[all-commits] [llvm/llvm-project] 38be53: [MLIR] Fix use-after-frees when accessing Distinct...

Artemiy Bulavin via All-commits all-commits at lists.llvm.org
Wed Jul 16 03:12:00 PDT 2025 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 38be53aa04de8c6d494de8074328ac8907f3f631
      https://github.com/llvm/llvm-project/commit/38be53aa04de8c6d494de8074328ac8907f3f631
  Author: Artemiy Bulavin <artemiyb at graphcore.ai>
  Date:   2025-07-16 (Wed, 16 Jul 2025)

  Changed paths:
    M mlir/lib/IR/AttributeDetail.h
    M mlir/lib/IR/MLIRContext.cpp
    M mlir/lib/Pass/PassCrashRecovery.cpp
    M mlir/unittests/IR/CMakeLists.txt
    A mlir/unittests/IR/DistinctAttributeAllocatorTest.cpp

  Log Message:
  -----------
  [MLIR] Fix use-after-frees when accessing DistinctAttr storage (#148666)

This PR fixes a use-after-free error that happens when `DistinctAttr`
instances are created within a `PassManager` running with crash recovery
enabled. The root cause is that `DistinctAttr` storage is allocated in a
thread_local allocator, which is destroyed when the crash recovery
thread joins, invalidating the storage.

Moreover, even without crash reproduction disabling multithreading on
the context will destroy the context's thread pool, and in turn delete
the threadlocal storage. This means a call to
`ctx->disableMulthithreading()` breaks the IR.

This PR replaces the thread local allocator with a synchronised
allocator that's shared between threads. This persists the lifetime of
allocated DistinctAttr storage instances to the lifetime of the context.

### Problem Details:

The `DistinctAttributeAllocator` uses a
`ThreadLocalCache<BumpPtrAllocator>` for lock-free allocation of
`DistinctAttr` storage in a multithreaded context. The issue occurs when
a `PassManager` is run with crash recovery (`runWithCrashRecovery`), the
pass pipeline is executed on a temporary thread spawned by
`llvm::CrashRecoveryContext`. Any `DistinctAttr`s created during this
execution have their storage allocated in the thread_local cache of this
temporary thread. When the thread joins, the thread_local storage is
destroyed, freeing the `DistinctAttr`s' memory. If this attribute is
accessed later, e.g. when printing, it results in a use-after-free.

As mentioned previously, this is also seen after creating some
`DistinctAttr`s and then calling `ctx->disableMulthithreading()`.

### Solution

`DistinctAttrStorageAllocator` uses a synchronised, shared allocator
instead of one wrapped in a `ThreadLocalCache`. The former is what
stores the allocator in transient thread_local storage.

### Testing:

A C++ unit test has been added to validate this fix. (I was previously
reproducing this failure with `mlir-opt` but I can no longer do so and I
am unsure why.)

-----

Note: This is a 2nd attempt at my previous PR
https://github.com/llvm/llvm-project/pull/128566 that was reverted in
https://github.com/llvm/llvm-project/pull/133000. I believe I've
addressed the TSAN and race condition concerns.



To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications

More information about the All-commits mailing list