This is an archive of the discontinued LLVM Phabricator instance.

Differential D136639

[CodeGen][ObjC] Fix a memory leak that occurs when a non-trivial C struct property is set using dot notation
ClosedPublic

Authored by ahatanak on Oct 24 2022, 2:29 PM.

Details

Reviewers
rjmccall
Commits
rGea0cd51a4958: [CodeGen][ObjC] Fix a memory leak that occurs when a non-trivial C
Summary

Make sure the destructor is called if needed.

Diff Detail

Event Timeline

ahatanak created this revision.Oct 24 2022, 2:29 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 24 2022, 2:29 PM
ahatanak requested review of this revision.Oct 24 2022, 2:29 PM
Harbormaster completed remote builds in B194033: Diff 470286.Oct 24 2022, 4:40 PM
rjmccall added inline comments.Oct 25 2022, 12:07 PM
clang/test/CodeGenObjC/nontrivial-c-struct-property.m
89

It looks like we're copying a into a temporary and then copying out of that temporary into the argument slot. I don't see any reason the extra copy is required.

Also, aren't non-trivial structs consumed as arguments? If so, this would be an over-release.

ahatanak added inline comments.Dec 16 2022, 6:50 PM
clang/test/CodeGenObjC/nontrivial-c-struct-property.m
89

It isn't an over-release because, if the receiver isn't nil, temporary AGG_TMP is destructed in the callee and, if the receiver isn't nil, the temporary is destructed in the caller (by the call to @__destructor_8_s0(ptr %[[AGG_TMP]])).

As you pointed out, the copy isn't needed if the result of the assignment isn't used.

rjmccall added inline comments.Dec 16 2022, 11:05 PM
clang/test/CodeGenObjC/nontrivial-c-struct-property.m
89

Oh, is this second destructor call in conditionally-executed code? Can we test for that, at least?

ahatanak updated this revision to Diff 483973.Dec 19 2022, 8:15 AM
ahatanak marked an inline comment as done.

Check that the destructor is called conditionally.

ahatanak added inline comments.Dec 19 2022, 8:24 AM
clang/test/CodeGenObjC/nontrivial-c-struct-property.m
89

The first copy constructor call is emitted when emitPseudoObjectExpr evaluates the OpaqueValueExpr that is the result expression. The second copy constructor call is emitted to copy the argument *a to the argument temporary.

Since the result expression isn't used in this case, there isn't any reason to emit the first copy constructor call. If Sema marks the OpaqueValueExpr for the result expression as unique when the result is unused, CodeGen avoids emitting the first copy constructor.

Harbormaster completed remote builds in B203926: Diff 483973.Dec 19 2022, 10:00 AM
rjmccall accepted this revision.Dec 19 2022, 9:37 PM

Oh, I see. That's a really unfortunate way to end up emitting this code pattern, since ignoring the result is so common. To fix that, we'd have to either figure out the result was unused in Sema or do a relatively complex analysis in IRGen, though.

Anyway, not something we have to do in this patch. LGTM.

We should reconsider the rules we use for temporary destruction one of these days, though. The current pattern is very error-prone, especially in the presence of exceptions.

This revision is now accepted and ready to land.Dec 19 2022, 9:37 PM
ahatanak added a comment.Jan 5 2023, 7:46 PM
In D136639#4006953, @rjmccall wrote:

Oh, I see. That's a really unfortunate way to end up emitting this code pattern, since ignoring the result is so common. To fix that, we'd have to either figure out the result was unused in Sema or do a relatively complex analysis in IRGen, though.

DiagnoseUnusedExprResult diagnoses unused expressions in Sema, so we can modify the PseudoObjectExprs when it's called.

This revision was landed with ongoing or failed builds.Jan 5 2023, 8:03 PM
Closed by commit rGea0cd51a4958: [CodeGen][ObjC] Fix a memory leak that occurs when a non-trivial C (authored by ahatanak). · Explain Why
This revision was automatically updated to reflect the committed changes.
ahatanak added a commit: rGea0cd51a4958: [CodeGen][ObjC] Fix a memory leak that occurs when a non-trivial C.

