[libc] allow UnitTest suite to be compiled on darwin #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When sram-ecc is enabled 16-bit loads clobber full 32-bit VGPR. A load into a just 16-bit VGPR is not possible. Do a 16-bit extending load and extract a 16-bit subreg in this situation. Also fixes lack of 16-bit store patterns with this combination. Fixes: SC1-6072
This change adds initial support for array new expressions where the array size is constant and the element does not require a cookie. Ported from ClangIR incubator PR [llvm#1286 ](llvm/clangir#1286). This is the first PR in a series intended to close llvm#160383.
… llvm-offload-binary (llvm#161438)"
This adds the dialect handling for CIR_DynamicCastOp and CIR_DynamicCastInfoAttr. Support for generating these operations from source will be added in a later change.
…62217) This test has been flaky failing on sanitizer-ppc64le-linux since at least 9 days ago (https://lab.llvm.org/buildbot/#/builders/72/builds/15257), but the exact cause is unclear because the only output is that `assert(res == 0 || res == ENOENT);` failed. To aid debugging, this patch prints out the result of the `getpwnam_r` call.
The testcase tests atomicupdate header which is not required for testing atomic control attributes. This induces failures due to unrelated changes (like changes in atomic update clauses). This PR removes the unrelated test to keep it minimal.
Follow LLVM Coding Standards for variable names, and remove `namespace llvm` surrounding all the code.
…61678) Relands llvm#149701 which was reverted in llvm@185ae5c because it broke demangling of Itanium symbols on i386. The last commit in this PR adds the fix for this (discussed in llvm#160930). On x86 environments, the prefix of `__cdecl` functions will now be removed to match DWARF. I opened llvm#161676 to discuss this for the other calling conventions.
2499fe1 did remove clang-offload-packager from the GN build, but it didn't add the new tool. This commit does that.
) This PR replaces the forward `ExpiredLoansAnalysis` with a backward `LiveOriginAnalysis` that tracks which origins are live at each program point, along with confidence levels (Definite or Maybe). The new approach: - Tracks liveness of origins rather than expiration of loans - Uses a backward dataflow analysis to determine which origins are live at each point. - Provides more precise confidence levels for use-after-free warnings and avoids previous false-positives The `LifetimeChecker` now checks for use-after-free by examining if an origin is live when a loan expires, rather than checking if a loan is expired when an origin is used. More details describing the design flaw in using `ExpiredLoans` is mentioned in llvm#156959 (comment) Fixes: llvm#156959 (With this, we can build LLVM with no false-positives 🎉 ) <details> <summary> Benchmark report </summary> # Lifetime Analysis Performance Report > Generated on: 2025-09-24 13:08:03 --- ## Test Case: Pointer Cycle in Loop **Timing Results:** | N (Input Size) | Total Time | Analysis Time (%) | Fact Generator (%) | Loan Propagation (%) | Live Origins (%) | |:---------------|-----------:|------------------:|-------------------:|---------------------:|------------------:| | 50 | 54.12 ms | 80.80% | 0.00% | 80.42% | 0.00% | | 75 | 150.22 ms | 91.54% | 0.00% | 91.19% | 0.00% | | 100 | 317.12 ms | 94.90% | 0.00% | 94.77% | 0.00% | | 200 | 2.40 s | 98.58% | 0.00% | 98.54% | 0.03% | | 300 | 9.85 s | 99.25% | 0.00% | 99.24% | 0.01% | **Complexity Analysis:** | Analysis Phase | Complexity O(n<sup>k</sup>) | |:------------------|:--------------------------| | Total Analysis | O(n<sup>3.47</sup> ± 0.06) | | FactGenerator | (Negligible) | | LoanPropagation | O(n<sup>3.47</sup> ± 0.06) | | LiveOrigins | (Negligible) | --- ## Test Case: CFG Merges **Timing Results:** | N (Input Size) | Total Time | Analysis Time (%) | Fact Generator (%) | Loan Propagation (%) | Live Origins (%) | |:---------------|-----------:|------------------:|-------------------:|---------------------:|------------------:| | 400 | 105.22 ms | 72.61% | 0.68% | 71.38% | 0.52% | | 1000 | 610.74 ms | 