This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/docs/
-
docs/
1/1
BitCodeFormat.rst
11/15
LangRef.rst

Differential D82316

[LangRef] Add `noundef` attribute to documentation
ClosedPublic

Authored by guiand on Jun 22 2020, 10:03 AM.

Download Raw Diff

Details

Reviewers

jdoerfert
aqjune
efriedma
eugenis
nlopes

Commits

rG89f1ad88b3f1: [LangRef] Introduce `noundef` attribute for fully defined function params

Summary

[LangRef] Introduce noundef attribute for fully-defined function params

LLVM currently does not require function parameters or return values
to be fully initialized, and does not care if they are poison. This can
be useful if the frontend ABI makes no such demands, but may prevent
helpful backend transformations in case they do. Specifically, the C
and C++ languages require all scalar function operands to be fully
determined.

Introducing this attribute is of particular use to MemorySanitizer
today, although other transformations may benefit from it as well.
We can modify MemorySanitizer instrumentation to provide modest (17%)
space savings where frozen is present.

This commit only adds the attribute to the Language Reference, and
the actual implementation of the attribute will follow in a separate
commit.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

guiand created this revision.Jun 22 2020, 10:03 AM

Herald added a project: Restricted Project. · View Herald TranscriptJun 22 2020, 10:03 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

nikic added a subscriber: nikic.Jun 22 2020, 10:34 AM

sstefan1 added a subscriber: sstefan1.Jun 22 2020, 10:55 AM

Harbormaster completed remote builds in B61264: Diff 272481.Jun 22 2020, 11:49 AM

nikic mentioned this in D82305: [Attr] Introduce the `nopoison` attribute.Jun 22 2020, 1:53 PM

nikic added inline comments.Jun 22 2020, 1:59 PM

llvm/docs/LangRef.rst
1255	Should be just `frozen`, without the quotes. Quotes indicate a string attribute.
1259	This description is a bit too frontend-centric. I'd suggest to at least add If the parameter is poison or contains undefined bits, the behavior is undefined. to describe the actual IR semantic this has. Also, can this be applied to return values? If so, it should say so.

Thanks for splitting this off!

I'm still in favor of nopoison as a name but so far no one else supports that name it seems. At least I would prefer that name if this means "not poison or instant UB".
Now, the documentation talks about undefined bits, which is something different. Maybe frozen makes sense after all.

As mentioned by @nikic, we should not talk about ABI, frontends, backends, etc. in the lang ref if not strictly necessary. I think describing the attribute as the absence of undefined or poison bits in the value representation is what we want :)

llvm/docs/LangRef.rst
3666	Can we make this two bullet points. Return values are not really operands so maybe: "The operand of a return instruction if the function or invoking call site has a `frozen` attribute in the return value position". I would also not talk about Arguments here as we describe instructions. So maybe say "The operand of a :ref:`call <i_call>` or :ref:`invoke <i_invoke>` instruction for which the call site has a `frozen` attribute at the respective position."

How about "noundef" for a name? I'm not a fan of names that start with "no", but "frozen" is not so obvious at a glance.

noundef seems better to me, as it means the value can't be poison as well (because a poison value can change to undef).
I'm fine with the suggestion as far as it is added to LangRef that the value is frozen if noundef is attached and it isn't an aggregate type with padding bits (if definition is changed as I suggested).

llvm/docs/LangRef.rst
1259	For aggregate types, I think it is okay to relax this constraint to allowing aggregates with undef padding bits. It will be great if an aggregate value that is constructed with a chain of `v = insertvalue (insertvalue undef, const1, idx), const2, idx2` can have this attribute attached regardless of whether the aggregate type has paddings or not. Inspecting padding bits which are not accessible without using memory operation may be overly restrictive. For my previous concern (giving a guarantee that it has no undef bit in memory representation), this should be needed in certain future cases, but not now maybe.

eugenis added inline comments.Jun 22 2020, 5:01 PM

llvm/docs/LangRef.rst
1259	Yes, that's a good point. From MSan point of view, if {i8, i32} is passed as a call argument, we don't care about the padding in the middle - the type definition has all we need to understand which bits must be checked for definedness, and we'd like the attribute to reflect that - i.e. the property of the IR value itself and not its storage representation. (if it's coerced to i64, then we care).

