[llvm-dev] Possible soundness issue with available_externally (split from "RFC: Add guard intrinsics")

James Y Knight via llvm-dev llvm-dev at lists.llvm.org
Thu Feb 25 11:41:43 PST 2016


While we're talking about this, I'd just mention again that the same issue
arises for *normal* functions too, when linked into a shared library:
   int foo() { return 1; }
   int bar() { return foo(); }

Now, compare:
  clang -fPIC -O1 -S -o - test.c
  gcc -fPIC -O1 -S -o - test.c

GCC will refuse to inline foo into bar, or use any information about foo in
compiling bar, because foo is exported in the dynamic symbol table, and
thus replaceable via symbol interposition.

Clang assumes that you won't do that, or that you don't care what happens
if you do. It will happily inline. And, in absence of inlining (e.g. if foo
is too long to inline), clang will deduce function attributes about foo and
rely on those in bar -- despite that the call goes through the PLT and
could in fact be an entirely different unrelated implementation (or, for
that matter, a differently-optimized version of the same implementation).

Is that *really* okay?


On Wed, Feb 24, 2016 at 6:57 PM, Sanjoy Das via llvm-dev <
llvm-dev at lists.llvm.org> wrote:

> Hi all,
>
> This is something that came up in the "RFC: Add guard intrinsics to
> LLVM" thread; and while I'm not exactly blocked on this, figuring out
> a path forward here will be helpful in deciding if we can use the
> available_externally linkage type to express certain semantic
> properties guard intrinsics will have.
>
> Let's start with an example that shows that we have a problem (direct
> copy/paste from the guard intrinsics thread). Say we have:
>
> ```
> void foo() available_externally {
>   %t0 = load atomic %ptr
>   %t1 = load atomic %ptr
>   if (%t0 != %t1) print("X");
> }
> void main() {
>   foo();
>   print("Y");
> }
> ```
>
> The possible behaviors of the above program are {print("X"),
> print("Y")} or {print("Y")}.  But if we run opt then we have
>
> ```
> void foo() available_externally readnone nounwind {
>   ;; After CSE'ing the two loads and folding the condition
> }
> void main() {
>   foo();
>   print("Y");
> }
> ```
>
> and some generic reordering
>
> ```
> void foo() available_externally readnone nounwind {
>   ;; After CSE'ing the two loads and folding the condition
> }
> void main() {
>   print("Y");
>   foo();  // legal since we're moving a readnone nounwind function that
>           // was guaranteed to execute (hence can't have UB)
> }
> ```
>
> If we do not inline @foo(), and instead re-link the call site in @main
> to some non-optimized copy (or differently optimized copy) of @foo,
> then it is possible for the program to have the behavior {print("Y");
> print("X")}, which was disallowed in the earlier program.
>
> In other words, opt refined the semantics of @foo() (i.e. reduced the
> set of behaviors it may have) in ways that would make later
> optimizations invalid if we de-refine the implementation of @foo().
>
> The above example is clearly fabricated, but such cases can come up
> even if everything is optimized to the same level.  E.g. one of the
> atomic loads in the unrefined implementation of @foo() could have been
> hidden behind a function call, whose body existed in only one module.
> That module would then be able to refine @foo() to `ret void` but
> other modules won't.
>
> The only solution I can think of is to redefine available_externally
> to mean "the only kind of IPO/IPA you can do over a call to this
> function is to inline it".  Redefining available_externally this way
> will also let us soundly use it to represent calls to functions that
> have guard intrinsics, since a failed guard intrinsic basically
> replaces the function with a "very de-refined" implementation (the
> interpreter).
>
> What do you think?  I don't think implementing the above will be
> very difficult, but needless to say, it will still be a fairly
> non-trivial semantic change (hence I'm not directly jumping to
> implementation).
>
>
> -- Sanjoy