[PATCH] D81678: Introduce partialinit attribute at call sites for stricter poison analysis
Evgenii Stepanov via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Thu Jun 11 13:47:52 PDT 2020
eugenis added a comment.
In D81678#2088284 <https://reviews.llvm.org/D81678#2088284>, @efriedma wrote:
> I usually like to start reading this sort of patch with the proposed LangRef change, but I'm not seeing one.
>
> There are a couple of related issues here in the existing representation of IR:
>
> 1. The way that call argument coercion works is unsound in the presence of poison. An integer can't be partially poisoned: it's either poison, or not poison. We probably need to come up with some safer way to pass structs/unions.
> 2. We don't currently have a way for frontends to indicate that a value is guaranteed not to be poison, so we have to conservatively assume arguments might be poison. Whatever solution we come up with here should apply whether or not msan is enabled. An attribute like this will probably be useful for "freeze" optimizations.
>
> The partialinit attribute is, in some sense, backwards: the definition is essentially "an argument *not* marked partialinit must not contain any poison values". We usually try to avoid negative reasoning like this; I'm afraid it'll make transforms harder to reason about.
Yes, this is a bit awkward. There is a module flag "DisallowPoisonedCallArguments" that basically confirms that the frontend is aware of partialinit and any arguments not marked as such can be assumed strict (no-poison).

An alternative is to invert the meaning of the attribute and put it on all arguments that must not be poison. Those are a lot more common though.

The idea is that MSan can apply strict checking to arguments that are not "partialinit", and propagate the shadow to the callee for the rest.
Repository: rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D81678/new/
https://reviews.llvm.org/D81678