Page MenuHomePhabricator

LangRef: Attempt to formulate some rules for addrspacecast
Needs ReviewPublic

Authored by arsenm on Jun 18 2019, 4:04 PM.

Details

Summary

If agreed, some work will be needed to comply with these rules.

Diff Detail

Event Timeline

arsenm created this revision.Jun 18 2019, 4:04 PM

Thanks for working on this, it's a seriously underspecified part of LLVM.

docs/LangRef.rst
9716

What does 'is legal' actually mean? For example, if I have a 32-bit VA space and a 64-bit VA space in the same process with a subset of the program understanding only one and a shim layer understanding both, then the cast from 32-bit to 64-bit will always succeed but the converse cast is always a statically valid operation but may dynamically fail (and the failure case may be to return null).

9717

Does this not preclude using address space casts to make pointers visible to GC (or, conversely, to notify the GC that a pointer has escaped)? I think we may need to define what 'capture' means in this context. I believe the goal of this is to state that the compiler is free to elide address space casts with no uses?

9726

I believe that this holds only if both address spaces are permutations. Again, the simple 32/64-bit case, a round trip starting in the 32-bit world is always possible, but the converse does not apply.

arsenm marked 3 inline comments as done.Jun 19 2019, 7:25 AM
arsenm added inline comments.
docs/LangRef.rst
9716

I was thinking legal means a dereferencable result. If you were to access the result when the cast failed, it would be undefined

9717

I'm trying to reiterate that this is not an operation that touches memory in any way. We do allow addrspacecasts in constant expressions, and they can't trap. Elision should be OK.

The intent is addrspacecast has stronger aliasing properties than a ptrtoint/inttoptr pair, which was part of the original intent of adding a new instruction.

9726

This probably needs an additional constraint that the result was also dereferencable / legal as stated before. The goal is it should be legal to insert new addrspacecasts back to the source addrspace in certain contexts. The interesting ones are cases where you are dereferencing the pointer anyway, so it would have been undefined if the cast failed

arsenm updated this revision to Diff 205693.Jun 19 2019, 3:48 PM

Say dereferencable instead of legal

Apparently I forgot to hit submit on the comments I made yesterday, sorry!

docs/LangRef.rst
9716

I'm happy with that clarification. We probably want to explicitly talk about dynamic failure for addrspacecast somewhere in this documentation.

9717

Makes sense, we probably want to clarify what capturing means from the perspective of allowed transforms here. It may be that an addrsoacecast has static side effects (if that's a valid term) causing some extra metadata to be emitted about roots on the stack or in registers, for example, but the compiler is free to move address space casts across other operations and to elide them.

In the CHERI case, we do have one operation that it is not safe to move address space casts across (writes to the default data capability change the meaning of the current address space), but it's also not safe to reorder loads / stores across that and so we probably need to add an explicit address space change barrier intrinsic for things like that.

9726

I think we need to be very careful about eliding user-expected trapping behaviour here. CHERI has similar behaviour, but consider a simple 32/64-bit example where:

  • 32-bit pointers are AS0
  • 64-bit pointers are AS1
  • Cast from 32-bit to 64-bit is a zero extension (always valid)
  • Cast from 64-bit to 32-bit is a truncation, equality test, and conditional move of 0 on failure, so an addrspacecast from AS1 to AS0 gives either a valid result or null.

If I have a sequence of:

%0 is some AS1 pointer
%1 casts to AS0
%2 loads from %1

This would be expected to trap, but with the text as written it would be valid to elide %1 and have %2 be a load from %0. This is probably not what the programmer expected. Would you need to mark one of these as non-integral to achieve those guarantees? Or have some ordering of permissiveness? In this scenario, it's fine to do the elision the other way around:

%0 is some AS0 pointer
%1 casts to AS1
%2 loads from %1

In this version, eliding %1 and making %2 load from %0 is totally fine. I think we really need to model three kinds of cast:

  • Ones that are always valid (statically known)
  • Ones that are always invalid (statically known)
  • Ones that are sometimes valid (dynamically known)

I'd suggest making the last case the default and adding metadata for the first two. Front ends generally know which of these are the case and can add the metadata and some later analyses may be able to once some more is known about the values. Optimisers are then free to elide any always-valid addrspacecast instructions. If the metadata is accidentally dropped then that's also fine.

In the CHERI case, an AS0 to AS200 cast is always valid (and clang could be taught to add the metadata). An AS200 to AS0 cast is always valid if you can statically prove that it was the result of a cast in the opposite direction, or if it came from a specific allocator. Most AS0 to AS200 casts are followed by a call to an intrinsic that sets bounds / permissions, and this is the only use of the addrspacecast instruction, which prohibits these optimisations (correctly).

arsenm marked an inline comment as done.Jun 20 2019, 9:06 AM
arsenm added inline comments.
docs/LangRef.rst
9726

Loading from the failed cast would be undefined behavior, so transforming the load and avoiding the trap should be legal. I wouldn't expect this to be any different from the compiler eliminating the a trap from a store to NULL. I do think this is an argument for not allowing changing the address space of volatile operations (see D63401).

arsenm updated this revision to Diff 205986.Jun 21 2019, 6:21 AM

Add some notes about changing the address space of accesses

jdoerfert added inline comments.
docs/LangRef.rst
2721

I'd change the last sentence, maybe as shown below, but the meaning is fine.

"In general, "null-pointers" have to be assumed dereferenceable in non-zero address spaces."

dereferencable -> dereferenceable

2728

For a non-volatile access, if an object can be proven accessible through a pointer with a different address space, the access may be modified to use that address space.

I'm not happy with this wording,... but I can't quite put my finger on it.

9718

same memory location.

Is it necessarily the same memory location or the same "logical" memory location? This is an honest question.

theraven added inline comments.Jun 27 2019, 5:25 AM
docs/LangRef.rst
2721

I am also unhappy with this as a claim. null pointers should always be non-dereferenceable. The semantics of inttoptr of 0 may not yield null for a given address space and the semantics of ptrtoint of null may not yield the integer 0, but the definition of a null pointer is a guaranteed non-dereferenceable pointer.

arsenm marked an inline comment as done.Jun 27 2019, 9:19 AM
arsenm added inline comments.
docs/LangRef.rst
2721

I'm unhappy with the claim, but I'm also unhappy with the state of null in llvm. "i8 addrspace(N)* null" is always interpreted as bit pattern 0. I would like to fix this by defining the invalid pointer value in the datalayout, and remove all special treatment of addrspace(0). As-is I don't think there is a way to describe a constant, known-invalid/null pointer in the IR.

arsenm updated this revision to Diff 206883.Jun 27 2019, 9:40 AM

Fix spelling. Rephrase and move volatile note to volatile section

Sorry for the delay.

I have a few more notes/questions.

docs/LangRef.rst
2230

Why, "In general,"? Do we have exceptions?

2726

Again, why "possible" and "may". Don't we "just" want to say "Exceptions apply for `volatile` operations"?

9726

I'm confused by:

both source and destination address spaces are :ref:integral pointers <nointptrtype>

why are address spaces pointer types (or am I reading this wrong)?

Do we want "is assumed" and "should"? As above, that sounds like the are alternative options.