
Fix ForEachLoopUnroll use-after-free miscompile. #35302


Merged
merged 1 commit into from
Jan 8, 2021

@atrick atrick commented Jan 7, 2021

This pass generated incorrect borrow scopes:

%stack = alloc_stack
%borrow = begin_borrow %element
store_borrow %borrow to %stack
end_borrow %borrow
try_apply %f(%stack) normal bb1, error bb2
...
destroy_value %element

This was not showing up as a miscompile before because:

  • an array holds an extra copy of the unrolled elements, that array is
    now being optimized away completely.

  • CopyPropagation now canonicalizes OSSA lifetimes independent of
    unrelated program side effects.

So, since there is no explicit relationship between %borrow and the
OSSA value in %stack, we end up with:

%stack = alloc_stack
%borrow = begin_borrow %element
store_borrow %borrow to %stack
end_borrow %borrow
destroy_value %element
try_apply %f(%stack) normal bb1, error bb2

Fixes rdar://72904101 ([CanonicalOSSA] Fix ForEachLoopUnroll use-after-free miscompile.)
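
An added example, not part of the PR or the Swift compiler: a toy straight-line checker in Python run over the two listings from the description above. It shows that the scope error (use of `%stack` after `end_borrow`) is already present in the first listing and only becomes a use after destroy in the second. The `check` function and its rules are assumptions made for illustration; real OSSA verification works on the control-flow graph.

```python
import re

# Listings copied from the PR description; the "..." line matches no rule.
BEFORE = """\
%stack = alloc_stack
%borrow = begin_borrow %element
store_borrow %borrow to %stack
end_borrow %borrow
try_apply %f(%stack) normal bb1, error bb2
...
destroy_value %element
"""
AFTER = """\
%stack = alloc_stack
%borrow = begin_borrow %element
store_borrow %borrow to %stack
end_borrow %borrow
destroy_value %element
try_apply %f(%stack) normal bb1, error bb2
"""

def check(sil):
    """Return (line_no, problem) pairs for a straight-line SIL-like listing."""
    owner = {}   # borrow value -> owned value it borrows from
    stored = {}  # address -> borrow value stored into it by store_borrow
    ended, destroyed, problems = set(), set(), []
    for no, line in enumerate(sil.splitlines(), 1):
        if m := re.match(r"(%\w+) = begin_borrow (%\w+)", line):
            owner[m[1]] = m[2]
        elif m := re.match(r"store_borrow (%\w+) to (%\w+)", line):
            stored[m[2]] = m[1]
        elif m := re.match(r"end_borrow (%\w+)", line):
            ended.add(m[1])
        elif m := re.match(r"destroy_value (%\w+)", line):
            destroyed.add(m[1])
        elif m := re.match(r"(?:try_)?apply %\w+\(([^)]*)\)", line):
            for arg in re.findall(r"%\w+", m[1]):
                b = stored.get(arg)
                if b in ended:  # address outlives the borrow scope
                    problems.append((no, f"{arg} used after end_borrow {b}"))
                if b is not None and owner.get(b) in destroyed:
                    problems.append((no, f"{arg} used after destroy_value {owner[b]}"))
    return problems

if __name__ == "__main__":
    for name, sil in (("before", BEFORE), ("after", AFTER)):
        print(name, check(sil))
```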


atrick commented Jan 7, 2021

@swift-ci test


atrick commented Jan 7, 2021

@swift-ci benchmark

@atrick atrick requested a review from meg-gupta January 7, 2021 22:12

@meg-gupta meg-gupta left a comment


lgtm


swift-ci commented Jan 7, 2021

Build failed
Swift Test Linux Platform
Git Sha - cec5513


swift-ci commented Jan 7, 2021

Performance: -O

Improvement OLD NEW DELTA RATIO
FlattenListFlatMap 6810 4421 -35.1% 1.54x (?)
String.data.Medium 112 100 -10.7% 1.12x (?)

Code size: -O

Performance: -Osize

Regression OLD NEW DELTA RATIO
FlattenListLoop 1627 2505 +54.0% 0.65x (?)
FlattenListFlatMap 5608 6628 +18.2% 0.85x (?)
 
Improvement OLD NEW DELTA RATIO
DataReplaceMedium 4600 4200 -8.7% 1.10x (?)

Code size: -Osize

Performance: -Onone

Regression OLD NEW DELTA RATIO
SevenBoom 1761 2052 +16.5% 0.86x (?)

Code size: -swiftlibs

How to read the data

The tables contain differences in performance which are larger than 8% and differences in code size which are larger than 1%.

If you see any unexpected regressions, you should consider fixing the
regressions before you merge the PR.

Noise: Sometimes the performance results (not code size!) contain false
alarms. Unexpected regressions which are marked with '(?)' are probably noise.
If you see regressions which you cannot explain you can try to run the
benchmarks again. If regressions still show up, please consult with the
performance team (@eeckstein).

Hardware Overview
  Model Name: Mac Pro
  Model Identifier: MacPro6,1
  Processor Name: 12-Core Intel Xeon E5
  Processor Speed: 2.7 GHz
  Number of Processors: 1
  Total Number of Cores: 12
  L2 Cache (per Core): 256 KB
  L3 Cache: 30 MB
  Memory: 64 GB


atrick commented Jan 8, 2021

@swift-ci smoke test linux


atrick commented Jan 8, 2021

@swift-ci smoke test windows


swift-ci commented Jan 8, 2021

Build failed
Swift Test OS X Platform
Git Sha - cec5513


atrick commented Jan 8, 2021

@swift-ci smoke test

@atrick atrick merged commit d25ce3d into swiftlang:main Jan 8, 2021
@atrick atrick deleted the fix-foreachloop branch January 8, 2021 16:24