Skip to content

miscompiled TLS wrapper, likely coroutine related, with sanitizer #91312

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
avikivity opened this issue May 7, 2024 · 28 comments · Fixed by #91483
Closed

miscompiled TLS wrapper, likely coroutine related, with sanitizer #91312

avikivity opened this issue May 7, 2024 · 28 comments · Fixed by #91483
Assignees
@dianqk
Labels
ipo Interprocedural optimizations miscompilation release:backport
Milestone
LLVM 18.X Release

Comments

@avikivity
Copy link
Contributor

avikivity commented May 7, 2024
edited by VoltrexKeyva
Loading

Prior to 533b7c1, compiling some coroutine that references a TLS variable generates this wrapper:

0000000000029d80 <_ZTWN2db13schema_tablesL14the_merge_lockE>:
   29d80: 50                           	pushq	%rax
   29d81: e8 4a b3 10 00               	callq	0x1350d0 <__tls_init>
   29d86: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   29d8f: 48 8d 80 00 00 00 00         	leaq	(%rax), %rax
		0000000000029d92:  R_X86_64_TPOFF32	_ZN2db13schema_tablesL14the_merge_lockE
   29d96: 59                           	popq	%rcx
   29d97: c3                           	retq
   29d98: 0f 1f 84 00 00 00 00 00      	nopl	(%rax,%rax)

It correctly calls __tls_init.

With 533b7c1 and later, up to 18.1.1, the following TLS wrapper is generated:

0000000000029d80 <_ZTWN2db13schema_tablesL14the_merge_lockE>:
   29d80: 50                           	pushq	%rax
   29d81: e8 00 00 00 00               	callq	0x29d86 <_ZTWN2db13schema_tablesL14the_merge_lockE+0x6>
		0000000000029d82:  R_X86_64_PLT32	_ZTH15data_type_for_vIN7seastar13basic_sstringIcjLj15ELb1EEEE-0x4
   29d86: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   29d8f: 48 8d 80 00 00 00 00         	leaq	(%rax), %rax
		0000000000029d92:  R_X86_64_TPOFF32	_ZN2db13schema_tablesL14the_merge_lockE
   29d96: 59                           	popq	%rcx
   29d97: c3                           	retq
   29d98: 0f 1f 84 00 00 00 00 00      	nopl	(%rax,%rax)

The call to __tls_init was replaced by a call to some random function. When the coroutine is then called, it does not initialize the object.

I will follow up with a full reproducer.
@avikivity avikivity mentioned this issue May 7, 2024
Closed
@avikivity
Copy link
Contributor Author

Copying @dianqk, the author of the patch.

@avikivity avikivity changed the title miscompile TLS wrapper, likely coroutine related, with sanitizer miscompiled TLS wrapper, likely coroutine related, with sanitizer May 7, 2024
@tchaikov
Copy link
Contributor

tchaikov commented May 7, 2024
edited
Loading

another data point is that if the source is compiled with -O0, the issue goes away. i guess the reason is that -O0 disables the globalopt pass.

@avikivity
Copy link
Contributor Author

Reproducer:

wget https://scratch.scylladb.com/schema_tables.ii


clang++ -MD -MT build/debug/db/schema_tables.o -MF build/debug/db/schema_tables.o.d -std=c++20 -I/home/avi/scylla/seastar/include -I/home/avi/scylla/build/debug/seastar/gen/include -U_FORTIFY_SOURCE -Werror=unused-result -fstack-clash-protection -fsanitize=address -fsanitize=undefined -fno-sanitize=vptr -DSEASTAR_API_LEVEL=7 -DSEASTAR_BUILD_SHARED_LIBS -DSEASTAR_SSTRING -DSEASTAR_LOGGER_COMPILE_TIME_FMT -DSEASTAR_SCHEDULING_GROUPS_COUNT=16 -DSEASTAR_DEBUG -DSEASTAR_DEFAULT_ALLOCATOR -DSEASTAR_SHUFFLE_TASK_QUEUE -DSEASTAR_DEBUG_SHARED_PTR -DSEASTAR_DEBUG_PROMISE -DSEASTAR_LOGGER_TYPE_STDOUT -DSEASTAR_TYPE_ERASE_MORE -DFMT_SHARED -I/usr/include/p11-kit-1 -ffile-prefix-map=/home/avi/scylla=. -march=westmere -DDEBUG -DSANITIZE -DDEBUG_LSA_SANITIZER -DSCYLLA_ENABLE_ERROR_INJECTION -Og -DSCYLLA_BUILD_MODE=debug -g -gz -iquote. -iquote build/debug/gen -std=gnu++20  -ffile-prefix-map=/home/avi/scylla=. -march=westmere -DBOOST_ALL_DYN_LINK    -fvisibility=hidden -isystem abseil -Wall -Werror -Wextra -Wimplicit-fallthrough -Wno-mismatched-tags -Wno-c++11-narrowing -Wno-overloaded-virtual -Wno-unused-parameter -Wno-unsupported-friend -Wno-missing-field-initializers -Wno-deprecated-copy -Wno-psabi -Wno-enum-constexpr-conversion -Wno-error=deprecated-declarations -DXXH_PRIVATE_API -DSEASTAR_TESTING_MAIN  -S  schema_tables.ii -o schema_tables.s

grep -A10 '_ZTWN2db13schema_tablesL14the_merge_lockE.*:' schema_tables.s

@dianqk
Copy link
Member

dianqk commented May 7, 2024

Thanks. I can reproduce it. The bisected outcome might not be the issue itself, but I'll investigate this first.

@avikivity
Copy link
Contributor Author

Simplified command line:

clang++    -fsanitize=address       -Og    -std=gnu++20       -Wno-c++11-narrowing -Wno-unsupported-friend  -S  schema_tables.ii -o schema_tables.s && grep -A10 '_ZTWN2db13schema_tablesL14the_merge_lockE.*:' schema_tables.s

I verified that -fsanitize=address is required.

@avikivity
Copy link
Contributor Author

Yes it's probably coroutines not emitting llvm.used. I remember bugs in this area.

@EugeneZelenko EugeneZelenko added coroutines C++20 coroutines and removed new issue labels May 7, 2024
@llvmbot
Copy link
Member

llvmbot commented May 7, 2024

@llvm/issue-subscribers-coroutines

Author: Avi Kivity (avikivity)

Prior to 533b7c1, compiling some coroutine that references a TLS variable generates this wrapper: 
0000000000029d80 &lt;_ZTWN2db13schema_tablesL14the_merge_lockE&gt;:
   29d80: 50                           	pushq	%rax
   29d81: e8 4a b3 10 00               	callq	0x1350d0 &lt;__tls_init&gt;
   29d86: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   29d8f: 48 8d 80 00 00 00 00         	leaq	(%rax), %rax
		0000000000029d92:  R_X86_64_TPOFF32	_ZN2db13schema_tablesL14the_merge_lockE
   29d96: 59                           	popq	%rcx
   29d97: c3                           	retq
   29d98: 0f 1f 84 00 00 00 00 00      	nopl	(%rax,%rax)

It correctly calls __tls_init.

With 533b7c1 and later, up to 18.1.1, the following TLS wrapper is generated:

0000000000029d80 &lt;_ZTWN2db13schema_tablesL14the_merge_lockE&gt;:
   29d80: 50                           	pushq	%rax
   29d81: e8 00 00 00 00               	callq	0x29d86 &lt;_ZTWN2db13schema_tablesL14the_merge_lockE+0x6&gt;
		0000000000029d82:  R_X86_64_PLT32	_ZTH15data_type_for_vIN7seastar13basic_sstringIcjLj15ELb1EEEE-0x4
   29d86: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   29d8f: 48 8d 80 00 00 00 00         	leaq	(%rax), %rax
		0000000000029d92:  R_X86_64_TPOFF32	_ZN2db13schema_tablesL14the_merge_lockE
   29d96: 59                           	popq	%rcx
   29d97: c3                           	retq
   29d98: 0f 1f 84 00 00 00 00 00      	nopl	(%rax,%rax)

The call to __tls_init was replaced by a call to some random function. When the coroutine is then called, it does not initialize the object.

I will follow up with a full reproducer.

@dianqk
Copy link
Member

dianqk commented May 7, 2024

Simplified command line:

clang++    -fsanitize=address       -Og    -std=gnu++20       -Wno-c++11-narrowing -Wno-unsupported-friend  -S  schema_tables.ii -o schema_tables.s && grep -A10 '_ZTWN2db13schema_tablesL14the_merge_lockE.*:' schema_tables.s

I verified that -fsanitize=address is required.

It should also need -fvisibility=hidden.

@dianqk
Copy link
Member

dianqk commented May 7, 2024

I haven't found any obvious issues, unless I missed something.

_ZTH15data_type_for_vIN7seastar13basic_sstringIcjLj15ELb1EEEE is an alias for __tls_init:

@_ZTHN2db13schema_tablesL14the_merge_lockE = internal alias void (), ptr @__tls_init
@_ZTH15data_type_for_vIN7seastar13basic_sstringIcjLj15ELb1EEEE = linkonce_odr alias void (), ptr @__tls_init
@_ZTH15data_type_for_vIiE = linkonce_odr alias void (), ptr @__tls_init

Perhaps we need a runtime issue reproduction?

@avikivity
Copy link
Contributor Author

Aha. The runtime reproducer is quite heavy. If you want, I can provide a pre-built docker image and instructions to expose the problem with gdb.

@avikivity
Copy link
Contributor Author

My guess is that it's related. The compiler lost some information about TLS, so it started aliasing __tls_init to some other function. I'm single-stepping through it now, and I'm seeing that it's not initializing the variable.

@avikivity
Copy link
Contributor Author

I think what happens is that the guard variable is set when __tls_init (or its alias) is called, so the initializers aren't run.

I set a watchpoint on the variable:

(gdb) bt
#0  0x0000000003fa2dc7 in __tls_init ()
#1  0x0000000003fc2ff6 in TLS wrapper function for data_type_for_v<utils::UUID> ()
#2  0x0000000003fc16c4 in data_type_for<utils::UUID> () at ./types/types.hh:728
#3  cql3::untyped_result_set_row::get_as<utils::UUID> (this=<optimized out>, name=...) at ./cql3/untyped_result_set.hh:71
#4  0x00000000062f5a13 in db::system_keyspace::load_local_info (this=<optimized out>) at ./db/system_keyspace.cc:1431
#5  0x000000000634e487 in std::__n4861::coroutine_handle<seastar::internal::coroutine_traits_base<db::system_keyspace::local_info>::promise_type>::resume (this=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-redhat-linux/14/../../../../include/c++/14/coroutine:242
#6  seastar::internal::coroutine_traits_base<db::system_keyspace::local_info>::promise_type::run_and_dispose (this=<optimized out>) at ./seastar/include/seastar/core/coroutine.hh:83
#7  0x00007ffff616cd9f in seastar::reactor::run_tasks (this=0x52400001c100, tq=...) at ./build/debug/seastar/./seastar/src/core/reactor.cc:2690
#8  0x00007ffff6178c76 in seastar::reactor::run_some_tasks (this=0x52400001c100) at ./build/debug/seastar/./seastar/src/core/reactor.cc:3152
#9  0x00007ffff617e0ba in seastar::reactor::do_run (this=0x52400001c100) at ./build/debug/seastar/./seastar/src/core/reactor.cc:3320
#10 0x00007ffff617c14a in seastar::reactor::run (this=0x52400001c100) at ./build/debug/seastar/./seastar/src/core/reactor.cc:3210
#11 0x00007ffff5d0e3e1 in seastar::app_template::run_deprecated(int, char**, std::function<void ()>&&) (this=0x7fffecc110f0, ac=7, av=0x7fffffffd618, func=...) at ./build/debug/seastar/./seastar/src/core/app-template.cc:276
#12 0x00007ffff5d0bd6b in seastar::app_template::run(int, char**, std::function<seastar::future<int> ()>&&) (this=0x7fffecc110f0, ac=7, av=0x7fffffffd618, func=...) at ./build/debug/seastar/./seastar/src/core/app-template.cc:167
#13 0x0000000002e8f2ba in scylla_main (ac=<optimized out>, av=<optimized out>) at ./main.cc:677
#14 0x0000000002e8d348 in std::function<int (int, char**)>::operator()(int, char**) const (this=0x7fffeca0a510, __args=<optimized out>, __args=<optimized out>)
    at /usr/bin/../lib/gcc/x86_64-redhat-linux/14/../../../../include/c++/14/bits/std_function.h:591
#15 main (ac=7, av=<optimized out>) at ./main.cc:2162

So some unrelated __tls_init set it.

@avikivity
Copy link
Contributor Author

Confirmed. So a local __tls_init is generated, but then another gets called, perhaps due to the aliasing.

@avikivity
Copy link
Contributor Author

I verified that a binary built before the patch works, and after the patch fails. So the bisection is still accurate.

@avikivity
Copy link
Contributor Author

diff of the generated assembly:

$ diff -u schema_tables.s.full.{good,bad}
--- schema_tables.s.full.good	2024-05-07 20:02:55.038613957 +0300
+++ schema_tables.s.full.bad	2024-05-07 20:50:43.162254156 +0300
@@ -396,7 +396,6 @@
 0000000000000f40 l     O .rodata	0000000000000060 __PRETTY_FUNCTION__._ZN2db13schema_tables15hold_merge_lockEv
 0000000000000000 l    d  .text._ZN7seastar9get_unitsINS_35semaphore_default_exception_factoryENSt6chrono3_V212steady_clockEEENS_6futureINS_15semaphore_unitsIT_T0_EEEERNS_15basic_semaphoreIS7_S8_EEm	0000000000000000 .text._ZN7seastar9get_unitsINS_35semaphore_default_exception_factoryENSt6chrono3_V212steady_clockEEENS_6futureINS_15semaphore_unitsIT_T0_EEEERNS_15basic_semaphoreIS7_S8_EEm
 0000000000003c5a l     O .rodata.str1.1	0000000000000039 .L___asan_gen_.4441
-00000000001350d0 l     F .text	000000000000011c __tls_init
 0000000000000138 l       .tbss	0000000000000050 db::schema_tables::the_merge_lock
 0000000000003c93 l     O .rodata.str1.1	000000000000006b .L___asan_gen_.4442
 000000000018d900 l     F .text	0000000000000778 db::schema_tables::merge_schema(seastar::sharded<db::system_keyspace>&, seastar::sharded<service::storage_proxy>&, gms::feature_service&, std::vector<mutation, std::allocator<mutation>>, bool) (.resume)
@@ -7220,6 +7219,7 @@
 0000000000000000  w    F .text._ZN7seastar20noncopyable_functionIFNS_6futureINS_15semaphore_unitsINS_35semaphore_default_exception_factoryENSt6chrono3_V212steady_clockEEEEEvEED2Ev	00000000000000ce .hidden seastar::noncopyable_function<seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>> ()>::~noncopyable_function()
 0000000000000000  w    F .text._ZN7seastar20noncopyable_functionIFNS_6futureINS_15semaphore_unitsINS_35semaphore_default_exception_factoryENSt6chrono3_V212steady_clockEEEEEvEEC2EOSA_	0000000000000112 .hidden seastar::noncopyable_function<seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>> ()>::noncopyable_function(seastar::noncopyable_function<seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>> ()>&&)
 0000000000000000  w    F .text._ZN7seastar6futureIvE14then_impl_nrvoINS_20noncopyable_functionIFNS0_INS_15semaphore_unitsINS_35semaphore_default_exception_factoryENSt6chrono3_V212steady_clockEEEEEvEEESA_EET0_OT_	00000000000001cd .hidden seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>> seastar::future<void>::then_impl_nrvo<seastar::noncopyable_function<seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>> ()>, seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>>>(seastar::noncopyable_function<seastar::future<seastar::semaphore_units<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>> ()>&&)
+00000000001350d0  w    F .text	000000000000011c .hidden thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>
 0000000000029da0 g     F .text	00000000000019a7 .hidden db::schema_tables::merge_schema(seastar::sharded<db::system_keyspace>&, seastar::sharded<service::storage_proxy>&, gms::feature_service&, std::vector<mutation, std::allocator<mutation>>, bool)
 0000000000000000         *UND*	0000000000000000 freeze(std::vector<mutation, std::allocator<mutation>> const&)
 0000000000000000  w    F .text._ZN7seastar8internal13futurize_baseIvE21make_exception_futureINSt15__exception_ptr13exception_ptrEEENS_6futureIvEEOT_	00000000000000ca .hidden seastar::future<void> seastar::internal::futurize_base<void>::make_exception_future<std::__exception_ptr::exception_ptr>(std::__exception_ptr::exception_ptr&&)
@@ -57984,7 +57984,8 @@
 
 0000000000029d80 <thread-local wrapper routine for db::schema_tables::the_merge_lock>:
    29d80: 50                           	pushq	%rax
-   29d81: e8 4a b3 10 00               	callq	0x1350d0 <__tls_init>
+   29d81: e8 00 00 00 00               	callq	0x29d86 <thread-local wrapper routine for db::schema_tables::the_merge_lock+0x6>
+		0000000000029d82:  R_X86_64_PLT32	thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>-0x4
    29d86: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
    29d8f: 48 8d 80 00 00 00 00         	leaq	(%rax), %rax
 		0000000000029d92:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock
@@ -336033,11 +336034,11 @@
   1350c5: 66 2e 0f 1f 84 00 00 00 00 00	nopw	%cs:(%rax,%rax)
   1350cf: 90                           	nop
 
