gimple, internal-fn: Add IFN_TRAP and use it for __builtin_unreachable [PR106099]

  Hi!

__builtin_unreachable and __ubsan_handle_builtin_unreachable don't
use vops, they are marked const/leaf/noreturn/nothrow/cold.
But __builtin_trap uses vops, isn't const, just leaf/noreturn/nothrow/cold.
This is I believe so that when users explicitly use __builtin_trap in their
sources they get stores visible at the trap side.
-fsanitize=unreachable -fsanitize-undefined-trap-on-error used to transform
__builtin_unreachable to __builtin_trap even in the past, but the sanopt pass
has TODO_update_ssa, so it worked fine.

Now that gimple_build_builtin_unreachable can build a __builtin_trap call
right away, we can run into problems that whenever we need it we would need
to either manually or through TODO_update* ensure the vops being updated.

Though, as it is originally __builtin_unreachable which is just implemented
as trap, I think for this case it is fine to avoid vops.  For this the
patch introduces IFN_TRAP, which has ECF_* flags like __builtin_unreachable
and is expanded as __builtin_trap.

Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

2022-07-27  Jakub Jelinek  <jakub@redhat.com>

	PR tree-optimization/106099
	* internal-fn.def (TRAP): New internal fn.
	* internal-fn.h (expand_TRAP): Declare.
	* internal-fn.cc (expand_TRAP): Define.
	* gimple.cc (gimple_build_builtin_unreachable): For BUILT_IN_TRAP,
	use internal fn rather than builtin.

	* gcc.dg/ubsan/pr106099.c: New test.


	Jakub
  

On Wed, 27 Jul 2022, Jakub Jelinek wrote:

> Hi!
> 
> __builtin_unreachable and __ubsan_handle_builtin_unreachable don't
> use vops, they are marked const/leaf/noreturn/nothrow/cold.
> But __builtin_trap uses vops, isn't const, just leaf/noreturn/nothrow/cold.
> This is I believe so that when users explicitly use __builtin_trap in their
> sources they get stores visible at the trap side.
> -fsanitize=unreachable -fsanitize-undefined-trap-on-error used to transform
> __builtin_unreachable to __builtin_trap even in the past, but the sanopt pass
> has TODO_update_ssa, so it worked fine.
> 
> Now that gimple_build_builtin_unreachable can build a __builtin_trap call
> right away, we can run into problems that whenever we need it we would need
> to either manually or through TODO_update* ensure the vops being updated.
> 
> Though, as it is originally __builtin_unreachable which is just implemented
> as trap, I think for this case it is fine to avoid vops.  For this the
> patch introduces IFN_TRAP, which has ECF_* flags like __builtin_unreachable
> and is expanded as __builtin_trap.
> 
> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

I think for the sake of sanitizing unreachable as trap this is OK
but it seems this isn't actually what is done.

I still think the original change fiddling with the unreachable decl
is wrong.  Likewise unrolling shouldn't use 
gimple_build_builtin_unreachable - it isn't sanitizing anything but
telling the middle-end to DCE a path.  IMHO only few select places
where the middle-end builds unreachable () should be using this
function (which means it probably shouldn't exist), like path
isolation which IIRC uses a trap anyway.

