This is an archive of the discontinued LLVM Phabricator instance.

Differential D41589

Avoid modifying DbgInfo while looping in salvageDebuginfo
ClosedPublic

Authored by dim on Dec 26 2017, 4:16 PM.

Details

Reviewers
aprantl
bogner
bkramer
davide
Commits
rG2fb6134305d0: Avoid modifying DbgInfo while looping in salvageDebuginfo
rL321545: Avoid modifying DbgInfo while looping in salvageDebuginfo
Summary

I have been getting rather difficult to reproduce SIGBUS crashes when compiling certain FreeBSD sources, and their stack traces pointed squarely at SelectionDAG::salvageDebugInfo():

Core was generated by `/usr/obj/share/dim/src/freebsd/clang600-import/amd64.amd64/tmp/usr/bin/cc -cc1 -'.
Program terminated with signal SIGBUS, Bus error.
#0  isInvalidated () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SDNodeDbgValue.h:115
115       bool isInvalidated() const { return Invalid; }
(gdb) bt
#0  isInvalidated () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SDNodeDbgValue.h:115
#1  salvageDebugInfo () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:7116
#2  0x00000000033b2516 in operator() () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:3595
#3  __invoke<(lambda at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:3593:59) &, llvm::SDNode *, llvm::SDNode *> () at /usr/include/c++/v1/type_traits:4323
#4  __call<(lambda at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:3593:59) &, llvm::SDNode *, llvm::SDNode *> () at /usr/include/c++/v1/__functional_base:349
#5  operator() () at /usr/include/c++/v1/functional:1562
#6  0x00000000033b0817 in operator() () at /usr/include/c++/v1/functional:1916
#7  NodeDeleted () at /share/dim/src/freebsd/clang600-import/contrib/llvm/include/llvm/CodeGen/SelectionDAG.h:293
#8  0x0000000003529dde in RemoveDeadNodes () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:610
#9  0x00000000035556df in MorphNodeTo () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:6794
#10 0x00000000033a9acc in MorphNode () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:2594
#11 0x00000000033ac80b in SelectCodeCommon () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:3601
#12 0x00000000023d464b in SelectCode () at /usr/obj/share/dim/src/freebsd/clang600-import/amd64.amd64/tmp/obj-tools/lib/clang/libllvm/X86GenDAGISel.inc:282902
#13 Select () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:3072
#14 0x00000000033a5afa in DoInstructionSelection () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:988
#15 0x00000000033a4e1a in CodeGenAndEmitDAG () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:868
#16 0x00000000033a2643 in SelectAllBasicBlocks () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:1624
#17 0x000000000339f158 in runOnMachineFunction () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAGISel.cpp:466
#18 0x00000000023d03c4 in runOnMachineFunction () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/Target/X86/X86ISelDAGToDAG.cpp:175
#19 0x00000000035cc8c2 in runOnFunction () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/MachineFunctionPass.cpp:62
#20 0x00000000030dca9a in runOnFunction () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/IR/LegacyPassManager.cpp:1520
#21 0x00000000030dccf3 in runOnModule () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/IR/LegacyPassManager.cpp:1541
#22 0x00000000030dd228 in runOnModule () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/IR/LegacyPassManager.cpp:1597
#23 run () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/IR/LegacyPassManager.cpp:1700
#24 0x00000000014db578 in EmitAssembly () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:815
#25 EmitBackendOutput () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:1181
#26 0x00000000014d5b26 in HandleTranslationUnit () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:292
#27 0x0000000001c4c332 in ParseAST () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/Parse/ParseAST.cpp:159
#28 0x00000000015d546c in Execute () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:897
#29 0x0000000001cec311 in ExecuteAction () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:991
#30 0x00000000014b4f81 in ExecuteCompilerInvocation () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:252
#31 0x00000000014aa73f in cc1_main () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#32 0x00000000014b2928 in ExecuteCC1Tool () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/tools/driver/driver.cpp:309
#33 main () at /share/dim/src/freebsd/clang600-import/contrib/llvm/tools/clang/tools/driver/driver.cpp:388
(gdb) frame 1
#1  salvageDebugInfo () at /share/dim/src/freebsd/clang600-import/contrib/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.cpp:7116
7116        if (DV->isInvalidated())
(gdb) disassemble
Dump of assembler code for function salvageDebugInfo():
[...]
   0x0000000003557348 <+744>:   nopl   0x0(%rax,%rax,1)
   0x0000000003557350 <+752>:   mov    (%r12),%r13
=> 0x0000000003557354 <+756>:   cmpb   $0x0,0x31(%r13)
   0x0000000003557359 <+761>:   jne    0x35573b0 <salvageDebugInfo()+848>
(gdb) info registers
[...]
r13            0x5a5a5a5a5a5a5a5a       6510615555426900570

The 0x5a5a5a5a5a5a5a5a value in r13 indicates the memory was either uninitialized, or already freed.

