[Patch] Use uintptr_t instead of ptr comparisons in BumpPtrAllocator (Was: Re: [llvm] r215841 - BumpPtrAllocator: remove 'no slabs allocated yet' check)

Hans Wennborg hans at chromium.org
Wed Sep 3 09:36:30 PDT 2014 

On Wed, Sep 3, 2014 at 7:20 AM, Duncan P. N. Exon Smith
<dexonsmith at apple.com> wrote:
>
>> On 2014 Sep 2, at 21:34, Chandler Carruth <chandlerc at google.com> wrote:
>>
>>> On Tue, Sep 2, 2014 at 10:44 AM, Hans Wennborg <hans at chromium.org> wrote:
>>> I'm attaching a patch that should make this UB-proof. Let me know what
>>> you think.
>>
>> The reason I didn't suggest this originally is that it doesn't actually make anything UB-proof. You're still potentially walking a pointer far past the end of the allocated array and comparing it with a pointer one past the end of the array. You need to check every single time prior to adding that there is space within the allocated array.
>
> I think the attached/committed patch is an incremental improvement.
> The pointer isn't walking anywhere; all addition and comparison is
> done as `uintptr_t`.  So it removed the "common case" reliance on UB.
>
>> As an example of how I think this could fail, imagine that your system maps pointers to uintptr_t such that 'End' becomes std::numeric_limits<uintptr_t>::max() and either the aligning or the size addition wrap.
>
> Overflowing `uintptr_t` is the only UB left.  Is this a practical
> concern?  I assumed not, but maybe that was naive?
>
>> If you want to go this route, at least use intptr_t so we get a UBSan failure if this state ever arises. Better would be to just reformulate the entire thing in terms that are guaranteed to only use pointers within the allocated array.
>
> It should be sufficient to check that the final `uintptr_t` is `>=`
> the unmodified `Ptr` before converting back to `char*`.
>
> Reformulating might be better anyway, though.  I wouldn't mind
> something like this:
>
>     uintptr_t Adjustment = getAlignmentAdjustment(Ptr, Alignment);
>     assert(Adjustment + Size >= Size && "overflow");
>     if (Adjustment + Size <= uintptr_t(End - Ptr)) {
>       Ptr += Adjustment;
>
>       // allocate in current slab.
>       return;
>     }
>     // allocate in new slab.

I like this idea. How about the attached patch?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: allocator.patch
Type: application/octet-stream
Size: 3156 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20140903/f16ab3e5/attachment.obj>

More information about the llvm-commits mailing list