In D136765#4076621, @AdvenamTacet wrote:

I see that the revision is accepted, but based on the inline commit, I updated static_assert.
Now TEST_ALIGNOF is used instead of two cases with #if.

I do not have commiter permissions.

LGTM % nit means that it looks good when the remaining comments are addressed, which are usually just small changes where one can't do much wrong. Are the Name and E-Mail in the commit correct?

LGTM % nit means that it looks good when the remaining comments are addressed, which are usually just small changes where one can't do much wrong

Thank you for explaining. I realized that it means LGTM modulo something, but I wasn't sure if I should fix it or not.

Are the Name and E-Mail in the commit correct?

I don't see those fields here, but I believe so. locally it's correct (Advenam Tacet <advenam.tacet@trailofbits.com>) in git commit and I used arc to send it.

Extending the check to non-standard allocators, appears to cause a false positive during copy-assignment of a vector with custom allocator in V8, see https://crbug.com/1410719#c6

In D136765#4085406, @hans wrote:

Extending the check to non-standard allocators, appears to cause a false positive during copy-assignment of a vector with custom allocator in V8, see https://crbug.com/1410719#c6

Filed as https://github.com/llvm/llvm-project/issues/60384 with a stand-alone reproducer. I'll revert this until it can be fixed.

This revision passed automatic tests. To confirm that it's working, I used those changes to compile a bunch of random harnesses (~45) from Chromium and I'm fuzzing using them right now. Everything works.
The problem with false positives was caused by incorrect use/missing use of __annotate_delete() and should be fixed with that revision. Just the fix to that problem was suggested in D144155 but moved here, look there for details.

I believe the patch is ready to be merged again. Please, let me know if there is anything else to do.

To make sure that after changes this diff still works as intended, I again compiled a bunch of Chromium harnesses and I don't get any false positives during fuzzing.
I believe, the patch is ready for upstream.

I'm afraid we did hit an issue with this in Chromium, but I think it points to a more fundamental problem with these annotations rather than this patch.

The issue is that we have some code using an arena allocator to allocate a bunch of objects, including vectors and their backing memory. Then instead of tracking the lifetimes of those objects, the arena is cleared, and the memory recycled for next time. That means the vector destructors don't run, so some memory is left in the arena with container annotations, causing errors when it's reused.

I've created a reproducer at https://bugs.chromium.org/p/chromium/issues/detail?id=1419798#c5

This could have happened before this patch too, if the user overloaded the global operator new and delete for example.

The question is what to do about it. I don't think there's an easy way for the allocator to remove the container annotations when recycling the memory?

In D136765#4155262, @hans wrote:

I'm afraid we did hit an issue with this in Chromium, but I think it points to a more fundamental problem with these annotations rather than this patch.

The issue is that we have some code using an arena allocator to allocate a bunch of objects, including vectors and their backing memory. Then instead of tracking the lifetimes of those objects, the arena is cleared, and the memory recycled for next time. That means the vector destructors don't run, so some memory is left in the arena with container annotations, causing errors when it's reused.

I've created a reproducer at https://bugs.chromium.org/p/chromium/issues/detail?id=1419798#c5

This could have happened before this patch too, if the user overloaded the global operator new and delete for example.

The question is what to do about it. I don't think there's an easy way for the allocator to remove the container annotations when recycling the memory?

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

In D136765#4155285, @philnik wrote:

In D136765#4155262, @hans wrote:

I'm afraid we did hit an issue with this in Chromium, but I think it points to a more fundamental problem with these annotations rather than this patch.

The issue is that we have some code using an arena allocator to allocate a bunch of objects, including vectors and their backing memory. Then instead of tracking the lifetimes of those objects, the arena is cleared, and the memory recycled for next time. That means the vector destructors don't run, so some memory is left in the arena with container annotations, causing errors when it's reused.

I've created a reproducer at https://bugs.chromium.org/p/chromium/issues/detail?id=1419798#c5

This could have happened before this patch too, if the user overloaded the global operator new and delete for example.

The question is what to do about it. I don't think there's an easy way for the allocator to remove the container annotations when recycling the memory?

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

@hans If Chromium knowingly drops destructors, can you just upoison the entire range there, by arena allocator?

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

I'm not sure it is UB actually. (At least not the part that recycles the vector storage memory.) In any case it's not an unreasonable pattern; for example Clang does the same for its AST with ASTContext::Allocator -- the AST nodes' destructors never run, and one could imagine a scenario where the memory is re-used.

@hans If Chromium knowingly drops destructors, can you just upoison the entire range there, by arena allocator?

Yes, I think that would work for us. (You mean just with __asan_unpoison_memory_region right?)
I'll give it a try tomorrow.

In D136765#4156486, @hans wrote:

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

I'm not sure it is UB actually. (At least not the part that recycles the vector storage memory.) In any case it's not an unreasonable pattern; for example Clang does the same for its AST with ASTContext::Allocator -- the AST nodes' destructors never run, and one could imagine a scenario where the memory is re-used.

Since you never run the destructor the object is still within it's lifetime, i.e. you create multiple objects within the same memory region, which is UB. I agree that it's not that crazy of a thing to do, just like comparing unrelated pointers is. Still, both are UB and are reasonable to be detected by a tool that is there to find UB. Maybe there should be a standards-blessed mechanism to destroy all objects within a region of memory, but we don't have that.

@hans If Chromium knowingly drops destructors, can you just upoison the entire range there, by arena allocator?

Yes, I think that would work for us. (You mean just with __asan_unpoison_memory_region right?)
I'll give it a try tomorrow.

I wasn't aware that there exists a magic way to remove any annotations within a region, interesting.

In D136765#4156486, @hans wrote:

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

I'm not sure it is UB actually. (At least not the part that recycles the vector storage memory.) In any case it's not an unreasonable pattern; for example Clang does the same for its AST with ASTContext::Allocator -- the AST nodes' destructors never run, and one could imagine a scenario where the memory is re-used.

@hans If Chromium knowingly drops destructors, can you just upoison the entire range there, by arena allocator?

Yes, I think that would work for us. (You mean just with __asan_unpoison_memory_region right?)
I'll give it a try tomorrow.

In D136765#4158559, @philnik wrote:

In D136765#4156486, @hans wrote:

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

I'm not sure it is UB actually. (At least not the part that recycles the vector storage memory.) In any case it's not an unreasonable pattern; for example Clang does the same for its AST with ASTContext::Allocator -- the AST nodes' destructors never run, and one could imagine a scenario where the memory is re-used.

Since you never run the destructor the object is still within it's lifetime, i.e. you create multiple objects within the same memory region, which is UB. I agree that it's not that crazy of a thing to do, just like comparing unrelated pointers is. Still, both are UB and are reasonable to be detected by a tool that is there to find UB. Maybe there should be a standards-blessed mechanism to destroy all objects within a region of memory, but we don't have that.

@hans If Chromium knowingly drops destructors, can you just upoison the entire range there, by arena allocator?

Yes, I think that would work for us. (You mean just with __asan_unpoison_memory_region right?)
I'll give it a try tomorrow.

I wasn't aware that there exists a magic way to remove any annotations within a region, interesting.

In D136765#4158559, @philnik wrote:

In D136765#4156486, @hans wrote:

I think it's pretty clear that what you are doing is UB, so IMO we want to catch this generally. I don't think there is an easy way to unpoison the memory other than running the destructors. We could add an escape hatch through the allocator traits, but that would of course mean that you don't get the additional coverage for that allocator.

I'm not sure it is UB actually. (At least not the part that recycles the vector storage memory.) In any case it's not an unreasonable pattern; for example Clang does the same for its AST with ASTContext::Allocator -- the AST nodes' destructors never run, and one could imagine a scenario where the memory is re-used.

Since you never run the destructor the object is still within it's lifetime, i.e. you create multiple objects within the same memory region, which is UB. I agree that it's not that crazy of a thing to do, just like comparing unrelated pointers is. Still, both are UB and are reasonable to be detected by a tool that is there to find UB. Maybe there should be a standards-blessed mechanism to destroy all objects within a region of memory, but we don't have that.

@hans If Chromium knowingly drops destructors, can you just upoison the entire range there, by arena allocator?

Yes, I think that would work for us. (You mean just with __asan_unpoison_memory_region right?)
I'll give it a try tomorrow.

I wasn't aware that there exists a magic way to remove any annotations within a region, interesting.

You should be able to achieve the same with sanitizer_annotate_contiguous_container() using special set of arguments.
something like sanitizer_annotate_contiguous_container(alloc_begin, alloc_end, alloc_begin, alloc_end)
libc++ should use the __sanitizer_ api so we can support other sanitizers, e.g. HWASAN, or even MTE.

