master: Build failure in malloc with GCC 7

Message ID	dc70486d-358a-c979-def3-f48778c32147@redhat.com
State	New
Headers	show Return-Path: <libc-alpha-return-82053-incoming=patchwork.ozlabs.org@sourceware.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:subject:to:cc:references:from:message-id:date :mime-version:in-reply-to:content-type; q=dns; s=default; b=mLiG FqZTwQSYYPHpGdtc3MgaNQkyH1PXAS4Hhs4TT7mvUqKcwJSrfLLPtrHZCHVPQJv5 Dme2edlmDceXEJzu/T4Vnvidx3jGNMRKnByty/G90cq/SO0FyZDQh0gj6pBm1Eb+ 0A6CbcuNSmL4MZG/1OolQYieYx1qNSJLXdY/d3U= Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 28FC580C1D Subject: Re: master: Build failure in malloc with GCC 7 To: Andreas Schwab <schwab@suse.de> Cc: GNU C Library <libc-alpha@sourceware.org>, DJ Delorie <dj@redhat.com>, Carlos O'Donell <carlos@redhat.com> References: <53780a28-ff3e-0c60-f9b2-f16f9580667d@redhat.com> <mvm60ey9gyx.fsf@suse.de> <8a31493c-6778-ca10-7469-77fff10b8b42@redhat.com> <a0e2feeb-4f0e-29f5-f0e2-c44f848ac3a5@redhat.com> <mvmd19596u2.fsf@suse.de> From: Florian Weimer <fweimer@redhat.com> Message-ID: <dc70486d-358a-c979-def3-f48778c32147@redhat.com> Date: Wed, 12 Jul 2017 14:58:11 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <mvmd19596u2.fsf@suse.de> Content-Type: multipart/mixed; boundary="------------7358851402D0DD0FBC4A55BD"

Message ID

dc70486d-358a-c979-def3-f48778c32147@redhat.com

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:cc:references:from:message-id:date
	:mime-version:in-reply-to:content-type; q=dns; s=default; b=mLiG
	FqZTwQSYYPHpGdtc3MgaNQkyH1PXAS4Hhs4TT7mvUqKcwJSrfLLPtrHZCHVPQJv5
	Dme2edlmDceXEJzu/T4Vnvidx3jGNMRKnByty/G90cq/SO0FyZDQh0gj6pBm1Eb+
	0A6CbcuNSmL4MZG/1OolQYieYx1qNSJLXdY/d3U=
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 28FC580C1D
Subject: Re: master: Build failure in malloc with GCC 7
To: Andreas Schwab <schwab@suse.de>
Cc: GNU C Library <libc-alpha@sourceware.org>, DJ Delorie <dj@redhat.com>,
	Carlos O'Donell <carlos@redhat.com>
References: <53780a28-ff3e-0c60-f9b2-f16f9580667d@redhat.com>
	<mvm60ey9gyx.fsf@suse.de>
	<8a31493c-6778-ca10-7469-77fff10b8b42@redhat.com>
	<a0e2feeb-4f0e-29f5-f0e2-c44f848ac3a5@redhat.com>
	<mvmd19596u2.fsf@suse.de>
From: Florian Weimer <fweimer@redhat.com>
Message-ID: <dc70486d-358a-c979-def3-f48778c32147@redhat.com>
Date: Wed, 12 Jul 2017 14:58:11 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
	Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <mvmd19596u2.fsf@suse.de>
Content-Type: multipart/mixed;
	boundary="------------7358851402D0DD0FBC4A55BD"

Commit Message

Florian Weimer July 12, 2017, 12:58 p.m. UTC

On 07/12/2017 02:29 PM, Andreas Schwab wrote:
> On Jul 12 2017, Florian Weimer <fweimer@redhat.com> wrote:
> 
>> The attached patch adds an assert which reveals to the GCC optimizers
>> that the global_max_fast can never MAX_FAST_SIZE, so this particular
>> issue goes away.  However, there is a cost in terms of code size because
>> it affects many places in malloc.
> 
> Can __builtin_unreachable avoid the runtime overhead?

Interesting idea.  I have never used __builtin_unreachable before, I think.

Current master:

   text    data     bss     dec     hex filename
  64592    2392     104   67088   10610 /root/build/malloc/malloc.o

My second patch:

   text    data     bss     dec     hex filename
  64424    2392     104   66920   10568 /root/build/malloc/malloc.o

Attached patch:

   text    data     bss     dec     hex filename
  64504    2392     104   67000   105b8 /root/build/malloc/malloc.o

Looking at the GIMPLE dumps, the code is somewhat improved over my
second patch.

