<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=big5">

<meta name="Generator" content="Microsoft Word 15 (filtered medium)">

<style><!--

/* Font Definitions */

@font-face

        {font-family:Helvetica;

        panose-1:0 0 0 0 0 0 0 0 0 0;}

@font-face

        {font-family:"MS Gothic";

        panose-1:2 11 6 9 7 2 5 8 2 4;}

@font-face

        {font-family:"Cambria Math";

        panose-1:2 4 5 3 5 4 6 3 2 4;}

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

@font-face

        {font-family:"\@MS Gothic";

        panose-1:2 11 6 9 7 2 5 8 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0cm;

        font-size:11.0pt;

        font-family:"Calibri",sans-serif;

        mso-fareast-language:EN-US;}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:#0563C1;

        text-decoration:underline;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-size:10.0pt;}

@page WordSection1

        {size:612.0pt 792.0pt;

        margin:72.0pt 72.0pt 72.0pt 72.0pt;}

div.WordSection1

        {page:WordSection1;}

--></style>

</head>

<body lang="en-DE" link="#0563C1" vlink="purple" style="word-wrap:break-word">

<div class="WordSection1">

<p class="MsoNormal"><span lang="EN-US">Hi Chuanqi,<br>

<br>

Amazing! Already fixed bugs are the nicest type of bugs :)<br>

(I guess I should have checked trunk, too)<br>

<br>

FYI: It seems this was fixed by https://reviews.llvm.org/D90990<br>

<br>

Cheers,<br>

Adrian<o:p></o:p></span></p>

<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>

<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">

<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:

</span></b><span style="font-size:12.0pt;color:black">chuanqi.xcq <yedeng.yd@linux.alibaba.com><br>

<b>Date: </b>Monday, 8. February 2021 at 10:46<br>

<b>To: </b>cfe-dev@lists.llvm.org <cfe-dev@lists.llvm.org>, Adrian Vogelsgesang <avogelsgesang@tableau.com><br>

<b>Subject: </b>Re: [cfe-dev] Miscompilation: heap-use-after-free in C++ coroutines</span><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-GB"><o:p></o:p></span></p>

</div>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Hi Adrian,</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Sorry for disturbing. When I am trying to look into this, I find that this bug is fixed in llvm trunk. (</span><a href="https://godbolt.org/z/ehTa78"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif">https://godbolt.org/z/ehTa78</span></a><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">).</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<blockquote style="margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">------------------------------------------------------------------</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">From:chuanqi.xcq via cfe-dev <cfe-dev@lists.llvm.org></span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Send Time:2021</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">年</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">2</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">月</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">8</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">日</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">(</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">星期一</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">)

 16:27</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">To:cfe-dev@lists.llvm.org <cfe-dev@lists.llvm.org>; Adrian Vogelsgesang <avogelsgesang@tableau.com></span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Subject:Re: [cfe-dev] Miscompilation: heap-use-after-free in C++ coroutines</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Hi Adrian,</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<div>

<p class="MsoNormal">Oh yes, the corourtine should be considered as suspended in await_suspend from the wording. I'm trying to fix this.<o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">------------------------------------------------------------------</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">From:Adrian Vogelsgesang <avogelsgesang@tableau.com></span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Send Time:2021</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">年</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">2</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">月</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">6</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">日</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">(</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">星期六</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">)

 04:33</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">To:chuanqi.xcq <yedeng.yd@linux.alibaba.com>; cfe-dev@lists.llvm.org <cfe-dev@lists.llvm.org></span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Subject:Re: [cfe-dev] Miscompilation: heap-use-after-free in C++ coroutines</span><o:p></o:p></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<p class="MsoNormal">HI Chuanqi,<br>

<br>

> I met this problem before. I agree that this behavior would make symmetric transfer much harder.<br>

<br>

Thanks for taking a look at this - I really appreciate it!<br>

<br>

> the coroutine **isn't suspended** in the await_suspend. So it is an undefined behavior if we call `coroutine_handle::destroy()` in await_suspend.</p>

<p class="MsoNormal"><br>

I think section <a href="http://7.6.2.4">

7.6.2.4</a>, subpoint 5.1 is the relevant part of the standard here:<br>

```<br>

The await-expression evaluates the (possibly-converted) o expression and the await-ready expression, then:</p>

<p class="MsoNormal">(5.1) — If the result of await-ready is false, the coroutine is considered suspended. Then:</p>

<p class="MsoNormal" style="margin-bottom:12.0pt">(5.1.1) — If the type of await-suspend is std::coroutine_handle<Z>, await-suspend.resume() is evaluated.<br>

```<br>

<br>

My understanding of this sections, if mapped to my example, is:<br>

`await_ready` was called and returned false -> the coroutine is suspended.<br>

Now, await_suspend gets called. The coroutine should still be suspended and it should be valid to destroy it.<br>

<br>

Cheers,<br>

Adrian</p>

<p class="MsoNormal"> </p>

<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:0cm 0cm 0cm 0cm">

<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:

</span></b><span style="font-size:12.0pt;color:black">chuanqi.xcq <yedeng.yd@linux.alibaba.com><br>

