This is an archive of the discontinued LLVM Phabricator instance.

Differential D77601

Make SmallVector assert if it cannot grow.
ClosedPublic

Authored by browneee on Apr 6 2020, 3:27 PM.

Details

Reviewers
echristo
tellenbach
Commits
rGa30e7ea88e75: Make SmallVector assert if it cannot grow.
Summary

Context:

/// Double the size of the allocated memory, guaranteeing space for at
/// least one more element or MinSize if specified.
void grow(size_t MinSize = 0) { this->grow_pod(MinSize, sizeof(T)); }

void push_back(const T &Elt) {
  if (LLVM_UNLIKELY(this->size() >= this->capacity()))
    this->grow();
  memcpy(reinterpret_cast<void *>(this->end()), &Elt, sizeof(T));
  this->set_size(this->size() + 1);
}

When grow is called in push_back() without a MinSize specified, this is
relying on the guarantee of space for at least one more element.

There is an edge case bug where the SmallVector is already at its maximum size
and push_back() calls grow() with default MinSize of zero. Grow is unable to
provide space for one more element, but push_back() assumes the additional
element it will be available. This can result in silent memory corruption, as
this->end() will be an invalid pointer and the program may continue executing.

Another alternative to fix would be to remove the default argument from
grow(), which would mean several changing grow() to grow(this->size()+1)
in several places.

No test case added because it would require allocating ~4GB.

Diff Detail

Unit TestsFailed

TimeTest
11,540 mslldb-api.commands/expression/import-std-module/basic::Unknown Unit Message ("")
3,610 mslldb-api.commands/expression/import-std-module/conflicts::Unknown Unit Message ("")
5,630 mslldb-api.commands/expression/import-std-module/deque-basic::Unknown Unit Message ("")
5,490 mslldb-api.commands/expression/import-std-module/deque-dbg-info-content::Unknown Unit Message ("")
5,210 mslldb-api.commands/expression/import-std-module/forward_list::Unknown Unit Message ("")
View Full Test Results (41 Failed)

Event Timeline

browneee created this revision.Apr 6 2020, 3:27 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 6 2020, 3:27 PM
Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript
tellenbach added a reviewer: tellenbach.Apr 6 2020, 4:37 PM
tellenbach added a subscriber: tellenbach.
Harbormaster completed remote builds in B52061: Diff 255517.Apr 6 2020, 4:55 PM
tellenbach added inline comments.Apr 6 2020, 5:03 PM
llvm/lib/Support/SmallVector.cpp
43

Could you change this function's comment to include that the SmallVector needs to be able to grow by at least one element (please also change in llvm/include/llvm/ADT/SmallVector.h)? This is currently only documented for grow but your patch adds a restriction that should be documented locally.

52

Can you use Capacity directly and omit the function call?

browneee updated this revision to Diff 255557.Apr 6 2020, 6:03 PM
browneee marked 2 inline comments as done.

Added function comment on grow_pod.

Herald added a subscriber: dexonsmith. · View Herald TranscriptApr 6 2020, 6:03 PM
browneee added inline comments.Apr 6 2020, 6:04 PM
llvm/lib/Support/SmallVector.cpp
52

I expect this call will be inlined, along with the existing calls to capacity() and size() in this function.
Using capacity() seems consistent with the rest of the SmallVector code.

Harbormaster completed remote builds in B52087: Diff 255557.Apr 6 2020, 7:38 PM
tellenbach added inline comments.Apr 7 2020, 9:25 AM
llvm/include/llvm/ADT/SmallVector.h
49

Here is some word missing: This function will report a fatal error if it cannot increase capactity.?

llvm/lib/Support/SmallVector.cpp
42

Same here: A word is missing.

browneee updated this revision to Diff 255777.Apr 7 2020, 12:44 PM

Add "report a " to comments.

browneee marked 2 inline comments as done.Apr 7 2020, 12:45 PM
Harbormaster completed remote builds in B52215: Diff 255777.Apr 7 2020, 2:10 PM
browneee marked an inline comment as done.Apr 8 2020, 10:17 AM
tellenbach added a comment.Apr 9 2020, 3:30 AM

LGTM, thanks.

tellenbach accepted this revision.Apr 9 2020, 3:30 AM
This revision is now accepted and ready to land.Apr 9 2020, 3:30 AM
browneee added a comment.Apr 9 2020, 10:18 AM

I am not a committer, please submit for me.

browneee abandoned this revision.Apr 10 2020, 11:11 AM

Incorporated into https://reviews.llvm.org/D77621 (because this is not submitted yet, and that change now moves this code).

browneee reclaimed this revision.Apr 21 2020, 10:01 AM
This revision is now accepted and ready to land.Apr 21 2020, 10:01 AM
browneee updated this revision to Diff 259041.Apr 21 2020, 10:02 AM

Update. Add check to SmallVectorTemplateBase<T, TriviallyCopyable>::grow too.

