This is an archive of the discontinued LLVM Phabricator instance.

Differential D59552

[Linker] Fix crash handling appending linkage
ClosedPublic

Authored by rafauler on Mar 19 2019, 10:32 AM.

Details

Reviewers
pcc
efriedma
mehdi_amini
dexonsmith
tejohnson
Commits
rG6dc53ccb0b09: [Linker] Fix crash handling appending linkage
rL356597: [Linker] Fix crash handling appending linkage
Summary

When linking two llvm.used arrays, if the resulting merged
array ends up with duplicated elements (with the same name) but with
different types, the IRLinker was crashing. This was supposed to be
legal, as the IRLinker bitcasts elements to match types in these
situations.

This bug was exposed by D56928 in clang to support attribute used
in member functions of class templates. Crash happened when self-hosting
with LTO. Since LLVM depends on attribute used to generate code
for the dump() method, ubiquitous in the code base, many input bc
had a definition of this method referenced in their llvm.used array.
Some of these classes got optimized, changing the type of the first
parameter (this) in the dump method, leading to a scenario with a
pool of valid definitions but some with a different type, triggering
this bug.

This is a memory bug: ValueMapper depends on (calls) the materializer
provided by IRLinker, and this materializer was freely calling RAUW
methods whenever a global definition was updated in the temporary merged
output file. However, replaceAllUsesWith may or may not destroy
constants that use this global. If the linked definition has a type
mismatch regarding the new def and the old def, the materializer would
bitcast the old type to the new type and the elements of the llvm.used
array, which already uses bitcast to i8*, would end up with elements
cascading two bitcasts. RAUW would then indirectly call the
constantfolder to update the constant to the new ref, which would,
instead of updating the constant, destroy it to be able to create
a new constant that folds the two bitcasts into one. The problem is that
ValueMapper works with pointers to the same constants that may be
getting destroyed by RAUW. Obviously, RAUW can update references in the
Module to do not use the old destroyed constant, but it can't update
ValueMapper's internal pointers to these constants, which are now
invalid.

The approach here is to move the task of RAUWing old definitions
outside of the materializer.

Test Plan:
Added LIT test case, tested clang self-hosting with D56928 and
verified it works

Diff Detail

Repository
rL LLVM

Event Timeline

rafauler created this revision.Mar 19 2019, 10:32 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 19 2019, 10:32 AM
Herald added a subscriber: steven_wu. · View Herald Transcript
Harbormaster completed remote builds in B29359: Diff 191346.Mar 19 2019, 10:32 AM
efriedma added inline comments.Mar 19 2019, 12:44 PM
lib/Linker/IRMover.cpp
1059 ↗(On Diff #191346)

Why is the call to std::reverse() necessary? There shouldn't be any other code touching the worklist, so you can just iterate over it normally.

1067 ↗(On Diff #191346)

ValueMap and AliasValueMap use raw pointers for keys. Do we need to update them if one of those pointers is deleted?

1396 ↗(On Diff #191346)

I guess you can just flush the worklist here because the mapValue() invariant only applies inside a single call?

rafauler marked 3 inline comments as done.Mar 19 2019, 3:01 PM

Thanks for your feedback, Eli

lib/Linker/IRMover.cpp
1059 ↗(On Diff #191346)

Indeed, I'll fix this

1067 ↗(On Diff #191346)

This is handled in Value's destructor

1396 ↗(On Diff #191346)

That's correct

rafauler updated this revision to Diff 191404.Mar 19 2019, 3:02 PM

Eli's suggestions

Harbormaster completed remote builds in B29373: Diff 191404.Mar 19 2019, 3:02 PM
efriedma added inline comments.Mar 19 2019, 3:21 PM
lib/Linker/IRMover.cpp
1067 ↗(On Diff #191346)

I don't follow; how could ~Value() possibly find the key of a ValueMap? (The values are ValueHandles, but that's separate.)

rafauler marked an inline comment as done.Mar 19 2019, 3:32 PM
rafauler added inline comments.
lib/Linker/IRMover.cpp
1067 ↗(On Diff #191346)

Isn't it the opposite: the values are arbitrary, and the keys are ValueHandles? From ValueMap.h:179:

auto MapResult = Map.insert(std::make_pair(Wrap(KV.first), KV.second));

Wrap() installs the callback paraphernalia that updates the map on deletions/ RAUWs at ValueMapCallbackVH::allUsesReplacedWith / deleted

efriedma accepted this revision.Mar 19 2019, 3:46 PM

LGTM

lib/Linker/IRMover.cpp
1067 ↗(On Diff #191346)

You're right, sorry, I misread the code.

