This is an archive of the discontinued LLVM Phabricator instance.

Differential D137067

[DebugInfo][Metadata] Make AllEnumTypes holding TrackingMDNodeRef
ClosedPublic

Authored by krisb on Oct 31 2022, 3:15 AM.

Details

Reviewers
ellis
aprantl
dblaikie
Commits
rG4ecb2b8ef6be: [DebugInfo][Metadata] Make AllEnumTypes holding TrackingMDNodeRef
Summary

Having AllEnumtypes to be a vector of TrackingMDNodeRef makes it possible
to reflect changes in metadata in the vector if they took place before DIBuilder
being finalized.

Otherwise, we end up with heap-use-after-free because AllEnumTypes contains
metadata that no longer valid.

Consider a case where we have a class containing a definition of a enum,
so this enum has the class as a scope. For some reason (doesn't matter for
the current issue), we create a temporary debug metadata for this class, and
then resolve it while finalizing CGDebugInfo.

Once resolved the temporary, we may need to replace its uses with a new pointer.
If a temporary's user is unique (this is the enum mentioned above), we
may need re-uniqueing it, which may return a new pointer in a case of collision.
If so, the pointer we stored in AllEnumTypes vector become dangling.
Making AllEnumTypes hodling TrackingMDNodeRef should solve this problem
(see debug-info-enum-metadata-collision.cpp test for details).

Diff Detail

Event Timeline

krisb created this revision.Oct 31 2022, 3:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 31 2022, 3:15 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
krisb requested review of this revision.Oct 31 2022, 3:15 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptOct 31 2022, 3:15 AM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B195223: Diff 471946.Oct 31 2022, 4:00 AM
dblaikie accepted this revision.Oct 31 2022, 8:02 AM

Test case can be simplified a bit further:

template <typename> struct Struct1 {
  enum { enumValue1 };
  Struct1();
};
void function2() {
  struct Struct3 {};
  int i = Struct1<Struct3>::enumValue1;
}
void function3() {
  struct Struct3 {};
  int i = Struct1<Struct3>::enumValue1;
}

but otherwise I'm OK with this - I don't /fully/ understand it, but it sounds plausible enough. (if you have time, I wouldn't mind hearing more about why this requires local types (Struct3) and two similar functions to tickle the issue)

This revision is now accepted and ready to land.Oct 31 2022, 8:02 AM
krisb updated this revision to Diff 472079.Oct 31 2022, 11:17 AM

Apply review comments.

krisb added a comment.EditedOct 31 2022, 11:18 AM
In D137067#3896524, @dblaikie wrote:

Test case can be simplified a bit further:

Thank you!

but otherwise I'm OK with this - I don't /fully/ understand it, but it sounds plausible enough. (if you have time, I wouldn't mind hearing more about why this requires local types (Struct3) and two similar functions to tickle the issue)

The test is just a simplified code sample where the issue was original faced. I'm not sure we specifically need local types or two particular functions, but artificially reproducing the same conditions may be tricky.
Basically, the issue happens only when collisions take place twice:

  • first time when a record's temporary debug metadata being replaced by a unique, and
  • second time when tempopary's enum user being re-uniquefied.

I haven't studied deeply why the collisions happen in this particular test, since if collisions /may/ happen, we should handle this case correctly anyway.

Harbormaster completed remote builds in B195315: Diff 472079.Oct 31 2022, 12:38 PM
This revision was landed with ongoing or failed builds.Nov 3 2022, 1:30 AM
Closed by commit rG4ecb2b8ef6be: [DebugInfo][Metadata] Make AllEnumTypes holding TrackingMDNodeRef (authored by krisb). · Explain Why
This revision was automatically updated to reflect the committed changes.
krisb added a commit: rG4ecb2b8ef6be: [DebugInfo][Metadata] Make AllEnumTypes holding TrackingMDNodeRef.

Revision Contents

PathSize
clang/
test/
CodeGenCXX/
25 lines
llvm/
include/
llvm/
IR/
2 lines
lib/
IR/
6 lines

Diff 472870

clang/test/CodeGenCXX/debug-info-enum-metadata-collision.cpp

  • This file was added.
// RUN: %clang_cc1 -triple %itanium_abi_triple -emit-llvm -debug-info-kind=constructor %s -o - | FileCheck %s
// Test that clang doesn't crash while resolving temporary debug metadata of
// a record with collisions in the record's enum users.
// CHECK: !DICompositeType(tag: DW_TAG_enumeration_type,
// CHECK-SAME: scope: [[SCOPE:![0-9]+]]
// CHECK-SAME: elements: [[ELEMENTS:![0-9]+]]
// CHECK: [[SCOPE]] = !DICompositeType(tag: DW_TAG_structure_type
// CHECK-SAME: name: "Struct1<Struct3>"
// CHECK: [[ELEMENTS]] = !{[[ELEMENT:![0-9]+]]}
// CHECK: [[ELEMENT]] = !DIEnumerator(name: "enumValue1"
template <typename> struct Struct1 {
enum { enumValue1 };
Struct1();
};
void function2() {
struct Struct3 {};
int i = Struct1<Struct3>::enumValue1;
}
void function3() {
struct Struct3 {};
int i = Struct1<Struct3>::enumValue1;
}