@hans For arena __sanitizer_annotate_contiguous_container looks like weird but probably better option for the same reason. But having ifdef per sanitizers seems fine as well.

We've hit another issue after this in Chromium: http://crbug.com/1420967. Also, Google internal testing hit a similar issue in MySQL. That means at least three false positives after this patch. At the same time this patch has revealed zero real issues in our code.

I understand the desire to make the behavior with custom allocators match that of standard allocators, but perhaps these stats indicate that the new behavior is doing more harm than good? As opposed to standard allocators, it seems that with custom allocators, it's common to have accesses to the memory that fall outside the container range.

I think we should consider backing this out, and leaving the container annotations to the standard allocators only.

In D136765#4171295, @hans wrote:

We've hit another issue after this in Chromium: http://crbug.com/1420967. Also, Google internal testing hit a similar issue in MySQL. That means at least three false positives after this patch. At the same time this patch has revealed zero real issues in our code.

I understand the desire to make the behavior with custom allocators match that of standard allocators, but perhaps these stats indicate that the new behavior is doing more harm than good? As opposed to standard allocators, it seems that with custom allocators, it's common to have accesses to the memory that fall outside the container range.

I think we should consider backing this out, and leaving the container annotations to the standard allocators only.

3 issues doesn't seem like a lot of data to build on. I don't think that these should be described as "not real issues", since they are clearly UB, which is something ASan is supposed to flag. I guess these are three different custom allocators that try to access allocated memory for some reason? I'd be fine with an opt-out mechanism for these allocators, but I think we should enable poisoning by default. e.g. for the wink-out mechanism it makes sense to poison the memory and when winking-out the objects un-poison everything. This allows ASan to still detect any overflow issues and having (most of) the performance benefit. There are also super simple allocators out there for logging etc. which would benefit from this kind of poisoning.

In D136765#4171473, @philnik wrote:

In D136765#4171295, @hans wrote:

We've hit another issue after this in Chromium: http://crbug.com/1420967. Also, Google internal testing hit a similar issue in MySQL. That means at least three false positives after this patch. At the same time this patch has revealed zero real issues in our code.

I understand the desire to make the behavior with custom allocators match that of standard allocators, but perhaps these stats indicate that the new behavior is doing more harm than good? As opposed to standard allocators, it seems that with custom allocators, it's common to have accesses to the memory that fall outside the container range.

I think we should consider backing this out, and leaving the container annotations to the standard allocators only.

3 issues doesn't seem like a lot of data to build on.

Combined with the fact that we've run tests for hundreds of millions of lines of code and found zero real issues, I think it's a good indication.

I don't think that these should be described as "not real issues", since they are clearly UB, which is something ASan is supposed to flag.

I don't think the UB situation is that clear. If an allocator has allocated a chunk of ints, it's perfectly well defined behavior for that allocator or other code to access the whole chunk, even if parts of it is being used by a vector.

Another indication that these are not real issues is that the fix for all of them is to remove the container annotations.

One way to think about the situation is that with the standard allocator, these annotations work because the std::vector is in practice in complete control of the memory. With custom allocators that's no longer true, since the standard doesn't say what those allocators might do, and then these checks become much less precise.

I guess these are three different custom allocators that try to access allocated memory for some reason? I'd be fine with an opt-out mechanism for these allocators, but I think we should enable poisoning by default. e.g. for the wink-out mechanism it makes sense to poison the memory and when winking-out the objects un-poison everything. This allows ASan to still detect any overflow issues and having (most of) the performance benefit. There are also super simple allocators out there for logging etc. which would benefit from this kind of poisoning.

I can also see the theoretical benefit of this, and part of me likes it, but with the issues that are showing up, I'm just not sure it works out in practice. Perhaps it should be opt-in instead?

FYI this is causing (yet another) bug on Chrome/Chrome OS: https://crbug.com/1422033

The question is what to do about it. I don't think there's an easy way for the allocator to remove the container annotations when recycling the memory?

Depends on your implementation, but you can easily unpoison memory (there are macros for it in the ASan API, but it should be possible to also use interface functions (not recommended)), or turn off instrumentation in a function accessing poisoned area. At the same time, I'm happy to implement an easy way to turn off annotations for specific allocators. Below details.

