This is an archive of the discontinued LLVM Phabricator instance.

Differential D89353

Enable overriding `__libcpp_debug_function` invocation
AbandonedPublic

Authored by ldionne on Oct 13 2020, 5:02 PM.

Details

Reviewers
jdoerrie
EricWF
jfb
Quuxplusone
palmer
akhuang
Group Reviewers
Restricted Project
Summary

Enable not just changing the handler function at run-time, but also
enable changing how it's invoked at compile time.

Document that, and update some other Debug Mode documentation as well.

Diff Detail

Unit TestsFailed

TimeTest
560 mslibcxx CI GCC-next/C++20 > libc++.std/atomics/atomics_types_operations/atomics_types_operations_req::atomic_is_lock_free.pass.cpp
1,570 mslibcxx CI GCC-next/C++20 > libc++.std/iterators/iterator_primitives/range_iter_ops/range_iter_ops_advance::advance.pass.cpp
1,200 mslibcxx CI GCC-next/C++20 > libc++.std/iterators/iterator_primitives/range_iter_ops/range_iter_ops_next::iterator_count.pass.cpp
1,200 mslibcxx CI GCC-next/C++20 > libc++.std/iterators/iterator_primitives/range_iter_ops/range_iter_ops_next::iterator_count_sentinel.pass.cpp
1,410 mslibcxx CI GCC-next/C++20 > libc++.std/iterators/iterator_primitives/range_iter_ops/range_iter_ops_next::iterator_sentinel.pass.cpp
View Full Test Results (14 Failed)

Event Timeline

palmer created this revision.Oct 13 2020, 5:02 PM
Herald added a subscriber: dexonsmith. · View Herald TranscriptOct 13 2020, 5:02 PM
palmer requested review of this revision.Oct 13 2020, 5:02 PM

This is following up on the discussion at https://reviews.llvm.org/D70343. Does this overall direction make sense to you? I have hacked it into Chromium and it seems to work.

jdoerrie accepted this revision.Oct 14 2020, 1:37 AM

LGTM, no concerns from my side.

This revision is now accepted and ready to land.Oct 14 2020, 1:37 AM
dexonsmith removed a subscriber: dexonsmith.Oct 19 2020, 6:59 PM
palmer added a comment.Nov 11 2020, 5:19 PM

Thanks, jdoerrie! Does anyone else have thoughts?

palmer updated this revision to Diff 343722.May 7 2021, 10:59 AM

Rebased against the new origin/main.

Harbormaster completed remote builds in B103234: Diff 343722.May 7 2021, 1:58 PM
EricWF accepted this revision.May 11 2021, 7:58 AM
EricWF added a reviewer: Restricted Project.

Assuming this still merges, I don't have any issue with it.

There has been some work done by others on the debug mode. We don't need to wait for their approval, but please be receptive if they have comments.

EricWF accepted this revision.May 11 2021, 7:58 AM
Quuxplusone requested changes to this revision.May 11 2021, 8:29 AM
Quuxplusone added a subscriber: Quuxplusone.
Quuxplusone added inline comments.
libcxx/docs/DesignDocs/DebugMode.rst
83

In what sense does std::locale support iterators?

libcxx/include/__debug
42

(A) Please use #x here instead of (x) (and then x instead of #x in the macro above). This preserves the current assertion messages without extra parens. I don't think there's any reason it's a big deal; but we have a choice between "add an extra set of parens" or "don't", and I think "don't" is clearly if microscopically better.

(B) Even after reading D70343, I don't get the point of this new abstraction. Is it so that you can hard-code #define _LIBCPP_DEBUG_FUNCTION_INVOCATION std::abort() at compile time instead of setting __libcpp_debug_function = std::abort; at runtime? Why is the latter unacceptable to you?
Also, are you aware that libc++ compiles some _LIBCPP_ASSERT checks into its libc++.a binary? — Failures in those checks will respect the runtime setting of __libcpp_debug_function, but they will not respect macros set in the user's code. (I sent an email to libcxx-dev about this issue, specifically that debug iterators are broken because of it, on 2021-05-01, but nobody's replying to my email.)

