Download Raw Diff

Details

Reviewers

eugenis
majnemer
chandlerc
efriedma

Commits

rGdf19ad456e7e: [InstCombine] Don't replace allocas with smaller globals
rL306194: [InstCombine] Don't replace allocas with smaller globals

Summary

InstCombine replaces large allocas with small globals consts causing buffer overflows
on valid code, see PR33372.

This fix permits this optimization only if the global is dereference for alloca size.

Diff Detail

Build Status

Buildable 7425
Build 7425: arc lint + arc unit

Event Timeline

vitalybuka created this revision.Jun 16 2017, 5:58 PM

Harbormaster completed remote builds in B7323: Diff 102918.Jun 16 2017, 5:58 PM

Removed file

vitalybuka added reviewers: majnemer, chandlerc.Jun 16 2017, 6:05 PM

vitalybuka retitled this revision from [InstCombine] Don't replace allocas with globals we didn't prove that the global is large enough. to [InstCombine] Don't replace allocas with globals if we can't prove that it's large enough..Jun 16 2017, 6:13 PM

vitalybuka edited the summary of this revision. (Show Details)

vitalybuka edited the summary of this revision. (Show Details)Jun 16 2017, 6:19 PM

Fixed function name

Harbormaster completed remote builds in B7327: Diff 102927.Jun 16 2017, 6:35 PM

I wonder if it makes sense to more aggressively transform the IR in certain cases rather than bail out, since we can prove that the IR is reading uninitialized memory. Something for a future patch, I guess, if someone has a testcase where it matters in practice.

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp
169	Messing with getArraySize() is unnecessary; just return false if isArrayAllocation() is true.
186	If you're going to change the functionality here, you also need to change the name.
test/Transforms/InstCombine/memcpy-from-global.ll
211	Testcase needs comment explaining what it's checking for.

efriedma's comments

Hmm, actually, thinking about it a bit more, I'm not sure this patch is right.

If you were to assume that out-of-bounds loads return undef rather than have undefined behavior, this patch would be unnecessary. There's only one memcpy that writes to the alloca. That memcpy writes N known bytes to the alloca. Any other instruction which accesses the alloca is either reading one of those N bytes, or returns undef, so the returned values are consistent with reading directly from the global.

Of course, that isn't the world we live in; we can't speculate out-of-bounds loads. Therefore, the safety check needs to make sure we aren't introducing any such loads. There are a couple of ways to do that:

Prove that the constant pointer points to at least sizeof(alloca type) bytes of memory. The loads in the rewritten code are out-of-bounds only if they were out-of-bounds in the original code.
Ensure that every load is dominated by the initializing memcpy, and the memcpy copies at least sizeof(alloca type) bytes of memory. If the memcpy is copying too many bytes, it's immediately undefined behavior. Any load dominated by the memcpy is one of the following: in-bounds in the original code, out-of-bounds in the original code, or dominated by undefined behavior.

This patch implements (2)... but only partially: it's missing the dominance check. Testcase something like this:

const char x[1] = { 3 };
char z[10];
int f(bool this_is_false) {
  char y[10];
  if (this_is_false) memcpy(y, x, 10); 
  memcpy(z, y, 10); 
}

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp
175	getZExtValue() will crash on very large lengths.
176	This assertion doesn't seem justified; sure, the memcpy has undefined behavior, but that shouldn't crash the compiler.

In D34311#785745, @efriedma wrote:

Hmm, actually, thinking about it a bit more, I'm not sure this patch is right.

If you were to assume that out-of-bounds loads return undef rather than have undefined behavior, this patch would be unnecessary. There's only one memcpy that writes to the alloca. That memcpy writes N known bytes to the alloca. Any other instruction which accesses the alloca is either reading one of those N bytes, or returns undef, so the returned values are consistent with reading directly from the global.

We have problem with code like this which just crashes even without sanitizers:

const char KKK[] = {1, 1, 2};
char bbb[100000];

void test2() {
  char cc[sizeof(bbb)];
  memcpy(cc, KKK , sizeof(KKK));
  memcpy(bbb, cc, sizeof(bbb));
}

Of course, that isn't the world we live in; we can't speculate out-of-bounds loads. Therefore, the safety check needs to make sure we aren't introducing any such loads. There are a couple of ways to do that:

Prove that the constant pointer points to at least sizeof(alloca type) bytes of memory. The loads in the rewritten code are out-of-bounds only if they were out-of-bounds in the original code.

Yes, but seems this requires more work, and I will have no time to do that any time soon.

Ensure that every load is dominated by the initializing memcpy, and the memcpy copies at least sizeof(alloca type) bytes of memory. If the memcpy is copying too many bytes, it's immediately undefined behavior. Any load dominated by the memcpy is one of the following: in-bounds in the original code, out-of-bounds in the original code, or dominated by undefined behavior.