1. Unpoisoning:
   • The best option may be using macros for manual poisoning, as described in sanitizers wiki, but I never used them, so I'm not sure.
   • @vitalybuka I think __sanitizer_annotate_contiguous_container cannot be used here, as the function checks state of shadow memory, it's a pain to work with and I would be happy to remove those checks, if you agree.

2. It's possible to access memory without checks by turning off instrumentation with __attribute__((__no_sanitize__("address"))).

we've run tests for hundreds of millions of lines of code and found zero real issues

with the issues that are showing up, I'm just not sure it works out in practice. Perhaps it should be opt-in instead?

I strongly believe, it shouldn't be opt-in. We would have to educate everyone about that possibility and they would have to maintain list of allocators. With opt-out, one may just react to visible errors. Also, if in "hundreds of millions of lines" only 3 allocators are problematic, turning off annotations for them (or unpoisoning memory in them) seems like a small effort compared to a potential benefit of finding a security bug early. I understand that you didn't find anything yet, but it's same logic as for default allocator, and implementations with custom allocators may have bugs as well.

If @philnik thinks that opt-out is ok, I'm happy to add something like:

template<class A>
struct libcxx_asan_allocator_annotate {
    const bool value = true;
}

and in vectors member function __annotate_contiguous_container add to the check && libcxx_asan_allocator_annotate<_Allocator>::value.

• @philnik what file would be best for that class definition? Probably std::basic_string and std::deque should have access to it as well.
• @hans do you have a minimal failing example? Would be good to add unit test and make sure that it solves problems you observe.

At the same time, if simply unpoisoning memory works for you, it is probably a better choice as that change increases chance of detecting bugs.

@ayzhao I'm not sure what exactly is happening in your case, but there is a write to memory.

Strangely enough, calling __asan_unpoison_memory_region(...) in deallocate(...) doesn't resolve this...

Is it the first thing you do in deallocator? Are you unpoisoning whole memory for sure?

I'm guessing the reason is because std::vector calls __annotate_delete() before deallocate()

It should leave memory poisoned in the very same way as before a constructor. Why do you think it's the reason?

Regarding the Standard terms, accessing destructed, but not released memory is well defined in basic.life#6 (in some limited ways, but exactly sufficient for the allocator needs):

after the lifetime of an object has ended and before the storage which the object occupied is reused or released, any pointer that represents the address of the storage location where the object will be or was located may be used but only in limited ways. ... such a pointer refers to allocated storage ([basic.stc.dynamic.allocation]), and using the pointer as if the pointer were of type void* is well-defined. Indirection through such a pointer is permitted...

Since you never run the destructor the object is still within it's lifetime, i.e. you create multiple objects within the same memory region, which is UB.

Even that may (suprisingly) be well-defined (as the paragraph above mentions):

A program may end the lifetime of an object of class type without invoking the destructor, by reusing or releasing the storage as described above.

In D136765#4173661, @ayzhao wrote:

FYI this is causing (yet another) bug on Chrome/Chrome OS: https://crbug.com/1422033

We've root caused this to ChromeOS using a toolchain based on llvmorg-16-init-6711-g11897708c022, which is before the ASan runtime gained support for unaligned container memory in llvmorg-16-init-9006-gdd1b7b797a11, which this patch depends on. (https://crbug.com/1422033#c11 has a reproducer).

I see that the patch is already trying to handle this with the #if _LIBCPP_CLANG_VER >= 1600 check. However, that doesn't quite work since there were many revisions with that version number before the ASan change.

Should it be checking _LIBCPP_CLANG_VER >= 1700 instead, or is there some more precise way to handle this? (Does the ASan runtime have some way to check if it supports this for example?)

In D136765#4178089, @hans wrote:

In D136765#4173661, @ayzhao wrote:

FYI this is causing (yet another) bug on Chrome/Chrome OS: https://crbug.com/1422033

We've root caused this to ChromeOS using a toolchain based on llvmorg-16-init-6711-g11897708c022, which is before the ASan runtime gained support for unaligned container memory in llvmorg-16-init-9006-gdd1b7b797a11, which this patch depends on. (https://crbug.com/1422033#c11 has a reproducer).

I see that the patch is already trying to handle this with the #if _LIBCPP_CLANG_VER >= 1600 check. However, that doesn't quite work since there were many revisions with that version number before the ASan change.

Should it be checking _LIBCPP_CLANG_VER >= 1700 instead, or is there some more precise way to handle this? (Does the ASan runtime have some way to check if it supports this for example?)