Unfortunately I do not have a simple self-contained test case for this. However, it seems pretty clear that the call to AddDbgValue() in salvageDebugInfo() causes the problems, since it modifies SelectionDag::DbgInfo while looping through one of its DenseMaps:

void SelectionDAG::salvageDebugInfo(SDNode &N) {
[...]
  for (auto DV : GetDbgValues(&N)) {
    if (DV->isInvalidated())
      continue;
[...]
        AddDbgValue(Clone, N0.getNode(), false);
[...]
  }
}

At least, if I comment out the AddDbgValue() call, the crashes go away. I propose to change this function slightly, similar to the SelectionDAG::transferDbgValues() function just above it, to save the cloned SDDbgValues in a separate SmallVector, and only call AddDbgValue() on them after the for loop is done.

Diff Detail

Repository
rL LLVM

Event Timeline

dim created this revision.Dec 26 2017, 4:16 PM
Herald added subscribers: JDevlieghere, krytarowski. · View Herald TranscriptDec 26 2017, 4:16 PM
davide accepted this revision.Dec 28 2017, 11:51 AM
davide added a subscriber: davide.

Yes, this sounds like classic iterator invalidation. This is probably safe.

This revision is now accepted and ready to land.Dec 28 2017, 11:51 AM
Closed by commit rL321545: Avoid modifying DbgInfo while looping in salvageDebuginfo (authored by dim). · Explain WhyDec 28 2017, 3:43 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
CodeGen/
SelectionDAG/
7 lines

Diff 128310

llvm/trunk/lib/CodeGen/SelectionDAG/SelectionDAG.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 7,122 Lines▼ Show 20 Linesvoid SelectionDAG::transferDbgValues(SDValue From, SDValue To,
for (SDDbgValue *Dbg : ClonedDVs) for (SDDbgValue *Dbg : ClonedDVs)
AddDbgValue(Dbg, ToNode, false); AddDbgValue(Dbg, ToNode, false);
} }
void SelectionDAG::salvageDebugInfo(SDNode &N) { void SelectionDAG::salvageDebugInfo(SDNode &N) {
if (!N.getHasDebugValue()) if (!N.getHasDebugValue())
return; return;
SmallVector<SDDbgValue *, 2> ClonedDVs;
for (auto DV : GetDbgValues(&N)) { for (auto DV : GetDbgValues(&N)) {
if (DV->isInvalidated()) if (DV->isInvalidated())
continue; continue;
switch (N.getOpcode()) { switch (N.getOpcode()) {
default: default:
break; break;
case ISD::ADD: case ISD::ADD:
SDValue N0 = N.getOperand(0); SDValue N0 = N.getOperand(0);
SDValue N1 = N.getOperand(1); SDValue N1 = N.getOperand(1);
if (!isConstantIntBuildVectorOrConstantInt(N0) && if (!isConstantIntBuildVectorOrConstantInt(N0) &&
isConstantIntBuildVectorOrConstantInt(N1)) { isConstantIntBuildVectorOrConstantInt(N1)) {
uint64_t Offset = N.getConstantOperandVal(1); uint64_t Offset = N.getConstantOperandVal(1);
// Rewrite an ADD constant node into a DIExpression. Since we are // Rewrite an ADD constant node into a DIExpression. Since we are
// performing arithmetic to compute the variable's *value* in the // performing arithmetic to compute the variable's *value* in the
// DIExpression, we need to mark the expression with a // DIExpression, we need to mark the expression with a
// DW_OP_stack_value. // DW_OP_stack_value.
auto *DIExpr = DV->getExpression(); auto *DIExpr = DV->getExpression();
DIExpr = DIExpression::prepend(DIExpr, DIExpression::NoDeref, Offset, DIExpr = DIExpression::prepend(DIExpr, DIExpression::NoDeref, Offset,
DIExpression::NoDeref, DIExpression::NoDeref,
DIExpression::WithStackValue); DIExpression::WithStackValue);
SDDbgValue *Clone = SDDbgValue *Clone =
getDbgValue(DV->getVariable(), DIExpr, N0.getNode(), N0.getResNo(), getDbgValue(DV->getVariable(), DIExpr, N0.getNode(), N0.getResNo(),
DV->isIndirect(), DV->getDebugLoc(), DV->getOrder()); DV->isIndirect(), DV->getDebugLoc(), DV->getOrder());
ClonedDVs.push_back(Clone);
DV->setIsInvalidated(); DV->setIsInvalidated();
AddDbgValue(Clone, N0.getNode(), false);
DEBUG(dbgs() << "SALVAGE: Rewriting"; N0.getNode()->dumprFull(this); DEBUG(dbgs() << "SALVAGE: Rewriting"; N0.getNode()->dumprFull(this);
dbgs() << " into " << *DIExpr << '\n'); dbgs() << " into " << *DIExpr << '\n');
} }
} }
} }
for (SDDbgValue *Dbg : ClonedDVs)
AddDbgValue(Dbg, Dbg->getSDNode(), false);
} }
namespace { namespace {
/// RAUWUpdateListener - Helper for ReplaceAllUsesWith - When the node /// RAUWUpdateListener - Helper for ReplaceAllUsesWith - When the node
/// pointed to by a use iterator is deleted, increment the use iterator /// pointed to by a use iterator is deleted, increment the use iterator
/// so that it doesn't dangle. /// so that it doesn't dangle.
/// ///
▲ Show 20 LinesShow All 1,102 LinesShow Last 20 Lines