This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/builtins/
-
lib/
-
builtins/
2/2
floatsidf.c
1/1
floatsisf.c

Differential D146123

[builtins] Avoid undefined behavior when calculating absolute value in floatsidf.c and floatsisf.c
ClosedPublic

Authored by Ka-Ka on Mar 15 2023, 3:27 AM.

Download Raw Diff

Details

Reviewers

MaskRay
atrosinenko
scanon
phosek

Commits

rGff14585eb02f: [builtins] Avoid undefined behavior when calculating absolute value in…

Summary

When compiling compiler-rt with -fsanitize=undefined and running testcases you
end up with the following warning:

UBSan: floatsidf.c:32:9: negation of -2147483648 cannot be represented in type 'si_int' (aka 'long'); cast to an unsigned type to negate this value to itself

The same kind of pattern exists in floatsisf.c

This was found in an out of tree target.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

Ka-Ka created this revision.Mar 15 2023, 3:27 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 15 2023, 3:27 AM

Herald added subscribers: Enna1, dberris. · View Herald Transcript

Ka-Ka requested review of this revision.Mar 15 2023, 3:27 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 15 2023, 3:27 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B219589: Diff 505426.Mar 15 2023, 3:50 AM

uabelho added a subscriber: uabelho.Mar 15 2023, 3:56 AM

Ka-Ka edited the summary of this revision. (Show Details)Mar 15 2023, 8:48 AM

Ka-Ka added a reviewer: phosek.Mar 17 2023, 12:55 AM

MaskRay added inline comments.Aug 21 2023, 11:51 PM

compiler-rt/lib/builtins/floatsidf.c
33	Just use unary `-`: `-(su_int)a`
compiler-rt/lib/builtins/floatsisf.c
33	ditto

[compiler-rt]

[builtins] should be more specific. For many projects, we don't use the top-level project name as the tag (which can be simplified inferred from the toplevel path name, so less useful).

The patch was rebased and updated according to comments.

Ka-Ka retitled this revision from [compiler-rt] Avoid undefined behavior when calculating absolute value in floatsidf.c and floatsisf.c to [builtins] Avoid undefined behavior when calculating absolute value in floatsidf.c and floatsisf.c.Aug 22 2023, 2:00 AM

Ka-Ka edited the summary of this revision. (Show Details)

Harbormaster completed remote builds in B254031: Diff 552268.Aug 22 2023, 2:58 AM

Sorry for just noticing the patch. https://llvm.org/docs/CodeReview.html#lgtm-how-a-patch-is-accepted feel free to ping a patch when there is no response after a week :)

This revision is now accepted and ready to land.Aug 22 2023, 10:53 AM

MaskRay added inline comments.Aug 22 2023, 10:55 AM

compiler-rt/lib/builtins/floatsidf.c
33	I think `aAbs = -aAbs` can be used as well, not sure which is clearer. `aAbs = -aAbs` avoids a type conversion.

Closed by commit rGff14585eb02f: [builtins] Avoid undefined behavior when calculating absolute value in… (authored by Ka-Ka). · Explain WhyAug 22 2023, 11:58 PM

This revision was automatically updated to reflect the committed changes.

Ka-Ka marked an inline comment as done.

Ka-Ka added a commit: rGff14585eb02f: [builtins] Avoid undefined behavior when calculating absolute value in….

In D146123#4607489, @MaskRay wrote:

Sorry for just noticing the patch. https://llvm.org/docs/CodeReview.html#lgtm-how-a-patch-is-accepted feel free to ping a patch when there is no response after a week :)

No problem. I didn't ping the review as this patch was not that important for us, as we in our of tree target have started to, as a workaround, compile compiler-rt with -fwrapv to avoid these kind of problems. I still think there are several signed integer overflow problem left to fix in the builtins in compiler-rt. If it is important to fix those I can probably take another look at this, as we in the future want to remove the use of -fwrapv.

In D146123#4609123, @Ka-Ka wrote:

In D146123#4607489, @MaskRay wrote:

Sorry for just noticing the patch. https://llvm.org/docs/CodeReview.html#lgtm-how-a-patch-is-accepted feel free to ping a patch when there is no response after a week :)

No problem. I didn't ping the review as this patch was not that important for us, as we in our of tree target have started to, as a workaround, compile compiler-rt with -fwrapv to avoid these kind of problems. I still think there are several signed integer overflow problem left to fix in the builtins in compiler-rt. If it is important to fix those I can probably take another look at this, as we in the future want to remove the use of -fwrapv.

Sounds good! How do you build lib/builtins with -fsanitize=undefined?

compiler-rt provides runtime library of sanitizers and many components cannot be instrumented by sanitizers.

Building lib/builtins with non-trap-mode -fsanitize=undefined has a layering issue: sanitizer libraries depend on builtins, so builtins should not depend on sanitizer libraries.
Though with lld's archive semantics this violation is probably fine.

In D146123#4609136, @MaskRay wrote:

In D146123#4609123, @Ka-Ka wrote:

In D146123#4607489, @MaskRay wrote:

Sorry for just noticing the patch. https://llvm.org/docs/CodeReview.html#lgtm-how-a-patch-is-accepted feel free to ping a patch when there is no response after a week :)

No problem. I didn't ping the review as this patch was not that important for us, as we in our of tree target have started to, as a workaround, compile compiler-rt with -fwrapv to avoid these kind of problems. I still think there are several signed integer overflow problem left to fix in the builtins in compiler-rt. If it is important to fix those I can probably take another look at this, as we in the future want to remove the use of -fwrapv.

Sounds good! How do you build lib/builtins with -fsanitize=undefined?

compiler-rt provides runtime library of sanitizers and many components cannot be instrumented by sanitizers.