> 2022-07-27  Jakub Jelinek  <jakub@redhat.com>
> 
> 	PR tree-optimization/106099
> 	* internal-fn.def (TRAP): New internal fn.
> 	* internal-fn.h (expand_TRAP): Declare.
> 	* internal-fn.cc (expand_TRAP): Define.
> 	* gimple.cc (gimple_build_builtin_unreachable): For BUILT_IN_TRAP,
> 	use internal fn rather than builtin.
> 
> 	* gcc.dg/ubsan/pr106099.c: New test.
> 
> --- gcc/internal-fn.def.jj	2022-07-26 10:32:23.886269144 +0200
> +++ gcc/internal-fn.def	2022-07-26 11:40:41.799927048 +0200
> @@ -456,6 +456,10 @@ DEF_INTERNAL_FN (SHUFFLEVECTOR, ECF_CONS
>  /* <=> optimization.  */
>  DEF_INTERNAL_FN (SPACESHIP, ECF_CONST | ECF_LEAF | ECF_NOTHROW, NULL)
>  
> +/* __builtin_trap created from/for __builtin_unreachable.  */
> +DEF_INTERNAL_FN (TRAP, ECF_CONST | ECF_LEAF | ECF_NORETURN
> +		       | ECF_NOTHROW | ECF_COLD, NULL)
> +
>  #undef DEF_INTERNAL_INT_FN
>  #undef DEF_INTERNAL_FLT_FN
>  #undef DEF_INTERNAL_FLT_FLOATN_FN
> --- gcc/internal-fn.h.jj	2022-06-16 10:56:28.945385251 +0200
> +++ gcc/internal-fn.h	2022-07-26 11:45:50.483837472 +0200
> @@ -242,6 +242,7 @@ extern void expand_internal_call (intern
>  extern void expand_PHI (internal_fn, gcall *);
>  extern void expand_SHUFFLEVECTOR (internal_fn, gcall *);
>  extern void expand_SPACESHIP (internal_fn, gcall *);
> +extern void expand_TRAP (internal_fn, gcall *);
>  
>  extern bool vectorized_internal_fn_supported_p (internal_fn, tree);
>  
> --- gcc/internal-fn.cc.jj	2022-07-26 10:32:23.885269157 +0200
> +++ gcc/internal-fn.cc	2022-07-26 11:42:02.611856420 +0200
> @@ -4494,3 +4494,9 @@ expand_SPACESHIP (internal_fn, gcall *st
>    if (!rtx_equal_p (target, ops[0].value))
>      emit_move_insn (target, ops[0].value);
>  }
> +
> +void
> +expand_TRAP (internal_fn, gcall *)
> +{
> +  expand_builtin_trap ();
> +}
> --- gcc/gimple.cc.jj	2022-06-27 11:18:02.680058429 +0200
> +++ gcc/gimple.cc	2022-07-26 11:57:17.049760135 +0200
> @@ -430,7 +430,16 @@ gimple_build_builtin_unreachable (locati
>  {
>    tree data = NULL_TREE;
>    tree fn = sanitize_unreachable_fn (&data, loc);
> -  gcall *g = gimple_build_call (fn, data != NULL_TREE, data);
> +  gcall *g;
> +  if (DECL_FUNCTION_CODE (fn) != BUILT_IN_TRAP)
> +    g = gimple_build_call (fn, data != NULL_TREE, data);
> +  else
> +    {
> +      /* Instead of __builtin_trap use .TRAP, so that it doesn't
> +	 need vops.  */
> +      gcc_checking_assert (data == NULL_TREE);
> +      g = gimple_build_call_internal (IFN_TRAP, 0);
> +    }
>    gimple_set_location (g, loc);
>    return g;
>  }
> --- gcc/testsuite/gcc.dg/ubsan/pr106099.c.jj	2022-07-26 12:22:26.248156163 +0200
> +++ gcc/testsuite/gcc.dg/ubsan/pr106099.c	2022-07-26 11:34:25.660909186 +0200
> @@ -0,0 +1,10 @@
> +/* PR tree-optimization/106099 */
> +/* { dg-do compile } */
> +/* { dg-options "-O -fsanitize=unreachable -fsanitize-undefined-trap-on-error -fno-tree-ccp -fno-tree-dominator-opts" } */
> +
> +void
> +foo (void)
> +{
> +  for (unsigned i = 0; i == 0; i++)
> +    ;
> +}
> 
> 	Jakub
> 
>
  

