This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/Sema/
-
Sema/
1/4
SemaExpr.cpp
-
test/SemaTemplate/
-
SemaTemplate/
-
lambda-variadic.cpp

Differential D140184

Fix crash with lambda and variadic template
ClosedPublic

Authored by rtrieu on Dec 15 2022, 6:43 PM.

Download Raw Diff

Details

Reviewers

aaron.ballman
asbirlea
cor3ntin
royjacobson
erichkeane

Summary

Inside Sema::tryCaptureVariable, there is an unconditional cast from a FunctionScopeInfo to a CapturingScopeInfo. With a mixture of lambdas and variadic template, we can arrive at this point with a FunctionScopeInfo that is not a CapturingScopeInfo. This is the simple fix of bailing out early with a default return value.

This fixes https://github.com/llvm/llvm-project/issues/56071 plus another test case reduction I found.

Diff Detail

Event Timeline

rtrieu created this revision.Dec 15 2022, 6:43 PM

Herald added a project: Restricted Project. · View Herald TranscriptDec 15 2022, 6:43 PM

rtrieu requested review of this revision.Dec 15 2022, 6:43 PM

rtrieu edited the summary of this revision. (Show Details)Dec 15 2022, 6:56 PM

rtrieu added a reviewer: aaron.ballman.

Harbormaster completed remote builds in B203527: Diff 483407.Dec 15 2022, 9:14 PM

asbirlea accepted this revision.Jan 3 2023, 10:34 AM

This revision is now accepted and ready to land.Jan 3 2023, 10:34 AM

Adding additional reviewers for some additional perspective (perhaps my concerns are unfounded).

The changes should also have a release note about the fix.

clang/lib/Sema/SemaExpr.cpp
18875–18876	I'm not certain whether this is indicative of a deeper issue where we expect to get a capturing scope and we're not, but the early return seems surprising. I would have guessed that we'd want to `continue` so that we loop around again and continue to try to capture the variable.

cor3ntin added inline comments.Jan 3 2023, 12:18 PM

clang/lib/Sema/SemaExpr.cpp
18875–18876	Yes, i think there is something fishy here, and I am uncertain this is the right fix. Either we are not currently in a lambda and `if (VarDC == DC) return true;` would prevent us from continuing, or there should only ever be lambda scopes between us and the variable declaration point. Note that in either tests, the lambda don't capture anything. My guess is that either: We are trying to capture something when we should not - unevaluated lambdas can't have captures. In which case bailing early in unevaluated scope may be a cleaner fix We are trying to capture in the the wrong context (ie we should do sdomethink like `ActOnReenterFunctionContext` but that would also be suspicious) I think continuing would be wrong too. captures cannot skip a capturing scope.

Gentle ping. Can you propose an alternate patch to fix this crash? The github issue is 6 months old and similar crashes are reported due to this.

rtrieu added inline comments.Jan 13 2023, 6:20 PM

clang/lib/Sema/SemaExpr.cpp
18875–18876	I've been trying look into this more. From my understanding, FunctionScopeInfo `FSI` should correspond to DeclContext `DC`. When the crash happens, `DC->dumpAsDecl()` shows that the DeclContext is for a lambda (specifically, `inner_lambda`), but `FSI->Kind` evaluates to `FunctionScopeInfo::SK_Function`. I think this means that a function scope was never popped off `FunctionScopes` and replaced with a lambda scope.

It looks like this bug may also be related: https://github.com/llvm/llvm-project/issues/60155

Re-ping to current reviewers. Any thoughts on the above @cor3ntin? Is there someone who you recommend look into this issue?

ayzhao added a subscriber: ayzhao.Jan 30 2023, 2:59 PM

ayzhao added inline comments.Feb 2 2023, 5:04 PM

clang/lib/Sema/SemaExpr.cpp
18875–18876	I took a look at this and it appears that in `test2`, in the following lines from `inner_function()`: char c; [](auto param) -> decltype(c) { return param; }(0); we try to capture `char c` because of the `decltype`. I'm not entirely sure what the behavior is here - if we remove the template parameter from `inner_function()`, this function still tries to capture `char c`, and yet it `FSI` is always a `CapturingScopeInfo`.

It looks like we might have another similar bug: https://github.com/llvm/llvm-project/issues/61589

@cor3ntin is this still relevant? It looks like the test cases don't crash: https://godbolt.org/z/o3Y9req17

Nope, the "deeper issue" seemed to have been fixed in the 17 cycle. But maybe we could keep the tests anyway?

Keeping the tests seems reasonable, please do so!

@cor3ntin can you do a new PR on github w/ just the tests or alternatively land the tests w/o the rest of the patch?

cor3ntin mentioned this in rGd6ae4bd68671: [Clang][NFC] Add tests for #56071.Sep 28 2023, 8:58 AM

I've added the tests to clang.
Thanks a lot of finding these tests cases and the work you did on this PR!

