[SR-9871] 'malloc: [...] pointer being freed was not allocated' during runtime when using 'indirect' enum case with '[Self]' associated value #52277
Comments
|
Gets an assertion failure on master: |
|
I have a small fix. |
|
(it is just using ensurePlusOne. No leaks/use-after-free occur. Before we use that though, I would like to understand the problem better). |
|
Slightly simpler (without stdlib type): class Box<T> {
var value: T
init(inputValue: T) { value = inputValue }
}
enum Value<U> {
case inline(U)
indirect case box(Box<U>)
}
func evaluate<U>(v: Value<U>) {
switch v {
case .inline:
return
case .box(let box):
return
}
} |
|
In the following SIL, we are trying to store %12 into memory. // evaluate<A>(v:)
sil hidden [ossa] @$s8testcase8evaluate1vyAA5ValueOyxG_tlF : $@convention(thin) <U> (@in_guaranteed Value<U>) -> () {
// %0 // users: %3, %1
bb0(%0 : $*Value<U>):
debug_value_addr %0 : $*Value<U>, let, name "v", argno 1 // id: %1
%2 = alloc_stack $Value<U> // users: %9, %7, %5, %4, %3
copy_addr %0 to [initialization] %2 : $*Value<U> // id: %3
switch_enum_addr %2 : $*Value<U>, case #Value.inline!enumelt.1: bb1, case #Value.box!enumelt.1: bb2 // id: %4
bb1: // Preds: bb0
%5 = unchecked_take_enum_data_addr %2 : $*Value<U>, #Value.inline!enumelt.1 // user: %6
destroy_addr %5 : $*U // id: %6
dealloc_stack %2 : $*Value<U> // id: %7
br bb6 // id: %8
bb2: // Preds: bb0
%9 = unchecked_take_enum_data_addr %2 : $*Value<U>, #Value.box!enumelt.1 // user: %10
%10 = load [take] %9 : $*<τ_0_0> { var Box<τ_0_0> } <U> // user: %11
%11 = project_box %10 : $<τ_0_0> { var Box<τ_0_0> } <U>, 0 // user: %12
%12 = load_borrow %11 : $*Box<U>
bb3:
bb4:
bb5:
bb6: // Preds: bb1
bb7:
} // end sil function '$s8testcase8evaluate1vyAA5ValueOyxG_tlF' |
|
Ok. This is interesting. The take_borrow has a TakeAlways. We should have copied it before we made that transition. |
|
I found the problem: https://github.com/apple/swift/blob/master/lib/SILGen/SILGenPattern.cpp#L2176 At the same time, I also noticed that we are also /not/ inserting a read access here like we do in the other parts of the code that deals with boxes. |
|
I talked with Andy. He said that the missing accesses will just cause the verifier to be more strict. I am not sure if they matter. |
|
Merged into both 5.0 and master. |
|
Did this fix make it into Xcode 10.2 beta 3? |
|
Comment by Luiz Fernando Silva (JIRA) @tonyarnold seems like this fix didn't make to beta 3 yet. |
|
Comment by Luiz Fernando Silva (JIRA) Appears to be fixed in Xcode 10.2 beta 4! |
|
Closing the bug. |
Environment
Xcode 10.2 beta 2 (10P91b)
Apple Swift version 5.0 (swiftlang-1001.0.60.3 clang-1001.0.37.8)
Target: x86_64-apple-darwin18.2.0
ABI version: 0.7
macOS 10.14.2 (18C54)
Additional Detail from JIRA
md5: 2b8141b3d0e3078efc1e46d9461a4f87
Issue Description:
The following test case traps during runtime in the latest Xcode 10.2 beta 2 (10P91b):
The error reads:
Removing the spurious 'indirect' modifier from 'case all([MatchRule])' fixes the crash and the code behaves normally.
The text was updated successfully, but these errors were encountered: