This is an archive of the discontinued LLVM Phabricator instance.

Differential D12000

Bugfix - Clang handles __builtin_object_size in wrong way
ClosedPublic

Authored by george.burgess.iv on Aug 12 2015, 5:04 PM.

Details

Reviewers
rsmith
Commits
rGbdb5b2687a41: Make __builtin_object_size always answer correctly
rG232c76213d43: Make __builtin_object_size always answer correctly
rC245403: Make __builtin_object_size always answer correctly
rC245323: Make __builtin_object_size always answer correctly
Summary

Attached is a fix for https://llvm.org/bugs/show_bug.cgi?id=15212 .

Summary: Tighten up some of the results for __builtin_object_size(ptr, type) when given type == 1 or type == 3 + fixed a bug where we would report incorrect results for type == 3.

~90% of the patch is courtesy of Richard Smith. :)

Diff Detail

Event Timeline

george.burgess.iv updated this revision to Diff 32001.Aug 12 2015, 5:04 PM
george.burgess.iv retitled this revision from to Bugfix - Clang handles __builtin_object_size in wrong way.
george.burgess.iv updated this object.
george.burgess.iv added a subscriber: cfe-commits.
rsmith added a subscriber: rsmith.Aug 14 2015, 5:11 PM
rsmith added inline comments.
lib/AST/ExprConstant.cpp
6221–6223

Please add a testcase like this (where the base object is unknown but the designator is known, and thus we can compute the Type == 1 and Type == 3 forms but not the Type == 0 and Type == 2 forms).

6243–6245

Please add testcases for the pointer-to-the-end case:

int n;
static_assert(__builtin_object_size(&n + 1, 1) == 0);

struct X { int a, b, c; } x;
static_assert(__builtin_object_size(&x.a + 1, 1) == 0);
george.burgess.iv updated this revision to Diff 32333.Aug 17 2015, 1:07 PM
george.burgess.iv updated this object.
george.burgess.iv marked an inline comment as done.

Addressed feedback.

lib/AST/ExprConstant.cpp
6221–6223

EvaluatePointer is stricter than I thought -- this is actually not possible without adding a decent amount of complexity to the current patch. Will replace the comment with a TODO, and add the test case in the next patch that makes us support things like this. :)

rsmith accepted this revision.Aug 17 2015, 1:11 PM
rsmith added a reviewer: rsmith.

LGTM with one more testcase :)

lib/AST/ExprConstant.cpp
6243–6245

I think you now have a testcase for the end-of-array case, but not the end-of-nonarray case.

This revision is now accepted and ready to land.Aug 17 2015, 1:11 PM
george.burgess.iv closed this revision.Aug 18 2015, 11:21 AM

