This is an archive of the discontinued LLVM Phabricator instance.

Differential D134641

[AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs::isLastVGPRUseVMEMStore
ClosedPublic

Authored by jmmartinez on Sep 26 2022, 6:24 AM.

Details

Reviewers
foad
jpages
arsenm
Commits
rGbb24b2c610b4: [AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs…

Diff Detail

Unit TestsFailed

TimeTest
60,040 msx64 debian > MLIR.Examples/standalone::test.toy
120 msx64 debian > ORC-x86_64-linux.TestCases/Linux/x86-64::lljit-initialize-deinitialize.ll
180 msx64 debian > ORC-x86_64-linux.TestCases/Linux/x86-64::priority-static-initializer.S
150 msx64 debian > ORC-x86_64-linux.TestCases/Linux/x86-64::trivial-cxa-atexit.S

Event Timeline

jmmartinez created this revision.Sep 26 2022, 6:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 26 2022, 6:24 AM
Herald added subscribers: kosarev, foad, kerbowa and 9 others. · View Herald Transcript
jmmartinez requested review of this revision.Sep 26 2022, 6:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 26 2022, 6:24 AM
Herald added subscribers: llvm-commits, wdng. · View Herald Transcript
jmmartinez added a reviewer: foad.Sep 26 2022, 6:25 AM
jmmartinez added reviewers: jpages, arsenm.Sep 26 2022, 6:30 AM
arsenm added inline comments.Sep 26 2022, 6:51 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
43

If you're going to resize to the number of blocks, do you really need to use a DenseMap at all? You could use a bit vector indexed by the block number

125

Capitalize We

Harbormaster completed remote builds in B188692: Diff 462889.Sep 26 2022, 7:44 AM
jmmartinez added inline comments.Sep 26 2022, 8:19 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
43

It doesn't map direclty into a bit-vector since there are 3 states considered (has-a-vmem-store, does-not-have-vmem-store and not-yet-computed).

What do you think about a SmallVector<VMEMStore> with an enum class UsesVMEMStoreTy { UsesVMEMStore, DoesNotUseVMEMStore, NotYetComputed } ?

arsenm added inline comments.Sep 26 2022, 8:22 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
43

Can you avoid the NotYetComputed case if you do this in RPO

jmmartinez updated this revision to Diff 463151.Sep 27 2022, 1:51 AM
  • [NFC][AMDGPU][Backend] Make member varialbe a parameter
jmmartinez marked an inline comment as done.Sep 27 2022, 1:56 AM
jmmartinez added inline comments.
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
43

Way better! Thanks! I changed it to use a BitVector, but also I've encapsulated everything in a small class. The associated object is passed as a parameter to runOnMachineBasicBlock (instead of using a member variable).

Harbormaster completed remote builds in B188892: Diff 463151.Sep 27 2022, 4:03 AM
arsenm added inline comments.Sep 27 2022, 12:20 PM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
85

You can just use MBB.getNumber

jmmartinez updated this revision to Diff 463462.Sep 28 2022, 2:01 AM
  • Use MachineBasicBlock::getNumber instead of std::distance
Harbormaster completed remote builds in B189114: Diff 463462.Sep 28 2022, 2:51 AM
arsenm added inline comments.Sep 28 2022, 9:25 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
88

I'd expect this to be the post_order loop

89

Just use bool?

90

This looks like a dead variable?

jmmartinez added inline comments.Sep 29 2022, 12:33 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
88

This loop sets the initialization value for each MachineBasicBlock. This loop does not take into account the predecessors/successors and it can be done in any order. Maybe the name lastBlockVGPRUseIsVMEMStore is misleading? Could be renamed to something such as lastVGPRUseInstInBlockIsVMEMStore or initVGPRUseInstInBlockIsVMEMStore.

The loop after this one is the one that propagates the values from the predecessors to every block and that must be done in reverse-post-order.

89

BitVector's operator[] returns a BitVector::reference and not a bool&. BitVector::reference encapsulates a reference to a single bit.

Maybe it's worth to explicitely state the type BitVector::reference LastUseIsVMEMStore = BlockVMEMStore[MBB->getNumber()];. I think that auto looks confusing.

