This is an archive of the discontinued LLVM Phabricator instance.

[AAPointerInfo] fix assertion at the pass-through use of a pointer
ClosedPublic

Authored by sameerds on Jan 1 2023, 10:18 PM.

Download Raw Diff

Details

Reviewers

jdoerfert
sstefan1
ronlieb

Commits

rGa73e0c306cdd: [AAPointerInfo] fix assertion at the pass-through use of a pointer

Summary

HandlePassthroughUser may sometimes create a new entry for the OffsetInfo of a
user in the OffsetInfoMap. This can invalidate outstanding references into the
map, including the one which needs to be copied into the new entry. This
produces invalid offset info that can trigger assertions.

Fixed this by not using references at this point. The bug was originally
introduced in commit ID 0dc0a441323d41b4860668f38d290579e0de130c.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

sameerds created this revision.Jan 1 2023, 10:18 PM

Herald added a project: Restricted Project. · View Herald TranscriptJan 1 2023, 10:18 PM

Herald added subscribers: ormris, okura, jdoerfert and 2 others. · View Herald Transcript

sameerds requested review of this revision.Jan 1 2023, 10:18 PM

Herald added a reviewer: jdoerfert. · View Herald TranscriptJan 1 2023, 10:18 PM

Herald added a reviewer: sstefan1. · View Herald Transcript

Herald added a project: Restricted Project. · View Herald Transcript

Herald added a subscriber: llvm-commits. · View Herald Transcript

Harbormaster completed remote builds in B205340: Diff 485842.Jan 1 2023, 11:08 PM

Testcase?

In D140837#4021788, @arsenm wrote:

Testcase?

I am not sure how to go about writing a reliable test for an invalidated reference into a container, especially a map. It would have to depend on possibly adding enough entries to cause a reallocation, or inserting keys in an order that causes earlier keys to be moved around. What would such a test actually check? That the invalidation "never" happens?

In D140837#4021833, @sameerds wrote:

In D140837#4021788, @arsenm wrote:

Testcase?

I am not sure how to go about writing a reliable test for an invalidated reference into a container, especially a map. It would have to depend on possibly adding enough entries to cause a reallocation, or inserting keys in an order that causes earlier keys to be moved around. What would such a test actually check? That the invalidation "never" happens?

What does llvm-reduce give you if you just feed your original testcase to it?

Actually fix the root cause. The previous change was cleaned up too hastily and completely missed the point of the fix.

Harbormaster completed remote builds in B205362: Diff 485870.Jan 2 2023, 9:47 AM

lgtm, passed the 5 internal tests that failed.

This revision is now accepted and ready to land.Jan 2 2023, 10:05 AM

This revision was landed with ongoing or failed builds.Jan 4 2023, 3:24 AM

Closed by commit rGa73e0c306cdd: [AAPointerInfo] fix assertion at the pass-through use of a pointer (authored by sameerds). · Explain Why

This revision was automatically updated to reflect the committed changes.

sameerds added a commit: rGa73e0c306cdd: [AAPointerInfo] fix assertion at the pass-through use of a pointer.

In D140837#4021892, @arsenm wrote:

In D140837#4021833, @sameerds wrote:

In D140837#4021788, @arsenm wrote:

Testcase?

I am not sure how to go about writing a reliable test for an invalidated reference into a container, especially a map. It would have to depend on possibly adding enough entries to cause a reallocation, or inserting keys in an order that causes earlier keys to be moved around. What would such a test actually check? That the invalidation "never" happens?

What does llvm-reduce give you if you just feed your original testcase to it?

It did produce a pretty small testcase, but it was not convincing. The crash only happens with "opt -O3", at the point where a specific pass OpenMPOptCGSCC runs. All optimizations up to that point have no effect on the test IR, but running only that pass does not produce a crash. It's basically a very fragile situation where all the earlier passes produce an application state that just happens to produce the right invalidation inside the map. That's not very robust.