(C) If you want libc++ to support this abstraction long-term, you absolutely need to "put a test on it." libcxx/test/libcxx/debug/ would probably be the right place for a new test that verifies the behavior of defining _LIBCPP_DEBUG_FUNCTION_INVOCATION.

This revision now requires changes to proceed.May 11 2021, 8:29 AM
Quuxplusone added inline comments.May 11 2021, 8:30 AM
libcxx/docs/DesignDocs/DebugMode.rst
83

I should add: Other than this std::locale diff which I don't understand (yet?), I love this documentation change; feel free to land it separately from the rest of this PR.

thakis added a subscriber: thakis.May 19 2021, 6:03 PM
thakis added inline comments.
libcxx/include/__debug
42

(For B: We build libc++ from source and statically link it, so that's fine for us.)

palmer added inline comments.May 24 2021, 11:44 AM
libcxx/docs/DesignDocs/DebugMode.rst
83

The implementation in include/__locale includes some iterators. If you have turned on this debugging mode, those iterators will be checked. Nothing directly API-exposed, but under the hood, debug checks could fire. I figure people might want to know.

libcxx/include/__debug
42

Why do we (Chromium) want this: in Chromium, we want these debugging/hardening checks in production. But, we are very sensitive to object code size, and the standard implementation has those print statements (which can get big). This macro allows us to use the smallest possible crash code (e.g. a ud2 on Intel, or the like), and thus have the least impact on our overall object code size.

Quuxplusone added inline comments.May 24 2021, 12:19 PM
libcxx/docs/DesignDocs/DebugMode.rst
83

Ah, that makes sense. But then I repeat: "Are you aware that libc++ compiles some _LIBCPP_ASSERT checks into its libc++.a binary? — Failures in those checks will respect the runtime setting of __libcpp_debug_function, but they will not respect macros set in the user's code. (I sent an email to libcxx-dev about this issue, specifically that debug iterators are broken because of it, on 2021-05-01, but nobody's replying to my email.)"
As of 2021-05-24, nobody is still replying to that email. I don't think we should pursue this PR D89353 until someone does.

palmer added inline comments.May 24 2021, 1:32 PM
libcxx/docs/DesignDocs/DebugMode.rst
83

In Chromium, we build libcxx entirely from source, so I don't think we have that problem.

akhuang commandeered this revision.May 24 2021, 2:58 PM
akhuang added a reviewer: palmer.
akhuang added a subscriber: akhuang.

apparently i'll take over this patch from here!

akhuang updated this revision to Diff 350714.Jun 8 2021, 2:28 PM

Remove parens from macro and add test case

akhuang added a comment.Jun 8 2021, 2:29 PM

thought I'd updated this patch but apparently I hadn't--

Harbormaster completed remote builds in B108285: Diff 350714.Jun 8 2021, 4:01 PM
ldionne requested changes to this revision.Jun 10 2021, 11:47 AM
ldionne added a subscriber: ldionne.

For some reason this went entirely under my radar.

I think we should have a broader discussion about what to do with the debug mode (top of thread: https://lists.llvm.org/pipermail/libcxx-dev/2021-June/001168.html) before we make this change.

If I understand correctly, the main problem being solved by this patch is that Chromium does not want to have those __FILE__ string constants stored in the compiled binaries (because it doesn't use that information anyway)?

This revision now requires changes to proceed.Jun 10 2021, 11:47 AM
palmer added a comment.Jun 10 2021, 11:53 AM

If I understand correctly, the main problem being solved by this patch is that Chromium does not want to have those __FILE__ string constants stored in the compiled binaries (because it doesn't use that information anyway)?

It's not just the string constants, it's that we want everything about the code to be as small as possible:

"But, we are very sensitive to object code size, and the standard implementation has those print statements (which can get big). This macro allows us to use the smallest possible crash code (e.g. a ud2 on Intel, or the like), and thus have the least impact on our overall object code size."

rnk added a subscriber: rnk.Jun 15 2021, 2:32 PM
In D89353#2811149, @ldionne wrote:

If I understand correctly, the main problem being solved by this patch is that Chromium does not want to have those __FILE__ string constants stored in the compiled binaries (because it doesn't use that information anyway)?

