This is an archive of the discontinued LLVM Phabricator instance.

Differential D132493

[Sample Profile Reader] Fix potential integer overflow/infinite loop bug in sample profile reader
ClosedPublic

Authored by huangjd on Aug 23 2022, 12:08 PM.

Details

Reviewers
davidxl
wenlei
Commits
rGb10565620714: [Sample Profile Reader] Fix potential integer overflow/infinite loop bug in…
Summary

Change loop induction variable type to match the type of "SIZE" where it's compared against, to prevent infinite loop caused by overflow wraparound if there are more than 2^32 samples

Diff Detail

Event Timeline

huangjd created this revision.Aug 23 2022, 12:08 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 23 2022, 12:08 PM
Herald added subscribers: wenlei, hiraditya. · View Herald Transcript
huangjd requested review of this revision.Aug 23 2022, 12:08 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 23 2022, 12:08 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
wenlei accepted this revision.Aug 23 2022, 12:35 PM

The change makes sense since the fields are actually 64-bit ones. But which one of the loops did you run into issue with? Curious which part is overflowing int32.

This revision is now accepted and ready to land.Aug 23 2022, 12:35 PM
huangjd added a comment.Aug 23 2022, 1:19 PM

It is more of a precaution, but I did come across very large afdo profiles.

This revision was landed with ongoing or failed builds.Aug 23 2022, 1:36 PM
Closed by commit rGb10565620714: [Sample Profile Reader] Fix potential integer overflow/infinite loop bug in… (authored by huangjd). · Explain Why
This revision was automatically updated to reflect the committed changes.
huangjd added a commit: rGb10565620714: [Sample Profile Reader] Fix potential integer overflow/infinite loop bug in….
Harbormaster completed remote builds in B182902: Diff 454921.Aug 23 2022, 2:42 PM