For context, here's the code of BitVector::reference:

// Encapsulation of a single bit.
class reference {
  
  BitWord *WordRef;
  unsigned BitPos;
  
public:
  reference(BitVector &b, unsigned Idx) {
    WordRef = &b.Bits[Idx / BITWORD_SIZE];
    BitPos = Idx % BITWORD_SIZE;
  }
  
  reference() = delete;
  reference(const reference&) = default;
  
  reference &operator=(reference t) {
    *this = bool(t);
    return *this;
  }
  
  reference& operator=(bool t) {
    if (t)
      *WordRef |= BitWord(1) << BitPos;
    else
      *WordRef &= ~(BitWord(1) << BitPos);
    return *this;
  }
  
  operator bool() const {
    return ((*WordRef) & (BitWord(1) << BitPos)) != 0;
  }
};
90

Addressed in the previous comment, since it's not a reference it's not dead. But it surely looks confusing.

jmmartinez updated this revision to Diff 463789.Sep 29 2022, 1:17 AM
  • Be explicit about BitVector::reference
Harbormaster completed remote builds in B189336: Diff 463789.Sep 29 2022, 2:43 AM
jmmartinez marked 4 inline comments as done.Sep 30 2022, 12:54 AM
jmmartinez added inline comments.
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
90

Bad phrasing: reference->value : Since it's not a value , but a reference, it's not dead. But it surely looks confusing.

arsenm added inline comments.Sep 30 2022, 8:07 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
88

Maybe I'm confusing my iteration orders again, but I think you can get away with the one post_order (not reverse) loop if you're looking at successors

99

Can't you just inspect the bit vector if these are precomputed without the recursive call?

jmmartinez added inline comments.Oct 3 2022, 7:56 AM
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
93

There is a bug in here: if BlockVMEMStore[MBB->getNumber()] was initialized to false because the last instruction referencing a vgpr instruction is not a store, and for one of the predecessors the last instruction referencing a vgpr is a store, we may override the false value with a true which is not correct.

jmmartinez updated this revision to Diff 464969.Oct 4 2022, 5:03 AM

Bring back the old algorithm structure but using bitvectors instead

jmmartinez marked an inline comment as done.Oct 4 2022, 5:07 AM
jmmartinez added inline comments.
llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
88

I brought back the old algorithm with the recusrive call.

I tried several alternatives but I always found a case where the reverse post order missed propagating the values accordingly :S .

Harbormaster completed remote builds in B190178: Diff 464969.Oct 4 2022, 5:56 AM
jmmartinez updated this revision to Diff 467066.Oct 12 2022, 2:04 AM
  • Propagate the vgpr-is-vmem-store using depth-first-search
Harbormaster completed remote builds in B191683: Diff 467066.Oct 12 2022, 2:53 AM
jmmartinez marked 2 inline comments as done.Oct 18 2022, 12:28 AM

All remarks addressed.

jmmartinez added a comment.Oct 18 2022, 9:05 AM

@arsenm Could I ask you to take a look to the latest changes ?

arsenm accepted this revision.Oct 18 2022, 9:38 AM

LGTM with nit

llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp
89–90

east const?

105

Passing a pre-filled set to visited is a bit weird, but I think this is OK

This revision is now accepted and ready to land.Oct 18 2022, 9:38 AM
jpages accepted this revision.Oct 18 2022, 9:42 AM

LGTM, thanks!

jmmartinez updated this revision to Diff 468804.Oct 19 2022, 1:00 AM

West to East const.

Harbormaster completed remote builds in B192926: Diff 468804.Oct 19 2022, 2:13 AM
Closed by commit rGbb24b2c610b4: [AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs… (authored by jmmartinez). · Explain WhyOct 19 2022, 2:43 AM
This revision was automatically updated to reflect the committed changes.
jmmartinez added a commit: rGbb24b2c610b4: [AMDGPU][Backend] Fix user-after-free in AMDGPUReleaseVGPRs….

