This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/CodeGen/GlobalISel/
-
CodeGen/
-
GlobalISel/
1/2
IRTranslator.cpp

Differential D33224

[GISel]: Fix more Undefined behavior in GlobalISel::IRTranslator
ClosedPublic

Authored by aditya_nandakumar on May 15 2017, 5:58 PM.

Download Raw Diff

Details

Reviewers

qcolombet
ab
t.p.northover
dsanders
rovka

Summary

Turns out the MachineIRBuilder holds on references to TrackingMDRef (and IRTranslator has MachineIRBuilder objects). When the context gets destroyed, first all the MDRefs are deallocated and then the passes are destroyed. When the IRTranslator is about to get destroyed, it's destructor would end up trying to destroy the trackingMDRefs which the builders held on to leading to Undefined behavior.
Fix this by explicitly default constructing the MachineIRBuidlers at the end of runOnMachineFunction.

Diff Detail

Event Timeline

aditya_nandakumar created this revision.May 15 2017, 5:58 PM

Herald added subscribers: igorb, kristof.beyls. · View Herald TranscriptMay 15 2017, 5:58 PM

Is it possible to add a test case for this? It seems that a test where the last instruction has a DILocation should trigger it.

lib/CodeGen/GlobalISel/IRTranslator.cpp
1132–1140	Based on our discussion off-list it was my understanding that ~IRTranslator() wasn't the only trigger for this. Wasn't the call to MachineIRBuilder::setMF() in IRTranslator::runOnMachineFunction() also triggering it? If so, I'd suggest adapting this comment to talk about the MachineIRBuilder/DebugLoc outliving the DILocation it holds rather than going into detail about the LLVMContext case. That way it will cover both.

Updated comment based on Daniel's feedback.

LGTM

lib/CodeGen/GlobalISel/IRTranslator.cpp
1132–1134	One tiny nit: Doxygen comments don't do anything here as far as I know so these should use `//`

This revision is now accepted and ready to land.May 17 2017, 2:55 AM

Submitted in r303277

Revision Contents

Path

Size

lib/

CodeGen/

GlobalISel/

IRTranslator.cpp

5 lines

Diff 99200

lib/CodeGen/GlobalISel/IRTranslator.cpp

	Show First 20 Lines • Show All 1,123 Lines • ▼ Show 20 Lines

	void IRTranslator::finalizeFunction() {			void IRTranslator::finalizeFunction() {
	// Release the memory used by the different maps we			// Release the memory used by the different maps we
	// needed during the translation.			// needed during the translation.
	PendingPHIs.clear();			PendingPHIs.clear();
	ValToVReg.clear();			ValToVReg.clear();
	FrameIndices.clear();			FrameIndices.clear();
	MachinePreds.clear();			MachinePreds.clear();
				/// MachineIRBuilder::DebugLoc can outlive the DILocation it holds. Clear it
				/// to avoid accessing free’d memory (in runOnMachineFunction) and to avoid
				/// destroying it twice (in ~IRTranslator() and ~LLVMContext())
				dsandersUnsubmitted Not Done Reply Inline Actions One tiny nit: Doxygen comments don't do anything here as far as I know so these should use `//` dsanders: One tiny nit: Doxygen comments don't do anything here as far as I know so these should use `//`
				EntryBuilder = MachineIRBuilder();
				CurBuilder = MachineIRBuilder();
	}			}

	bool IRTranslator::runOnMachineFunction(MachineFunction &CurMF) {			bool IRTranslator::runOnMachineFunction(MachineFunction &CurMF) {
	MF = &CurMF;			MF = &CurMF;
				dsandersUnsubmitted Done Reply Inline Actions Based on our discussion off-list it was my understanding that ~IRTranslator() wasn't the only trigger for this. Wasn't the call to MachineIRBuilder::setMF() in IRTranslator::runOnMachineFunction() also triggering it? If so, I'd suggest adapting this comment to talk about the MachineIRBuilder/DebugLoc outliving the DILocation it holds rather than going into detail about the LLVMContext case. That way it will cover both. dsanders: Based on our discussion off-list it was my understanding that ~IRTranslator() wasn't the only…
	const Function &F = *MF->getFunction();			const Function &F = *MF->getFunction();
	if (F.empty())			if (F.empty())
	return false;			return false;
	CLI = MF->getSubtarget().getCallLowering();			CLI = MF->getSubtarget().getCallLowering();
	CurBuilder.setMF(*MF);			CurBuilder.setMF(*MF);
	EntryBuilder.setMF(*MF);			EntryBuilder.setMF(*MF);
	MRI = &MF->getRegInfo();			MRI = &MF->getRegInfo();
	DL = &F.getParent()->getDataLayout();			DL = &F.getParent()->getDataLayout();
	▲ Show 20 Lines • Show All 95 Lines • Show Last 20 Lines