Thanks,
Florian

Comments

Zack Weinberg July 12, 2017, 2:27 p.m. UTC | #1

On Wed, Jul 12, 2017 at 8:58 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 07/12/2017 02:29 PM, Andreas Schwab wrote:
>> On Jul 12 2017, Florian Weimer <fweimer@redhat.com> wrote:
>>
>>> The attached patch adds an assert which reveals to the GCC optimizers
>>> that the global_max_fast can never MAX_FAST_SIZE, so this particular
>>> issue goes away.  However, there is a cost in terms of code size because
>>> it affects many places in malloc.
>>
>> Can __builtin_unreachable avoid the runtime overhead?
>
> Interesting idea.  I have never used __builtin_unreachable before, I think.

I think this code should be defensive against the possibility of
global_max_fast somehow getting corrupted.  What about

+static inline INTERNAL_SIZE_T
+get_max_fast (void)
+{
+  /* If this function ever returns a value larger than MAX_FAST_SIZE,
+     _int_malloc will make out-of-bounds array accesses.  It should be
+     impossible for global_max_fast to become larger than than
+     MAX_FAST_SIZE, but as an extra precaution, limit the value here
+     as well.  */
+  if (global_max_fast > MAX_FAST_SIZE)
+    return MAX_FAST_SIZE;
+  return global_max_fast;
+}

Zack Weinberg July 12, 2017, 2:29 p.m. UTC | #2

On Wed, Jul 12, 2017 at 10:27 AM, Zack Weinberg <zackw@panix.com> wrote:
> +     impossible for global_max_fast to become larger than than

Or without the double 'than',

+static inline INTERNAL_SIZE_T
+get_max_fast (void)
+{
+  /* If this function ever returns a value larger than MAX_FAST_SIZE,
+     _int_malloc will make out-of-bounds array accesses.  It should be
+     impossible for global_max_fast to become larger than MAX_FAST_SIZE,
+     but as an extra precaution, limit the value here as well.  */
+  if (global_max_fast > MAX_FAST_SIZE)
+    return MAX_FAST_SIZE;
+  return global_max_fast;
+}

Florian Weimer Aug. 10, 2017, 2 p.m. UTC | #3

On 08/03/2017 03:31 AM, Victor Rodriguez wrote:
> On Wed, Jul 12, 2017 at 5:43 PM, DJ Delorie <dj@redhat.com> wrote:
> 
>> I tested this patch and can measure no discernable performance
>> difference, so LGTM :-)
>>
>>
> Thanks for the patch , it works fine with  2.26 release
> 
> Any  reason why is not merged on master for 2.26 ?

I didn't get an ack from the RM.

Anyway, I pushed it now.  I will also backport it to the 2.26 branch.

Thanks,
Florian

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 54e406b..da7876a 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1658,6 +1658,9 @@  typedef struct malloc_chunk *mfastbinptr;
 #define arena_is_corrupt(A)	(((A)->flags & ARENA_CORRUPTION_BIT))
 #define set_arena_corrupt(A)	((A)->flags |= ARENA_CORRUPTION_BIT)
 
+/* Maximum size of memory handled in fastbins.  */
+static INTERNAL_SIZE_T global_max_fast;
+
 /*
    Set value of max_fast.
    Use impossibly small value if 0.
@@ -1668,8 +1671,20 @@  typedef struct malloc_chunk *mfastbinptr;
 #define set_max_fast(s) \
   global_max_fast = (((s) == 0)						      \
                      ? SMALLBIN_WIDTH : ((s + SIZE_SZ) & ~MALLOC_ALIGN_MASK))
-#define get_max_fast() global_max_fast
 
+static inline INTERNAL_SIZE_T
+get_max_fast (void)
+{
+  /* Tell the glibc optimizers that global_max_fast is never larger
+     than MAX_FAST_SIZE.  This avoids out-of-bounds array accesses in
+     _int_malloc after constant propagation of the size parameter.
+     (The code never executes because malloc preserves the
+     global_max_fast invariant, but the optimizers may not recognize
+     this.)  */
+  if (global_max_fast > MAX_FAST_SIZE)
+    __builtin_unreachable ();
+  return global_max_fast;
+}
 
 /*
    ----------- Internal state representation and initialization -----------
@@ -1797,9 +1812,6 @@  static struct malloc_par mp_ =
 #endif
 };
 
-/* Maximum size of memory handled in fastbins.  */
-static INTERNAL_SIZE_T global_max_fast;
-
 /*
    Initialize a malloc_state struct.

master: Build failure in malloc with GCC 7

Commit Message

Comments

Patch