As I understand it, the plan is to actually ship with these checks enabled. This expands the scope of these debug mode checks from a testing tool to a security hardening tool. That's why the binary size matters: it will ship to users. It starts from the simple idea that std::vector<>::operator[] could have bounds checks, and one way to get there is to enable debug checks and add this override mechanism.

jfb added a comment.Jun 15 2021, 3:06 PM

FWIW I support something along the lines of what Palmer is trying to do: many users of the STL would like to be able to handle particular types of library UB instead of performing potentially unbounded effects. Which ones is a bit of an art that we need to figure out, for example I wouldn't want to unduly affect performance (by e.g. changing algorithmic complexity) or code size (here, with diagnostic bloat). In a way we're experimenting on the edges of what contract checking would be for the STL, and I would approach it with this optic: could we have a mode of the STL which enforces contracts, and a mode where you get whatever. If so, what should be checked and what should remain unchecked, and what are the principles to distinguish these. I think in this discussion it's important to separate the invariants that are details of libc++'s implementation, from what are actual contracts at the STL API level.

ldionne commandeered this revision.Aug 31 2023, 8:09 AM
ldionne edited reviewers, added: akhuang; removed: ldionne.

[Github PR Transition cleanup]

The Debug mode doesn't exist anymore, but this was done in D141326. I will close this to clean up the queue (which requires commandeering and abandoning, sorry if that seems rude but it's how Phabricator works).

Herald added a project: Restricted Project. · View Herald TranscriptAug 31 2023, 8:09 AM
ldionne abandoned this revision.Aug 31 2023, 8:10 AM
rnk added a comment.Aug 31 2023, 9:08 AM

+1, this use case has long been addressed by the assertion mode, and then the new safe and hardened modes.

Revision Contents

PathSize
libcxx/
docs/
DesignDocs/
63 lines
include/
8 lines
test/
libcxx/
debug/
25 lines

Diff 350714

libcxx/docs/DesignDocs/DebugMode.rst

Show First 20 LinesShow All 74 Lines▼ Show 20 Lines.. code-block:: cpp
int main(int, char**) { int main(int, char**) {
std::__libcpp_debug_function = &my_handler; std::__libcpp_debug_function = &my_handler;
std::string::iterator bad_it; std::string::iterator bad_it;
std::string str("hello world"); std::string str("hello world");
str.insert(bad_it, '!'); // causes debug assertion str.insert(bad_it, '!'); // causes debug assertion
// control flow doesn't return // control flow doesn't return
} }
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

In what sense does std::locale support iterators?

Quuxplusone: In what sense does `std::locale` support iterators?
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

I should add: Other than this std::locale diff which I don't understand (yet?), I love this documentation change; feel free to land it separately from the rest of this PR.

Quuxplusone: I should add: Other than this `std::locale` diff which I don't understand (yet?), I love this…
palmerUnsubmitted
Done
ReplyInline Actions

The implementation in include/__locale includes some iterators. If you have turned on this debugging mode, those iterators will be checked. Nothing directly API-exposed, but under the hood, debug checks could fire. I figure people might want to know.

palmer: The implementation in include/__locale includes some iterators. If you have turned on this…
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

Ah, that makes sense. But then I repeat: "Are you aware that libc++ compiles some _LIBCPP_ASSERT checks into its libc++.a binary? — Failures in those checks will respect the runtime setting of __libcpp_debug_function, but they will not respect macros set in the user's code. (I sent an email to libcxx-dev about this issue, specifically that debug iterators are broken because of it, on 2021-05-01, but nobody's replying to my email.)"
As of 2021-05-24, nobody is still replying to that email. I don't think we should pursue this PR D89353 until someone does.

