<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 31, 2015 at 11:40 AM, Duncan P. N. Exon Smith <span dir="ltr"><<a href="mailto:dexonsmith@apple.com" target="_blank">dexonsmith@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
> On 2015-Aug-31, at 10:42, Reid Kleckner <<a href="mailto:rnk@google.com">rnk@google.com</a>> wrote:<br>
><br>
> On Mon, Aug 31, 2015 at 10:12 AM, Rafael Espíndola <<a href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>> wrote:<br>
><br>
> > Not sure I follow? Generally LTO inputs are going to be "user provided" (in the sense that they're not produced immediately prior by the same process - or you'd have just produced a single Module in the first place, I would imagine) so changing the default still seems problematic in the sense of allowing 'unbounded' input without verification...<br>
><br>
> The common case is for the bitcode to be generated by a paired clang. Even when it is an old bitcode compiled module, the Module itself is created by the bitcode reader.<br>
><br>
> Sure, but it is not uncommon to LTO with old bitcode. We all know it's pretty easy to crash LLVM with bad bitcode or bad IR. These interfaces are not thoroughly tested.<br>
><br>
> I think verifying the result of the bitcode reader by default during LTO is probably the right thing for the foreseeable future. It's the only thing that has any hope of telling the user something useful when things go wrong.<br>
><br>
> I'd like it if we spent a little effort understanding why it's slow before flipping it off. Maybe the verifier is running multiple times, instead of after deserialization. We shouldn't need that in release builds.<br>
<br>
</div></div>LTO runs the verifier three times:<br>
<br>
1. On each input module after it's parsed from bitcode.<br>
2. At the beginning of the optimization pipeline (post lib/Linker).<br>
3. At the end of the optimization pipeline.<br>
<br>
If we're worried about user input, then I agree we should still run it<br>
at (1). But I don't think we need to run it at (2) and (3). Maybe we<br>
agree on this?<br></blockquote><div><br></div><div>I would agree on that.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Someone asked elsewhere in the thread about numbers: I had a look at a<br>
CPU profile (for linking verify-uselistorder with debug info). For<br>
this (not-necessarily-representative) sample, (1) takes 1.6% of ld64<br>
runtime, and (2) and (3) combined take 3.2% of ld64 runtime. Total of<br>
4.8%.</blockquote></div><br></div></div>