-00000000001350d0 <__tls_init>:
+00000000001350d0 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>>:
   1350d0: 53                           	pushq	%rbx
   1350d1: 64 80 3c 25 00 00 00 00 00   	cmpb	$0x0, %fs:0x0
 		00000000001350d5:  R_X86_64_TPOFF32	__tls_guard
-  1350da: 74 02                        	je	0x1350de <__tls_init+0xe>
+  1350da: 74 02                        	je	0x1350de <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xe>
   1350dc: 5b                           	popq	%rbx
   1350dd: c3                           	retq
   1350de: 64 c6 04 25 00 00 00 00 01   	movb	$0x1, %fs:0x0
@@ -336047,7 +336048,7 @@
 		00000000001350f3:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock
   1350f7: 48 c1 e8 03                  	shrq	$0x3, %rax
   1350fb: 80 b8 00 80 ff 7f 00         	cmpb	$0x0, 0x7fff8000(%rax)
-  135102: 0f 85 a5 00 00 00            	jne	0x1351ad <__tls_init+0xdd>
+  135102: 0f 85 a5 00 00 00            	jne	0x1351ad <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xdd>
   135108: 64 48 c7 04 25 00 00 00 00 01 00 00 00       	movq	$0x1, %fs:0x0
 		000000000013510d:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock
   135115: 64 48 8b 1c 25 00 00 00 00   	movq	%fs:0x0, %rbx
@@ -336055,13 +336056,13 @@
 		0000000000135121:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock+0x8
   135125: ba 38 00 00 00               	movl	$0x38, %edx
   13512a: 31 f6                        	xorl	%esi, %esi
-  13512c: e8 00 00 00 00               	callq	0x135131 <__tls_init+0x61>
+  13512c: e8 00 00 00 00               	callq	0x135131 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0x61>
 		000000000013512d:  R_X86_64_PLT32	__asan_memset-0x4
   135131: 48 8d 83 00 00 00 00         	leaq	(%rbx), %rax
 		0000000000135134:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock+0x40
   135138: 48 c1 e8 03                  	shrq	$0x3, %rax
   13513c: 80 b8 00 80 ff 7f 00         	cmpb	$0x0, 0x7fff8000(%rax)
-  135143: 75 7d                        	jne	0x1351c2 <__tls_init+0xf2>
+  135143: 75 7d                        	jne	0x1351c2 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xf2>
   135145: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   13514e: 48 8d 88 00 00 00 00         	leaq	(%rax), %rcx
 		0000000000135151:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock
@@ -336071,37 +336072,37 @@
 		0000000000135161:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock+0x48
   135165: 48 c1 e8 03                  	shrq	$0x3, %rax
   135169: 80 b8 00 80 ff 7f 00         	cmpb	$0x0, 0x7fff8000(%rax)
-  135170: 75 65                        	jne	0x1351d7 <__tls_init+0x107>
+  135170: 75 65                        	jne	0x1351d7 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0x107>
   135172: 64 48 c7 04 25 00 00 00 00 00 00 00 00       	movq	$0x0, %fs:0x0
 		0000000000135177:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock+0x48
   13517f: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   135188: 48 8d b0 00 00 00 00         	leaq	(%rax), %rsi
 		000000000013518b:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock
-  13518f: 48 8d 3d 00 00 00 00         	leaq	(%rip), %rdi            # 0x135196 <__tls_init+0xc6>
+  13518f: 48 8d 3d 00 00 00 00         	leaq	(%rip), %rdi            # 0x135196 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xc6>
 		0000000000135192:  R_X86_64_PC32	seastar::basic_semaphore<seastar::semaphore_default_exception_factory, std::chrono::_V2::steady_clock>::~basic_semaphore()-0x4
-  135196: 48 8d 15 00 00 00 00         	leaq	(%rip), %rdx            # 0x13519d <__tls_init+0xcd>
+  135196: 48 8d 15 00 00 00 00         	leaq	(%rip), %rdx            # 0x13519d <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xcd>
 		0000000000135199:  R_X86_64_PC32	__dso_handle-0x4
-  13519d: e8 00 00 00 00               	callq	0x1351a2 <__tls_init+0xd2>
+  13519d: e8 00 00 00 00               	callq	0x1351a2 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xd2>
 		000000000013519e:  R_X86_64_PLT32	__cxa_thread_atexit-0x4
-  1351a2: e8 00 00 00 00               	callq	0x1351a7 <__tls_init+0xd7>
+  1351a2: e8 00 00 00 00               	callq	0x1351a7 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xd7>
 		00000000001351a3:  R_X86_64_PLT32	.text.startup+0x28c
   1351a7: 5b                           	popq	%rbx
-  1351a8: e9 00 00 00 00               	jmp	0x1351ad <__tls_init+0xdd>
+  1351a8: e9 00 00 00 00               	jmp	0x1351ad <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xdd>
 		00000000001351a9:  R_X86_64_PLT32	.text.startup+0x2fc
   1351ad: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   1351b6: 48 8d b8 00 00 00 00         	leaq	(%rax), %rdi
 		00000000001351b9:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock
-  1351bd: e8 00 00 00 00               	callq	0x1351c2 <__tls_init+0xf2>
+  1351bd: e8 00 00 00 00               	callq	0x1351c2 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0xf2>
 		00000000001351be:  R_X86_64_PLT32	__asan_report_store8-0x4
   1351c2: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   1351cb: 48 8d b8 00 00 00 00         	leaq	(%rax), %rdi
 		00000000001351ce:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock+0x40
-  1351d2: e8 00 00 00 00               	callq	0x1351d7 <__tls_init+0x107>
+  1351d2: e8 00 00 00 00               	callq	0x1351d7 <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0x107>
 		00000000001351d3:  R_X86_64_PLT32	__asan_report_store8-0x4
   1351d7: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
   1351e0: 48 8d b8 00 00 00 00         	leaq	(%rax), %rdi
 		00000000001351e3:  R_X86_64_TPOFF32	db::schema_tables::the_merge_lock+0x48
-  1351e7: e8 00 00 00 00               	callq	0x1351ec <__tls_init+0x11c>
+  1351e7: e8 00 00 00 00               	callq	0x1351ec <thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0x11c>
 		00000000001351e8:  R_X86_64_PLT32	__asan_report_store8-0x4
   1351ec: 0f 1f 40 00                  	nopl	(%rax)
 
