This is an archive of the discontinued LLVM Phabricator instance.

Differential D95329

[llvm-link] Fix crash when materializing appending global
ClosedPublic

Authored by sdmitriev on Jan 24 2021, 10:07 PM.

Details

Reviewers
tra
tejohnson
jdoerfert
Commits
rG13cedcaf4538: [llvm-link] Fix crash when materializing appending global
Summary

This patch fixes llvm-link crash when materializing global variable
with appending linkage and initializer that depends on another
global with appending linkage.

Diff Detail

Event Timeline

sdmitriev created this revision.Jan 24 2021, 10:07 PM
Herald added a subscriber: hiraditya. · View Herald TranscriptJan 24 2021, 10:07 PM
sdmitriev requested review of this revision.Jan 24 2021, 10:07 PM
Herald added a project: Restricted Project. · View Herald TranscriptJan 24 2021, 10:07 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B86504: Diff 318901.Jan 24 2021, 10:50 PM
tra added inline comments.Jan 25 2021, 9:22 AM
llvm/lib/Transforms/Utils/ValueMapper.cpp
822–824

Does the crash happen because mapAppendingVariable attempts to iterate over an array that may change by the loop?
If that's the case, the fix (making a temp copy with relevant items) should probably be done there.

sdmitriev added inline comments.Jan 25 2021, 10:17 AM
llvm/lib/Transforms/Utils/ValueMapper.cpp
822–824

For the IR from test mapAppendingVariable call causes a new item to be added to the AppendingInits vector, but this item gets incorrectly cleaned up from it by the resize call which follows mapAppendingVariable. As a result we are getting PrefixSize == -1 while processing the second appending global which leads to a crash.

tra added inline comments.Jan 25 2021, 10:36 AM
llvm/lib/Transforms/Utils/ValueMapper.cpp
822–824

I see. I'd rename Inits -> NewInits or UnmappedInits to make it more clear that we only want to process new entries.
Perhaps PrefixSize could also use a more descriptive name, too. NumMappedInits ?

825

What's the typical number of inits do you expect to see in practice?
Presumably, it's smaller than that of AppendingInits itself, which is 16.

sdmitriev updated this revision to Diff 319173.Jan 25 2021, 5:24 PM

Addressed review comments.

sdmitriev added inline comments.Jan 25 2021, 5:26 PM
llvm/lib/Transforms/Utils/ValueMapper.cpp
825

I have renamed Inits to NewInits in the updated patch and reduced its size to 8.

tra accepted this revision.Jan 25 2021, 5:47 PM
This revision is now accepted and ready to land.Jan 25 2021, 5:47 PM
Closed by commit rG13cedcaf4538: [llvm-link] Fix crash when materializing appending global (authored by sdmitriev). · Explain WhyJan 25 2021, 6:18 PM
This revision was automatically updated to reflect the committed changes.
sdmitriev added a commit: rG13cedcaf4538: [llvm-link] Fix crash when materializing appending global.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Utils/
10 lines
test/
Linker/
10 lines

Diff 319182

llvm/lib/Transforms/Utils/ValueMapper.cpp

Show First 20 LinesShow All 813 Lines▼ Show 20 Lines while (!Worklist.empty()) {
CurrentMCID = E.MCID; CurrentMCID = E.MCID;
switch (E.Kind) { switch (E.Kind) {
case WorklistEntry::MapGlobalInit: case WorklistEntry::MapGlobalInit:
E.Data.GVInit.GV->setInitializer(mapConstant(E.Data.GVInit.Init)); E.Data.GVInit.GV->setInitializer(mapConstant(E.Data.GVInit.Init));
remapGlobalObjectMetadata(*E.Data.GVInit.GV); remapGlobalObjectMetadata(*E.Data.GVInit.GV);
break; break;
case WorklistEntry::MapAppendingVar: { case WorklistEntry::MapAppendingVar: {
unsigned PrefixSize = AppendingInits.size() - E.AppendingGVNumNewMembers; unsigned PrefixSize = AppendingInits.size() - E.AppendingGVNumNewMembers;
// mapAppendingVariable call can change AppendingInits if initalizer for
// the variable depends on another appending global, because of that inits
// need to be extracted and updated before the call.
traUnsubmitted
Not Done
ReplyInline Actions

