From: Richard Biener <richard.guenther@gmail.com>
To: Jakub Jelinek <jakub@redhat.com>
Cc: Qing Zhao <qing.zhao@oracle.com>,
	Joseph Myers <joseph@codesourcery.com>,
	 Siddhesh Poyarekar <siddhesh@gotplt.org>,
	Martin Uecker <uecker@tugraz.at>,
	 Kees Cook <keescook@chromium.org>,
	"isanbard@gmail.com" <isanbard@gmail.com>,
	 GCC Patches <gcc-patches@gcc.gnu.org>
Subject: Re: RFC: the proposal to resolve the missing dependency issue for counted_by attribute
Date: Thu, 2 Nov 2023 11:18:09 +0100
Message-ID: <CAFiYyc2dc-6bptHxCfouPA6=654CDWQAomtYr8axdC4Jh39DHg@mail.gmail.com>
In-Reply-To: <ZUNddpeV+jMY6STc@tucnak>

On Thu, Nov 2, 2023 at 9:27 AM Jakub Jelinek <jakub@redhat.com> wrote:
>
> On Thu, Nov 02, 2023 at 08:57:36AM +0100, Richard Biener wrote:
> > You probably want to specify that when a pointer to the array is taken the
> > pointer has to be to the first array element (or do we want to mangle the
> > 'size' accordingly for the instrumentation?).  You also want to specify that
> > the 'size' associated with such pointer is assumed to be unchanging and
> > after changing the size such pointer has to be re-obtained.  Plus that
> > changes to the allocated object/size have to be performed through an
> > lvalue where the containing type and thus the 'counted_by' attribute is
> > visible.  That is,
> >
> > size_t *s = &a.size;
> > *s = 1;
> >
> > is invoking undefined behavior, likewise modifying 'buf' (makes it a bit
> > awkward since for example that wouldn't support using posix_memalign
> > for allocation, though aligned_alloc would be fine).
>
> Depends on what behavior we want to guarantee and what kind of price we want
> to pay for it.  If the size is .ACCESS_WITH_SIZE operand, the size used in
> __bdos will be whatever counted_by size an array had upon taking address of
> the array, wherever that happens in the program.  And while we can CSE
> the calls, they'd be CSEd only if they have the same size.
>
> Or, if we want to pay further price, .ACCESS_WITH_SIZE could take as one of
> the arguments not the size value, but its address.  Then at __bdos time
> we would dereference that pointer to get the size.
> So,
> struct S { int a; char b __attribute__((counted_by (a))) []; };
> struct S s;
> s.a = 5;
> char *p = &s.b[2];
> int i1 = __builtin_dynamic_object_size (p, 0);
> s.a = 3;
> int i2 = __builtin_dynamic_object_size (p, 0);
> would then yield 3 and 1 rather than 3 and 3.

I fail to see how we can get the __builtin_dynamic_object_size call
data dependent on s.a, thus avoid re-ordering or even DSE of the
store.

Basically the model is that __builtin_dynamic_object_size will get
you the size at the point 'p' was formed from something that "last"
had the container with the counted_by attribute visible (plus adjustments
to 'p' in between that we are able to track).

s.a = 5;
char *p = &s.b[0];

will get you '5' as size,

char *p = &s.b[0];
s.a = 7;

will get you whatever was in 's.a' at the point of the address taking,
s.a = 7 will _not_ be honored for __builtin_dynamic_object_size
calls on 'p'.

>  But dunno if we wouldn't
> need to drop leaf attribute from __bdos to make that work, that would be
> I think a significant case against doing that, because while in all the
> current plans one just pays code performance price when using counted_by
> attribute, even when not using __bdos for it, if we had to make __bdos
> non-leaf we'd pay extra price even when nobody is using that attribute
> just in -D_FORTIFY_SOURCE=3 / -fhardened compilations, which is how
> several distros build basically everything.
>
>         Jakub
>
