[PATCH] avoid calling memset et al. with excessively large sizes (PR 79095)

Jeff Law law@redhat.com
Sat Jan 21 00:19:00 GMT 2017 

On 01/20/2017 04:34 PM, Jakub Jelinek wrote:
> On Fri, Jan 20, 2017 at 04:32:19PM -0700, Jeff Law wrote:
>>> then the loop does the same thing as will memset (p, 6, 3U * 1024 * 1024 * 1024);
>>> do.  On such large objects some operations may not work properly, e.g.
>>> &p[i] - &p[0] might be negative etc., but that is not something the above
>>> loop does or memset will do internally.  If the loop doesn't use just 3/4 of
>>> the address space, but much more, e.g. more than whole address space minus
>>> one page, which is what happens in the testcase, it is indeed quite sure it
>>> will crash if invoked, but the problem with the warning is the same with
>>> many other late warnings or warnings excessively using VRP etc.
>> Not in my mind, it's different.  It's not triggered by path isolation. It's
>> standard const propagation + simplification.
>
> So where does the constant -1 length appear there?  The test clearly just
> attempts to clear some variable length - 1.  I admit I haven't looked at the
> dumps in detail, I should...
At least in Martin's simplified test it's just a series of standard 
constant propagations and obvious simplifications.  No threading, no 
path isolation.

;;   basic block 2, loop depth 0, count 0, freq 10000, maybe hot
;;    prev block 0, next block 3, flags: (NEW, REACHABLE, VISITED)
;;    pred:       ENTRY [100.0%]  (FALLTHRU,EXECUTABLE)
   _7 = MEM[(int * *)s_5(D)];
   _8 = MEM[(int * *)s_5(D) + 8B];
   _9 = (long int) _8;
   _10 = (long int) _7;
   _11 = _9 - _10;
   _12 = _11 /[ex] 4;
   _13 = (long unsigned int) _12;
   _1 = _13 + 18446744073709551614;
   if (_1 <= 2)
     goto <bb 3>; [36.64%]
   else
     goto <bb 8>; [63.36%]
;;    succ:       3 [36.6%]  (TRUE_VALUE,EXECUTABLE)
;;                8 [63.4%]  (FALSE_VALUE,EXECUTABLE)

;;   basic block 3, loop depth 0, count 0, freq 3664, maybe hot
;;    prev block 2, next block 4, flags: (NEW, REACHABLE, VISITED)
;;    pred:       2 [36.6%]  (TRUE_VALUE,EXECUTABLE)
   _2 = _13 + 18446744073709551615;
   _14 = MEM[(int * *)s_5(D)];
   _15 = MEM[(int * *)s_5(D) + 8B];
   _16 = (long int) _15;
   _17 = (long int) _14;
   _18 = _16 - _17;
   _19 = _18 /[ex] 4;
   _20 = (long unsigned int) _19;
   if (_2 > _20)
     goto <bb 4>; [50.00%]
   else
     goto <bb 6>; [50.00%]
;;    succ:       4 [50.0%]  (TRUE_VALUE,EXECUTABLE)
;;                6 [50.0%]  (FALSE_VALUE,EXECUTABLE)

;;   basic block 4, loop depth 0, count 0, freq 1832, maybe hot
;;    prev block 3, next block 5, flags: (NEW, REACHABLE, VISITED)
;;    pred:       3 [50.0%]  (TRUE_VALUE,EXECUTABLE)
   _21 = _2 - _20;
   _22 = MEM[(int * *)s_5(D) + 16B];
   _23 = (long int) _22;
   _24 = _23 - _16;
   _25 = _24 /[ex] 4;
   left_26 = (size_t) _25;
   if (_21 <= left_26)
     goto <bb 5>; [33.00%]
   else
     goto <bb 8>; [67.00%]
;;    succ:       5 [33.0%]  (TRUE_VALUE,EXECUTABLE)
;;                8 [67.0%]  (FALSE_VALUE,EXECUTABLE)

;;   basic block 5, loop depth 0, count 0, freq 605, maybe hot
;;    prev block 4, next block 6, flags: (NEW, REACHABLE, VISITED)
;;    pred:       4 [33.0%]  (TRUE_VALUE,EXECUTABLE)
   _27 = _21 * 4;
   __builtin_memset (_22, 0, _27);
   goto <bb 8>; [100.00%]
;;    succ:       8 [100.0%]  (FALLTHRU,EXECUTABLE)


In particular look at _27, which is _21 * 4.

_21 is _2 - _20

If you follow things though the use-def chains and simplify you'll see 
that _2 - 20 is always -1.


Jeff

More information about the Gcc-patches mailing list