alive2 icon indicating copy to clipboard operation
alive2 copied to clipboard
verified publisher icon AliveToolkit

new semantics for object size

Open nunoplopes opened this issue 5 months ago • 6 comments

This is going to be a nightmare.. we need to predict the future to evaluate gep inbounds. Not clear if it's path sensitive or not, but it precludes the construction of a precise step-by-step interpreter regardless. https://github.com/llvm/llvm-project/pull/141338

nunoplopes avatar Jul 23 '25 12:07 nunoplopes

This is going to be a nightmare.. we need to predict the future to evaluate gep inbounds. Not clear if it's path sensitive or not, but it precludes the construction of a precise step-by-step interpreter regardless. llvm/llvm-project#141338

The wording explicitly does not require predicting the future. GEP inbounds for growable allocations always refers to the maximum possible allocation size, independently of what maximum size it will actually reach.

nikic avatar Jul 23 '25 15:07 nikic

Yeah, an exact interpreter gets the max object size as an input. For the "native" allocation operations LLVM understands (alloca, malloc), max size == initial size.

RalfJung avatar Aug 17 '25 14:08 RalfJung

One thing that needs clarification in LangRef is what kind of memory() function attributes allow a function to increase the size of a block.

nunoplopes avatar Sep 09 '25 14:09 nunoplopes

One thing that needs clarification in LangRef is what kind of memory() function attributes allow a function to increase the size of a block.

I'd assume that growing an object would count as a write effect on that object, so you'd need whatever contains that (e.g. argmem: write if passed via argument).

nikic avatar Sep 10 '25 13:09 nikic

One thing that needs clarification in LangRef is what kind of memory() function attributes allow a function to increase the size of a block.

I'd assume that growing an object would count as a write effect on that object, so you'd need whatever contains that (e.g. argmem: write if passed via argument).

I'm ok with that. But that can potentially block optimizations because a function that just extends the object size doesn't change the memory contents. But maybe it doesn't matter in practice. My initial confusion was because we usually tag allocation functions with inaccessible, but that wouldn't be sufficient here.

nunoplopes avatar Sep 11 '25 09:09 nunoplopes

One thing that needs clarification in LangRef is what kind of memory() function attributes allow a function to increase the size of a block.

I'd assume that growing an object would count as a write effect on that object, so you'd need whatever contains that (e.g. argmem: write if passed via argument).

I'm ok with that. But that can potentially block optimizations because a function that just extends the object size doesn't change the memory contents. But maybe it doesn't matter in practice.

Yeah, I don't think trying to distinguish write vs grow is going to be particularly valuable, as LLVM isn't going to be able to analyze these allocations particularly well anyway, and growing an allocation should be irrelevant in most context.

For shrinking an allocation (not allowed currently) we should consider "shrink" as a type of "free" for the purposes of nofree.

nikic avatar Sep 11 '25 11:09 nikic