This patch implements (2)... but only partially: it's missing the dominance check. Testcase something like this:
const char x[1] = { 3 };
char z[10];
int f(bool this_is_false) {
  char y[10];
  if (this_is_false) memcpy(y, x, 10); 
  memcpy(z, y, 10);
}

This is probably separate issue. And I am not sure if understand the problem. If we get to "memcpy(z, y, 10);" without "memcpy(y, x, 10);" I'd expect we don't care if "y" is uninitialized bytes or global constant. We will have no buffer overflow which I am trying to fix.

Removed assert and getZExtValue

If we get to "memcpy(z, y, 10);" without "memcpy(y, x, 10);" I'd expect we don't care if "y" is uninitialized bytes or global constant. We will have no buffer overflow which I am trying to fix.

If "this_is_false" is true, the function has undefined behavior, if it's false, it overwrites z with uninitialized memory, which is fine (in IR). But it incorrectly passes the isCompletelyOverwritten() check, so instcombine will transform it to "memcpy(z, x, 10);", which is reading past the end of the global.

In D34311#785988, @efriedma wrote:

If we get to "memcpy(z, y, 10);" without "memcpy(y, x, 10);" I'd expect we don't care if "y" is uninitialized bytes or global constant. We will have no buffer overflow which I am trying to fix.

If "this_is_false" is true, the function has undefined behavior, if it's false, it overwrites z with uninitialized memory, which is fine (in IR). But it incorrectly passes the isCompletelyOverwritten() check, so instcombine will transform it to "memcpy(z, x, 10);", which is reading past the end of the global.

Oh, I see now, I didn't noticed that "if" already had overflow.

Prove that the constant pointer points to at least sizeof(alloca type) bytes of memory. The loads in the rewritten code are out-of-bounds only if they were out-of-bounds in the original code.

I will try to look into this. Any pointers on how to find available size in the constant? I guess we need to handle the case when memcpy source points into a middle of the global.

There's a isDereferenceableAndAlignedPointer helper which does this sort of check. See also https://reviews.llvm.org/D34467.

vitalybuka retitled this revision from [InstCombine] Don't replace allocas with globals if we can't prove that it's large enough. to [InstCombine] Don't replace allocas with smaller globals.Jun 23 2017, 5:05 PM

vitalybuka edited the summary of this revision. (Show Details)

Use isDereferenceableAndAlignedPointer to check global size

efriedma added inline comments.Jun 23 2017, 5:22 PM

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp
203	Doesn't the alignment here need to be the alignment of the alloca, rather than "1"?

Use alloca alignment

Harbormaster completed remote builds in B7551: Diff 103814.Jun 23 2017, 5:49 PM

vitalybuka marked an inline comment as done.Jun 23 2017, 5:50 PM

vitalybuka added inline comments.Jun 23 2017, 5:55 PM

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp
203	I'd expect it's not important as alignment of the source is not less than alloca.

vitalybuka marked an inline comment as done.Jun 23 2017, 5:56 PM

LGTM.

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp
203	If you don't check the alignment, you need to check that the memcpy dominates the reads from the alloca.

efriedma accepted this revision.Jun 23 2017, 6:14 PM

This revision is now accepted and ready to land.Jun 23 2017, 6:14 PM

Closed by commit rL306194: [InstCombine] Don't replace allocas with smaller globals (authored by vitalybuka). · Explain WhyJun 23 2017, 6:36 PM

This revision was automatically updated to reflect the committed changes.

vitalybuka mentioned this in rL306193: Make visible isDereferenceableAndAlignedPointer(..., const APInt &Size, ...).

Diff 103266

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp

Show First 20 Lines • Show All 151 Lines • ▼ Show 20 Lines	for (auto &U : ValuePair.first->uses()) {

// Otherwise, the transform is safe. Remember the copy instruction.		// Otherwise, the transform is safe. Remember the copy instruction.
TheCopy = MI;		TheCopy = MI;
}		}
}		}
return true;		return true;
}		}

		/// Returns true if MemTransferInst overwrites entire alloca.
		static bool isCompletelyOverwritten(const AllocaInst &AI,
		const MemTransferInst &TheCopy) {
		if (AI.isArrayAllocation())
		return false;

		const DataLayout &DL = AI.getModule()->getDataLayout();
		uint64_t AllocaSize = DL.getTypeStoreSize(AI.getAllocatedType());
		if (!AllocaSize)
		return false;
		efriedmaUnsubmitted Done Reply Inline Actions Messing with getArraySize() is unnecessary; just return false if isArrayAllocation() is true. efriedma: Messing with getArraySize() is unnecessary; just return false if isArrayAllocation() is true.

