This is an archive of the discontinued LLVM Phabricator instance.

Differential D50717

[SimplifyCFG] Remove pointer from SmallPtrSet before deletion
ClosedPublic

Authored by NutshellySima on Aug 14 2018, 9:22 AM.

Details

Reviewers
kuhar
dmgreen
davide
trentxintong
Commits
rGe8263f33d93c: [SimplifyCFG] Remove pointer from SmallPtrSet before deletion
rL339773: [SimplifyCFG] Remove pointer from SmallPtrSet before deletion
Summary

Previously, eraseFromParent() calls delete which invalidates the value of the pointer. Copying the value of the pointer later is undefined behavior in C++11 and implementation-defined (which may cause a segfault on implementations having strict pointer safety) in C++14.

This patch removes the BasicBlock pointer from related SmallPtrSet before delete invalidates it in the SimplifyCFG pass.

Diff Detail

Repository
rL LLVM

Event Timeline

NutshellySima created this revision.Aug 14 2018, 9:22 AM
Herald added a subscriber: llvm-commits. · View Herald TranscriptAug 14 2018, 9:22 AM
dmgreen accepted this revision.Aug 14 2018, 9:35 AM

LGTM

I guess because it's only erasing it from a SmallPtrSet, it's not actually _using_ it, but this looks like a very sensible change.

This revision is now accepted and ready to land.Aug 14 2018, 9:35 AM
NutshellySima added a comment.Aug 14 2018, 9:50 AM
In D50717#1199198, @dmgreen wrote:

LGTM

I guess because it's only erasing it from a SmallPtrSet, it's not actually _using_ it, but this looks like a very sensible change.

Thanks for pointing it out. I didn't notice that. :)

NutshellySima retitled this revision from [SimplifyCFG] Fix BasicBlock use-after-free to [NFC][SimplifyCFG] Remove pointer from SmallPtrSet before deletion.Aug 14 2018, 9:54 AM
NutshellySima edited the summary of this revision. (Show Details)
kuhar added a comment.EditedAug 14 2018, 9:55 AM
In D50717#1199198, @dmgreen wrote:

I guess because it's only erasing it from a SmallPtrSet, it's not actually _using_ it, but this looks like a very sensible change.

I thought that erase calls delete on the link list node which invalidates not only the node itself but also the pointer, doesn't it?

dmgreen added a comment.Aug 14 2018, 10:05 AM

I'm no expert, but I thought that SmallPtrSet->erase(BB) would treat BB as an opaque value that it removes from it's set, not accessing it's content in any way. You may be right about the eraseFromParent invalidating things though.

It's certainly much better this new way :)

kuhar added a comment.Aug 14 2018, 10:18 AM
In D50717#1199288, @dmgreen wrote:

I'm no expert, but I thought that SmallPtrSet->erase(BB) would treat BB as an opaque value that it removes from it's set, not accessing it's content in any way. You may be right about the eraseFromParent invalidating things though.

It's certainly much better this new way :)

I found this (C++14 [basic.stc.dynamic.deallocation]/4):

Indirection through an invalid pointer value and passing an invalid pointer value to a deallocation function have undefined behavior. Any other use of an invalid pointer value has implementation-defined behavior.

[ Footnote: Some implementations might define that copying an invalid pointer value causes a system-generated runtime fault. — end footnote ]

Seems like erasing from a set can cause both a copy (possibly a segfault) and produce unexpected values when used in comparison with other pointers.

kuhar accepted this revision.Aug 14 2018, 10:21 AM
NutshellySima retitled this revision from [NFC][SimplifyCFG] Remove pointer from SmallPtrSet before deletion to [SimplifyCFG] Remove pointer from SmallPtrSet before deletion.Aug 14 2018, 11:44 PM
NutshellySima edited the summary of this revision. (Show Details)
Closed by commit rL339773: [SimplifyCFG] Remove pointer from SmallPtrSet before deletion (authored by sima). · Explain WhyAug 15 2018, 6:56 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Utils/
6 lines