Revision Contents

PathSize
clang/
lib/
CodeGen/
11 lines
test/
CodeGenObjC/
36 lines

Diff 486745

clang/lib/CodeGen/CGExprAgg.cpp

Show First 20 LinesShow All 195 Lines▼ Show 20 Linespublic:
void VisitOpaqueValueExpr(OpaqueValueExpr *E); void VisitOpaqueValueExpr(OpaqueValueExpr *E);
void VisitPseudoObjectExpr(PseudoObjectExpr *E) { void VisitPseudoObjectExpr(PseudoObjectExpr *E) {
if (E->isGLValue()) { if (E->isGLValue()) {
LValue LV = CGF.EmitPseudoObjectLValue(E); LValue LV = CGF.EmitPseudoObjectLValue(E);
return EmitFinalDestCopy(E->getType(), LV); return EmitFinalDestCopy(E->getType(), LV);
} }
CGF.EmitPseudoObjectRValue(E, EnsureSlot(E->getType())); AggValueSlot Slot = EnsureSlot(E->getType());
bool NeedsDestruction =
!Slot.isExternallyDestructed() &&
E->getType().isDestructedType() == QualType::DK_nontrivial_c_struct;
if (NeedsDestruction)
Slot.setExternallyDestructed();
CGF.EmitPseudoObjectRValue(E, Slot);
if (NeedsDestruction)
CGF.pushDestroy(QualType::DK_nontrivial_c_struct, Slot.getAddress(),
E->getType());
} }
void VisitVAArgExpr(VAArgExpr *E); void VisitVAArgExpr(VAArgExpr *E);
void EmitInitializationToLValue(Expr *E, LValue Address); void EmitInitializationToLValue(Expr *E, LValue Address);
void EmitNullInitializationToLValue(LValue Address); void EmitNullInitializationToLValue(LValue Address);
// case Expr::ChooseExprClass: // case Expr::ChooseExprClass:
void VisitCXXThrowExpr(const CXXThrowExpr *E) { CGF.EmitCXXThrowExpr(E); } void VisitCXXThrowExpr(const CXXThrowExpr *E) { CGF.EmitCXXThrowExpr(E); }
▲ Show 20 LinesShow All 1,968 LinesShow Last 20 Lines

clang/test/CodeGenObjC/nontrivial-c-struct-property.m

Show First 20 LinesShow All 62 Lines▼ Show 20 Lines
// CHECK: call void @objc_copyCppObjectAtomic({{.*}}, {{.*}}, ptr noundef @__copy_constructor_8_8_s0) // CHECK: call void @objc_copyCppObjectAtomic({{.*}}, {{.*}}, ptr noundef @__copy_constructor_8_8_s0)
// CHECK-NOT: call // CHECK-NOT: call
// CHECK: ret i64 // CHECK: ret i64
// CHECK-LABEL: define internal void @"\01-[C setAtomic0:]"( // CHECK-LABEL: define internal void @"\01-[C setAtomic0:]"(
// CHECK: call void @objc_copyCppObjectAtomic({{.*}}, {{.*}}, ptr noundef @__move_assignment_8_8_s0) // CHECK: call void @objc_copyCppObjectAtomic({{.*}}, {{.*}}, ptr noundef @__move_assignment_8_8_s0)
// CHECK-NOT: call // CHECK-NOT: call
// CHECK: ret void // CHECK: ret void
// CHECK: define void @test0(ptr noundef %[[C:.*]], ptr noundef %[[A:.*]])
// CHECK: %[[C_ADDR:.*]] = alloca ptr, align 8
// CHECK: %[[A_ADDR:.*]] = alloca ptr, align 8
// CHECK: %[[AGG_TMP_ENSURED:.*]] = alloca %[[STRUCT_S0]], align 8
// CHECK: %[[AGG_TMP:.*]] = alloca %[[STRUCT_S0]], align 8
// CHECK: store ptr null, ptr %[[C_ADDR]], align 8
// CHECK: call void @llvm.objc.storeStrong(ptr %[[C_ADDR]], ptr %[[C]])
// CHECK: store ptr %[[A]], ptr %[[A_ADDR]], align 8
// CHECK: %[[V0:.*]] = load ptr, ptr %[[A_ADDR]], align 8
// CHECK: call void @__copy_constructor_8_8_s0(ptr %[[AGG_TMP_ENSURED]], ptr %[[V0]])
// CHECK: %[[V1:.*]] = load ptr, ptr %[[C_ADDR]], align 8
// CHECK: call void @__copy_constructor_8_8_s0(ptr %[[AGG_TMP]], ptr %[[AGG_TMP_ENSURED]])
// CHECK: %[[V2:.*]] = icmp eq ptr %[[V1]], null
// CHECK: br i1 %[[V2]], label %[[MSGSEND_NULL:.*]], label %[[MSGSEND_CALL:.*]]
// CHECK: [[MSGSEND_CALL]]:
// CHECK: %[[V3:.*]] = load ptr, ptr @OBJC_SELECTOR_REFERENCES_, align 8
// CHECK: %[[COERCE_DIVE:.*]] = getelementptr inbounds %[[STRUCT_S0]], ptr %[[AGG_TMP]], i32 0, i32 0
rjmccallUnsubmitted
Not Done
ReplyInline Actions

