This is an archive of the discontinued LLVM Phabricator instance.

[mlir][Vector][Affine] Fix heap-use-after-free in vectorizer
ClosedPublic

Authored by dcaballe on Mar 10 2021, 6:49 PM.

Download Raw Diff

Details

Reviewers

nicolasvasilache
aartbik
sgrechanik
ftynse

Commits

rGed193bce9d3b: [mlir][Vector][Affine] Fix heap-use-after-free in vectorizer

Summary

This patch fixes a heap-use-after-free introduced by the recent changes
in the vectorizer: https://reviews.llvm.org/rG95db7b4aeaad590f37720898e339a6d54313422f
The problem is due to the way candidate loops are visited. All candidate loops
are pattern-matched beforehand using the 'NestedMatch' utility. These matches may
intersect with each other so it may happen that we try to vectorize a loop that
was previously vectorized. The new vectorization algorithm replaces the original
loops that are vectorized with new loops and, therefore, any reference to the
original loops in the pre-computed matches becomes invalid.

This patch fixes the problem by classifying the candidate matches into buckets
before vectorization. Each bucket contains all the matches that intersect. The
vectorizer uses these buckets to make sure that we only vectorize *one* match from
each bucket, at most.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

dcaballe created this revision.Mar 10 2021, 6:49 PM

Herald added subscribers: cota, teijeong, rdzhabarov and 14 others. · View Herald TranscriptMar 10 2021, 6:49 PM

dcaballe requested review of this revision.Mar 10 2021, 6:49 PM

Herald added a project: Restricted Project. · View Herald TranscriptMar 10 2021, 6:49 PM

Herald added a subscriber: stephenneuendorffer. · View Herald Transcript

Harbormaster completed remote builds in B93201: Diff 329820.Mar 11 2021, 4:11 AM

Thanks for the fix! Don't forget to reland the patches I rolled back.

This revision is now accepted and ready to land.Mar 11 2021, 4:47 AM

Closed by commit rGed193bce9d3b: [mlir][Vector][Affine] Fix heap-use-after-free in vectorizer (authored by dcaballe). · Explain WhyMar 11 2021, 10:51 AM

This revision was automatically updated to reflect the committed changes.

dcaballe added a commit: rGed193bce9d3b: [mlir][Vector][Affine] Fix heap-use-after-free in vectorizer.

Revision Contents

Path

Size

mlir/

include/

mlir/

Analysis/

NestedMatcher.h

2 lines

lib/

Dialect/

Affine/

Transforms/

SuperVectorize.cpp

118 lines

Diff 329820

mlir/include/mlir/Analysis/NestedMatcher.h

	Show First 20 Lines • Show All 46 Lines • ▼ Show 20 Lines
	public:			public:
	static NestedMatch build(Operation *operation,			static NestedMatch build(Operation *operation,
	ArrayRef<NestedMatch> nestedMatches);			ArrayRef<NestedMatch> nestedMatches);
	NestedMatch(const NestedMatch &) = default;			NestedMatch(const NestedMatch &) = default;
	NestedMatch &operator=(const NestedMatch &) = default;			NestedMatch &operator=(const NestedMatch &) = default;

	explicit operator bool() { return matchedOperation != nullptr; }			explicit operator bool() { return matchedOperation != nullptr; }

	Operation *getMatchedOperation() { return matchedOperation; }			Operation *getMatchedOperation() const { return matchedOperation; }
	ArrayRef<NestedMatch> getMatchedChildren() { return matchedChildren; }			ArrayRef<NestedMatch> getMatchedChildren() { return matchedChildren; }

	private:			private:
	friend class NestedPattern;			friend class NestedPattern;
	friend class NestedPatternContext;			friend class NestedPatternContext;

	/// Underlying global bump allocator managed by a NestedPatternContext.			/// Underlying global bump allocator managed by a NestedPatternContext.
	static llvm::BumpPtrAllocator *&allocator();			static llvm::BumpPtrAllocator *&allocator();
	▲ Show 20 Lines • Show All 124 Lines • Show Last 20 Lines

mlir/lib/Dialect/Affine/Transforms/SuperVectorize.cpp

	Show First 20 Lines • Show All 532 Lines • ▼ Show 20 Lines
	static FilterFunctionType			static FilterFunctionType
	isVectorizableLoopPtrFactory(const DenseSet<Operation *> &parallelLoops,			isVectorizableLoopPtrFactory(const DenseSet<Operation *> &parallelLoops,
	int fastestVaryingMemRefDimension);			int fastestVaryingMemRefDimension);