88.88% | 0.33% | 88.32% | 0.23% | | 2000 | 2.50 s | 95.32% | 0.21% | 94.99% | 0.11% | | 5000 | 17.20 s | 98.20% | 0.14% | 98.01% | 0.05% | **Complexity Analysis:** | Analysis Phase | Complexity O(n<sup>k</sup>) | |:------------------|:--------------------------| | Total Analysis | O(n<sup>2.14</sup> ± 0.00) | | FactGenerator | O(n<sup>1.59</sup> ± 0.05) | | LoanPropagation | O(n<sup>2.14</sup> ± 0.00) | | LiveOrigins | O(n<sup>1.19</sup> ± 0.04) | --- ## Test Case: Deeply Nested Loops **Timing Results:** | N (Input Size) | Total Time | Analysis Time (%) | Fact Generator (%) | Loan Propagation (%) | Live Origins (%) | |:---------------|-----------:|------------------:|-------------------:|---------------------:|------------------:| | 50 | 141.95 ms | 91.14% | 0.00% | 90.99% | 0.00% | | 100 | 1.09 s | 98.17% | 0.00% | 98.13% | 0.00% | | 150 | 3.87 s | 99.28% | 0.00% | 99.27% | 0.00% | | 200 | 9.81 s | 99.61% | 0.00% | 99.60% | 0.00% | **Complexity Analysis:** | Analysis Phase | Complexity O(n<sup>k</sup>) | |:------------------|:--------------------------| | Total Analysis | O(n<sup>3.23</sup> ± 0.02) | | FactGenerator | (Negligible) | | LoanPropagation | O(n<sup>3.23</sup> ± 0.02) | | LiveOrigins | (Negligible) | --- ## Test Case: Switch Fan-out **Timing Results:** | N (Input Size) | Total Time | Analysis Time (%) | Fact Generator (%) | Loan Propagation (%) | Live Origins (%) | |:---------------|-----------:|------------------:|-------------------:|---------------------:|------------------:| | 500 | 155.10 ms | 72.03% | 0.47% | 67.49% | 4.06% | | 1000 | 568.40 ms | 85.60% | 0.24% | 80.53% | 4.83% | | 2000 | 2.25 s | 93.00% | 0.13% | 86.99% | 5.88% | | 4000 | 9.06 s | 96.62% | 0.10% | 89.68% | 6.84% | **Complexity Analysis:** | Analysis Phase | Complexity O(n<sup>k</sup>) | |:------------------|:--------------------------| | Total Analysis | O(n<sup>2.07</sup> ± 0.01) | | FactGenerator | O(n<sup>1.52</sup> ± 0.13) | | LoanPropagation | O(n<sup>2.06</sup> ± 0.01) | | LiveOrigins | O(n<sup>2.23</sup> ± 0.00) | --- <details>
Summary: There's no real reason to restrict people if they don't want to use `triple`. It's important for the normal pipeline but I can see people using these for other purposes.
Fixes the test failure from llvm#161678 (comment).
This is a performance optimization and does not impact test fidelity. There have been some flakes where this script will fail to download files, exit with code 1, causing the job to fail before it even starts running tests. This is undesirable as the tests will only run 10-15% slower without this, so catch the exceptions and emit a warning we can track later in the rare case we cannot download the timing files. This fixes llvm#162294.
Introduce the "alloc-token" sanitizer kind, in preparation of wiring it up. Currently this is a no-op, and any attempt to enable it will result in failure: clang: error: unsupported option '-fsanitize=alloc-token' for target 'x86_64-unknown-linux-gnu' In this step we can already wire up the `sanitize_alloc_token` IR attribute where the instrumentation is enabled. Subsequent changes will complete wiring up the AllocToken pass. --- This change is part of the following series: 1. llvm#160131 2. llvm#156838 3. llvm#162098 4. llvm#162099 5. llvm#156839 6. llvm#156840 7. llvm#156841 8. llvm#156842
For new expressions, the allocated type is syntactically known and we can trivially emit the !alloc_token metadata. A subsequent change will wire up the AllocToken pass and introduce appropriate tests. --- This change is part of the following series: 1. llvm#160131 2. llvm#156838 3. llvm#162098 4. llvm#162099 5. llvm#156839 6. llvm#156840 7. llvm#156841 8. llvm#156842
Summary: This RPC call does the final exiting. The callbacks were handled on the GPU side and this is only 'valid' in the pretend mode where we treat the GPU like a CPU program. Doing this keeps us from crashing and burning if people continue using the program while this is running as `exit` would tear down the offloading library in memory and lead to segfaults. This just drops everything where it is and lets the process manager clean it up for us.
