[llvm-bugs] [Bug 25846] New: [Statepoint] Dangling pointer in RS4GC

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Dec 15 17:19:46 PST 2015 

https://llvm.org/bugs/show_bug.cgi?id=25846

            Bug ID: 25846
           Summary: [Statepoint] Dangling pointer in RS4GC
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: me at manueljacob.de
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

Created attachment 15459
  --> https://llvm.org/bugs/attachment.cgi?id=15459&action=edit
Example IR, exposing the bug

In RS4GC, ReplaceBaseInstWith() deletes an instruction without removing it from
the `States` mapping sometimes.  I've attached a crashing example and two
patches, applying *one* of them is sufficient to make the dangling pointer show
up early.  Otherwise the dangling pointer will get into the cache, crashing
`opt` at some later point nondeterministically.

You can reproduce it by: opt -spp-no-entry -spp-no-backedge -place-safepoints
-rewrite-statepoints-for-gc test.ll

Here's why I think it fails:

0) `States` before first call of ReplaceBaseInstWith():
%phi1 -> %phi1.base [won't change, omitted below]
%select1 -> %select1.base
%select2 -> %select2.base

1) ReplaceBaseInstWith() is called with BDV = %select2, BaseI = %select2.base,
Replacement = %select1.base, because simplify(%select2.base) = %select1.base
%select1 -> %select1.base
%select2 -> %select1.base

2) ReplaceBaseInstWith() is called with BDV = %select1, BaseI = %select1.base,
Replacement = %select1, because %select1.base is "identical" to %select1
%select1 -> %select1
%select2 -> %select1.base

Now deleting %select1.base is wrong because it's still in `States`.

The code assumes (`ReverseMap`) that `States`'s BDV -> base mapping is
injective, but it's not after 1).  Therefore it's not sufficient to replace
only the BDV -> BaseI entry with BDV -> Replacement, since multiple BDVs (and
not only the one from `ReverseMap`) might map to BaseI.

Instructions:
%select1 = select i1 undef, i8 addrspace(1)* %in1, i8 addrspace(1)* %in2
%select1.base = select i1 undef, i8 addrspace(1)* %in1, i8 addrspace(1)* %in2,
!is_base_value !0
%select2 = select i1 undef, i8 addrspace(1)* %select1, i8 addrspace(1)*
%select1
%select2.base = select i1 undef, i8 addrspace(1)* %select1.base, i8
addrspace(1)* %select1.base, !is_base_value !0

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20151216/d42c6543/attachment.html>

More information about the llvm-bugs mailing list