	/// Creates a vectorization pattern from the command line arguments.			/// Creates a vectorization pattern from the command line arguments.
	/// Up to 3-D patterns are supported.			/// Up to 3-D patterns are supported.
	/// If the command line argument requests a pattern of higher order, returns an			/// If the command line argument requests a pattern of higher order, returns an
	/// empty pattern list which will conservatively result in no vectorization.			/// empty pattern list which will conservatively result in no vectorization.
	static std::vector<NestedPattern>			static Optional<NestedPattern>
	makePatterns(const DenseSet<Operation *> &parallelLoops, int vectorRank,			makePattern(const DenseSet<Operation *> &parallelLoops, int vectorRank,
	ArrayRef<int64_t> fastestVaryingPattern) {			ArrayRef<int64_t> fastestVaryingPattern) {
	using matcher::For;			using matcher::For;
	int64_t d0 = fastestVaryingPattern.empty() ? -1 : fastestVaryingPattern[0];			int64_t d0 = fastestVaryingPattern.empty() ? -1 : fastestVaryingPattern[0];
	int64_t d1 = fastestVaryingPattern.size() < 2 ? -1 : fastestVaryingPattern[1];			int64_t d1 = fastestVaryingPattern.size() < 2 ? -1 : fastestVaryingPattern[1];
	int64_t d2 = fastestVaryingPattern.size() < 3 ? -1 : fastestVaryingPattern[2];			int64_t d2 = fastestVaryingPattern.size() < 3 ? -1 : fastestVaryingPattern[2];
	switch (vectorRank) {			switch (vectorRank) {
	case 1:			case 1:
	return {For(isVectorizableLoopPtrFactory(parallelLoops, d0))};			return For(isVectorizableLoopPtrFactory(parallelLoops, d0));
	case 2:			case 2:
	return {For(isVectorizableLoopPtrFactory(parallelLoops, d0),			return For(isVectorizableLoopPtrFactory(parallelLoops, d0),
	For(isVectorizableLoopPtrFactory(parallelLoops, d1)))};			For(isVectorizableLoopPtrFactory(parallelLoops, d1)));
	case 3:			case 3:
	return {For(isVectorizableLoopPtrFactory(parallelLoops, d0),			return For(isVectorizableLoopPtrFactory(parallelLoops, d0),
	For(isVectorizableLoopPtrFactory(parallelLoops, d1),			For(isVectorizableLoopPtrFactory(parallelLoops, d1),
	For(isVectorizableLoopPtrFactory(parallelLoops, d2))))};			For(isVectorizableLoopPtrFactory(parallelLoops, d2))));
	default: {			default: {
	return std::vector<NestedPattern>();			return llvm::None;
	}			}
	}			}
	}			}

	static NestedPattern &vectorTransferPattern() {			static NestedPattern &vectorTransferPattern() {
	static auto pattern = matcher::Op([](Operation &op) {			static auto pattern = matcher::Op([](Operation &op) {
	return isa<vector::TransferReadOp, vector::TransferWriteOp>(op);			return isa<vector::TransferReadOp, vector::TransferWriteOp>(op);
	});			});
	▲ Show 20 Lines • Show All 686 Lines • ▼ Show 20 Lines
	/// below it fails.			/// below it fails.
	static LogicalResult vectorizeRootMatch(NestedMatch m,			static LogicalResult vectorizeRootMatch(NestedMatch m,
	const VectorizationStrategy &strategy) {			const VectorizationStrategy &strategy) {
	std::vector<SmallVector<AffineForOp, 2>> loopsToVectorize;			std::vector<SmallVector<AffineForOp, 2>> loopsToVectorize;
	getMatchedAffineLoops(m, loopsToVectorize);			getMatchedAffineLoops(m, loopsToVectorize);
	return vectorizeLoopNest(loopsToVectorize, strategy);			return vectorizeLoopNest(loopsToVectorize, strategy);
	}			}

				/// Traverses all the loop matches and classifies them into intersection
				/// buckets. Two matches intersect if any of them encloses the other one. A
				/// match intersects with a bucket if the match intersects with the root
				/// (outermost) loop in that bucket.
				static void computeIntersectionBuckets(
				ArrayRef<NestedMatch> matches,
				std::vector<SmallVector<NestedMatch, 8>> &intersectionBuckets) {
				assert(intersectionBuckets.empty() && "Expected empty output");
				// Keeps track of the root (outermost) loop of each bucket.
				SmallVector<AffineForOp, 8> bucketRoots;

				for (const NestedMatch &match : matches) {
				AffineForOp matchRoot = cast<AffineForOp>(match.getMatchedOperation());
				bool intersects = false;
				for (int i = 0, end = intersectionBuckets.size(); i < end; ++i) {
				AffineForOp bucketRoot = bucketRoots[i];
				// Add match to the bucket if the bucket root encloses the match root.
				if (bucketRoot->isAncestor(matchRoot)) {
				intersectionBuckets[i].push_back(match);
				intersects = true;
				break;
				}
				// Add match to the bucket if the match root encloses the bucket root. The
				// match root becomes the new bucket root.
				if (matchRoot->isAncestor(bucketRoot)) {
				bucketRoots[i] = matchRoot;
				intersectionBuckets[i].push_back(match);
				intersects = true;
				break;
				}
				}

				// Match doesn't intersect with any existing bucket. Create a new bucket for
				// it.
				if (!intersects) {
				bucketRoots.push_back(matchRoot);
				intersectionBuckets.push_back(SmallVector<NestedMatch, 8>());
				intersectionBuckets.back().push_back(match);
				}
				}
				}