We already had RV64 RUN lines.
We're shadowing the Python builtin function `globals` in `ir.py` and therefore anywhere someone does `from mlir.ir import *`. So hide it.
…ry (llvm#162257) This fixes spurious failures in std/input.output/filesystems/fs.op.funcs/fs.op.proximate/proximate.pass.cpp on Windows. As part of that test, libcxx tries to open a fake network path such as "//foo/a". Normally, this sets the error ERROR_BAD_NETPATH, which is mapped to no_such_file_or_directory. However occasionally, it can end up setting the error ERROR_NETNAME_DELETED instead. Map ERROR_NETNAME_DELETED to no_such_file_or_directory just like ERROR_BAD_NETPATH is mapped. This makes these cases be treated equally within the create_file_status function in src/filesystem/file_descriptor.h, causing the __weakly_canonical function in operations.cpp to keep iterating, rather than erroring out.
### Summary Add support for unique target ids per Target instance. This is needed for upcoming changes to allow debugger instances to be shared across separate DAP instances for child process debugging. We want the IDE to be able to attach to existing targets in an already runny lldb-dap session, and having a unique ID per target would make that easier. Each Target instance will have its own unique id, and uses a function-local counter in `TargetList::CreateTargetInternal` to assign incremental unique ids. ### Tests Added several unit tests to test basic functionality, uniqueness of targets, and target deletion doesn't affect the uniqueness. ``` bin/lldb-dotest -p TestDebuggerAPI ```
…llvm#162197) Compute the start time *before* registering the callback, rather than after, to avoid the possibility of a small race. The following scenario illustrates the problem. 1. The callback is registered with a 2 second timeout at t=0ms. 2. We compute the start time after registering the callback. For the sake of argument, let's say it took 5ms to return from registering the callback and computing the current time. Start=5ms. 3. The callback fires after exactly 2 seconds, or t=2000ms. 4. We compute the difference between start and now. If it took less than 5ms to compute, then we end up with a difference that's less than 2000ms and the test fails. Let's say it took 3ms this time, then 2003ms-5ms=1998ms < 2000ms. The actual values in the example above are arbitrary. All that matters is that it took longer to compute the start time than the end time. My theory is that this explains why this test is flaky when running under ASan in CI (which has unpredictable timing). rdar://160956999
…inaries with pac-ret hardening" (llvm#162353) Reverts llvm#120064. @gulfemsavrun reported that the patch broke toolchain builders.
VPExpandSCEVRecipes must be at the beginning of the entry block. addMinimumEpilogueIterationCheck currently creates VPInstructions to compute the remaining iterations before potentially creating VPExpandSCEVRecipes. Fix this by first creating any SCEV expansions if needed. Fixes llvm#162128.
…acecast (llvm#161773) LLVM models ConstantPointerNull as all-zero, but some GPUs (e.g. AMDGPU and our downstream GPU target) use a non-zero sentinel for null in private / local address spaces. SPIR-V is a supported input for our GPU target. This PR preserves a canonical zero form in the generic AS while allowing later lowering to substitute the target’s real sentinel.
SimpleNativeMemoryMap is a memory allocation backend for use with ORC. It can... 1. Reserve slabs of address space. 2. Finalize regions of memory within a reserved slab: copying content into requested addresses, applying memory protections, running finalization actions, and storing deallocation actions to be run by deallocate. 3. Deallocate finalized memory regions: running deallocate actions and, if possible, making memory in these regions available for use by future finalization operations. (Some systems prohibit reuse of executable memory. On these systems deallocated memory is no longer usable within the process). 4. Release reserved slabs. This runs deallocate for any not-yet-deallocated finalized regions, and then (if possible) returns the address space to system. (On systems that prohibit reuse of executable memory parts of the released address space may be permanently unusable by the process). SimpleNativeMemoryMap is intended primarily for use by llvm::orc::JITLinkMemoryManager implementations to allocate JIT'd code and data.
