This is an archive of the discontinued LLVM Phabricator instance.

Differential D134641

[AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs::isLastVGPRUseVMEMStore
ClosedPublic

Authored by jmmartinez on Sep 26 2022, 6:24 AM.

Details

Reviewers
foad
jpages
arsenm
Commits
rGbb24b2c610b4: [AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs…

Diff Detail

Event Timeline

jmmartinez created this revision.Sep 26 2022, 6:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 26 2022, 6:24 AM
Herald added subscribers: kosarev, foad, kerbowa and 9 others. · View Herald Transcript
jmmartinez requested review of this revision.Sep 26 2022, 6:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 26 2022, 6:24 AM
Herald added subscribers: llvm-commits, wdng. · View Herald Transcript
jmmartinez added a reviewer: foad.Sep 26 2022, 6:25 AM
jmmartinez added reviewers: jpages, arsenm.Sep 26 2022, 6:30 AM
arsenm added inline comments.Sep 26 2022, 6:51 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
38–39

If you're going to resize to the number of blocks, do you really need to use a DenseMap at all? You could use a bit vector indexed by the block number

139

Capitalize We

Harbormaster completed remote builds in B188692: Diff 462889.Sep 26 2022, 7:44 AM
jmmartinez added inline comments.Sep 26 2022, 8:19 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
38–39

It doesn't map direclty into a bit-vector since there are 3 states considered (has-a-vmem-store, does-not-have-vmem-store and not-yet-computed).

What do you think about a SmallVector<VMEMStore> with an enum class UsesVMEMStoreTy { UsesVMEMStore, DoesNotUseVMEMStore, NotYetComputed } ?

arsenm added inline comments.Sep 26 2022, 8:22 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
38–39

Can you avoid the NotYetComputed case if you do this in RPO

jmmartinez updated this revision to Diff 463151.Sep 27 2022, 1:51 AM
  • [NFC][AMDGPU][Backend] Make member varialbe a parameter
jmmartinez marked an inline comment as done.Sep 27 2022, 1:56 AM
jmmartinez added inline comments.
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
38–39

Way better! Thanks! I changed it to use a BitVector, but also I've encapsulated everything in a small class. The associated object is passed as a parameter to runOnMachineBasicBlock (instead of using a member variable).

Harbormaster completed remote builds in B188892: Diff 463151.Sep 27 2022, 4:03 AM
arsenm added inline comments.Sep 27 2022, 12:20 PM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
66–97

You can just use MBB.getNumber

jmmartinez updated this revision to Diff 463462.Sep 28 2022, 2:01 AM
  • Use MachineBasicBlock::getNumber instead of std::distance
Harbormaster completed remote builds in B189114: Diff 463462.Sep 28 2022, 2:51 AM
arsenm added inline comments.Sep 28 2022, 9:25 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
69

I'd expect this to be the post_order loop

101

Just use bool?

102

This looks like a dead variable?

jmmartinez added inline comments.Sep 29 2022, 12:33 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
69

This loop sets the initialization value for each MachineBasicBlock. This loop does not take into account the predecessors/successors and it can be done in any order. Maybe the name lastBlockVGPRUseIsVMEMStore is misleading? Could be renamed to something such as lastVGPRUseInstInBlockIsVMEMStore or initVGPRUseInstInBlockIsVMEMStore.

The loop after this one is the one that propagates the values from the predecessors to every block and that must be done in reverse-post-order.

101

BitVector's operator[] returns a BitVector::reference and not a bool&. BitVector::reference encapsulates a reference to a single bit.

Maybe it's worth to explicitely state the type BitVector::reference LastUseIsVMEMStore = BlockVMEMStore[MBB->getNumber()];. I think that auto looks confusing.

For context, here's the code of BitVector::reference:

// Encapsulation of a single bit.
class reference {
  
  BitWord *WordRef;
  unsigned BitPos;
  
public:
  reference(BitVector &b, unsigned Idx) {
    WordRef = &b.Bits[Idx / BITWORD_SIZE];
    BitPos = Idx % BITWORD_SIZE;
  }
  
  reference() = delete;
  reference(const reference&) = default;
  
  reference &operator=(reference t) {
    *this = bool(t);
    return *this;
  }
  
  reference& operator=(bool t) {
    if (t)
      *WordRef |= BitWord(1) << BitPos;
    else
      *WordRef &= ~(BitWord(1) << BitPos);
    return *this;
  }
  
  operator bool() const {
    return ((*WordRef) & (BitWord(1) << BitPos)) != 0;
  }
};
102