		ConstantInt *CopyLength = dyn_cast<ConstantInt>(TheCopy.getLength());
		if (!CopyLength)
		return false;

		uint64_t CopySize = CopyLength->getLimitedValue();
		efriedmaUnsubmitted Done Reply Inline Actions getZExtValue() will crash on very large lengths. efriedma: getZExtValue() will crash on very large lengths.
		if (CopySize < AllocaSize)
		efriedmaUnsubmitted Done Reply Inline Actions This assertion doesn't seem justified; sure, the memcpy has undefined behavior, but that shouldn't crash the compiler. efriedma: This assertion doesn't seem justified; sure, the memcpy has undefined behavior, but that…
		return false;

		return true;
		}

/// isOnlyCopiedFromConstantGlobal - Return true if the specified alloca is only		/// isOnlyCopiedFromConstantGlobal - Return true if the specified alloca is only
/// modified by a copy from a constant global. If we can prove this, we can		/// modified by a copy from a constant global. If we can prove this, we can
/// replace any uses of the alloca with uses of the global directly.		/// replace any uses of the alloca with uses of the global directly.
static MemTransferInst *		static MemTransferInst *
isOnlyCopiedFromConstantGlobal(AllocaInst *AI,		isOnlyCopiedFromConstantGlobal(AllocaInst *AI,
		efriedmaUnsubmitted Done Reply Inline Actions If you're going to change the functionality here, you also need to change the name. efriedma: If you're going to change the functionality here, you also need to change the name.
SmallVectorImpl<Instruction *> &ToDelete) {		SmallVectorImpl<Instruction *> &ToDelete) {
MemTransferInst *TheCopy = nullptr;		MemTransferInst *TheCopy = nullptr;
if (isOnlyCopiedFromConstantGlobal(AI, TheCopy, ToDelete))		if (isOnlyCopiedFromConstantGlobal(AI, TheCopy, ToDelete) && TheCopy &&
		isCompletelyOverwritten(AI, TheCopy))
return TheCopy;		return TheCopy;
return nullptr;		return nullptr;
}		}

static Instruction *simplifyAllocaArraySize(InstCombiner &IC, AllocaInst &AI) {		static Instruction *simplifyAllocaArraySize(InstCombiner &IC, AllocaInst &AI) {
// Check for array size of 1 (scalar allocation).		// Check for array size of 1 (scalar allocation).
if (!AI.isArrayAllocation()) {		if (!AI.isArrayAllocation()) {
// i32 1 is the canonical array size for scalar allocations.		// i32 1 is the canonical array size for scalar allocations.
if (AI.getArraySize()->getType()->isIntegerTy(32))		if (AI.getArraySize()->getType()->isIntegerTy(32))
return nullptr;		return nullptr;

// Canonicalize it.		// Canonicalize it.
Value *V = IC.Builder->getInt32(1);		Value *V = IC.Builder->getInt32(1);
		efriedmaUnsubmitted Done Reply Inline Actions Doesn't the alignment here need to be the alignment of the alloca, rather than "1"? efriedma: Doesn't the alignment here need to be the alignment of the alloca, rather than "1"?
		vitalybukaAuthorUnsubmitted Done Reply Inline Actions I'd expect it's not important as alignment of the source is not less than alloca. vitalybuka: I'd expect it's not important as alignment of the source is not less than alloca.
		efriedmaUnsubmitted Not Done Reply Inline Actions If you don't check the alignment, you need to check that the memcpy dominates the reads from the alloca. efriedma: If you don't check the alignment, you need to check that the memcpy dominates the reads from…
AI.setOperand(0, V);		AI.setOperand(0, V);
return &AI;		return &AI;
}		}

// Convert: alloca Ty, C - where C is a constant != 1 into: alloca [C x Ty], 1		// Convert: alloca Ty, C - where C is a constant != 1 into: alloca [C x Ty], 1
if (const ConstantInt *C = dyn_cast<ConstantInt>(AI.getArraySize())) {		if (const ConstantInt *C = dyn_cast<ConstantInt>(AI.getArraySize())) {
Type *NewTy = ArrayType::get(AI.getAllocatedType(), C->getZExtValue());		Type *NewTy = ArrayType::get(AI.getAllocatedType(), C->getZExtValue());
AllocaInst *New = IC.Builder->CreateAlloca(NewTy, nullptr, AI.getName());		AllocaInst *New = IC.Builder->CreateAlloca(NewTy, nullptr, AI.getName());
▲ Show 20 Lines • Show All 1,365 Lines • Show Last 20 Lines

