {
auto tmp = *this;
++*this;
return tmp;
}
friend bool operator==(const Cpp17ProxyIterator& x, const Cpp17ProxyIterator& y) { return x.ptr_ == y.ptr_; }
friend bool operator!=(const Cpp17ProxyIterator& x, const Cpp17ProxyIterator& y) { return x.ptr_ != y.ptr_; }
Cpp17ProxyIterator& operator--() {
--ptr_;
return *this;
}
Cpp17ProxyIterator operator--(int) {
auto tmp = *this;
--*this;
return tmp;
}
Cpp17ProxyIterator& operator+=(difference_type n) {
ptr_ += n;
return *this;
}
Cpp17ProxyIterator& operator-=(difference_type n) {
ptr_ -= n;
return *this;
}
Reference operator[](difference_type i) const { return Reference(*(ptr_ + i)); }
friend bool operator<(const Cpp17ProxyIterator& x, const Cpp17ProxyIterator& y) { return x.ptr_ < y.ptr_; }
friend bool operator>(const Cpp17ProxyIterator& x, const Cpp17ProxyIterator& y) { return x.ptr_ > y.ptr_; }
friend bool operator<=(const Cpp17ProxyIterator& x, const Cpp17ProxyIterator& y) { return x.ptr_ <= y.ptr_; }
friend bool operator>=(const Cpp17ProxyIterator& x, const Cpp17ProxyIterator& y) { return x.ptr_ >= y.ptr_; }
friend Cpp17ProxyIterator operator+(const Cpp17ProxyIterator& x, difference_type n) {
return Cpp17ProxyIterator(x.ptr_ + n);
}
friend Cpp17ProxyIterator operator+(difference_type n, const Cpp17ProxyIterator& x) {
return Cpp17ProxyIterator(n + x.ptr_);
}
friend Cpp17ProxyIterator operator-(const Cpp17ProxyIterator& x, difference_type n) {
return Cpp17ProxyIterator(x.ptr_ - n);
}
friend difference_type operator-(Cpp17ProxyIterator x, Cpp17ProxyIterator y) {
return static_cast<int>(x.ptr_ - y.ptr_);
}
};
void test() { void test() {
// TODO: use a custom proxy iterator instead of (or in addition to) `vector<bool>`. // TODO: use a custom proxy iterator instead of (or in addition to) `vector<bool>`.
std::vector<bool> v(5, false); std::vector<bool> v(5, false);
v[1] = true; v[3] = true; v[1] = true;
v[3] = true;
std::sort(v.begin(), v.end()); std::sort(v.begin(), v.end());
assert(std::is_sorted(v.begin(), v.end())); assert(std::is_sorted(v.begin(), v.end()));
} }
void testCustomProxyIterator() {
int a[] = {5, 1, 3, 2, 4};
std::sort(Cpp17ProxyIterator(a), Cpp17ProxyIterator(a + 5));
assert(a[0] == 1);
assert(a[1] == 2);
assert(a[2] == 3);
assert(a[3] == 4);
assert(a[4] == 5);
}
int main(int, char**) { int main(int, char**) {
test(); test();
testCustomProxyIterator();
return 0; return 0;
} }