…ter (llvm#162079) Fix clang-tidy misc-const-correctness of function pointer, because function pointer can't be declared as `const*const` ``` void function_pointer_basic() { void (*const fp)() = nullptr; fp(); } test.cpp:2:3: warning: pointee of variable 'fp' of type 'void (*const)()' can be declared 'const' [misc-const-correctness] 2 | void (*const fp)() = nullptr; | ^ | const ``` --------- Co-authored-by: Congcong Cai <[email protected]>
… cttz. (llvm#161898) When lowering a `table-based cttz` calculation to the `llvm.cttz` intrinsic, `AggressiveInstCombine` was not attaching profile metadata to the newly generated `select` instruction. This PR adds heuristic branch weights to the `select`. It uses a strong 100-to-1 probability favoring the `cttz` path over the zero-input case. This allows later passes to optimize code layout and branch prediction.
Remove setcc instruction by utilizing add/sub carryout. Addresses llvm#152992. --------- Signed-off-by: John Lu <[email protected]>
An orc-rt Session contains a JIT'd program, managing resources and communicating with a remote JIT-controller instance (expected to be an orc::ExecutionSession, though this is not required).
…_MLA (llvm#162513) Using DAG.getSplitVector creates new nodes that need to be legalized. We should use GetSplitVector to get the already legalized copy of the inputs.
This header was a placeholder in the initial project check-in, but is not used. Time to remove it.
…llvm#162587) This fixes the transform to use the correct parameter type for an AssociatedDecl which has been fully specialized. Instead of using the type for the parameter of the specialized template, this uses the type of the argument it has been specialized with. This fixes a regression reported here: llvm#161029 (comment) Since this regression was never released, there are no release notes.
Closes llvm#159614 **Changes:** - Initial implementation of rsqrt for single precision float **Some small unrelated style changes to this PR (that I missed in my rsqrtf16 PR):** - Added extra - to the top comments to make it look nicer in libc/shared/math/rsqrtf16.h - Put rsqrtf16 inside of libc/src/__support/math/CMakeLists.txt in sorted order - Rearanged libc_math_function rsqrtf16 in Bazel to match alphabetical order
…eaders` (llvm#160967) - `IncludeModernizePPCallbacks` creates temporary vectors when all it needs is constant arrays - The header replacement strings are `std::string` when they can just be `StringRef` - `IncludeModernizePPCallbacks`'s constructor 1. Takes `LangOptions` by value (the thing is 832 bytes) 2. Stores it, but none of `IncludeModernizePPCallbacks`'s member functions use it
That have been fixed by llvm@49660e5.
Apple M4: ``` Benchmark Baseline Candidate Difference % Difference --------------------------------------------------------------------------------------------- ---------- ----------- ------------ -------------- std::map<int,_int>::lower_bound(key)_(existent)/0 0.01 0.01 -0.00 -25.78 std::map<int,_int>::lower_bound(key)_(existent)/1024 7.94 4.28 -3.66 -46.09 std::map<int,_int>::lower_bound(key)_(existent)/32 2.73 1.69 -1.03 -37.89 std::map<int,_int>::lower_bound(key)_(existent)/8192 11.63 5.52 -6.11 -52.55 std::map<int,_int>::lower_bound(key)_(non-existent)/0 0.28 0.28 -0.00 -1.35 std::map<int,_int>::lower_bound(key)_(non-existent)/1024 17.21 7.63 -9.58 -55.67 std::map<int,_int>::lower_bound(key)_(non-existent)/32 4.71 3.26 -1.45 -30.71 std::map<int,_int>::lower_bound(key)_(non-existent)/8192 26.82 10.58 -16.24 -60.55 std::map<int,_int>::upper_bound(key)_(existent)/0 0.01 0.01 0.00 20.62 std::map<int,_int>::upper_bound(key)_(existent)/1024 7.93 3.61 -4.32 -54.49 std::map<int,_int>::upper_bound(key)_(existent)/32 2.83 1.98 -0.85 -30.01 