bbn added a subscriber: bbn.Jun 22 2020, 7:46 PM

uenoku added a subscriber: uenoku.Jun 22 2020, 11:18 PM

nlopes added a subscriber: nlopes.Jun 23 2020, 7:07 AM

nlopes added inline comments.

llvm/docs/LangRef.rst
1260	What happens when this condition is violated? e.g., when one passes a poison value as argument? Do we get UB? (I think so, but it's worth to make it clear)

jdoerfert added inline comments.Jun 23 2020, 7:57 AM

llvm/docs/LangRef.rst
1259	Does this mean we still need more than `nopoison`?
1260	Yes, this should be one of the only "value attribute" that will cause UB. The others should poison the value on violation and combined with this one you get UB.

eugenis added inline comments.Jun 23 2020, 12:31 PM

llvm/docs/LangRef.rst
1259	Sorry, I don't understand - are saying the attribute can be specified in terms of poison values and not undef? I don't think it would work, we need it to cover something that's loaded from an uninitialized memory location and passed to a function call as is, and those are undef, not poison.

aqjune added inline comments.Jun 24 2020, 12:18 AM

llvm/docs/LangRef.rst
1259	Yes, we need an attribute for undef bits; a constraint for absence of poison may not be enough. In the long term, I'd prefer merging the notion of undef value poison value into one (by leaving poison only), then nopoison should be enough. But seems like it is a pretty tough way to go.

noundef seems better to me, as it means the value can't be poison as well (because a poison value can change to undef).

Other comments in this patch still need to be addressed as well.

Changed attribute name from frozen to noundef, addressed comments

guiand marked 5 inline comments as done.Jun 25 2020, 10:13 AM

arsenm added a subscriber: arsenm.Jun 25 2020, 10:17 AM

arsenm added inline comments.

llvm/docs/BitCodeFormat.rst
1061	Can you commit this documentation change for the existing attributes separately

nlopes added inline comments.Jun 25 2020, 11:36 AM

llvm/docs/LangRef.rst
1257	can we write undef instead of uninitialized pls? LLVM doesn't really have uninitialized values. Otherwise LGTM.

nikic added inline comments.Jun 25 2020, 12:54 PM

llvm/docs/LangRef.rst
1258	I don't understand what "inferable" is intended to mean in this context.

guiand marked an inline comment as done.Jun 25 2020, 1:15 PM

guiand added inline comments.

llvm/docs/LangRef.rst
1258	Quoting from other comments here: For aggregate types, I think it is okay to relax this constraint to allowing aggregates with undef padding bits. It will be great if an aggregate value that is constructed with a chain of v = insertvalue (insertvalue undef, const1, idx), const2, idx2 can have this attribute attached regardless of whether the aggregate type has paddings or not. Inspecting padding bits which are not accessible without using memory operation may be overly restrictive. From MSan point of view, if {i8, i32} is passed as a call argument, we don't care about the padding in the middle - the type definition has all we need to understand which bits must be checked for definedness, and we'd like the attribute to reflect that - i.e. the property of the IR value itself and not its storage representation. This is what I tried to capture with this description. Is there some better way I might express this succinctly?

efriedma added inline comments.Jun 25 2020, 2:24 PM

llvm/docs/LangRef.rst
1258	Not sure we have any existing terminology to describe this concept. C++ calls these bits "pading bits" (vs. the "value representation"). Maybe we need a section in LangRef to describe this. Probably doesn't belong specifically in the discussion of the meaning of noundef, though, since it applies more generally. Maybe add some description in the definition of struct/array types, and link to it from here.

nikic added inline comments.Jun 25 2020, 11:59 PM

llvm/docs/LangRef.rst
1258	I think if you replace "inferable" with "inaccessible" or "unobservable", that would be more obvious. At least, I don't think there is any way to access/observe these padding bits or even their existence from LLVM IR (without a pre-existing pointer indirection).

I think, we could even remove the padding sentence and say "undefined or poison" bits. The latter seems to match our existing language. The former should be OK because a value of type { i8, i32 } has 8 + 32 bits. The fact that the store and alloca size is different does not mean the value has undefined bits. If people agree with this interpretation we could also add a sentence explaining this difference.

In D82316#2117857, @jdoerfert wrote:

I think, we could even remove the padding sentence and say "undefined or poison" bits. The latter seems to match our existing language. The former should be OK because a value of type { i8, i32 } has 8 + 32 bits. The fact that the store and alloca size is different does not mean the value has undefined bits. If people agree with this interpretation we could also add a sentence explaining this difference.

