[PATCH] Speed-up use-after-scope (re-writing to SSA) (version 2)

Martin Liška mliska@suse.cz
Thu Dec 22 17:11:00 GMT 2016

On 12/21/2016 09:52 AM, Jakub Jelinek wrote:
> On Tue, Dec 20, 2016 at 12:26:41PM +0100, Martin Liška wrote:
>> Ok, llvm folks are unwilling to accept the new API function, thus I've decided to come up
>> with approach suggested by Jakub. Briefly, when expanding ASAN_POISON internal function,
>> we create a new variable (with the same name as the original one). The variable is poisoned
>> at the location of the ASAN_POISON and all usages just call ASAN_CHECK that would trigger
>> use-after-scope run-time error. Situation where ASAN_POISON has a LHS is very rare and
>> is very likely to be a bug. Thus suggested not super-optimized approach should not be
>> problematic.
> Do you have a testcase for the case where there is a write to the var after
> poison that is then made non-addressable?  use-after-scope-9.c only covers
> the read.
>> I'm not sure about the introduction of 'create_var' function, maybe we would need some
>> refactoring. Thoughts?
> It doesn't belong to gimple-expr.c and the name is way too generic, we have
> many create var functions already.  And this one is very specialized.
>> 2016-12-19  Martin Liska  <mliska@suse.cz>
>> 	* asan.c (asan_expand_poison_ifn): New function.
>> 	* asan.h (asan_expand_poison_ifn):  Likewise.
> Too many spaces.
>> +  tree shadow_var = create_var (TREE_TYPE (poisoned_var),
>> +				IDENTIFIER_POINTER (DECL_NAME (var_decl)));
> For the shadow var creation, IMHO you should
> 1) use a hash table, once you add a shadow variable for a certain variable
>    for the first time, reuse it for all the other cases; you can have many
>    ASAN_POISON () calls for the same underlying variable

Thanks for review.

Done by hash_map.

> 2) as I said, use just a function in sanopt.c for this,
>    create_asan_shadow_var or whatever

Also done.

> 3) I think you just want to do copy_node, plus roughly what
>    copy_decl_for_dup_finish does (and set DECL_ARTIFICIAL and
>    DECL_IGNORED_P) - except that you don't have copy_body_data
>    so you can't use it directly (well, you could create copy_body_data
>    just for that purpose and set src_fn and dst_fn to current_function_decl
>    and the rest to NULL)

I decided to use the function with prepared copy_body_data ;)

> I'd really like to see the storing to poisoned var becoming non-addressable
> in action (if it can ever happen, so it isn't just theoretical) to look at
> what it does.

Well, having following sample:

main (int argc, char **argv)
  int *ptr = 0;

    int a;
    ptr = &a;
    *ptr = 12345;

  *ptr = 12345;
  return *ptr;

Right after rewriting into SSA it looks as follows:

main (int argc, char * * argv)
  int a;
  int * ptr;
  int _8;

  <bb 2> [0.00%]:
  a_9 = 12345;
  a_10 = ASAN_POISON ();
  a_11 = 12345;
  _8 = a_11;
  return _8;


Thus, I guess it not possible to do a write.

Following v2 can bootstrap on ppc64le-redhat-linux and survives regression tests.


> 	Jakub

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Speed-up-use-after-scope-v2-rewrite-into-SSA-v2.patch
Type: text/x-patch
Size: 13824 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20161222/27f0b09c/attachment.bin>

More information about the Gcc-patches mailing list