This is an archive of the discontinued LLVM Phabricator instance.

[NewGVN] Decrement UseCount only if SSA copy has an use
AbandonedPublic

Authored by vladimirradosavljevic on Aug 7 2023, 3:14 AM.

Download Raw Diff

Details

Reviewers

Summary

If SSA copy is not in the UseCounts map, don't insert it because it should be in the ProbablyDead and map can grow and lead to a dangling reference to the LeaderUseCount.

Diff Detail

Event Timeline

vladimirradosavljevic created this revision.Aug 7 2023, 3:14 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 7 2023, 3:14 AM

Herald added subscribers: kmitropoulou, StephenFan, hiraditya. · View Herald Transcript

vladimirradosavljevic requested review of this revision.Aug 7 2023, 3:14 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 7 2023, 3:14 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Harbormaster completed remote builds in B250706: Diff 547689.Aug 7 2023, 4:33 AM

Tests?

In D157267#4568479, @kmitropoulou wrote:

Tests?

Adding a small reproducer for this would be tricky, as we would need to hit the case where UseCounts map grows on the following line:

unsigned &IIUseCount = UseCounts[II];

This problem was caught by the sanitizers and here is the small trace:

READ of size 4 at 0x61d0000db3d8 thread T0
#0 0x7fcf39604358 in eliminateInstructions llvm/lib/Transforms/Scalar/NewGVN.cpp:4123

freed by thread T0 here:
#8 0x7fcf396040f0 in eliminateInstructions llvm/lib/Transforms/Scalar/NewGVN.cpp:4119

previously allocated by thread T0 here:
#9 0x7fcf395e967c in convertClassToDFSOrdered llvm/lib/Transforms/Scalar/NewGVN.cpp:3688

Here is what happens:

auto &LeaderUseCount = UseCounts[DominatingLeader]; <--- Taking reference
....
unsigned &IIUseCount = UseCounts[II]; <-- DenseMap grows under the hood
....
++LeaderUseCount; <--- Accessing freed memory

Managed to create a test case that reproduces this issue using the llvm-reduce tool. Please take a look.

Harbormaster completed remote builds in B253158: Diff 551049.Aug 17 2023, 4:03 AM

kmitropoulou added inline comments.Aug 18 2023, 2:19 PM

llvm/lib/Transforms/Scalar/NewGVN.cpp
4117–4118	The test case does not crash in my workspace. Anyway, I think the problem is here. If II is not in the UseCounts map, then it just adds it and it returns zero. Will the following change solve the problem? if (isSSACopy) { auto It = UseCounts.find(II); if (It != UseCounts.end()) { unsigned &IIUseCount = It->second; if (--IIUseCount == 0) ProbablyDead.insert(II); } }

vladimirradosavljevic added inline comments.Aug 21 2023, 4:32 AM

llvm/lib/Transforms/Scalar/NewGVN.cpp
4117–4118	Could you please try to run it with valgrind/sanitizers, because it happens occasionally and this is why it is such a dangerous bug. Yes, proposed solution fixes the problem. Please note that I'm not familiar with the NewGVN pass, but if II is not in UseCounts map, should we also insert it into ProbablyDead?

kmitropoulou added inline comments.Aug 22 2023, 7:04 PM

llvm/lib/Transforms/Scalar/NewGVN.cpp
4117–4118	I am not expert on this part of NewGVN, but I think that if II is in UseCounts map, then II should be already in ProbablyDead. This logic is towards the bottom of convertClassToDFSOrdered() . Regarding the test, if it crashes with the sanitizer, then it is OK. But, the test is way too big. Please make it smaller. Since NewGVN is not enabled by default, we should run the tests from test-suite with NewGVN enabled. Please be aware that there are some tests that are failing due to NewGVN.

kmitropoulou added inline comments.Aug 23 2023, 9:56 AM

llvm/lib/Transforms/Scalar/NewGVN.cpp
4117–4118	I am sorry I meant: I think that if II is not in UseCounts map, then II should be already in ProbablyDead.

