[llvm-dev] Confusions around nocapture and sret
David Chisnall via llvm-dev
llvm-dev at lists.llvm.org
Mon Feb 22 01:50:52 PST 2021
On 21/02/2021 18:39, Johannes Doerfert via llvm-dev wrote:
> I strongly suggest to emit nocapture with sret in the frontend
> instead.
I don't think that is actually feasible. For example, consider this C++
file:
```c++
#include <set>
struct Example;
std::set<Example*> live_examples;
struct Example {
Example()
{
live_examples.insert(this);
}
~Example()
{
live_examples.erase(live_examples.find(this));
}
};
Example somefn()
{
Example e;
return e;
}
```
In this example, guaranteed copy elision means that somefn allocates `e`
in the space provided for it in the caller, calling the constructor,
which then captures the value. In the generated IR, the space for `e`
has the `sret` attribute but it is definitely not nocapture.
You can also trigger this in C, though in the C case it is undefined
behaviour. Consider this example:
```c
struct Foo
{
int a[5];
};
int x(struct Foo *);
struct Foo f(void)
{
struct Foo foo;
x(&foo);
return foo;
}
```
The source-language semantics guarantee that no pointers to `foo`
outlive the invocation of `f`, which implies that `x` must not capture
the argument. The optimisers take advantage of the fact that it would
be UB to compare the address of foo after the end of `f` to any other
allocation and we end up generating this IR after optimisation, eliding
the copy:
```
; Function Attrs: nounwind uwtable
define dso_local void @f(%struct.Foo* noalias sret(%struct.Foo) align 4
%0) local_unnamed_addr #0 {
%2 = tail call i32 @x(%struct.Foo* %0) #2
ret void
}
```
Nothing in the IR says that `x`'s argument is nocapture. Whether this
is permitted depends on what we want nocapture to mean. There are two
possible interpretations:
- The callee does not capture the argument, if the callee does capture
the argument then the IR is ill-formed and we have a compiler bug.
- The caller is free to assume that the callee does not capture the
argument, if the callee does capture the argument then it is UB.
The former allows the absence of nocapture to be interpreted as 'we
can't statically prove that the argument is not captured'. This is very
useful for memory-safety work, because it allows us to trust `nocapture`
as a security property: we can emit any further analysis.
The latter allows optimisations to be more aggressive but will sometimes
generate more surprising code for users and may break some security
properties if security-related transforms depend on this information.
My personal bias is towards the former: we would like to be able to use
`nocapture` in stack temporal safety work as a strong guarantee. As
such, the front end could not insert it because transforms may later
insert a capture. Alternatively, the module verifier should be updated
to ensure that a nocapture argument is not passed to any other function
except via a nocapture argument.
David
More information about the llvm-dev
mailing list