The attached patch teaches Recycler (and by proxy RecyclingAllocator) to poison and unpoison memory for ASAN. Running ninja check under ASAN with this applied hits a few thousand failures. Some of the issues include:
We don't allocate nodes in SelectionDAG correctly - we always call an SDNode allocator and upcast to the (much larger) subclasses. This mostly works since the RecyclingAllocator is set to allocate 296 bytes per node.
SelectionDAG sets node types to "ISD::DELETED_NODE" before returning them to the free list, ostensibly to detect bugs. Then it uses whether or not the thing is deleted for control flow in places like UpdateChainsAndGlue. This should not work, but apparently it tends to in practice.
SelectionDAG arbitrarily casts from smaller SDNodes to MachineSDNode in MorphNodeTo. This is very much undefined behaviour, but basically works since the allocations happen to be large enough.
There's probably a use-after-free of Tail in TargetInstrInfo::ReplaceTailWithBranchTo.
RegisterCoalescer::reMaterializeTrivialDef appears to have use-after-free bugs regarding MachineInstrs.
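As an added example (not the patch attached to this issue and not LLVM's own Recycler or RecyclingAllocator code), here is a small fixed-size recycler that poisons blocks while they sit on the free list and unpoisons them when handed back out, which is the mechanism the issue describes. The class, the `FakeSDNode`/`FakeMachineSDNode` stand-ins, and the 296-byte block constant are constructed for illustration; the real SDNode layouts are not reproduced. The poisoning macros expand to no-ops when the file is not built with `-fsanitize=address`, so the code runs either way.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Manual ASAN poisoning hooks. Without -fsanitize=address they expand to
// no-ops, the same pattern LLVM's Compiler.h uses, so this compiles and
// runs in a plain build as well.
#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_HAVE_ASAN 1
#  endif
#endif
#if defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_HAVE_ASAN 1
#endif
#ifdef EXAMPLE_HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#else
#  define ASAN_POISON_MEMORY_REGION(addr, size) ((void)(addr), (void)(size))
#  define ASAN_UNPOISON_MEMORY_REGION(addr, size) ((void)(addr), (void)(size))
#endif

// A minimal recycler: fixed-size blocks kept on an intrusive free list.
// Blocks are poisoned while on the list and unpoisoned when handed out, so
// touching a recycled object between Deallocate() and the next Allocate()
// is reported by ASAN instead of silently "working".
template <std::size_t Size, std::size_t Align = alignof(std::max_align_t)>
class PoisoningRecycler {
  struct FreeNode { FreeNode *Next; };
  static_assert(Size >= sizeof(FreeNode), "block too small for a free-list link");
  static_assert(Align <= alignof(std::max_align_t), "malloc cannot honour this alignment");

  FreeNode *FreeList = nullptr;
  std::size_t NumFree = 0;
  std::vector<void *> Slabs; // every block ever carved out, released in the dtor

public:
  PoisoningRecycler() = default;
  PoisoningRecycler(const PoisoningRecycler &) = delete;
  PoisoningRecycler &operator=(const PoisoningRecycler &) = delete;

  ~PoisoningRecycler() {
    // Unpoison before free(): the malloc implementation must be allowed to
    // write its own metadata into the block, and we must read Next ourselves.
    for (FreeNode *N = FreeList; N;) {
      ASAN_UNPOISON_MEMORY_REGION(N, Size);
      N = N->Next;
    }
    for (void *S : Slabs) std::free(S);
  }

  // The static_asserts are the check the issue says SelectionDAG lacks: an
  // object larger than the block cannot be handed out, so "allocate a base
  // node and use it as a larger subclass" fails at compile time instead of
  // relying on the slab happening to be big enough.
  template <class T> T *Allocate() {
    static_assert(sizeof(T) <= Size, "T does not fit in this recycler's blocks");
    static_assert(alignof(T) <= Align, "T is over-aligned for this recycler");
    if (FreeList) {
      FreeNode *B = FreeList;
      ASAN_UNPOISON_MEMORY_REGION(B, Size); // the link lives in poisoned memory
      FreeList = B->Next;                    // so unpoison before reading it
      --NumFree;
      return reinterpret_cast<T *>(B);
    }
    void *Raw = std::malloc(Size);
    if (!Raw) std::abort();
    Slabs.push_back(Raw);
    return reinterpret_cast<T *>(Raw);
  }

  template <class T> void Deallocate(T *Ptr) {
    Ptr->~T();
    FreeNode *N = reinterpret_cast<FreeNode *>(Ptr);
    N->Next = FreeList;
    FreeList = N;
    ++NumFree;
    ASAN_POISON_MEMORY_REGION(N, Size); // from here on *Ptr is a use-after-poison
  }

  std::size_t NumFreeBlocks() const { return NumFree; }
};

// Constructed stand-ins for the node hierarchy the issue talks about.
struct FakeSDNode { unsigned Opcode; };
struct FakeMachineSDNode : FakeSDNode { std::uint64_t Operands[8]; };

constexpr std::size_t kNodeBlockSize = 296; // the per-node size quoted above

// Allocate, recycle, allocate again: the free list is LIFO, so the second
// allocation reuses the block the first one released.
bool RecycledBlockIsReused() {
  PoisoningRecycler<kNodeBlockSize> R;
  auto *A = R.Allocate<FakeMachineSDNode>();
  A->Opcode = 1;
  R.Deallocate(A);
  bool HadOneFree = R.NumFreeBlocks() == 1;
  auto *B = R.Allocate<FakeSDNode>(); // smaller type, same block
  return HadOneFree && static_cast<void *>(B) == static_cast<void *>(A) &&
         R.NumFreeBlocks() == 0;
}
```

Build with `-fsanitize=address` and add a write through `A` between `Deallocate(A)` and the next `Allocate()` to see the use-after-poison report; in a plain build the same write "works", which is the failure mode the ISD::DELETED_NODE sentinel was meant to catch. Note that the free-list link itself sits inside the poisoned block, so every reader of `Next` (the pop path and the destructor) must unpoison first.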
Looking at UpdateChainsAndGlue. The likely culprit is the dead nodes set in MorphNodeTo. We need the nodes killed in MorphNodeTo to be removed from the lists passed to UpdateChainsAndGlue.
All of the errors outside of SelectionDAG are fixed as of r266150, r266130, r264470, r264455, r264443, and r264442. SelectionDAG's harder, and I'll continue to dig into that.