Thanks Jakub for the explanation, I have a try like below patch but I am not
quite sure it is expected, and where should I put the assertion.
> If yes, it needs to
> be unsigned short, if not, we should add an assertion (e.g. on streaming
> in the LTO table) that MAX_MACHINE_MODE <= 256.
diff --git a/gcc/lto-streamer-in.cc b/gcc/lto-streamer-in.cc
index 2cb83406db5..93ef97ec5d3 100644
--- a/gcc/lto-streamer-in.cc
+++ b/gcc/lto-streamer-in.cc
@@ -1985,8 +1985,6 @@ lto_input_mode_table (struct lto_file_decl_data
*file_data)
internal_error ("cannot read LTO mode table from %s",
file_data->file_name);
- unsigned char *table = ggc_cleared_vec_alloc<unsigned char> (1 << 8);
- file_data->mode_table = table;
const struct lto_simple_header_with_strings *header
= (const struct lto_simple_header_with_strings *) data;
int string_offset;
@@ -1994,6 +1992,9 @@ lto_input_mode_table (struct lto_file_decl_data
*file_data)
string_offset = sizeof (*header) + header->main_size;
lto_input_block ib (data + sizeof (*header), header->main_size, NULL);
+ unsigned char *table = ggc_cleared_vec_alloc<unsigned char> (
+ 1 << ib.mode_bits);
+ file_data->mode_table = table;
data_in = lto_data_in_create (file_data, data + string_offset,
header->string_size, vNULL);
bitpack_d bp = streamer_read_bitpack (&ib);
@@ -2001,13 +2002,13 @@ lto_input_mode_table (struct lto_file_decl_data
*file_data)
table[VOIDmode] = VOIDmode;
table[BLKmode] = BLKmode;
unsigned int m;
- while ((m = bp_unpack_value (&bp, 8)) != VOIDmode)
+ while ((m = bp_unpack_value (&bp, ib.mode_bits)) != VOIDmode)
{
enum mode_class mclass
= bp_unpack_enum (&bp, mode_class, MAX_MODE_CLASS);
poly_uint16 size = bp_unpack_poly_value (&bp, 16);
poly_uint16 prec = bp_unpack_poly_value (&bp, 16);
- machine_mode inner = (machine_mode) bp_unpack_value (&bp, 8);
+ machine_mode inner = (machine_mode) bp_unpack_value (&bp, ib.mode_bits);
poly_uint16 nunits = bp_unpack_poly_value (&bp, 16);
unsigned int ibit = 0, fbit = 0;
unsigned int real_fmt_len = 0;
@@ -2018,8 +2019,8 @@ lto_input_mode_table (struct lto_file_decl_data
*file_data)
case MODE_UFRACT:
case MODE_ACCUM:
case MODE_UACCUM:
- ibit = bp_unpack_value (&bp, 8);
- fbit = bp_unpack_value (&bp, 8);
+ ibit = bp_unpack_value (&bp, ib.mode_bits);
+ fbit = bp_unpack_value (&bp, ib.mode_bits);
break;
case MODE_FLOAT:
case MODE_DECIMAL_FLOAT:
diff --git a/gcc/lto-streamer.h b/gcc/lto-streamer.h
index fc7133d07ba..f1d826d59e4 100644
--- a/gcc/lto-streamer.h
+++ b/gcc/lto-streamer.h
@@ -352,6 +352,8 @@ public:
const char *data;
const unsigned char *mode_table;
+ /* Indicates how many bits of one machine mode will have. */
+ const unsigned int mode_bits = ceil_log2 (MAX_MACHINE_MODE) ;
unsigned int p;
unsigned int len;
};
diff --git a/gcc/tree-streamer.cc b/gcc/tree-streamer.cc
index ed65a7692e3..a28ef9c7920 100644
--- a/gcc/tree-streamer.cc
+++ b/gcc/tree-streamer.cc
@@ -35,7 +35,7 @@ along with GCC; see the file COPYING3. If not see
During streaming in, we translate the on the disk mode using this
table. For normal LTO it is set to identity, for ACCEL_COMPILER
depending on the mode_table content. */
-unsigned char streamer_mode_table[1 << 8];
+unsigned char streamer_mode_table[MAX_MACHINE_MODE];
/* Check that all the TS_* structures handled by the streamer_write_* and
streamer_read_* routines are exactly ALL the structures defined in
diff --git a/gcc/tree-streamer.h b/gcc/tree-streamer.h
index 170d61cf20b..9aa248cd2f5 100644
--- a/gcc/tree-streamer.h
+++ b/gcc/tree-streamer.h
@@ -75,7 +75,7 @@ void streamer_write_tree_body (struct output_block *, tree);
