This is an archive of the discontinued LLVM Phabricator instance.

Differential D96349

[instcombine] Exploit UB implied by nofree attributes
ClosedPublic

Authored by reames on Feb 9 2021, 9:08 AM.

Details

Reviewers
jdoerfert
apilipenko
bollu
Commits
rG86664638898e: [instcombine] Exploit UB implied by nofree attributes
Summary

This patch simply implements the documented UB of the current nofree attributes as specified. It doesn't try to be fancy about inference (yet), it just implements the cases already specified and inferred.

Note: When this lands, it may expose miscompiles. If so, please revert and provide a test case. It's likely the bug is in the existing inference code and without a relatively complete test case, it will be hard to debug.

Diff Detail

Event Timeline

reames created this revision.Feb 9 2021, 9:08 AM
Herald added a reviewer: bollu. · View Herald TranscriptFeb 9 2021, 9:08 AM
Herald added subscribers: dantrushin, hiraditya, mcrosier. · View Herald Transcript
reames requested review of this revision.Feb 9 2021, 9:08 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 9 2021, 9:08 AM
Harbormaster completed remote builds in B88476: Diff 322414.Feb 9 2021, 9:57 AM
jdoerfert accepted this revision.Feb 9 2021, 11:07 AM

LGTM. We should probably add the following negative test case:

; Freeing in a nonfree function is fine if the effect is invisible to the outside
define void @test16() nofree {
  i8* %foo = call i8* @malloc(i32 1)
  call void @free(i8* %foo)
  ret void
}
This revision is now accepted and ready to land.Feb 9 2021, 11:07 AM
reames added a comment.Feb 9 2021, 2:40 PM
In D96349#2551984, @jdoerfert wrote:

LGTM. We should probably add the following negative test case:

; Freeing in a nonfree function is fine if the effect is invisible to the outside
define void @test16() nofree {
  i8* %foo = call i8* @malloc(i32 1)
  call void @free(i8* %foo)
  ret void
}

Er, no. That's not okay. Either by the implementation in this patch, or by my reading of the LangRef. The langref says "This function attribute indicates that the function does not, directly or indirectly, call a memory-deallocation function (free, for example). " There's no exception there for memory allocated in scope, nor should there be.

jdoerfert added a comment.Feb 9 2021, 3:03 PM
In D96349#2552491, @reames wrote:
In D96349#2551984, @jdoerfert wrote:

LGTM. We should probably add the following negative test case:

; Freeing in a nonfree function is fine if the effect is invisible to the outside
define void @test16() nofree {
  i8* %foo = call i8* @malloc(i32 1)
  call void @free(i8* %foo)
  ret void
}

Er, no. That's not okay. Either by the implementation in this patch, or by my reading of the LangRef. The langref says "This function attribute indicates that the function does not, directly or indirectly, call a memory-deallocation function (free, for example). " There's no exception there for memory allocated in scope, nor should there be.

Right, we want to tweak the lang ref. Generally, I believe this is is one of those cases where it is "as if" it doesn't free. I mean, you can't tell it does from the outside. Imagine a backend that realizes the stack allocation is too big and puts it on the heap with a proper free. If the function was nofree before it would not be anymore even though we might have "thought so" during the compilation. Similarly, a writenone function can write to some alloca without it being a problem (IMHO).

reames added a comment.Feb 9 2021, 3:56 PM
In D96349#2552559, @jdoerfert wrote:
In D96349#2552491, @reames wrote:
In D96349#2551984, @jdoerfert wrote:

LGTM. We should probably add the following negative test case:

; Freeing in a nonfree function is fine if the effect is invisible to the outside
define void @test16() nofree {
  i8* %foo = call i8* @malloc(i32 1)
  call void @free(i8* %foo)
  ret void
}

Er, no. That's not okay. Either by the implementation in this patch, or by my reading of the LangRef. The langref says "This function attribute indicates that the function does not, directly or indirectly, call a memory-deallocation function (free, for example). " There's no exception there for memory allocated in scope, nor should there be.

Right, we want to tweak the lang ref.

I'm not going to enter a debate on whether the LangRef is right here. We can do that on llvm-dev or private conversation. This patch is solely implementing the semantics as currently specified.

Does your LGTM still stand with that understanding?

jdoerfert added a comment.Feb 9 2021, 4:01 PM
In D96349#2552672, @reames wrote:
In D96349#2552559, @jdoerfert wrote:
In D96349#2552491, @reames wrote:
In D96349#2551984, @jdoerfert wrote:

LGTM. We should probably add the following negative test case:

; Freeing in a nonfree function is fine if the effect is invisible to the outside
define void @test16() nofree {
  i8* %foo = call i8* @malloc(i32 1)
  call void @free(i8* %foo)
  ret void
}

Er, no. That's not okay. Either by the implementation in this patch, or by my reading of the LangRef. The langref says "This function attribute indicates that the function does not, directly or indirectly, call a memory-deallocation function (free, for example). " There's no exception there for memory allocated in scope, nor should there be.

Right, we want to tweak the lang ref.

I'm not going to enter a debate on whether the LangRef is right here. We can do that on llvm-dev or private conversation. This patch is solely implementing the semantics as currently specified.

Does your LGTM still stand with that understanding?