std::map<int,_int>::upper_bound(key)_(existent)/8192 11.69 5.72 -5.97 -51.06 std::map<int,_int>::upper_bound(key)_(non-existent)/0 0.28 0.28 -0.00 -1.36 std::map<int,_int>::upper_bound(key)_(non-existent)/1024 17.21 8.00 -9.21 -53.53 std::map<int,_int>::upper_bound(key)_(non-existent)/32 4.70 2.93 -1.78 -37.76 std::map<int,_int>::upper_bound(key)_(non-existent)/8192 26.54 11.18 -15.36 -57.89 std::map<std::string,_int>::lower_bound(key)_(existent)/0 0.04 0.04 -0.00 -3.26 std::map<std::string,_int>::lower_bound(key)_(existent)/1024 27.46 26.25 -1.22 -4.43 std::map<std::string,_int>::lower_bound(key)_(existent)/32 19.17 15.71 -3.46 -18.07 std::map<std::string,_int>::lower_bound(key)_(existent)/8192 35.33 35.03 -0.30 -0.84 std::map<std::string,_int>::lower_bound(key)_(non-existent)/0 0.27 0.27 -0.00 -1.45 std::map<std::string,_int>::lower_bound(key)_(non-existent)/1024 24.88 24.17 -0.70 -2.83 std::map<std::string,_int>::lower_bound(key)_(non-existent)/32 11.67 11.63 -0.04 -0.32 std::map<std::string,_int>::lower_bound(key)_(non-existent)/8192 31.81 32.33 0.52 1.64 std::map<std::string,_int>::upper_bound(key)_(existent)/0 0.04 0.04 -0.00 -2.22 std::map<std::string,_int>::upper_bound(key)_(existent)/1024 29.91 26.51 -3.40 -11.38 std::map<std::string,_int>::upper_bound(key)_(existent)/32 19.69 17.74 -1.95 -9.92 std::map<std::string,_int>::upper_bound(key)_(existent)/8192 32.55 35.24 2.69 8.25 std::map<std::string,_int>::upper_bound(key)_(non-existent)/0 0.27 0.27 -0.00 -1.74 std::map<std::string,_int>::upper_bound(key)_(non-existent)/1024 23.87 26.77 2.91 12.18 std::map<std::string,_int>::upper_bound(key)_(non-existent)/32 11.44 11.81 0.37 3.24 std::map<std::string,_int>::upper_bound(key)_(non-existent)/8192 33.02 32.59 -0.43 -1.29 std::set<int>::lower_bound(key)_(existent)/0 0.01 0.01 0.00 0.48 std::set<int>::lower_bound(key)_(existent)/1024 7.83 4.21 -3.62 -46.23 std::set<int>::lower_bound(key)_(existent)/32 2.74 1.68 -1.06 -38.81 std::set<int>::lower_bound(key)_(existent)/8192 22.75 11.12 -11.63 -51.12 std::set<int>::lower_bound(key)_(non-existent)/0 0.28 0.27 -0.01 -3.52 std::set<int>::lower_bound(key)_(non-existent)/1024 17.15 8.40 -8.75 -51.03 std::set<int>::lower_bound(key)_(non-existent)/32 4.63 2.50 -2.13 -46.03 std::set<int>::lower_bound(key)_(non-existent)/8192 28.88 11.05 -17.82 -61.72 std::set<int>::upper_bound(key)_(existent)/0 0.01 0.01 -0.00 -7.79 std::set<int>::upper_bound(key)_(existent)/1024 7.80 3.63 -4.16 -53.42 std::set<int>::upper_bound(key)_(existent)/32 2.81 1.90 -0.91 -32.44 std::set<int>::upper_bound(key)_(existent)/8192 21.93 11.35 -10.58 -48.26 std::set<int>::upper_bound(key)_(non-existent)/0 0.28 0.27 -0.01 -3.81 std::set<int>::upper_bound(key)_(non-existent)/1024 16.76 7.38 -9.38 -55.98 std::set<int>::upper_bound(key)_(non-existent)/32 4.58 3.10 -1.48 -32.31 std::set<int>::upper_bound(key)_(non-existent)/8192 26.95 10.70 -16.25 -60.29 std::set<std::string>::lower_bound(key)_(existent)/0 0.04 0.04 0.00 0.02 std::set<std::string>::lower_bound(key)_(existent)/1024 28.08 27.04 -1.04 -3.71 std::set<std::string>::lower_bound(key)_(existent)/32 17.53 16.94 -0.58 -3.34 std::set<std::string>::lower_bound(key)_(existent)/8192 32.79 33.28 0.49 1.49 std::set<std::string>::lower_bound(key)_(non-existent)/0 0.28 0.28 -0.00 -0.06 std::set<std::string>::lower_bound(key)_(non-existent)/1024 25.23 24.38 -0.85 -3.38 std::set<std::string>::lower_bound(key)_(non-existent)/32 11.45 11.68 0.24 2.07 std::set<std::string>::lower_bound(key)_(non-existent)/8192 32.30 36.80 4.50 13.95 std::set<std::string>::upper_bound(key)_(existent)/0 0.04 0.04 -0.00 -0.14 std::set<std::string>::upper_bound(key)_(existent)/1024 26.71 26.37 -0.34 -1.27 std::set<std::string>::upper_bound(key)_(existent)/32 20.07 19.06 -1.02 -5.06 std::set<std::string>::upper_bound(key)_(existent)/8192 36.69 35.50 -1.19 -3.25 std::set<std::string>::upper_bound(key)_(non-existent)/0 0.28 0.28 -0.00 -0.16 std::set<std::string>::upper_bound(key)_(non-existent)/1024 24.48 24.90 0.42 1.73 std::set<std::string>::upper_bound(key)_(non-existent)/32 11.68 11.77 0.09 0.77 std::set<std::string>::upper_bound(key)_(non-existent)/8192 33.16 34.12 0.96 2.89 ```
