This is an archive of the discontinued LLVM Phabricator instance.

Differential D22419

[CFG] Fix crash in thread sanitizer.
ClosedPublic

Authored by nandor on Jul 15 2016, 11:56 AM.

Details

Reviewers
dcoughlin
NoQ
dexonsmith
Commits
rG2a531d02a485: Merging r277522: --------------------------------------------------------------…
rG6eb1ca74165a: [CFG] Fix crash finding destructor of lifetime-extended temporary.
rC277522: [CFG] Fix crash finding destructor of lifetime-extended temporary.
rL277522: [CFG] Fix crash finding destructor of lifetime-extended temporary.
Summary

clang was crashing with -Wthread-safety due to the incorrect construction of the CFG when dealing with C++ lifetime-extending constructs.

struct Holder {
  virtual ~Holder() throw() {}
  int i = 0;
};

int main() {
  const auto &value = Holder().i;
}

This patch fixes the crash by correctly identifying the destructor.

Diff Detail

Repository
rL LLVM

Event Timeline

nandor updated this revision to Diff 64177.Jul 15 2016, 11:56 AM
nandor retitled this revision from to [CFG] Fix crash in thread sanitizer..
nandor updated this object.
nandor added a reviewer: krememek.
nandor added a subscriber: cfe-commits.Jul 17 2016, 10:47 PM
nandor updated this revision to Diff 64368.Jul 18 2016, 1:09 PM

Fixed typo

nandor added a reviewer: doug.gregor.Jul 19 2016, 5:09 PM
dcoughlin added a reviewer: dcoughlin.Jul 23 2016, 9:17 AM
dcoughlin edited edge metadata.
dcoughlin added a subscriber: dcoughlin.

This is https://llvm.org/bugs/show_bug.cgi?id=28666

nandor added a comment.Jul 25 2016, 9:54 AM

ping?

zaks.anna edited reviewers, added: NoQ, dexonsmith; removed: doug.gregor, krememek.Jul 25 2016, 10:12 AM
NoQ edited edge metadata.Jul 26 2016, 2:17 AM

Thanks for working on this!

While i probably won't be of much help (no expert in temporaries yet), i notice that this code piece (with getReferenceInitTemporaryType()) seems to be duplicated at least three times in this file, with slight variations and FIXMEs. So i guess this needs some care, not necessarily in this patch.

lib/Analysis/CFG.cpp
3910 ↗(On Diff #64368)

Simple ty->isReferenceType() should work as well (the overloaded operator ->() in QualType).

3912–3914 ↗(On Diff #64368)

Is this sequence of checks certainly needed? All tests seem to pass without it. Or maybe it's also needed in addAutomaticObjectDtors()? Perhaps just nest these checks inside getReferenceInitTemporaryType()?

nandor updated this revision to Diff 65545.Jul 26 2016, 9:43 AM
nandor edited edge metadata.
nandor marked an inline comment as done.

removed redundant checks

nandor added a comment.Jul 26 2016, 9:43 AM

I'm not an expert in temporaries either, I think for a proper fix a lot more work is required.

It seems that the problem is with locating destructors in destructor calls. I get the impression that currently a destructor node pointing to the declaration is added and the type that is actually destroyed is inferred from the expression every time it is needed. I think destructors should be able to point to specific temporary subexpressions that they destroy in order to deal with multiple temporaries from the same expression.

This fix only ensures that all scenarios which lead to a placement of such a destructor node are handled so no SIGSEV occurs due to a destructor being added, but not handled at all later on.

lib/Analysis/CFG.cpp
3912–3914 ↗(On Diff #64368)

It seems like getReferenceInitTemporaryType includes these two statements, we can remove them from here.

nandor added a comment.Aug 2 2016, 10:18 AM

ping

dcoughlin accepted this revision.Aug 2 2016, 1:58 PM
dcoughlin edited edge metadata.

LGTM. I will commit. Thanks Nandor!

This revision is now accepted and ready to land.Aug 2 2016, 1:58 PM
Closed by commit rL277522: [CFG] Fix crash finding destructor of lifetime-extended temporary. (authored by dcoughlin). · Explain WhyAug 2 2016, 2:15 PM
This revision was automatically updated to reflect the committed changes.
NoQ mentioned this in D26839: [analyzer] An attempt to fix pr19539 - crashes on temporaries life-extended via members.Nov 17 2016, 11:29 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
Analysis/
12 lines
test/
SemaCXX/
15 lines

Diff 66554

cfe/trunk/lib/Analysis/CFG.cpp

Show First 20 LinesShow All 3,896 Lines▼ Show 20 Lines switch (getKind()) {
case CFGElement::Statement: case CFGElement::Statement:
case CFGElement::Initializer: case CFGElement::Initializer:
case CFGElement::NewAllocator: case CFGElement::NewAllocator:
llvm_unreachable("getDestructorDecl should only be used with " llvm_unreachable("getDestructorDecl should only be used with "
"ImplicitDtors"); "ImplicitDtors");
case CFGElement::AutomaticObjectDtor: { case CFGElement::AutomaticObjectDtor: {
const VarDecl *var = castAs<CFGAutomaticObjDtor>().getVarDecl(); const VarDecl *var = castAs<CFGAutomaticObjDtor>().getVarDecl();
QualType ty = var->getType(); QualType ty = var->getType();
ty = ty.getNonReferenceType();
// FIXME: See CFGBuilder::addLocalScopeForVarDecl.
//
// Lifetime-extending constructs are handled here. This works for a single
// temporary in an initializer expression.
if (ty->isReferenceType()) {
if (const Expr *Init = var->getInit()) {
ty = getReferenceInitTemporaryType(astContext, Init);
}
}
while (const ArrayType *arrayType = astContext.getAsArrayType(ty)) { while (const ArrayType *arrayType = astContext.getAsArrayType(ty)) {
ty = arrayType->getElementType(); ty = arrayType->getElementType();
} }
const RecordType *recordType = ty->getAs<RecordType>(); const RecordType *recordType = ty->getAs<RecordType>();
const CXXRecordDecl *classDecl = const CXXRecordDecl *classDecl =
cast<CXXRecordDecl>(recordType->getDecl()); cast<CXXRecordDecl>(recordType->getDecl());
return classDecl->getDestructor(); return classDecl->getDestructor();
} }
▲ Show 20 LinesShow All 768 LinesShow Last 20 Lines

cfe/trunk/test/SemaCXX/warn-thread-safety-analysis.cpp

Show First 20 LinesShow All 5,154 Lines▼ Show 20 Linesvoid test3() {
mu1.Lock(); // expected-warning {{mutex 'mu1' must be acquired before 'mu2'}} mu1.Lock(); // expected-warning {{mutex 'mu1' must be acquired before 'mu2'}}
mu1.Unlock(); mu1.Unlock();
mu2.Unlock(); mu2.Unlock();
} }
} // end namespace GlobalAcquiredBeforeAfterTest } // end namespace GlobalAcquiredBeforeAfterTest
namespace LifetimeExtensionText {
struct Holder {
virtual ~Holder() throw() {}
int i = 0;
};
void test() {
// Should not crash.
const auto &value = Holder().i;
}
} // end namespace LifetimeExtensionTest
namespace LockableUnions { namespace LockableUnions {
union LOCKABLE MutexUnion { union LOCKABLE MutexUnion {
int a; int a;
char* b; char* b;
void Lock() EXCLUSIVE_LOCK_FUNCTION(); void Lock() EXCLUSIVE_LOCK_FUNCTION();
void Unlock() UNLOCK_FUNCTION(); void Unlock() UNLOCK_FUNCTION();
Show All 21 Lines