Afaik, this is against libc++ policy. libc++ needs to work with at least 1 or 2 last clang releases so this patch needs to accomodate it.
@ldionne to confirm.

In D136765#4178116, @manojgupta wrote:

In D136765#4178089, @hans wrote:

In D136765#4173661, @ayzhao wrote:

FYI this is causing (yet another) bug on Chrome/Chrome OS: https://crbug.com/1422033

We've root caused this to ChromeOS using a toolchain based on llvmorg-16-init-6711-g11897708c022, which is before the ASan runtime gained support for unaligned container memory in llvmorg-16-init-9006-gdd1b7b797a11, which this patch depends on. (https://crbug.com/1422033#c11 has a reproducer).

I see that the patch is already trying to handle this with the #if _LIBCPP_CLANG_VER >= 1600 check. However, that doesn't quite work since there were many revisions with that version number before the ASan change.

Should it be checking _LIBCPP_CLANG_VER >= 1700 instead, or is there some more precise way to handle this? (Does the ASan runtime have some way to check if it supports this for example?)

Afaik, this is against libc++ policy. libc++ needs to work with at least 1 or 2 last clang releases so this patch needs to accomodate it.
@ldionne to confirm.

The last two official releases. It doesn't seem like ChromeOS uses that, given that LLVM16 isn't released yet. Anyways, I think we have to revert, since we clearly need some way to fix the annotation problems, and that will probably take some time to figure out.

In D136765#4178156, @philnik wrote:

The last two official releases. It doesn't seem like ChromeOS uses that, given that LLVM16 isn't released yet. Anyways, I think we have to revert, since we clearly need some way to fix the annotation problems, and that will probably take some time to figure out.

FWIW I think just checking _LIBCPP_CLANG_VER >= 1700 would be a good fix.

In D136765#4178231, @hans wrote:

In D136765#4178156, @philnik wrote:

The last two official releases. It doesn't seem like ChromeOS uses that, given that LLVM16 isn't released yet. Anyways, I think we have to revert, since we clearly need some way to fix the annotation problems, and that will probably take some time to figure out.

FWIW I think just checking _LIBCPP_CLANG_VER >= 1700 would be a good fix.

I don't think that makes sense. We don't check that we have the version after the first one in which it's implemented anywhere else. Supporting this kind of stuff would be a nightmare, and 99% of people who don't use an official release are either on the bleeding edge, or are a vendor. If you are a vendor you probably have some downstream patches anyways, so having this too seems not that much of a problem.

In D136765#4178312, @philnik wrote:

In D136765#4178231, @hans wrote:

In D136765#4178156, @philnik wrote:

The last two official releases. It doesn't seem like ChromeOS uses that, given that LLVM16 isn't released yet. Anyways, I think we have to revert, since we clearly need some way to fix the annotation problems, and that will probably take some time to figure out.

FWIW I think just checking _LIBCPP_CLANG_VER >= 1700 would be a good fix.

I don't think that makes sense. We don't check that we have the version after the first one in which it's implemented anywhere else. Supporting this kind of stuff would be a nightmare, and 99% of people who don't use an official release are either on the bleeding edge, or are a vendor. If you are a vendor you probably have some downstream patches anyways, so having this too seems not that much of a problem.

As we've seen, _LIBCPP_CLANG_VER >= 1600 is not sufficient to check that the ASan support is there, but _LIBCPP_CLANG_VER >= 1700 is sufficient. And since this patch (annotations for vector with custom allocator) is happening in the 17 release, there's no delay before they can be used. That's why I thought it would be a good fix.

An even nicer fix would of course be if ASan had some kind of feature checking mechanism or finer grained version we could check.

In D136765#4179911, @AdvenamTacet wrote:

This update includes change from D145628 and adds an easy way to turn off annotations for a specific allocator.
It also adds a test for that change, based on failing example showed above.

I still consider unpoisoning memory as a superior choice, but if it's impossible in some situations (like using allocator mantained by someone else), now it should be easy to turn off annotations for a specific allocator.

Thanks! I added a comment on that. Besides allocators maintained by someone else, I think https://crbug.com/1420967 is also a good example of where unpoisoning isn't an option.

The current patch still has the _LIBCPP_CLANG_VER issue though.

I think https://crbug.com/1420967 is also a good example of where unpoisoning isn't an option.