Revision Contents

PathSize
llvm/
lib/
Target/
AMDGPU/
7 lines

Diff 462889

llvm/lib/Target/AMDGPU/AMDGPUReleaseVGPRs.cpp

Show All 34 Linespublic:
AMDGPUReleaseVGPRs() : MachineFunctionPass(ID) {} AMDGPUReleaseVGPRs() : MachineFunctionPass(ID) {}
void getAnalysisUsage(AnalysisUsage &AU) const override { void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.setPreservesAll(); AU.setPreservesAll();
MachineFunctionPass::getAnalysisUsage(AU); MachineFunctionPass::getAnalysisUsage(AU);
} }
// Used to cache the result of isLastInstructionVMEMStore for each block // Used to cache the result of isLastInstructionVMEMStore for each block
using BlockVMEMStoreType = DenseMap<MachineBasicBlock *, bool>; using BlockVMEMStoreType = DenseMap<MachineBasicBlock *, bool>;
arsenmUnsubmitted
Done
ReplyInline Actions

If you're going to resize to the number of blocks, do you really need to use a DenseMap at all? You could use a bit vector indexed by the block number

arsenm: If you're going to resize to the number of blocks, do you really need to use a DenseMap at all?
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

It doesn't map direclty into a bit-vector since there are 3 states considered (has-a-vmem-store, does-not-have-vmem-store and not-yet-computed).

What do you think about a SmallVector<VMEMStore> with an enum class UsesVMEMStoreTy { UsesVMEMStore, DoesNotUseVMEMStore, NotYetComputed } ?

jmmartinez: It doesn't map direclty into a bit-vector since there are 3 states considered (has-a-vmem-store…
arsenmUnsubmitted
Done
ReplyInline Actions

Can you avoid the NotYetComputed case if you do this in RPO

arsenm: Can you avoid the NotYetComputed case if you do this in RPO
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

Way better! Thanks! I changed it to use a BitVector, but also I've encapsulated everything in a small class. The associated object is passed as a parameter to runOnMachineBasicBlock (instead of using a member variable).

jmmartinez: Way better! Thanks! I changed it to use a `BitVector`, but also I've encapsulated everything in…
BlockVMEMStoreType BlockVMEMStore; BlockVMEMStoreType BlockVMEMStore;
// Return true if the last instruction referencing a vgpr in this MBB // Return true if the last instruction referencing a vgpr in this MBB
// is a VMEM store, otherwise return false. // is a VMEM store, otherwise return false.
// Visit previous basic blocks to find this last instruction if needed. // Visit previous basic blocks to find this last instruction if needed.
// Because this pass is late in the pipeline, it is expected that the // Because this pass is late in the pipeline, it is expected that the
// last vgpr use will likely be one of vmem store, ds, exp. // last vgpr use will likely be one of vmem store, ds, exp.
// Loads and others vgpr operations would have been // Loads and others vgpr operations would have been
// deleted by this point, except for complex control flow involving loops. // deleted by this point, except for complex control flow involving loops.
// This is why we are just testing the type of instructions rather // This is why we are just testing the type of instructions rather
// than the operands. // than the operands.
bool isLastVGPRUseVMEMStore(MachineBasicBlock &MBB) { bool isLastVGPRUseVMEMStore(MachineBasicBlock &MBB) {
// Use the cache to break infinite loop and save some time. Initialize to // Use the cache to break infinite loop and save some time. Initialize to
// false in case we have a cycle. // false in case we have a cycle.
BlockVMEMStoreType::iterator It; BlockVMEMStoreType::iterator It;
bool Inserted; bool Inserted;
std::tie(It, Inserted) = BlockVMEMStore.insert({&MBB, false}); std::tie(It, Inserted) = BlockVMEMStore.try_emplace(&MBB, false);
bool &CacheEntry = It->second; bool &CacheEntry = It->second;
if (!Inserted) if (!Inserted)
return CacheEntry; return CacheEntry;
for (auto &MI : reverse(MBB.instrs())) { for (auto &MI : reverse(MBB.instrs())) {
// If it's a VMEM store, a vgpr will be used, return true. // If it's a VMEM store, a vgpr will be used, return true.
if ((SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI)) && MI.mayStore()) if ((SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI)) && MI.mayStore())
return CacheEntry = true; return CacheEntry = true;
// If it's referencing a VGPR but is not a VMEM store, return false. // If it's referencing a VGPR but is not a VMEM store, return false.
if (SIInstrInfo::isDS(MI) || SIInstrInfo::isEXP(MI) || if (SIInstrInfo::isDS(MI) || SIInstrInfo::isEXP(MI) ||
SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI) || SIInstrInfo::isVMEM(MI) || SIInstrInfo::isFLAT(MI) ||
SIInstrInfo::isVALU(MI)) SIInstrInfo::isVALU(MI))
return CacheEntry = false; return CacheEntry = false;
} }
// Recursive call into parent blocks. Look into predecessors if there is no // Recursive call into parent blocks. Look into predecessors if there is no
// vgpr used in this block. // vgpr used in this block.
// The iterator is not invalidated by the recursive calls since we grew the
// dictionary to hold all the entries in advance
return CacheEntry = llvm::any_of(MBB.predecessors(), return CacheEntry = llvm::any_of(MBB.predecessors(),
[this](MachineBasicBlock *Parent) { [this](MachineBasicBlock *Parent) {
return isLastVGPRUseVMEMStore(*Parent); return isLastVGPRUseVMEMStore(*Parent);
}); });
} }
arsenmUnsubmitted
Done
ReplyInline Actions