Addressed in the previous comment, since it's not a reference it's not dead. But it surely looks confusing.

jmmartinez updated this revision to Diff 463789.Sep 29 2022, 1:17 AM
  • Be explicit about BitVector::reference
Harbormaster completed remote builds in B189336: Diff 463789.Sep 29 2022, 2:43 AM
jmmartinez marked 4 inline comments as done.Sep 30 2022, 12:54 AM
jmmartinez added inline comments.
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
102

Bad phrasing: reference->value : Since it's not a value , but a reference, it's not dead. But it surely looks confusing.

arsenm added inline comments.Sep 30 2022, 8:07 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
69

Maybe I'm confusing my iteration orders again, but I think you can get away with the one post_order (not reverse) loop if you're looking at successors

111

Can't you just inspect the bit vector if these are precomputed without the recursive call?

jmmartinez added inline comments.Oct 3 2022, 7:56 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
105

There is a bug in here: if BlockVMEMStore[MBB->getNumber()] was initialized to false because the last instruction referencing a vgpr instruction is not a store, and for one of the predecessors the last instruction referencing a vgpr is a store, we may override the false value with a true which is not correct.

jmmartinez updated this revision to Diff 464969.Oct 4 2022, 5:03 AM

Bring back the old algorithm structure but using bitvectors instead

jmmartinez marked an inline comment as done.Oct 4 2022, 5:07 AM
jmmartinez added inline comments.
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
69

I brought back the old algorithm with the recusrive call.

I tried several alternatives but I always found a case where the reverse post order missed propagating the values accordingly :S .

Harbormaster completed remote builds in B190178: Diff 464969.Oct 4 2022, 5:56 AM
jmmartinez updated this revision to Diff 467066.Oct 12 2022, 2:04 AM
  • Propagate the vgpr-is-vmem-store using depth-first-search
Harbormaster completed remote builds in B191683: Diff 467066.Oct 12 2022, 2:53 AM
jmmartinez marked 2 inline comments as done.Oct 18 2022, 12:28 AM

All remarks addressed.

jmmartinez added a comment.Oct 18 2022, 9:05 AM

@arsenm Could I ask you to take a look to the latest changes ?

arsenm accepted this revision.Oct 18 2022, 9:38 AM

LGTM with nit

llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
70–71

east const?

86

Passing a pre-filled set to visited is a bit weird, but I think this is OK

This revision is now accepted and ready to land.Oct 18 2022, 9:38 AM
jpages accepted this revision.Oct 18 2022, 9:42 AM

LGTM, thanks!

jmmartinez updated this revision to Diff 468804.Oct 19 2022, 1:00 AM

West to East const.

Harbormaster completed remote builds in B192926: Diff 468804.Oct 19 2022, 2:13 AM
Closed by commit rGbb24b2c610b4: [AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs… (authored by jmmartinez). · Explain WhyOct 19 2022, 2:43 AM
This revision was automatically updated to reflect the committed changes.
jmmartinez added a commit: rGbb24b2c610b4: [AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs….

Revision Contents

PathSize
llvm/
lib/
Target/
AMDGPU/
106 lines

Diff 468829

llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AMDGPU.h" #include "AMDGPU.h"
#include "AMDGPUSubtarget.h" #include "AMDGPUSubtarget.h"
#include "GCNSubtarget.h" #include "GCNSubtarget.h"
#include "MCTargetDesc/AMDGPUMCTargetDesc.h" #include "MCTargetDesc/AMDGPUMCTargetDesc.h"
#include "SIDefines.h" #include "SIDefines.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/CodeGen/MachineBasicBlock.h" #include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineOperand.h" #include "llvm/CodeGen/MachineOperand.h"
using namespace llvm; using namespace llvm;
#define DEBUG_TYPE "release-vgprs" #define DEBUG_TYPE "release-vgprs"
namespace { namespace {
class AMDGPUReleaseVGPRs : public MachineFunctionPass { class AMDGPUReleaseVGPRs : public MachineFunctionPass {
public: public:
static char ID; static char ID;
const SIInstrInfo *SII;
const SIRegisterInfo *TRI;
AMDGPUReleaseVGPRs() : MachineFunctionPass(ID) {} AMDGPUReleaseVGPRs() : MachineFunctionPass(ID) {}
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.setPreservesAll(); AU.setPreservesAll();
MachineFunctionPass::getAnalysisUsage(AU); MachineFunctionPass::getAnalysisUsage(AU);
} }
// Used to cache the result of isLastInstructionVMEMStore for each block // Track if the last instruction referencing a vgpr in a MBB is a VMEM
arsenmUnsubmitted
Done
ReplyInline Actions

If you're going to resize to the number of blocks, do you really need to use a DenseMap at all? You could use a bit vector indexed by the block number

arsenm: If you're going to resize to the number of blocks, do you really need to use a DenseMap at all?
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

It doesn't map direclty into a bit-vector since there are 3 states considered (has-a-vmem-store, does-not-have-vmem-store and not-yet-computed).