It looks like we're copying a into a temporary and then copying out of that temporary into the argument slot. I don't see any reason the extra copy is required.

Also, aren't non-trivial structs consumed as arguments? If so, this would be an over-release.

rjmccall: It looks like we're copying `a` into a temporary and then copying out of that temporary into…
ahatanakAuthorUnsubmitted
Done
ReplyInline Actions

It isn't an over-release because, if the receiver isn't nil, temporary AGG_TMP is destructed in the callee and, if the receiver isn't nil, the temporary is destructed in the caller (by the call to @__destructor_8_s0(ptr %[[AGG_TMP]])).

As you pointed out, the copy isn't needed if the result of the assignment isn't used.

ahatanak: It isn't an over-release because, if the receiver isn't nil, temporary `AGG_TMP` is destructed…
rjmccallUnsubmitted
Done
ReplyInline Actions

Oh, is this second destructor call in conditionally-executed code? Can we test for that, at least?

rjmccall: Oh, is this second destructor call in conditionally-executed code? Can we test for that, at…
ahatanakAuthorUnsubmitted
Done
ReplyInline Actions

The first copy constructor call is emitted when emitPseudoObjectExpr evaluates the OpaqueValueExpr that is the result expression. The second copy constructor call is emitted to copy the argument *a to the argument temporary.

Since the result expression isn't used in this case, there isn't any reason to emit the first copy constructor call. If Sema marks the OpaqueValueExpr for the result expression as unique when the result is unused, CodeGen avoids emitting the first copy constructor.

ahatanak: The first copy constructor call is emitted when `emitPseudoObjectExpr` evaluates the…
// CHECK: %[[V4:.*]] = load ptr, ptr %[[COERCE_DIVE]], align 8
// CHECK: %[[COERCE_VAL_PI:.*]] = ptrtoint ptr %[[V4]] to i64
// CHECK: call void @objc_msgSend(ptr noundef %[[V1]], ptr noundef %[[V3]], i64 %[[COERCE_VAL_PI]])
// CHECK: br label %[[MSGSEND_CONT:.*]]
// CHECK: [[MSGSEND_NULL]]:
// CHECK: call void @__destructor_8_s0(ptr %[[AGG_TMP]])
// CHECK: br label %[[MSGSEND_CONT]]
// CHECK: [[MSGSEND_CONT]]:
// CHECK: call void @__destructor_8_s0(ptr %[[AGG_TMP_ENSURED]]
// CHECK: call void @llvm.objc.storeStrong(ptr %[[C_ADDR]], ptr null)
// CHECK: ret void
void test0(C *c, S0 *a) {
c.atomic0 = *a;
}