This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/trunk/docs/
-
trunk/
-
docs/
-
LangRef.rst

Differential D49041

[LangRef] Clarify undefined behavior for function attributes.
ClosedPublic

Authored by efriedma on Jul 6 2018, 1:45 PM.

Download Raw Diff

Details

Reviewers

nlopes
hfinkel
spatel
fhahn
sanjoy

Commits

rG0f522bdbac1f: [LangRef] Clarify undefined behavior for function attributes.
rL337947: [LangRef] Clarify undefined behavior for function attributes.

Summary

Violating the invariants specified by attributes is undefined behavior. Maybe we could use poison instead for some of the parameter attributes, but I don't think it's worthwhile.

Diff Detail

Repository: rL LLVM

Event Timeline

efriedma created this revision.Jul 6 2018, 1:45 PM

nlopes added inline comments.Jul 8 2018, 8:05 AM

docs/LangRef.rst
1540 ↗	(On Diff #154450)	uhm, in the way it's written, functions marked with readnone, readonly, writeonly, argmemonly cannot e.g. divide by 0. So either all divisions are guarded to ensure that they never trigger UB, or functions with potentially unsafe divisions cannot be marked as *only. Is this intended? For readnone/readonly I can see the motivation: this allows hoisting these functions safely (modulo the non-returning functions problem). For write-only and argmemonly, what's the motivation to block any other UB? Should the has-no-UB bit be split into a separate flag? Are there use cases for the clients of readnone/readonly? I guess at least ModRef could benefit of a readonly without the no-UB bit?

sanjoy added inline comments.Jul 8 2018, 10:47 AM

docs/LangRef.rst
1540 ↗	(On Diff #154450)	We should also state that these properties need to hold for all inputs to the function. I too think the no-UB property should have a different bit, otherwise we will have a harder time inferring `readnone` -- we'd have to do some control flow analysis to ensure that we don't branch on inputs that could possibly be poison and that we don't have (UB via) infloops.

hfinkel added inline comments.Jul 8 2018, 2:47 PM

docs/LangRef.rst
1540 ↗	(On Diff #154450)	I also agree. We need a separate attribute for the no-UB part. I'd like to have it, but it will be a breaking change to add to the semantics for readnone.

a.elovikov added a subscriber: a.elovikov.Jul 9 2018, 1:11 AM

efriedma added inline comments.Jul 9 2018, 12:55 PM

docs/LangRef.rst
1540 ↗	(On Diff #154450)	The intent here is that a function can have undefined behavior even if it's "readnone"; undefined behavior isn't a side-effect. (The "other side-effects" bit is supposed to cover external state changes, like a syscall, which might not modify memory visible to the process.) Do you have a suggested rewrite to make that more clear? We already have a "speculatable" attribute to mark a function as never-UB; some intrinsics have this marking.

hfinkel added inline comments.Jul 10 2018, 9:21 AM

docs/LangRef.rst
1540 ↗	(On Diff #154450)	We already have a "speculatable" attribute to mark a function as never-UB; some intrinsics have this marking. Sadly, I'd completely forgotten that we had finally added this attribute. We aren't inferring it, however. A patch to do that: D49144.

efriedma mentioned this in D49144: [FunctionAttrs] Infer the speculatable attribute.Jul 10 2018, 11:39 AM

Ping

LGTM

This revision is now accepted and ready to land.Jul 19 2018, 10:01 AM

Closed by commit rL337947: [LangRef] Clarify undefined behavior for function attributes. (authored by efriedma). · Explain WhyJul 25 2018, 11:27 AM

This revision was automatically updated to reflect the committed changes.

efriedma mentioned this in D70749: [InstCombine] do not insert nonnull assumption for undef.Nov 27 2019, 4:15 PM

Revision Contents

Path

Size

llvm/

trunk/

docs/

LangRef.rst

29 lines

Diff 157323

llvm/trunk/docs/LangRef.rst

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 1,042 Lines • ▼ Show 20 Lines	``inalloca``
used in conjunction with other attributes that affect argument		used in conjunction with other attributes that affect argument
storage, like ``inreg``, ``nest``, ``sret``, or ``byval``. The		storage, like ``inreg``, ``nest``, ``sret``, or ``byval``. The
``inalloca`` attribute also disables LLVM's implicit lowering of		``inalloca`` attribute also disables LLVM's implicit lowering of
large aggregate return values, which means that frontend authors		large aggregate return values, which means that frontend authors
must lower them with ``sret`` pointers.		must lower them with ``sret`` pointers.

When the call site is reached, the argument allocation must have		When the call site is reached, the argument allocation must have
been the most recent stack allocation that is still live, or the		been the most recent stack allocation that is still live, or the
results are undefined. It is possible to allocate additional stack		behavior is undefined. It is possible to allocate additional stack
space after an argument allocation and before its call site, but it		space after an argument allocation and before its call site, but it
must be cleared off with :ref:`llvm.stackrestore		must be cleared off with :ref:`llvm.stackrestore
<int_stackrestore>`.		<int_stackrestore>`.