Revision Contents

Path

Size

llvm/

lib/

Transforms/

IPO/

AttributorAttributes.cpp

21 lines

Diff 486227

llvm/lib/Transforms/IPO/AttributorAttributes.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 1,429 Lines • ▼ Show 20 Lines	ChangeStatus AAPointerInfoFloating::updateImpl(Attributor &A) {
using namespace AA::PointerInfo;		using namespace AA::PointerInfo;
ChangeStatus Changed = ChangeStatus::UNCHANGED;		ChangeStatus Changed = ChangeStatus::UNCHANGED;
const DataLayout &DL = A.getDataLayout();		const DataLayout &DL = A.getDataLayout();
Value &AssociatedValue = getAssociatedValue();		Value &AssociatedValue = getAssociatedValue();

DenseMap<Value *, OffsetInfo> OffsetInfoMap;		DenseMap<Value *, OffsetInfo> OffsetInfoMap;
OffsetInfoMap[&AssociatedValue].insert(0);		OffsetInfoMap[&AssociatedValue].insert(0);

auto HandlePassthroughUser = [&](Value *Usr, const OffsetInfo &PtrOI,		auto HandlePassthroughUser = [&](Value Usr, Value CurPtr, bool &Follow) {
bool &Follow) {		// One does not simply walk into a map and assign a reference to a possibly
		// new location. That can cause an invalidation before the assignment
		// happens, like so:
		//
		// OffsetInfoMap[Usr] = OffsetInfoMap[CurPtr]; /* bad idea! */
		//
		// The RHS is a reference that may be invalidated by an insertion caused by
		// the LHS. So we ensure that the side-effect of the LHS happens first.
		auto &UsrOI = OffsetInfoMap[Usr];
		auto &PtrOI = OffsetInfoMap[CurPtr];
assert(!PtrOI.isUnassigned() &&		assert(!PtrOI.isUnassigned() &&
"Cannot pass through if the input Ptr was not visited!");		"Cannot pass through if the input Ptr was not visited!");
OffsetInfoMap[Usr] = PtrOI;		UsrOI = PtrOI;
Follow = true;		Follow = true;
return true;		return true;
};		};

const auto *F = getAnchorScope();		const auto *F = getAnchorScope();
const auto *CI =		const auto *CI =
F ? A.getInfoCache().getAnalysisResultForFunction<CycleAnalysis>(*F)		F ? A.getInfoCache().getAnalysisResultForFunction<CycleAnalysis>(*F)
: nullptr;		: nullptr;
const auto *TLI =		const auto *TLI =
F ? A.getInfoCache().getTargetLibraryInfoForFunction(*F) : nullptr;		F ? A.getInfoCache().getTargetLibraryInfoForFunction(*F) : nullptr;

auto UsePred = [&](const Use &U, bool &Follow) -> bool {		auto UsePred = [&](const Use &U, bool &Follow) -> bool {
Value *CurPtr = U.get();		Value *CurPtr = U.get();
User *Usr = U.getUser();		User *Usr = U.getUser();
LLVM_DEBUG(dbgs() << "[AAPointerInfo] Analyze " << CurPtr << " in " << Usr		LLVM_DEBUG(dbgs() << "[AAPointerInfo] Analyze " << CurPtr << " in " << Usr
<< "\n");		<< "\n");
assert(OffsetInfoMap.count(CurPtr) &&		assert(OffsetInfoMap.count(CurPtr) &&
"The current pointer offset should have been seeded!");		"The current pointer offset should have been seeded!");

if (ConstantExpr *CE = dyn_cast<ConstantExpr>(Usr)) {		if (ConstantExpr *CE = dyn_cast<ConstantExpr>(Usr)) {
if (CE->isCast())		if (CE->isCast())
return HandlePassthroughUser(Usr, OffsetInfoMap[CurPtr], Follow);		return HandlePassthroughUser(Usr, CurPtr, Follow);
if (CE->isCompare())		if (CE->isCompare())
return true;		return true;
if (!isa<GEPOperator>(CE)) {		if (!isa<GEPOperator>(CE)) {
LLVM_DEBUG(dbgs() << "[AAPointerInfo] Unhandled constant user " << *CE		LLVM_DEBUG(dbgs() << "[AAPointerInfo] Unhandled constant user " << *CE
<< "\n");		<< "\n");
return false;		return false;
}		}
}		}
Show All 13 Lines	if (auto *GEP = dyn_cast<GEPOperator>(Usr)) {
}		}

Follow = collectConstantsForGEP(A, DL, UsrOI, PtrOI, GEP);		Follow = collectConstantsForGEP(A, DL, UsrOI, PtrOI, GEP);
return true;		return true;
}		}
if (isa<PtrToIntInst>(Usr))		if (isa<PtrToIntInst>(Usr))
return false;		return false;
if (isa<CastInst>(Usr) \|\| isa<SelectInst>(Usr) \|\| isa<ReturnInst>(Usr))		if (isa<CastInst>(Usr) \|\| isa<SelectInst>(Usr) \|\| isa<ReturnInst>(Usr))
return HandlePassthroughUser(Usr, OffsetInfoMap[CurPtr], Follow);		return HandlePassthroughUser(Usr, CurPtr, Follow);

// For PHIs we need to take care of the recurrence explicitly as the value		// For PHIs we need to take care of the recurrence explicitly as the value
// might change while we iterate through a loop. For now, we give up if		// might change while we iterate through a loop. For now, we give up if
// the PHI is not invariant.		// the PHI is not invariant.
if (isa<PHINode>(Usr)) {		if (isa<PHINode>(Usr)) {
// Note the order here, the Usr access might change the map, CurPtr is		// Note the order here, the Usr access might change the map, CurPtr is
// already in it though.		// already in it though.
bool IsFirstPHIUser = !OffsetInfoMap.count(Usr);		bool IsFirstPHIUser = !OffsetInfoMap.count(Usr);
▲ Show 20 Lines • Show All 51 Lines • ▼ Show 20 Lines	if (isa<PHINode>(Usr)) {
// every Cycle header; if such a node is marked unknown, this will		// every Cycle header; if such a node is marked unknown, this will
// eventually propagate through the whole net of PHIs in the recurrence.		// eventually propagate through the whole net of PHIs in the recurrence.
if (mayBeInCycleHeader(CI, cast<Instruction>(Usr))) {		if (mayBeInCycleHeader(CI, cast<Instruction>(Usr))) {
auto BaseOI = It->getSecond();		auto BaseOI = It->getSecond();
BaseOI.addToAll(Offset.getZExtValue());		BaseOI.addToAll(Offset.getZExtValue());
if (IsFirstPHIUser \|\| BaseOI == UsrOI) {		if (IsFirstPHIUser \|\| BaseOI == UsrOI) {
LLVM_DEBUG(dbgs() << "[AAPointerInfo] PHI is invariant " << *CurPtr		LLVM_DEBUG(dbgs() << "[AAPointerInfo] PHI is invariant " << *CurPtr
<< " in " << *Usr << "\n");		<< " in " << *Usr << "\n");
return HandlePassthroughUser(Usr, PtrOI, Follow);		return HandlePassthroughUser(Usr, CurPtr, Follow);
}		}

LLVM_DEBUG(		LLVM_DEBUG(
dbgs() << "[AAPointerInfo] PHI operand pointer offset mismatch "		dbgs() << "[AAPointerInfo] PHI operand pointer offset mismatch "
<< CurPtr << " in " << Usr << "\n");		<< CurPtr << " in " << Usr << "\n");
UsrOI.setUnknown();		UsrOI.setUnknown();
Follow = true;		Follow = true;
return true;		return true;
▲ Show 20 Lines • Show All 9,818 Lines • Show Last 20 Lines