Comments addressed.

vladimirradosavljevic added inline comments.Aug 24 2023, 3:46 AM

llvm/lib/Transforms/Scalar/NewGVN.cpp
4117–4118	Thanks for the clarification! I submitted the new patch with your suggestion. Regarding the test case, it is the smallest reproducer I managed to create, and I used llvm-reduce test to do so.

Harbormaster completed remote builds in B254591: Diff 553063.Aug 24 2023, 4:23 AM

Ping.

LGTM! Please change the title to something like:
Decrement UseCount only if SSA copy has a use.

vladimirradosavljevic retitled this revision from [NewGVN] Don't always update use counts for SSA copies to [NewGVN] Decrement UseCount only if SSA copy has an use.Sep 8 2023, 1:27 AM

In D157267#4641527, @kmitropoulou wrote:

LGTM! Please change the title to something like:
Decrement UseCount only if SSA copy has a use.

@kmitropoulou Done!

Thanks for the review! Could you please commit this on my behalf?
E-Mail: Vladimir Radosavljevic <vr@matterlabs.dev>

I will do it :)

kmitropoulou mentioned this in rG798f2465f3df: [NewGVN] Decrement UseCount only if SSA copy has one use.Sep 11 2023, 6:09 PM

The patch was merged in:

commit 3a318382baceacc94992f0239636d6d243a57565

Can you please close the ticket?

Merged in rG798f2465f3dfdbe21463f3008c51a6e63cc271c2.
@kmitropoulou Thanks!

Revision Contents

Path

Size

llvm/

lib/

Transforms/

Scalar/

NewGVN.cpp

9 lines

test/

Transforms/

NewGVN/

crash-usecounts.ll

156 lines

Diff 553063

llvm/lib/Transforms/Scalar/NewGVN.cpp

Show First 20 Lines • Show All 4,108 Lines • ▼ Show 20 Lines	if (alwaysAvailable(Leader)) {
// This is now a use of the dominating leader, which means if the		// This is now a use of the dominating leader, which means if the
// dominating leader was dead, it's now live!		// dominating leader was dead, it's now live!
auto &LeaderUseCount = UseCounts[DominatingLeader];		auto &LeaderUseCount = UseCounts[DominatingLeader];
// It's about to be alive again.		// It's about to be alive again.
if (LeaderUseCount == 0 && isa<Instruction>(DominatingLeader))		if (LeaderUseCount == 0 && isa<Instruction>(DominatingLeader))
ProbablyDead.erase(cast<Instruction>(DominatingLeader));		ProbablyDead.erase(cast<Instruction>(DominatingLeader));
// For copy instructions, we use their operand as a leader,		// For copy instructions, we use their operand as a leader,
// which means we remove a user of the copy and it may become dead.		// which means we remove a user of the copy and it may become dead.
if (isSSACopy) {		if (isSSACopy) {
unsigned &IIUseCount = UseCounts[II];		auto It = UseCounts.find(II);
		kmitropoulouUnsubmitted Not Done Reply Inline Actions The test case does not crash in my workspace. Anyway, I think the problem is here. If II is not in the UseCounts map, then it just adds it and it returns zero. Will the following change solve the problem? if (isSSACopy) { auto It = UseCounts.find(II); if (It != UseCounts.end()) { unsigned &IIUseCount = It->second; if (--IIUseCount == 0) ProbablyDead.insert(II); } } kmitropoulou: The test case does not crash in my workspace. Anyway, I think the problem is here. If II is not…
		vladimirradosavljevicAuthorUnsubmitted Done Reply Inline Actions Could you please try to run it with valgrind/sanitizers, because it happens occasionally and this is why it is such a dangerous bug. Yes, proposed solution fixes the problem. Please note that I'm not familiar with the NewGVN pass, but if II is not in UseCounts map, should we also insert it into ProbablyDead? vladimirradosavljevic: Could you please try to run it with valgrind/sanitizers, because it happens occasionally and…
		kmitropoulouUnsubmitted Not Done Reply Inline Actions I am not expert on this part of NewGVN, but I think that if II is in UseCounts map, then II should be already in ProbablyDead. This logic is towards the bottom of convertClassToDFSOrdered() . Regarding the test, if it crashes with the sanitizer, then it is OK. But, the test is way too big. Please make it smaller. Since NewGVN is not enabled by default, we should run the tests from test-suite with NewGVN enabled. Please be aware that there are some tests that are failing due to NewGVN. kmitropoulou: I am not expert on this part of NewGVN, but I think that if II is in UseCounts map, then II…
		kmitropoulouUnsubmitted Not Done Reply Inline Actions I am sorry I meant: I think that if II is not in UseCounts map, then II should be already in ProbablyDead. kmitropoulou: I am sorry I meant: I think that if II is not in UseCounts map, then II should be already in…
		vladimirradosavljevicAuthorUnsubmitted Done Reply Inline Actions Thanks for the clarification! I submitted the new patch with your suggestion. Regarding the test case, it is the smallest reproducer I managed to create, and I used llvm-reduce test to do so. vladimirradosavljevic: Thanks for the clarification! I submitted the new patch with your suggestion. Regarding the…
		if (It != UseCounts.end()) {
		unsigned &IIUseCount = It->second;
if (--IIUseCount == 0)		if (--IIUseCount == 0)
ProbablyDead.insert(II);		ProbablyDead.insert(II);
}		}
		}
++LeaderUseCount;		++LeaderUseCount;
AnythingReplaced = true;		AnythingReplaced = true;
}		}
}		}
}		}

