This is an archive of the discontinued LLVM Phabricator instance.

Differential D151638

[TRE] icmp does not escape an alloca
AbandonedPublic

Authored by caojoshua on May 28 2023, 8:58 PM.

Details

Reviewers
nikic
efriedma
avl
jdoerfert
Summary

Potentially fixes https://github.com/rust-lang/rust/issues/111603.
Marking tail calls helps MemCpyOptimizer and AliasAnalysis remove a
memcpy.

Diff Detail

Event Timeline

caojoshua created this revision.May 28 2023, 8:58 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 28 2023, 8:58 PM
Herald added subscribers: laytonio, hiraditya. · View Herald Transcript
Harbormaster completed remote builds in B235095: Diff 526365.May 28 2023, 8:59 PM
caojoshua added reviewers: nikic, efriedma, avl.May 28 2023, 9:00 PM
Herald added a subscriber: StephenFan. · View Herald TranscriptMay 28 2023, 9:00 PM
caojoshua updated this revision to Diff 526367.May 28 2023, 9:04 PM
caojoshua edited the summary of this revision. (Show Details)

Add details to commit msg

Herald added subscribers: kmitropoulou, asbirlea, JDevlieghere. · View Herald TranscriptMay 28 2023, 9:04 PM
Harbormaster completed remote builds in B235097: Diff 526367.May 28 2023, 9:05 PM
caojoshua updated this revision to Diff 526380.May 28 2023, 10:05 PM
caojoshua edited the summary of this revision. (Show Details)

edit commit msg

Harbormaster completed remote builds in B235108: Diff 526380.May 28 2023, 10:06 PM
caojoshua published this revision for review.May 28 2023, 10:25 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 28 2023, 10:25 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
nikic requested changes to this revision.May 29 2023, 12:16 AM

This should be implemented in CaptureTracking first and foremost. TRE can be adjusted afterwards, or preferably should use CaptureTracking as well, instead of doing its own, incorrect reimplementation.

Just considering all icmps non-escaping is obviously wrong. The property you are looking for here is that if you have an icmp where both sides are at some offset of the same underlying object, then the icmp will only compare the offsets and not leak any bits of the pointer, and as such is not capturing.

This revision now requires changes to proceed.May 29 2023, 12:16 AM
caojoshua added a comment.May 29 2023, 12:42 AM
In D151638#4378825, @nikic wrote:

This should be implemented in CaptureTracking first and foremost. TRE can be adjusted afterwards, or preferably should use CaptureTracking as well, instead of doing its own, incorrect reimplementation.

Just considering all icmps non-escaping is obviously wrong. The property you are looking for here is that if you have an icmp where both sides are at some offset of the same underlying object, then the icmp will only compare the offsets and not leak any bits of the pointer, and as such is not capturing.

Thanks for review. I don't understand how icmp's leak bits of a pointer. I asked this in https://discord.com/channels/636084430946959380/636732535434510338/1112644263029776414 as well. Could you take a look?

nikic added a comment.May 29 2023, 4:16 AM
In D151638#4378847, @caojoshua wrote:
In D151638#4378825, @nikic wrote:

This should be implemented in CaptureTracking first and foremost. TRE can be adjusted afterwards, or preferably should use CaptureTracking as well, instead of doing its own, incorrect reimplementation.

Just considering all icmps non-escaping is obviously wrong. The property you are looking for here is that if you have an icmp where both sides are at some offset of the same underlying object, then the icmp will only compare the offsets and not leak any bits of the pointer, and as such is not capturing.

Thanks for review. I don't understand how icmp's leak bits of a pointer. I asked this in https://discord.com/channels/636084430946959380/636732535434510338/1112644263029776414 as well. Could you take a look?

In the simplest case, icmp ptr eq %p, %p2 leaks whether the address of %p is the same as %p2. You could loop over all 2^64 possible %p2 to determine the address. Or more realistically, you could use inequality comparisons to bisect the address. Effectively you can implement ptrtoint with it.

That said, I've looked a bit closer at what this specific pass does, and as far as I can tell it does not actually care about address capture, only about provenance escape. So I think the legality question as far as this pass is concerned is, after determining the bits of the alloca address via a sequence of icmps, is it legal to perform an inttoptr operation and dereference the result? That is, does icmp only leak address bits, or can it also leak provenance?

If icmp does not leak provenance, then your patch is correct as-is. Otherwise we need the general reasoning about whether the icmp is capturing or not, as I described above.

I think icmp shouldn't leak provenance, but I couldn't find a definitive statement on this. Possibly this is caught up in the larger question of the provenance model around pointer/integer conversions, which icmps effectively perform.

