Issue 83775
Summary llvm-mca hits sanitizer error in cycleEnd
Labels tools:llvm-mca, crash-on-valid
Assignees
Reporter arsenm
f0484e08bdcf64106592808e3ca80404937b4657 was reverted in 31295bbe83c3ea9d8a3372efe34342a299d1018a due to breaking the sanitizer bot.

Reduced testcase:

```
# RUN: llvm-mca -mtriple=amdgcn -mcpu=gfx940 --timeline --iterations=1 --timeline-max-cycles=0 < %s | FileCheck %s

# CHECK: Iterations: 1
# CHECK: Instructions:      71
# CHECK: Total Cycles:      562
# CHECK: Total uOps:        77

# CHECK: Resources:
# CHECK: [0]   - HWBranch
# CHECK: [1]   - HWExport
# CHECK: [2]   - HWLGKM
# CHECK: [3]   - HWSALU
# CHECK: [4]   - HWVALU
# CHECK: [5]   - HWVMEM
# CHECK: [6]   - HWXDL


v_pk_mov_b32 v[0:1], v[2:3], v[4:5]
v_pk_add_f32 v[0:1], v[0:1], v[0:1]
v_pk_mul_f32 v[0:1], v[0:1], v[0:1]
v_add_co_u32 v5, s[0:1], v1, v2
v_sub_co_u32 v5, s[0:1], v1, v2
v_add_u32 v5, v1, v2
v_sub_u32 v5, v1, v2


# CHECK: [0]    [1]    [2]    [3]    [4]    [5]    [6]    Instructions:
# CHECK-NEXT: -      -      -      -     1.00    -      -     v_pk_mov_b32 v[0:1], v[2:3], v[4:5]
# CHECK-NEXT: -      -      -      -     1.00    -      -     v_pk_add_f32 v[0:1], v[0:1], v[0:1]
# CHECK-NEXT: -      -      -      -     1.00    -      -     v_pk_mul_f32 v[0:1], v[0:1], v[0:1]
# CHECK-NEXT: -      -      -     1.00   1.00    -      -     v_add_co_u32_e64 v5, s[0:1], v1, v2
# CHECK-NEXT: -      -      -     1.00   1.00    -      -     v_sub_co_u32_e64 v5, s[0:1], v1, v2
# CHECK-NEXT: -      -      -      -     1.00    -      -     v_add_u32_e32 v5, v1, v2
# CHECK-NEXT: -      -      -      -     1.00    -      -     v_sub_u32_e32 v5, v1, v2
```


```
=================================================================
==28215==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107d0149c at pc 0x000100e8afe8 bp 0x00016f97ade0 sp 0x00016f97add8
READ of size 1 at 0x000107d0149c thread T0
    #0 0x100e8afe4 in llvm::mca::InOrderIssueStage::updateCarriedOver() InOrderIssueStage.cpp:327
    #1 0x100e8b458 in llvm::mca::InOrderIssueStage::cycleStart() InOrderIssueStage.cpp:395
    #2 0x100e7b194 in llvm::mca::Pipeline::runCycle() Pipeline.cpp:60
    #3 0x100e7a84c in llvm::mca::Pipeline::run() Pipeline.cpp:43
    #4 0x100492730 in runPipeline(llvm::mca::Pipeline&) llvm-mca.cpp:308
    #5 0x10048afe0 in main llvm-mca.cpp:750
    #6 0x185c6d0dc  (<unknown module>)

0x000107d0149c is located 540 bytes inside of 608-byte region [0x000107d01280,0x000107d014e0)
freed by thread T0 here:
    #0 0x1056e952c in wrap__ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x6152c)
    #1 0x100e7f89c in llvm::SmallVectorImpl<std::__1::unique_ptr<llvm::mca::Instruction, std::__1::default_delete<llvm::mca::Instruction>>>::erase(std::__1::unique_ptr<llvm::mca::Instruction, std::__1::default_delete<llvm::mca::Instruction>> const*, std::__1::unique_ptr<llvm::mca::Instruction, std::__1::default_delete<llvm::mca::Instruction>> const*) SmallVector.h:775
    #2 0x100e7f66c in llvm::mca::EntryStage::cycleEnd() EntryStage.cpp:78
    #3 0x100e7b420 in llvm::mca::Pipeline::runCycle() Pipeline.cpp:78
    #4 0x100e7a84c in llvm::mca::Pipeline::run() Pipeline.cpp:43
    #5 0x100492730 in runPipeline(llvm::mca::Pipeline&) llvm-mca.cpp:308
    #6 0x10048afe0 in main llvm-mca.cpp:750
    #7 0x185c6d0dc  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x1056e90ec in wrap__Znwm+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x610ec)
    #1 0x100e7ed88 in llvm::mca::EntryStage::getNextInstruction() EntryStage.cpp:40
    #2 0x100e7b2f8 in llvm::mca::Pipeline::runCycle() Pipeline.cpp:69
    #3 0x100e7a84c in llvm::mca::Pipeline::run() Pipeline.cpp:43
    #4 0x100492730 in runPipeline(llvm::mca::Pipeline&) llvm-mca.cpp:308
    #5 0x10048afe0 in main llvm-mca.cpp:750
    #6 0x185c6d0dc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free InOrderIssueStage.cpp:327 in llvm::mca::InOrderIssueStage::updateCarriedOver()
Shadow bytes around the buggy address:
  0x000107d01200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x000107d01280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000107d01300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000107d01380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000107d01400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x000107d01480: fd fd fd[fd]fd fd fd fd fd fd fd fd fa fa fa fa
  0x000107d01500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x000107d01580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000107d01600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000107d01680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000107d01700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28215==ABORTING

```


cycleEnd is erasing a subset of the Instructions vector, but that vector is later read in updateCarriedOver.
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
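
The lifetime ordering in the report (free at the end of one cycle, read at the start of the next) as an added example, not code from LLVM or from the reporter. It is a simplified model: `OwnerStage`, `IssueStage`, `PinBusy` and `CyclesLeft` are hypothetical names, and the "retired while still carried over" condition is an assumption made to reproduce the ordering. A `weak_ptr` stands in for the raw reference so the dangling read is detected instead of executed.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Simplified model (not LLVM code); names echo the ASan report for orientation.
struct Instruction {
  bool Retired = false;
  unsigned CyclesLeft = 0; // cycles the issuer still tracks it (assumed field)
};

// Owning stage: frees entries in cycleEnd, like the erase in the "freed by" stack.
struct OwnerStage {
  std::vector<std::shared_ptr<Instruction>> Instructions;

  std::weak_ptr<Instruction> getNextInstruction() {
    Instructions.push_back(std::make_shared<Instruction>());
    return Instructions.back();
  }
  // PinBusy=false: erase everything retired. PinBusy=true: keep entries
  // that another stage is still counting down.
  void cycleEnd(bool PinBusy) {
    auto Dead = [PinBusy](const std::shared_ptr<Instruction> &I) {
      return I->Retired && !(PinBusy && I->CyclesLeft > 0);
    };
    Instructions.erase(
        std::remove_if(Instructions.begin(), Instructions.end(), Dead),
        Instructions.end());
  }
};

// Issuing stage: keeps a non-owning handle across the cycle boundary.
struct IssueStage {
  std::weak_ptr<Instruction> CarriedOver;
  // Returns false when the handle dangles; with a raw pointer this read is
  // the heap-use-after-free.
  bool cycleStart() {
    std::shared_ptr<Instruction> I = CarriedOver.lock();
    if (!I) return false;
    if (I->CyclesLeft > 0) --I->CyclesLeft;
    return true;
  }
};

// One instruction retired in cycle 0 while still carried over into cycle 1.
bool carriedOverSurvives(bool PinBusy) {
  OwnerStage Owner;
  IssueStage Issue;
  Issue.CarriedOver = Owner.getNextInstruction();
  Owner.Instructions.back()->Retired = true;
  Owner.Instructions.back()->CyclesLeft = 2;
  Owner.cycleEnd(PinBusy);   // end of cycle 0
  return Issue.cycleStart(); // start of cycle 1
}
```

`carriedOverSurvives(false)` reports the dangling handle, and `carriedOverSurvives(true)` shows that deferring the erase until the issuer is done keeps the read valid.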