r245323

Revision Contents

PathSize
lib/
AST/
126 lines
test/
CodeGen/
70 lines
Sema/
4 lines

Diff 32333

lib/AST/ExprConstant.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 961 Lines▼ Show 20 Lines bool checkNullPointer(EvalInfo &Info, const Expr *E,
return false; return false;
} }
return true; return true;
} }
// Check this LValue refers to an object. If not, set the designator to be // Check this LValue refers to an object. If not, set the designator to be
// invalid and emit a diagnostic. // invalid and emit a diagnostic.
bool checkSubobject(EvalInfo &Info, const Expr *E, CheckSubobjectKind CSK) { bool checkSubobject(EvalInfo &Info, const Expr *E, CheckSubobjectKind CSK) {
// Outside C++11, do not build a designator referring to a subobject of
// any object: we won't use such a designator for anything.
if (!Info.getLangOpts().CPlusPlus11)
Designator.setInvalid();
return (CSK == CSK_ArrayToPointer || checkNullPointer(Info, E, CSK)) && return (CSK == CSK_ArrayToPointer || checkNullPointer(Info, E, CSK)) &&
Designator.checkSubobject(Info, E, CSK); Designator.checkSubobject(Info, E, CSK);
} }
void addDecl(EvalInfo &Info, const Expr *E, void addDecl(EvalInfo &Info, const Expr *E,
const Decl *D, bool Virtual = false) { const Decl *D, bool Virtual = false) {
if (checkSubobject(Info, E, isa<FieldDecl>(D) ? CSK_Field : CSK_Base)) if (checkSubobject(Info, E, isa<FieldDecl>(D) ? CSK_Field : CSK_Base))
Designator.addDeclUnchecked(D, Virtual); Designator.addDeclUnchecked(D, Virtual);
▲ Show 20 LinesShow All 1,726 Lines▼ Show 20 Lines
static bool handleLValueToRValueConversion(EvalInfo &Info, const Expr *Conv, static bool handleLValueToRValueConversion(EvalInfo &Info, const Expr *Conv,
QualType Type, QualType Type,
const LValue &LVal, APValue &RVal) { const LValue &LVal, APValue &RVal) {
if (LVal.Designator.Invalid) if (LVal.Designator.Invalid)
return false; return false;
// Check for special cases where there is no existing APValue to look at. // Check for special cases where there is no existing APValue to look at.
const Expr *Base = LVal.Base.dyn_cast<const Expr*>(); const Expr *Base = LVal.Base.dyn_cast<const Expr*>();
if (!LVal.Designator.Invalid && Base && !LVal.CallIndex && if (Base && !LVal.CallIndex && !Type.isVolatileQualified()) {
!Type.isVolatileQualified()) {
if (const CompoundLiteralExpr *CLE = dyn_cast<CompoundLiteralExpr>(Base)) { if (const CompoundLiteralExpr *CLE = dyn_cast<CompoundLiteralExpr>(Base)) {
// In C99, a CompoundLiteralExpr is an lvalue, and we defer evaluating the // In C99, a CompoundLiteralExpr is an lvalue, and we defer evaluating the
// initializer until now for such expressions. Such an expression can't be // initializer until now for such expressions. Such an expression can't be
// an ICE in C, so this only matters for fold. // an ICE in C, so this only matters for fold.
assert(!Info.getLangOpts().CPlusPlus && "lvalue compound literal in c++?"); assert(!Info.getLangOpts().CPlusPlus && "lvalue compound literal in c++?");
if (Type.isVolatileQualified()) { if (Type.isVolatileQualified()) {
Info.Diag(Conv); Info.Diag(Conv);
return false; return false;
▲ Show 20 LinesShow All 3,267 Lines▼ Show 20 Linespublic:
bool VisitUnaryReal(const UnaryOperator *E); bool VisitUnaryReal(const UnaryOperator *E);
bool VisitUnaryImag(const UnaryOperator *E); bool VisitUnaryImag(const UnaryOperator *E);
bool VisitCXXNoexceptExpr(const CXXNoexceptExpr *E); bool VisitCXXNoexceptExpr(const CXXNoexceptExpr *E);
bool VisitSizeOfPackExpr(const SizeOfPackExpr *E); bool VisitSizeOfPackExpr(const SizeOfPackExpr *E);
private: private:
static QualType GetObjectType(APValue::LValueBase B); bool TryEvaluateBuiltinObjectSize(const CallExpr *E, unsigned Type);
bool TryEvaluateBuiltinObjectSize(const CallExpr *E);
// FIXME: Missing: array subscript of vector, member of vector // FIXME: Missing: array subscript of vector, member of vector
}; };
} // end anonymous namespace } // end anonymous namespace
/// EvaluateIntegerOrLValue - Evaluate an rvalue integral-typed expression, and /// EvaluateIntegerOrLValue - Evaluate an rvalue integral-typed expression, and
