<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body>
<div style="font-family:sans-serif"><div style="white-space:normal">
<p dir="auto">On 14 Jun 2021, at 16:29, Cranmer, Joshua wrote:</p>
</div>
<div style="white-space:normal"><blockquote style="border-left:2px solid #3983C4; color:#3983C4; margin:0 0 5px; padding-left:5px"><p dir="auto">In case anyone reading this thread is unaware, there is currently a proposal before the C standards committee that goes into more details on a future provenance model for C: <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2676.pdf">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2676.pdf</a>. It actually details a few different provenance models, especially several variations on integers-do-not-have-provenance, mainly around what provenance is reconstructed on an inttoptr cast. While I’m not on the standards committee, I believe that something along the lines of this proposal will become the official C provenance rules.<br>
<br>
While LLVM isn’t required to adopt C rules wholesale, the basic form of the proposal already matches applied LLVM semantics better than our own language reference (we do not consider integers to carry provenance). There are several points in the proposal where extra annotations are suggested to effect various provenance properties (e.g., the ability to write word-level memcpy), and offhand, it looks like the byte proposal would be a viable vehicle for those extra annotations, although I’m not entirely persuaded that it’s the best vehicle.</p>
</blockquote></div>
<div style="white-space:normal">
<p dir="auto">To be clear, while that TR represents enormous progress (and I agree that we should be closely following that discussion), it openly acknowledges that it doesn’t know how representation copies are supposed to work. It’s clear that library calls like <code>memcpy</code> are supposed to preserve provenance exactly (rather than doing the more conservative thing that round-tripping through an integer requiring), but code that simply does the same thing inline needs to have the same effect, and nobody knows how that’s supposed to happen if integers don’t carry provenance.</p>
<p dir="auto">John.</p>
</div>
<div style="white-space:normal"><blockquote style="border-left:2px solid #3983C4; color:#3983C4; margin:0 0 5px; padding-left:5px"><p dir="auto">From: llvm-dev <llvm-dev-bounces@lists.llvm.org> On Behalf Of John McCall via llvm-dev<br>
Sent: Monday, June 14, 2021 12:08<br>
To: Ralf Jung <jung@mpi-sws.org><br>
Cc: llvm-dev@lists.llvm.org; cfe-dev@lists.llvm.org<br>
Subject: Re: [llvm-dev] [RFC] Introducing a byte type to LLVM<br>
<br>
<br>
On 14 Jun 2021, at 7:04, Ralf Jung wrote:<br>
<br>
Hi,<br>
<br>
I don't dispute that but I am still not understanding the need for bytes. None of the examples I have seen so far<br>
clearly made the point that it is the byte types that provide a substantial benefit. The AA example below does neither.<br>
<br>
I hope <<a href="https://lists.llvm.org/pipermail/llvm-dev/2021-June/151110.html">https://lists.llvm.org/pipermail/llvm-dev/2021-June/151110.html</a>> makes a convincing case that under the current semantics, when one does an "i64" load of a value that was stored at pointer type, we have to say that this load returns poison. In particular, saying that this implicitly performs a "ptrtoint" is inconsistent with optimizations that are probably too important to be changed to accommodate this implicit "ptrtoint".<br>
<br>
I think it is fact rather obvious that, if this optimization as currently written is indeed in conflict with the current semantics, it is the optimization that will have to give. If the optimization is too important for performance to give up entirely, we will simply have to find some more restricted pattern that wee can still soundly optimize.<br>
<br>
That is certainly a reasonable approach.<br>
However, judging from how reluctant LLVM is to remove optimizations that are much more convincingly wrong [1], my impression was that it is easier to complicate the semantics than to remove an optimization that LLVM already performs.<br>
<br>
[1]: <a href="https://bugs.llvm.org/show_bug.cgi?id=34548">https://bugs.llvm.org/show_bug.cgi?id=34548</a>,<br>
<a href="https://bugs.llvm.org/show_bug.cgi?id=35229">https://bugs.llvm.org/show_bug.cgi?id=35229</a>;<br>
see <a href="https://www.ralfj.de/blog/2020/12/14/provenance.html">https://www.ralfj.de/blog/2020/12/14/provenance.html</a> for a<br>
more detailed explanation<br>
<br>
Perhaps the clearest reason is that, if we did declare that integer types cannot carry pointers and so introduced byte types that could, C frontends would have to switch to byte types for their integer types, and so we would immediately lose this supposedly important optimization for C-like languages, and so, since optimizing C is very important, we would immediately need to find some restricted pattern under which we could soundly apply this optimization to byte types. That’s assuming that this optimization is actually significant, of course.<br>
<br>
At least C with strict aliasing enabled (i.e., standard C) only needs to use the byte type for "(un)signed char". The other integer types remain unaffected. There is no arithmetic on these types ("char + char" is subject to integer promotion), so the IR overhead would consist in a few "bytecast" instructions next to / replacing the existing sign extensions that convert "char" to "int" before performing the arithmetic.<br>
<br>
The semantics you seem to want are that LLVM’s integer types cannot carry information from pointers. But I can cast a pointer to an integer in C and vice-versa, and compilers have de facto defined the behavior of subsequent operations like breaking the integer up (and then putting it back together), adding numbers to it, and so on. So no, as a C compiler writer, I do not have a choice; I will have to use a type that can validly carry pointer information for integers in C.<br>
<br>
Since you seem to find this sort of thing compelling, please note that even a simple assignment like char c2 = c1 technically promotes through int in C, and so int must be able to carry pointer information if char can.<br>
<br>
John.</p>
</blockquote></div>
<div style="white-space:normal">
</div>
</div>
</body>
</html>