This is an archive of the discontinued LLVM Phabricator instance.

Differential D144806

[BOLT] Fix intermittent crash with instrumentation
ClosedPublic

Authored by maksfb on Feb 25 2023, 9:35 PM.

Details

Reviewers
yota9
Amir
ayermolo
rafauler
yavtuk
treapster
Commits
rGfb28196a642a: [BOLT] Fix intermittent crash with instrumentation
Summary

When createInstrumentedIndirectCall() was invoked for tail calls, we
attached annotation instruction twice to the new call instruction.
First in createDirectCall(), and then again while copying over the
metadata operands.

As a result, the annotations were not properly stripped for such calls
before the call to freeAnnotations() in LowerAnnotations pass. That lead
to use-after-free while restoring the offsets with setOffset() call.

Diff Detail

Event Timeline

maksfb created this revision.Feb 25 2023, 9:35 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 25 2023, 9:35 PM
Herald added a subscriber: pengfei. · View Herald Transcript
maksfb requested review of this revision.Feb 25 2023, 9:35 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 25 2023, 9:35 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B215996: Diff 500495.Feb 25 2023, 9:43 PM
yota9 added inline comments.Feb 27 2023, 7:04 AM
bolt/include/bolt/Core/MCPlusBuilder.h
181

Maybe add assert(!getAnnotationInst(DstInst) just for extra safety

182

How about to make separate function smth like "getAnnotationOpIndex" and use it also in getAnnotationInst and stripAnnotations? Just to ensure everything is in sync

maksfb added inline comments.Feb 27 2023, 11:58 AM
bolt/include/bolt/Core/MCPlusBuilder.h
181

We have it at line 168.

182

Operand handling should be happening in MCPlusBuilder annotation interface (after this change). I can add removeAnnotationInst(), but it still will be a part of the internal interface. The direct handling of operands in createInstrumentedIndirectCall() was really unfortunate.

yota9 accepted this revision.Feb 27 2023, 12:01 PM

LGTM

This revision is now accepted and ready to land.Feb 27 2023, 12:01 PM
maksfb updated this revision to Diff 500906.Feb 27 2023, 2:08 PM

Add MCPlusBuilder::removeAnnotationInst()

This revision was landed with ongoing or failed builds.Feb 27 2023, 2:11 PM
Closed by commit rGfb28196a642a: [BOLT] Fix intermittent crash with instrumentation (authored by maksfb). · Explain Why
This revision was automatically updated to reflect the committed changes.
maksfb added a commit: rGfb28196a642a: [BOLT] Fix intermittent crash with instrumentation.
Harbormaster completed remote builds in B216307: Diff 500906.Feb 27 2023, 3:11 PM

Revision Contents

PathSize
bolt/
include/
bolt/
Core/
24 lines
lib/
Core/
3 lines
Passes/
2 lines
Target/
X86/
18 lines