	/// Internal implementation to vectorize affine loops in 'loops' using the n-D			/// Internal implementation to vectorize affine loops in 'loops' using the n-D
	/// vectorization factors in 'vectorSizes'. By default, each vectorization			/// vectorization factors in 'vectorSizes'. By default, each vectorization
	/// factor is applied inner-to-outer to the loops of each loop nest.			/// factor is applied inner-to-outer to the loops of each loop nest.
	/// 'fastestVaryingPattern' can be optionally used to provide a different loop			/// 'fastestVaryingPattern' can be optionally used to provide a different loop
	/// vectorization order.			/// vectorization order.
	static void vectorizeLoops(Operation parentOp, DenseSet<Operation > &loops,			static void vectorizeLoops(Operation parentOp, DenseSet<Operation > &loops,
	ArrayRef<int64_t> vectorSizes,			ArrayRef<int64_t> vectorSizes,
	ArrayRef<int64_t> fastestVaryingPattern) {			ArrayRef<int64_t> fastestVaryingPattern) {
	for (auto &pat :			// Compute 1-D, 2-D or 3-D loop pattern to be matched on the target loops.
	makePatterns(loops, vectorSizes.size(), fastestVaryingPattern)) {			Optional<NestedPattern> pattern =
				makePattern(loops, vectorSizes.size(), fastestVaryingPattern);
				if (!pattern.hasValue()) {
				LLVM_DEBUG(dbgs() << "\n[early-vect] pattern couldn't be computed\n");
				return;
				}

	LLVM_DEBUG(dbgs() << "\n******************************************");			LLVM_DEBUG(dbgs() << "\n******************************************");
	LLVM_DEBUG(dbgs() << "\n******************************************");			LLVM_DEBUG(dbgs() << "\n******************************************");
	LLVM_DEBUG(dbgs() << "\n[early-vect] new pattern on parent op\n");			LLVM_DEBUG(dbgs() << "\n[early-vect] new pattern on parent op\n");
	LLVM_DEBUG(parentOp->print(dbgs()));			LLVM_DEBUG(dbgs() << *parentOp << "\n");

	unsigned patternDepth = pat.getDepth();			unsigned patternDepth = pattern->getDepth();

	SmallVector<NestedMatch, 8> matches;			// Compute all the pattern matches and classify them into buckets of
	pat.match(parentOp, &matches);			// intersecting matches.
	// Iterate over all the top-level matches and vectorize eagerly.			SmallVector<NestedMatch, 32> allMatches;
	// This automatically prunes intersecting matches.			pattern->match(parentOp, &allMatches);
	for (auto m : matches) {			std::vector<SmallVector<NestedMatch, 8>> intersectionBuckets;
				computeIntersectionBuckets(allMatches, intersectionBuckets);

				// Iterate over all buckets and vectorize the matches eagerly. We can only
				// vectorize one match from each bucket since all the matches within a bucket
				// intersect.
				for (auto &intersectingMatches : intersectionBuckets) {
				for (NestedMatch &match : intersectingMatches) {
	VectorizationStrategy strategy;			VectorizationStrategy strategy;
	// TODO: depending on profitability, elect to reduce the vector size.			// TODO: depending on profitability, elect to reduce the vector size.
	strategy.vectorSizes.assign(vectorSizes.begin(), vectorSizes.end());			strategy.vectorSizes.assign(vectorSizes.begin(), vectorSizes.end());
	if (failed(analyzeProfitability(m.getMatchedChildren(), 1, patternDepth,			if (failed(analyzeProfitability(match.getMatchedChildren(), 1,
	&strategy))) {			patternDepth, &strategy))) {
	continue;			continue;
	}			}
	vectorizeLoopIfProfitable(m.getMatchedOperation(), 0, patternDepth,			vectorizeLoopIfProfitable(match.getMatchedOperation(), 0, patternDepth,
	&strategy);			&strategy);
	// TODO: if pattern does not apply, report it; alter the			// Vectorize match. Skip the rest of intersecting matches in the bucket if
	// cost/benefit.			// vectorization succeeded.
	(void)vectorizeRootMatch(m, strategy);			// TODO: if pattern does not apply, report it; alter the cost/benefit.
	// TODO: some diagnostics if failure to vectorize occurs.			// TODO: some diagnostics if failure to vectorize occurs.
				if (succeeded(vectorizeRootMatch(match, strategy)))
				break;
	}			}
	}			}

	LLVM_DEBUG(dbgs() << "\n");			LLVM_DEBUG(dbgs() << "\n");
	}			}

	std::unique_ptr<OperationPass<FuncOp>>			std::unique_ptr<OperationPass<FuncOp>>
	createSuperVectorizePass(ArrayRef<int64_t> virtualVectorSize) {			createSuperVectorizePass(ArrayRef<int64_t> virtualVectorSize) {
	return std::make_unique<Vectorize>(virtualVectorSize);			return std::make_unique<Vectorize>(virtualVectorSize);
	}			}
	std::unique_ptr<OperationPass<FuncOp>> createSuperVectorizePass() {			std::unique_ptr<OperationPass<FuncOp>> createSuperVectorizePass() {
	▲ Show 20 Lines • Show All 132 Lines • Show Last 20 Lines