Yes, this is restrictive enough to be correct either way.

This revision was landed with ongoing or failed builds.Feb 18 2021, 8:34 AM
Closed by commit rG86664638898e: [instcombine] Exploit UB implied by nofree attributes (authored by reames). · Explain Why
This revision was automatically updated to reflect the committed changes.
reames added a commit: rG86664638898e: [instcombine] Exploit UB implied by nofree attributes.
reames added a comment.Apr 19 2021, 11:29 AM

FYI, there was a nasty bug found in this patch. A fix is on review in https://reviews.llvm.org/D100779.

reames added a reverting change: rG15e19a259986: Revert "[instcombine] Exploit UB implied by nofree attributes".Apr 22 2021, 10:53 AM

Revision Contents

PathSize
llvm/
lib/
Transforms/
InstCombine/
14 lines
test/
Transforms/
InstCombine/
31 lines

Diff 324656

llvm/lib/Transforms/InstCombine/InstructionCombining.cpp

Show First 20 LinesShow All 2,793 Lines▼ Show 20 Lines if (isa<UndefValue>(Op)) {
return eraseInstFromFunction(FI); return eraseInstFromFunction(FI);
} }
// If we have 'free null' delete the instruction. This can happen in stl code // If we have 'free null' delete the instruction. This can happen in stl code
// when lots of inlining happens. // when lots of inlining happens.
if (isa<ConstantPointerNull>(Op)) if (isa<ConstantPointerNull>(Op))
return eraseInstFromFunction(FI); return eraseInstFromFunction(FI);
// If we free a pointer we've been explicitly told won't be freed, this
// would be full UB and thus we can conclude this is unreachable. Cases:
// 1) freeing a pointer which is explicitly nofree
// 2) calling free from a call site marked nofree
// 3) calling free in a function scope marked nofree
if (auto *A = dyn_cast<Argument>(Op->stripPointerCasts()))
if (A->hasAttribute(Attribute::NoFree) ||
FI.hasFnAttr(Attribute::NoFree) ||
FI.getFunction()->hasFnAttribute(Attribute::NoFree)) {
// Leave a marker since we can't modify the CFG here.
CreateNonTerminatorUnreachable(&FI);
return eraseInstFromFunction(FI);
}
// If we optimize for code size, try to move the call to free before the null // If we optimize for code size, try to move the call to free before the null
// test so that simplify cfg can remove the empty block and dead code // test so that simplify cfg can remove the empty block and dead code
// elimination the branch. I.e., helps to turn something like: // elimination the branch. I.e., helps to turn something like:
// if (foo) free(foo); // if (foo) free(foo);
// into // into
// free(foo); // free(foo);
// //
// Note that we can only do this for 'free' and not for any flavor of // Note that we can only do this for 'free' and not for any flavor of
▲ Show 20 LinesShow All 1,325 LinesShow Last 20 Lines

llvm/test/Transforms/InstCombine/malloc-free-delete.ll

Show First 20 LinesShow All 345 Lines▼ Show 20 Lines
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
call void @_ZdlPv(i8* null) call void @_ZdlPv(i8* null)
ret void ret void
} }
define void @test11() { define void @test11() {
; CHECK-LABEL: @test11( ; CHECK-LABEL: @test11(
; CHECK-NEXT: [[CALL:%.*]] = call dereferenceable(8) i8* @_Znwm(i64 8) #7 ; CHECK-NEXT: [[CALL:%.*]] = call dereferenceable(8) i8* @_Znwm(i64 8) #8
; CHECK-NEXT: call void @_ZdlPv(i8* nonnull [[CALL]]) ; CHECK-NEXT: call void @_ZdlPv(i8* nonnull [[CALL]])
; CHECK-NEXT: ret void ; CHECK-NEXT: ret void
; ;
%call = call i8* @_Znwm(i64 8) builtin %call = call i8* @_Znwm(i64 8) builtin
call void @_ZdlPv(i8* %call) call void @_ZdlPv(i8* %call)
ret void ret void
} }
Show All 22 Linesif.then: ; preds = %entry
%bitcast = bitcast i32* %foo to i8* %bitcast = bitcast i32* %foo to i8*
tail call void @free(i8* %bitcast) tail call void @free(i8* %bitcast)
br label %if.end br label %if.end
if.end: ; preds = %entry, %if.then if.end: ; preds = %entry, %if.then
ret void ret void
} }
; Freeing a no-free pointer -> full UB
define void @test13(i8* nofree %foo) {
; CHECK-LABEL: @test13(
; CHECK-NEXT: store i1 true, i1* undef, align 1
; CHECK-NEXT: ret void
;
call void @free(i8* %foo)
ret void
}
; Freeing a no-free pointer -> full UB
define void @test14(i8* %foo) nofree {
; CHECK-LABEL: @test14(
; CHECK-NEXT: store i1 true, i1* undef, align 1
; CHECK-NEXT: ret void
;
call void @free(i8* %foo)
ret void
}
; free call marked no-free -> full UB
define void @test15(i8* %foo) {
; CHECK-LABEL: @test15(
; CHECK-NEXT: store i1 true, i1* undef, align 1
; CHECK-NEXT: ret void
;
call void @free(i8* %foo) nofree
ret void
}