On Wed, Jul 27, 2022 at 09:33:47AM +0000, Richard Biener wrote:
> > __builtin_unreachable and __ubsan_handle_builtin_unreachable don't
> > use vops, they are marked const/leaf/noreturn/nothrow/cold.
> > But __builtin_trap uses vops, isn't const, just leaf/noreturn/nothrow/cold.
> > This is I believe so that when users explicitly use __builtin_trap in their
> > sources they get stores visible at the trap side.
> > -fsanitize=unreachable -fsanitize-undefined-trap-on-error used to transform
> > __builtin_unreachable to __builtin_trap even in the past, but the sanopt pass
> > has TODO_update_ssa, so it worked fine.
> > 
> > Now that gimple_build_builtin_unreachable can build a __builtin_trap call
> > right away, we can run into problems that whenever we need it we would need
> > to either manually or through TODO_update* ensure the vops being updated.
> > 
> > Though, as it is originally __builtin_unreachable which is just implemented
> > as trap, I think for this case it is fine to avoid vops.  For this the
> > patch introduces IFN_TRAP, which has ECF_* flags like __builtin_unreachable
> > and is expanded as __builtin_trap.
> > 
> > Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?
> 
> I think for the sake of sanitizing unreachable as trap this is OK
> but it seems this isn't actually what is done.

We chose to sanitize not just explicit user __builtin_unreachable calls,
but also the internally generated __builtin_unreachable calls (with the
one exception of fall through to end of C++ function returning non-void,
which had before a separate sanitizer) and we've been doing it since 2013
when ubsan was added.
Even for the internally generated unreachable calls like those from
devirtualization or other reasons like ivcanon/unrolling, having the
possibility to get some runtime diagnostics or trap can be useful over
just falling through to random following code.
Previously we'd always emit __builtin_unreachable, then perhaps in some
cases could e.g. optimize it away (say if there is a guarding condition
around the implicitly added unreachable turning the condition into VRP
info and optimizing the conditional away), otherwise the sanopt pass
would turn those __builtin_unreachable calls into __builtin_trap.
With the recent changes, we don't run the sanopt pass when only
doing -fsanitize=unreachable (or -funrechable-traps) though, so we need
to emit the trap/__ubsan_handle_unreachable/__builtin_unreachable right
away.

	Jakub
  

On Wed, 27 Jul 2022, Jakub Jelinek wrote:

> On Wed, Jul 27, 2022 at 09:33:47AM +0000, Richard Biener wrote:
> > > __builtin_unreachable and __ubsan_handle_builtin_unreachable don't
> > > use vops, they are marked const/leaf/noreturn/nothrow/cold.
> > > But __builtin_trap uses vops, isn't const, just leaf/noreturn/nothrow/cold.
> > > This is I believe so that when users explicitly use __builtin_trap in their
> > > sources they get stores visible at the trap side.
> > > -fsanitize=unreachable -fsanitize-undefined-trap-on-error used to transform
> > > __builtin_unreachable to __builtin_trap even in the past, but the sanopt pass
> > > has TODO_update_ssa, so it worked fine.
> > > 
> > > Now that gimple_build_builtin_unreachable can build a __builtin_trap call
> > > right away, we can run into problems that whenever we need it we would need
> > > to either manually or through TODO_update* ensure the vops being updated.
> > > 
> > > Though, as it is originally __builtin_unreachable which is just implemented
> > > as trap, I think for this case it is fine to avoid vops.  For this the
> > > patch introduces IFN_TRAP, which has ECF_* flags like __builtin_unreachable
> > > and is expanded as __builtin_trap.
> > > 
> > > Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?
> > 
> > I think for the sake of sanitizing unreachable as trap this is OK
> > but it seems this isn't actually what is done.
> 
> We chose to sanitize not just explicit user __builtin_unreachable calls,
> but also the internally generated __builtin_unreachable calls (with the
> one exception of fall through to end of C++ function returning non-void,
> which had before a separate sanitizer) and we've been doing it since 2013
> when ubsan was added.
> Even for the internally generated unreachable calls like those from
> devirtualization or other reasons like ivcanon/unrolling, having the
> possibility to get some runtime diagnostics or trap can be useful over
> just falling through to random following code.

So at least for the unrolling use the intent is to have the
unreachable () fully elided by later passes.  Honza can correct me
if I'm wrong.  Using __builtin_trap from the start until sanopt
may prevent some of that from happening, keeping dead conditions
live, no?

> Previously we'd always emit __builtin_unreachable, then perhaps in some
> cases could e.g. optimize it away (say if there is a guarding condition
> around the implicitly added unreachable turning the condition into VRP
> info and optimizing the conditional away), otherwise the sanopt pass
> would turn those __builtin_unreachable calls into __builtin_trap.
> With the recent changes, we don't run the sanopt pass when only
> doing -fsanitize=unreachable (or -funrechable-traps) though, so we need
> to emit the trap/__ubsan_handle_unreachable/__builtin_unreachable right
> away.