Maybe @efriedma could comment on this.

caojoshua added a comment.May 29 2023, 11:20 AM

I also think that icmp should not leak provenance. However, after looking at your example, I think TRE actually does care about address capture. If the address is captured by another pointer such as %p2 in your example, and we pass that pointer as an argument to a capturing call, %p is also captured and we can't mark tail calls. In this case, my patch is incorrect.

This should be implemented in CaptureTracking first and foremost. TRE can be adjusted afterwards, or preferably should use CaptureTracking as well, instead of doing its own, incorrect reimplementation.
Just considering all icmps non-escaping is obviously wrong. The property you are looking for here is that if you have an icmp where both sides are at some offset of the same underlying object, then the icmp will only compare the offsets and not leak any bits of the pointer, and as such is not capturing.

Extending CaptureTracking to support icmp's of pointers with the same underlying object seems like a reasonable choice. TRE's ad-hoc escape analysis has some specifics that may make it non-trivial to port to CaptureTracking, but we can look at that afterwards.

jdoerfert requested changes to this revision.May 29 2023, 11:27 AM
jdoerfert added a subscriber: jdoerfert.

ICMP, in general, captures. Check the tests for the capture tracker for examples.

khei4 added a subscriber: khei4.May 29 2023, 6:58 PM
Dushistov added a subscriber: Dushistov.May 31 2023, 3:31 PM
caojoshua abandoned this revision.May 31 2023, 8:54 PM

I'm going to abandon this. This issue can be solved in other ways. CaptureTracking can be improved, and this TRE-specific escape analysis can probably be rewritten in ways that depend on capture tracking

Revision Contents

PathSize
llvm/
lib/
Transforms/
Scalar/
1 line
test/
Transforms/
TailCallElim/
2 lines

Diff 526380

llvm/lib/Transforms/Scalar/TailRecursionElimination.cpp

Show First 20 LinesShow All 137 Lines▼ Show 20 Lines while (!Worklist.empty()) {
callUsesLocalStack(CB, IsNocapture); callUsesLocalStack(CB, IsNocapture);
if (IsNocapture) { if (IsNocapture) {
// If the alloca-derived argument is passed in as nocapture, then it // If the alloca-derived argument is passed in as nocapture, then it
// can't propagate to the call's return. That would be capturing. // can't propagate to the call's return. That would be capturing.
continue; continue;
} }
break; break;
} }
case Instruction::ICmp:
case Instruction::Load: { case Instruction::Load: {
// The result of a load is not alloca-derived (unless an alloca has // The result of a load is not alloca-derived (unless an alloca has
// otherwise escaped, but this is a local analysis). // otherwise escaped, but this is a local analysis).
continue; continue;
} }
case Instruction::Store: { case Instruction::Store: {
if (U->getOperandNo() == 0) if (U->getOperandNo() == 0)
EscapePoints.insert(I); EscapePoints.insert(I);
▲ Show 20 LinesShow All 788 LinesShow Last 20 Lines

llvm/test/Transforms/TailCallElim/basic.ll

Show First 20 LinesShow All 239 Lines▼ Show 20 Linesentry:
call void @llvm.memcpy.p0.p0.i64(ptr %agg.tmp, ptr %f, i64 40, i1 false) call void @llvm.memcpy.p0.p0.i64(ptr %agg.tmp, ptr %f, i64 40, i1 false)
call void @bar(ptr byval(%struct.foo) %agg.tmp) call void @bar(ptr byval(%struct.foo) %agg.tmp)
ret void ret void
} }
; Test that using an alloca in a icmp does not escape it ; Test that using an alloca in a icmp does not escape it
define void @test16() { define void @test16() {
; CHECK-LABEL: @test16 ; CHECK-LABEL: @test16
; CHECK-NOT: tail call void @noarg ; CHECK: tail call void @noarg
; CHECK-NOT: tail call void @use ; CHECK-NOT: tail call void @use
entry: entry:
%alloca = alloca [100 x i32] %alloca = alloca [100 x i32]
%add.ptr = getelementptr inbounds i32, ptr %alloca, i64 200 %add.ptr = getelementptr inbounds i32, ptr %alloca, i64 200
br label %while.cond br label %while.cond
while.cond: ; preds = %while.body, %entry while.cond: ; preds = %while.body, %entry
%iter.0 = phi ptr [ %alloca, %entry ], [ %add.ptr2, %while.body ] %iter.0 = phi ptr [ %alloca, %entry ], [ %add.ptr2, %while.body ]
Show All 16 Lines