See :doc:`InAlloca` for more information on how to use this		See :doc:`InAlloca` for more information on how to use this
attribute.		attribute.

``sret``		``sret``
▲ Show 20 Lines • Show All 57 Lines • ▼ Show 20 Lines	``returned``
checked or enforced when generating the callee. The parameter and the		checked or enforced when generating the callee. The parameter and the
function return type must be valid operands for the		function return type must be valid operands for the
:ref:`bitcast instruction <i_bitcast>`. This is not a valid attribute for		:ref:`bitcast instruction <i_bitcast>`. This is not a valid attribute for
return values and can only be applied to one parameter.		return values and can only be applied to one parameter.

``nonnull``		``nonnull``
This indicates that the parameter or return pointer is not null. This		This indicates that the parameter or return pointer is not null. This
attribute may only be applied to pointer typed parameters. This is not		attribute may only be applied to pointer typed parameters. This is not
checked or enforced by LLVM, the caller must ensure that the pointer		checked or enforced by LLVM; if the parameter or return pointer is null,
passed in is non-null, or the callee must ensure that the returned pointer		the behavior is undefined.
is non-null.

``dereferenceable(<n>)``		``dereferenceable(<n>)``
This indicates that the parameter or return pointer is dereferenceable. This		This indicates that the parameter or return pointer is dereferenceable. This
attribute may only be applied to pointer typed parameters. A pointer that		attribute may only be applied to pointer typed parameters. A pointer that
is dereferenceable can be loaded from speculatively without a risk of		is dereferenceable can be loaded from speculatively without a risk of
trapping. The number of bytes known to be dereferenceable must be provided		trapping. The number of bytes known to be dereferenceable must be provided
in parentheses. It is legal for the number of bytes to be less than the		in parentheses. It is legal for the number of bytes to be less than the
size of the pointee type. The ``nonnull`` attribute does not imply		size of the pointee type. The ``nonnull`` attribute does not imply
▲ Show 20 Lines • Show All 246 Lines • ▼ Show 20 Lines	``convergent``

The optimizer may remove the ``convergent`` attribute on functions when it		The optimizer may remove the ``convergent`` attribute on functions when it
can prove that the function does not execute any convergent operations.		can prove that the function does not execute any convergent operations.
Similarly, the optimizer may remove ``convergent`` on calls/invokes when it		Similarly, the optimizer may remove ``convergent`` on calls/invokes when it
can prove that the call/invoke cannot call a convergent function.		can prove that the call/invoke cannot call a convergent function.
``inaccessiblememonly``		``inaccessiblememonly``
This attribute indicates that the function may only access memory that		This attribute indicates that the function may only access memory that
is not accessible by the module being compiled. This is a weaker form		is not accessible by the module being compiled. This is a weaker form
of ``readnone``.		of ``readnone``. If the function reads or writes other memory, the
		behavior is undefined.
``inaccessiblemem_or_argmemonly``		``inaccessiblemem_or_argmemonly``
This attribute indicates that the function may only access memory that is		This attribute indicates that the function may only access memory that is
either not accessible by the module being compiled, or is pointed to		either not accessible by the module being compiled, or is pointed to
by its pointer arguments. This is a weaker form of ``argmemonly``		by its pointer arguments. This is a weaker form of ``argmemonly``. If the
		function reads or writes other memory, the behavior is undefined.
``inlinehint``		``inlinehint``
This attribute indicates that the source code contained a hint that		This attribute indicates that the source code contained a hint that
inlining this function is desirable (such as the "inline" keyword in		inlining this function is desirable (such as the "inline" keyword in
C/C++). It is just a hint; it imposes no requirements on the		C/C++). It is just a hint; it imposes no requirements on the
inliner.		inliner.
``jumptable``		``jumptable``
This attribute indicates that the function should be added to a		This attribute indicates that the function should be added to a
jump-instruction table at code-generation time, and that all address-taken		jump-instruction table at code-generation time, and that all address-taken
▲ Show 20 Lines • Show All 134 Lines • ▼ Show 20 Lines	``readnone``
to callers. This means while it cannot unwind exceptions by calling		to callers. This means while it cannot unwind exceptions by calling
the ``C++`` exception throwing methods (since they write to memory), there may		the ``C++`` exception throwing methods (since they write to memory), there may
be non-``C++`` mechanisms that throw exceptions without writing to LLVM		be non-``C++`` mechanisms that throw exceptions without writing to LLVM
visible memory.		visible memory.

On an argument, this attribute indicates that the function does not		On an argument, this attribute indicates that the function does not
dereference that pointer argument, even though it may read or write the		dereference that pointer argument, even though it may read or write the
memory that the pointer points to if accessed through other pointers.		memory that the pointer points to if accessed through other pointers.

