From: Martin Sebor <msebor@gmail.com>
To: Richard Biener <richard.guenther@gmail.com>
Cc: gcc-patches <gcc-patches@gcc.gnu.org>
Subject: Re: [WIP PATCH] add object access attributes (PR 83859)
Date: Mon, 30 Sep 2019 15:41:00 -0000
Message-ID: <1bcaafbf-5ad8-ae3a-2508-4722f01b294b@gmail.com>
In-Reply-To: <CAFiYyc1xqQmiLYzH-gTmjjt2JR4iXMVyqPSJGu76YznjfXM=6Q@mail.gmail.com>
On 9/30/19 1:37 AM, Richard Biener wrote:
> On Sun, Sep 29, 2019 at 9:52 PM Martin Sebor <msebor@gmail.com> wrote:
>>
>> -Wstringop-overflow detects a subset of past-the-end read and write
>> accesses by built-in functions such as memcpy and strcpy. It relies
>> on the functions' effects the knowledge of which is hardwired into
>> GCC. Although it's possible for users to create wrappers for their
>> own functions to detect similar problems, it's quite cumbersome and
>> so only lightly used outside system libraries like Glibc. Even Glibc
>> only checks for buffer overflow and not for reading past the end.
>>
>> PR 83859 asks to expose the same checking that GCC does natively for
>> built-in calls via a function attribute that associates a pointer
>> argument with the size argument, such as:
>>
>> __attribute__((buffer_size (1, 2))) void
>> f (char* dst, size_t dstsize);
>>
>> The attached patch is my initial stab at providing this feature by
>> introducing three new attributes:
>>
>> * read_only (ptr-argno, size-argno)
>> * write_only (ptr-argno, size-argno)
>> * read_write (ptr-argno, size-argno)
>>
>> As requested, the attributes associate a pointer parameter to
>> a function with a size parameter. In addition, they also specify
>> how the function accesses the object the pointer points to: either
>> it only reads from it, or it only writes to it, or it does both.
>>
>> Besides enabling the same buffer overflow detection as for built-in
>> string functions they also let GCC issue -Wuninitialized warnings
>> for uninitialized objects passed to read-only functions by reference,
>> and -Wunused-but-set warnings for objects passed to write-only
>> functions that are otherwise unused (PR 80806). The -Wuninitialized
>> part is done. The -Wunused-but-set detection is implemented only in
>> the C FE and not yet in C++.
>>
>> Besides the diagnostic improvements above the attributes also open
>> up optimization opportunities such as DCE. I'm still working on this
>> and so it's not yet part of the initial patch.
>
> There's the "fn spec" attribute which you can use for the optimization
> part. Note "fn spec" also likes to know whether the address of the
> argument escapes and whether the argument is only dereferenced
> directly or also indirectly (when passing a pointer to a struct is
> transitively reachable memory through the pointer accessed or not?).
Thanks, I'll look into those.
>
> So you should at least make sure to document the full
> semantics of your proposed read_only/write_only/read_write attributes.
>
> I guess that "read_only" means that direct accesses do not write
> but the attribute does not constrain indirect accesses?
Correct. Some other annotation is necessary to constrain those.
A read-only restrict-qualified pointer would do that. Because
the read-only attribute only applies to const pointers the only
purpose it serves in that combination is the association with
the size parameter. As in:

  __attribute__ ((read_only (2, 3))) void*
  memcpy (void* restrict, const void *restrict, size_t);

without the pointer-size association the above reduces to this:

  __attribute__ ((read_only)) void*
  memcpy (void* restrict, const void *restrict, size_t);

which should ultimately have the same effect as the plain

  void*
  memcpy (void* restrict, const void *restrict, size_t);

As a future extension (GCC 11 or beyond) I'd like to look into
allowing the read/write attributes on object and mainly subobject
declarations. There too, read-only should be paired with restrict
to express the same constraint.
> Note "fn spec" doesn't offer read/write constraints when not at the
> same time constraining escaping since when a pointer escapes
> through a call we cannot make any optimization for a positional
> read/write constraint since a function can access global memory
> (and all escaped pointed-to data ends up as "global memory").
> There's no way to tell (via "fn spec") that the function only accesses
> memory reachable via function arguments.
In my WIP patch I have a no_side_effect attribute that further
constrains what a function can do. It's just like pure except
that it lets the function access objects passed to it by reference.
>
> So I'm not sure there's a 1:1 mapping for your desired semantics
> to "fn spec" plus your desired semantics may offer no
> opportunity for optimization. Useful would be if read_only
> would map to "R" and read_write and write_only would map to "W".
I didn't know about the R and W fnspecs. Let me look into them
for GCC 11 to see if I can make use of them for the optimization.
Martin
>
> Richard.
>
>> I plan to finish the patch for GCC 10 but I don't expect to have
>> the time to start taking advantage of the attributes for optimization
>> until GCC 11.
>>
>> Besides regression testing on x86_64-linux, I also tested the patch
>> by compiling Binutils/GDB, Glibc, and the Linux kernel with it. It
>> found no new problems but caused a handful of -Wunused-but-set-variable
>> false positives due to an outstanding bug in the C front-end introduced
>> by the patch that I still need to fix.
>>
>> Martin
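An added example, not part of this thread or of the WIP patch, showing what the discussion above is aiming at: putting the same pointer/size contract GCC hardwires for memcpy and friends on ordinary user functions, so that -Wstringop-overflow and -Wuninitialized apply at their call sites. It assumes the attribute spelling `access (mode, ptr-argno, size-argno)` that released GCC 10 provides, on the assumption that the `read_only (2, 3)` style names quoted in the thread map onto it; the `ACCESS` macro, the two functions and the sample inputs are constructed for the example, and compilers without the attribute get an empty macro.

```c
/* Added example (not from the thread): declaring a caller-visible access
   contract on user functions, using the `access (mode, ptr-argno,
   size-argno)` attribute of GCC 10 (assumed equivalent to the WIP
   read_only/write_only spellings in the thread).  Non-GCC or older
   compilers see an empty macro and still compile the code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_attribute)
#  if __has_attribute(access)
#    define ACCESS(mode, ptr_argno, size_argno) \
       __attribute__((access(mode, ptr_argno, size_argno)))
#  endif
#endif
#ifndef ACCESS
#  define ACCESS(mode, ptr_argno, size_argno)   /* no-op fallback */
#endif

/* Contract: reads exactly len bytes through buf and writes nothing through
   it.  With the attribute, a caller that passes a buffer shorter than len
   gets -Wstringop-overflow, and one that passes an uninitialized buffer
   gets -Wuninitialized, just as for the built-in string functions. */
ACCESS(read_only, 1, 2)
unsigned sum_bytes(const unsigned char *buf, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* Contract: writes at most dstsize bytes through dst and reads at most
   srclen bytes through src.  The attribute only describes the contract to
   callers; the body must still enforce it, so the copy is bounded and the
   result is NUL-terminated whenever dstsize > 0.  Returns the number of
   payload bytes copied (0 when there is no room at all). */
ACCESS(write_only, 1, 2) ACCESS(read_only, 3, 4)
size_t copy_bounded(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dstsize == 0)
        return 0;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample inputs. */
    const unsigned char pkt[4] = { 1, 2, 3, 4 };
    char out[8];

    printf("sum = %u\n", sum_bytes(pkt, sizeof pkt));
    size_t n = copy_bounded(out, sizeof out, "hello, world", 12);
    printf("copied %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

The attribute changes nothing at run time: it is a statement about the callee that lets the compiler check callers statically (and, as the thread notes, potentially optimize), which is why the callee still has to bound its own accesses as copy_bounded does.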