What do you think about a SmallVector<VMEMStore> with an enum class UsesVMEMStoreTy { UsesVMEMStore, DoesNotUseVMEMStore, NotYetComputed } ?

jmmartinez: It doesn't map direclty into a bit-vector since there are 3 states considered (has-a-vmem-store…
arsenmUnsubmitted
Done
ReplyInline Actions

Can you avoid the NotYetComputed case if you do this in RPO

arsenm: Can you avoid the NotYetComputed case if you do this in RPO
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

Way better! Thanks! I changed it to use a BitVector, but also I've encapsulated everything in a small class. The associated object is passed as a parameter to runOnMachineBasicBlock (instead of using a member variable).

jmmartinez: Way better! Thanks! I changed it to use a `BitVector`, but also I've encapsulated everything in…
using BlockVMEMStoreType = DenseMap<MachineBasicBlock *, bool>; // store. Because this pass is late in the pipeline, it is expected that the
BlockVMEMStoreType BlockVMEMStore;
// Return true if the last instruction referencing a vgpr in this MBB
// is a VMEM store, otherwise return false.
// Visit previous basic blocks to find this last instruction if needed.
// Because this pass is late in the pipeline, it is expected that the
// last vgpr use will likely be one of vmem store, ds, exp. // last vgpr use will likely be one of vmem store, ds, exp.
// Loads and others vgpr operations would have been // Loads and others vgpr operations would have been
// deleted by this point, except for complex control flow involving loops. // deleted by this point, except for complex control flow involving loops.
// This is why we are just testing the type of instructions rather // This is why we are just testing the type of instructions rather
// than the operands. // than the operands.
bool isLastVGPRUseVMEMStore(MachineBasicBlock &MBB) { class LastVGPRUseIsVMEMStore {
// Use the cache to break infinite loop and save some time. Initialize to BitVector BlockVMEMStore;
// false in case we have a cycle.
BlockVMEMStoreType::iterator It;
bool Inserted;
std::tie(It, Inserted) = BlockVMEMStore.insert({&MBB, false});
bool &CacheEntry = It->second;
if (!Inserted)
return CacheEntry;
static Optional<bool> lastVGPRUseIsStore(const MachineBasicBlock &MBB) {
for (auto &MI : reverse(MBB.instrs())) { for (auto &MI : reverse(MBB.instrs())) {
// If it's a VMEM store, a vgpr will be used, return true. // If it's a VMEM store, a VGPR will be used, return true.
if ((SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI)) && MI.mayStore()) if ((SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI)) &&
return CacheEntry = true; MI.mayStore())
return true;
// If it's referencing a VGPR but is not a VMEM store, return false. // If it's referencing a VGPR but is not a VMEM store, return false.
if (SIInstrInfo::isDS(MI) || SIInstrInfo::isEXP(MI) || if (SIInstrInfo::isDS(MI) || SIInstrInfo::isEXP(MI) ||
SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI) || SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI) ||
SIInstrInfo::isVALU(MI)) SIInstrInfo::isVALU(MI))
return CacheEntry = false; return false;
}
// Wait until the values are propagated from the predecessors
return None;
} }
// Recursive call into parent blocks. Look into predecessors if there is no public:
// vgpr used in this block. LastVGPRUseIsVMEMStore(const MachineFunction &MF)
return CacheEntry = llvm::any_of(MBB.predecessors(), : BlockVMEMStore(MF.getNumBlockIDs()) {
[this](MachineBasicBlock *Parent) {
arsenmUnsubmitted
Done
ReplyInline Actions

I'd expect this to be the post_order loop

arsenm: I'd expect this to be the post_order loop
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

This loop sets the initialization value for each MachineBasicBlock. This loop does not take into account the predecessors/successors and it can be done in any order. Maybe the name lastBlockVGPRUseIsVMEMStore is misleading? Could be renamed to something such as lastVGPRUseInstInBlockIsVMEMStore or initVGPRUseInstInBlockIsVMEMStore.

The loop after this one is the one that propagates the values from the predecessors to every block and that must be done in reverse-post-order.

jmmartinez: This loop sets the initialization value for each `MachineBasicBlock`. This loop does not take…
arsenmUnsubmitted
Done
ReplyInline Actions

Maybe I'm confusing my iteration orders again, but I think you can get away with the one post_order (not reverse) loop if you're looking at successors

arsenm: Maybe I'm confusing my iteration orders again, but I think you can get away with the one…
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

I brought back the old algorithm with the recusrive call.

I tried several alternatives but I always found a case where the reverse post order missed propagating the values accordingly :S .

jmmartinez: I brought back the old algorithm with the recusrive call. I tried several alternatives but I…
return isLastVGPRUseVMEMStore(*Parent); df_iterator_default_set<const MachineBasicBlock *> Visited;
}); SmallVector<const MachineBasicBlock *> EndWithVMEMStoreBlocks;
arsenmUnsubmitted
Not Done
ReplyInline Actions

east const?

arsenm: east const?
for (const auto &MBB : MF) {
auto LastUseIsStore = lastVGPRUseIsStore(MBB);
if (!LastUseIsStore.has_value())
continue;
if (*LastUseIsStore) {
EndWithVMEMStoreBlocks.push_back(&MBB);
} else {
Visited.insert(&MBB);
}
} }
bool runOnMachineBasicBlock(MachineBasicBlock &MBB) { for (const auto *MBB : EndWithVMEMStoreBlocks) {
for (const auto *Succ : depth_first_ext(MBB, Visited)) {
arsenmUnsubmitted
Not Done
ReplyInline Actions

Passing a pre-filled set to visited is a bit weird, but I think this is OK

arsenm: Passing a pre-filled set to visited is a bit weird, but I think this is OK
BlockVMEMStore[Succ->getNumber()] = true;
}
}
}
// Return true if the last instruction referencing a vgpr in this MBB
// is a VMEM store, otherwise return false.
bool isLastVGPRUseVMEMStore(const MachineBasicBlock &MBB) const {
return BlockVMEMStore[MBB.getNumber()];
}
};
arsenmUnsubmitted
Done
ReplyInline Actions

You can just use MBB.getNumber

arsenm: You can just use MBB.getNumber
static bool
runOnMachineBasicBlock(MachineBasicBlock &MBB, const SIInstrInfo *SII,
const LastVGPRUseIsVMEMStore &BlockVMEMStore) {
arsenmUnsubmitted
Done
ReplyInline Actions

Just use bool?

arsenm: Just use bool?
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

BitVector's operator[] returns a BitVector::reference and not a bool&. BitVector::reference encapsulates a reference to a single bit.

Maybe it's worth to explicitely state the type BitVector::reference LastUseIsVMEMStore = BlockVMEMStore[MBB->getNumber()];. I think that auto looks confusing.

For context, here's the code of BitVector::reference:

// Encapsulation of a single bit.
class reference {
  
  BitWord *WordRef;
  unsigned BitPos;
  
public:
  reference(BitVector &b, unsigned Idx) {
    WordRef = &b.Bits[Idx / BITWORD_SIZE];
    BitPos = Idx % BITWORD_SIZE;
  }
  
  reference() = delete;
  reference(const reference&) = default;
  
  reference &operator=(reference t) {
    *this = bool(t);
    return *this;
  }
  
  reference& operator=(bool t) {
    if (t)
      *WordRef |= BitWord(1) << BitPos;
    else
      *WordRef &= ~(BitWord(1) << BitPos);
    return *this;
  }
  
  operator bool() const {
    return ((*WordRef) & (BitWord(1) << BitPos)) != 0;
  }
};
jmmartinez: BitVector's `operator[]` returns a `BitVector::reference` and not a `bool&`. `BitVector…
arsenmUnsubmitted
Not Done
ReplyInline Actions

This looks like a dead variable?

arsenm: This looks like a dead variable?
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

Addressed in the previous comment, since it's not a reference it's not dead. But it surely looks confusing.

jmmartinez: Addressed in the previous comment, since it's not a reference it's not dead. But it surely…
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

Bad phrasing: reference->value : Since it's not a value , but a reference, it's not dead. But it surely looks confusing.

