This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/llvm/Analysis/
-
llvm/
-
Analysis/
-
MemoryBuiltins.h
-
lib/
-
Analysis/
6
MemoryBuiltins.cpp
-
Transforms/InstCombine/
-
InstCombine/
2
InstructionCombining.cpp
-
test/Transforms/InstCombine/
-
Transforms/
-
InstCombine/
-
pr34581.ll

Differential D37933

Prevent InstCombine from miscompiling `operator delete`
AbandonedPublic

Authored by davide on Sep 15 2017, 2:42 PM.

Download Raw Diff

Details

Reviewers

majnemer
rsmith
qcolombet

Summary

It's not legal inventing calls to operator delete.

Diff Detail

Event Timeline

davide created this revision.Sep 15 2017, 2:42 PM

Side note: instcombine speculates these calls to free using pattern matching.
In my opinion, it shouldn't. Hoisting shouldn't be done in instcombine, and hoisting shouldn't be done on a per-name basis. Presumably, the frontend should attach an attribute to this call to make sure they can be hoisted.
If there's not enough information in the frontend, then the middle-end should compute this information (the attribute) and then some pass should be responsible for the sinking/hoisting.

rsmith added inline comments.Sep 15 2017, 3:06 PM

lib/Analysis/MemoryBuiltins.cpp
351	This is a really confusing name. It sounds like it's detecting whether a call is free of side-effects, whereas it's actually detecting whether the call is to a `free`-like function that has side-effects.
363–368	I really don't like duplicating this list here, in a way that means we would miscompile again if the list in `isFreeCall` is extended but this list is not. (Notably, this list is already missing cases from `isFreeCall`, and as it happens, the one in `isFreeCall` is also missing cases.) Perhaps instead changing this function to determine whether a call is known to be side-effect free when given a null pointer, and special-casing the very small number of functions for which that's true, would be a better and more maintainable approach?
393–394	Note that this function returns the wrong value for a `nobuiltin` call, and thus may still miscompile calls to `free` when building with `-fno-builtin=free`.
lib/Transforms/InstCombine/InstructionCombining.cpp
2231	This is wrong too. Either passing `undef` to any pointer parameter in a function call results in UB, or you cannot assume that passing `undef` to `::operator delete` results in UB. The user-provided `::operator delete` might ignore its argument, for example. I don't know if this is the reason, but LLVM miscompiles calls to `operator delete` in cases where it ignores its argument too: https://godbolt.org/g/dvvirQ
2242	Wrong for `operator delete`.

So, from what I can see no transformation made for free() is valid in case of operator delete.
What do you think instead of introducing a predicate isCallToOperatorDelete() and bail out at the beginning of visitFree() ?
Alternatively, we could add a boolean argument to isFreeCall() which doesn't include operator delete (still trying to pick a name for the argument).

I'm leaning towards 1), what do you think?

lib/Analysis/MemoryBuiltins.cpp
351	Not really happy about the name either, have a better proposal?

In D37933#872815, @davide wrote:

So, from what I can see no transformation made for free() is valid in case of operator delete.
What do you think instead of introducing a predicate isCallToOperatorDelete() and bail out at the beginning of visitFree() ?

Sounds fine (but we should also check whether the call is a nobuiltin call to free, which should also not be optimized).

lib/Analysis/MemoryBuiltins.cpp
351	Maybe `freeCallHasSideEffects`? (Or, if we revert the sense of this as suggested below, `freeCallHasNoSideEffects`.)
352–353	This should presumably also be checking whether the call is `nobuiltin`.

Hi @davide, do you have any plans to address this issue? Regards.

https://reviews.llvm.org/D79378 addresses this issue and moves the optimization to the frontend where it can be done correctly.

This is really ancient history.

