I'm using uclibc built with dragonegg-3.2 / gcc-4.6, and ran into a
problem in which:
* uclibc's realloc malloc()'s some memory
* realloc then uses (malloc'd pointer) - some offset to find the true
* MemoryDependenceAnalysis (MDA) regards load from (malloc() call + any
offset) to be undefined, and replaces the size read with 0.
* All manner of chaos results when that value is used.
Obviously the problem is that MDA assumes a load from malloc without an
intervening store is undefined, but that assumption is unreasonable when
you're building parts of the allocator itself. It looks like LLVM makes
a little effort to spot that situation (it won't enforce malloc's
contract if the malloc function has a definition), but from the point of
view of building the realloc call, malloc is an external declaration just
like for a program using libc.
For now I've added a flag to MDA such that malloc clobbers rather than
resolving to undef; however I was wondering if there is a "proper" way
to do this with any compiler targeting LLVM?
If it's actually not solved already, I'd suggest that instead of
assuming "derived from malloc -> undef" it could be better to leave such
loads alone unless they are provably within the bounds of the allocation
- so malloc(n) yields n bytes of undef, but clobbers out-of-bounds
pointers derived from the same malloc.

Re: Disabling special treatment of "malloc" function
On 08/09/13 16:36, Tim Northover wrote:
>> For now I've added a flag to MDA such that malloc clobbers rather than
>> resolving to undef; however I was wondering if there is a "proper" way to do
>> this with any compiler targeting LLVM?
> Clang has an option "-fno-builtin" that disables such assumptions (by
> adding the attribute "nobuiltin" to the relevant callsites by the
> looks of it). Is that useful to you?
That works; unfortunately I was using Dragonegg and would rather not
switch at this point.
For the benefit of Googlers, it appears that Clang -fno-builtin leads to
a call to TargetLibraryInfo::disableAllFunctions, but Dragonegg-3.2
never calls it.
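To make the IR shape of the problem concrete, here is a small LLVM module written for this note; it is not code from the thread, from uclibc or from Dragonegg. It assumes the typed-pointer IR syntax and the nobuiltin call-site attribute of LLVM 3.3 (the attribute Tim Northover says Clang's -fno-builtin adds); the function names and the 8-byte header offset are made up for illustration and do not reflect uclibc's real chunk layout.

```llvm
; Constructed illustration, not code from the thread. Two copies of the
; same pattern: call an externally declared malloc, then read allocator
; metadata that lives just below the returned pointer, which is what a
; realloc built on top of an external malloc does.

declare i8* @malloc(i64)

; No attribute on the call site: LLVM recognises @malloc by name as the
; libc allocator, so the fresh block is undef and MDA/GVN is free to
; fold the load below it (the "size read replaced with 0" symptom from
; the first post).
define i64 @size_below_builtin(i64 %n) {
entry:
  %raw = call i8* @malloc(i64 %n)
  %hdr = getelementptr i8* %raw, i64 -8
  %hdrp = bitcast i8* %hdr to i64*
  %size = load i64* %hdrp
  ret i64 %size
}

; nobuiltin on the call site (what Clang's -fno-builtin produces): @malloc
; is now an opaque external call that may clobber memory, so the load
; that follows it has to survive.
define i64 @size_below_nobuiltin(i64 %n) {
entry:
  %raw = call i8* @malloc(i64 %n) #0
  %hdr = getelementptr i8* %raw, i64 -8
  %hdrp = bitcast i8* %hdr to i64*
  %size = load i64* %hdrp
  ret i64 %size
}

attributes #0 = { nobuiltin }
```

To check which treatment a given toolchain applies, run `opt -O2 -S` over the module and compare the two functions: the behaviour the thread describes predicts that the load in the first function is optimised away while the second keeps it. Note that nothing on the declaration itself marks @malloc as special; recognition is by name plus the absence of nobuiltin, which is exactly why an external declaration inside a library's own realloc gets the libc treatment, and why a front end that never calls TargetLibraryInfo::disableAllFunctions (or emits nobuiltin) leaves allocator code exposed.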