Diff 160799

llvm/trunk/lib/Transforms/Utils/SimplifyCFG.cpp

Show First 20 LinesShow All 3,855 Lines▼ Show 20 Linesbool SimplifyCFGOpt::SimplifySingleResume(ResumeInst *RI) {
// Turn all invokes that unwind here into calls and delete the basic block. // Turn all invokes that unwind here into calls and delete the basic block.
for (pred_iterator PI = pred_begin(BB), PE = pred_end(BB); PI != PE;) { for (pred_iterator PI = pred_begin(BB), PE = pred_end(BB); PI != PE;) {
BasicBlock *Pred = *PI++; BasicBlock *Pred = *PI++;
removeUnwindEdge(Pred); removeUnwindEdge(Pred);
} }
// The landingpad is now unreachable. Zap it. // The landingpad is now unreachable. Zap it.
BB->eraseFromParent();
if (LoopHeaders) if (LoopHeaders)
LoopHeaders->erase(BB); LoopHeaders->erase(BB);
BB->eraseFromParent();
return true; return true;
} }
static bool removeEmptyCleanup(CleanupReturnInst *RI) { static bool removeEmptyCleanup(CleanupReturnInst *RI) {
// If this is a trivial cleanup pad that executes no instructions, it can be // If this is a trivial cleanup pad that executes no instructions, it can be
// eliminated. If the cleanup pad continues to the caller, any predecessor // eliminated. If the cleanup pad continues to the caller, any predecessor
// that is an EH pad will be updated to continue to the caller and any // that is an EH pad will be updated to continue to the caller and any
// predecessor that terminates with an invoke instruction will have its invoke // predecessor that terminates with an invoke instruction will have its invoke
▲ Show 20 LinesShow All 203 Lines▼ Show 20 Lines while (!UncondBranchPreds.empty()) {
LLVM_DEBUG(dbgs() << "FOLDING: " << *BB LLVM_DEBUG(dbgs() << "FOLDING: " << *BB
<< "INTO UNCOND BRANCH PRED: " << *Pred); << "INTO UNCOND BRANCH PRED: " << *Pred);
(void)FoldReturnIntoUncondBranch(RI, BB, Pred); (void)FoldReturnIntoUncondBranch(RI, BB, Pred);
} }
// If we eliminated all predecessors of the block, delete the block now. // If we eliminated all predecessors of the block, delete the block now.
if (pred_empty(BB)) { if (pred_empty(BB)) {
// We know there are no successors, so just nuke the block. // We know there are no successors, so just nuke the block.
BB->eraseFromParent();
if (LoopHeaders) if (LoopHeaders)
LoopHeaders->erase(BB); LoopHeaders->erase(BB);
BB->eraseFromParent();
} }
return true; return true;
} }
// Check out all of the conditional branches going to this return // Check out all of the conditional branches going to this return
// instruction. If any of them just select between returns, change the // instruction. If any of them just select between returns, change the
// branch itself into a select/return pair. // branch itself into a select/return pair.
▲ Show 20 LinesShow All 143 Lines▼ Show 20 Lines if (auto *BI = dyn_cast<BranchInst>(TI)) {
TI->eraseFromParent(); TI->eraseFromParent();
Changed = true; Changed = true;
} }
} }
// If this block is now dead, remove it. // If this block is now dead, remove it.
if (pred_empty(BB) && BB != &BB->getParent()->getEntryBlock()) { if (pred_empty(BB) && BB != &BB->getParent()->getEntryBlock()) {
// We know there are no successors, so just nuke the block. // We know there are no successors, so just nuke the block.
BB->eraseFromParent();
if (LoopHeaders) if (LoopHeaders)
LoopHeaders->erase(BB); LoopHeaders->erase(BB);
BB->eraseFromParent();
return true; return true;
} }
return Changed; return Changed;
} }
static bool CasesAreContiguous(SmallVectorImpl<ConstantInt *> &Cases) { static bool CasesAreContiguous(SmallVectorImpl<ConstantInt *> &Cases) {
assert(Cases.size() >= 1); assert(Cases.size() >= 1);
▲ Show 20 LinesShow All 1,819 LinesShow Last 20 Lines