This revision is now accepted and ready to land.Mar 19 2019, 3:46 PM
Closed by commit rL356597: [Linker] Fix crash handling appending linkage (authored by rafauler). · Explain WhyMar 20 2019, 12:18 PM
This revision was automatically updated to reflect the committed changes.
rafauler mentioned this in rC356598: Recommit "Support attribute used in member funcs of class templates".Mar 20 2019, 12:21 PM
rafauler mentioned this in rL356598: Recommit "Support attribute used in member funcs of class templates".
rafauler mentioned this in rG9dde31ecc157: Recommit "Support attribute used in member funcs of class templates".Mar 20 2019, 12:25 PM

Revision Contents

PathSize
llvm/
trunk/
lib/
Linker/
35 lines
test/
LTO/
Resolution/
X86/
Inputs/
14 lines
16 lines

Diff 191555

llvm/trunk/lib/Linker/IRMover.cpp

Show First 20 LinesShow All 396 Lines▼ Show 20 Linesclass IRLinker {
/// in DstM. ValueToValueMapTy is a ValueMap, which involves some overhead /// in DstM. ValueToValueMapTy is a ValueMap, which involves some overhead
/// due to the use of Value handles which the Linker doesn't actually need, /// due to the use of Value handles which the Linker doesn't actually need,
/// but this allows us to reuse the ValueMapper code. /// but this allows us to reuse the ValueMapper code.
ValueToValueMapTy ValueMap; ValueToValueMapTy ValueMap;
ValueToValueMapTy AliasValueMap; ValueToValueMapTy AliasValueMap;
DenseSet<GlobalValue *> ValuesToLink; DenseSet<GlobalValue *> ValuesToLink;
std::vector<GlobalValue *> Worklist; std::vector<GlobalValue *> Worklist;
std::vector<std::pair<GlobalValue *, Value*>> RAUWWorklist;
void maybeAdd(GlobalValue *GV) { void maybeAdd(GlobalValue *GV) {
if (ValuesToLink.insert(GV).second) if (ValuesToLink.insert(GV).second)
Worklist.push_back(GV); Worklist.push_back(GV);
} }
/// Whether we are importing globals for ThinLTO, as opposed to linking the /// Whether we are importing globals for ThinLTO, as opposed to linking the
/// source module. If this flag is set, it means that we can rely on some /// source module. If this flag is set, it means that we can rely on some
▲ Show 20 LinesShow All 76 Lines▼ Show 20 Linesclass IRLinker {
Error linkGlobalValueBody(GlobalValue &Dst, GlobalValue &Src); Error linkGlobalValueBody(GlobalValue &Dst, GlobalValue &Src);
/// Functions that take care of cloning a specific global value type /// Functions that take care of cloning a specific global value type
/// into the destination module. /// into the destination module.
GlobalVariable *copyGlobalVariableProto(const GlobalVariable *SGVar); GlobalVariable *copyGlobalVariableProto(const GlobalVariable *SGVar);
Function *copyFunctionProto(const Function *SF); Function *copyFunctionProto(const Function *SF);
GlobalValue *copyGlobalAliasProto(const GlobalAlias *SGA); GlobalValue *copyGlobalAliasProto(const GlobalAlias *SGA);
/// Perform "replace all uses with" operations. These work items need to be
/// performed as part of materialization, but we postpone them to happen after
/// materialization is done. The materializer called by ValueMapper is not
/// expected to delete constants, as ValueMapper is holding pointers to some
/// of them, but constant destruction may be indirectly triggered by RAUW.
/// Hence, the need to move this out of the materialization call chain.
void flushRAUWWorklist();
/// When importing for ThinLTO, prevent importing of types listed on /// When importing for ThinLTO, prevent importing of types listed on
/// the DICompileUnit that we don't need a copy of in the importing /// the DICompileUnit that we don't need a copy of in the importing
/// module. /// module.
void prepareCompileUnitsForImport(); void prepareCompileUnitsForImport();
void linkNamedMDNodes(); void linkNamedMDNodes();
public: public:
IRLinker(Module &DstM, MDMapT &SharedMDs, IRLinker(Module &DstM, MDMapT &SharedMDs,
▲ Show 20 LinesShow All 373 Lines▼ Show 20 LinesIRLinker::linkAppendingVarProto(GlobalVariable *DstGV,
Mapper.scheduleMapAppendingVariable(*NG, Mapper.scheduleMapAppendingVariable(*NG,
DstGV ? DstGV->getInitializer() : nullptr, DstGV ? DstGV->getInitializer() : nullptr,
IsOldStructor, SrcElements); IsOldStructor, SrcElements);
// Replace any uses of the two global variables with uses of the new // Replace any uses of the two global variables with uses of the new
// global. // global.
if (DstGV) { if (DstGV) {
DstGV->replaceAllUsesWith(ConstantExpr::getBitCast(NG, DstGV->getType())); RAUWWorklist.push_back(
DstGV->eraseFromParent(); std::make_pair(DstGV, ConstantExpr::getBitCast(NG, DstGV->getType())));