Quuxplusone: Ah, that makes sense. But then I repeat: "Are you aware that libc++ compiles some…
palmerUnsubmitted
Done
ReplyInline Actions

In Chromium, we build libcxx entirely from source, so I don't think we have that problem.

palmer: In Chromium, we build libcxx entirely from source, so I don't think we have that problem.
The above example overrides the bug handler at run-time, but it is also possible
to override it at compile time using the ``_LIBCPP_DEBUG_FUNCTION_INVOCATION``
macro. This macro takes 2 arguments: the expression ``x`` to trigger the
assertion, and an error message ``m``. The default invocation uses these
arguments to construct the ``std::__libcpp_debug_info`` argument, but you can do
whatever you like with them (including nothing):
.. code-block:: cpp
#define _LIBCPP_DEBUG_FUNCTION_INVOCATION(x, m) abort()
#include <string>
int main(int, char**) {
std::string::iterator bad_it;
std::string str("hello world");
str.insert(bad_it, '!'); // causes debug assertion
// control flow doesn't return
}
Debug Mode Checks
=================
Libc++'s debug mode offers two levels of checking. The first enables various
precondition checks throughout libc++. The second additionally enables
"iterator debugging" which checks the validity of iterators used by the program.
Basic Checks
============
These checks are enabled when ``_LIBCPP_DEBUG`` is defined to either 0 or 1.
The following checks are enabled by ``_LIBCPP_DEBUG``:
* Many algorithms, such as ``binary_search``, ``merge``, ``next_permutation``, and ``sort``,
wrap the user-provided comparator to assert that `!comp(y, x)` whenever
`comp(x, y)`. This can cause the user-provided comparator to be evaluated
up to twice as many times as it would be without ``_LIBCPP_DEBUG``, and
causes the library to violate some of the Standard's complexity clauses.
* Bounds checks in containers (e.g ``operator[]``)
* Validity of dereferencing (e.g. ``operator*``, ``operator->``)
* Invariants and preconditions (e.g. ``has_value`` for ``std::optional``)
Iterator Debugging Checks
=========================
These checks are enabled when ``_LIBCPP_DEBUG`` is defined to 1.
The following containers and STL classes support iterator debugging:
* ``std::string``
* ``std::vector<T>`` (``T != bool``)
* ``std::list``
* ``std::locale``
* ``std::unordered_map``
* ``std::unordered_multimap``
* ``std::unordered_set``
* ``std::unordered_multiset``
The remaining includes do not currently support iterator debugging.
Patches welcome.

libcxx/include/__debug

Show All 21 Lines
#endif #endif
#if _LIBCPP_DEBUG_LEVEL >= 1 || defined(_LIBCPP_BUILDING_LIBRARY) #if _LIBCPP_DEBUG_LEVEL >= 1 || defined(_LIBCPP_BUILDING_LIBRARY)
# include <cstdlib> # include <cstdlib>
# include <cstdio> # include <cstdio>
# include <cstddef> # include <cstddef>
#endif #endif
#if !defined(_LIBCPP_DEBUG_FUNCTION_INVOCATION)
# define _LIBCPP_DEBUG_FUNCTION_INVOCATION(x, m) _VSTD::__libcpp_debug_function(_VSTD::__libcpp_debug_info(__FILE__, __LINE__, x, m))
#endif
#if _LIBCPP_DEBUG_LEVEL == 0 #if _LIBCPP_DEBUG_LEVEL == 0
# define _LIBCPP_DEBUG_ASSERT(x, m) ((void)0) # define _LIBCPP_DEBUG_ASSERT(x, m) ((void)0)
# define _LIBCPP_ASSERT_IMPL(x, m) ((void)0) # define _LIBCPP_ASSERT_IMPL(x, m) ((void)0)
#elif _LIBCPP_DEBUG_LEVEL == 1 #elif _LIBCPP_DEBUG_LEVEL == 1
# define _LIBCPP_DEBUG_ASSERT(x, m) ((void)0) # define _LIBCPP_DEBUG_ASSERT(x, m) ((void)0)
# define _LIBCPP_ASSERT_IMPL(x, m) ((x) ? (void)0 : _VSTD::__libcpp_debug_function(_VSTD::__libcpp_debug_info(__FILE__, __LINE__, #x, m))) # define _LIBCPP_ASSERT_IMPL(x, m) ((x) ? (void)0 : _LIBCPP_DEBUG_FUNCTION_INVOCATION(#x, m))
#elif _LIBCPP_DEBUG_LEVEL == 2 #elif _LIBCPP_DEBUG_LEVEL == 2
# define _LIBCPP_DEBUG_ASSERT(x, m) _LIBCPP_ASSERT(x, m) # define _LIBCPP_DEBUG_ASSERT(x, m) _LIBCPP_ASSERT(x, m)
# define _LIBCPP_ASSERT_IMPL(x, m) ((x) ? (void)0 : _VSTD::__libcpp_debug_function(_VSTD::__libcpp_debug_info(__FILE__, __LINE__, #x, m))) # define _LIBCPP_ASSERT_IMPL(x, m) ((x) ? (void)0 : _LIBCPP_DEBUG_FUNCTION_INVOCATION(#x, m))
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

