This is an archive of the discontinued LLVM Phabricator instance.

CodeGen: Handle missed case of block removal during BlockPlacement.
ClosedPublic

Authored by iteratee on Oct 26 2016, 1:23 PM.

Download Raw Diff

Details

Reviewers

djasper
davidxl

Summary

There is a use after free bug in the existing code. Loop layout selects
a preferred exit block, and then lays out the loop. If this block is
removed during layout, it needs to be invalidated to prevent a use after
free.

Diff Detail

Event Timeline

iteratee updated this revision to Diff 75937.Oct 26 2016, 1:23 PM

iteratee retitled this revision from to CodeGen: Handle missed case of block removal during BlockPlacement..

iteratee updated this object.

iteratee added reviewers: davidxl, djasper.

iteratee set the repository for this revision to rL LLVM.

iteratee added subscribers: echristo, llvm-commits.

Can you explain the code path that leads to use after free?

I added comments to the 3 lines that show the possible use after free.

lib/CodeGen/MachineBlockPlacement.cpp
1477	ExitingBB is selected here. This is a reference to a block, and it only exists on the call stack.
1493	buildChain is called here. buildChain may tail-duplicate and remove the block referred to by ExitingBB.
1498	ExitingBB is used here, after it may have been freed.

davidxl added inline comments.Oct 27 2016, 1:47 PM

lib/CodeGen/MachineBlockPlacement.cpp
1503	Should the right fix be to move the 'findBestLoopExit' after buildChain call?

I found this by observing it in the debug logs while looking for something else, so I think the direct fix is worth committing, even if we do a better fix later.

lib/CodeGen/MachineBlockPlacement.cpp
1503	That would require re-writing findBestLoopExit to not assume that the blocks weren't all in a single chain already. We should re-write it to do that, but I think that's out of scope for an existing use after free bug.

lgtm.

As discussed, as this resolve the use after free error, it does point to possible missing loop rotation due to tail dup -- that needs to be investigated as follow up.

This revision is now accepted and ready to land.Oct 27 2016, 2:15 PM

Committed in rL285348

iteratee closed this revision.Oct 27 2016, 2:52 PM

Revision Contents

Path

Size

lib/

CodeGen/

MachineBlockPlacement.cpp

14 lines

Diff 75937

lib/CodeGen/MachineBlockPlacement.cpp

Show First 20 Lines • Show All 276 Lines • ▼ Show 20 Lines	class MachineBlockPlacement : public MachineFunctionPass {
const MachineBranchProbabilityInfo *MBPI;		const MachineBranchProbabilityInfo *MBPI;

/// \brief A handle to the function-wide block frequency pass.		/// \brief A handle to the function-wide block frequency pass.
std::unique_ptr<BranchFolder::MBFIWrapper> MBFI;		std::unique_ptr<BranchFolder::MBFIWrapper> MBFI;

/// \brief A handle to the loop info.		/// \brief A handle to the loop info.
MachineLoopInfo *MLI;		MachineLoopInfo *MLI;

		/// \brief Preferred loop exit.
		/// Member variable for convenience. It may be removed by duplication deep
		/// in the call stack.
		MachineBasicBlock *PreferredLoopExit;

/// \brief A handle to the target's instruction info.		/// \brief A handle to the target's instruction info.
const TargetInstrInfo *TII;		const TargetInstrInfo *TII;

/// \brief A handle to the target's lowering info.		/// \brief A handle to the target's lowering info.
const TargetLoweringBase *TLI;		const TargetLoweringBase *TLI;

/// \brief A handle to the post dominator tree.		/// \brief A handle to the post dominator tree.
MachineDominatorTree *MDT;		MachineDominatorTree *MDT;
▲ Show 20 Lines • Show All 1,176 Lines • ▼ Show 20 Lines	void MachineBlockPlacement::buildLoopChains(MachineLoop &L) {
// fewer branches in the loop body.		// fewer branches in the loop body.
// When we use profile data to rotate the loop, this is unnecessary.		// When we use profile data to rotate the loop, this is unnecessary.
MachineBasicBlock *LoopTop =		MachineBasicBlock *LoopTop =
RotateLoopWithProfile ? L.getHeader() : findBestLoopTop(L, LoopBlockSet);		RotateLoopWithProfile ? L.getHeader() : findBestLoopTop(L, LoopBlockSet);

// If we selected just the header for the loop top, look for a potentially		// If we selected just the header for the loop top, look for a potentially
// profitable exit block in the event that rotating the loop can eliminate		// profitable exit block in the event that rotating the loop can eliminate
// branches by placing an exit edge at the bottom.		// branches by placing an exit edge at the bottom.
MachineBasicBlock *ExitingBB = nullptr;		PreferredLoopExit = nullptr;
iterateeAuthorUnsubmitted Not Done Reply Inline Actions ExitingBB is selected here. This is a reference to a block, and it only exists on the call stack. iteratee: ExitingBB is selected here. This is a reference to a block, and it only exists on the call…
if (!RotateLoopWithProfile && LoopTop == L.getHeader())		if (!RotateLoopWithProfile && LoopTop == L.getHeader())
ExitingBB = findBestLoopExit(L, LoopBlockSet);		PreferredLoopExit = findBestLoopExit(L, LoopBlockSet);