Revision Contents

PathSize
llvm/
lib/
ProfileData/
10 lines

Diff 454943

llvm/lib/ProfileData/SampleProfReader.cpp

Show First 20 LinesShow All 803 Lines▼ Show 20 Linesstd::error_code SampleProfileReaderExtBinaryBase::readFuncOffsetTable() {
FuncOffsetTable.reserve(*Size); FuncOffsetTable.reserve(*Size);
if (FuncOffsetsOrdered) { if (FuncOffsetsOrdered) {
OrderedFuncOffsets = OrderedFuncOffsets =
std::make_unique<std::vector<std::pair<SampleContext, uint64_t>>>(); std::make_unique<std::vector<std::pair<SampleContext, uint64_t>>>();
OrderedFuncOffsets->reserve(*Size); OrderedFuncOffsets->reserve(*Size);
} }
for (uint32_t I = 0; I < *Size; ++I) { for (uint64_t I = 0; I < *Size; ++I) {
auto FContext(readSampleContextFromTable()); auto FContext(readSampleContextFromTable());
if (std::error_code EC = FContext.getError()) if (std::error_code EC = FContext.getError())
return EC; return EC;
auto Offset = readNumber<uint64_t>(); auto Offset = readNumber<uint64_t>();
if (std::error_code EC = Offset.getError()) if (std::error_code EC = Offset.getError())
return EC; return EC;
▲ Show 20 LinesShow All 270 Lines▼ Show 20 Lines if (FixedLengthMD5) {
// check using the size of NameTable. // check using the size of NameTable.
NameTable.resize(*Size + NameTable.size()); NameTable.resize(*Size + NameTable.size());
MD5NameMemStart = Data; MD5NameMemStart = Data;
Data = Data + (*Size) * sizeof(uint64_t); Data = Data + (*Size) * sizeof(uint64_t);
return sampleprof_error::success; return sampleprof_error::success;
} }
NameTable.reserve(*Size); NameTable.reserve(*Size);
for (uint32_t I = 0; I < *Size; ++I) { for (uint64_t I = 0; I < *Size; ++I) {
auto FID = readNumber<uint64_t>(); auto FID = readNumber<uint64_t>();
if (std::error_code EC = FID.getError()) if (std::error_code EC = FID.getError())
return EC; return EC;
MD5StringBuf->push_back(std::to_string(*FID)); MD5StringBuf->push_back(std::to_string(*FID));
// NameTable is a vector of StringRef. Here it is pushing back a // NameTable is a vector of StringRef. Here it is pushing back a
// StringRef initialized with the last string in MD5stringBuf. // StringRef initialized with the last string in MD5stringBuf.
NameTable.push_back(MD5StringBuf->back()); NameTable.push_back(MD5StringBuf->back());
} }
▲ Show 20 LinesShow All 124 Lines▼ Show 20 LinesSampleProfileReaderExtBinaryBase::readFuncMetadata(bool ProfileHasAttribute) {
return sampleprof_error::success; return sampleprof_error::success;
} }
std::error_code SampleProfileReaderCompactBinary::readNameTable() { std::error_code SampleProfileReaderCompactBinary::readNameTable() {
auto Size = readNumber<uint64_t>(); auto Size = readNumber<uint64_t>();
if (std::error_code EC = Size.getError()) if (std::error_code EC = Size.getError())
return EC; return EC;
NameTable.reserve(*Size); NameTable.reserve(*Size);
for (uint32_t I = 0; I < *Size; ++I) { for (uint64_t I = 0; I < *Size; ++I) {
auto FID = readNumber<uint64_t>(); auto FID = readNumber<uint64_t>();
if (std::error_code EC = FID.getError()) if (std::error_code EC = FID.getError())
return EC; return EC;
NameTable.push_back(std::to_string(*FID)); NameTable.push_back(std::to_string(*FID));
} }
return sampleprof_error::success; return sampleprof_error::success;
} }
Show All 25 LinesSampleProfileReaderExtBinaryBase::readSecHdrTableEntry(uint32_t Idx) {
return sampleprof_error::success; return sampleprof_error::success;
} }
std::error_code SampleProfileReaderExtBinaryBase::readSecHdrTable() { std::error_code SampleProfileReaderExtBinaryBase::readSecHdrTable() {
auto EntryNum = readUnencodedNumber<uint64_t>(); auto EntryNum = readUnencodedNumber<uint64_t>();
if (std::error_code EC = EntryNum.getError()) if (std::error_code EC = EntryNum.getError())
return EC; return EC;
for (uint32_t i = 0; i < (*EntryNum); i++) for (uint64_t i = 0; i < (*EntryNum); i++)
if (std::error_code EC = readSecHdrTableEntry(i)) if (std::error_code EC = readSecHdrTableEntry(i))
return EC; return EC;
return sampleprof_error::success; return sampleprof_error::success;
} }
std::error_code SampleProfileReaderExtBinaryBase::readHeader() { std::error_code SampleProfileReaderExtBinaryBase::readHeader() {
const uint8_t *BufStart = const uint8_t *BufStart =
▲ Show 20 LinesShow All 152 Lines▼ Show 20 Lines const uint8_t *TableStart =
*TableOffset; *TableOffset;
Data = TableStart; Data = TableStart;
auto Size = readNumber<uint64_t>(); auto Size = readNumber<uint64_t>();
if (std::error_code EC = Size.getError()) if (std::error_code EC = Size.getError())
return EC; return EC;
FuncOffsetTable.reserve(*Size); FuncOffsetTable.reserve(*Size);
for (uint32_t I = 0; I < *Size; ++I) { for (uint64_t I = 0; I < *Size; ++I) {
auto FName(readStringFromTable()); auto FName(readStringFromTable());
if (std::error_code EC = FName.getError()) if (std::error_code EC = FName.getError())
return EC; return EC;
auto Offset = readNumber<uint64_t>(); auto Offset = readNumber<uint64_t>();
if (std::error_code EC = Offset.getError()) if (std::error_code EC = Offset.getError())
return EC; return EC;
▲ Show 20 LinesShow All 512 LinesShow Last 20 Lines