<b>Date: </b>Thursday, 4. February 2021 at 03:07<br>

<b>To: </b>cfe-dev@lists.llvm.org <cfe-dev@lists.llvm.org>, Adrian Vogelsgesang <avogelsgesang@tableau.com><br>

<b>Subject: </b>Re: [cfe-dev] Miscompilation: heap-use-after-free in C++ coroutines</span></p>

</div>

<div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Hi Adrian,</span></p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">I met this problem before. I agree that this behavior would make symmetric transfer much harder.</span></p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">From my point of view, this is an undefined behavior. From

</span><a href="http://17.12.4.6" target="_blank"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif">17.12.4.6</span></a><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">

 of N4878, we can find:</span></p>

</div>

<div>

<p class="MsoNormal">```<o:p></o:p></p>

</div>

<div>

<p style="margin:0cm;font-variant-caps:normal;font-stretch:normal"><span style="font-size:12.0pt;font-family:Helvetica">void destroy() const;</span><o:p></o:p></p>

<p style="margin:0cm;font-variant-caps:normal;font-stretch:normal"><span style="font-size:12.0pt;font-family:Helvetica">4 Preconditions: *this refers to a suspended coroutine.</span><o:p></o:p></p>

<p style="margin:0cm;font-variant-caps:normal;font-stretch:normal"><span style="font-size:12.0pt;font-family:Helvetica">5 Effects: Destroys the coroutine</span></p>

</div>

<div>

<p class="MsoNormal">```</p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal">To my mind, the coroutine **isn't suspended** in the await_suspend. So it is an undefined behavior if we call `coroutine_handle::destroy()` in await_suspend.</p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal">But I strongly agree with you it is really suffering that if we want symmetric transfer and we can't destroy the coroutine in final await_suspend directly.</p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal">I would look into the details and try to fix it.</p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal">Thanks,</p>

</div>

<div>

<p class="MsoNormal">Chuanqi</p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">------------------------------------------------------------------</span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">From:Adrian Vogelsgesang via cfe-dev <cfe-dev@lists.llvm.org></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Send Time:2021</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">年</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">2</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">月</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">4</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">日</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">(</span><span lang="EN-US" style="font-size:10.5pt;font-family:"MS Gothic";color:black">星期四</span><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">)

 04:21</span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">To:cfe-dev@lists.llvm.org <cfe-dev@lists.llvm.org></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Tahoma",sans-serif;color:black">Subject:[cfe-dev] Miscompilation: heap-use-after-free in C++ coroutines</span></p>

</div>

<div>

<p class="MsoNormal"> </p>

</div>

<p class="MsoNormal"><span style="color:black">Dear Clang community,<br>

<br>

I think I stumbled across a front-end bug in clang’s coroutine implementation.<br>

<br>

Having an awaitable with<br>

<br>

```<br>

template<typename PROMISE> std::experimental::coroutine_handle<> await_suspend(std::experimental::coroutine_handle<PROMISE> coro) noexcept {</span><o:p></o:p></p>

<p class="MsoNormal" style="caret-color:#000000;font-variant-caps:normal;orphans:auto;text-align:start;widows:auto">

<span style="color:black">      coro.destroy();</span><o:p></o:p></p>

<p class="MsoNormal" style="caret-color:#000000;font-variant-caps:normal;orphans:auto;text-align:start;widows:auto">

<span style="color:black">     return std::experimental::noop_coroutine();</span><o:p></o:p></p>

<p class="MsoNormal" style="caret-color:#000000;font-variant-caps:normal;orphans:auto;text-align:start;widows:auto">

<span style="color:black">}<br>

```<br>

<br>

destroys the function’s own coroutine frame. This is valid, as long as no-one afterwards resumes the coroutine anymore. However, address-sanitizer reports a heap-use-after-free error (see

</span><a href="https://godbolt.org/z/eq6eoc" target="_blank">https://godbolt.org/z/eq6eoc</a><span style="color:black"> )<br>

<br>

Afaict, this is because clang stores the return value of `await_suspend` in the coroutine frame. Instead, clang should probably store this return value on the stack. Storing on the stack should be valid, as it is guaranteed that this return value will never

 live across a suspension point.<br>

<br>

You can find a minimal repro in </span><a href="https://godbolt.org/z/eq6eoc" target="_blank">https://godbolt.org/z/eq6eoc</a><span style="color:black"> and a more complex end-to-end version in </span><a href="https://godbolt.org/z/8Yadv1" target="_blank">https://godbolt.org/z/8Yadv1</a><span style="color:black"> .

 See </span><a href="https://stackoverflow.com/questions/65991264/c-coroutines-is-it-valid-to-call-handle-destroy-from-the-final-suspend-poin" target="_blank">https://stackoverflow.com/questions/65991264/c-coroutines-is-it-valid-to-call-handle-destroy-from-the-final-suspend-poin</a><span style="color:black"> (in

 particular the comments to David Haim’s reply) for more context.<br>

<br>

Cheers,<br>

Adrian</span></p>

<p class="MsoNormal"> </p>

<div>

<p class="MsoNormal"> </p>

</div>

</div>

<div>

<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>

</div>

</blockquote>

<div>

<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>

</div>

</div>

</div>

</body>

</html>