Why did the recent changes not just replace __builtin_unreachable
at RTL expansion time?  Was the intent really to force the paths
to be kept live?  I can see that for user or frontend generated
unreachables but not so much for some of the middle-end ones.

Richard.
  

On Wed, Jul 27, 2022 at 10:09:34AM +0000, Richard Biener wrote:
> > We chose to sanitize not just explicit user __builtin_unreachable calls,
> > but also the internally generated __builtin_unreachable calls (with the
> > one exception of fall through to end of C++ function returning non-void,
> > which had before a separate sanitizer) and we've been doing it since 2013
> > when ubsan was added.
> > Even for the internally generated unreachable calls like those from
> > devirtualization or other reasons like ivcanon/unrolling, having the
> > possibility to get some runtime diagnostics or trap can be useful over
> > just falling through to random following code.
> 
> So at least for the unrolling use the intent is to have the
> unreachable () fully elided by later passes.  Honza can correct me
> if I'm wrong.  Using __builtin_trap from the start until sanopt
> may prevent some of that from happening, keeping dead conditions
> live, no?

That is true.
I guess changing the sanopt gate back and building __builtin_unreachable
only in the ivcanon/unrolling case is possible too.

Without or with this patch then, the advantage of the patch would be that
we wouldn't need to recompute vops if we replace unreachables with traps
during the sanopt pass.
> 
> > Previously we'd always emit __builtin_unreachable, then perhaps in some
> > cases could e.g. optimize it away (say if there is a guarding condition
> > around the implicitly added unreachable turning the condition into VRP
> > info and optimizing the conditional away), otherwise the sanopt pass
> > would turn those __builtin_unreachable calls into __builtin_trap.
> > With the recent changes, we don't run the sanopt pass when only
> > doing -fsanitize=unreachable (or -funrechable-traps) though, so we need
> > to emit the trap/__ubsan_handle_unreachable/__builtin_unreachable right
> > away.
> 
> Why did the recent changes not just replace __builtin_unreachable
> at RTL expansion time?  Was the intent really to force the paths
> to be kept live?  I can see that for user or frontend generated
> unreachables but not so much for some of the middle-end ones.

It is easier on GIMPLE and perhaps allows e.g. sharing the data for
__ubsan_handle_unreachable calls.  sanopt pass is quite late anyway.

	Jakub
  

On Wed, 27 Jul 2022, Jakub Jelinek wrote:

> On Wed, Jul 27, 2022 at 10:09:34AM +0000, Richard Biener wrote:
> > > We chose to sanitize not just explicit user __builtin_unreachable calls,
> > > but also the internally generated __builtin_unreachable calls (with the
> > > one exception of fall through to end of C++ function returning non-void,
> > > which had before a separate sanitizer) and we've been doing it since 2013
> > > when ubsan was added.
> > > Even for the internally generated unreachable calls like those from
> > > devirtualization or other reasons like ivcanon/unrolling, having the
> > > possibility to get some runtime diagnostics or trap can be useful over
> > > just falling through to random following code.
> > 
> > So at least for the unrolling use the intent is to have the
> > unreachable () fully elided by later passes.  Honza can correct me
> > if I'm wrong.  Using __builtin_trap from the start until sanopt
> > may prevent some of that from happening, keeping dead conditions
> > live, no?
> 
> That is true.
> I guess changing the sanopt gate back and building __builtin_unreachable
> only in the ivcanon/unrolling case is possible too.
> 
> Without or with this patch then, the advantage of the patch would be that
> we wouldn't need to recompute vops if we replace unreachables with traps
> during the sanopt pass.

Yes, as I said on that ground the patch is OK, but I think it doesn't
really address the few PRs that popped up after the earlier change.

Richard.