/// produce either the integer value or a pointer. /// produce either the integer value or a pointer.
/// ///
/// GCC has a heinous extension which folds casts between pointer types and /// GCC has a heinous extension which folds casts between pointer types and
▲ Show 20 LinesShow All 155 Lines▼ Show 20 Linesstatic bool EvaluateBuiltinConstantP(ASTContext &Ctx, const Expr *Arg) {
} }
// Anything else isn't considered to be sufficiently constant. // Anything else isn't considered to be sufficiently constant.
return false; return false;
} }
/// Retrieves the "underlying object type" of the given expression, /// Retrieves the "underlying object type" of the given expression,
/// as used by __builtin_object_size. /// as used by __builtin_object_size.
QualType IntExprEvaluator::GetObjectType(APValue::LValueBase B) { static QualType getObjectType(APValue::LValueBase B) {
if (const ValueDecl *D = B.dyn_cast<const ValueDecl*>()) { if (const ValueDecl *D = B.dyn_cast<const ValueDecl*>()) {
if (const VarDecl *VD = dyn_cast<VarDecl>(D)) if (const VarDecl *VD = dyn_cast<VarDecl>(D))
return VD->getType(); return VD->getType();
} else if (const Expr *E = B.get<const Expr*>()) { } else if (const Expr *E = B.get<const Expr*>()) {
if (isa<CompoundLiteralExpr>(E)) if (isa<CompoundLiteralExpr>(E))
return E->getType(); return E->getType();
} }
return QualType(); return QualType();
} }
bool IntExprEvaluator::TryEvaluateBuiltinObjectSize(const CallExpr *E) { bool IntExprEvaluator::TryEvaluateBuiltinObjectSize(const CallExpr *E,
unsigned Type) {
// Determine the denoted object.
LValue Base; LValue Base;
{ {
// The operand of __builtin_object_size is never evaluated for side-effects. // The operand of __builtin_object_size is never evaluated for side-effects.
// If there are any, but we can determine the pointed-to object anyway, then // If there are any, but we can determine the pointed-to object anyway, then
// ignore the side-effects. // ignore the side-effects.
SpeculativeEvaluationRAII SpeculativeEval(Info); SpeculativeEvaluationRAII SpeculativeEval(Info);
FoldConstant Fold(Info, true);
if (!EvaluatePointer(E->getArg(0), Base, Info)) if (!EvaluatePointer(E->getArg(0), Base, Info))
return false; return false;
} }
if (!Base.getLValueBase()) { CharUnits BaseOffset = Base.getLValueOffset();
// It is not possible to determine which objects ptr points to at compile time,
// __builtin_object_size should return (size_t) -1 for type 0 or 1 // If we point to before the start of the object, there are no
// and (size_t) 0 for type 2 or 3. // accessible bytes.
llvm::APSInt TypeIntVaue; if (BaseOffset < CharUnits::Zero())
const Expr *ExprType = E->getArg(1);
if (!ExprType->EvaluateAsInt(TypeIntVaue, Info.Ctx))
return false;
if (TypeIntVaue == 0 || TypeIntVaue == 1)
return Success(-1, E);
if (TypeIntVaue == 2 || TypeIntVaue == 3)
return Success(0, E); return Success(0, E);
return Error(E);
// If Type & 1 is 0, the object in question is the complete object; reset to
// a complete object designator in that case.
//
// If Type is 1 and we've lost track of the subobject, just find the complete
// object instead. (If Type is 3, that's not correct behavior and we should
// return 0 instead.)
LValue End = Base;
if (((Type & 1) == 0) || (End.Designator.Invalid && Type == 1)) {
QualType T = getObjectType(End.getLValueBase());
if (T.isNull())
End.Designator.setInvalid();
else {
End.Designator = SubobjectDesignator(T);
End.Offset = CharUnits::Zero();
}
} }
QualType T = GetObjectType(Base.getLValueBase()); // FIXME: We should produce a valid object size for an unknown object with a
if (T.isNull() || // known designator, if Type & 1 is 1. For instance:
T->isIncompleteType() || //
T->isFunctionType() || // extern struct X { char buff[32]; int a, b, c; } *p;
T->isVariablyModifiedType() || // int a = __builtin_object_size(p->buff + 4, 3); // returns 28
T->isDependentType()) // int b = __builtin_object_size(p->buff + 4, 2); // returns 0, not 40
rsmithUnsubmitted
Not Done
ReplyInline Actions