@@ -763956,7 +763957,7 @@
 0000000000000000 <thread-local wrapper routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>>:
        0: 50                           	pushq	%rax
        1: e8 00 00 00 00               	callq	0x6 <thread-local wrapper routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>+0x6>
-		0000000000000002:  R_X86_64_PLT32	.text+0x1350cc
+		0000000000000002:  R_X86_64_PLT32	thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>-0x4
        6: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
 		000000000000000b:  R_X86_64_TPOFF32	data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>
        f: 59                           	popq	%rcx
@@ -763967,7 +763968,7 @@
 0000000000000000 <thread-local wrapper routine for data_type_for_v<int>>:
        0: 50                           	pushq	%rax
        1: e8 00 00 00 00               	callq	0x6 <thread-local wrapper routine for data_type_for_v<int>+0x6>
-		0000000000000002:  R_X86_64_PLT32	.text+0x1350cc
+		0000000000000002:  R_X86_64_PLT32	thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>-0x4
        6: 64 48 8b 04 25 00 00 00 00   	movq	%fs:0x0, %rax
 		000000000000000b:  R_X86_64_TPOFF32	data_type_for_v<int>
        f: 59                           	popq	%rcx

@avikivity
Copy link
Contributor Author

My explanation: the patch changed a local symbol __tls_init to a global weak symbol thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>. Another translation unit also emitted the same symbol (but with different contents), and it got linked into the executable in preference to ours.

@avikivity
Copy link
Contributor Author

Is there a way to disable the pass as a workaround? I tried -mllvm -disablepass=globalopt, but it didn't work.

@dianqk
Copy link
Member

dianqk commented May 8, 2024

Is there a way to disable the pass as a workaround? I tried -mllvm -disablepass=globalopt, but it didn't work.

AFAIK, there is no way to disable arbitrary passes.

@dianqk
Copy link
Member

dianqk commented May 8, 2024

My explanation: the patch changed a local symbol __tls_init to a global weak symbol thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>. Another translation unit also emitted the same symbol (but with different contents), and it got linked into the executable in preference to ours.

Thank you for your analysis. I will continue to look into this issue tonight.

@avikivity
Copy link
Contributor Author

My explanation: the patch changed a local symbol __tls_init to a global weak symbol thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>. Another translation unit also emitted the same symbol (but with different contents), and it got linked into the executable in preference to ours.

