Extend life of variables in DiagComparison in ExprConstant

[AdvenamTacet]

This commit makes two variables static extending their life span. This patch is designed to address the issue of buildbots failing when AddressSanitizer's (ASan) short string annotations are enabled. It's esentially same as:

• Make two texts static in ReplayInlineAdvisor #79489

however, it's less likely to solve the real problem as those strings change (aren't const). I suspect that there may be use after end of life bug (in StringRef), but it requires confirmation. In that case, one alternative solution, which unfortunately results in memory leaks, is to always allocate new strings instead of overwriting existing (static) ones. This approach would prevent potential data corruption, but I don't suggest it in this PR.

This patch makes Clang :: SemaCXX/builtins.cpp test pass with short string annotations (ASan). With #79489 it fixes known problems with buildbots, while running with short string annotations. However, the potential issue still requires more investigation therefore FIXME comment is added in that patch.

Short string annotations PR (reverted):

• [ASan][libc++] Turn on ASan annotations for short strings #79049

Buildbots (failure) output:

• https://lab.llvm.org/buildbot/#/builders/5/builds/40364/steps/9/logs/stdio

While buildbots should not fail with proposed changes, we still should investigate why buildbots were failing with ASan short string annotations turned on. StringRef objects (made from those strings) can potentially change their contents unexpectedly or even (potentially) use of freed memory may happen. That interpretation is only my educated guess, I still didn't understand exactly why those buildbots are failing.

Edit: I crossed parts of original description which are no longer likely based on discussion below. Reasoning in #79489 could be wrong and may be related to the same underlying issue as here.

[llvmbot]

@llvm/pr-subscribers-clang

Author: Tacet (AdvenamTacet)

Changes

This commit makes two variables static extending their life span. This patch is designed to address the issue of buildbots failing when AddressSanitizer's (ASan) short string annotations are enabled. It's esentially same as:

• Make two texts static in ReplayInlineAdvisor #79489 however, it's less likely to solve the real problem as those strings change (aren't const). I suspect that there may be use after end of life bug (in StringRef), but it requires confirmation. In that case, one alternative solution, which unfortunately results in memory leaks, is to always allocate new strings instead of overwriting existing (static) ones. This approach would prevent potential data corruption, but I don't suggest it in this PR.

This patch makes Clang :: SemaCXX/builtins.cpp test pass with short string annotations (ASan). With #79489 it fixes known problems with buildbots, while running with short string annotations. However, the potential issue still requires more investigation therefore FIXME comment is added in that patch.

Short string annotations PR (reverted):

• [ASan][libc++] Turn on ASan annotations for short strings #79049

Buildbots (failure) output:

• https://lab.llvm.org/buildbot/#/builders/5/builds/40364/steps/9/logs/stdio

While buildbots should not fail with proposed changes, we still should investigate why buildbots were failing with ASan short string annotations turned on. StringRef objects (made from those strings) can potentially change their contents unexpectedly or even (potentially) use of freed memory may happen. That interpretation is only my educated guess, I still didn't understand exactly why those buildbots are failing.

---

Full diff: https://github.com/llvm/llvm-project/pull/79522.diff

1 Files Affected:

• (modified) clang/lib/AST/ExprConstant.cpp (+14-3)

diff --git a/clang/lib/AST/ExprConstant.cpp b/clang/lib/AST/ExprConstant.cpp
index f1d07d022b25848..75cd16c0ae63d28 100644
--- a/clang/lib/AST/ExprConstant.cpp
+++ b/clang/lib/AST/ExprConstant.cpp
@@ -13288,9 +13288,20 @@ EvaluateComparisonBinaryOperator(EvalInfo &Info, const BinaryOperator *E,
     // Reject differing bases from the normal codepath; we special-case
     // comparisons to null.
     if (!HasSameBase(LHSValue, RHSValue)) {
-      auto DiagComparison = [&] (unsigned DiagID, bool Reversed = false) {
-        std::string LHS = LHSValue.toString(Info.Ctx, E->getLHS()->getType());
-        std::string RHS = RHSValue.toString(Info.Ctx, E->getRHS()->getType());
+      auto DiagComparison = [&](unsigned DiagID, bool Reversed = false) {
+        static std::string LHS, RHS;
+        // FIXME: To prevent the use of variables beyond their lifetime, we have
+        // made them static. However, this approach may not fully address the
+        // underlying issue. StringRef objects (made from those strings) can
+        // potentially change their contents unexpectedly.
+        // Or potentially use of freed memory may happen. Therefore, further
+        // investigation is required to ensure that making those variables
+        // static effectively resolves the problem.
+        // We should investigate why buildbots were failing with ASan short string
+        // annotations turned on. Related PR:
+        // https://github.com/llvm/llvm-project/pull/79049
+        LHS = LHSValue.toString(Info.Ctx, E->getLHS()->getType());
+        RHS = RHSValue.toString(Info.Ctx, E->getRHS()->getType());
         Info.FFDiag(E, DiagID)
             << (Reversed ? RHS : LHS) << (Reversed ? LHS : RHS);
         return false;

[github-actions]

✅ With the latest revision this PR passed the C/C++ code formatter.

