This is an archive of the discontinued LLVM Phabricator instance.

Differential D50710

[ADT] Fix Optional ABI mismatch between clang & gcc
AbandonedPublic

Authored by kbenzie on Aug 14 2018, 8:39 AM.

Details

Reviewers
chandlerc
bkramer
timshen
dblaikie
Summary

This patch addresses discussion in
https://bugs.llvm.org/show_bug.cgi?id=35978
and the email thread
https://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20180122/519188.html

Compiling LLVM with either clang or gcc and a dependant project which
uses the opposite compiler results in an ABI incompatibility in Optional
due to the trivially copyable optimisation in the OptionalStorage type
being enabled when compiling with clang and disabled when GCC.

Additionally, this patch removes undefined behavior in the copy assignment
operator of OptionalStorage. When OptionalStorage does not hold a
valid object and the copy assignment operator is invoked, the object
being copied must be copy constructed in the uninitialized storage.buffer.

In the scenario of installing LLVM from the apt packages and a
downstream project choosing to use a different compiler the resulting
application will exhibit runtime failures such as segmentation faults
when calling LLVM functions with an Optional parameter crossing which
cross the ABI boundary.

I believe this is a serious bug and if this patch is accepted should
also be backported to the 7.0 release branch as this has been a latent
issue since late January 2018.

I did not have enough information to be able to reproduce the
"miscompiles" mentioned on the bug tracker so am unable to verify if
those have been fixed this with patch, it is my hope that fixing the
undefined behavior should resolve these issues.

Diff Detail

Event Timeline

kbenzie created this revision.Aug 14 2018, 8:39 AM
Herald added subscribers: llvm-commits, dexonsmith. · View Herald TranscriptAug 14 2018, 8:39 AM
kbenzie added reviewers: bkramer, timshen, dblaikie.Aug 20 2018, 1:28 AM
timshen added inline comments.Aug 20 2018, 10:01 AM
include/llvm/ADT/Optional.h
120

Will this suffice?
if (hasVal) { memcpy(&storage.buffer, &y.storage.buffer, sizeof(T)); }

timshen added inline comments.Aug 20 2018, 10:03 AM
include/llvm/ADT/Optional.h
120

Sorry, I meant

hasVal = y.hasVal;
if (hasVal) { memcpy(...); }
kbenzie added inline comments.Aug 21 2018, 2:58 AM
include/llvm/ADT/Optional.h
120

This assignment operator does not take a const OptionalStorage& so y.hasVal is not a valid expression since T is the type of the object to be copied into storage.buffer e.g. for OptionalStorage<int>
then T is int.

A previous attempt to fix the GCC miscompiles used memmove which was only reported to fix GCC 5.4 release builds.

The expression *reinterpret_cast<T *>(storage.buffer) = y is undefined behaviour in the case where a valid object is not held in storage.buffer according to C++ rules which lead to this implementation.

EwanCrawford added a subscriber: EwanCrawford.Sep 17 2018, 6:50 AM
tstellar added a subscriber: tstellar.Sep 28 2018, 10:33 AM
rsmith added a subscriber: rsmith.Oct 25 2018, 11:50 AM
rsmith added inline comments.
include/llvm/ADT/Optional.h
113

When the type is *actually* trivially-copyable (and not just isPodLike, which lies), we could just store it directly: union { T storage; };

122

This would be more correct as:

#ifdef __cpp_lib_launder
*std::launder(reinterpret_cast<T *>(&storage.buffer)) = y;
#else
*reinterpret_cast<T *>(std::addressof(storage.buffer)) = y;
#endif

(I'd expect the std::launder to also shut up the TBAA warnings.)

Herald added a subscriber: kristina. · View Herald TranscriptOct 25 2018, 11:50 AM
Rakete1111 added a subscriber: Rakete1111.Oct 27 2018, 1:56 PM
foutrelis added a subscriber: foutrelis.Nov 1 2018, 5:38 PM
kbenzie abandoned this revision.Jan 15 2019, 2:51 AM

Revision Contents

PathSize
include/
llvm/
ADT/
13 lines

Diff 160596

include/llvm/ADT/Optional.h

Show First 20 LinesShow All 102 Lines▼ Show 20 Lines T *getPointer() {
return reinterpret_cast<T *>(storage.buffer); return reinterpret_cast<T *>(storage.buffer);
} }
const T *getPointer() const { const T *getPointer() const {
assert(hasVal); assert(hasVal);
return reinterpret_cast<const T *>(storage.buffer); return reinterpret_cast<const T *>(storage.buffer);
} }
}; };
#if !defined(__GNUC__) || defined(__clang__) // GCC up to GCC7 miscompiles this.
/// Storage for trivially copyable types only. /// Storage for trivially copyable types only.
template <typename T> struct OptionalStorage<T, true> { template <typename T> struct OptionalStorage<T, true> {
AlignedCharArrayUnion<T> storage; AlignedCharArrayUnion<T> storage;
rsmithUnsubmitted
Not Done
ReplyInline Actions

When the type is *actually* trivially-copyable (and not just isPodLike, which lies), we could just store it directly: union { T storage; };

rsmith: When the type is *actually* trivially-copyable (and not just `isPodLike`, which lies), we could…
bool hasVal = false; bool hasVal = false;
OptionalStorage() = default; OptionalStorage() = default;
OptionalStorage(const T &y) : hasVal(true) { new (storage.buffer) T(y); } OptionalStorage(const T &y) : hasVal(true) { new (storage.buffer) T(y); }
OptionalStorage &operator=(const T &y) { OptionalStorage &operator=(const T &y) {
*reinterpret_cast<T *>(storage.buffer) = y; if (hasVal) {
timshenUnsubmitted
Not Done
ReplyInline Actions

Will this suffice?
if (hasVal) { memcpy(&storage.buffer, &y.storage.buffer, sizeof(T)); }

timshen: Will this suffice? `if (hasVal) { memcpy(&storage.buffer, &y.storage.buffer, sizeof(T)); }`
timshenUnsubmitted
Not Done
ReplyInline Actions

Sorry, I meant

hasVal = y.hasVal;
if (hasVal) { memcpy(...); }
timshen: Sorry, I meant hasVal = y.hasVal; if (hasVal) { memcpy(...); }
kbenzieAuthorUnsubmitted
Not Done
ReplyInline Actions

This assignment operator does not take a const OptionalStorage& so y.hasVal is not a valid expression since T is the type of the object to be copied into storage.buffer e.g. for OptionalStorage<int>
then T is int.

A previous attempt to fix the GCC miscompiles used memmove which was only reported to fix GCC 5.4 release builds.

The expression *reinterpret_cast<T *>(storage.buffer) = y is undefined behaviour in the case where a valid object is not held in storage.buffer according to C++ rules which lead to this implementation.

kbenzie: This assignment operator does not take a `const OptionalStorage&` so `y.hasVal` is not a valid…
// Use std::addressof to silence strict-aliasing warnings from gcc.
*reinterpret_cast<T *>(std::addressof(storage.buffer)) = y;
rsmithUnsubmitted
Not Done
ReplyInline Actions

This would be more correct as:

#ifdef __cpp_lib_launder
*std::launder(reinterpret_cast<T *>(&storage.buffer)) = y;
#else
*reinterpret_cast<T *>(std::addressof(storage.buffer)) = y;
#endif

(I'd expect the std::launder to also shut up the TBAA warnings.)

rsmith: This would be more correct as: ``` #ifdef __cpp_lib_launder *std::launder(reinterpret_cast<T…
} else {
// Copy assignment to uninitialized storage is undefined behavior so copy
// construct with placement new when no value is held.
new (storage.buffer) T(y);
hasVal = true; hasVal = true;
}
return *this; return *this;
} }
void reset() { hasVal = false; } void reset() { hasVal = false; }
}; };
#endif
} // namespace optional_detail } // namespace optional_detail
template <typename T> class Optional { template <typename T> class Optional {
optional_detail::OptionalStorage<T, isPodLike<T>::value> Storage; optional_detail::OptionalStorage<T, isPodLike<T>::value> Storage;
public: public:
using value_type = T; using value_type = T;
▲ Show 20 LinesShow All 210 LinesShow Last 20 Lines