Track deletion of merged constants

Keno · Keno · commit a12693fd4808 · 2023-03-06T04:18:19.000Z
This fixes an intermittent segfault in the Diffractor test.
The error very closely depends on the order of events,
but essentially what happens is that a
GlobalVariable gets stored into mergedConstants, but then
deleted in jl_merge_module when the opaque closure module
is merged into its parent. A test case is included, but it
is quite specific to current codegen, so it'll probably stop
being useful the next time we restructure things. It's also
intermittent (though would show up under valgrind/asan).
Hopefully, it'll nevertheless be useful.
diff --git a/src/codegen.cpp b/src/codegen.cpp
@@ -1750,9 +1750,10 @@ static inline GlobalVariable *prepare_global_in(Module *M, GlobalVariable *G)
 
 static GlobalVariable *get_pointer_to_constant(jl_codegen_params_t &emission_context, Constant *val, StringRef name, Module &M)
 {
-    GlobalVariable *&gv = emission_context.mergedConstants[val];
+    WeakVH &vh = emission_context.mergedConstants[val];
     StringRef localname;
     std::string ssno;
+    GlobalVariable *gv = cast_or_null<GlobalVariable>((Value*)vh);
     if (gv == nullptr) {
         raw_string_ostream(ssno) << name << emission_context.mergedConstants.size();
         localname = StringRef(ssno);
@@ -1771,6 +1772,7 @@ static GlobalVariable *get_pointer_to_constant(jl_codegen_params_t &emission_con
                 val,
                 localname);
         gv->setUnnamedAddr(GlobalValue::UnnamedAddr::Global);
+        vh = gv;
     }
     assert(localname == gv->getName());
     assert(val == gv->getInitializer());
diff --git a/src/jitlayers.h b/src/jitlayers.h
@@ -193,7 +193,7 @@ typedef struct _jl_codegen_params_t {
     std::map<std::tuple<jl_code_instance_t*,bool>, GlobalVariable*> external_fns;
     std::map<jl_datatype_t*, DIType*> ditypes;
     std::map<jl_datatype_t*, Type*> llvmtypes;
-    DenseMap<Constant*, GlobalVariable*> mergedConstants;
+    DenseMap<Constant*, WeakVH /* GlobalVariable* */> mergedConstants;
     // Map from symbol name (in a certain library) to its GV in sysimg and the
     // DL handle address in the current session.
     StringMap<std::pair<GlobalVariable*,SymMapGV>> libMapGV;
diff --git a/test/opaque_closure.jl b/test/opaque_closure.jl
@@ -270,3 +270,28 @@ let ci = code_typed((x, y...)->(x, y), (Int, Int))[1][1]
         @test_throws MethodError oc(1,2,3)
     end
 end
+
+# Regression test for emission of string constants from opaque closures.
+# This test is very specific to the structure of codegen. In particular,
+# what this test is trying to force is that the inner `g` opaque closure
+# gets merged into the module for `f`, overwriting the `typeassert`
+# string constant, but because `f` has its own typeassert after the
+# definition of `g`, it gets remembered and a use-after-free is forced
+# during the emission of `oc_string_const`.
+using Base.Experimental: @opaque
+@noinline function oc_string_const(x)
+   x::Int
+end
+function oc_string_const2(x)
+    f = @opaque x->begin
+        @inline
+        g = @opaque y->begin
+            y::Int
+        end
+        @noinline g(Base.inferencebarrier(x))
+        x::Int
+    end
+    @noinline f(Base.inferencebarrier(x))
+    oc_string_const(x)
+end
+@test_throws TypeError oc_string_const2(1.0)