Diff 500909

bolt/include/bolt/Core/MCPlusBuilder.h

Show First 20 LinesShow All 104 Lines▼ Show 20 Lines if (!LastOp.isInst())
return nullptr; return nullptr;
MCInst *AnnotationInst = const_cast<MCInst *>(LastOp.getInst()); MCInst *AnnotationInst = const_cast<MCInst *>(LastOp.getInst());
assert(AnnotationInst->getOpcode() == TargetOpcode::ANNOTATION_LABEL); assert(AnnotationInst->getOpcode() == TargetOpcode::ANNOTATION_LABEL);
return AnnotationInst; return AnnotationInst;
} }
void removeAnnotationInst(MCInst &Inst) const {
assert(getAnnotationInst(Inst) && "Expected annotation instruction.");
Inst.erase(std::prev(Inst.end()));
assert(!getAnnotationInst(Inst) &&
"More than one annotation instruction detected.");
}
void setAnnotationOpValue(MCInst &Inst, unsigned Index, int64_t Value, void setAnnotationOpValue(MCInst &Inst, unsigned Index, int64_t Value,
AllocatorIdTy AllocatorId = 0) { AllocatorIdTy AllocatorId = 0) {
MCInst *AnnotationInst = getAnnotationInst(Inst); MCInst *AnnotationInst = getAnnotationInst(Inst);
if (!AnnotationInst) { if (!AnnotationInst) {
AnnotationAllocator &Allocator = getAnnotationAllocator(AllocatorId); AnnotationAllocator &Allocator = getAnnotationAllocator(AllocatorId);
AnnotationInst = new (Allocator.MCInstAllocator.Allocate()) MCInst(); AnnotationInst = new (Allocator.MCInstAllocator.Allocate()) MCInst();
AnnotationInst->setOpcode(TargetOpcode::ANNOTATION_LABEL); AnnotationInst->setOpcode(TargetOpcode::ANNOTATION_LABEL);
Inst.addOperand(MCOperand::createInst(AnnotationInst)); Inst.addOperand(MCOperand::createInst(AnnotationInst));
Show All 37 Linesprotected:
/// Names of non-standard annotations. /// Names of non-standard annotations.
SmallVector<std::string, 8> AnnotationNames; SmallVector<std::string, 8> AnnotationNames;
/// Allocate the TailCall annotation value. Clients of the target-specific /// Allocate the TailCall annotation value. Clients of the target-specific
/// MCPlusBuilder classes must use convert/lower/create* interfaces instead. /// MCPlusBuilder classes must use convert/lower/create* interfaces instead.
void setTailCall(MCInst &Inst); void setTailCall(MCInst &Inst);
/// Transfer annotations from \p SrcInst to \p DstInst.
void moveAnnotations(MCInst &&SrcInst, MCInst &DstInst) const {
assert(!getAnnotationInst(DstInst) &&
"Destination instruction should not have annotations.");
const MCInst *AnnotationInst = getAnnotationInst(SrcInst);
if (!AnnotationInst)
return;
DstInst.addOperand(MCOperand::createInst(AnnotationInst));
yota9Unsubmitted
Not Done
ReplyInline Actions

Maybe add assert(!getAnnotationInst(DstInst) just for extra safety

yota9: Maybe add assert(!getAnnotationInst(DstInst) just for extra safety
maksfbAuthorUnsubmitted
Done
ReplyInline Actions

We have it at line 168.

maksfb: We have it at line 168.
removeAnnotationInst(SrcInst);
yota9Unsubmitted
Not Done
ReplyInline Actions

How about to make separate function smth like "getAnnotationOpIndex" and use it also in getAnnotationInst and stripAnnotations? Just to ensure everything is in sync

yota9: How about to make separate function smth like "getAnnotationOpIndex" and use it also in…
maksfbAuthorUnsubmitted
Done
ReplyInline Actions

Operand handling should be happening in MCPlusBuilder annotation interface (after this change). I can add removeAnnotationInst(), but it still will be a part of the internal interface. The direct handling of operands in createInstrumentedIndirectCall() was really unfortunate.

maksfb: Operand handling should be happening in MCPlusBuilder annotation interface (after this change).
}
public: public:
class InstructionIterator { class InstructionIterator {
public: public:
using iterator_category = std::bidirectional_iterator_tag; using iterator_category = std::bidirectional_iterator_tag;
using value_type = MCInst; using value_type = MCInst;
using difference_type = std::ptrdiff_t; using difference_type = std::ptrdiff_t;
using pointer = value_type *; using pointer = value_type *;
using reference = value_type &; using reference = value_type &;
▲ Show 20 LinesShow All 1,685 Lines▼ Show 20 Lines if (!Index)
return false; return false;
return removeAnnotation(Inst, *Index); return removeAnnotation(Inst, *Index);
} }
/// Remove meta-data, but don't destroy it. /// Remove meta-data, but don't destroy it.
void stripAnnotations(MCInst &Inst, bool KeepTC = false); void stripAnnotations(MCInst &Inst, bool KeepTC = false);
virtual InstructionListType virtual InstructionListType
createInstrumentedIndirectCall(const MCInst &CallInst, bool TailCall, createInstrumentedIndirectCall(MCInst &&CallInst, MCSymbol *HandlerFuncAddr,
MCSymbol *HandlerFuncAddr, int CallSiteID, int CallSiteID, MCContext *Ctx) {
MCContext *Ctx) {
llvm_unreachable("not implemented"); llvm_unreachable("not implemented");
return InstructionListType(); return InstructionListType();
} }
virtual InstructionListType createInstrumentedIndCallHandlerExitBB() const { virtual InstructionListType createInstrumentedIndCallHandlerExitBB() const {
llvm_unreachable("not implemented"); llvm_unreachable("not implemented");
return InstructionListType(); return InstructionListType();
} }
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines

bolt/lib/Core/MCPlusBuilder.cpp

Show First 20 LinesShow All 292 Lines▼ Show 20 Lines
void MCPlusBuilder::stripAnnotations(MCInst &Inst, bool KeepTC) { void MCPlusBuilder::stripAnnotations(MCInst &Inst, bool KeepTC) {
MCInst *AnnotationInst = getAnnotationInst(Inst); MCInst *AnnotationInst = getAnnotationInst(Inst);
if (!AnnotationInst) if (!AnnotationInst)
return; return;
// Preserve TailCall annotation. // Preserve TailCall annotation.
auto IsTC = hasAnnotation(Inst, MCAnnotation::kTailCall); auto IsTC = hasAnnotation(Inst, MCAnnotation::kTailCall);
Inst.erase(std::prev(Inst.end())); removeAnnotationInst(Inst);
if (KeepTC && IsTC) if (KeepTC && IsTC)
setTailCall(Inst); setTailCall(Inst);
} }
void MCPlusBuilder::printAnnotations(const MCInst &Inst, void MCPlusBuilder::printAnnotations(const MCInst &Inst,
raw_ostream &OS) const { raw_ostream &OS) const {
const MCInst *AnnotationInst = getAnnotationInst(Inst); const MCInst *AnnotationInst = getAnnotationInst(Inst);
if (!AnnotationInst) if (!AnnotationInst)
▲ Show 20 LinesShow All 219 LinesShow Last 20 Lines

bolt/lib/Passes/Instrumentation.cpp

Show First 20 LinesShow All 209 Lines▼ Show 20 Linesvoid Instrumentation::instrumentIndirectTarget(BinaryBasicBlock &BB,
uint32_t From) { uint32_t From) {
auto L = FromFunction.getBinaryContext().scopeLock(); auto L = FromFunction.getBinaryContext().scopeLock();
const size_t IndCallSiteID = Summary->IndCallDescriptions.size(); const size_t IndCallSiteID = Summary->IndCallDescriptions.size();
createIndCallDescription(FromFunction, From); createIndCallDescription(FromFunction, From);
BinaryContext &BC = FromFunction.getBinaryContext(); BinaryContext &BC = FromFunction.getBinaryContext();
bool IsTailCall = BC.MIB->isTailCall(*Iter); bool IsTailCall = BC.MIB->isTailCall(*Iter);
InstructionListType CounterInstrs = BC.MIB->createInstrumentedIndirectCall( InstructionListType CounterInstrs = BC.MIB->createInstrumentedIndirectCall(
*Iter, IsTailCall, std::move(*Iter),
IsTailCall ? IndTailCallHandlerExitBBFunction->getSymbol() IsTailCall ? IndTailCallHandlerExitBBFunction->getSymbol()
: IndCallHandlerExitBBFunction->getSymbol(), : IndCallHandlerExitBBFunction->getSymbol(),
IndCallSiteID, &*BC.Ctx); IndCallSiteID, &*BC.Ctx);
Iter = BB.eraseInstruction(Iter); Iter = BB.eraseInstruction(Iter);
Iter = insertInstructions(CounterInstrs, BB, Iter); Iter = insertInstructions(CounterInstrs, BB, Iter);
--Iter; --Iter;
} }
▲ Show 20 LinesShow All 481 LinesShow Last 20 Lines