BlockChain &LoopChain = *BlockToChain[LoopTop];		BlockChain &LoopChain = *BlockToChain[LoopTop];

// FIXME: This is a really lame way of walking the chains in the loop: we		// FIXME: This is a really lame way of walking the chains in the loop: we
// walk the blocks, and use a set to prevent visiting a particular chain		// walk the blocks, and use a set to prevent visiting a particular chain
// twice.		// twice.
SmallPtrSet<BlockChain *, 4> UpdatedPreds;		SmallPtrSet<BlockChain *, 4> UpdatedPreds;
assert(LoopChain.UnscheduledPredecessors == 0);		assert(LoopChain.UnscheduledPredecessors == 0);
UpdatedPreds.insert(&LoopChain);		UpdatedPreds.insert(&LoopChain);

for (MachineBasicBlock *LoopBB : LoopBlockSet)		for (MachineBasicBlock *LoopBB : LoopBlockSet)
fillWorkLists(LoopBB, UpdatedPreds, &LoopBlockSet);		fillWorkLists(LoopBB, UpdatedPreds, &LoopBlockSet);

buildChain(LoopTop, LoopChain, &LoopBlockSet);		buildChain(LoopTop, LoopChain, &LoopBlockSet);
iterateeAuthorUnsubmitted Not Done Reply Inline Actions buildChain is called here. buildChain may tail-duplicate and remove the block referred to by ExitingBB. iteratee: buildChain is called here. buildChain may tail-duplicate and remove the block referred to by…

if (RotateLoopWithProfile)		if (RotateLoopWithProfile)
rotateLoopWithProfile(LoopChain, L, LoopBlockSet);		rotateLoopWithProfile(LoopChain, L, LoopBlockSet);
else		else
rotateLoop(LoopChain, ExitingBB, LoopBlockSet);		rotateLoop(LoopChain, PreferredLoopExit, LoopBlockSet);
iterateeAuthorUnsubmitted Not Done Reply Inline Actions ExitingBB is used here, after it may have been freed. iteratee: ExitingBB is used here, after it may have been freed.
		davidxlUnsubmitted Not Done Reply Inline Actions Should the right fix be to move the 'findBestLoopExit' after buildChain call? davidxl: Should the right fix be to move the 'findBestLoopExit' after buildChain call?
		iterateeAuthorUnsubmitted Not Done Reply Inline Actions That would require re-writing findBestLoopExit to not assume that the blocks weren't all in a single chain already. We should re-write it to do that, but I think that's out of scope for an existing use after free bug. iteratee: That would require re-writing findBestLoopExit to not assume that the blocks weren't all in a…

DEBUG({		DEBUG({
// Crash at the end so we get all of the debugging output first.		// Crash at the end so we get all of the debugging output first.
bool BadLoop = false;		bool BadLoop = false;
if (LoopChain.UnscheduledPredecessors) {		if (LoopChain.UnscheduledPredecessors) {
BadLoop = true;		BadLoop = true;
dbgs() << "Loop chain contains a block without its preds placed!\n"		dbgs() << "Loop chain contains a block without its preds placed!\n"
<< " Loop header: " << getBlockName(*L.block_begin()) << "\n"		<< " Loop header: " << getBlockName(*L.block_begin()) << "\n"
▲ Show 20 Lines • Show All 416 Lines • ▼ Show 20 Lines	auto RemovalCallback =

// Handle the filter set		// Handle the filter set
if (BlockFilter) {		if (BlockFilter) {
BlockFilter->erase(RemBB);		BlockFilter->erase(RemBB);
}		}

// Remove the block from loop info.		// Remove the block from loop info.
MLI->removeBlock(RemBB);		MLI->removeBlock(RemBB);
		if (RemBB == PreferredLoopExit)
		PreferredLoopExit = nullptr;

// TailDuplicator handles removing it from loops.
DEBUG(dbgs() << "TailDuplicator deleted block: "		DEBUG(dbgs() << "TailDuplicator deleted block: "
<< getBlockName(RemBB) << "\n");		<< getBlockName(RemBB) << "\n");
};		};
auto RemovalCallbackRef =		auto RemovalCallbackRef =
llvm::function_ref<void(MachineBasicBlock*)>(RemovalCallback);		llvm::function_ref<void(MachineBasicBlock*)>(RemovalCallback);

SmallVector<MachineBasicBlock *, 8> DuplicatedPreds;		SmallVector<MachineBasicBlock *, 8> DuplicatedPreds;
TailDup.tailDuplicateAndUpdate(IsSimple, BB, LPred,		TailDup.tailDuplicateAndUpdate(IsSimple, BB, LPred,
▲ Show 20 Lines • Show All 168 Lines • Show Last 20 Lines