} }
return Ret; return Ret;
} }
bool IRLinker::shouldLink(GlobalValue *DGV, GlobalValue &SGV) { bool IRLinker::shouldLink(GlobalValue *DGV, GlobalValue &SGV) {
if (ValuesToLink.count(&SGV) || SGV.hasLocalLinkage()) if (ValuesToLink.count(&SGV) || SGV.hasLocalLinkage())
return true; return true;
▲ Show 20 LinesShow All 82 Lines▼ Show 20 LinesExpected<Constant *> IRLinker::linkGlobalValueProto(GlobalValue *SGV,
// the same as DGV and NewGV, and TypeMap.get() will assert since it // the same as DGV and NewGV, and TypeMap.get() will assert since it
// assumes it is being invoked on a type in the source module. // assumes it is being invoked on a type in the source module.
if (DGV && NewGV != SGV) { if (DGV && NewGV != SGV) {
C = ConstantExpr::getPointerBitCastOrAddrSpaceCast( C = ConstantExpr::getPointerBitCastOrAddrSpaceCast(
NewGV, TypeMap.get(SGV->getType())); NewGV, TypeMap.get(SGV->getType()));
} }
if (DGV && NewGV != DGV) { if (DGV && NewGV != DGV) {
DGV->replaceAllUsesWith( // Schedule "replace all uses with" to happen after materializing is
ConstantExpr::getPointerBitCastOrAddrSpaceCast(NewGV, DGV->getType())); // done. It is not safe to do it now, since ValueMapper may be holding
DGV->eraseFromParent(); // pointers to constants that will get deleted if RAUW runs.
RAUWWorklist.push_back(std::make_pair(
DGV,
ConstantExpr::getPointerBitCastOrAddrSpaceCast(NewGV, DGV->getType())));
} }
return C; return C;
} }
/// Update the initializers in the Dest module now that all globals that may be /// Update the initializers in the Dest module now that all globals that may be
/// referenced are in Dest. /// referenced are in Dest.
void IRLinker::linkGlobalVariable(GlobalVariable &Dst, GlobalVariable &Src) { void IRLinker::linkGlobalVariable(GlobalVariable &Dst, GlobalVariable &Src) {
▲ Show 20 LinesShow All 41 Lines▼ Show 20 LinesError IRLinker::linkGlobalValueBody(GlobalValue &Dst, GlobalValue &Src) {
if (auto *GVar = dyn_cast<GlobalVariable>(&Src)) { if (auto *GVar = dyn_cast<GlobalVariable>(&Src)) {
linkGlobalVariable(cast<GlobalVariable>(Dst), *GVar); linkGlobalVariable(cast<GlobalVariable>(Dst), *GVar);
return Error::success(); return Error::success();
} }
linkAliasBody(cast<GlobalAlias>(Dst), cast<GlobalAlias>(Src)); linkAliasBody(cast<GlobalAlias>(Dst), cast<GlobalAlias>(Src));
return Error::success(); return Error::success();
} }
void IRLinker::flushRAUWWorklist() {
for (const auto Elem : RAUWWorklist) {
GlobalValue *Old;
Value *New;
std::tie(Old, New) = Elem;
Old->replaceAllUsesWith(New);
Old->eraseFromParent();
}
RAUWWorklist.clear();
}
void IRLinker::prepareCompileUnitsForImport() { void IRLinker::prepareCompileUnitsForImport() {
NamedMDNode *SrcCompileUnits = SrcM->getNamedMetadata("llvm.dbg.cu"); NamedMDNode *SrcCompileUnits = SrcM->getNamedMetadata("llvm.dbg.cu");
if (!SrcCompileUnits) if (!SrcCompileUnits)
return; return;
// When importing for ThinLTO, prevent importing of types listed on // When importing for ThinLTO, prevent importing of types listed on
// the DICompileUnit that we don't need a copy of in the importing // the DICompileUnit that we don't need a copy of in the importing
// module. They will be emitted by the originating module. // module. They will be emitted by the originating module.
for (unsigned I = 0, E = SrcCompileUnits->getNumOperands(); I != E; ++I) { for (unsigned I = 0, E = SrcCompileUnits->getNumOperands(); I != E; ++I) {
▲ Show 20 LinesShow All 309 Lines▼ Show 20 Lines while (!Worklist.empty()) {
if (ValueMap.find(GV) != ValueMap.end() || if (ValueMap.find(GV) != ValueMap.end() ||
AliasValueMap.find(GV) != AliasValueMap.end()) AliasValueMap.find(GV) != AliasValueMap.end())
continue; continue;
assert(!GV->isDeclaration()); assert(!GV->isDeclaration());
Mapper.mapValue(*GV); Mapper.mapValue(*GV);
if (FoundError) if (FoundError)
return std::move(*FoundError); return std::move(*FoundError);
flushRAUWWorklist();
} }
// Note that we are done linking global value bodies. This prevents // Note that we are done linking global value bodies. This prevents
// metadata linking from creating new references. // metadata linking from creating new references.
DoneLinkingBodies = true; DoneLinkingBodies = true;
Mapper.addFlags(RF_NullMapMissingGlobalValues); Mapper.addFlags(RF_NullMapMissingGlobalValues);
// Remap all of the named MDNodes in Src into the DstM module. We do this // Remap all of the named MDNodes in Src into the DstM module. We do this
▲ Show 20 LinesShow All 114 LinesShow Last 20 Lines