If access to poisoned memory happens only in a few functions, it's possible to just turn off instrumentation in them with __attribute__((__no_sanitize__("address"))).
But if the buffer is modified, it may be better to turn off annotations for that allocator. Therefore I made D145628.

The current patch still has the _LIBCPP_CLANG_VER issue though.

Here I agree with @philnik that waiting until LLVM17 (given that LLVM16 isn't released yet) makes no sense and testing changes would be very difficult. Also, rGdd1b7b797a116eed588fd752fbe61d34deeb24e4 was accepted more than 4 moths ago, so it's a big time gap between support in compiler-rt and libc++.
I also don't see any other reasonable way to check support in compiler-rt than checking version number.

In D136765#4198690, @AdvenamTacet wrote:

I think https://crbug.com/1420967 is also a good example of where unpoisoning isn't an option.

If access to poisoned memory happens only in a few functions, it's possible to just turn off instrumentation in them with __attribute__((__no_sanitize__("address"))).
But if the buffer is modified, it may be better to turn off annotations for that allocator. Therefore I made D145628.

Thanks, I think turning off annotations for this allocator is the best option. Hunting down all functions that access the memory would be hard, and also disabling instrumentation in them seems like a too big hammer.

The current patch still has the _LIBCPP_CLANG_VER issue though.

Here I agree with @philnik that waiting until LLVM17 (given that LLVM16 isn't released yet) makes no sense and testing changes would be very difficult. Also, rGdd1b7b797a116eed588fd752fbe61d34deeb24e4 was accepted more than 4 moths ago, so it's a big time gap between support in compiler-rt and libc++.
I also don't see any other reasonable way to check support in compiler-rt than checking version number.

There would be no need to wait since 17 is already the current version at HEAD.

Considering that this won't be cherry-picked back to release/16.x (right?), then whether we use _LIBCPP_CLANG_VER >= 1600 or _LIBCPP_CLANG_VER >= 1700 is irrelevant for all practical purposes, since libc++ gets released in sync with Clang and the next release this will get in will have Clang 17. I do agree however that if someone (in this case Chrome) is using a not-yet-released snapshot of trunk that happens to have _LIBCPP_CLANG_VER >= 1600 yet isn't something we've released as LLVM 16, then it's probably not reasonable for us to try to support that. Imagine coming up with that policy, I think it would mean that we can't ever rely on _LIBCPP_CLANG_VER >= 1600 during the libc++ 16 release, which would be pretty unfortunate.

So I have no strong opinion, either way is fine with me (even though the status quo is kind of unfortunate for Chrome until they bump their Clang version).

In D136765#4203247, @ldionne wrote:

I do agree however that if someone (in this case Chrome) is using a not-yet-released snapshot of trunk that happens to have _LIBCPP_CLANG_VER >= 1600 yet isn't something we've released as LLVM 16, then it's probably not reasonable for us to try to support that. Imagine coming up with that policy, I think it would mean that we can't ever rely on _LIBCPP_CLANG_VER >= 1600 during the libc++ 16 release, which would be pretty unfortunate.

(FWIW it's ChromeOS, not Chrome, that's using an older Clang version. And if necessary they can probably patch in the needed compiler-rt changes. Also, https://libcxx.llvm.org/ technically says that clang "16-git" is supported, which is what they are using ;)

I'll stop harping on about this, but I think gating functionality on _LIBCPP_CLANG_VER isn't great for the reason we've seen here. (And Eric predicted it in his "It smells weird, and it looks weird, and I think it'll lead to bugs." comment). I'm pleased to see that it's currently only used in two places in libc++, one of which is for a deprecation warning. As mentioned above, the best would be if compiler-rt exposed some kind of feature check for this, but if we can't have that, I think >= 17 is the way to go.

In D136765#4205962, @hans wrote:

In D136765#4203247, @ldionne wrote:

I do agree however that if someone (in this case Chrome) is using a not-yet-released snapshot of trunk that happens to have _LIBCPP_CLANG_VER >= 1600 yet isn't something we've released as LLVM 16, then it's probably not reasonable for us to try to support that. Imagine coming up with that policy, I think it would mean that we can't ever rely on _LIBCPP_CLANG_VER >= 1600 during the libc++ 16 release, which would be pretty unfortunate.

(FWIW it's ChromeOS, not Chrome, that's using an older Clang version. And if necessary they can probably patch in the needed compiler-rt changes. Also, https://libcxx.llvm.org/ technically says that clang "16-git" is supported, which is what they are using ;)

It's "16-git" as-in current trunk, not some random version from a few months ago.

