Re: [patch][version 6] add -ftrivial-auto-var-init and variable attribute "uninitialized" to gcc

[Qing Zhao <qing.zhao@oracle.com>]

Hi, Richard,

Thanks a lot for you review.

Although these comments are not made on the latest patch (7th version) :-), all the comments are valid since the parts you commented
are not changed in the 7th version.


> On Aug 9, 2021, at 9:09 AM, Richard Biener <rguenther@suse.de> wrote:
> 
> On Tue, 27 Jul 2021, Qing Zhao wrote:
> 
>> Hi,
>> 
>> This is the 6th version of the patch for the new security feature for GCC.
>> 
>> I have tested it with bootstrap on both x86 and aarch64, regression testing on both x86 and aarch64.
>> Also compile CPU2017 (running is ongoing), without any issue. (With the fix to bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101586).
>> 
>> Please take a look and let me know any issue.
> 
> +/* Handle an "uninitialized" attribute; arguments as in
> +   struct attribute_spec.handler.  */
> +
> +static tree
> +handle_uninitialized_attribute (tree *node, tree name, tree ARG_UNUSED 
> (args),
> +                               int ARG_UNUSED (flags), bool 
> *no_add_attrs)
> +{
> +  if (!VAR_P (*node))
> +    {
> +      warning (OPT_Wattributes, "%qE attribute ignored", name);
> +      *no_add_attrs = true;
> +    }
> 
> you are documenting this attribute for automatic variables but
> here you allow placement on globals as well (not sure if at this
> point TREE_STATIC / DECL_EXTERNAL are set correctly).

Right, I should warn when the attribute is placed for globals or static variables. 
I will try TREE_STATIC/DECL_EXTERNAL to see whether it’s work or not.

> 
> +  /* for languages that do not support BUILT_IN_CLEAR_PADDING, create the
> +     function node for padding initialization.  */
> +  if (!fn)
> +    {
> +      tree ftype = build_function_type_list (void_type_node,
> +                                            ptr_type_node,
> 
> the "appropriate" place to do this would be 
> tree.c:build_common_builtin_nodes

Sure, will move the creation of  function node of BUILT_IN_CLEAR_PADDING for Fortran etc. to tree.c:build_common_builtin_nodes.

> 
> You seem to marshall the is_vla argument as for_auto_init when
> expanding/folding the builtin and there it's used to suppress
> diagnostics (and make covered pieces not initialized?).

Yes, I added an extra argument “for_auto_init” for “BUILT_IN_CLEAR_PADDING”, this argument is added to suppress errors emitted during folding
BUILT_IN_CLEAR_PADDING for flexible array member . Such errors should Not be emitted when “BUILT_IN_CLEAR_PADDING” is called with compiler automatic initialization.
Please see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101586, comment #6 from Jakub Jelinek.

>  I suggest
> to re-name is_vla/for_auto_init to something more descriptive.

Okay, I will. 
> 
> +   gimple_fold_builtin_clear_padding. If FOR_AUTO_INIT,
> +   not emit some of the error messages since doing that
> +   might confuse the end user.  */
> 
> doesn't explain to me whether errors still might be raised or
> what the actual behavior is.

Okay, will make this more clear in the comments.

> 
> +static gimple *
> +build_deferred_init (tree decl,
> +                    enum auto_init_type init_type,
> +                    bool is_vla)
> +{
> +  gcc_assert ((is_vla && TREE_CODE (decl) == WITH_SIZE_EXPR)
> +             || (!is_vla && TREE_CODE (decl) != WITH_SIZE_EXPR));
> 
> so the is_vla parameter looks redundant (and the assert dangerous?).
> Either the caller knows it deals with a VLA, then that should be
> passed through - constant sizes can also later appear during
> optimization after all - or is_vla should be determined here
> based on whether the size at gimplification time is constant.

The routine “build_deferred_init” is ONLY called during gimplification phase by the routine “gimple_add_init_for_auto_var", at this place,
Is_vla should be determined by the caller to check the size of the DECL. If it’s a vla, the “maybe_with_size_expr” will be applied for
DECL to make it to a WITH_SIZE_EXPR.  So, the assertion is purely to make sure this at gimplification phase.

Yes, the size of the VLA decl might become a constant later due to constant propagation, etc.  but during the gimplification phase, the assertion should be true.
> 
> +         /* If the user requests to initialize automatic variables, we
> +            should initialize paddings inside the variable. Add a call to
> +            __BUILTIN_CLEAR_PADDING (&object, 0, for_auto_init = true) to
> +            initialize paddings of object always to zero regardless of
> +            INIT_TYPE.  */
> +         if (opt_for_fn (current_function_decl, flag_auto_var_init)
> +               > AUTO_INIT_UNINITIALIZED
> +             && VAR_P (object)
> +             && !DECL_EXTERNAL (object)
> +             && !TREE_STATIC (object))
> +           gimple_add_padding_init_for_auto_var (object, false, pre_p);
> +         return ret;
> 
> I think you want to use either auto_var_p (object) or
> auto_var_in_fn_p (object, current_function_decl).  Don't you also
> want to check for the 'uninitialized' attribute here?  I suggest
> to abstract the check on whether 'object' should be subject
> to autoinit to a helper function.

Thanks for the suggestion, I will do this.


> 
> There's another path above this calling gimplify_init_constructor
> for the case of
> 
> const struct S x = { ... };
> struct S y = x;
> 
> where it will try to init 'y' from the CTOR directly, it seems you
> do not cover this case.

Yes, you are right, this case was not covered right now, and this should be covered.

Looks like that I need to move the “gimple_add_padding_init_for_auto_var” inside the routine “gimplify_init_constructor” to
Cover all the cases. 

>  I also think that the above place applies
> to all aggregate assignment statements, not only to INIT_EXPRs?

> So don't you want to restrict clear-padding emit here?

You are right, I might need to restrict it Only to INIT_EXPR. 
Will update.

> 
> +static void
> +expand_DEFERRED_INIT (internal_fn, gcall *stmt)
> +{
> +  tree var = gimple_call_lhs (stmt);
> +  tree size_of_var = gimple_call_arg (stmt, 0);
> +  tree vlaaddr = NULL_TREE;
> +  tree var_type = TREE_TYPE (var);
> +  bool is_vla = (bool) TREE_INT_CST_LOW (gimple_call_arg (stmt, 2));
> +  enum auto_init_type init_type
> +    = (enum auto_init_type) TREE_INT_CST_LOW (gimple_call_arg (stmt, 1));
> +
> +  gcc_assert (init_type > AUTO_INIT_UNINITIALIZED);
> +
> +  /* if this variable is a VLA, get its SIZE and ADDR first.  */
> +  if (is_vla)
> +    {
> +      /* The temporary address variable for this vla should have been
> +        created during gimplification phase.  Refer to gimplify_vla_decl
> +        for details.  */
> +      tree var_decl = (TREE_CODE (var) == SSA_NAME) ?
> +                      SSA_NAME_VAR (var) : var;
> +      gcc_assert (DECL_HAS_VALUE_EXPR_P (var_decl));
> +      gcc_assert (TREE_CODE (DECL_VALUE_EXPR (var_decl)) == 
> INDIRECT_REF);
> +      /* Get the address of this vla variable.  */
> +      vlaaddr = TREE_OPERAND (DECL_VALUE_EXPR (var_decl), 0);
> 
> err - isn't the address of the decl represented by the LHS 
> regardless whether this is a VLA or not?

The LHS of the call to .DEFERRED_INIT is the DECL itself whatever it’s a VLA or not. 

In order to create a memset call, we need the Address of this DECL as the first argument. 
If the DECL is not a VLA, we just simply apply “build_fold_addr_expr” on this DECL to get its address,
However, for VLA, during gimplification phase “gimplify_vla_decl”, we have already created a temporary
address variable for this DECL, and recorded this address variable with “DECL_VALUE_EXPR(DECL), 
We should use this already created address variable  for VLAs. 


>  Looking at DECL_VALUE_EXPR
> looks quite fragile since that's not sth data dependence honors.
> It looks you only partly gimplify the build init here?  All
> DECL_VALUE_EXPRs should have been resolved.

Don’t quite understand here. you mean that all the “DECL_VALUE_EXPRs” have been resolved at the phase RTL expansion,
So I cannot use this to get the address variable of the VLA?

(However, my unit testing cases for VLAs are all looks fine).

> 
> +  if (is_vla || (!use_register_for_decl (var)))
> ...
> +  else
> +    {
> +    /* If this variable is in a register, use expand_assignment might
> +       generate better code.  */
> 
> you compute the patter initializer even when not needing it,
> that's wasteful.

Okay, I will restrict the pattern initializer computation when really needed. 

>  It's also quite ugly, IMHO you should
> use can_native_interpret_type_p (var_type) and native_interpret
> a char [] array initialized to the pattern and if
> !can_native_interpret_type_p () go the memset route.

Thanks for the suggestion. 

Will try this. 

> 
> +  /* We will not verify the arguments for the calls to .DEFERRED_INIT.
> +     Such call is not a real call, just a placeholder for a later
> +     initialization during expand phase.
> +     This is mainly to avoid assertion failure for the following
> +     case:
> +
> +     uni_var = .DEFERRED_INIT (var_size, INIT_TYPE, is_vla);
> +     foo (&uni_var);
> +
> +     in the above, the uninitialized auto variable "uni_var" is
> +     addressable, therefore should not be in registers, resulting
> +     the assertion failure in the following argument verification.  */
> +  if (gimple_call_internal_p (stmt, IFN_DEFERRED_INIT))
> +    return false;
> +
>   /* ???  The C frontend passes unpromoted arguments in case it
>      didn't see a function declaration before the call.  So for now
>      leave the call arguments mostly unverified.  Once we gimplify
>      unit-at-a-time we have a chance to fix this.  */
> 
> -  for (i = 0; i < gimple_call_num_args (stmt); ++i)
> 
> isn't that from the time there was a decl argument to .DEFERRED_INIT?

You mean this issue is only there when the decl is the first argument (the old design for .DEFERRED_INIT).
With the new design, this issue is not there anymore?

> 
> +  if (gimple_call_internal_p (stmt, IFN_DEFERRED_INIT))
> +    {
> +      tree size_of_arg0 = gimple_call_arg (stmt, 0);
> +      tree size_of_lhs = TYPE_SIZE_UNIT (TREE_TYPE (lhs));
> +      tree is_vla_node = gimple_call_arg (stmt, 2);
> +      bool is_vla = (bool) TREE_INT_CST_LOW (is_vla_node);
> +
> +      if (TREE_CODE (lhs) == SSA_NAME)
> +       lhs = SSA_NAME_VAR (lhs);
> +
> 
> 'lhs' is not looked at after this, no need to look at SSA_NAME_VAR.

Okay, will update this.

> 
> 
> Thanks and sorry for the delay in reviewing this (again).

Thanks again for your detailed review and suggestions.

I will update the patch accordingly and send the updated patch soon.

Qing
> 
> Richard.
> 
> 
>> Thanks
>>