From patchwork Mon Jun 26 00:51:42 2023
X-Patchwork-Submitter: Iain Buclaw
X-Patchwork-Id: 112686
To: gcc-patches@gcc.gnu.org
Cc: Iain Buclaw
Subject: [GCC13][committed] d: Fix crash in d/dmd/root/aav.d:127 dmd_aaGetRvalue from DsymbolTable::lookup (PR110113)
Date: Mon, 26 Jun 2023 02:51:42 +0200
Message-Id: <20230626005142.333366-1-ibuclaw@gdcproject.org>
From: Iain Buclaw

Hi,

This backports a patch from upstream dmd mainline for fixing PR110113.

The data being Mem.xrealloc'd contains many Array(T) fields, some of which have self references in their data.ptr field thanks to the smallarray optimization used by Array. Naturally then, the memcpy from old GC data to new retains those self referenced addresses, and the GC marks the old data as "free". Some time later GC.malloc will return a pointer to said "free" data.

So now we have two GC references to the same memory. One that is treating the data as an Array(VarDeclaration) in dmd.escape.escapeByStorage, and the other as an AA in the symtab of a dmd.dsymbol.ScopeDsymbol.

Fix this memory corruption by not storing the data in a global variable for reuse. If there are no more live references, the GC will free it.

Bootstrapped and regression tested on x86_64-linux-gnu/-m32, committed to releases/gcc-13, and backported to releases/gcc-12.

Regards,
Iain.

---
	PR d/110113

gcc/d/ChangeLog:

	* dmd/escape.d (checkMutableArguments): Always allocate new buffer for
	computing escapeBy.

gcc/testsuite/ChangeLog:

	* gdc.test/compilable/test23978.d: New test.

Reviewed-on: https://github.com/dlang/dmd/pull/15302
---
 gcc/d/dmd/escape.d                            | 24 +--------------
 gcc/testsuite/gdc.test/compilable/test23978.d | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+), 23 deletions(-)
 create mode 100644 gcc/testsuite/gdc.test/compilable/test23978.d

diff --git a/gcc/d/dmd/escape.d b/gcc/d/dmd/escape.d index 420fa7f80bb..7586e5c7184 100644 --- a/gcc/d/dmd/escape.d +++ b/gcc/d/dmd/escape.d 
@@ -93,22 +93,7 @@ bool checkMutableArguments(Scope* sc, FuncDeclaration fd, TypeFunction tf, bool isMutable; // true if reference to mutable } - /* Store escapeBy as static data escapeByStorage so we can keep reusing the same - * arrays rather than reallocating them. - */ - __gshared EscapeBy[] escapeByStorage; - auto escapeBy = escapeByStorage; - if (escapeBy.length < len) - { - auto newPtr = cast(EscapeBy*)mem.xrealloc(escapeBy.ptr, len * EscapeBy.sizeof); - // Clear the new section - memset(newPtr + escapeBy.length, 0, (len - escapeBy.length) * EscapeBy.sizeof); - escapeBy = newPtr[0 .. len]; - escapeByStorage = escapeBy; - } - else - escapeBy = escapeBy[0 .. len]; - + auto escapeBy = new EscapeBy[len]; const paramLength = tf.parameterList.length; // Fill in escapeBy[] with arguments[], ethis, and outerVars[] @@ -228,13 +213,6 @@ bool checkMutableArguments(Scope* sc, FuncDeclaration fd, TypeFunction tf, escape(i, eb, false); } - /* Reset the arrays in escapeBy[] so we can reuse them next time through - */ - foreach (ref eb; escapeBy) - { - eb.er.reset(); - } - return errors; } diff --git a/gcc/testsuite/gdc.test/compilable/test23978.d b/gcc/testsuite/gdc.test/compilable/test23978.d new file mode 100644 index 00000000000..cc30f728dee --- /dev/null +++ b/gcc/testsuite/gdc.test/compilable/test23978.d 
@@ -0,0 +1,30 @@ +// REQUIRED_ARGS: -preview=dip1021 -lowmem +// https://issues.dlang.org/show_bug.cgi?id=23978 + +// Note: this is a memory corruption bug. +// Memory returned by `GC.realloc` retains references to old memory in it, +// mostly because of the smallarray optimization for `Array(T)`. +// If this fails again, it might not be consistent, so try running it multiple times. + +class LUBench { } +void lup(ulong , ulong , int , int = 1) +{ + new LUBench; +} +void lup_3200(ulong iters, ulong flops) +{ + lup(iters, flops, 3200); +} +void raytrace() +{ + struct V + { + float x, y, z; + auto normalize() { } + struct Tid { } + auto spawnLinked() { } + string[] namesByTid; + class MessageBox { } + auto cross() { } + } +}
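
Review bot: In gcc/d/dmd/escape.d, first hunk (@@ -93,22 +93,7), the new line `auto escapeBy = new EscapeBy[len];` has no comment, while the comment it replaces documented the buffer reuse as a deliberate optimization. A short comment on that line saying the buffer must not be cached across calls, with a pointer to PR d/110113 and the Array(T) self references, would keep the `__gshared` cache from being reintroduced later. It is also worth checking whether `memset` and `mem.xrealloc` are still used elsewhere in the file, since both calls disappear in this hunk.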
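
Review bot: In gcc/d/dmd/escape.d, second hunk (@@ -228,13 +213,6), removing the `eb.er.reset()` loop leaves nothing that releases the per-entry arrays before `return errors;`, and the commit message relies on the GC to reclaim them. The new test passes `-lowmem` explicitly, so please confirm what happens to memory use for this function in a run without that option, where every call now allocates a fresh `EscapeBy[len]` instead of reusing one buffer.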
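
Review bot: In gcc/testsuite/gdc.test/compilable/test23978.d, the header comment states that a failure "might not be consistent", so one passing run of this compilable test is weak evidence that the corruption is gone. Consider saying in the comment which of the declarations (`lup`, `lup_3200`, `raytrace`, the nested `V`) are needed to reach `checkMutableArguments` with a growing buffer, so the reduction can be maintained if it stops triggering. The comment also names `GC.realloc`, while the code removed from escape.d calls `mem.xrealloc`; using one name in both places would make the link clearer.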
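
The failure mode described in the commit message, as an added C model that is not code from dmd or GCC: `SmallArray`, `sa_init`, `count_stale` and `stale_after_grow` are hypothetical names, and the struct only imitates an array type whose data pointer can reference its own inline storage. It counts how many elements still point into the old block after a byte-copy grow, compared with building a new buffer from scratch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for dmd's Array(T): data points at the inline
 * small[] buffer until the array outgrows it (small-array optimization). */
typedef struct { size_t length; int *data; int small[2]; } SmallArray;
static void sa_init(SmallArray *a) { a->length = 0; a->data = a->small; }

/* Count elements of arr[0..n) whose data pointer lands inside old[0..n_old). */
static size_t count_stale(const SmallArray *arr, size_t n, const SmallArray *old, size_t n_old)
{
    uintptr_t lo = (uintptr_t)old, hi = lo + n_old * sizeof *old;
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) {
        uintptr_t p = (uintptr_t)arr[i].data;
        if (p >= lo && p < hi)
            stale++;
    }
    return stale;
}

/* copy_old=1: grow like a moving realloc (byte copy, new tail zeroed); copy_old=0:
 * new buffer, nothing copied. Needs n_old <= n_new. Returns stale count, or (size_t)-1. */
size_t stale_after_grow(size_t n_old, size_t n_new, int copy_old)
{
    SmallArray *old = calloc(n_old, sizeof *old);
    SmallArray *fresh = calloc(n_new, sizeof *fresh);
    size_t stale = (size_t)-1;
    if (old && fresh) {
        for (size_t i = 0; i < n_old; i++)
            sa_init(&old[i]);
        if (copy_old)
            memcpy(fresh, old, n_old * sizeof *old);
        else
            for (size_t i = 0; i < n_new; i++)
                sa_init(&fresh[i]);
        stale = count_stale(fresh, n_new, old, n_old); /* old is still live here */
    }
    free(fresh);
    free(old);
    return stale;
}

int main(void)
{
    printf("moved: %zu stale, fresh: %zu stale\n", stale_after_grow(4, 8, 1), stale_after_grow(4, 8, 0));
    return 0;
}
```

In the model the old block is kept alive until after the count; in the reported bug the old block had already been handed back to the allocator, which is what turned the stale pointers into two owners of the same memory.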