[PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)
Jeff Law
law@redhat.com
Sat Jan 21 00:19:00 GMT 2017
On 01/20/2017 04:34 PM, Jakub Jelinek wrote:
> On Fri, Jan 20, 2017 at 04:32:19PM -0700, Jeff Law wrote:
>>> then the loop does the same thing as will memset (p, 6, 3U * 1024 * 1024 * 1024);
>>> do. On such large objects some operations may not work properly, e.g.
>>> &p[i] - &p[0] might be negative etc., but that is not something the above
>>> loop does or memset will do internally. If the loop doesn't use just 3/4 of
>>> the address space, but much more, e.g. more than whole address space minus
>>> one page, which is what happens in the testcase, it is indeed quite sure it
>>> will crash if invoked, but the problem with the warning is the same with
>>> many other late warnings or warnings excessively using VRP etc.
>> Not in my mind, it's different. It's not triggered by path isolation. It's
>> standard const propagation + simplification.
>
> So where does the constant -1 length appear there? The test clearly just
> attempts to clear some variable length - 1. I admit I haven't looked at the
> dumps in detail, I should...
At least in Martin's simplified test it's just a series of standard
constant propagations and obvious simplifications. No threading, no
path isolation.
;; basic block 2, loop depth 0, count 0, freq 10000, maybe hot
;; prev block 0, next block 3, flags: (NEW, REACHABLE, VISITED)
;; pred: ENTRY [100.0%] (FALLTHRU,EXECUTABLE)
_7 = MEM[(int * *)s_5(D)];
_8 = MEM[(int * *)s_5(D) + 8B];
_9 = (long int) _8;
_10 = (long int) _7;
_11 = _9 - _10;
_12 = _11 /[ex] 4;
_13 = (long unsigned int) _12;
_1 = _13 + 18446744073709551614;
if (_1 <= 2)
goto <bb 3>; [36.64%]
else
goto <bb 8>; [63.36%]
;; succ: 3 [36.6%] (TRUE_VALUE,EXECUTABLE)
;; 8 [63.4%] (FALSE_VALUE,EXECUTABLE)
;; basic block 3, loop depth 0, count 0, freq 3664, maybe hot
;; prev block 2, next block 4, flags: (NEW, REACHABLE, VISITED)
;; pred: 2 [36.6%] (TRUE_VALUE,EXECUTABLE)
_2 = _13 + 18446744073709551615;
_14 = MEM[(int * *)s_5(D)];
_15 = MEM[(int * *)s_5(D) + 8B];
_16 = (long int) _15;
_17 = (long int) _14;
_18 = _16 - _17;
_19 = _18 /[ex] 4;
_20 = (long unsigned int) _19;
if (_2 > _20)
goto <bb 4>; [50.00%]
else
goto <bb 6>; [50.00%]
;; succ: 4 [50.0%] (TRUE_VALUE,EXECUTABLE)
;; 6 [50.0%] (FALSE_VALUE,EXECUTABLE)
;; basic block 4, loop depth 0, count 0, freq 1832, maybe hot
;; prev block 3, next block 5, flags: (NEW, REACHABLE, VISITED)
;; pred: 3 [50.0%] (TRUE_VALUE,EXECUTABLE)
_21 = _2 - _20;
_22 = MEM[(int * *)s_5(D) + 16B];
_23 = (long int) _22;
_24 = _23 - _16;
_25 = _24 /[ex] 4;
left_26 = (size_t) _25;
if (_21 <= left_26)
goto <bb 5>; [33.00%]
else
goto <bb 8>; [67.00%]
;; succ: 5 [33.0%] (TRUE_VALUE,EXECUTABLE)
;; 8 [67.0%] (FALSE_VALUE,EXECUTABLE)
;; basic block 5, loop depth 0, count 0, freq 605, maybe hot
;; prev block 4, next block 6, flags: (NEW, REACHABLE, VISITED)
;; pred: 4 [33.0%] (TRUE_VALUE,EXECUTABLE)
_27 = _21 * 4;
__builtin_memset (_22, 0, _27);
goto <bb 8>; [100.00%]
;; succ: 8 [100.0%] (FALLTHRU,EXECUTABLE)
In particular look at _27, which is _21 * 4.
_21 is _2 - _20
If you follow things through the use-def chains and simplify you'll see
that _2 - _20 is always -1.
Jeff
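To make that use-def chase concrete, here is an added C reconstruction (not code from the thread or from the PR testcase) that mirrors the dump's statements one by one; the three-int-pointer struct layout is an assumption read off the MEM offsets 0, 8 and 16B. It shows both that the folded memset length is the constant SIZE_MAX - 3 and that the memset block is never entered for any real buffer, which is why the diagnostic fires on a dead path.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout, inferred from MEM[(int * *)s + 0/8/16B] in the dump. */
struct buf {
    int *begin;
    int *end;
    int *cap;
};

/* Follow the dump statement by statement and return the byte count that
   would reach __builtin_memset, or 0 when the memset block is not entered. */
size_t clear_len_as_in_dump(const struct buf *s)
{
    size_t _13 = (size_t)(s->end - s->begin);   /* _11 /[ex] 4, as unsigned */
    size_t _1 = _13 + (size_t)-2;               /* _13 + 18446744073709551614 */
    if (!(_1 <= 2))
        return 0;                               /* -> bb 8 */
    size_t _2 = _13 + (size_t)-1;               /* _13 + 18446744073709551615 */
    size_t _20 = (size_t)(s->end - s->begin);   /* reloaded: same value as _13 */
    if (!(_2 > _20))
        return 0;                               /* -> bb 6 */
    size_t _21 = _2 - _20;
    size_t left = (size_t)(s->cap - s->end);    /* left_26 */
    if (!(_21 <= left))
        return 0;                               /* -> bb 8 */
    return _21 * 4;                             /* _27, the memset length */
}

/* What the optimizer sees once CSE makes _20 == _13 and folds:
   (n - 1) - n == SIZE_MAX for every n, so _27 is always SIZE_MAX - 3. */
size_t clear_len_folded(size_t n)
{
    return ((n - 1) - n) * 4;
}

/* Try the dump's path on a concrete buffer of the given size and capacity
   (constructed sample data; capacity must be at most 16 elements). */
size_t clear_len_for(ptrdiff_t size, ptrdiff_t capacity)
{
    static int storage[16];
    struct buf s = { storage, storage + size, storage + capacity };
    return clear_len_as_in_dump(&s);
}
```

At runtime the `_2 > _20` test can only hold when the element count is 0, which the earlier `_1 <= 2` test already excludes, so the memset is unreachable; the warning comes purely from the folded constant.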