<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hello all,</div><div><br></div><div>The problem with defining all attributes as yielding poison is that, certain attributes are not meaningful to yield poison or only meaningful when it is conveyed with not_poison.<br></div><div>If a dereferenceable argument can have poison, I don’t think the attribute will be useful by its alone because existing analyses cannot conclude that accessing the pointer is okay; To make the conclusion, it always has to be carried with not_poison. Forgetting not_poison check will lead to a bug.</div><div>Among other attributes, byval seems problematic to me.</div><div>The value pointed by a byval pointer is copied at a temporary space, and the temporary address is passed to the callee.</div><div>This means that byval argument should raise UB if it was not dereferenceable; `f(byval null);` raises segmentation fault even if the null pointer is not used inside f(). (<a href="https://godbolt.org/z/sNC_RF">https://godbolt.org/z/sNC_RF</a> ) So we cannot define it as f(poison).</div><div><br></div><div>If the semantics of attributes should be consistent, I suggest UB should be the one. not_poison will also raise UB if the input was poison, so it also satisfies the consistency as well.</div><div>The gep inbounds optimization should be fixed then. For dead argument elimination and function call hoisting, we should be able to drop relevant attributes.</div><div><br></div><div>Best regards,</div><div>Juneyoung Lee</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 20, 2020 at 10:52 AM Finkel, Hal J. <<a href="mailto:hfinkel@anl.gov">hfinkel@anl.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Two thoughts:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
1. I think that we should aim for regularity, to the extent possible, and so we should treat nonnull, align, etc. similarly w.r.t. to whether they produce poison or UB.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
2. I was thinking about the following last night, and it clarified for me why having an not_poison attribute makes sense and seems useful, and how poison/UB might affect things on a function-call boundary itself. Imagine that we had a fastcc lowering strategy
that took a pointer argument with an alignment attribute, followed by a suitably-small integer argument, and implemented a calling convention that passed both in the same register. If the pointer value might be poison, and thus violate the alignment attribute
(or might violate the alignment attribute otherwise and produce poison), then we can't implement this just by anding together the two values (to pass them in the one register). We need to mask off the low bits first. If the value can't be or generate poison,
and violating the alignment constraint produces UB, then the masking is not needed and we can just and together the two values (confident that the low bits will always be zero).</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
-Hal </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="gmail-m_1175924782087085044Signature">
<div><font size="2"><span style="font-size:10pt">
<div>Hal Finkel<br>
Lead, Compiler Technology and Programming Languages<br>
Leadership Computing Facility<br>
Argonne National Laboratory</div>
</span></font></div>
<div>
<div id="gmail-m_1175924782087085044appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_1175924782087085044divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> llvm-dev <<a href="mailto:llvm-dev-bounces@lists.llvm.org" target="_blank">llvm-dev-bounces@lists.llvm.org</a>> on behalf of Finkel, Hal J. via llvm-dev <<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>><br>
<b>Sent:</b> Wednesday, February 19, 2020 2:29 AM<br>
<b>To:</b> Doerfert, Johannes <<a href="mailto:johannesdoerfert@gmail.com" target="_blank">johannesdoerfert@gmail.com</a>>; Juneyoung Lee <<a href="mailto:juneyoung.lee@sf.snu.ac.kr" target="_blank">juneyoung.lee@sf.snu.ac.kr</a>><br>
<b>Cc:</b> llvm-dev <<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>>; Nuno Lopes <<a href="mailto:nuno.lopes@ist.utl.pt" target="_blank">nuno.lopes@ist.utl.pt</a>>; John Regehr <<a href="mailto:regehr@cs.utah.edu" target="_blank">regehr@cs.utah.edu</a>><br>
<b>Subject:</b> Re: [llvm-dev] The semantics of nonnull attribute</font>
<div> </div>
</div>
<div>
<div>On 2/19/20 1:16 AM, Doerfert, Johannes via llvm-dev wrote:<br>
</div>
<blockquote type="cite">
<pre>On 02/19, Juneyoung Lee via llvm-dev wrote:
</pre>
<blockquote type="cite">
<pre>Hello,
</pre>
<blockquote type="cite">
<pre> Would it be correct to resolve this by saying that dereferenceable(N)
*implies* not_poison? This would be helpful as a clarification of how
it all fits together.
</pre>
</blockquote>
<pre>Yes, I think it makes sense.
</pre>
</blockquote>
<pre>I don't we should do that.
Take the `gep inbounds` example:
char* foo(char *arg) {
return `gep inbounds %arg, -100`
}
Here it depends if we want to deduce the output is dereferenceable(100)
or not. If we do, we need dereferenceable to mean poison if violated, as
with nonnull, because it is derived from poison. Only if we don't derive
dereferenceable for the return value we can go for dereferenceable
violations are UB.</pre>
</blockquote>
<p><br>
</p>
<p>Can you please clarify what it means for the output of dereferenceable to be poison? If we tag a memory address as dereferenceable, is the optimizer free to insert a load of the address immediately following that? Or we need to see some other access (prior
to any thread synchronization?) to say that's valid?</p>
<p>Thanks again,</p>
<p>Hal<br>
</p>
<p><br>
</p>
<blockquote type="cite">
<pre>In the end, I think, it boils down to the question if there are
situations where violation of some attributes should be poison and
violation of others should be UB. If such situations exists it is
unclear to me what makes the UB/poison ones special.
</pre>
<blockquote type="cite">
<pre>On Wed, Feb 19, 2020 at 12:14 PM Nicolai Hähnle <a href="mailto:nhaehnle@gmail.com" target="_blank"><nhaehnle@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre>On Wed, Feb 19, 2020 at 3:51 AM Juneyoung Lee via llvm-dev
<a href="mailto:llvm-dev@lists.llvm.org" target="_blank"><llvm-dev@lists.llvm.org></a> wrote:
</pre>
<blockquote type="cite">
<pre>I think not_poison (Johannes's used keyword) makes sense. We can
</pre>
</blockquote>
<pre>simulate the original UB semantics by simply attaching it, as explained.
</pre>
<blockquote type="cite">
<pre>For the attributes other than nonnull, we may need more discussion;
</pre>
</blockquote>
<pre>align attribute seems to be okay with defining it as poison,
dereferenceable may need UB even without nonnull (because it needs to be
non-poison as shown Nuno's hoisting example).
For reference, the hoisting example was:
f(dereferenceable(4) %p) {
loop() {
%v = load %p
use(%v)
}
}
=>
f(dereferenceable(4) %p) {
%v = load %p
loop() {
use(%v)
}
}
Would it be correct to resolve this by saying that dereferenceable(N)
*implies* not_poison? This would be helpful as a clarification of how
it all fits together.
Cheers,
Nicolai
</pre>
</blockquote>
<pre>--
Juneyoung Lee
Software Foundation Lab, Seoul National University
</pre>
</blockquote>
<pre></pre>
<blockquote type="cite">
<pre>_______________________________________________
LLVM Developers mailing list
<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a>
</pre>
</blockquote>
<pre></pre>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
LLVM Developers mailing list
<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a>
</pre>
</blockquote>
<p><br>
</p>
</div>
</div>
</div>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><br></div><font size="1">Juneyoung Lee</font><div><font size="1">Software Foundation Lab, Seoul National University</font></div></div></div></div>