Please add a testcase like this (where the base object is unknown but the designator is known, and thus we can compute the Type == 1 and Type == 3 forms but not the Type == 0 and Type == 2 forms).

rsmith: Please add a testcase like this (where the base object is unknown but the designator is known…
george.burgess.ivAuthorUnsubmitted
Not Done
ReplyInline Actions

EvaluatePointer is stricter than I thought -- this is actually not possible without adding a decent amount of complexity to the current patch. Will replace the comment with a TODO, and add the test case in the next patch that makes us support things like this. :)

george.burgess.iv: EvaluatePointer is stricter than I thought -- this is actually not possible without adding a…
//
// This is GCC's behavior. We currently don't do this, but (hopefully) will in
// the near future.
// If it is not possible to determine which objects ptr points to at compile
// time, __builtin_object_size should return (size_t) -1 for type 0 or 1
// and (size_t) 0 for type 2 or 3.
if (End.Designator.Invalid)
return false;
// According to the GCC documentation, we want the size of the subobject
// denoted by the pointer. But that's not quite right -- what we actually
// want is the size of the immediately-enclosing array, if there is one.
int64_t AmountToAdd = 1;
if (End.Designator.MostDerivedArraySize &&
End.Designator.Entries.size() == End.Designator.MostDerivedPathLength) {
// We got a pointer to an array. Step to its end.
AmountToAdd = End.Designator.MostDerivedArraySize -
End.Designator.Entries.back().ArrayIndex;
} else if (End.Designator.IsOnePastTheEnd) {
// We're already pointing at the end of the object.
AmountToAdd = 0;
rsmithUnsubmitted
Done
ReplyInline Actions

Please add testcases for the pointer-to-the-end case:

int n;
static_assert(__builtin_object_size(&n + 1, 1) == 0);

struct X { int a, b, c; } x;
static_assert(__builtin_object_size(&x.a + 1, 1) == 0);
rsmith: Please add testcases for the pointer-to-the-end case: int n; static_assert…
rsmithUnsubmitted
Not Done
ReplyInline Actions

I think you now have a testcase for the end-of-array case, but not the end-of-nonarray case.

