[llvm-dev] Possible soundness issue with available_externally (split from "RFC: Add guard intrinsics")

Fri Feb 26 19:01:48 PST 2016

I think this will have a much higher cost than my proposal to constrain how
we deduce function attributes (which still fixes Sanjoy's latest example).

Specifically, I think this will force us to constrain far too many
transformations for the sake of code size in functions that we won't
inline. Even if we were never going to deduce function attributes for
anything in the function (because its big and reads and writes everything),
we'll still have to constrain our transformations just because we *might*
later deduce a function attribute that triggers these kinds of bugs.

Essentially, you're proposing to limit intraprocedural optimization to when
we can successfully to interprocedural optimization ("privatization"),
where I'm suggesting we limit interprocedural optimization to leave
intraprocedural optimization unconstrained. Given the ratio of our
optimizations (almost all are intra, very few are inter), I'm much more
comfortable with the latter.

On Fri, Feb 26, 2016 at 6:10 PM Hal Finkel <hfinkel at anl.gov> wrote:

> Hi Sanjoy,
>
> These are both very interesting examples, and demonstrate that the
> problems extends beyond function attributes (encompassing dead-argument
> elimination, etc.).
>
> I'm beginning to think that the best solution, at least when optimizing
> for speed, is the one that David Li suggested: we need to internalize
> functions that have been optimized in certain ways (e.g. instructions with
> potential side effects are removed). The trick here may be to be as
> intelligent about this as possible to minimize the effect on code size.
> Maybe this is as easy as checking whether isSafeToSpeculativelyExecute
> returns false on the deleted instruction? Perhaps when optimizing for size,
> we need to forbid such deletions.
>
> Thanks again,
> Hal
>
> ----- Original Message -----
> > From: "Sanjoy Das" <sanjoy at playingwithpointers.com>
> > To: "Hal Finkel" <hfinkel at anl.gov>
> > Cc: "Chandler Carruth" <chandlerc at google.com>, "llvm-dev" <
> llvm-dev at lists.llvm.org>, "Philip Reames"
> > <listmail at philipreames.com>, "Duncan P. N. Exon Smith" <
> dexonsmith at apple.com>
> > Sent: Thursday, February 25, 2016 11:59:27 AM
> > Subject: Re: [llvm-dev] Possible soundness issue with
> available_externally (split from "RFC: Add guard intrinsics")
> >
> > Couple of other examples:
> >
> >   void @foo(i32* %ptr) available_externally {
> >     %discard = load i32, i32* %ptr
> >   }
> >   void bar() {
> >     call @foo(i32* %x)
> >   }
> >
> > ==>
> >
> >   void @foo(i32* %ptr) available_externally {
> >   }
> >   void bar() {
> >     call @foo(i32* %x)
> >   }
> >
> > ==>
> >
> >   void @foo(i32* %ptr) available_externally {
> >   }
> >   void bar() {
> >     call @foo(i32* undef) ;; non optimized @foo will crash
> >   }
> >
> >   ;; Similar example if @foo was dividing something by an integer
> >   ;; argument
> >
> > We've actually seen the above in our VM (though back then we
> > didn't realize that the problem was more general than the one
> > case above).
> >
> > Another one involving `undef` (semantically same as "folding undef",
> > but different enough to state separately):
> >
> >   void @foo(i32* %ptr) available_externally {
> >     store i32 undef, i32* %ptr
> >   }
> >   void bar() {
> >     %val = load i32, i32* %x
> >     call @foo(i32* %x)
> >   }
> >
> > ==>
> >
> >   void @foo(i32* %ptr) readonly available_externally {
> >   }
> >   void bar() {
> >     %val = load i32, i32* %x
> >     call @foo(i32* %x)
> >   }
> >
> > ==>
> >
> >   void @foo(i32* %ptr) readonly available_externally {
> >   }
> >   void bar() {
> >     call @foo(i32* %x)
> >     %val = load i32, i32* %x
> >   }
> >
> > With a non-optimized @foo, %val can be garbage.
> >
> >
> > I'll also note we've not really had bug reports (that I'm aware of)
> > around this issue.  Given that, it is possible that this is a purely
> > theoretical problem.
> >
> > -- Sanjoy
> >
>
> --
> Hal Finkel
> Assistant Computational Scientist
> Leadership Computing Facility
> Argonne National Laboratory
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20160227/cd788364/attachment.html>