Does the crash happen because mapAppendingVariable attempts to iterate over an array that may change by the loop?
If that's the case, the fix (making a temp copy with relevant items) should probably be done there.

tra: Does the crash happen because `mapAppendingVariable` attempts to iterate over an array that may…
sdmitrievAuthorUnsubmitted
Not Done
ReplyInline Actions

For the IR from test mapAppendingVariable call causes a new item to be added to the AppendingInits vector, but this item gets incorrectly cleaned up from it by the resize call which follows mapAppendingVariable. As a result we are getting PrefixSize == -1 while processing the second appending global which leads to a crash.

sdmitriev: For the IR from test `mapAppendingVariable` call causes a new item to be added to the…
traUnsubmitted
Not Done
ReplyInline Actions

I see. I'd rename Inits -> NewInits or UnmappedInits to make it more clear that we only want to process new entries.
Perhaps PrefixSize could also use a more descriptive name, too. NumMappedInits ?

tra: I see. I'd rename `Inits` -> `NewInits` or `UnmappedInits` to make it more clear that we only…
SmallVector<Constant *, 8> NewInits(
traUnsubmitted
Not Done
ReplyInline Actions

What's the typical number of inits do you expect to see in practice?
Presumably, it's smaller than that of AppendingInits itself, which is 16.

tra: What's the typical number of inits do you expect to see in practice? Presumably, it's smaller…
sdmitrievAuthorUnsubmitted
Done
ReplyInline Actions

I have renamed Inits to NewInits in the updated patch and reduced its size to 8.

sdmitriev: I have renamed `Inits` to `NewInits` in the updated patch and reduced its size to 8.
drop_begin(AppendingInits, PrefixSize));
AppendingInits.resize(PrefixSize);
mapAppendingVariable(*E.Data.AppendingGV.GV, mapAppendingVariable(*E.Data.AppendingGV.GV,
E.Data.AppendingGV.InitPrefix, E.Data.AppendingGV.InitPrefix,
E.AppendingGVIsOldCtorDtor, E.AppendingGVIsOldCtorDtor, makeArrayRef(NewInits));
makeArrayRef(AppendingInits).slice(PrefixSize));
AppendingInits.resize(PrefixSize);
break; break;
} }
case WorklistEntry::MapGlobalIndirectSymbol: case WorklistEntry::MapGlobalIndirectSymbol:
E.Data.GlobalIndirectSymbol.GIS->setIndirectSymbol( E.Data.GlobalIndirectSymbol.GIS->setIndirectSymbol(
mapConstant(E.Data.GlobalIndirectSymbol.Target)); mapConstant(E.Data.GlobalIndirectSymbol.Target));
break; break;
case WorklistEntry::RemapFunction: case WorklistEntry::RemapFunction:
remapFunction(*E.Data.RemapF); remapFunction(*E.Data.RemapF);
▲ Show 20 LinesShow All 303 LinesShow Last 20 Lines

llvm/test/Linker/appending-global-crash.ll

  • This file was added.
; RUN: llvm-link %s -S -o - | FileCheck %s
; Check that llvm-link does not crash when materializing appending global with
; initializer depending on another appending global.
; CHECK-DAG: @use = appending global [1 x i8*] [i8* bitcast ([1 x i8*]* @var to i8*)]
; CHECK-DAG: @var = appending global [1 x i8*] undef
@use = appending global [1 x i8*] [i8* bitcast ([1 x i8*]* @var to i8*)]
@var = appending global [1 x i8*] undef