diff options
| author | Björn Gustavsson <[email protected]> | 2018-06-25 06:18:47 +0200 |
|---|---|---|
| committer | Björn Gustavsson <[email protected]> | 2018-06-25 13:03:15 +0200 |
| commit | 3dd17613fc7af70bc7f1222d7381533df0bd4eab (patch) | |
| tree | a3064b63660a1b3ef5eebd697271898217f6e1a6 | |
| parent | a0ae44f324576104760a63fe6cf63e0ca31756fc (diff) | |
| download | otp-3dd17613fc7af70bc7f1222d7381533df0bd4eab.tar.gz otp-3dd17613fc7af70bc7f1222d7381533df0bd4eab.tar.bz2 otp-3dd17613fc7af70bc7f1222d7381533df0bd4eab.zip | |
Fix unsafe optimization when running beam_block the second time
The compiler would crash when compiling code such as:
serialize(#{tag := value, id := Id, domain := Domain}) ->
[case Id of
nil ->
error(id({required, id}));
_ ->
<<10, 1:16/signed, Id:16/signed>>
end,
case Domain of
nil ->
error(id({required, domain}));
_ ->
<<8, 2:16/signed, Domain:32/signed>>
end].
The crash would look like this:
Function: serialize/1
t.erl: internal error in block2;
crash reason: {badmatch,false}
in function beam_utils:live_opt/4 (beam_utils.erl, line 861)
in call from beam_utils:live_opt/1 (beam_utils.erl, line 285)
in call from beam_block:function/2 (beam_block.erl, line 47)
in call from beam_block:'-module/2-lc$^0/1-0-'/2 (beam_block.erl, line 33)
in call from beam_block:'-module/2-lc$^0/1-0-'/2 (beam_block.erl, line 33)
in call from beam_block:module/2 (beam_block.erl, line 33)
in call from compile:block2/2 (compile.erl, line 1358)
in call from compile:'-internal_comp/5-anonymous-1-'/3 (compile.erl, line 349)
The reason for the crash is an assertion failure caused by a previous
unsafe optimization. Here is the code before the unsafe optimization:
.
.
.
{bs_init2,{f,0},7,0,0,{field_flags,[]},{x,1}}.
{bs_put_string,3,{string,[8,0,2]}}.
{bs_put_integer,{f,0},{integer,32},1,{field_flags,[signed,big]},{y,1}}.
{move,{x,1},{x,0}}.
{test_heap,4,1}.
.
.
.
beam_block:move_allocate/1 moved up the test_heap/2 instruction past the
move/2 instruction, adjusting the number of live registers at the same
time:
.
.
.
{bs_init2,{f,0},7,0,0,{field_flags,[]},{x,1}}.
%% Only x1 is live now.
{bs_put_string,3,{string,[8,0,2]}}.
{bs_put_integer,{f,0},{integer,32},1,{field_flags,[signed,big]},{y,1}}.
{test_heap,4,2}. %Unsafe. x0 is dead.
{move,{x,1},{x,0}}.
.
.
.
This optimization is unsafe because the bs_init2 instruction killed
x0.
The bug is in beam_utils:anno_defs/1, which adds annotations indicating
the registers that are defined at the beginning of each block. The
annotation before the move/2 instruction incorrectly indicated that
x0 was live.
https://bugs.erlang.org/browse/ERL-650
https://github.com/elixir-lang/elixir/issues/7782
| -rw-r--r-- | lib/compiler/src/beam_utils.erl | 8 | ||||
| -rw-r--r-- | lib/compiler/test/beam_utils_SUITE.erl | 23 |
2 files changed, 29 insertions, 2 deletions
diff --git a/lib/compiler/src/beam_utils.erl b/lib/compiler/src/beam_utils.erl index 5510624b2d..ff587c4982 100644 --- a/lib/compiler/src/beam_utils.erl +++ b/lib/compiler/src/beam_utils.erl @@ -1105,8 +1105,12 @@ defs([{bif,_,{f,Fail},_Src,Dst}=I|Is], Regs0, D) -> defs([{block,Block0}|Is], Regs0, D0) -> {Block,Regs,D} = defs_list(Block0, Regs0, D0), [{block,[make_anno({def,Regs0})|Block]}|defs(Is, Regs, D)]; -defs([{bs_init,{f,L},_,_,_,Dst}=I|Is], Regs0, D) -> - Regs = def_regs([Dst], Regs0), +defs([{bs_init,{f,L},_,Live,_,Dst}=I|Is], Regs0, D) -> + Regs1 = case Live of + none -> Regs0; + _ -> init_def_regs(Live) + end, + Regs = def_regs([Dst], Regs1), [I|defs(Is, Regs, update_regs(L, Regs, D))]; defs([{bs_put,{f,L},_,_}=I|Is], Regs, D) -> [I|defs(Is, Regs, update_regs(L, Regs, D))]; diff --git a/lib/compiler/test/beam_utils_SUITE.erl b/lib/compiler/test/beam_utils_SUITE.erl index 3d35b546fc..360dcc1e84 100644 --- a/lib/compiler/test/beam_utils_SUITE.erl +++ b/lib/compiler/test/beam_utils_SUITE.erl @@ -132,6 +132,15 @@ bs_init(_Config) -> <<"foo/foo">> = do_bs_init_4(<<"foo">>, true), error = do_bs_init_4([], not_boolean), + Id = 17575, + Domain = -8798798, + [<<10,1:16,Id:16/signed>>,<<8,2:16,Domain:32/signed>>] = + do_bs_init_5(#{tag=>value,id=>Id,domain=>Domain}), + {'EXIT',{{required,id},[_|_]}} = + (catch do_bs_init_5(#{tag=>value,id=>nil,domain=>Domain})), + {'EXIT',{{required,domain},[_|_]}} = + (catch do_bs_init_5(#{tag=>value,id=>Id,domain=>nil})), + ok. do_bs_init_1([?MODULE], Sz) -> @@ -189,6 +198,20 @@ do_bs_init_4(Arg1, Arg2) -> error end. +do_bs_init_5(#{tag := value, id := Id, domain := Domain}) -> + [case Id of + nil -> + error(id({required, id})); + _ -> + <<10, 1:16/signed, Id:16/signed>> + end, + case Domain of + nil -> + error(id({required, domain})); + _ -> + <<8, 2:16/signed, Domain:32/signed>> + end]. + bs_save(_Config) -> {a,30,<<>>} = do_bs_save(<<1:1,30:5>>), {b,127,<<>>} = do_bs_save(<<1:1,31:5,0:1,127:7>>), |