That matches my understanding as well.

We could also add a note that value bits here explicitly do NOT mean storage representation to avoid any misunderstanding.

Addressed comments

guiand marked 6 inline comments as done.Jun 26 2020, 5:33 PM

Harbormaster failed remote builds in B62011: Diff 273869!Jun 26 2020, 5:45 PM

nlopes accepted this revision.Jun 27 2020, 1:21 AM

This revision is now accepted and ready to land.Jun 27 2020, 1:21 AM

LGTM. Thanks for working on this. This was needed for a long while and I think the new wording is proper.

reverse ping. Let's land this :)

Should I land this without waiting for the other two patches?

In D82316#2137939, @guiand wrote:

Should I land this without waiting for the other two patches?

Either way works. Don't want us to forget to land it ;)

In D82316#2137939, @guiand wrote:

Should I land this without waiting for the other two patches?

I'd suggest to land this together with the LLVM part of D81678 (which LGTM) and land the clang part that actually starts using this and requires the massive test changes separately.

guiand mentioned this in D83412: [LLVM] Accept `noundef` attribute in function definitions/calls.Jul 8 2020, 10:30 AM

Closed by commit rG89f1ad88b3f1: [LangRef] Introduce `noundef` attribute for fully defined function params (authored by guiand). · Explain WhyJul 8 2020, 12:02 PM

This revision was automatically updated to reflect the committed changes.

guiand mentioned this in D82317: [Clang/Test]: Update tests where `noundef` attribute is necessary.Aug 6 2020, 3:04 PM

Revision Contents

Path

Size

llvm/

docs/

BitCodeFormat.rst

1 line

LangRef.rst

11 lines

Diff 273869

llvm/docs/BitCodeFormat.rst

	Show First 20 Lines • Show All 1,052 Lines • ▼ Show 20 Lines
	* code 51: ``allocsize(<EltSizeParam>[, <NumEltsParam>])``			* code 51: ``allocsize(<EltSizeParam>[, <NumEltsParam>])``
	* code 52: ``writeonly``			* code 52: ``writeonly``
	* code 53: ``speculatable``			* code 53: ``speculatable``
	* code 54: ``strictfp``			* code 54: ``strictfp``
	* code 55: ``sanitize_hwaddress``			* code 55: ``sanitize_hwaddress``
	* code 56: ``nocf_check``			* code 56: ``nocf_check``
	* code 57: ``optforfuzzing``			* code 57: ``optforfuzzing``
	* code 58: ``shadowcallstack``			* code 58: ``shadowcallstack``
	* code 59: ``speculative_load_hardening``			* code 59: ``speculative_load_hardening``
				arsenmUnsubmitted Done Reply Inline Actions Can you commit this documentation change for the existing attributes separately arsenm: Can you commit this documentation change for the existing attributes separately
	* code 60: ``immarg``			* code 60: ``immarg``
	* code 61: ``willreturn``			* code 61: ``willreturn``
	* code 62: ``nofree``			* code 62: ``nofree``
	* code 63: ``nosync``			* code 63: ``nosync``
	* code 64: ``sanitize_memtag``			* code 64: ``sanitize_memtag``
	* code 65: ``preallocated``			* code 65: ``preallocated``
	* code 66: ``no_merge``			* code 66: ``no_merge``
	* code 67: ``null_pointer_is_valid``			* code 67: ``null_pointer_is_valid``
				* code 68: ``noundef``

	.. note::			.. note::
	The ``allocsize`` attribute has a special encoding for its arguments. Its two			The ``allocsize`` attribute has a special encoding for its arguments. Its two
	arguments, which are 32-bit integers, are packed into one 64-bit integer value			arguments, which are 32-bit integers, are packed into one 64-bit integer value
	(i.e. ``(EltSizeParam << 32) \| NumEltsParam``), with ``NumEltsParam`` taking on			(i.e. ``(EltSizeParam << 32) \| NumEltsParam``), with ``NumEltsParam`` taking on
	the sentinel value -1 if it is not specified.			the sentinel value -1 if it is not specified.

	.. _TYPE_BLOCK:			.. _TYPE_BLOCK:
	▲ Show 20 Lines • Show All 295 Lines • Show Last 20 Lines

llvm/docs/LangRef.rst

This file is larger than 256 KB, so syntax highlighting is disabled by default.