You can just use MBB.getNumber

arsenm: You can just use MBB.getNumber
bool runOnMachineBasicBlock(MachineBasicBlock &MBB) { bool runOnMachineBasicBlock(MachineBasicBlock &MBB) {
arsenmUnsubmitted
Done
ReplyInline Actions

I'd expect this to be the post_order loop

arsenm: I'd expect this to be the post_order loop
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

This loop sets the initialization value for each MachineBasicBlock. This loop does not take into account the predecessors/successors and it can be done in any order. Maybe the name lastBlockVGPRUseIsVMEMStore is misleading? Could be renamed to something such as lastVGPRUseInstInBlockIsVMEMStore or initVGPRUseInstInBlockIsVMEMStore.

The loop after this one is the one that propagates the values from the predecessors to every block and that must be done in reverse-post-order.

jmmartinez: This loop sets the initialization value for each `MachineBasicBlock`. This loop does not take…
arsenmUnsubmitted
Done
ReplyInline Actions

Maybe I'm confusing my iteration orders again, but I think you can get away with the one post_order (not reverse) loop if you're looking at successors

arsenm: Maybe I'm confusing my iteration orders again, but I think you can get away with the one…
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

I brought back the old algorithm with the recusrive call.

I tried several alternatives but I always found a case where the reverse post order missed propagating the values accordingly :S .

jmmartinez: I brought back the old algorithm with the recusrive call. I tried several alternatives but I…
bool Changed = false; bool Changed = false;
arsenmUnsubmitted
Done
ReplyInline Actions

Just use bool?

arsenm: Just use bool?
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

BitVector's operator[] returns a BitVector::reference and not a bool&. BitVector::reference encapsulates a reference to a single bit.

Maybe it's worth to explicitely state the type BitVector::reference LastUseIsVMEMStore = BlockVMEMStore[MBB->getNumber()];. I think that auto looks confusing.

For context, here's the code of BitVector::reference:

// Encapsulation of a single bit.
class reference {
  
  BitWord *WordRef;
  unsigned BitPos;
  
public:
  reference(BitVector &b, unsigned Idx) {
    WordRef = &b.Bits[Idx / BITWORD_SIZE];
    BitPos = Idx % BITWORD_SIZE;
  }
  
  reference() = delete;
  reference(const reference&) = default;
  
  reference &operator=(reference t) {
    *this = bool(t);
    return *this;
  }
  
  reference& operator=(bool t) {
    if (t)
      *WordRef |= BitWord(1) << BitPos;
    else
      *WordRef &= ~(BitWord(1) << BitPos);
    return *this;
  }
  
  operator bool() const {
    return ((*WordRef) & (BitWord(1) << BitPos)) != 0;
  }
};
jmmartinez: BitVector's `operator[]` returns a `BitVector::reference` and not a `bool&`. `BitVector…
arsenmUnsubmitted
Not Done
ReplyInline Actions

This looks like a dead variable?

arsenm: This looks like a dead variable?
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

Addressed in the previous comment, since it's not a reference it's not dead. But it surely looks confusing.

jmmartinez: Addressed in the previous comment, since it's not a reference it's not dead. But it surely…
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

Bad phrasing: reference->value : Since it's not a value , but a reference, it's not dead. But it surely looks confusing.