[cor3ntin]

We need to understand what's going on here.
I suspect something gets tripped by the ternary.
A temporary fix might be to assign

std::string first  = Reversed ? RHS : LHS;
std::string second  = Reversed ? LHS : RHS;

And use that in the diag.

We should also add a std::string&& overload to the diagnostic engine's operator << to avoid extra copies, although that's mostly a luxury

[AdvenamTacet]

@cor3ntin Thx for your comment! I looked at ternary operator at the very beginning, but discarded this direction as I was unable to create a small example reproducing the error. After your comment I started looking at it again.
Your temporary fix also resolves the problem on buildbots, which may mean that my assumption of the origin of the error is wrong.

We really should understand what is happening here.

Assuming that there is no use after end of life, buffer overflows etc. by looking at shadow memory:

  0x7fc0a5b28e80: f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2
=>0x7fc0a5b28f00: 00 00 00 f2 f2 f2 f2 f2 04 fc[fc]f3 f3 f3 f3 f3
  0x7fc0a5b28f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

and backtrace:

    #0 0x5625049af24b in __get_long_pointer /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan_ubsan/include/c++/v1/string:1870:29
    #1 0x5625049af24b in __get_pointer /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan_ubsan/include/c++/v1/string:1882:26
    #2 0x5625049af24b in data /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan_ubsan/include/c++/v1/string:1596:30
    #3 0x5625049af24b in StringRef /b/sanitizer-x86_64-linux-fast/build/llvm-project/llvm/include/llvm/ADT/StringRef.h:101:18
    #4 0x5625049af24b in operator<<<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > /b/sanitizer-x86_64-linux-fast/build/llvm-project/clang/include/clang/Basic/PartialDiagnostic.h:60:11
    #5 0x5625049af24b in operator<<<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > /b/sanitizer-x86_64-linux-fast/build/llvm-project/clang/include/clang/AST/OptionalDiagnostic.h:36:13
    #6 0x5625049af24b in bool EvaluateComparisonBinaryOperator<(anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_0&, (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_1>((anonymous namespace)::EvalInfo&, clang::BinaryOperator const*, (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_0&, (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_1&&)::'lambda'(unsigned int, bool)::operator()(unsigned int, bool) const /b/sanitizer-x86_64-linux-fast/build/llvm-project/clang/lib/AST/ExprConstant.cpp:13295:13
    #7 0x5625049aaabd in bool EvaluateComparisonBinaryOperator<(anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_0&, (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_1>((anonymous namespace)::EvalInfo&, clang::BinaryOperator const*, (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_0&, (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*)::$_1&&) /b/sanitizer-x86_64-linux-fast/build/llvm-project/clang/lib/AST/ExprConstant.cpp
    #8 0x5625049878b1 in (anonymous namespace)::IntExprEvaluator::VisitBinaryOperator(clang::BinaryOperator const*) /b/sanitizer-x86_64-linux-fast/build/llvm-project/clang/lib/AST/ExprConstant.cpp:13584:12
  

One potential option I see are incorrect annotations.
It's possible that a function marked _LIBCPP_STRING_INTERNAL_MEMORY_ACCESS in libcxx/include/string writes over poisoned memory and never updates annotations. There are five functions like that, which write to memory, and I cannot see a single issue with them.

For testing, I will write code not using _LIBCPP_STRING_INTERNAL_MEMORY_ACCESS at all and check if ASan error is raised earlier.

[AdvenamTacet]

I rewrote all functions with turned off instrumentation (I removed _LIBCPP_STRING_INTERNAL_MEMORY_ACCESS completely) and I see no change in behavior. Error happens in the very same way with the very same shadow memory (and backtrace).
I don't see where annotations can be broken, I'm trying to find a place where annotations are updated incorrectly, but I don't see the place.

I'm also trying to reproduce the error with stand alone code, but without luck so far.

So it makes me think that the bug may be completely different and unrelated, but I don't know where to look next.
I don't like the idea of temporary solution, but I have no better suggestion at the moment. For a moment, I assume that annotations work correctly.

[vitalybuka]

They are not const, how can we make them static?

[AdvenamTacet]

They are not const, but we update their value every time visiting the function. Assigning value is moved to the next line, which is executed every time.

It is a workaround, but I'm unsure if a good one. (However, it solved the problem with buildbots.)
Code suggested by @cor3ntin works as well for a reason I don't understand.
It's more confusing than I initially thought.

[shafik]

I agree with @cor3ntin I think we need to understand the problem better.

I think popping into a debugger would likely help here.

[AdvenamTacet]

I think we need to understand the problem better.

Agree as well, I changed PR to WIP. But I don't really know where to look now.

I think popping into a debugger would likely help here.

@shafik What is the correct way of building a single test, so we have access to a stand-alone binary?

I did want to use a debugger, copy pasted many dependencies into one file, it even compiled, but it didn't reproduce the error.

I'm happy to get some help here.

[vitalybuka]

As we figured out what was the issue, this patch should not be needed

[AdvenamTacet]

It's not needed.