> > 
> > > Previously we'd always emit __builtin_unreachable, then perhaps in some
> > > cases could e.g. optimize it away (say if there is a guarding condition
> > > around the implicitly added unreachable turning the condition into VRP
> > > info and optimizing the conditional away), otherwise the sanopt pass
> > > would turn those __builtin_unreachable calls into __builtin_trap.
> > > With the recent changes, we don't run the sanopt pass when only
> > > doing -fsanitize=unreachable (or -funrechable-traps) though, so we need
> > > to emit the trap/__ubsan_handle_unreachable/__builtin_unreachable right
> > > away.
> > 
> > Why did the recent changes not just replace __builtin_unreachable
> > at RTL expansion time?  Was the intent really to force the paths
> > to be kept live?  I can see that for user or frontend generated
> > unreachables but not so much for some of the middle-end ones.
> 
> It is easier on GIMPLE and perhaps allows e.g. sharing the data for
> __ubsan_handle_unreachable calls.  sanopt pass is quite late anyway.
  

On 7/27/22 03:09, Richard Biener wrote:
> On Wed, 27 Jul 2022, Jakub Jelinek wrote:
> 
>> On Wed, Jul 27, 2022 at 09:33:47AM +0000, Richard Biener wrote:
>>>> __builtin_unreachable and __ubsan_handle_builtin_unreachable don't
>>>> use vops, they are marked const/leaf/noreturn/nothrow/cold.
>>>> But __builtin_trap uses vops, isn't const, just leaf/noreturn/nothrow/cold.
>>>> This is I believe so that when users explicitly use __builtin_trap in their
>>>> sources they get stores visible at the trap side.
>>>> -fsanitize=unreachable -fsanitize-undefined-trap-on-error used to transform
>>>> __builtin_unreachable to __builtin_trap even in the past, but the sanopt pass
>>>> has TODO_update_ssa, so it worked fine.
>>>>
>>>> Now that gimple_build_builtin_unreachable can build a __builtin_trap call
>>>> right away, we can run into problems that whenever we need it we would need
>>>> to either manually or through TODO_update* ensure the vops being updated.
>>>>
>>>> Though, as it is originally __builtin_unreachable which is just implemented
>>>> as trap, I think for this case it is fine to avoid vops.  For this the
>>>> patch introduces IFN_TRAP, which has ECF_* flags like __builtin_unreachable
>>>> and is expanded as __builtin_trap.
>>>>
>>>> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?
>>>
>>> I think for the sake of sanitizing unreachable as trap this is OK
>>> but it seems this isn't actually what is done.
>>
>> We chose to sanitize not just explicit user __builtin_unreachable calls,
>> but also the internally generated __builtin_unreachable calls (with the
>> one exception of fall through to end of C++ function returning non-void,
>> which had before a separate sanitizer) and we've been doing it since 2013
>> when ubsan was added.
>> Even for the internally generated unreachable calls like those from
>> devirtualization or other reasons like ivcanon/unrolling, having the
>> possibility to get some runtime diagnostics or trap can be useful over
>> just falling through to random following code.
> 
> So at least for the unrolling use the intent is to have the
> unreachable () fully elided by later passes.  Honza can correct me
> if I'm wrong.  Using __builtin_trap from the start until sanopt
> may prevent some of that from happening, keeping dead conditions
> live, no?
> 
>> Previously we'd always emit __builtin_unreachable, then perhaps in some
>> cases could e.g. optimize it away (say if there is a guarding condition
>> around the implicitly added unreachable turning the condition into VRP
>> info and optimizing the conditional away), otherwise the sanopt pass
>> would turn those __builtin_unreachable calls into __builtin_trap.
>> With the recent changes, we don't run the sanopt pass when only
>> doing -fsanitize=unreachable (or -funrechable-traps) though, so we need
>> to emit the trap/__ubsan_handle_unreachable/__builtin_unreachable right
>> away.
> 
> Why did the recent changes not just replace __builtin_unreachable
> at RTL expansion time?  Was the intent really to force the paths
> to be kept live?  I can see that for user or frontend generated
> unreachables but not so much for some of the middle-end ones.

Yes, the intent was to force user and frontend generated unreachables to 
be kept live, particularly the one for flowing off the end of a non-void 
function.  I have also wondered if treating middle-end unreachables the 
same was a mistake.

Jason