Revision Contents

Path

Size

clang/

lib/

Sema/

SemaExpr.cpp

4 lines

test/

SemaTemplate/

lambda-variadic.cpp

51 lines

Diff 483407

clang/lib/Sema/SemaExpr.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 18,866 Lines • ▼ Show 20 Lines	if (!ParentDC) {
if (IsGlobal) {		if (IsGlobal) {
FunctionScopesIndex = MaxFunctionScopesIndex - 1;		FunctionScopesIndex = MaxFunctionScopesIndex - 1;
break;		break;
}		}
return true;		return true;
}		}

FunctionScopeInfo *FSI = FunctionScopes[FunctionScopesIndex];		FunctionScopeInfo *FSI = FunctionScopes[FunctionScopesIndex];
CapturingScopeInfo *CSI = cast<CapturingScopeInfo>(FSI);		CapturingScopeInfo *CSI = dyn_cast<CapturingScopeInfo>(FSI);
		if (!CSI) return true;
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I'm not certain whether this is indicative of a deeper issue where we expect to get a capturing scope and we're not, but the early return seems surprising. I would have guessed that we'd want to `continue` so that we loop around again and continue to try to capture the variable. aaron.ballman: I'm not certain whether this is indicative of a deeper issue where we expect to get a capturing…
		cor3ntinUnsubmitted Not Done Reply Inline Actions Yes, i think there is something fishy here, and I am uncertain this is the right fix. Either we are not currently in a lambda and `if (VarDC == DC) return true;` would prevent us from continuing, or there should only ever be lambda scopes between us and the variable declaration point. Note that in either tests, the lambda don't capture anything. My guess is that either: We are trying to capture something when we should not - unevaluated lambdas can't have captures. In which case bailing early in unevaluated scope may be a cleaner fix We are trying to capture in the the wrong context (ie we should do sdomethink like `ActOnReenterFunctionContext` but that would also be suspicious) I think continuing would be wrong too. captures cannot skip a capturing scope. cor3ntin: Yes, i think there is something fishy here, and I am uncertain this is the right fix. Either…
		rtrieuAuthorUnsubmitted Done Reply Inline Actions I've been trying look into this more. From my understanding, FunctionScopeInfo `FSI` should correspond to DeclContext `DC`. When the crash happens, `DC->dumpAsDecl()` shows that the DeclContext is for a lambda (specifically, `inner_lambda`), but `FSI->Kind` evaluates to `FunctionScopeInfo::SK_Function`. I think this means that a function scope was never popped off `FunctionScopes` and replaced with a lambda scope. rtrieu: I've been trying look into this more. From my understanding, FunctionScopeInfo `FSI` should…
		ayzhaoUnsubmitted Not Done Reply Inline Actions I took a look at this and it appears that in `test2`, in the following lines from `inner_function()`: char c; [](auto param) -> decltype(c) { return param; }(0); we try to capture `char c` because of the `decltype`. I'm not entirely sure what the behavior is here - if we remove the template parameter from `inner_function()`, this function still tries to capture `char c`, and yet it `FSI` is always a `CapturingScopeInfo`. ayzhao: I took a look at this and it appears that in `test2`, in the following lines from…

// Check whether we've already captured it.		// Check whether we've already captured it.
if (isVariableAlreadyCapturedInScopeInfo(CSI, Var, Nested, CaptureType,		if (isVariableAlreadyCapturedInScopeInfo(CSI, Var, Nested, CaptureType,
DeclRefType)) {		DeclRefType)) {
CSI->getCapture(Var).markUsed(BuildAndDiagnose);		CSI->getCapture(Var).markUsed(BuildAndDiagnose);
break;		break;
}		}
// If we are instantiating a generic lambda call operator body,		// If we are instantiating a generic lambda call operator body,
▲ Show 20 Lines • Show All 2,047 Lines • Show Last 20 Lines

clang/test/SemaTemplate/lambda-variadic.cpp

This file was added.

				// RUN: %clang_cc1 -fsyntax-only -verify %s -Wno-unused-value
				// expected-no-diagnostics
				namespace test1 {

				template <int num> int return_num() { return num; }

				template <typename lambda> struct lambda_wrapper {
				lambda &outer_lambda;
				lambda_wrapper(lambda& outer_lambda) : outer_lambda(outer_lambda) {}
				template <typename T> auto operator+(T t) { outer_lambda(t); return 1; }
				};

				template <int... nums, typename lambda>
				void bw(lambda& outer_lambda) {
				(lambda_wrapper(outer_lambda) + ... + return_num<nums>());
				}

				template <typename lambda> auto check_return_type(lambda inner_lambda) {
				using inner_lambda_return_type = decltype(inner_lambda(5));
				}

				void cs() {
				auto outer_lambda = [](auto param) {
				auto inner_lambda = [](auto o) -> decltype(param) {};
				check_return_type(inner_lambda);
				};
				bw<1,2>(outer_lambda);
				}

				} // namespace test1

				namespace test2 {

				template <typename lambda>
				auto run_lambda_with_zero(lambda l) {
				l(0);
				}
				template <typename ... Ts, typename lambda>
				void run_lambda_once_per_type(lambda l) {
				((Ts{}, run_lambda_with_zero(l)), ...);
				}
				template <typename> void inner_function() {
				char c;
				[](auto param) -> decltype(c) { return param; }(0);
				}
				void run() {
				auto x = [](auto) -> void { inner_function<int>(); };
				run_lambda_once_per_type<int>(x);
				}

				} // namespace test2