		If a readnone function reads or writes memory visible to the program, or
		has other side-effects, the behavior is undefined. If a function reads from
		or writes to a readnone pointer argument, the behavior is undefined.
``readonly``		``readonly``
On a function, this attribute indicates that the function does not write		On a function, this attribute indicates that the function does not write
through any pointer arguments (including ``byval`` arguments) or otherwise		through any pointer arguments (including ``byval`` arguments) or otherwise
modify any state (e.g. memory, control registers, etc) visible to		modify any state (e.g. memory, control registers, etc) visible to
caller functions. It may dereference pointer arguments and read		caller functions. It may dereference pointer arguments and read
state that may be set in the caller. A readonly function always		state that may be set in the caller. A readonly function always
returns the same value (or unwinds an exception identically) when		returns the same value (or unwinds an exception identically) when
called with the same set of arguments and global state. This means while it		called with the same set of arguments and global state. This means while it
cannot unwind exceptions by calling the ``C++`` exception throwing methods		cannot unwind exceptions by calling the ``C++`` exception throwing methods
(since they write to memory), there may be non-``C++`` mechanisms that throw		(since they write to memory), there may be non-``C++`` mechanisms that throw
exceptions without writing to LLVM visible memory.		exceptions without writing to LLVM visible memory.

On an argument, this attribute indicates that the function does not write		On an argument, this attribute indicates that the function does not write
through this pointer argument, even though it may write to the memory that		through this pointer argument, even though it may write to the memory that
the pointer points to.		the pointer points to.

		If a readonly function writes memory visible to the program, or
		has other side-effects, the behavior is undefined. If a function writes to
		a readonly pointer argument, the behavior is undefined.
``"stack-probe-size"``		``"stack-probe-size"``
This attribute controls the behavior of stack probes: either		This attribute controls the behavior of stack probes: either
the ``"probe-stack"`` attribute, or ABI-required stack probes, if any.		the ``"probe-stack"`` attribute, or ABI-required stack probes, if any.
It defines the size of the guard region. It ensures that if the function		It defines the size of the guard region. It ensures that if the function
may use more stack space than the size of the guard region, stack probing		may use more stack space than the size of the guard region, stack probing
sequence will be emitted. It takes one required integer value, which		sequence will be emitted. It takes one required integer value, which
is 4096 by default.		is 4096 by default.

If a function that has a ``"stack-probe-size"`` attribute is inlined into		If a function that has a ``"stack-probe-size"`` attribute is inlined into
a function with another ``"stack-probe-size"`` attribute, the resulting		a function with another ``"stack-probe-size"`` attribute, the resulting
function has the ``"stack-probe-size"`` attribute that has the lower		function has the ``"stack-probe-size"`` attribute that has the lower
numeric value. If a function that has a ``"stack-probe-size"`` attribute is		numeric value. If a function that has a ``"stack-probe-size"`` attribute is
inlined into a function that has no ``"stack-probe-size"`` attribute		inlined into a function that has no ``"stack-probe-size"`` attribute
at all, the resulting function has the ``"stack-probe-size"`` attribute		at all, the resulting function has the ``"stack-probe-size"`` attribute
of the callee.		of the callee.
``"no-stack-arg-probe"``		``"no-stack-arg-probe"``
This attribute disables ABI-required stack probes, if any.		This attribute disables ABI-required stack probes, if any.
``writeonly``		``writeonly``
On a function, this attribute indicates that the function may write to but		On a function, this attribute indicates that the function may write to but
does not read from memory.		does not read from memory.

On an argument, this attribute indicates that the function may write to but		On an argument, this attribute indicates that the function may write to but
does not read through this pointer argument (even though it may read from		does not read through this pointer argument (even though it may read from
the memory that the pointer points to).		the memory that the pointer points to).

		If a writeonly function reads memory visible to the program, or
		has other side-effects, the behavior is undefined. If a function reads
		from a writeonly pointer argument, the behavior is undefined.
``argmemonly``		``argmemonly``
This attribute indicates that the only memory accesses inside function are		This attribute indicates that the only memory accesses inside function are
loads and stores from objects pointed to by its pointer-typed arguments,		loads and stores from objects pointed to by its pointer-typed arguments,
with arbitrary offsets. Or in other words, all memory operations in the		with arbitrary offsets. Or in other words, all memory operations in the
function can refer to memory only using pointers based on its function		function can refer to memory only using pointers based on its function
arguments.		arguments.

Note that ``argmemonly`` can be used together with ``readonly`` attribute		Note that ``argmemonly`` can be used together with ``readonly`` attribute
in order to specify that function reads only from its arguments.		in order to specify that function reads only from its arguments.

		If an argmemonly function reads or writes memory other than the pointer
		arguments, or has other side-effects, the behavior is undefined.
``returns_twice``		``returns_twice``
This attribute indicates that this function can return twice. The C		This attribute indicates that this function can return twice. The C
``setjmp`` is an example of such a function. The compiler disables		``setjmp`` is an example of such a function. The compiler disables
some optimizations (like tail calls) in the caller of these		some optimizations (like tail calls) in the caller of these
functions.		functions.
``safestack``		``safestack``
This attribute indicates that		This attribute indicates that
`SafeStack <http://clang.llvm.org/docs/SafeStack.html>`_		`SafeStack <http://clang.llvm.org/docs/SafeStack.html>`_
▲ Show 20 Lines • Show All 13,657 Lines • Show Last 20 Lines