rsmith: I think you now have a testcase for the end-of-array case, but not the end-of-nonarray case.
}
if (End.Designator.MostDerivedType->isIncompleteType() ||
End.Designator.MostDerivedType->isFunctionType())
return Error(E); return Error(E);
CharUnits Size = Info.Ctx.getTypeSizeInChars(T); if (!HandleLValueArrayAdjustment(Info, E, End, End.Designator.MostDerivedType,
CharUnits Offset = Base.getLValueOffset(); AmountToAdd))
return false;
auto EndOffset = End.getLValueOffset();
if (BaseOffset > EndOffset)
return Success(0, E);
if (!Offset.isNegative() && Offset <= Size) return Success(EndOffset - BaseOffset, E);
Size -= Offset;
else
Size = CharUnits::Zero();
return Success(Size, E);
} }
bool IntExprEvaluator::VisitCallExpr(const CallExpr *E) { bool IntExprEvaluator::VisitCallExpr(const CallExpr *E) {
switch (unsigned BuiltinOp = E->getBuiltinCallee()) { switch (unsigned BuiltinOp = E->getBuiltinCallee()) {
default: default:
return ExprEvaluatorBaseTy::VisitCallExpr(E); return ExprEvaluatorBaseTy::VisitCallExpr(E);
case Builtin::BI__builtin_object_size: { case Builtin::BI__builtin_object_size: {
if (TryEvaluateBuiltinObjectSize(E)) // The type was checked when we built the expression.
unsigned Type =
E->getArg(1)->EvaluateKnownConstInt(Info.Ctx).getZExtValue();
assert(Type <= 3 && "unexpected type");
if (TryEvaluateBuiltinObjectSize(E, Type))
return true; return true;
// If evaluating the argument has side-effects, we can't determine the size // If evaluating the argument has side-effects, we can't determine the size
// of the object, and so we lower it to unknown now. CodeGen relies on us to // of the object, and so we lower it to unknown now. CodeGen relies on us to
// handle all cases where the expression has side-effects. // handle all cases where the expression has side-effects.
if (E->getArg(0)->HasSideEffects(Info.Ctx)) { // Likewise, if Type is 3, we must handle this because CodeGen cannot give a
if (E->getArg(1)->EvaluateKnownConstInt(Info.Ctx).getZExtValue() <= 1) // conservatively correct answer in that case.
return Success(-1ULL, E); if (E->getArg(0)->HasSideEffects(Info.Ctx) || Type == 3)
return Success(0, E); return Success((Type & 2) ? 0 : -1, E);
}
// Expression had no side effects, but we couldn't statically determine the // Expression had no side effects, but we couldn't statically determine the
// size of the referenced object. // size of the referenced object.
switch (Info.EvalMode) { switch (Info.EvalMode) {
case EvalInfo::EM_ConstantExpression: case EvalInfo::EM_ConstantExpression:
case EvalInfo::EM_PotentialConstantExpression: case EvalInfo::EM_PotentialConstantExpression:
case EvalInfo::EM_ConstantFold: case EvalInfo::EM_ConstantFold:
case EvalInfo::EM_EvaluateForOverflow: case EvalInfo::EM_EvaluateForOverflow:
case EvalInfo::EM_IgnoreSideEffects: case EvalInfo::EM_IgnoreSideEffects:
// Leave it to IR generation.
return Error(E); return Error(E);
case EvalInfo::EM_ConstantExpressionUnevaluated: case EvalInfo::EM_ConstantExpressionUnevaluated:
case EvalInfo::EM_PotentialConstantExpressionUnevaluated: case EvalInfo::EM_PotentialConstantExpressionUnevaluated:
return Success(-1ULL, E); // Reduce it to a constant now.
return Success((Type & 2) ? 0 : -1, E);
} }
} }
case Builtin::BI__builtin_bswap16: case Builtin::BI__builtin_bswap16:
case Builtin::BI__builtin_bswap32: case Builtin::BI__builtin_bswap32:
case Builtin::BI__builtin_bswap64: { case Builtin::BI__builtin_bswap64: {
APSInt Val; APSInt Val;
if (!EvaluateInteger(E->getArg(0), Val, Info)) if (!EvaluateInteger(E->getArg(0), Val, Info))
▲ Show 20 LinesShow All 2,940 LinesShow Last 20 Lines

test/CodeGen/object-size.c

Show First 20 LinesShow All 140 Lines▼ Show 20 Lines
// CHECK: @test18 // CHECK: @test18
unsigned test18(int cond) { unsigned test18(int cond) {
int a[4], b[4]; int a[4], b[4];
// CHECK: phi i32* // CHECK: phi i32*
// CHECK: call i64 @llvm.objectsize.i64 // CHECK: call i64 @llvm.objectsize.i64
return __builtin_object_size(cond ? a : b, 0); return __builtin_object_size(cond ? a : b, 0);
} }
// CHECK: @test19
void test19() {
struct {
int a, b;
} foo;
// CHECK: store i32 8
gi = __builtin_object_size(&foo.a, 0);
// CHECK: store i32 4
gi = __builtin_object_size(&foo.a, 1);
// CHECK: store i32 8
gi = __builtin_object_size(&foo.a, 2);
// CHECK: store i32 4
gi = __builtin_object_size(&foo.a, 3);
}
// CHECK: @test20
void test20() {
struct { int t[10]; } t[10];
// CHECK: store i32 380
gi = __builtin_object_size(&t[0].t[5], 0);
// CHECK: store i32 20
gi = __builtin_object_size(&t[0].t[5], 1);
// CHECK: store i32 380
gi = __builtin_object_size(&t[0].t[5], 2);
// CHECK: store i32 20
gi = __builtin_object_size(&t[0].t[5], 3);
}
// CHECK: @test21
void test21() {
struct { int t[10]; } t[10];
// CHECK: store i32 0
gi = __builtin_object_size(&t[10], 0);
// CHECK: store i32 0
gi = __builtin_object_size(&t[10], 1);
// CHECK: store i32 0
gi = __builtin_object_size(&t[10], 2);
// CHECK: store i32 0
gi = __builtin_object_size(&t[10], 3);
// CHECK: store i32 0
gi = __builtin_object_size(&t[9].t[10], 0);
// CHECK: store i32 0
gi = __builtin_object_size(&t[9].t[10], 1);
// CHECK: store i32 0
gi = __builtin_object_size(&t[9].t[10], 2);
// CHECK: store i32 0
gi = __builtin_object_size(&t[9].t[10], 3);
}
struct Test22Ty { int t[10]; };
// CHECK: @test22
void test22(struct Test22Ty *p) {
// CHECK: call i64 @llvm.objectsize.i64.p0i8(i8* %{{.*}}, i1 false)
gi = __builtin_object_size(p, 0);
// CHECK: call i64 @llvm.objectsize.i64.p0i8(i8* %{{.*}}, i1 false)
gi = __builtin_object_size(p, 1);
// CHECK:= call i64 @llvm.objectsize.i64.p0i8(i8* %{{.*}}, i1 true)
gi = __builtin_object_size(p, 2);
// Note: this is currently fixed at 0 because LLVM doesn't have sufficient
// data to correctly handle type=3
// CHECK: store i32 0
gi = __builtin_object_size(p, 3);
}

test/Sema/const-eval.c

Show First 20 LinesShow All 112 Lines▼ Show 20 Lines
struct PR11391 { _Complex float f; } pr11391; struct PR11391 { _Complex float f; } pr11391;
EVAL_EXPR(42, __builtin_constant_p(pr11391.f = 1)) EVAL_EXPR(42, __builtin_constant_p(pr11391.f = 1))
// PR12043 // PR12043
float varfloat; float varfloat;
const float constfloat = 0; const float constfloat = 0;
EVAL_EXPR(43, varfloat && constfloat) // expected-error {{must have a constant size}} EVAL_EXPR(43, varfloat && constfloat) // expected-error {{must have a constant size}}
// <rdar://problem/11205586>
// (Make sure we continue to reject this.)
EVAL_EXPR(44, "x"[0]); // expected-error {{variable length array}}
// <rdar://problem/10962435> // <rdar://problem/10962435>
EVAL_EXPR(45, ((char*)-1) + 1 == 0 ? 1 : -1) EVAL_EXPR(45, ((char*)-1) + 1 == 0 ? 1 : -1)
EVAL_EXPR(46, ((char*)-1) + 1 < (char*) -1 ? 1 : -1) EVAL_EXPR(46, ((char*)-1) + 1 < (char*) -1 ? 1 : -1)
EVAL_EXPR(47, &x < &x + 1 ? 1 : -1) EVAL_EXPR(47, &x < &x + 1 ? 1 : -1)
EVAL_EXPR(48, &x != &x - 1 ? 1 : -1) EVAL_EXPR(48, &x != &x - 1 ? 1 : -1)
EVAL_EXPR(49, &x < &x - 100 ? 1 : -1) // expected-error {{must have a constant size}} EVAL_EXPR(49, &x < &x - 100 ? 1 : -1) // expected-error {{must have a constant size}}
extern struct Test50S Test50; extern struct Test50S Test50;
EVAL_EXPR(50, &Test50 < (struct Test50S*)((unsigned)&Test50 + 10)) // expected-error {{must have a constant size}} EVAL_EXPR(50, &Test50 < (struct Test50S*)((unsigned)&Test50 + 10)) // expected-error {{must have a constant size}}
// <rdar://problem/11874571> // <rdar://problem/11874571>
EVAL_EXPR(51, 0 != (float)1e99) EVAL_EXPR(51, 0 != (float)1e99)
// PR21945 // PR21945
void PR21945() { int i = (({}), 0l); } void PR21945() { int i = (({}), 0l); }