…llvm#161640) Apple dropped support for some older platforms, so we can also remove the annotations for them. See https://developer.apple.com/support/xcode/ for the supported versions.
…n_ia32_pmadd implementations (llvm#162504) The interp__builtin_ia32_pmadd implementation can be correctly used for PMULDQ/PMULUDQ evaluation as well as we're ignoring the "hi" integers in each pair I've replaced the PMULDQ/PMULUDQ evaluation with callbacks and renamed interp__builtin_ia32_pmadd to interp__builtin_ia32_pmul for consistency
…2284) The `cmpxchg` instruction has two memory orders, one for success and one for failure. Prior to this patch `LegalityQuery` only exposed a single memory order, that of the success case. This meant that it was not generally possible to legalize `cmpxchg` instructions based on their memory orders. Add a `FailureOrdering` field to `LegalityQuery::MemDesc`; it is only set for `cmpxchg` instructions, otherwise it is `NotAtomic`. I didn't rename `Ordering` to `SuccessOrdering` or similar to avoid breaking changes for out of tree targets. The new field does not increase `sizeof(MemDesc)`, it falls into previous padding bits due to alignment, so I'd expect there to be no performance impact for this change. Verified no breakage via check-llvm in build with AMDGPU, AArch64, and X86 targets enabled.
Added factory methods for vocabulary creation. This also would fix UB issue introduced by llvm#161713
… uniform AMDGPU lane Intrinsics. (llvm#116953) This pass introduces optimizations for AMDGPU intrinsics by leveraging the uniformity of their arguments. When an intrinsic's arguments are detected as uniform, redundant computations are eliminated, and the intrinsic calls are simplified accordingly. By utilizing the UniformityInfo analysis, this pass identifies cases where intrinsic calls are uniform across all lanes, allowing transformations that reduce unnecessary operations and improve the IR's efficiency. These changes enhance performance by streamlining intrinsic usage in uniform scenarios without altering the program's semantics. For background, see PR llvm#99878
llvm#156841) For the AllocToken pass to accurately calculate token ID hints, we need to attach `!alloc_token` metadata for allocation calls. Unlike new expressions, untyped allocation calls (like `malloc`, `calloc`, `::operator new(..)`, `__builtin_operator_new`, etc.) have no syntactic type associated with them. For -fsanitize=alloc-token, type hints are sufficient, and we can attempt to infer the type based on common idioms. When encountering allocation calls (with `__attribute__((malloc))` or `__attribute__((alloc_size(..))`), attach `!alloc_token` by inferring the allocated type from (a) sizeof argument expressions such as `malloc(sizeof(MyType))`, and (b) casts such as `(MyType*)malloc(4096)`. Note that non-standard allocation functions with these attributes are not instrumented by default. Use `-fsanitize-alloc-token-extended` to instrument them as well. Link: https://discourse.llvm.org/t/rfc-a-framework-for-allocator-partitioning-hints/87434 --- This change is part of the following series: 1. llvm#160131 2. llvm#156838 3. llvm#162098 4. llvm#162099 5. llvm#156839 6. llvm#156840 7. llvm#156841 8. llvm#156842
…lvm#161322) This simplifies the code quite a bit and seems to improve code size slightly in some cases.