(A) Please use #x here instead of (x) (and then x instead of #x in the macro above). This preserves the current assertion messages without extra parens. I don't think there's any reason it's a big deal; but we have a choice between "add an extra set of parens" or "don't", and I think "don't" is clearly if microscopically better.

(B) Even after reading D70343, I don't get the point of this new abstraction. Is it so that you can hard-code #define _LIBCPP_DEBUG_FUNCTION_INVOCATION std::abort() at compile time instead of setting __libcpp_debug_function = std::abort; at runtime? Why is the latter unacceptable to you?
Also, are you aware that libc++ compiles some _LIBCPP_ASSERT checks into its libc++.a binary? — Failures in those checks will respect the runtime setting of __libcpp_debug_function, but they will not respect macros set in the user's code. (I sent an email to libcxx-dev about this issue, specifically that debug iterators are broken because of it, on 2021-05-01, but nobody's replying to my email.)

(C) If you want libc++ to support this abstraction long-term, you absolutely need to "put a test on it." libcxx/test/libcxx/debug/ would probably be the right place for a new test that verifies the behavior of defining _LIBCPP_DEBUG_FUNCTION_INVOCATION.

Quuxplusone: (A) Please use `#x` here instead of `(x)` (and then `x` instead of `#x` in the macro above).
thakisUnsubmitted
Not Done
ReplyInline Actions

(For B: We build libc++ from source and statically link it, so that's fine for us.)

thakis: (For B: We build libc++ from source and statically link it, so that's fine for us.)
palmerUnsubmitted
Done
ReplyInline Actions

Why do we (Chromium) want this: in Chromium, we want these debugging/hardening checks in production. But, we are very sensitive to object code size, and the standard implementation has those print statements (which can get big). This macro allows us to use the smallest possible crash code (e.g. a ud2 on Intel, or the like), and thus have the least impact on our overall object code size.

palmer: Why do we (Chromium) want this: in Chromium, we want these debugging/hardening checks in…
#else #else
# error _LIBCPP_DEBUG_LEVEL must be one of 0, 1, 2 # error _LIBCPP_DEBUG_LEVEL must be one of 0, 1, 2
#endif #endif
#if !defined(_LIBCPP_ASSERT) #if !defined(_LIBCPP_ASSERT)
# define _LIBCPP_ASSERT(x, m) _LIBCPP_ASSERT_IMPL(x, m) # define _LIBCPP_ASSERT(x, m) _LIBCPP_ASSERT_IMPL(x, m)
#endif #endif
▲ Show 20 LinesShow All 227 LinesShow Last 20 Lines

libcxx/test/libcxx/debug/debug_function_invocation_macro.pass.cpp

  • This file was added.
// -*- C++ -*-
//===----------------------------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// ADDITIONAL_COMPILE_FLAGS: -D_LIBCPP_DEBUG=1
// UNSUPPORTED: libcxx-no-debug-mode
// Test that the _LIBCPP_DEBUG_FUNCTION_INVOCATION macro works.
// Define macro so that it doesn't abort.
#define _LIBCPP_DEBUG_FUNCTION_INVOCATION(x, m) std::_Exit(EXIT_SUCCESS)
#include <string>
int main(int, char**) {
std::string::iterator bad_it;
std::string str("hello world");
str.insert(bad_it, '!');
return EXIT_FAILURE;
}