jmmartinez: Bad phrasing: reference->value : Since it's not a //value //, but a reference, it's not dead.
arsenmUnsubmitted
Not Done
ReplyInline Actions

east const?

arsenm: east const?
for (auto &MI : MBB.terminators()) { for (auto &MI : MBB.terminators()) {
// Look for S_ENDPGM instructions // Look for S_ENDPGM instructions
if (MI.getOpcode() == AMDGPU::S_ENDPGM || if (MI.getOpcode() == AMDGPU::S_ENDPGM ||
jmmartinezAuthorUnsubmitted
Done
ReplyInline Actions

There is a bug in here: if BlockVMEMStore[MBB->getNumber()] was initialized to false because the last instruction referencing a vgpr instruction is not a store, and for one of the predecessors the last instruction referencing a vgpr is a store, we may override the false value with a true which is not correct.

jmmartinez: There is a bug in here: if `BlockVMEMStore[MBB->getNumber()]` was initialized to false because…
MI.getOpcode() == AMDGPU::S_ENDPGM_SAVED) { MI.getOpcode() == AMDGPU::S_ENDPGM_SAVED) {
// If the last instruction using a VGPR in the block is a VMEM store, // If the last instruction using a VGPR in the block is a VMEM store,
// release VGPRs. The VGPRs release will be placed just before ending // release VGPRs. The VGPRs release will be placed just before ending
// the program // the program
if (isLastVGPRUseVMEMStore(MBB)) { if (isLastVGPRUseVMEMStore(MBB)) {
BuildMI(MBB, MI, DebugLoc(), SII->get(AMDGPU::S_SENDMSG)) BuildMI(MBB, MI, DebugLoc(), SII->get(AMDGPU::S_SENDMSG))
arsenmUnsubmitted
Done
ReplyInline Actions

Can't you just inspect the bit vector if these are precomputed without the recursive call?

arsenm: Can't you just inspect the bit vector if these are precomputed without the recursive call?
.addImm(AMDGPU::SendMsg::ID_DEALLOC_VGPRS_GFX11Plus); .addImm(AMDGPU::SendMsg::ID_DEALLOC_VGPRS_GFX11Plus);
Changed = true; Changed = true;
} }
} }
} }
arsenmUnsubmitted
Not Done
ReplyInline Actions

Passing a pre-filled set to visited is a bit weird, but I think this is OK

arsenm: Passing a pre-filled set to visited is a bit weird, but I think this is OK
return Changed; return Changed;
} }
bool runOnMachineFunction(MachineFunction &MF) override { bool runOnMachineFunction(MachineFunction &MF) override {
Function &F = MF.getFunction(); Function &F = MF.getFunction();
if (skipFunction(F) || !AMDGPU::isEntryFunctionCC(F.getCallingConv())) if (skipFunction(F) || !AMDGPU::isEntryFunctionCC(F.getCallingConv()))
return false; return false;
// This pass only runs on GFX11+ // This pass only runs on GFX11+
const GCNSubtarget &ST = MF.getSubtarget<GCNSubtarget>(); const GCNSubtarget &ST = MF.getSubtarget<GCNSubtarget>();
if (ST.getGeneration() < AMDGPUSubtarget::GFX11) if (ST.getGeneration() < AMDGPUSubtarget::GFX11)
return false; return false;
LLVM_DEBUG(dbgs() << "AMDGPUReleaseVGPRs running on " << MF.getName() LLVM_DEBUG(dbgs() << "AMDGPUReleaseVGPRs running on " << MF.getName()
<< "\n"); << "\n");
SII = ST.getInstrInfo(); SII = ST.getInstrInfo();
TRI = ST.getRegisterInfo(); TRI = ST.getRegisterInfo();
// we grow BlockVMEMStore to prevent the invalidation of its iterators
arsenmUnsubmitted
Done
ReplyInline Actions

Capitalize We

arsenm: Capitalize We
BlockVMEMStore.grow(MF.size());
bool Changed = false; bool Changed = false;
for (auto &MBB : MF) { for (auto &MBB : MF) {
Changed |= runOnMachineBasicBlock(MBB); Changed |= runOnMachineBasicBlock(MBB);
} }
BlockVMEMStore.clear(); BlockVMEMStore.clear();
return Changed; return Changed;
Show All 10 Lines