ExecuteFunctionUnix.cpp which is guarded by this check should reliably work on darwin as it only uses POSIX API - nothing specific to linux.
Owner
Author
|
This change is part of the following stack: Change managed by git-spice. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| source .venv/bin/activate && cd repo | ||
| python -m pip install -r libcxx/utils/requirements.txt | ||
| baseline_commit=$(git merge-base ${{ steps.vars.outputs.pr_base }} ${{ steps.vars.outputs.pr_head }}) | ||
| ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }} |
Check failure
Code scanning / CodeQL
Code injection Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix this code injection vulnerability, we should ensure that the untrusted input (benchmarks) is never interpolated directly in the shell via ${{ ... }} in the run: block, but rather is assigned to an environment variable and referenced using shell native syntax ("$BENCHMARKS"). Specifically, in the affected step (line 67-73 in .github/workflows/libcxx-run-benchmarks.yml), we should:
- Add an
env:declaration to passbenchmarksas an environment variable from${{ steps.vars.outputs.benchmarks }}(just as is done in line 43 forCOMMENT_BODY). - In the shell script under
run:, reference$BENCHMARKS(quoted!) rather than using${{ ... }}. - This change is limited to lines 67-73, but the same fix pattern may be applied to other steps that use
${{ steps.vars.outputs.benchmarks }}unquoted in a shell.
No new methods or imports are required; only the format within the GitHub Actions YAML file should be updated. This will neutralize injection via shell metacharacters.
Suggested changeset
1
.github/workflows/libcxx-run-benchmarks.yml
| @@ -64,17 +64,21 @@ | ||
| path: repo # Avoid nuking the workspace, where we have the Python virtualenv | ||
|
|
||
| - name: Run baseline | ||
| env: | ||
| BENCHMARKS: ${{ steps.vars.outputs.benchmarks }} | ||
| run: | | ||
| source .venv/bin/activate && cd repo | ||
| python -m pip install -r libcxx/utils/requirements.txt | ||
| baseline_commit=$(git merge-base ${{ steps.vars.outputs.pr_base }} ${{ steps.vars.outputs.pr_head }}) | ||
| ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }} | ||
| ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed "$BENCHMARKS" | ||
| ./libcxx/utils/consolidate-benchmarks build/baseline | tee baseline.lnt | ||
|
|
||
| - name: Run candidate | ||
| env: | ||
| BENCHMARKS: ${{ steps.vars.outputs.benchmarks }} | ||
| run: | | ||
| source .venv/bin/activate && cd repo | ||
| ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }} | ||
| ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed "$BENCHMARKS" | ||
| ./libcxx/utils/consolidate-benchmarks build/candidate | tee candidate.lnt | ||
|
|
||
| - name: Compare baseline and candidate runs |
Copilot is powered by AI and may make mistakes. Always verify output.
| - name: Run candidate | ||
| run: | | ||
| source .venv/bin/activate && cd repo | ||
| ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }} |
Check failure
Code scanning / CodeQL
Code injection Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix the code injection vulnerability, untrusted input (benchmarks) should never be passed to the shell using the ${{ ... }} syntax, and instead should be set as an environment variable, then referenced using shell-native variable syntax ("$BENCHMARKS").
- In all
run:steps where${{ steps.vars.outputs.benchmarks }}is used, change to:- Set an
enventry forBENCHMARKS, mapping to${{ steps.vars.outputs.benchmarks }}. - Update the shell command to reference
"$BENCHMARKS"instead of${{ steps.vars.outputs.benchmarks }}.