void streamer_write_integer_cst (struct output_block *, tree);
/* In tree-streamer.cc. */
-extern unsigned char streamer_mode_table[1 << 8];
+extern unsigned char streamer_mode_table[MAX_MACHINE_MODE];
void streamer_check_handled_ts_structures (void);
bool streamer_tree_cache_insert (struct streamer_tree_cache_d *, tree,
hashval_t, unsigned *);
@@ -108,15 +108,18 @@ inline void
bp_pack_machine_mode (struct bitpack_d *bp, machine_mode mode)
{
streamer_mode_table[mode] = 1;
- bp_pack_enum (bp, machine_mode, 1 << 8, mode);
+ int last = 1 << ceil_log2 (MAX_MACHINE_MODE);
+
+ bp_pack_enum (bp, machine_mode, last, mode);
}
inline machine_mode
bp_unpack_machine_mode (struct bitpack_d *bp)
{
- return (machine_mode)
- ((class lto_input_block *)
- bp->stream)->mode_table[bp_unpack_enum (bp, machine_mode, 1 << 8)];
+ lto_input_block *input_block = (class lto_input_block *)bp->stream;
+ int index = bp_unpack_enum (bp, machine_mode, input_block->mode_bits);
+
+ return (machine_mode)input_block->mode_table[index];
}
#endif /* GCC_TREE_STREAMER_H */
Pan
-----Original Message-----
From: Jakub Jelinek <ja...@redhat.com>
Sent: Tuesday, June 20, 2023 4:04 PM
To: Li, Pan2 <pan2...@intel.com>
Cc: gcc-patches@gcc.gnu.org; juzhe.zh...@rivai.ai; rdapp....@gmail.com;
jeffreya...@gmail.com; Wang, Yanzhang <yanzhang.w...@intel.com>;
kito.ch...@gmail.com; rguent...@suse.de
Subject: Re: [PATCH] RISC-V: Fix out of range memory access of machine mode
table
On Tue, Jun 20, 2023 at 07:50:00AM +0000, Li, Pan2 wrote:
> Hi Jakub,
>
> Thanks for reviewing but I am not quite sure if I fully understand how to fix
> this issue. Could you please help to enlighten me more about this ?
>
> Currently for RISC-V, the memset has touched out of range memory already due
> to MAX_MACHINE_MODE > 256. And we may have below parts require adjusting.
>
> 1. streamer_mode_table.
> 2. bp_unpack_machine_mode/bp_pack_machine_mode
> 3. bp_pack_value/bp_unpack_value in lto_write_mode_table.
> 4. unsigned char *table = ggc_cleared_vec_alloc<unsigned char> (1 << 8) in
> lto_input_mode_table.
>
> For 1. is safe to extend the size to MAX_MACHINE_MODE as the array only used
> as Boolean, aka streamer_mode_table[XXXmode] = 1.
Because the array is used only during stream out, that is safe.
> For 2 & 3. Keep 1 << 8 as is, or stream out the host MAX_MACHINE_MODE value
> somewhere for underlying consuming?
You can't keep 1 << 8, otherwise you won't stream all the bits.
I think you want to use 1 << ceil_log2 (MAX_MACHINE_MODE) on the stream out
side, stream that ceil_log2 (MAX_MACHINE_MODE) value somewhere at the start
of the mode table, add some field next to mode_table in lto_input_block
which will contain that value (and make sure to initialize it to
ceil_log2 (MAX_MACHINE_MODE) in case mode table isn't streamed in and use
1 << ...->mode_bits in e.g. bp_unpack_machine_mode
Or for cases where 8 was used before use ceil_log2 (MAX_MACHINE_MODE)
or mode_bits.
> For 4, one possible approach is that extend unsigned char to unsigned short,
> as well as 256 to MAX_MACHINE_MODE. Because it stores the actually machine
> mode in array.
The 1 << 8 needs to be similarly 1 << ...->mode_bits or ...->num_modes (that
is also streamed out and in), it is sized by the host number of modes.
Whether it is unsigned char or unsigned short array depends on if we
want to support offloading targets with > 256 modes. If yes, it needs to
be unsigned short, if not, we should add an assertion (e.g. on streaming
in the LTO table) that MAX_MACHINE_MODE <= 256.
Jakub
