[clang] Allow inlining of copies without capabilities #506
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrtc27
reviewed
Jan 25, 2021
There was a problem hiding this comment.
What happens with:
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}I believe that's valid C, provided 2 * sizeof(long) is a multiple of void (**)(long **, long **).
Imagine it as being that you have a pointer to a header and want to copy the header plus some amount of the body, where the body contains capabilities. |
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Mar 10, 2021
…iasing Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that assumes relaxed aliasing. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Adding the no_preserve_tags attribute to memcpy() is safe under -fstrict-aliasing (since the store above is invalid), but with -fno-strict-aliasing this aligned memcpy must preserve tags.
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Mar 10, 2021
…iasing Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that assumes relaxed aliasing. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Adding the no_preserve_tags attribute to memcpy() is safe under -fstrict-aliasing (since the store above is invalid), but with -fno-strict-aliasing this aligned memcpy must preserve tags.
arichardson
force-pushed
the
memcpy-no-tags
branch
from
035d46b
to
b4f4de8
Compare
|
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Mar 12, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Mar 12, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
force-pushed
the
memcpy-no-tags
branch
from
b4f4de8
to
e147562
Compare
|
As discussed earlier this week, my -fstrict-aliasing/-fno-strict-aliasing assumptions were incorrect, so this new version makes decisions based on whether a valid variable declaration is visible and if not assumes it is an "allocated type" where the first store defines the underlying type. |
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Jul 15, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Jul 15, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
force-pushed
the
memcpy-no-tags
branch
from
e147562
to
09e3f46
Compare
|
rebased |
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Aug 17, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
force-pushed
the
memcpy-no-tags
branch
from
09e3f46
to
bacd109
Compare
|
rebased |
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Oct 4, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
force-pushed
the
memcpy-no-tags
branch
from
bacd109
to
7e96616
Compare
|
rebased after upstream merge. |
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Oct 15, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts and is correct under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy being a long* (and therefore intuitevly not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Oct 21, 2021
…type Marking a memcpy() to/from a long* as not tag-preserving could result in tag stripping for code that using type casts. Such code is correct even under strict aliasing rules since the first store to a memory location determines the type. Example from CTSRD-CHERI#506: ``` void *malloc(__SIZE_TYPE__); void *memcpy(void *, const void *, __SIZE_TYPE__); void foo(long **p, long **q) { *p = malloc(32); *q = malloc(32); (*p)[0] = 1; (*p)[1] = 2; *(void (**)(long **, long **))(*p + 2) = &foo; memcpy(*q, *p, 32); } ``` Despite the memcpy() being a long* (and therefore intuitively not tag preserving), we can't add the attribute since we don't actually know the type of the underlying object (malloc creates an allocated with no declared type). From C99: The effective type of an object for an access to its stored value is the declared type of the object, if any (footnote 75: Allocated objects have no declared type). If a value is stored into an object having no declared type through an lvalue having a type that is not a character type, then the type of the lvalue becomes the effective type of the object for that access and for subsequent accesses that do not modify the stored value. If a value is copied into an object having no declared type using memcpy or memmove, or is copied as an array of character type, then the effective type of the modified object for that access and for subsequent accesses that do not modify the value is the effective type of the object from which the value is copied, if it has one. For all other accesses to an object having no declared type, the effective type of the object is simply the type of the lvalue used for the access.
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Oct 21, 2021
Once the backends handle the new attribute, this will allow inlining
structure assignments for structs that are at least capability size
but do not contain any capabilities (e.g. struct { long a; long b; }).
We can also set the attribute for all trivial auto var-init cases since
those patterns never contain valid capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
CTSRD-CHERI#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Oct 21, 2021
Once the backends handle the new attribute, this will allow inlining
structure assignments for structs that are at least capability size
but do not contain any capabilities (e.g. struct { long a; long b; }).