I'll stop harping on about this, but I think gating functionality on _LIBCPP_CLANG_VER isn't great for the reason we've seen here. (And Eric predicted it in his "It smells weird, and it looks weird, and I think it'll lead to bugs." comment). I'm pleased to see that it's currently only used in two places in libc++, one of which is for a deprecation warning. As mentioned above, the best would be if compiler-rt exposed some kind of feature check for this, but if we can't have that, I think >= 17 is the way to go.

I don't think >= 17 is an option. You are basically asking us to keep the code around for another release because someone used some wacky unsupported configuration. Either live at head or use releases. They exist for a reason.

In D136765#4205989, @philnik wrote:

I don't think >= 17 is an option. You are basically asking us to keep the code around for another release because someone used some wacky unsupported configuration. Either live at head or use releases. They exist for a reason.

I'm just trying to be pragmatic. Given the nasty failure mode - ASan silently malfunctioning - using a check which actually guarantees that the required functionality is there seems reasonable to me.

In D136765#4205989, @philnik wrote:

In D136765#4205962, @hans wrote:

In D136765#4203247, @ldionne wrote:

I do agree however that if someone (in this case Chrome) is using a not-yet-released snapshot of trunk that happens to have _LIBCPP_CLANG_VER >= 1600 yet isn't something we've released as LLVM 16, then it's probably not reasonable for us to try to support that. Imagine coming up with that policy, I think it would mean that we can't ever rely on _LIBCPP_CLANG_VER >= 1600 during the libc++ 16 release, which would be pretty unfortunate.

(FWIW it's ChromeOS, not Chrome, that's using an older Clang version. And if necessary they can probably patch in the needed compiler-rt changes. Also, https://libcxx.llvm.org/ technically says that clang "16-git" is supported, which is what they are using ;)

It's "16-git" as-in current trunk, not some random version from a few months ago.

I'll stop harping on about this, but I think gating functionality on _LIBCPP_CLANG_VER isn't great for the reason we've seen here. (And Eric predicted it in his "It smells weird, and it looks weird, and I think it'll lead to bugs." comment). I'm pleased to see that it's currently only used in two places in libc++, one of which is for a deprecation warning. As mentioned above, the best would be if compiler-rt exposed some kind of feature check for this, but if we can't have that, I think >= 17 is the way to go.

I don't think >= 17 is an option. You are basically asking us to keep the code around for another release because someone used some wacky unsupported configuration. Either live at head or use releases. They exist for a reason.

809855b56f06dd7182685f88fbbc64111df9339a changed clang version in trunk to 16.
https://reviews.llvm.org/rGdd1b7b797a11 added the API that this patch is using.

This change means that any clang released in the range 809855b56f06dd7182685f88fbbc64111df9339a..dd1b7b797a11 is now BAD for building libc++.

$ git log 809855b56f06dd7182685f88fbbc64111df9339a..dd1b7b797a11 --oneline | wc -l
9006

IMO, this is an large number of commits and punishes people that made clang releases in this range.

I'd however like to steer out of the debate by cherry-picking https://reviews.llvm.org/rGdd1b7b797a11 to ChromeOS clang.

I was thinking about a solution for the silent error.

API for contiguous containers was extended on Oct 28 2022, - rGdd1b7b797a116eed588fd752fbe61d34deeb24e4.

API for double ended containers was commited on Nov 22 2022 - rG1c5ad6d2c01294a0decde43a88e9c27d7437d157.
And extended on Nov 29 - rGe1657e322902d973aea606d3557f938ce0e0f06c

If we first land D132092 (annotations for std::deque with default allocator only), there will be no silent error, as a missing function in compiler-rt causes an error.

That solutions holds water only if D132092 will be accepted, but I hope it will be. The pach is ready for review.

In D136765#4212222, @AdvenamTacet wrote:

If we first land D132092 (annotations for std::deque with default allocator only), there will be no silent error, as a missing function in compiler-rt causes an error.

Yes, that is indeed much nicer.

Somewhat early heads-up: This is again causing various test failures in Chromium land. Several of us are traveling this week, so it'll likely be a while until we can provide more details. (No action needed at this point, just as an FYI.) Our upstream bug is https://bugs.chromium.org/p/chromium/issues/detail?id=1444659 .