bolt/lib/Target/X86/X86MCPlusBuilder.cpp

Show First 20 LinesShow All 3,079 Lines▼ Show 20 Lines void createIndirectBranch(MCInst &Inst, MCPhysReg MemBaseReg,
Inst.setOpcode(X86::JMP64m); Inst.setOpcode(X86::JMP64m);
Inst.addOperand(MCOperand::createReg(MemBaseReg)); // BaseReg Inst.addOperand(MCOperand::createReg(MemBaseReg)); // BaseReg
Inst.addOperand(MCOperand::createImm(1)); // ScaleAmt Inst.addOperand(MCOperand::createImm(1)); // ScaleAmt
Inst.addOperand(MCOperand::createReg(X86::NoRegister)); // IndexReg Inst.addOperand(MCOperand::createReg(X86::NoRegister)); // IndexReg
Inst.addOperand(MCOperand::createImm(Disp)); // Displacement Inst.addOperand(MCOperand::createImm(Disp)); // Displacement
Inst.addOperand(MCOperand::createReg(X86::NoRegister)); // AddrSegmentReg Inst.addOperand(MCOperand::createReg(X86::NoRegister)); // AddrSegmentReg
} }
InstructionListType createInstrumentedIndirectCall(const MCInst &CallInst, InstructionListType createInstrumentedIndirectCall(MCInst &&CallInst,
bool TailCall,
MCSymbol *HandlerFuncAddr, MCSymbol *HandlerFuncAddr,
int CallSiteID, int CallSiteID,
MCContext *Ctx) override { MCContext *Ctx) override {
// Check if the target address expression used in the original indirect call // Check if the target address expression used in the original indirect call
// uses the stack pointer, which we are going to clobber. // uses the stack pointer, which we are going to clobber.
static BitVector SPAliases(getAliases(X86::RSP)); static BitVector SPAliases(getAliases(X86::RSP));
bool UsesSP = false; bool UsesSP = false;
// Skip defs. // Skip defs.
Show All 34 Lines if (UsesSP) {
createStackPointerIncrement(Insts.back(), 8, /*NoFlagsClobber=*/false); createStackPointerIncrement(Insts.back(), 8, /*NoFlagsClobber=*/false);
} }
Insts.emplace_back(); Insts.emplace_back();
createPushRegister(Insts.back(), TempReg, 8); createPushRegister(Insts.back(), TempReg, 8);
Insts.emplace_back(); Insts.emplace_back();
createLoadImmediate(Insts.back(), TempReg, CallSiteID); createLoadImmediate(Insts.back(), TempReg, CallSiteID);
Insts.emplace_back(); Insts.emplace_back();
createPushRegister(Insts.back(), TempReg, 8); createPushRegister(Insts.back(), TempReg, 8);
Insts.emplace_back();
createDirectCall(Insts.back(), HandlerFuncAddr, Ctx, MCInst &NewCallInst = Insts.emplace_back();
/*TailCall=*/TailCall); createDirectCall(NewCallInst, HandlerFuncAddr, Ctx, isTailCall(CallInst));
// Carry over metadata
for (int I = MCPlus::getNumPrimeOperands(CallInst), // Carry over metadata including tail call marker if present.
E = CallInst.getNumOperands(); stripAnnotations(NewCallInst);
I != E; ++I) moveAnnotations(std::move(CallInst), NewCallInst);
Insts.back().addOperand(CallInst.getOperand(I));
return Insts; return Insts;
} }
InstructionListType createInstrumentedIndCallHandlerExitBB() const override { InstructionListType createInstrumentedIndCallHandlerExitBB() const override {
const MCPhysReg TempReg = getIntArgRegister(0); const MCPhysReg TempReg = getIntArgRegister(0);
// We just need to undo the sequence created for every ind call in // We just need to undo the sequence created for every ind call in
// instrumentIndirectTarget(), which can be accomplished minimally with: // instrumentIndirectTarget(), which can be accomplished minimally with:
▲ Show 20 LinesShow All 440 LinesShow Last 20 Lines