Thank you for your analysis. I will continue to look into this issue tonight.

Thanks!

@dianqk dianqk mentioned this issue May 8, 2024
Merged
@dianqk
Copy link
Member

dianqk commented May 8, 2024

My explanation: the patch changed a local symbol __tls_init to a global weak symbol thread-local initialization routine for data_type_for_v<seastar::basic_sstring<char, unsigned int, 15u, true>>. Another translation unit also emitted the same symbol (but with different contents), and it got linked into the executable in preference to ours.

Agreed, I believe this is key to the issue. This is a minimal reproducer: https://llvm.godbolt.org/z/n5berxjfo.

@f2 = linkonce_odr hidden alias void (), ptr @f1

define void @foo() {
  call void @f1()
  ret void
}

define void @bar() {
  call void @f2()
  ret void
}

define internal void @f1() {
  ret void
}

IIUC, both LLVM 16 and LLVM 17 miscompiled. I expect that the call to f1 in foo can be overridden at link time, while the f2 in bar cannot.

I've created a draft PR #91483, but I still need some time to confirm this PR. Feel free giving it a try to see if everything is working as expected. :)

@avikivity
Copy link
Contributor Author

The original reproducer now generates the call to __tls_init. I'll test the executable later.

@avikivity
Copy link
Contributor Author

The executable also works.

@dianqk dianqk self-assigned this May 9, 2024
@dianqk dianqk added miscompilation and removed coroutines C++20 coroutines labels May 9, 2024
@dianqk dianqk added this to the LLVM 18.X Release milestone May 16, 2024
@github-project-automation github-project-automation bot moved this to Needs Triage in LLVM Release Status May 16, 2024
@tstellar tstellar moved this from Needs Triage to Needs Fix in LLVM Release Status May 16, 2024
dianqk added a commit that referenced this issue May 16, 2024
@dianqk
[GlobalOpt] Don't replace aliasee with alias that has weak linkage (#…
c796900 
…91483)

Fixes #91312.

Don't perform the transform if the alias may be replaced at link time.
@github-project-automation github-project-automation bot moved this from Needs Fix to Done in LLVM Release Status May 16, 2024
@EugeneZelenko EugeneZelenko added ipo Interprocedural optimizations and removed llvm:optimizations labels May 16, 2024
@dianqk
Copy link
Member

dianqk commented May 16, 2024

/cherry-pick c796900

llvmbot pushed a commit to llvmbot/llvm-project that referenced this issue May 16, 2024
@dianqk @llvmbot
[GlobalOpt] Don't replace aliasee with alias that has weak linkage (l…
012e13b 
…lvm#91483)

Fixes llvm#91312.

Don't perform the transform if the alias may be replaced at link time.

(cherry picked from commit c796900)
@llvmbot
Copy link
Member

llvmbot commented May 16, 2024

/pull-request #92468

@MaskRay
Copy link
Member

MaskRay commented May 17, 2024

Simplified command line:

clang++    -fsanitize=address       -Og    -std=gnu++20       -Wno-c++11-narrowing -Wno-unsupported-friend  -S  schema_tables.ii -o schema_tables.s && grep -A10 '_ZTWN2db13schema_tablesL14the_merge_lockE.*:' schema_tables.s

I verified that -fsanitize=address is required.

#92468 should be safe, but I have a question about suppressing the optimization for linkonce_odr/weak_odr, so I want to compile this example myself. However, trunk clang currently crashes

 #9 0x000055bcabb61095 clang::NestedNameSpecifier::print(llvm::raw_ostream&, clang::PrintingPolicy const&, bool) const (/tmp/Rel/bin/clang+++0xab55095)
#10 0x000055bcabb60d40 clang::NestedNameSpecifier::print(llvm::raw_ostream&, clang::PrintingPolicy const&, bool) const (/tmp/Rel/bin/clang+++0xab54d40)
#11 0x000055bcab381dd8 (anonymous namespace)::FailedBooleanConditionPrinterHelper::handledStmt(clang::Stmt*, llvm::raw_ostream&) SemaTemplate.cpp:0:0
#12 0x000055bcabc0be88 (anonymous namespace)::StmtPrinter::PrintExpr(clang::Expr*) StmtPrinter.cpp:0:0
#13 0x000055bcabbf85ef (anonymous namespace)::StmtPrinter::VisitUnaryOperator(clang::UnaryOperator*) StmtPrinter.cpp:0:0
#14 0x000055bcabbf7172 clang::Stmt::printPretty(llvm::raw_ostream&, clang::PrinterHelper*, clang::PrintingPolicy const&, unsigned int, llvm::StringRef, clang::ASTContext const*) const (/tmp/Rel/bin/clang+++0xabeb1
72)
#15 0x000055bcab2e558f clang::Sema::findFailedBooleanCondition[abi:cxx11](clang::Expr*) (/tmp/Rel/bin/clang+++0xa2d958f)
#16 0x000055bcab2e5d60 clang::Sema::CheckTemplateIdType(clang::TemplateName, clang::SourceLocation, clang::TemplateArgumentListInfo&) (/tmp/Rel/bin/clang+++0xa2d9d60)
#17 0x000055bcab4817ab clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformTemplateSpecializationType(clang::TypeLocBuilder&, clang::TemplateSpecializationTypeLoc, clang::TemplateName) Sema
TemplateInstantiate.cpp:0:0
#18 0x000055bcab489ab0 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformTemplateSpecializationType(clang::TypeLocBuilder&, clang::TemplateSpecializationTypeLoc) SemaTemplateInstantiate.c
pp:0:0
#19 0x000055bcab45a5ac clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformType(clang::TypeLocBuilder&, clang::TypeLoc) SemaTemplateInstantiate.cpp:0:0
#20 0x000055bcab486503 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformElaboratedType(clang::TypeLocBuilder&, clang::ElaboratedTypeLoc) SemaTemplateInstantiate.cpp:0:0
#21 0x000055bcab45a726 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformType(clang::TypeLocBuilder&, clang::TypeLoc) SemaTemplateInstantiate.cpp:0:0
#22 0x000055bcab45a136 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformType(clang::TypeSourceInfo*) SemaTemplateInstantiate.cpp:0:0
#23 0x000055bcab459d89 clang::Sema::SubstType(clang::TypeSourceInfo*, clang::MultiLevelTemplateArgumentList const&, clang::SourceLocation, clang::DeclarationName, bool) (/tmp/Rel/bin/clang+++0xa44dd89)
#24 0x000055bcab2f1e5e SubstDefaultTemplateArgument(clang::Sema&, clang::TemplateDecl*, clang::SourceLocation, clang::SourceLocation, clang::TemplateTypeParmDecl*, llvm::ArrayRef<clang::TemplateArgument>, llvm::Ar
rayRef<clang::TemplateArgument>) SemaTemplate.cpp:0:0
#25 0x000055bcab2f182f clang::Sema::SubstDefaultTemplateArgumentIfAvailable(clang::TemplateDecl*, clang::SourceLocation, clang::SourceLocation, clang::Decl*, llvm::ArrayRef<clang::TemplateArgument>, llvm::ArrayRef
<clang::TemplateArgument>, bool&) (/tmp/Rel/bin/clang+++0xa2e582f)

@MaskRay MaskRay reopened this May 17, 2024
@github-project-automation github-project-automation bot moved this from Done to Needs Triage in LLVM Release Status May 17, 2024
@dianqk dianqk mentioned this issue May 17, 2024
Merged
tstellar pushed a commit to llvmbot/llvm-project that referenced this issue May 17, 2024
@dianqk @tstellar
[GlobalOpt] Don't replace aliasee with alias that has weak linkage (l…
3d0752b 
…lvm#91483)

Fixes llvm#91312.

Don't perform the transform if the alias may be replaced at link time.

(cherry picked from commit c796900)
@avikivity
Copy link
Contributor Author

Thanks a lot for the fix and backport.

@dianqk dianqk mentioned this issue May 20, 2024
Open
@dianqk
Copy link
Member

dianqk commented May 20, 2024

I have created an issue for the assertion at #92757. Per #92619, we should be able to close this PR again.

@dianqk dianqk closed this as completed May 20, 2024
@github-project-automation github-project-automation bot moved this from Needs Triage to Done in LLVM Release Status May 20, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@dianqk dianqk

Labels
ipo Interprocedural optimizations miscompilation release:backport
Projects
LLVM Release Status
Status: Done
Milestone
LLVM 18.X Release
Development

Successfully merging a pull request may close this issue.

[GlobalOpt] Don't replace aliasee with alias that has weak linkage dianqk/llvm-project
7 participants
@tchaikov @MaskRay @avikivity @EugeneZelenko @dianqk @llvmbot @ChuanqiXu9