Revision Contents

Path

Size

include/

llvm/

Analysis/

MemoryBuiltins.h

3 lines

lib/

Analysis/

MemoryBuiltins.cpp

20 lines

Transforms/

InstCombine/

InstructionCombining.cpp

4 lines

test/

Transforms/

InstCombine/

pr34581.ll

32 lines

Diff 115501

include/llvm/Analysis/MemoryBuiltins.h

Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines	static inline CallInst extractCallocCall(Value I,
return const_cast<CallInst>(extractCallocCall((const Value)I, TLI));		return const_cast<CallInst>(extractCallocCall((const Value)I, TLI));
}		}


//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// free Call Utility Functions.		// free Call Utility Functions.
//		//

		/// hasSideEffectsFreeCall - Returns true if the call has side effects.
		bool hasSideEffectsFreeCall(const CallInst *CI, const TargetLibraryInfo &TLI);

/// isFreeCall - Returns non-null if the value is a call to the builtin free()		/// isFreeCall - Returns non-null if the value is a call to the builtin free()
const CallInst isFreeCall(const Value I, const TargetLibraryInfo *TLI);		const CallInst isFreeCall(const Value I, const TargetLibraryInfo *TLI);

static inline CallInst isFreeCall(Value I, const TargetLibraryInfo *TLI) {		static inline CallInst isFreeCall(Value I, const TargetLibraryInfo *TLI) {
return const_cast<CallInst>(isFreeCall((const Value)I, TLI));		return const_cast<CallInst>(isFreeCall((const Value)I, TLI));
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
▲ Show 20 Lines • Show All 168 Lines • Show Last 20 Lines

lib/Analysis/MemoryBuiltins.cpp

Show First 20 Lines • Show All 342 Lines • ▼ Show 20 Lines

/// extractCallocCall - Returns the corresponding CallInst if the instruction		/// extractCallocCall - Returns the corresponding CallInst if the instruction
/// is a calloc call.		/// is a calloc call.
const CallInst llvm::extractCallocCall(const Value I,		const CallInst llvm::extractCallocCall(const Value I,
const TargetLibraryInfo *TLI) {		const TargetLibraryInfo *TLI) {
return isCallocLikeFn(I, TLI) ? cast<CallInst>(I) : nullptr;		return isCallocLikeFn(I, TLI) ? cast<CallInst>(I) : nullptr;
}		}

		/// hasSideEffectsFreeCall - Returns true if the call has side effects.
		rsmithUnsubmitted Not Done Reply Inline Actions This is a really confusing name. It sounds like it's detecting whether a call is free of side-effects, whereas it's actually detecting whether the call is to a `free`-like function that has side-effects. rsmith: This is a really confusing name. It sounds like it's detecting whether a call is free of side…
		davideAuthorUnsubmitted Not Done Reply Inline Actions Not really happy about the name either, have a better proposal? davide: Not really happy about the name either, have a better proposal?
		rsmithUnsubmitted Not Done Reply Inline Actions Maybe `freeCallHasSideEffects`? (Or, if we revert the sense of this as suggested below, `freeCallHasNoSideEffects`.) rsmith: Maybe `freeCallHasSideEffects`? (Or, if we revert the sense of this as suggested below…
		bool llvm::hasSideEffectsFreeCall(const CallInst *CI,
		const TargetLibraryInfo &TLI) {
		rsmithUnsubmitted Not Done Reply Inline Actions This should presumably also be checking whether the call is `nobuiltin`. rsmith: This should presumably also be checking whether the call is `nobuiltin`.
		Function *Callee = CI->getCalledFunction();
		if (Callee == nullptr)
		return false;

		StringRef FnName = Callee->getName();
		LibFunc TLIFn;
		if (!TLI.getLibFunc(FnName, TLIFn) \|\| !TLI.has(TLIFn))
		return false;

		return TLIFn == LibFunc_ZdlPv \|\| // operator delete(void*)
		TLIFn == LibFunc_ZdaPv \|\| // operator delete[](void*)
		TLIFn == LibFunc_msvc_delete_ptr32 \|\| // operator delete(void*)
		TLIFn == LibFunc_msvc_delete_ptr64 \|\| // operator delete(void*)
		TLIFn == LibFunc_msvc_delete_array_ptr32 \|\| // operator delete[](void*)
		TLIFn == LibFunc_msvc_delete_array_ptr64; // operator delete[](void*)
		rsmithUnsubmitted Not Done Reply Inline Actions I really don't like duplicating this list here, in a way that means we would miscompile again if the list in `isFreeCall` is extended but this list is not. (Notably, this list is already missing cases from `isFreeCall`, and as it happens, the one in `isFreeCall` is also missing cases.) Perhaps instead changing this function to determine whether a call is known to be side-effect free when given a null pointer, and special-casing the very small number of functions for which that's true, would be a better and more maintainable approach? rsmith: I really don't like duplicating this list here, in a way that means we would miscompile again…
		}

/// isFreeCall - Returns non-null if the value is a call to the builtin free()		/// isFreeCall - Returns non-null if the value is a call to the builtin free()
const CallInst llvm::isFreeCall(const Value I, const TargetLibraryInfo *TLI) {		const CallInst llvm::isFreeCall(const Value I, const TargetLibraryInfo *TLI) {
const CallInst *CI = dyn_cast<CallInst>(I);		const CallInst *CI = dyn_cast<CallInst>(I);
if (!CI \|\| isa<IntrinsicInst>(CI))		if (!CI \|\| isa<IntrinsicInst>(CI))
return nullptr;		return nullptr;
Function *Callee = CI->getCalledFunction();		Function *Callee = CI->getCalledFunction();
if (Callee == nullptr)		if (Callee == nullptr)
return nullptr;		return nullptr;
Show All 26 Lines	else if (TLIFn == LibFunc_ZdlPvj \|\| // delete(void*, uint)
TLIFn == LibFunc_msvc_delete_array_ptr64_longlong \|\| // delete[](void*, ulonglong)		TLIFn == LibFunc_msvc_delete_array_ptr64_longlong \|\| // delete[](void*, ulonglong)
TLIFn == LibFunc_msvc_delete_array_ptr32_nothrow \|\| // delete[](void*, nothrow)		TLIFn == LibFunc_msvc_delete_array_ptr32_nothrow \|\| // delete[](void*, nothrow)
TLIFn == LibFunc_msvc_delete_array_ptr64_nothrow) // delete[](void*, nothrow)		TLIFn == LibFunc_msvc_delete_array_ptr64_nothrow) // delete[](void*, nothrow)
ExpectedNumParams = 2;		ExpectedNumParams = 2;
else		else
return nullptr;		return nullptr;

// Check free prototype.		// Check free prototype.
// FIXME: workaround for PR5130, this will be obsolete when a nobuiltin		// FIXME: workaround for PR5130, this will be obsolete when a nobuiltin
// attribute will exist.		// attribute will exist.
rsmithUnsubmitted Not Done Reply Inline Actions Note that this function returns the wrong value for a `nobuiltin` call, and thus may still miscompile calls to `free` when building with `-fno-builtin=free`. rsmith: Note that this function returns the wrong value for a `nobuiltin` call, and thus may still…
FunctionType *FTy = Callee->getFunctionType();		FunctionType *FTy = Callee->getFunctionType();
if (!FTy->getReturnType()->isVoidTy())		if (!FTy->getReturnType()->isVoidTy())
return nullptr;		return nullptr;
if (FTy->getNumParams() != ExpectedNumParams)		if (FTy->getNumParams() != ExpectedNumParams)
return nullptr;		return nullptr;
if (FTy->getParamType(0) != Type::getInt8PtrTy(Callee->getContext()))		if (FTy->getParamType(0) != Type::getInt8PtrTy(Callee->getContext()))
return nullptr;		return nullptr;

▲ Show 20 Lines • Show All 448 Lines • Show Last 20 Lines

lib/Transforms/InstCombine/InstructionCombining.cpp

	Show First 20 Lines • Show All 473 Lines • ▼ Show 20 Lines
	FI.moveBefore(TI);			FI.moveBefore(TI);
	return &FI;			return &FI;
	}			}


	Instruction *InstCombiner::visitFree(CallInst &FI) {			Instruction *InstCombiner::visitFree(CallInst &FI) {
	Value *Op = FI.getArgOperand(0);			Value *Op = FI.getArgOperand(0);

	// free undef -> unreachable.			// free undef -> unreachable.
				rsmithUnsubmitted Not Done Reply Inline Actions This is wrong too. Either passing `undef` to any pointer parameter in a function call results in UB, or you cannot assume that passing `undef` to `::operator delete` results in UB. The user-provided `::operator delete` might ignore its argument, for example. I don't know if this is the reason, but LLVM miscompiles calls to `operator delete` in cases where it ignores its argument too: https://godbolt.org/g/dvvirQ rsmith: This is wrong too. Either passing `undef` to any pointer parameter in a function call results…
	if (isa<UndefValue>(Op)) {			if (isa<UndefValue>(Op)) {
	// Insert a new store to null because we cannot modify the CFG here.			// Insert a new store to null because we cannot modify the CFG here.
	Builder.CreateStore(ConstantInt::getTrue(FI.getContext()),			Builder.CreateStore(ConstantInt::getTrue(FI.getContext()),
	UndefValue::get(Type::getInt1PtrTy(FI.getContext())));			UndefValue::get(Type::getInt1PtrTy(FI.getContext())));
	return eraseInstFromFunction(FI);			return eraseInstFromFunction(FI);
	}			}

	// If we have 'free null' delete the instruction. This can happen in stl code			// If we have 'free null' delete the instruction. This can happen in stl code
	// when lots of inlining happens.			// when lots of inlining happens.
	if (isa<ConstantPointerNull>(Op))			if (isa<ConstantPointerNull>(Op))
	return eraseInstFromFunction(FI);			return eraseInstFromFunction(FI);
				rsmithUnsubmitted Not Done Reply Inline Actions Wrong for `operator delete`. rsmith: Wrong for `operator delete`.

	// If we optimize for code size, try to move the call to free before the null			// If we optimize for code size, try to move the call to free before the null
	// test so that simplify cfg can remove the empty block and dead code			// test so that simplify cfg can remove the empty block and dead code
	// elimination the branch. I.e., helps to turn something like:			// elimination the branch. I.e., helps to turn something like:
	// if (foo) free(foo);			// if (foo) free(foo);
	// into			// into
	// free(foo);			// free(foo);
	if (MinimizeSize)			// Note we can't really do it in the case of `operator delete` as this one
				// can have visible side effects.
				if (MinimizeSize && !hasSideEffectsFreeCall(&FI, TLI))
	if (Instruction *I = tryToMoveFreeBeforeNullTest(FI))			if (Instruction *I = tryToMoveFreeBeforeNullTest(FI))
	return I;			return I;

	return nullptr;			return nullptr;
	}			}

	Instruction *InstCombiner::visitReturnInst(ReturnInst &RI) {			Instruction *InstCombiner::visitReturnInst(ReturnInst &RI) {
	if (RI.getNumOperands() == 0) // ret void			if (RI.getNumOperands() == 0) // ret void
	▲ Show 20 Lines • Show All 492 Lines • Show Last 20 Lines

test/Transforms/InstCombine/pr34581.ll

This file was added.

				; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
				; Instcombine is not free of doing anything hazy like hoisting calls to operator
				; delete. This is PR34581.

				; RUN: opt -instcombine %s -S \| FileCheck %s

				define void @patatino(i8* %c) #0 {
				; CHECK-LABEL: @patatino(
				; CHECK-NEXT: entry:
				; CHECK-NEXT: [[ISNULL:%.]] = icmp eq i8 [[C:%.*]], null
				; CHECK-NEXT: br i1 [[ISNULL]], label [[DELETE_END:%.]], label [[DELETE_NOTNULL:%.]]
				; CHECK: delete.notnull:
				; CHECK-NEXT: call void @_ZdlPv(i8* [[C]])
				; CHECK-NEXT: br label [[DELETE_END]]
				; CHECK: delete.end:
				; CHECK-NEXT: ret void
				;
				entry:
				%isnull = icmp eq i8* %c, null
				br i1 %isnull, label %delete.end, label %delete.notnull

				delete.notnull:
				call void @_ZdlPv(i8* %c)
				br label %delete.end

				delete.end:
				ret void
				}

				declare void @_ZdlPv(i8*)

				attributes #0 = { minsize }