From: Jeff Law <law@redhat.com>
To: Martin Sebor <msebor@gmail.com>, gcc-patches <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] warn on returning alloca and VLA (PR 71924, 90549)
Date: Fri, 31 May 2019 15:50:00 -0000 [thread overview]
Message-ID: <66d21304-8dd3-cd97-5ee8-317413c45ffb@redhat.com> (raw)
In-Reply-To: <030f897f-a074-8319-96ae-c86e6c9a8551@gmail.com>
On 5/30/19 4:56 PM, Martin Sebor wrote:
> On 5/30/19 10:15 AM, Jeff Law wrote:
>> On 5/30/19 9:34 AM, Martin Sebor wrote:
>>
>>>>> If the alias oracle can be used to give the same results without
>>>>> excessive false positives then I think it would be fine to make
>>>>> use of it. Is that something you consider a prerequisite for
>>>>> this change or should I look into it as a followup?
>>>> I think we should explore it a bit before making a final decision. It
>>>> may guide us for other work in this space (like detecting escaping
>>>> locals).  I think a dirty prototype to see if it's even in the right
>>>> ballpark would make sense.
>>>
>>> Okay, let me look into it.
>> Sounds good. Again, go with a quick prototype to see if it's likely
>> feasible. The tests you've added should dramatically help evaluating if
>> the oracle is up to the task.
>
> So to expand on what I said on the phone when we spoke: the problem
> I quickly ran into with the prototype is that I wasn't able to find
> a way to identify pointers to alloca/VLA storage.
Your analysis matches my very quick read of the aliasing code. It may
be the case that the Steensgaard patent got in the way here.
>
> In the the points-to solution for the pointer being returned they
> both have the vars_contains_escaped_heap flag set. That seems like
> an omission that shouldn't be hard to fix, but on its own, I don't
> think it would be sufficient.
RIght. In theory the result of an alloca call shouldn't alias anything
in the heap -- but there were some implementations of alloca that were
built on top of malloc (ugh). That flag may be catering to that case.
But in the case of a __builtin_alloca that shouldn't apply. Hmm. That
ultimately might be a bug.
>
> In the IL a VLA is represented as a pointer to an array, but when
> returning a pointer into a VLA (at some offset so it's an SSA_NAME),
> the pointer's point-to solution doesn't include the VLA pointer or
> (AFAICS) make it possible to tell even that it is a VLA. For example
> here:
>
> Â f (int n)
> Â {
> Â Â Â int * p;
> Â Â Â int[0:D.1912] * a.1;
> Â Â Â sizetype _1;
> Â Â Â void * saved_stack.3_3;
> Â Â Â sizetype _6;
>
> Â Â Â <bb 2> [local count: 1073741824]:
> Â Â Â saved_stack.3_3 = __builtin_stack_save ();
> Â Â Â _1 = (sizetype) n_2(D);
> Â Â Â _6 = _1 * 4;
> Â Â Â a.1_8 = __builtin_alloca_with_align (_6, 32);
> Â Â Â p_9 = a.1_8 + _6;
> Â Â Â __builtin_stack_restore (saved_stack.3_3);
> Â Â Â return p_9;
> Â }
>
> p_9's solution's is:
>
> Â p_9, points-to vars: { D.1925 } (escaped, escaped heap)
>
> I couldn't find out how to determine that D.1925 is a VLA (or even
> what it is). It's not among the function's local variables that
> FOR_EACH_LOCAL_DECL iterates over.
It's possible that decl was created internally as part of the alias
oracle's analysis.
See make_heapvar in tree-ssa-structalias.c
>
> By replacing the VLA in the test case with a call to malloc I get
> this for the returned p_7:
>
> Â p_7, points-to NULL, points-to vars: { D.1916 } (escaped, escaped heap)
>
> Again, I see no way to quickly tell that this pointer points into
> the block returned from malloc.
If there's a way to make that determination it'd have to be on the
variable since the pt_solution flag bits don't carry a storage class
directly.
You might try to get a handle on those decls and dump them to see if
there's anything easily identifiable. But it may be easier to dig into
the code that creates them. A real quick scan of the aliasing code also
shows the "variable_info" structure. It's private to the aliasing code,
but might guide you at things to look at.
Regardless, I don't see an immediate path forward using the oracle to
identify objects in the stack for your patch. WHich is unfortunate.
Jeff
next prev parent reply other threads:[~2019-05-31 15:35 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-22 21:34 Martin Sebor
2019-05-29 18:08 ` Jeff Law
2019-05-30 14:58 ` Martin Sebor
2019-05-30 15:21 ` Jeff Law
2019-05-30 15:48 ` Martin Sebor
2019-05-30 16:20 ` Jeff Law
2019-05-30 17:27 ` Jason Merrill
2019-05-31 0:26 ` Jeff Law
2019-05-30 23:35 ` Martin Sebor
2019-05-31 15:50 ` Jeff Law [this message]
2019-06-03 9:37 ` Richard Biener
2019-06-03 11:28 ` Richard Biener
2019-06-04 11:45 ` Richard Biener
2019-06-03 17:24 ` Jeff Law
2019-05-31 21:19 ` Jeff Law
2019-06-03 23:24 ` Martin Sebor
2019-06-04 19:40 ` Martin Sebor
[not found] ` <224f8161-e370-bcbc-3ee6-5cff5835e016@redhat.com>
2019-06-19 3:19 ` Martin Sebor
2019-06-26 14:59 ` [PING] " Martin Sebor
2019-06-27 0:12 ` Jeff Law
2019-06-30 21:50 ` Martin Sebor
2019-07-02 20:59 ` Jeff Law
2019-07-11 6:45 ` Martin Sebor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=66d21304-8dd3-cd97-5ee8-317413c45ffb@redhat.com \
--to=law@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=msebor@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).