- Set an
- This change applies to lines 71 and 77 (and any other future uses).
- No changes to the output setting step required; keep extracting
benchmarksas before. - No additional sanitization is required as using environment variable and shell syntax prevents injection. However, optionally, further input validation could be added in the future.
Suggested changeset
1
.github/workflows/libcxx-run-benchmarks.yml
| @@ -64,17 +64,21 @@ | ||
| path: repo # Avoid nuking the workspace, where we have the Python virtualenv | ||
|
|
||
| - name: Run baseline | ||
| env: | ||
| BENCHMARKS: ${{ steps.vars.outputs.benchmarks }} | ||
| run: | | ||
| source .venv/bin/activate && cd repo | ||
| python -m pip install -r libcxx/utils/requirements.txt | ||
| baseline_commit=$(git merge-base ${{ steps.vars.outputs.pr_base }} ${{ steps.vars.outputs.pr_head }}) | ||
| ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }} | ||
| ./libcxx/utils/test-at-commit --commit ${baseline_commit} -B build/baseline -- -sv -j1 --param optimization=speed "$BENCHMARKS" | ||
| ./libcxx/utils/consolidate-benchmarks build/baseline | tee baseline.lnt | ||
|
|
||
| - name: Run candidate | ||
| env: | ||
| BENCHMARKS: ${{ steps.vars.outputs.benchmarks }} | ||
| run: | | ||
| source .venv/bin/activate && cd repo | ||
| ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed ${{ steps.vars.outputs.benchmarks }} | ||
| ./libcxx/utils/test-at-commit --commit ${{ steps.vars.outputs.pr_head }} -B build/candidate -- -sv -j1 --param optimization=speed "$BENCHMARKS" | ||
| ./libcxx/utils/consolidate-benchmarks build/candidate | tee candidate.lnt | ||
|
|
||
| - name: Compare baseline and candidate runs |
Copilot is powered by AI and may make mistakes. Always verify output.
| repo: ${{ github.repository }} | ||
| steps: | ||
| - name: Install Ninja | ||
| uses: llvm/actions/install-ninja@main |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
Comment on lines
+103
to
+108
| - name: Download source code | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| with: | ||
| ref: ${{ matrix.ref }} | ||
| repository: ${{ matrix.repo }} | ||
| - name: Configure |
Check warning
Code scanning / CodeQL
Checkout of untrusted code in trusted context Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
The best practice is to separate trusted and untrusted contexts. The unprivileged job that checks out and builds PR code should only run on untrusted triggers (pull_request), should never have access to secrets, and should not interact directly with the repository (e.g., commenting, updating status, etc.). If any privileged post-processing (such as reporting results, commenting, or updating the repo) is needed, it should be done in a separate workflow using workflow_run, triggered only after the untrusted job completes and only using trusted refs or sanitized artifacts.
Steps:
- Split the workflow into two:
(A) An untrusted workflow triggered onpull_requestthat checks out and builds the PR, saving results as artifacts.
(B) A privileged workflow triggered onworkflow_runcompletion of the first, which (if needed) can safely comment, update, or process artifacts, taking proper caution to verify and sanitize artifact contents. - In this workflow, restrict the "abi-dump" job such that it never checks out PR code in a trusted context (i.e., not for
pushorworkflow_dispatch). - One quick fix: Guard downstream, potentially privileged steps so they only run for trusted triggers (i.e.,
pushorworkflow_dispatch), while the untrusted build job only runs forpull_request, and outputs are passed as artifacts.
Implement in .github/workflows/llvm-abi-tests.yml:
- Split
abi-dumpjob into two jobs:abi-dump-pr(forpull_request; builds PR code, uploads artifact—no secrets or privileged operations)abi-dump-trusted(for trusted events only; builds trusted refs only, can use secrets or perform privileged actions as needed)
- Use
if:condition to ensure each job runs only on its appropriate event. - Optionally, transition to fully separate workflows as in the "correct usage" example, but this may be more intrusive and outside the scope of a code-only fix.
Suggested changeset
1
.github/workflows/llvm-abi-tests.yml
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ExecuteFunctionUnix.cpp which is guarded by this check should reliably work
on darwin as it only uses POSIX API - nothing specific to linux.