test/Transforms/InstCombine/memcpy-from-global.ll

Show First 20 Lines • Show All 198 Lines • ▼ Show 20 Lines	define void @test9_addrspacecast() {
%A = alloca %U, align 4		%A = alloca %U, align 4
%a = bitcast %U* %A to i8*		%a = bitcast %U* %A to i8*
call void @llvm.memcpy.p0i8.p1i8.i64(i8* %a, i8 addrspace(1)* addrspacecast (%U* getelementptr ([2 x %U], [2 x %U]* @H, i64 0, i32 1) to i8 addrspace(1)*), i64 20, i32 4, i1 false)		call void @llvm.memcpy.p0i8.p1i8.i64(i8* %a, i8 addrspace(1)* addrspacecast (%U* getelementptr ([2 x %U], [2 x %U]* @H, i64 0, i32 1) to i8 addrspace(1)*), i64 20, i32 4, i1 false)
call void @bar(i8* %a) readonly		call void @bar(i8* %a) readonly
; CHECK-LABEL: @test9_addrspacecast(		; CHECK-LABEL: @test9_addrspacecast(
; CHECK-NEXT: call void @bar(i8* bitcast (%U* getelementptr inbounds ([2 x %U], [2 x %U]* @H, i64 0, i64 1) to i8*))		; CHECK-NEXT: call void @bar(i8* bitcast (%U* getelementptr inbounds ([2 x %U], [2 x %U]* @H, i64 0, i64 1) to i8*))
ret void		ret void
}		}

		@bbb = local_unnamed_addr global [1000000 x i8] zeroinitializer, align 16
		@_ZL3KKK = internal unnamed_addr constant [3 x i8] c"\01\01\02", align 1

		; Should not replace alloca with global because of size mismatch.
		efriedmaUnsubmitted Done Reply Inline Actions Testcase needs comment explaining what it's checking for. efriedma: Testcase needs comment explaining what it's checking for.
		define void @test9_small_global() {
		; CHECK-LABEL: @test9_small_global(
		; CHECK-NOT: call void @llvm.memcpy.p0i8.p0i8.i64({{.}}@bbb,{{.}}@_ZL3KKK,
		; CHECK: alloca [1000000 x i8]
		entry:
		%cc = alloca [1000000 x i8], align 16
		%cc.0..sroa_idx = getelementptr inbounds [1000000 x i8], [1000000 x i8]* %cc, i64 0, i64 0
		%arraydecay = getelementptr inbounds [1000000 x i8], [1000000 x i8]* %cc, i32 0, i32 0
		call void @llvm.memcpy.p0i8.p0i8.i64(i8* %arraydecay, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @_ZL3KKK, i32 0, i32 0), i64 3, i32 1, i1 false)
		call void @llvm.memcpy.p0i8.p0i8.i64(i8* getelementptr inbounds ([1000000 x i8], [1000000 x i8]* @bbb, i32 0, i32 0), i8* %arraydecay, i64 1000000, i32 16, i1 false)
		ret void
		}

		; Should replace alloca with global as they have exactly the same size.
		define void @test10_same_global() {
		; CHECK-LABEL: @test10_same_global(
		; CHECK-NOT: alloca
		; CHECK: call void @llvm.memcpy.p0i8.p0i8.i64({{.}}@bbb,{{.}}@_ZL3KKK,{{.*}}, i64 3, i32 1, i1 false)
		entry:
		%cc = alloca [3 x i8], align 1
		%cc.0..sroa_idx = getelementptr inbounds [3 x i8], [3 x i8]* %cc, i64 0, i64 0
		%arraydecay = getelementptr inbounds [3 x i8], [3 x i8]* %cc, i32 0, i32 0
		call void @llvm.memcpy.p0i8.p0i8.i64(i8* %arraydecay, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @_ZL3KKK, i32 0, i32 0), i64 3, i32 1, i1 false)
		call void @llvm.memcpy.p0i8.p0i8.i64(i8* getelementptr inbounds ([1000000 x i8], [1000000 x i8]* @bbb, i32 0, i32 0), i8* %arraydecay, i64 3, i32 1, i1 false)
		ret void
		}

This is an archive of the discontinued LLVM Phabricator instance.

[InstCombine] Don't replace allocas with smaller globals
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 103266

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp

test/Transforms/InstCombine/memcpy-from-global.ll

This is an archive of the discontinued LLVM Phabricator instance.

[InstCombine] Don't replace allocas with smaller globalsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 103266

lib/Transforms/InstCombine/InstCombineLoadStoreAlloca.cpp

test/Transforms/InstCombine/memcpy-from-global.ll

[InstCombine] Don't replace allocas with smaller globals
ClosedPublic