Building lib/builtins with non-trap-mode -fsanitize=undefined has a layering issue: sanitizer libraries depend on builtins, so builtins should not depend on sanitizer libraries.
Though with lld's archive semantics this violation is probably fine.

I build in our out of tree target with -fsanitize=undefined and our own adapted -fsanitize-minimal-runtime.

Revision Contents

Path

Size

compiler-rt/

lib/

builtins/

floatsidf.c

7 lines

floatsisf.c

11 lines

Diff 505426

compiler-rt/lib/builtins/floatsidf.c

Show All 21 Lines	COMPILER_RT_ABI fp_t __floatsidf(si_int a) {
const int aWidth = sizeof a * CHAR_BIT;		const int aWidth = sizeof a * CHAR_BIT;

// Handle zero as a special case to protect clz		// Handle zero as a special case to protect clz
if (a == 0)		if (a == 0)
return fromRep(0);		return fromRep(0);

// All other cases begin by extracting the sign and absolute value of a		// All other cases begin by extracting the sign and absolute value of a
rep_t sign = 0;		rep_t sign = 0;
		su_int aAbs = (su_int)a;
if (a < 0) {		if (a < 0) {
sign = signBit;		sign = signBit;
a = -a;		aAbs = ~(su_int)a + (su_int)1U;
		MaskRayUnsubmitted Done Reply Inline Actions Just use unary `-`: `-(su_int)a` MaskRay: Just use unary `-`: `-(su_int)a`
		MaskRayUnsubmitted Done Reply Inline Actions I think `aAbs = -aAbs` can be used as well, not sure which is clearer. `aAbs = -aAbs` avoids a type conversion. MaskRay: I think `aAbs = -aAbs` can be used as well, not sure which is clearer. `aAbs = -aAbs` avoids a…
}		}

// Exponent of (fp_t)a is the width of abs(a).		// Exponent of (fp_t)a is the width of abs(a).
const int exponent = (aWidth - 1) - clzsi(a);		const int exponent = (aWidth - 1) - clzsi(aAbs);
rep_t result;		rep_t result;

// Shift a into the significand field and clear the implicit bit. Extra		// Shift a into the significand field and clear the implicit bit. Extra
// cast to unsigned int is necessary to get the correct behavior for		// cast to unsigned int is necessary to get the correct behavior for
// the input INT_MIN.		// the input INT_MIN.
const int shift = significandBits - exponent;		const int shift = significandBits - exponent;
result = (rep_t)(su_int)a << shift ^ implicitBit;		result = (rep_t)aAbs << shift ^ implicitBit;

// Insert the exponent		// Insert the exponent
result += (rep_t)(exponent + exponentBias) << significandBits;		result += (rep_t)(exponent + exponentBias) << significandBits;
// Insert the sign bit and return		// Insert the sign bit and return
return fromRep(result \| sign);		return fromRep(result \| sign);
}		}

#if defined(__ARM_EABI__)		#if defined(__ARM_EABI__)
#if defined(COMPILER_RT_ARMHF_TARGET)		#if defined(COMPILER_RT_ARMHF_TARGET)
AEABI_RTABI fp_t __aeabi_i2d(si_int a) { return __floatsidf(a); }		AEABI_RTABI fp_t __aeabi_i2d(si_int a) { return __floatsidf(a); }
#else		#else
COMPILER_RT_ALIAS(__floatsidf, __aeabi_i2d)		COMPILER_RT_ALIAS(__floatsidf, __aeabi_i2d)
#endif		#endif
#endif		#endif

compiler-rt/lib/builtins/floatsisf.c

Show All 21 Lines	COMPILER_RT_ABI fp_t __floatsisf(si_int a) {
const int aWidth = sizeof a * CHAR_BIT;		const int aWidth = sizeof a * CHAR_BIT;

// Handle zero as a special case to protect clz		// Handle zero as a special case to protect clz
if (a == 0)		if (a == 0)
return fromRep(0);		return fromRep(0);

// All other cases begin by extracting the sign and absolute value of a		// All other cases begin by extracting the sign and absolute value of a
rep_t sign = 0;		rep_t sign = 0;
		su_int aAbs = (su_int)a;
if (a < 0) {		if (a < 0) {
sign = signBit;		sign = signBit;
a = -a;		aAbs = ~(su_int)a + (su_int)1U;
		MaskRayUnsubmitted Done Reply Inline Actions ditto MaskRay: ditto
}		}

// Exponent of (fp_t)a is the width of abs(a).		// Exponent of (fp_t)a is the width of abs(a).
const int exponent = (aWidth - 1) - clzsi(a);		const int exponent = (aWidth - 1) - clzsi(aAbs);
rep_t result;		rep_t result;

// Shift a into the significand field, rounding if it is a right-shift		// Shift a into the significand field, rounding if it is a right-shift
if (exponent <= significandBits) {		if (exponent <= significandBits) {
const int shift = significandBits - exponent;		const int shift = significandBits - exponent;
result = (rep_t)a << shift ^ implicitBit;		result = (rep_t)aAbs << shift ^ implicitBit;
} else {		} else {
const int shift = exponent - significandBits;		const int shift = exponent - significandBits;
result = (rep_t)a >> shift ^ implicitBit;		result = (rep_t)aAbs >> shift ^ implicitBit;
rep_t round = (rep_t)a << (typeWidth - shift);		rep_t round = (rep_t)aAbs << (typeWidth - shift);
if (round > signBit)		if (round > signBit)
result++;		result++;
if (round == signBit)		if (round == signBit)
result += result & 1;		result += result & 1;
}		}

// Insert the exponent		// Insert the exponent
result += (rep_t)(exponent + exponentBias) << significandBits;		result += (rep_t)(exponent + exponentBias) << significandBits;
Show All 11 Lines