jmmartinez: Bad phrasing: reference->value : Since it's not a //value //, but a reference, it's not dead.
bool Changed = false; bool Changed = false;
for (auto &MI : MBB.terminators()) { for (auto &MI : MBB.terminators()) {
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

There is a bug in here: if BlockVMEMStore[MBB->getNumber()] was initialized to false because the last instruction referencing a vgpr instruction is not a store, and for one of the predecessors the last instruction referencing a vgpr is a store, we may override the false value with a true which is not correct.

jmmartinez: There is a bug in here: if `BlockVMEMStore[MBB->getNumber()]` was initialized to false because…
// Look for S_ENDPGM instructions // Look for S_ENDPGM instructions
if (MI.getOpcode() == AMDGPU::S_ENDPGM || if (MI.getOpcode() == AMDGPU::S_ENDPGM ||
MI.getOpcode() == AMDGPU::S_ENDPGM_SAVED) { MI.getOpcode() == AMDGPU::S_ENDPGM_SAVED) {
// If the last instruction using a VGPR in the block is a VMEM store, // If the last instruction using a VGPR in the block is a VMEM store,
// release VGPRs. The VGPRs release will be placed just before ending // release VGPRs. The VGPRs release will be placed just before ending
// the program // the program
arsenmUnsubmitted
Done
ReplyInline Actions

Can't you just inspect the bit vector if these are precomputed without the recursive call?

arsenm: Can't you just inspect the bit vector if these are precomputed without the recursive call?
if (isLastVGPRUseVMEMStore(MBB)) { if (BlockVMEMStore.isLastVGPRUseVMEMStore(MBB)) {
BuildMI(MBB, MI, DebugLoc(), SII->get(AMDGPU::S_SENDMSG)) BuildMI(MBB, MI, DebugLoc(), SII->get(AMDGPU::S_SENDMSG))
.addImm(AMDGPU::SendMsg::ID_DEALLOC_VGPRS_GFX11Plus); .addImm(AMDGPU::SendMsg::ID_DEALLOC_VGPRS_GFX11Plus);
Changed = true; Changed = true;
} }
} }
} }
return Changed; return Changed;
} }
bool runOnMachineFunction(MachineFunction &MF) override { bool runOnMachineFunction(MachineFunction &MF) override {
Function &F = MF.getFunction(); Function &F = MF.getFunction();
if (skipFunction(F) || !AMDGPU::isEntryFunctionCC(F.getCallingConv())) if (skipFunction(F) || !AMDGPU::isEntryFunctionCC(F.getCallingConv()))
return false; return false;
// This pass only runs on GFX11+ // This pass only runs on GFX11+
const GCNSubtarget &ST = MF.getSubtarget<GCNSubtarget>(); const GCNSubtarget &ST = MF.getSubtarget<GCNSubtarget>();
if (ST.getGeneration() < AMDGPUSubtarget::GFX11) if (ST.getGeneration() < AMDGPUSubtarget::GFX11)
return false; return false;
LLVM_DEBUG(dbgs() << "AMDGPUReleaseVGPRs running on " << MF.getName() LLVM_DEBUG(dbgs() << "AMDGPUReleaseVGPRs running on " << MF.getName()
<< "\n"); << "\n");
SII = ST.getInstrInfo(); const SIInstrInfo *SII = ST.getInstrInfo();
TRI = ST.getRegisterInfo(); LastVGPRUseIsVMEMStore BlockVMEMStore(MF);
bool Changed = false; bool Changed = false;
arsenmUnsubmitted
Done
ReplyInline Actions

Capitalize We

arsenm: Capitalize We
for (auto &MBB : MF) { for (auto &MBB : MF) {
Changed |= runOnMachineBasicBlock(MBB); Changed |= runOnMachineBasicBlock(MBB, SII, BlockVMEMStore);
} }
BlockVMEMStore.clear();
return Changed; return Changed;
} }
}; };
} // namespace } // namespace
char AMDGPUReleaseVGPRs::ID = 0; char AMDGPUReleaseVGPRs::ID = 0;
char &llvm::AMDGPUReleaseVGPRsID = AMDGPUReleaseVGPRs::ID; char &llvm::AMDGPUReleaseVGPRsID = AMDGPUReleaseVGPRs::ID;
INITIALIZE_PASS(AMDGPUReleaseVGPRs, DEBUG_TYPE, "Release VGPRs", false, false) INITIALIZE_PASS(AMDGPUReleaseVGPRs, DEBUG_TYPE, "Release VGPRs", false, false)