Harbormaster failed remote builds in B54118: Diff 259041!Apr 21 2020, 11:21 AM
browneee updated this revision to Diff 259123.Apr 21 2020, 4:14 PM

Rebase to head.

Harbormaster failed remote builds in B54166: Diff 259123!Apr 21 2020, 5:21 PM
dexonsmith added a comment.Apr 21 2020, 6:02 PM
In D77601#1974745, @browneee wrote:

Incorporated into https://reviews.llvm.org/D77621 (because this is not submitted yet, and that change now moves this code).

Based on this comment I thought you'd abandoned this patch...

In D77601#1995667, @browneee wrote:

Rebase to head.

But since you're updating here, I should note that the patch as it looks here is still working with UINT32_MAX instead of max_size(). It should be updated in light of https://reviews.llvm.org/D77621.

browneee closed this revision.Apr 21 2020, 6:07 PM

Landed as a30e7ea88e75568feed020aedae73c52de888835

browneee added a comment.Apr 21 2020, 6:49 PM
In D77601#1995831, @dexonsmith wrote:
In D77601#1974745, @browneee wrote:

Incorporated into https://reviews.llvm.org/D77621 (because this is not submitted yet, and that change now moves this code).

Based on this comment I thought you'd abandoned this patch...

I should have been more explicit here. After D77621 was reverted, I picked it up again to make this change separately.

In D77601#1995667, @browneee wrote:

Rebase to head.

But since you're updating here, I should note that the patch as it looks here is still working with UINT32_MAX instead of max_size(). It should be updated in light of https://reviews.llvm.org/D77621.

Sorry, I didn't see this comment before pushing.

I think UINT32_MAX is consistent with existing usage in these functions. In D77621 the max_size() part of the change was necessary because it could vary. Here we can leave that change to a separate patch.

browneee mentioned this in D77621: ADT: SmallVector size/capacity use word-size integers when elements are small.Apr 23 2020, 11:09 AM

Revision Contents

PathSize
llvm/
include/
llvm/
ADT/
7 lines
lib/
Support/
7 lines

Diff 259123

llvm/include/llvm/ADT/SmallVector.h

Show All 40 Linesprotected:
unsigned Size = 0, Capacity; unsigned Size = 0, Capacity;
SmallVectorBase() = delete; SmallVectorBase() = delete;
SmallVectorBase(void *FirstEl, size_t TotalCapacity) SmallVectorBase(void *FirstEl, size_t TotalCapacity)
: BeginX(FirstEl), Capacity(TotalCapacity) {} : BeginX(FirstEl), Capacity(TotalCapacity) {}
/// This is an implementation of the grow() method which only works /// This is an implementation of the grow() method which only works
/// on POD-like data types and is out of line to reduce code duplication. /// on POD-like data types and is out of line to reduce code duplication.
/// This function will report a fatal error if it cannot increase capacity.
tellenbachUnsubmitted
Done
ReplyInline Actions

Here is some word missing: This function will report a fatal error if it cannot increase capactity.?

tellenbach: Here is some word missing: `This function will report a fatal error if it cannot increase…
void grow_pod(void *FirstEl, size_t MinCapacity, size_t TSize); void grow_pod(void *FirstEl, size_t MinCapacity, size_t TSize);
public: public:
size_t size() const { return Size; } size_t size() const { return Size; }
size_t capacity() const { return Capacity; } size_t capacity() const { return Capacity; }
LLVM_NODISCARD bool empty() const { return !Size; } LLVM_NODISCARD bool empty() const { return !Size; }
▲ Show 20 LinesShow All 172 Lines▼ Show 20 Lines
}; };
// Define this out-of-line to dissuade the C++ compiler from inlining it. // Define this out-of-line to dissuade the C++ compiler from inlining it.
template <typename T, bool TriviallyCopyable> template <typename T, bool TriviallyCopyable>
void SmallVectorTemplateBase<T, TriviallyCopyable>::grow(size_t MinSize) { void SmallVectorTemplateBase<T, TriviallyCopyable>::grow(size_t MinSize) {
if (MinSize > UINT32_MAX) if (MinSize > UINT32_MAX)
report_bad_alloc_error("SmallVector capacity overflow during allocation"); report_bad_alloc_error("SmallVector capacity overflow during allocation");
// Ensure we can meet the guarantee of space for at least one more element.
// The above check alone will not catch the case where grow is called with a
// default MinCapacity of 0, but the current capacity cannot be increased.
if (this->capacity() == size_t(UINT32_MAX))
report_bad_alloc_error("SmallVector capacity unable to grow");
// Always grow, even from zero. // Always grow, even from zero.
size_t NewCapacity = size_t(NextPowerOf2(this->capacity() + 2)); size_t NewCapacity = size_t(NextPowerOf2(this->capacity() + 2));
NewCapacity = std::min(std::max(NewCapacity, MinSize), size_t(UINT32_MAX)); NewCapacity = std::min(std::max(NewCapacity, MinSize), size_t(UINT32_MAX));
T *NewElts = static_cast<T*>(llvm::safe_malloc(NewCapacity*sizeof(T))); T *NewElts = static_cast<T*>(llvm::safe_malloc(NewCapacity*sizeof(T)));
// Move the elements over. // Move the elements over.
this->uninitialized_move(this->begin(), this->end(), NewElts); this->uninitialized_move(this->begin(), this->end(), NewElts);
▲ Show 20 LinesShow All 697 LinesShow Last 20 Lines

llvm/lib/Support/SmallVector.cpp

Show All 33 Lines
static_assert(sizeof(SmallVector<Struct32B, 0>) >= alignof(Struct32B), static_assert(sizeof(SmallVector<Struct32B, 0>) >= alignof(Struct32B),
"missing padding for 32-byte aligned T"); "missing padding for 32-byte aligned T");
static_assert(sizeof(SmallVector<void *, 1>) == static_assert(sizeof(SmallVector<void *, 1>) ==
sizeof(unsigned) * 2 + sizeof(void *) * 2, sizeof(unsigned) * 2 + sizeof(void *) * 2,
"wasted space in SmallVector size 1"); "wasted space in SmallVector size 1");
/// grow_pod - This is an implementation of the grow() method which only works /// grow_pod - This is an implementation of the grow() method which only works
/// on POD-like datatypes and is out of line to reduce code duplication. /// on POD-like datatypes and is out of line to reduce code duplication.
/// This function will report a fatal error if it cannot increase capacity.
tellenbachUnsubmitted
Done
ReplyInline Actions

Same here: A word is missing.

tellenbach: Same here: A word is missing.
void SmallVectorBase::grow_pod(void *FirstEl, size_t MinCapacity, void SmallVectorBase::grow_pod(void *FirstEl, size_t MinCapacity,
tellenbachUnsubmitted
Done
ReplyInline Actions

Could you change this function's comment to include that the SmallVector needs to be able to grow by at least one element (please also change in llvm/include/llvm/ADT/SmallVector.h)? This is currently only documented for grow but your patch adds a restriction that should be documented locally.

tellenbach: Could you change this function's comment to include that the SmallVector needs to be able to…
size_t TSize) { size_t TSize) {
// Ensure we can fit the new capacity in 32 bits. // Ensure we can fit the new capacity in 32 bits.
if (MinCapacity > UINT32_MAX) if (MinCapacity > UINT32_MAX)
report_bad_alloc_error("SmallVector capacity overflow during allocation"); report_bad_alloc_error("SmallVector capacity overflow during allocation");
// Ensure we can meet the guarantee of space for at least one more element.
// The above check alone will not catch the case where grow is called with a
// default MinCapacity of 0, but the current capacity cannot be increased.
if (capacity() == size_t(UINT32_MAX))
tellenbachUnsubmitted
Done
ReplyInline Actions

Can you use Capacity directly and omit the function call?

tellenbach: Can you use `Capacity` directly and omit the function call?
browneeeAuthorUnsubmitted
Done
ReplyInline Actions

I expect this call will be inlined, along with the existing calls to capacity() and size() in this function.
Using capacity() seems consistent with the rest of the SmallVector code.

browneee: I expect this call will be inlined, along with the existing calls to capacity() and size() in…
report_bad_alloc_error("SmallVector capacity unable to grow");
size_t NewCapacity = 2 * capacity() + 1; // Always grow. size_t NewCapacity = 2 * capacity() + 1; // Always grow.
NewCapacity = NewCapacity =
std::min(std::max(NewCapacity, MinCapacity), size_t(UINT32_MAX)); std::min(std::max(NewCapacity, MinCapacity), size_t(UINT32_MAX));
void *NewElts; void *NewElts;
if (BeginX == FirstEl) { if (BeginX == FirstEl) {
NewElts = safe_malloc(NewCapacity * TSize); NewElts = safe_malloc(NewCapacity * TSize);
Show All 10 Lines