We can also set the attribute for all trivial auto var-init cases since
those patterns never contain valid capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
CTSRD-CHERI#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Oct 21, 2021
Once the backends handle the new attribute, this will allow inlining
structure assignments for structs that are at least capability size
but do not contain any capabilities (e.g. struct { long a; long b; }).
We can also set the attribute for all trivial auto var-init cases since
those patterns never contain valid capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
CTSRD-CHERI#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
arichardson
force-pushed
the
no-preserve-tags-codegen
branch
from
a24d4d2
to
89a3cd0
Compare
arichardson
force-pushed
the
no-preserve-tags-codegen
branch
2 times, most recently
from
0c5b087
to
2c713b3
Compare
arichardson
force-pushed
the
no-preserve-tags-codegen
branch
2 times, most recently
from
1539e37
to
66d47e7
Compare
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Aug 26, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
CTSRD-CHERI#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
arichardson
force-pushed
the
memcpy-no-tags
branch
from
4c201bc
to
528ce37
Compare
arichardson
changed the title
arichardson
commented
Aug 26, 2022
arichardson
added a commit
that referenced
this pull request
Sep 1, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
arichardson
force-pushed
the
memcpy-no-tags
branch
from
528ce37
to
952b02c
Compare
arichardson
added a commit
to arichardson/llvm-project
that referenced
this pull request
Sep 2, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
CTSRD-CHERI#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
There is another important caveat: we have to conservatively assume that
the copy affects adjacent data (e.g. C++ subclass fields) that could
hold capabilities if we don't know the copy size. If the copy size is
<= sizeof(T), we can mark copies as non-tag-preserving since it cannot
affect trailing fields (even if we are actually copying a subclass).
arichardson
force-pushed
the
memcpy-no-tags
branch
from
952b02c
to
d4dc697
Compare
arichardson
force-pushed
the
no-preserve-tags-codegen
branch
from
66d47e7
to
f8a0d53
Compare
These tests highlight some places where we can easily add the no_preserve_tags attribute to allow inlining small copies.
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
CTSRD-CHERI#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
There is another important caveat: we have to conservatively assume that
the copy affects adjacent data (e.g. C++ subclass fields) that could
hold capabilities if we don't know the copy size. If the copy size is
<= sizeof(T), we can mark copies as non-tag-preserving since it cannot
affect trailing fields (even if we are actually copying a subclass).
We are also conservative if the structure contains an array of type
((un)signed) char or std::byte since those are often used to store
arbitrary data (including capabilities). We could make this check more
strict and require the array to be capability aligned, but that could be
done as a follow-up change.
arichardson
force-pushed
the
memcpy-no-tags
branch
from
d4dc697
to
3712d60
Compare
|
I've dropped all the more complex logic from this patch - should be easier to review now. |
arichardson
commented
Oct 5, 2022
| if (Ty->isCHERICapabilityType(*this)) | ||
| return false; | ||
| else if (const RecordType *RT = Ty->getAs<RecordType>()) { | ||
| if (!cannotContainCapabilities(RT->getDecl())) |
There was a problem hiding this comment.
The double negatives make this function implementation rather ugly, but I think it makes more sense for callers such as CodeGenTypes::copyShouldPreserveTagsForPointee().
arichardson
added a commit
that referenced
this pull request
Oct 6, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
There is another important caveat: we have to conservatively assume that
the copy affects adjacent data (e.g. C++ subclass fields) that could
hold capabilities if we don't know the copy size. If the copy size is
<= sizeof(T), we can mark copies as non-tag-preserving since it cannot
affect trailing fields (even if we are actually copying a subclass).
We are also conservative if the structure contains an array of type
((un)signed) char or std::byte since those are often used to store
arbitrary data (including capabilities). We could make this check more
strict and require the array to be capability aligned, but that could be
done as a follow-up change.
arichardson
added a commit
that referenced
this pull request
Oct 6, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
There is another important caveat: we have to conservatively assume that
the copy affects adjacent data (e.g. C++ subclass fields) that could
hold capabilities if we don't know the copy size. If the copy size is
<= sizeof(T), we can mark copies as non-tag-preserving since it cannot
affect trailing fields (even if we are actually copying a subclass).
