* Straw poll on shifts with out of range operands
@ 2024-06-26 2:44 Andrew Pinski
2024-06-26 2:57 ` Jeff Law
0 siblings, 1 reply; 3+ messages in thread
From: Andrew Pinski @ 2024-06-26 2:44 UTC (permalink / raw)
To: GCC Mailing List
I am in the middle of improving the isolation path pass for shifts
with out of range operands.
There are 3 options we could do really:
1) isolate the path to __builtin_unreachable
2) isolate the path to __builtin_trap
This is what is currently done for null pointer and divide by zero
3) isolate the path and turn the shift into zero constant
This happens currently for explicit use in both match (in many
cases) and VRP for others.
All 3 are not hard to implement.
This comes up in the context of https://gcc.gnu.org/PR115636 where the
original requestor thinks it should be #3 but I suspect they didn't
realize it was undefined behavior then.
2 seems the best for user experience.
1 seems like the best for optimizations.
3 is more in line with how other parts of the compiler handle it.
So the question I have is which one should we go for? (is there
another option I missed besides not do anything)
Thanks,
Andrew Pinski
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Straw poll on shifts with out of range operands
2024-06-26 2:44 Straw poll on shifts with out of range operands Andrew Pinski
@ 2024-06-26 2:57 ` Jeff Law
2024-06-26 6:46 ` Richard Biener
0 siblings, 1 reply; 3+ messages in thread
From: Jeff Law @ 2024-06-26 2:57 UTC (permalink / raw)
To: Andrew Pinski, GCC Mailing List
On 6/25/24 8:44 PM, Andrew Pinski via Gcc wrote:
> I am in the middle of improving the isolation path pass for shifts
> with out of range operands.
> There are 3 options we could do really:
> 1) isolate the path to __builtin_unreachable
> 2) isolate the path to __builtin_trap
> This is what is currently done for null pointer and divide by zero
> 3) isolate the path and turn the shift into zero constant
> This happens currently for explicit use in both match (in many
> cases) and VRP for others.
>
> All 3 are not hard to implement.
> This comes up in the context of https://gcc.gnu.org/PR115636 where the
> original requestor thinks it should be #3 but I suspect they didn't
> realize it was undefined behavior then.
> 2 seems the best for user experience.
> 1 seems like the best for optimizations.
> 3 is more in line with how other parts of the compiler handle it.
>
> So the question I have is which one should we go for? (is there
> another option I missed besides not do anything)
There was a time when we were thinking about having a knob that would
allow one to select which of the 3 approaches makes the most sense given
the expected execution environment.
While I prefer #2, some have (reasonably) argued that it's not
appropriate behavior for code in a library.
I'm not a fan of #1 because it allows unpredictable code execution.
Essentially you just fall into whatever code was after the bogus shift
in the executable and hope for the best. One day this is going to bite
us hard from a security standpoint.
#3 isn't great, but it's not terrible either.
Jeff
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Straw poll on shifts with out of range operands
2024-06-26 2:57 ` Jeff Law
@ 2024-06-26 6:46 ` Richard Biener
0 siblings, 0 replies; 3+ messages in thread
From: Richard Biener @ 2024-06-26 6:46 UTC (permalink / raw)
To: Jeff Law; +Cc: Andrew Pinski, GCC Mailing List
On Wed, Jun 26, 2024 at 4:59 AM Jeff Law via Gcc <gcc@gcc.gnu.org> wrote:
>
>
>
> On 6/25/24 8:44 PM, Andrew Pinski via Gcc wrote:
> > I am in the middle of improving the isolation path pass for shifts
> > with out of range operands.
> > There are 3 options we could do really:
> > 1) isolate the path to __builtin_unreachable
> > 2) isolate the path to __builtin_trap
> > This is what is currently done for null pointer and divide by zero
> > 3) isolate the path and turn the shift into zero constant
> > This happens currently for explicit use in both match (in many
> > cases) and VRP for others.
How is isolation if we do 3) any useful? IIRC the path isolation pass
would only look for literal out-of-range shifts? Or do you plan to use
range info? If we do 3) why not let range folding deal with this then?
> >
> > All 3 are not hard to implement.
> > This comes up in the context of https://gcc.gnu.org/PR115636 where the
> > original requestor thinks it should be #3 but I suspect they didn't
> > realize it was undefined behavior then.
> > 2 seems the best for user experience.
> > 1 seems like the best for optimizations.
> > 3 is more in line with how other parts of the compiler handle it.
> >
> > So the question I have is which one should we go for? (is there
> > another option I missed besides not do anything)
> There was a time when we were thinking about having a knob that would
> allow one to select which of the 3 approaches makes the most sense given
> the expected execution environment.
Since we do 3) already elsewhere I'd say we should do that by default and
have the other options behind a command-line switch - though we already
have UBSAN for that and that is going to be much more reliable than the late
path isolation done after folding catched most cases via 3)?
> While I prefer #2, some have (reasonably) argued that it's not
> appropriate behavior for code in a library.
>
> I'm not a fan of #1 because it allows unpredictable code execution.
> Essentially you just fall into whatever code was after the bogus shift
> in the executable and hope for the best. One day this is going to bite
> us hard from a security standpoint.
>
> #3 isn't great, but it's not terrible either.
>
> Jeff
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-06-26 6:47 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-26 2:44 Straw poll on shifts with out of range operands Andrew Pinski
2024-06-26 2:57 ` Jeff Law
2024-06-26 6:46 ` Richard Biener
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).