llvm/include/llvm/IR/DIBuilder.h

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines class DIBuilder {
LLVMContext &VMContext; LLVMContext &VMContext;
DICompileUnit *CUNode; ///< The one compile unit created by this DIBuiler. DICompileUnit *CUNode; ///< The one compile unit created by this DIBuiler.
Function *DeclareFn; ///< llvm.dbg.declare Function *DeclareFn; ///< llvm.dbg.declare
Function *ValueFn; ///< llvm.dbg.value Function *ValueFn; ///< llvm.dbg.value
Function *LabelFn; ///< llvm.dbg.label Function *LabelFn; ///< llvm.dbg.label
Function *AddrFn; ///< llvm.dbg.addr Function *AddrFn; ///< llvm.dbg.addr
SmallVector<Metadata *, 4> AllEnumTypes; SmallVector<TrackingMDNodeRef, 4> AllEnumTypes;
/// Track the RetainTypes, since they can be updated later on. /// Track the RetainTypes, since they can be updated later on.
SmallVector<TrackingMDNodeRef, 4> AllRetainTypes; SmallVector<TrackingMDNodeRef, 4> AllRetainTypes;
SmallVector<Metadata *, 4> AllSubprograms; SmallVector<Metadata *, 4> AllSubprograms;
SmallVector<Metadata *, 4> AllGVs; SmallVector<Metadata *, 4> AllGVs;
SmallVector<TrackingMDNodeRef, 4> AllImportedModules; SmallVector<TrackingMDNodeRef, 4> AllImportedModules;
/// Map Macro parent (which can be DIMacroFile or nullptr) to a list of /// Map Macro parent (which can be DIMacroFile or nullptr) to a list of
/// Metadata all of type DIMacroNode. /// Metadata all of type DIMacroNode.
/// DIMacroNode's with nullptr parent are DICompileUnit direct children. /// DIMacroNode's with nullptr parent are DICompileUnit direct children.
▲ Show 20 LinesShow All 971 LinesShow Last 20 Lines

llvm/lib/IR/DIBuilder.cpp

Show First 20 LinesShow All 78 Lines▼ Show 20 Lines
void DIBuilder::finalize() { void DIBuilder::finalize() {
if (!CUNode) { if (!CUNode) {
assert(!AllowUnresolvedNodes && assert(!AllowUnresolvedNodes &&
"creating type nodes without a CU is not supported"); "creating type nodes without a CU is not supported");
return; return;
} }
if (!AllEnumTypes.empty()) if (!AllEnumTypes.empty())
CUNode->replaceEnumTypes(MDTuple::get(VMContext, AllEnumTypes)); CUNode->replaceEnumTypes(MDTuple::get(
VMContext, SmallVector<Metadata *, 16>(AllEnumTypes.begin(),
AllEnumTypes.end())));
SmallVector<Metadata *, 16> RetainValues; SmallVector<Metadata *, 16> RetainValues;
// Declarations and definitions of the same type may be retained. Some // Declarations and definitions of the same type may be retained. Some
// clients RAUW these pairs, leaving duplicates in the retained types // clients RAUW these pairs, leaving duplicates in the retained types
// list. Use a set to remove the duplicates while we transform the // list. Use a set to remove the duplicates while we transform the
// TrackingVHs back into Values. // TrackingVHs back into Values.
SmallPtrSet<Metadata *, 16> RetainSet; SmallPtrSet<Metadata *, 16> RetainSet;
for (unsigned I = 0, E = AllRetainTypes.size(); I < E; I++) for (unsigned I = 0, E = AllRetainTypes.size(); I < E; I++)
▲ Show 20 LinesShow All 455 Lines▼ Show 20 LinesDICompositeType *DIBuilder::createEnumerationType(
DIScope *Scope, StringRef Name, DIFile *File, unsigned LineNumber, DIScope *Scope, StringRef Name, DIFile *File, unsigned LineNumber,
uint64_t SizeInBits, uint32_t AlignInBits, DINodeArray Elements, uint64_t SizeInBits, uint32_t AlignInBits, DINodeArray Elements,
DIType *UnderlyingType, StringRef UniqueIdentifier, bool IsScoped) { DIType *UnderlyingType, StringRef UniqueIdentifier, bool IsScoped) {
auto *CTy = DICompositeType::get( auto *CTy = DICompositeType::get(
VMContext, dwarf::DW_TAG_enumeration_type, Name, File, LineNumber, VMContext, dwarf::DW_TAG_enumeration_type, Name, File, LineNumber,
getNonCompileUnitScope(Scope), UnderlyingType, SizeInBits, AlignInBits, 0, getNonCompileUnitScope(Scope), UnderlyingType, SizeInBits, AlignInBits, 0,
IsScoped ? DINode::FlagEnumClass : DINode::FlagZero, Elements, 0, nullptr, IsScoped ? DINode::FlagEnumClass : DINode::FlagZero, Elements, 0, nullptr,
nullptr, UniqueIdentifier); nullptr, UniqueIdentifier);
AllEnumTypes.push_back(CTy); AllEnumTypes.emplace_back(CTy);
trackIfUnresolved(CTy); trackIfUnresolved(CTy);
return CTy; return CTy;
} }
DIDerivedType *DIBuilder::createSetType(DIScope *Scope, StringRef Name, DIDerivedType *DIBuilder::createSetType(DIScope *Scope, StringRef Name,
DIFile *File, unsigned LineNo, DIFile *File, unsigned LineNo,
uint64_t SizeInBits, uint64_t SizeInBits,
uint32_t AlignInBits, DIType *Ty) { uint32_t AlignInBits, DIType *Ty) {
▲ Show 20 LinesShow All 590 LinesShow Last 20 Lines