llvm/trunk/test/LTO/Resolution/X86/Inputs/appending-var-2.ll

target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
%"foo" = type { i8 }
@llvm.used = appending global [1 x i8*] [i8* bitcast (i32 (%"foo"*)* @bar to i8*)], section "llvm.metadata"
; Function Attrs: norecurse nounwind readnone uwtable
define dso_local i32 @bar(%"foo"* nocapture readnone %this) align 2 !type !0 {
entry:
ret i32 0
}
!0 = !{i64 0, !"typeid1"}

llvm/trunk/test/LTO/Resolution/X86/appending-var.ll

; Check we don't crash when linking a global variable with appending linkage
; if the types in their elements don't have a straightforward mapping, forcing
; us to use bitcasts.
; RUN: opt %s -o %t1.o
; RUN: opt %p/Inputs/appending-var-2.ll -o %t2.o
; RUN: llvm-lto2 run -o %t3.o %t1.o %t2.o -r %t1.o,bar, -r %t2.o,bar,px
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
%"foo.1" = type { i8, i8 }
declare dso_local i32 @bar(%"foo.1"* nocapture readnone %this) local_unnamed_addr
@llvm.used = appending global [1 x i8*] [i8* bitcast (i32 (%"foo.1"*)* @bar to i8*)], section "llvm.metadata"