Lots of sketchy behaviour masked by RecyclingAllocator #27182
Labels
bugzilla
Issues migrated from bugzilla
Comments
|
Wow. s/sketchy/incorrect/ |
|
r262500 makes us allocate SDNodes with correct sizes |
|
Looking at UpdateChainsAndGlue. The likely culprit is the dead nodes set in MorphNodeTo. We need the nodes killed in MorphNodeTo to be removed from the lists passed to UpdateChainsAndGlue. Also, all of this is horrible! |
|
All of the errors outside of SelectionDAG are fixed as of r266150, r266130, r264470, r264455, r264443, and r264442. SelectionDAG's harder, and I'll continue to dig into that. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Extended Description
The attached patch teaches Recycler (and by proxy RecyclingAllocator) to poison and unpoison memory for ASAN. Running ninja check under ASAN with this applied hits a few thousand failures. Some of the issues include:
We don't allocate nodes in SelectionDAG correctly - we always call an SDNode allocator and upcast to the (much larger) subclasses. This mostly works since the RecyclingAllocator is set to allocate 296 bytes per node.
SelectionDAG sets node types to "ISD::DELETED_NODE" before returning them to the free list, ostensibly to detect bugs. Then it uses whether or not the thing is deleted for control flow in places like UpdateChainsAndGlue. This should not work, but apparently it tends to in practice.
SelectionDAG arbitrarily casts from smaller SDNodes to MachineSDNode in MorphNodeTo. This is very much undefined behaviour, but basically works since the allocations happen to be large enough.
There's probably a use-after-free of
Tailin TargetInstrInfo::ReplaceTailWithBranchTo.RegisterCoalescer::reMaterializeTrivialDef appears to have use-after-free bugs regarding MachineInstrs.
The text was updated successfully, but these errors were encountered: