<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><div><div><br><br></div><div>I’ve seen exactly the same problem, it’s definitely fixable but I haven’t tried to tackle it yet. Do you intend to do so? I’m more than happy to help with design / code / reviews. How do you want to proceed?</div></div></div></blockquote><div><br></div><div>We even started working on a related analysis pass, but got distracted. </div><div><a href="https://reviews.llvm.org/D53336">https://reviews.llvm.org/D53336</a><br></div><div><a href="https://reviews.llvm.org/D54541">https://reviews.llvm.org/D54541</a><br></div><div>I hope we can get back to it in a month or so, but can't promise. :( </div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><div><br><blockquote type="cite"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Compare to -ftrivial-auto-var-init<b>=zero</b>:</div><div><br></div><div><div><span style="white-space:pre-wrap"> </span>xorps<span style="white-space:pre-wrap"> </span>%xmm0, %xmm0</div><div><span style="white-space:pre-wrap"> </span>movaps<span style="white-space:pre-wrap"> </span>%xmm0, 48(%rsp)</div><div><span style="white-space:pre-wrap"> </span>movaps<span style="white-space:pre-wrap"> </span>%xmm0, 32(%rsp)</div><div><span style="white-space:pre-wrap"> </span>movaps<span style="white-space:pre-wrap"> </span>%xmm0, 16(%rsp)</div><div><span style="white-space:pre-wrap"> </span>movaps<span style="white-space:pre-wrap"> </span>%xmm0, (%rsp)</div><div><span style="white-space:pre-wrap"> </span>movq<span style="white-space:pre-wrap"> </span>$0, 64(%rsp)</div></div><div><br></div><div><div><span style="white-space:pre-wrap"> </span>movi<span style="white-space:pre-wrap"> </span>v0.2d, #0000000000000000</div><div><span style="white-space:pre-wrap"> </span>mov<span style="white-space:pre-wrap"> </span>x0, sp</div><div><span style="white-space:pre-wrap"> </span>str<span style="white-space:pre-wrap"> </span>xzr, [sp, #64]</div><div><span style="white-space:pre-wrap"> </span>stp<span style="white-space:pre-wrap"> </span>q0, q0, [sp, #32]</div><div><span style="white-space:pre-wrap"> </span>stp<span style="white-space:pre-wrap"> </span>q0, q0, [sp]</div></div><div><br></div><div><br></div><div>OTOH, with a relatively simple LTO-based analysis we can get rid of these extra auto-inits completely. <br></div><div><br></div><div>CC <a class="gmail_plusreply" id="gmail-m_1072355842374943900plusReplyChip-5" href="mailto:vitalybuka@google.com" target="_blank">@Vitaly Buka</a> <a class="gmail_plusreply" id="gmail-m_1072355842374943900plusReplyChip-6" href="mailto:pcc@google.com" target="_blank">@Peter Collingbourne</a> <a class="gmail_plusreply" id="gmail-m_1072355842374943900plusReplyChip-7" href="mailto:eugenis@google.com" target="_blank">@Evgeniy Stepanov</a> </div></div></div></div></div></div></div></div></div></blockquote><div><br></div><div>Why LTO? Are you observing this cross-TU? I think we want to first do same-TU, and then teach LTO about it too.</div></div></div></blockquote><div><br></div><div>For the analysis pass, it doesn't matter if it's same-TU or cross-TU -- it will use all information it sees. </div><div>So, it should work for same-TU even w/o LTO. </div><div>We see this either cross-TU or when a CTOR is marked as noinline. </div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><div><div><br></div><br><blockquote type="cite"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>--kcc </div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Dec 18, 2018 at 11:38 AM Kostya Serebryany <<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">2019 is going to have one bug class fewer. :) <div>(unless Jann&Co find new bug classes again)</div><div><br></div><div>Looking forward to the followup patches (e.g. padding gaps) </div><div>and to doing the measurements. </div><div><br></div><div>--kcc </div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Dec 18, 2018 at 10:53 AM JF Bastien <<a href="mailto:jfbastien@apple.com" target="_blank">jfbastien@apple.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hello fans of the pre-C++11 `auto` keyword!<div><br></div><div>Thanks to reviews from Peter and Richard, automatic variable initialization landed last night:</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><a href="https://reviews.llvm.org/rL349442" target="_blank">https://reviews.llvm.org/rL349442</a></blockquote><div><br></div>Chandler pointed out that I should have circled back to the RFC in case any of the finer points needed tuning. Let me know if there’s any follow-up you’d like! I’ve made zero-init harder / uglier to use as was requested, while allowing folks like Kostya to test it out.<div><br></div><div>Let me know if you find bugs (in your code, or in the implementation), and please file bugs on any missed optimization opportunities. I know of a handful of missing optimizations which I intend to tackle in the near future. I’d also love to hear what kind of performance / size impact you see from various codebases. </div><div><br></div><div>As pointed out in the patch there’s a few other hardenings that I’ll want to tackle next. I’ll do so in the new year.</div><div><br></div><div>Thanks,</div><div><br></div><div>JF<br><div><br><div><br><blockquote type="cite"><div>On Dec 11, 2018, at 3:18 PM, Joe Bialek via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:</div><br class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-interchange-newline"><div><div class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">We went with zero initialization for production builds in Visual Studio because we anticipate zero being the fastest, smallest code gen, and safest value for the following cases:<u></u><u></u></div><ul type="disc" style="margin-bottom:0in;margin-top:0in"><li class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Pointer: A non-zero pointer could potentially point at valid code. On Windows x64, the first 64kb of the virtual address space is guaranteed to not be mappable and the last 512GB of the virtual address space (today) has the space guarantee. So null pointer or near-null pointer dereferences are denial of service at worst.<u></u><u></u></li><li class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Size: If you forget to set a size as an out parameter we’d rather it’s set to 0 so you don’t index out of bounds.<u></u><u></u></li><li class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804MsoListParagraph" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Index: Same as size.<u></u><u></u></li></ul><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">We are using this mitigation to downgrade vulnerabilities from remote code execution, elevation of privilege, or information disclosure, down to denial of service at worst.<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Assuming the denial of service isn’t for a scenario where it matters (there are many types of DOS we don’t really worry about for security), we will not bother servicing the vulnerabilities down-level and instead only fix them for new code.<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">It is helpful for us to have deterministic behavior to help accomplish this goal. If an engineer knows a value is always set to 0, they can quickly determine if the bug report is actually exploitable or not. If it is initialized to a random or compile time constant value, we’ll need to do more work to determine if the bug is exploitable.<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">We are not zero initializing CHK builds to prevent folks from taking a dependency on this feature.<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Joe<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>From:</b><span class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-converted-space"> </span>Kostya Serebryany <<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>><span class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-converted-space"> </span><br><b>Sent:</b><span class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-converted-space"> </span>Tuesday, December 11, 2018 3:04 PM<br><b>To:</b><span class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-converted-space"> </span>Mehdi AMINI <<a href="mailto:joker.eph@gmail.com" target="_blank">joker.eph@gmail.com</a>>; Jann Horn <<a href="mailto:jannh@google.com" target="_blank">jannh@google.com</a>><br><b>Cc:</b><span class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-converted-space"> </span>David Blaikie <<a href="mailto:dblaikie@gmail.com" target="_blank">dblaikie@gmail.com</a>>; Richard Smith <<a href="mailto:richard@metafoo.co.uk" target="_blank">richard@metafoo.co.uk</a>>; Clang Dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>>; Joe Bialek <<a href="mailto:jobialek@microsoft.com" target="_blank">jobialek@microsoft.com</a>><br><b>Subject:</b><span class="gmail-m_1072355842374943900gmail-m_8814888969811067093gmail-m_4370604207350482532gmail-m_-4389096554537496804Apple-converted-space"> </span>Re: [cfe-dev] [RFC] automatic variable initialization<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">One more dimension in this discussion (zero-init vs pattern-init) is what will security get from those options.<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">My second-hand knowledge here suggests that zero-init may have *on average* better security guarantees than non-zero init.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">For example if the uninitialized data is interpreted as a length of something, it better be zero than any large number or, worse, a negative signed number. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><a href="mailto:jannh@google.com" style="color:purple;text-decoration:underline" target="_blank">+Jann Horn</a> and Joe Bialek who have first-hand knowledge here. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">--kcc <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Thu, Dec 6, 2018 at 3:58 PM Kostya Serebryany <<a href="mailto:kcc@google.com" style="color:purple;text-decoration:underline" target="_blank">kcc@google.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Thu, Dec 6, 2018 at 3:55 PM Mehdi AMINI <<a href="mailto:joker.eph@gmail.com" style="color:purple;text-decoration:underline" target="_blank">joker.eph@gmail.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Thu, Dec 6, 2018 at 3:43 PM Kostya Serebryany <<a href="mailto:kcc@google.com" style="color:purple;text-decoration:underline" target="_blank">kcc@google.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Thu, Dec 6, 2018 at 3:03 PM Mehdi AMINI <<a href="mailto:joker.eph@gmail.com" style="color:purple;text-decoration:underline" target="_blank">joker.eph@gmail.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Thu, Dec 6, 2018 at 1:01 PM Kostya Serebryany <<a href="mailto:kcc@google.com" style="color:purple;text-decoration:underline" target="_blank">kcc@google.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Wed, Dec 5, 2018 at 6:07 PM Mehdi AMINI via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" style="color:purple;text-decoration:underline" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I have the same question as David: I don't understand why this isn't just an experimental build option disabled by default? (Google, Apple, etc. can just enable it in their build script, no need to patch the source).<u></u><u></u></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I will need to rebuild half a dozen compiler binaries to do the measurements I need.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">This is going to double the cost of the effort for me because it adds too many extra moving pieces. <u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Not sure I follow, you have to build the compiler anyway to get it after the code is patched?<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The only thing you would have to do is one CL to enable the build flag (that expose the command line flag) inside your codebase and then you get your toolchain as usual?<u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Once the JF's patch is in, I'll have it in most production compilers I care about in 2-6 weeks, w/o any effort on my side. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">None of those builders (easily) support adding custom patches, and even a build flag is going to be very non-trivial. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I can deal with one or two of those builds relatively easily, but not with the rest. <u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">What builders are you referring to? So far I was assuming we were talking about your internal infrastructure that produces your production compilers.<u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I am talking about our internal infra. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">But we have multiple independent builders from multiple independent compiler users (e.g. Chrome and Android are using different compiler builds). <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">-- <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Mehdi<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The only argument I read in the thread was about allowing people to make performance measurement without rebuilding the compiler, but I have a hard time reconciliation this with the fact that we're talking about not shipping this before performing the actual measurements?<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I expect that anyone that cares enough about the perf impact of this to influence the development of the feature in clang should already be rebuilding their compiler today. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">-- <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Mehdi<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Mon, Dec 3, 2018 at 5:58 PM David Blaikie via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" style="color:purple;text-decoration:underline" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif">Just out of curiosity - what's the major difference between a build-time off-by-default feature and a build-time on-by-default-but-off-in-release branches feature? If we're only targeting groups that build/release the compiler themselves, then they're likely able to opt-in to a build-time feature easily enough, I'd think? & then there's no need to make our releases different from day-to-day builds?<br><br>But sounds like folks are in general agreement of a way forward, so I don't want to disrupt/delay that.<u></u><u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Wed, Nov 28, 2018 at 11:14 PM Chandler Carruth <<a href="mailto:chandlerc@gmail.com" style="color:purple;text-decoration:underline" target="_blank">chandlerc@gmail.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Suggested compromise technique to at least get an initial set of numbers:<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">1) Require a special, long, ugly flag name.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">2) Make it a CC1 flag, requiring -Xclang ... to use.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">3) Emit a warning by default (that cannot be suppressed with a -Wno-... flag) when this flag is enabled.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">4) Commit to never including this flag in any upstream release. Either we remove it before the next release branches or we revert it on the branch.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Most of the folks we're hoping to get performance data with are willing to use a not-yet-released build of Clang. They won't have to actually patch it in any way. They will have strong reminders to not deploy this in any way due to the warning.<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thoughts?<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Wed, Nov 28, 2018 at 4:34 PM Kostya Serebryany via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" style="color:purple;text-decoration:underline" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<u></u><u></u></div></div></div></div><div><div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Wed, Nov 28, 2018 at 3:28 PM David Blaikie <<a href="mailto:dblaikie@gmail.com" style="color:purple;text-decoration:underline" target="_blank">dblaikie@gmail.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></p><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Wed, Nov 28, 2018 at 3:17 PM Kostya Serebryany <<a href="mailto:kcc@google.com" style="color:purple;text-decoration:underline" target="_blank">kcc@google.com</a>> wrote:<u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>Seems easier to me to separate the two pieces - move ahead with the non-zero options, and separate the discussion on the zero option. You can present performance numbers from what you can measure without shipping a compiler with the feature - and if those numbers are sufficiently compelling compared to the risks of slicing the language, then perhaps we go that way.<u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">This approach will significantly impair my ability to do the measurements I need. <u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>I'm aware waht I'm proposing would make it more difficult for some people to take measurements - that's a tradeoff to be sure - one where I err in this direction.<br><br>Specifically for Google though - would it be that difficult for Google to opt-in to a certain build configuration of LLVM?<u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Absolutely yes. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Google is not just a single <a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdelivery.acm.org%2F10.1145%2F2860000%2F2854146%2Fp78-potvin.pdf%3Fip%3D104.133.8.94%26id%3D2854146%26acc%3DOA%26key%3D4D4702B0C3E38B35%252E4D4702B0C3E38B35%252E4D4702B0C3E38B35%252E5945DC2EABF3343C%26__acm__%3D1543446999_3aadcd36f657e2297430c38bee93f16c&data=02%7C01%7Cjobialek%40microsoft.com%7C533e0fe1444d4b5a3a6b08d65fbcf479%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636801662510848537&sdata=dd4I1xQ5qfawzLwsnBM3iqsypqZ%2BlFswj5IgKa%2FLHbw%3D&reserved=0" style="color:purple;text-decoration:underline" target="_blank">monolithic code base</a>. <u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>Couldn't access this link ("An error occurred while processing your request" - but yeah, I understand there's a bunch of different pieces of Google beyond the "stuff that runs in data centers" piece we mostly support.<br> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Besides that monolithic thing, we have Android, Chrome, ChromeOS, Fuchsia, and a bazillion of smaller efforts that use their own toolchains. <u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>Still, most/all of these build their own compilers, I think? But yeah, that adds an opt-in overhead to each project, for sure.<br> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">In some cases the most reliable and complete way of measuring performance changes is to submit the changes to revision control, <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">and let the performance bots shew it for a couple of days. That's how we iterated with the LLVM's CFI in Chrome. <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">We will also need to work with the upstream Linux kernel -- it's hard enough for them to use clang and a modified clang will cost us much more effort. <u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>Yeah, I can imagine that one's a bit trickier - how's performance evaluation of the kernel done?<u></u><u></u></div></div></div></div></blockquote><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">I don't think anyone knows that. :-|<u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">And requiring a compiler patch will shift the problem from "hard" to "I'd better do something else". <u></u><u></u></div></div></div></div><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">(though, again, I imagine a fair amount of progress could be made without the zero-init feature - perhaps enough to say "hey, here are all the places we have run tests & seen the performance tradeoff is worthwhile for us (& possibly that it's close to the zero-init case, but that's sort of orthogonal, imho - that it's worthwhile is the main thing) - perhaps other folks would be willing to test it (non-zero init) & see if it's worthwhile to them - and if it isn't/they're interested in more performance, maybe all that evidence we can gain from the places where it's easy for us to rebuild compilers, etc, would make it interesting enough to motivate someone to do build the kernel with a custom compiler & do some performance measurements, etc... <br><br>Sorry that was a bit rambly, anyway.<br><br>- Dave<br> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></div></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div><div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">We/Google do build the compiler from scratch, I assume we pick the configuration options we build with & some of them probably aren't the defaults for a release build of LLVM. So if it was important that Google's production compiler had these features enabled (rather than building a test compiler for running some experiments), that doesn't seem (at least to me, at this moment) especially prohibitive, is it?<br> <u></u><u></u></div></div></div></div></blockquote></div></div></blockquote></div></div></blockquote></div></div></blockquote></div></div><div><div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">_______________________________________________<u></u><u></u></div></blockquote></div></div><div><div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br>cfe-dev mailing list<br><a href="mailto:cfe-dev@lists.llvm.org" style="color:purple;text-decoration:underline" target="_blank">cfe-dev@lists.llvm.org</a><br><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.llvm.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fcfe-dev&data=02%7C01%7Cjobialek%40microsoft.com%7C533e0fe1444d4b5a3a6b08d65fbcf479%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636801662510858549&sdata=J1qIBl35xJOU4LXt2pmJKrl7Jo3RzuG04e7mWmXdULo%3D&reserved=0" style="color:purple;text-decoration:underline" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><u></u><u></u></div></blockquote></div></div></blockquote></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">_______________________________________________<br>cfe-dev mailing list<br><a href="mailto:cfe-dev@lists.llvm.org" style="color:purple;text-decoration:underline" target="_blank">cfe-dev@lists.llvm.org</a><br><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.llvm.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fcfe-dev&data=02%7C01%7Cjobialek%40microsoft.com%7C533e0fe1444d4b5a3a6b08d65fbcf479%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636801662510868553&sdata=wC0zWaGYC6YVWA3W7X3PEUjbePjhZdOoKVy5vzD6y2I%3D&reserved=0" style="color:purple;text-decoration:underline" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><u></u><u></u></div></blockquote></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">_______________________________________________<br>cfe-dev mailing list<br><a href="mailto:cfe-dev@lists.llvm.org" style="color:purple;text-decoration:underline" target="_blank">cfe-dev@lists.llvm.org</a><br><a href="https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.llvm.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fcfe-dev&data=02%7C01%7Cjobialek%40microsoft.com%7C533e0fe1444d4b5a3a6b08d65fbcf479%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636801662510868553&sdata=wC0zWaGYC6YVWA3W7X3PEUjbePjhZdOoKVy5vzD6y2I%3D&reserved=0" style="color:purple;text-decoration:underline" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><u></u><u></u></div></blockquote></div></div></blockquote></div></div></blockquote></div></div></blockquote></div></div></blockquote></div></div></blockquote></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">_______________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">cfe-dev mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline"><a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline"><a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a></span></div></blockquote></div><br></div></div></div></blockquote></div>
</blockquote></div>
</div></blockquote></div><br></div></blockquote></div></div></div></div>