This is an archive of the discontinued LLVM Phabricator instance.

Differential D65417

[SCCP] Update condition to avoid overflow.
ClosedPublic

Authored by asbirlea on Jul 29 2019, 1:55 PM.

Details

Reviewers
RKSimon
lebedev.ri
sanjoy.google
Commits
rG7153f2784c11: [SCCP] Update condition to avoid overflow.
rL367461: [SCCP] Update condition to avoid overflow.
Summary

Update condition to remove addition that may cause an overflow.
Resolves PR42814.

Diff Detail

Repository
rL LLVM

Event Timeline

asbirlea created this revision.Jul 29 2019, 1:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 29 2019, 1:56 PM
Herald added a subscriber: jlebar. · View Herald Transcript
Harbormaster completed remote builds in B35767: Diff 212220.Jul 29 2019, 1:56 PM
lebedev.ri added a subscriber: lebedev.ri.Jul 29 2019, 2:02 PM
lebedev.ri added inline comments.
lib/Analysis/ConstantFolding.cpp
550–552 ↗(On Diff #212220)

Is Offset==0 == 0'th byte of the constant?
If so, perhaps this check could simply be done first?

asbirlea updated this revision to Diff 212226.Jul 29 2019, 2:18 PM

Update per comment suggestion: reorder conditions.

asbirlea marked an inline comment as done.Jul 29 2019, 2:18 PM
asbirlea added a reviewer: lebedev.ri.
Harbormaster completed remote builds in B35771: Diff 212226.Jul 29 2019, 2:19 PM
lebedev.ri added inline comments.Jul 29 2019, 2:30 PM
lib/Analysis/ConstantFolding.cpp
551 ↗(On Diff #212226)

This check looks suspicious to me.
I'd expect this to be if (Offset + BytesLoaded >= InitializerSize),
this way we are checking that BytesLoaded bytes lies within the global.

asbirlea marked an inline comment as done.Jul 29 2019, 2:42 PM
asbirlea added inline comments.
lib/Analysis/ConstantFolding.cpp
551 ↗(On Diff #212226)

If Offset can be a negative value, it's possible to get an OOB access when Offset + BytesLoaded <= 0.
We can also get an OOB access if (Offset + BytesLoaded >= InitializerSize), but the two checks seem orthogonal given this section of code (I'm not familiar with the larger scope of this code).

lebedev.ri marked an inline comment as done.Jul 29 2019, 2:46 PM
lebedev.ri added inline comments.
lib/Analysis/ConstantFolding.cpp
551 ↗(On Diff #212226)

Okay, sounds plausible.

fhahn added a subscriber: fhahn.Jul 30 2019, 2:43 AM
fhahn added inline comments.
lib/Analysis/ConstantFolding.cpp
551 ↗(On Diff #212226)

I think with the check as it is, there still could be an overflow *in theory*, e.g. for constants that are int64_max big. Given that we only allow global constants with initializers, this would mean a huge bitcode file, but while you're at it, it might be worth changing the comparisons to if (Offfset <= -BytesLoaded) as well

RKSimon added inline comments.Jul 30 2019, 5:32 AM
test/Transforms/SCCP/ubsan_overflow.ll
1 ↗(On Diff #212226)

Shouldn't this be

opt < %s -sccp -S
asbirlea updated this revision to Diff 212376.Jul 30 2019, 10:05 AM
asbirlea marked 3 inline comments as done.

Address comment.

test/Transforms/SCCP/ubsan_overflow.ll
1 ↗(On Diff #212226)

The behavior is the same.

Harbormaster completed remote builds in B35815: Diff 212376.Jul 30 2019, 10:06 AM
asbirlea updated this revision to Diff 212428.Jul 30 2019, 1:45 PM

Added needed cast from unsigned to int64_t.

Harbormaster completed remote builds in B35834: Diff 212428.Jul 30 2019, 1:46 PM
sanjoy.google edited reviewers, added: sanjoy.google; removed: sanjoy.Jul 30 2019, 3:06 PM
sanjoy.google added inline comments.Jul 30 2019, 3:11 PM
lib/Analysis/ConstantFolding.cpp
551 ↗(On Diff #212428)

Use static_cast? That also makes it obvious whether the cast happens before or after the multiply.

asbirlea updated this revision to Diff 212609.Jul 31 2019, 9:51 AM
asbirlea marked 2 inline comments as done.

Address comment.

Harbormaster completed remote builds in B35898: Diff 212609.Jul 31 2019, 9:54 AM
sanjoy.google accepted this revision.Jul 31 2019, 10:59 AM

lgtm with some nits

lib/Analysis/ConstantFolding.cpp
547 ↗(On Diff #212609)

OOC is there a reason to flip the order of the two checks? If yes, can you please update the commit message (so as to not confuse folks digging through the commit history in the future)?

test/Transforms/SCCP/ubsan_overflow.ll
12 ↗(On Diff #212609)

We probably should remove the unreachable. As written the function has unconditional UB which means some other optimization within SCCP could kick in.

Probably the best thing to do is to return the value you loaded so that it can't get DCE'd away either (SCCP is unlikely to do that, but you never know).

This revision is now accepted and ready to land.Jul 31 2019, 10:59 AM
asbirlea updated this revision to Diff 212628.Jul 31 2019, 11:19 AM

Address comments.
Thank you for the review!

Harbormaster completed remote builds in B35903: Diff 212628.Jul 31 2019, 11:19 AM
asbirlea marked 2 inline comments as done.Jul 31 2019, 11:20 AM
Closed by commit rL367461: [SCCP] Update condition to avoid overflow. (authored by asbirlea). · Explain WhyJul 31 2019, 11:23 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Analysis/
2 lines
test/
Transforms/
SCCP/
13 lines

Diff 212629

llvm/trunk/lib/Analysis/ConstantFolding.cpp

Show First 20 LinesShow All 538 Lines▼ Show 20 LinesConstant *FoldReinterpretLoadFromConstPtr(Constant *C, Type *LoadTy,
if (!GV || !GV->isConstant() || !GV->hasDefinitiveInitializer() || if (!GV || !GV->isConstant() || !GV->hasDefinitiveInitializer() ||
!GV->getInitializer()->getType()->isSized()) !GV->getInitializer()->getType()->isSized())
return nullptr; return nullptr;
int64_t Offset = OffsetAI.getSExtValue(); int64_t Offset = OffsetAI.getSExtValue();
int64_t InitializerSize = DL.getTypeAllocSize(GV->getInitializer()->getType()); int64_t InitializerSize = DL.getTypeAllocSize(GV->getInitializer()->getType());
// If we're not accessing anything in this constant, the result is undefined. // If we're not accessing anything in this constant, the result is undefined.
if (Offset + BytesLoaded <= 0) if (Offset <= -1 * static_cast<int64_t>(BytesLoaded))
return UndefValue::get(IntType); return UndefValue::get(IntType);
// If we're not accessing anything in this constant, the result is undefined. // If we're not accessing anything in this constant, the result is undefined.
if (Offset >= InitializerSize) if (Offset >= InitializerSize)
return UndefValue::get(IntType); return UndefValue::get(IntType);
unsigned char RawBytes[32] = {0}; unsigned char RawBytes[32] = {0};
unsigned char *CurPtr = RawBytes; unsigned char *CurPtr = RawBytes;
▲ Show 20 LinesShow All 1,991 LinesShow Last 20 Lines

llvm/trunk/test/Transforms/SCCP/ubsan_overflow.ll

; RUN: opt -sccp -S %s | FileCheck %s
@0 = private unnamed_addr constant [16 x i8] c"\01\00\00\00\01\01\00\00\01\01\01\00\01\01\01\01"
; CHECK-LABEL: @foo
define i8 @foo() {
entry:
%0 = add nuw nsw i64 0, -1
%1 = lshr i64 %0, 1
%2 = getelementptr inbounds [4 x [4 x i8]], [4 x [4 x i8]]* bitcast ([16 x i8]* @0 to [4 x [4 x i8]]*), i64 0, i64 0, i64 %1
%3 = load i8, i8* %2, align 1
ret i8 %3
}