// At this point, anything still in the ProbablyDead set is actually dead if		// At this point, anything still in the ProbablyDead set is actually dead if
// would be trivially dead.		// would be trivially dead.
▲ Show 20 Lines • Show All 130 Lines • Show Last 20 Lines

llvm/test/Transforms/NewGVN/crash-usecounts.ll

This file was added.

				; RUN: opt -passes=newgvn -disable-output < %s

				define void @test(i1 %arg, i1 %arg1) {
				bb:
				%alloca = alloca i64, i32 0, align 8
				%alloca2 = alloca i64, i32 0, align 8
				%load = load i64, ptr null, align 8
				%icmp = icmp ult i64 0, %load
				br i1 %icmp, label %bb24, label %bb25

				bb24: ; preds = %bb
				unreachable

				bb25: ; preds = %bb
				store i64 %load, ptr %alloca, align 8
				%load26 = load i64, ptr addrspace(1) null, align 8
				%icmp27 = icmp ugt i64 %load26, 1
				br i1 %icmp27, label %bb28, label %bb29

				bb28: ; preds = %bb25
				unreachable

				bb29: ; preds = %bb25
				%icmp30 = icmp ugt i64 %load26, 0
				br i1 %icmp30, label %bb34, label %bb31

				bb31: ; preds = %bb38, %bb29
				%load32 = load i64, ptr addrspace(1) null, align 8
				%icmp33 = icmp ugt i64 %load32, 1
				br i1 %icmp33, label %bb42, label %bb43

				bb34: ; preds = %bb29
				%load35 = load i64, ptr addrspace(1) null, align 8
				store i64 %load35, ptr null, align 8
				%load36 = load i64, ptr null, align 8
				br label %bb37

				bb37: ; preds = %bb37, %bb34
				%phi = phi i64 [ 0, %bb37 ], [ %load36, %bb34 ]
				%inttoptr = inttoptr i64 %phi to ptr addrspace(1)
				br i1 false, label %bb37, label %bb38

				bb38: ; preds = %bb37
				%load39 = load i64, ptr null, align 8
				%inttoptr40 = inttoptr i64 %load39 to ptr addrspace(1)
				%load41 = load i64, ptr addrspace(1) %inttoptr40, align 8
				%shl = shl i64 %load26, 0
				%and = and i64 %shl, 0
				br label %bb31

				bb42: ; preds = %bb31
				unreachable

				bb43: ; preds = %bb31
				%load44 = load i64, ptr null, align 8
				%load45 = load i64, ptr null, align 8
				%icmp46 = icmp ugt i64 1, %load45
				br i1 %icmp46, label %bb51, label %bb60

				bb47: ; preds = %bb60, %bb55, %bb51
				%load48 = load i64, ptr %alloca, align 8
				%inttoptr49 = inttoptr i64 %load48 to ptr addrspace(1)
				%load50 = load i64, ptr addrspace(1) %inttoptr49, align 8
				br i1 %arg, label %bb63, label %bb75

				bb51: ; preds = %bb43
				%load52 = load i64, ptr addrspace(1) null, align 8
				store i64 %load52, ptr %alloca2, align 8
				%load53 = load i64, ptr null, align 8
				store i64 %load53, ptr null, align 8
				%icmp54 = icmp ult i64 0, %load32
				br i1 %icmp54, label %bb55, label %bb47

				bb55: ; preds = %bb51
				%load56 = load i64, ptr null, align 8
				%or = or i64 %load56, 0
				%inttoptr57 = inttoptr i64 %or to ptr addrspace(1)
				%load58 = load i64, ptr addrspace(1) %inttoptr57, align 8
				%and59 = and i64 %load32, 0
				br label %bb47

				bb60: ; preds = %bb43
				%or61 = or i64 %load44, 0
				%load62 = load i64, ptr addrspace(1) null, align 8
				store i64 %load62, ptr null, align 8
				br label %bb47

				bb63: ; preds = %bb47
				%load64 = load i64, ptr addrspace(1) inttoptr (i64 64 to ptr addrspace(1)), align 8
				%inttoptr65 = inttoptr i64 %load64 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr65, align 8
				%or66 = or i64 %load64, 4
				%inttoptr67 = inttoptr i64 %or66 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr67, align 8
				%or68 = or i64 %load64, 36
				%inttoptr69 = inttoptr i64 %or68 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr69, align 8
				%or70 = or i64 %load64, 68
				%inttoptr71 = inttoptr i64 %or70 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr71, align 8
				%load72 = load i64, ptr null, align 8
				%shl73 = shl i64 %load72, 0
				%or74 = or i64 %shl73, 0
				store i64 %or74, ptr null, align 8
				unreachable

				bb75: ; preds = %bb47
				br i1 %arg1, label %bb88, label %bb76

				bb76: ; preds = %bb75
				%load77 = load i64, ptr addrspace(1) inttoptr (i64 64 to ptr addrspace(1)), align 8
				%inttoptr78 = inttoptr i64 %load77 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr78, align 8
				%or79 = or i64 %load77, 4
				%inttoptr80 = inttoptr i64 %or79 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr80, align 8
				%or81 = or i64 %load77, 36
				%inttoptr82 = inttoptr i64 %or81 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr82, align 8
				%or83 = or i64 %load77, 68
				%inttoptr84 = inttoptr i64 %or83 to ptr addrspace(1)
				store i64 0, ptr addrspace(1) %inttoptr84, align 8
				%load85 = load i64, ptr null, align 8
				%shl86 = shl i64 %load85, 0
				%or87 = or i64 %shl86, 0
				store i64 %or87, ptr null, align 8
				unreachable

				bb88: ; preds = %bb75
				%load89 = load i64, ptr addrspace(1) null, align 8
				%icmp90 = icmp ugt i64 %load89, 0
				br i1 %icmp90, label %bb91, label %bb92

				bb91: ; preds = %bb88
				unreachable

				bb92: ; preds = %bb88
				br i1 false, label %bb93, label %bb95

				bb93: ; preds = %bb93, %bb92
				%phi94 = phi i64 [ 0, %bb93 ], [ %load89, %bb92 ]
				br label %bb93

				bb95: ; preds = %bb92
				%load96 = load i64, ptr null, align 8
				br label %bb98

				bb97: ; preds = %bb98
				ret void

				bb98: ; preds = %bb98, %bb95
				%phi99 = phi i64 [ %load96, %bb95 ], [ 0, %bb98 ]
				%inttoptr100 = inttoptr i64 %phi99 to ptr
				%load101 = load i64, ptr %inttoptr100, align 8
				br i1 false, label %bb98, label %bb97
				}