	Show First 20 Lines • Show All 1,246 Lines • ▼ Show 20 Lines

	``immarg``			``immarg``
	This indicates the parameter is required to be an immediate			This indicates the parameter is required to be an immediate
	value. This must be a trivial immediate integer or floating-point			value. This must be a trivial immediate integer or floating-point
	constant. Undef or constant expressions are not valid. This is			constant. Undef or constant expressions are not valid. This is
	only valid on intrinsic declarations and cannot be applied to a			only valid on intrinsic declarations and cannot be applied to a
	call site or arbitrary function.			call site or arbitrary function.

				``noundef``
				nikicUnsubmitted Done Reply Inline Actions Should be just `frozen`, without the quotes. Quotes indicate a string attribute. nikic: Should be just `frozen`, without the quotes. Quotes indicate a string attribute.
				This attribute applies to parameters and return values. If the value
				representation contains any undefined or poison bits, the behavior is
				nlopesUnsubmitted Done Reply Inline Actions can we write undef instead of uninitialized pls? LLVM doesn't really have uninitialized values. Otherwise LGTM. nlopes: can we write undef instead of uninitialized pls? LLVM doesn't really have uninitialized values.
				undefined. Note that this does not refer to padding introduced by the
				nikicUnsubmitted Done Reply Inline Actions I don't understand what "inferable" is intended to mean in this context. nikic: I don't understand what "inferable" is intended to mean in this context.
				guiandAuthorUnsubmitted Done Reply Inline Actions Quoting from other comments here: For aggregate types, I think it is okay to relax this constraint to allowing aggregates with undef padding bits. It will be great if an aggregate value that is constructed with a chain of v = insertvalue (insertvalue undef, const1, idx), const2, idx2 can have this attribute attached regardless of whether the aggregate type has paddings or not. Inspecting padding bits which are not accessible without using memory operation may be overly restrictive. From MSan point of view, if {i8, i32} is passed as a call argument, we don't care about the padding in the middle - the type definition has all we need to understand which bits must be checked for definedness, and we'd like the attribute to reflect that - i.e. the property of the IR value itself and not its storage representation. This is what I tried to capture with this description. Is there some better way I might express this succinctly? guiand: Quoting from other comments here: > For aggregate types, I think it is okay to relax this…
				efriedmaUnsubmitted Done Reply Inline Actions Not sure we have any existing terminology to describe this concept. C++ calls these bits "pading bits" (vs. the "value representation"). Maybe we need a section in LangRef to describe this. Probably doesn't belong specifically in the discussion of the meaning of noundef, though, since it applies more generally. Maybe add some description in the definition of struct/array types, and link to it from here. efriedma: Not sure we have any existing terminology to describe this concept. C++ calls these bits…
				nikicUnsubmitted Done Reply Inline Actions I think if you replace "inferable" with "inaccessible" or "unobservable", that would be more obvious. At least, I don't think there is any way to access/observe these padding bits or even their existence from LLVM IR (without a pre-existing pointer indirection). nikic: I think if you replace "inferable" with "inaccessible" or "unobservable", that would be more…
				type's storage representation.
				nikicUnsubmitted Done Reply Inline Actions This description is a bit too frontend-centric. I'd suggest to at least add If the parameter is poison or contains undefined bits, the behavior is undefined. to describe the actual IR semantic this has. Also, can this be applied to return values? If so, it should say so. nikic: This description is a bit too frontend-centric. I'd suggest to at least add > If the parameter…
				aqjuneUnsubmitted Not Done Reply Inline Actions For aggregate types, I think it is okay to relax this constraint to allowing aggregates with undef padding bits. It will be great if an aggregate value that is constructed with a chain of `v = insertvalue (insertvalue undef, const1, idx), const2, idx2` can have this attribute attached regardless of whether the aggregate type has paddings or not. Inspecting padding bits which are not accessible without using memory operation may be overly restrictive. For my previous concern (giving a guarantee that it has no undef bit in memory representation), this should be needed in certain future cases, but not now maybe. aqjune: For aggregate types, I think it is okay to relax this constraint to allowing aggregates with…
				eugenisUnsubmitted Done Reply Inline Actions Yes, that's a good point. From MSan point of view, if {i8, i32} is passed as a call argument, we don't care about the padding in the middle - the type definition has all we need to understand which bits must be checked for definedness, and we'd like the attribute to reflect that - i.e. the property of the IR value itself and not its storage representation. (if it's coerced to i64, then we care). eugenis: Yes, that's a good point. From MSan point of view, if {i8, i32} is passed as a call argument…
				jdoerfertUnsubmitted Not Done Reply Inline Actions Does this mean we still need more than `nopoison`? jdoerfert: Does this mean we still need more than `nopoison`?
				eugenisUnsubmitted Not Done Reply Inline Actions Sorry, I don't understand - are saying the attribute can be specified in terms of poison values and not undef? I don't think it would work, we need it to cover something that's loaded from an uninitialized memory location and passed to a function call as is, and those are undef, not poison. eugenis: Sorry, I don't understand - are saying the attribute can be specified in terms of poison values…
				aqjuneUnsubmitted Not Done Reply Inline Actions Yes, we need an attribute for undef bits; a constraint for absence of poison may not be enough. In the long term, I'd prefer merging the notion of undef value poison value into one (by leaving poison only), then nopoison should be enough. But seems like it is a pretty tough way to go. aqjune: Yes, we need an attribute for undef bits; a constraint for absence of poison may not be enough.

				nlopesUnsubmitted Done Reply Inline Actions What happens when this condition is violated? e.g., when one passes a poison value as argument? Do we get UB? (I think so, but it's worth to make it clear) nlopes: What happens when this condition is violated? e.g., when one passes a poison value as argument?
				jdoerfertUnsubmitted Done Reply Inline Actions Yes, this should be one of the only "value attribute" that will cause UB. The others should poison the value on violation and combined with this one you get UB. jdoerfert: Yes, this should be one of the only "value attribute" that will cause UB. The others should…
	.. _gc:			.. _gc:

	Garbage Collector Strategy Names			Garbage Collector Strategy Names
	--------------------------------			--------------------------------

	Each function may specify a garbage collector strategy name, which is simply a			Each function may specify a garbage collector strategy name, which is simply a
	string:			string:

	▲ Show 20 Lines • Show All 2,388 Lines • ▼ Show 20 Lines
	- The pointer operand of a :ref:`load <i_load>`, :ref:`store <i_store>` or			- The pointer operand of a :ref:`load <i_load>`, :ref:`store <i_store>` or
	any other pointer dereferencing instruction (independent of address			any other pointer dereferencing instruction (independent of address
	space).			space).
	- The divisor operand of a ``udiv``, ``sdiv``, ``urem`` or ``srem``			- The divisor operand of a ``udiv``, ``sdiv``, ``urem`` or ``srem``
	instruction.			instruction.
	- The condition operand of a :ref:`br <i_br>` instruction.			- The condition operand of a :ref:`br <i_br>` instruction.
	- The callee operand of a :ref:`call <i_call>` or :ref:`invoke <i_invoke>`			- The callee operand of a :ref:`call <i_call>` or :ref:`invoke <i_invoke>`
	instruction.			instruction.
				- The parameter operand of a :ref:`call <i_call>` or :ref:`invoke <i_invoke>`
				instruction, when the function or invoking call site has a ``noundef``
				jdoerfertUnsubmitted Done Reply Inline Actions Can we make this two bullet points. Return values are not really operands so maybe: "The operand of a return instruction if the function or invoking call site has a `frozen` attribute in the return value position". I would also not talk about Arguments here as we describe instructions. So maybe say "The operand of a :ref:`call <i_call>` or :ref:`invoke <i_invoke>` instruction for which the call site has a `frozen` attribute at the respective position." jdoerfert: Can we make this two bullet points. Return values are not really operands so maybe: "The…
				attribute in the corresponding position.
				- The operand of a :ref:`ret <i_ret>` instruction if the function or invoking
				call site has a `noundef` attribute in the return value position.

	Here are some examples:			Here are some examples:

	.. code-block:: llvm			.. code-block:: llvm

	entry:			entry:
	%poison = sub nuw i32 0, 1 ; Results in a poison value.			%poison = sub nuw i32 0, 1 ; Results in a poison value.
	%still_poison = and i32 %poison, 0 ; 0, but also poison.			%still_poison = and i32 %poison, 0 ; 0, but also poison.
	▲ Show 20 Lines • Show All 16,583 Lines • Show Last 20 Lines