[PATCH] avoid calling alloca(0)
Martin Sebor
msebor@gmail.com
Thu Nov 24 01:15:00 GMT 2016
On 11/23/2016 01:57 PM, Jeff Law wrote:
> On 11/20/2016 04:06 PM, Martin Sebor wrote:
>> On 11/20/2016 01:03 AM, Bernd Edlinger wrote:
>>> On 11/20/16 00:43, Martin Sebor wrote:
>>>> As best I can tell the result isn't actually used (the code that
>>>> uses the result gets branched over). GCC just doesn't see it.
>>>> I verified this by changing the XALLOCAVEC macro to
>>>>
>>>> #define XALLOCAVEC(T, N) (N ? alloca (sizeof (T) * N) : 0)
>>>>
>>>> and bootstrapping and running the regression test suite with
>>>> no apparent regressions.
>>>>
>>>
>>> I would like this solution with braces around N better than
>>> allocating one element when actually zero were requested.
>>>
>>> The disadvantage of N+1 or N+!N is that it will hide true
>>> programming errors from the sanitizer.
>>
>> I agree. Let me post an updated patch with the above fix and
>> leave it to others to choose which approach to go with.
> Just so I'm clear, this part of the discussions is talking about
> mitigation strategies within GCC itself, right?
That's right.
> Can't we just
> gcc_assert (x != 0) before the problematical calls? That avoids
> unnecessary over-allocation and gets us a clean ICE if we were to try
> and call alloca with a problematical value.
gcc_assert works only in some instances (e.g., in c-ada-spec.c:191)
but not in others because some actually do make the alloca(0) call
at runtime: at a minimum, lto.c:3285, reg-stack.c:2008, and
tree-ssa-threadedge.c:344 assert during bootstrap.
After reviewing a few more of the XALLOCAVEC calls in the affected
files I suspect that those to alloca(0) pointed out by the warning
may be just a subset that GCC happens to see thanks to constant
propagation. If that's so then changing this subset to
alloca(N + !N) or some such is probably not the right approach
because it will miss all the other calls where GCC doesn't see that
N is zero. I think the most robust solution is to do as Bernd
suggests: change XALLOCAVEC as shown above. That will let us
prevent any and all unsafe assumptions about the result of
alloca(0) being either non-null or distinct. The other approach
would be to change XALLOCAVEC to add 1 to the byte count. That
would be in line with what XMALLOC does.
> I'm not sure we need to break things up. I haven't seen a good argument
> for that yet.
>
> Is there an updated patch to post? Or has it already been posted?
Given the above I suggest going with one of the attached two patches.
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcc-libiberty-xallocavec-null.diff
Type: text/x-patch
Size: 710 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20161124/07e1723c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcc-libiberty-xallocavec-nonzero.diff
Type: text/x-patch
Size: 696 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20161124/07e1723c/attachment-0001.bin>
More information about the Gcc-patches
mailing list