We are also conservative if the structure contains an array of type
((un)signed) char or std::byte since those are often used to store
arbitrary data (including capabilities). We could make this check more
strict and require the array to be capability aligned, but that could be
done as a follow-up change.
arichardson
added a commit
that referenced
this pull request
Oct 6, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
There is another important caveat: we have to conservatively assume that
the copy affects adjacent data (e.g. C++ subclass fields) that could
hold capabilities if we don't know the copy size. If the copy size is
<= sizeof(T), we can mark copies as non-tag-preserving since it cannot
affect trailing fields (even if we are actually copying a subclass).
We are also conservative if the structure contains an array of type
((un)signed) char or std::byte since those are often used to store
arbitrary data (including capabilities). We could make this check more
strict and require the array to be capability aligned, but that could be
done as a follow-up change.
arichardson
added a commit
that referenced
this pull request
Oct 7, 2022
This allows inlining of structure assignments for structs that are at
least capability size but do not contain any capabilities (e.g.
`struct { long a; long b; }`). We can also set the attribute for all
trivial auto var-init cases since those patterns never contain valid
capabilities.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from `long*`
as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
#506:
```
void *malloc(__SIZE_TYPE__);
void *memcpy(void *, const void *, __SIZE_TYPE__);
void foo(long **p, long **q) {
*p = malloc(32);
*q = malloc(32);
(*p)[0] = 1;
(*p)[1] = 2;
*(void (**)(long **, long **))(*p + 2) = &foo;
memcpy(*q, *p, 32);
}
```
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99:
```
The effective type of an object for an access to its stored value is the
declared type of the object, if any (footnote 75: Allocated objects have
no declared type).
If a value is stored into an object having no declared type through an
lvalue having a type that is not a character type, then the type of the
lvalue becomes the effective type of the object for that access and for
subsequent accesses that do not modify the stored value.
If a value is copied into an object having no declared type using memcpy
or memmove, or is copied as an array of character type, then the effective
type of the modified object for that access and for subsequent accesses
that do not modify the value is the effective type of the object from
which the value is copied, if it has one.
For all other accesses to an object having no declared type, the effective
type of the object is simply the type of the lvalue used for the access.
```
There is another important caveat: we have to conservatively assume that
the copy affects adjacent data (e.g. C++ subclass fields) that could
hold capabilities if we don't know the copy size. If the copy size is
<= sizeof(T), we can mark copies as non-tag-preserving since it cannot
affect trailing fields (even if we are actually copying a subclass).
We are also conservative if the structure contains an array of type
((un)signed) char or std::byte since those are often used to store
arbitrary data (including capabilities). We could make this check more
strict and require the array to be capability aligned, but that could be
done as a follow-up change.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request allows inlining of memcpy/memmove for structures/types
that are guaranteed to not contain tags if the size is >= cap_size.
The motivating case for this is that we currently call memcpy when
performing structure assignment for struct { long a; long b;} rather than
using two loads+stores.
The backends still conservatively assume that a copy may contain capabilities
if sizeof(void*), but at least we can now inline copies that are explicitly marked
as non-tag-preserving.
We do this by adding a new no_preserve_cheri_tags attribute. If
neither no_preserve_cheri_tags nor must_preserve_cheri_tags is set
we still fall back to the conservative behaviour of calling memcpy for
size>cap_size && align < cap_align.
Due to C's effective type rules, we have to be careful when setting the
attribute and only perform the type-base tag-preservation analysis if we
know the effective type. For example, marking a memcpy() to/from
long*as not tag-preserving could result in tag stripping for code that uses
type casts. Such code is correct even under strict aliasing rules since
the first store to a memory location determines the type. Example from
#506:
Despite the memcpy() argument being a long* (and therefore intuitively
not tag preserving), we can't add the attribute since we don't actually
know the type of the underlying object (malloc creates an allocated with
no declared type). From C99: