<div class="gmail_quote">On Tue, May 15, 2012 at 3:01 PM, Eli Friedman <span dir="ltr"><<a href="mailto:eli.friedman@gmail.com" target="_blank">eli.friedman@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, May 15, 2012 at 1:53 PM, Benjamin Kramer<br>
<div><div class="h5"><<a href="mailto:benny.kra@googlemail.com">benny.kra@googlemail.com</a>> wrote:<br>
><br>
> On 15.05.2012, at 22:31, Eli Friedman wrote:<br>
><br>
>> On Tue, May 15, 2012 at 12:10 PM, Benjamin Kramer<br>
>> <<a href="mailto:benny.kra@googlemail.com">benny.kra@googlemail.com</a>> wrote:<br>
>>><br>
>>> On 15.05.2012, at 20:47, Eli Friedman wrote:<br>
>>><br>
>>>> On Tue, May 15, 2012 at 11:03 AM, Chandler Carruth <<a href="mailto:chandlerc@google.com">chandlerc@google.com</a>> wrote:<br>
>>>>> On Tue, May 15, 2012 at 11:36 AM, Eli Friedman <<a href="mailto:eli.friedman@gmail.com">eli.friedman@gmail.com</a>><br>
>>>>> wrote:<br>
>>>>>><br>
>>>>>> On Tue, May 15, 2012 at 10:03 AM, Benjamin Kramer<br>
>>>>>> <<a href="mailto:benny.kra@googlemail.com">benny.kra@googlemail.com</a>> wrote:<br>
>>>>>>><br>
>>>>>>> On 15.05.2012, at 18:16, Chandler Carruth wrote:<br>
>>>>>>><br>
>>>>>>>> On Tue, May 15, 2012 at 9:08 AM, Benjamin Kramer<br>
>>>>>>>> <<a href="mailto:benny.kra@googlemail.com">benny.kra@googlemail.com</a>> wrote:<br>
>>>>>>>> This will be used to implement __builtin_va_arg_pack[len] in clang<br>
>>>>>>>> (PR7219).<br>
>>>>>>>><br>
>>>>>>>> Awesome, thanks for working on this...<br>
>>>>>>>><br>
>>>>>>>> Since this is used to model a pretty crazy gcc extension (used by<br>
>>>>>>>> glibc) we have<br>
>>>>>>>> to expand the intrinsics in the inliner. When it replaces a vararg call<br>
>>>>>>>> site with<br>
>>>>>>>> a copy of the function another pass over all instructions is performed<br>
>>>>>>>> which<br>
>>>>>>>> replaces any pack intrinsics with the values from the call site. There<br>
>>>>>>>> are some<br>
>>>>>>>> rather narrow requirements where the intrinsics can occur, documented<br>
>>>>>>>> in LangRef<br>
>>>>>>>> and enforced by the verifier.<br>
>>>>>>>><br>
>>>>>>>> This patch has two other side effects:<br>
>>>>>>>> - DAE is not allowed to remove varargs if a va_pack intrinsic is used.<br>
>>>>>>>> - Inliner can now inline vararg functions iff they don't use va_start.<br>
>>>>>>>> This can<br>
>>>>>>>> happen if DAE doesn't remove the varargs because there is a va_pack<br>
>>>>>>>> intrinsic<br>
>>>>>>>> or if the AlwaysInliner tries to inline the function.<br>
>>>>>>>><br>
>>>>>>>><br>
>>>>>>>> I'm pretty OK wit this strategy. It actually has some other interesting<br>
>>>>>>>> artifacts I'd like to explore later. Specifically, I think we can generalize<br>
>>>>>>>> this to allow inlining of varargs functions when the va_start is in dead<br>
>>>>>>>> code...<br>
>>>>>><br>
>>>>>> I'm actually mildly concerned about this strategy: the LLVM IR inliner<br>
>>>>>> can't actually reason correctly about the ABI rules for a varargs<br>
>>>>>> call, and will therefore screw up if you try to pass anything<br>
>>>>>> complicated (_Complex, structs) through the varargs list. This might<br>
>>>>>> not matter in practice if it isn't used for anything other than the<br>
>>>>>> printf and scanf families of functions, but it's still worth thinking<br>
>>>>>> about.<br>
>>>>><br>
>>>>><br>
>>>>> I share your concerns here regarding the pack and pack_len builtins...<br>
>>>>> However, I think in the extremely limited context they are used, this is<br>
>>>>> safe.<br>
>>>>><br>
>>>>> The idea is that these builtins can only be used inside of some other vararg<br>
>>>>> function, and the only arguments we move from the outer call to the inner<br>
>>>>> are ones that would already have gone through Clang's vararg lowering. The<br>
>>>>> goal seems specifically to re-use the way that the outer call is lowered<br>
>>>>> when setting up the inlined inner call.<br>
>>>>><br>
>>>>> I've been trying to think of a construct that breaks this, but so far I<br>
>>>>> can't come up with any...<br>
>>>><br>
>>>> Consider the following on x86-64:<br>
>>>> void f(int x, int y, ...);<br>
>>>> struct A { long long x,y; };<br>
>>>> void g(int a, int b, int c, int d, ...) {<br>
>>>> //f(a,b,__builtin_va_pack());<br>
>>>> f(a,b,(struct A){},(struct A){});<br>
>>>> }<br>
>>>> void h() {<br>
>>>> struct A x;<br>
>>>> g(0,0,0,0,x,x);<br>
>>>> }<br>
>>><br>
>>> This is pretty insane and I'm afraid there is no solution without putting an inliner into clang :(<br>
>>><br>
>>> Are you okay with "Passing aggregate types to a function using llvm.va_pack is undefined behavior." in the LangRef?<br>
>><br>
>> It's "anything which doesn't map to a single LLVM scalar type". I<br>
><br>
> ok<br>
><br>
>> really have two concerns here: one, we don't want to silently<br>
>> miscompile code, and two, we need to make sure this limitation doesn't<br>
>> actually bite in the cases we care about.<br>
><br>
> We can't rule out miscompiling code as the information what's passed to<br>
> the function is lost at the IR level. I'm only aware of one (sadly high-profile)<br>
> user of __builtin_va_arg_pack, glibc. It uses it to wrap certain functions<br>
> like printf, open or syslog, which should be safe.<br>
<br>
</div></div>If someone generates the IR intrinsic, fine, they should know what<br>
they're doing. I'm more worried about the clang side.</blockquote><div><br></div><div>Should we check this in, and start working on the Clang side, or do we need to get a Clang patch in place and make sure we can reject the dangerous constructs first?</div>
<div><br></div><div>Or, are you indicating you think we *need* to do the inlining in Clang to make this work at all? In discussing this on IRC, it doesn't seem likely that there will be any arguments passed to these functions which are actually risky here, so my goal is just to teach clang to plunder all the callers and reject the whole thing if we see anything that can't be handled. </div>
</div>