From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id DDED04865E
	for <ffmpegdev@gitmailbox.com>; Sat, 13 Jan 2024 15:24:19 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2D1FB68A998;
	Sat, 13 Jan 2024 17:24:15 +0200 (EET)
Received: from btbn.de (btbn.de [144.76.60.213])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9929568A998
 for <ffmpeg-devel@ffmpeg.org>; Sat, 13 Jan 2024 17:24:08 +0200 (EET)
Received: from [authenticated] by btbn.de (Postfix) with ESMTPSA id
 013342819FC21
 for <ffmpeg-devel@ffmpeg.org>; Sat, 13 Jan 2024 16:24:05 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rothenpieler.org;
 s=mail; t=1705159446;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=3r5XH3O+MIICEt6z6rO2THQ6xIPFGAZzdOIJP5xXu4c=;
 b=smcsrvUC4u/TbANi8NRypxBqRuyaNJ5DXpDIISuBYVPoZMuTPkMTz11Sk6WDDPIzO4hFe9
 kfGZSW/j+iPHJYaCKm4hnfClaG+oJd3yRfKAcv1rFM5851df1BIV8tbu0jJUmtUVzB558P
 z++e+XNndhA116rTuXzAz6QYUiCkjBhSnOYf6DWGapM7tLC5YggGQRpTEg8u+mjcP5gG8k
 uHc+5DKsfYKUGQDF05vwCp2xM+FIrGobsox7er58QEXWPb3CTsHktadyPSwcKpl4dbvaFh
 TGnx5h8JrUEW8AeyJ5IC2qLd2+slh28cRWA4jIW3LuenJYyvQCiPRJJSMZe9+g==
Message-ID: <5ad10a28-47be-4f7e-8157-da07cf3a8d62@rothenpieler.org>
Date: Sat, 13 Jan 2024 16:24:04 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ffmpeg-devel@ffmpeg.org
References: <9ecc9fe5-d75b-41f7-8476-2e69c58951fd@rothenpieler.org>
 <20240113005716.16018-1-timo@rothenpieler.org>
Content-Language: en-US
From: Timo Rothenpieler <timo@rothenpieler.org>
In-Reply-To: <20240113005716.16018-1-timo@rothenpieler.org>
Subject: Re: [FFmpeg-devel] [PATCH] avutil/mem: limit alignment to maximum
 simg align
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/5ad10a28-47be-4f7e-8157-da07cf3a8d62@rothenpieler.org/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 13.01.2024 01:57, Timo Rothenpieler wrote:
> FFmpeg has instances of DECLARE_ALIGNED(32, ...) in a lot of structs,
> which then end up heap-allocated.
> By declaring any variable in a struct, or tree of structs, to be 32 byte
> aligned, it allows the compiler to safely assume the entire struct
> itself is also 32 byte aligned.
> 
> This might make the compiler emit code which straight up crashes or
> misbehaves in other ways, and at least in one instances is now
> documented to actually do (see ticket 10549 on trac).
> The issue there is that an unrelated variable in SingleChannelElement is
> declared to have an alignment of 32 bytes. So if the compiler does a copy
> in decode_cpe() with avx instructions, but ffmpeg is built with
> --disable-avx, this results in a crash, since the memory is only 16 byte
> aligned.
> 
> Mind you, even if the compiler does not emit avx instructions, the code
> is still invalid and could misbehave. It just happens not to. Declaring
> any variable in a struct with a 32 byte alignment promises 32 byte
> alignment of the whole struct to the compiler.
> 
> This patch limits the maximum alignment to the maximum possible simd
> alignment according to configure.
> While not perfect, it at the very least gets rid of a lot of UB, by
> matching up the maximum DECLARE_ALIGNED value with the alignment of heap
> allocations done by lavu.
> ---
>   libavutil/mem.c          |  2 +-
>   libavutil/mem_internal.h | 20 +++++++++++---------
>   2 files changed, 12 insertions(+), 10 deletions(-)
> 
> diff --git a/libavutil/mem.c b/libavutil/mem.c
> index 36b8940a0c..62163b4cb3 100644
> --- a/libavutil/mem.c
> +++ b/libavutil/mem.c
> @@ -62,7 +62,7 @@ void  free(void *ptr);
>   
>   #endif /* MALLOC_PREFIX */
>   
> -#define ALIGN (HAVE_AVX512 ? 64 : (HAVE_AVX ? 32 : 16))
> +#define ALIGN (HAVE_SIMD_ALIGN_64 ? 64 : (HAVE_SIMD_ALIGN_32 ? 32 : 16))
>   
>   /* NOTE: if you want to override these functions with your own
>    * implementations (not recommended) you have to link libav* as
> diff --git a/libavutil/mem_internal.h b/libavutil/mem_internal.h
> index 2448c606f1..ddd3c24806 100644
> --- a/libavutil/mem_internal.h
> +++ b/libavutil/mem_internal.h
> @@ -75,22 +75,24 @@
>    * @param v Name of the variable
>    */
>   
> +#define MAX_ALIGNMENT (HAVE_SIMD_ALIGN_64 ? 64 : (HAVE_SIMD_ALIGN_32 ? 32 : 16))
> +
>   #if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 1110 || defined(__SUNPRO_C)
> -    #define DECLARE_ALIGNED(n,t,v)      t __attribute__ ((aligned (n))) v
> -    #define DECLARE_ASM_ALIGNED(n,t,v)  t __attribute__ ((aligned (n))) v
> -    #define DECLARE_ASM_CONST(n,t,v)    const t __attribute__ ((aligned (n))) v
> +    #define DECLARE_ALIGNED(n,t,v)      t __attribute__ ((aligned (FFMIN(n, MAX_ALIGNMENT)))) v
> +    #define DECLARE_ASM_ALIGNED(n,t,v)  t __attribute__ ((aligned (FFMIN(n, MAX_ALIGNMENT)))) v
> +    #define DECLARE_ASM_CONST(n,t,v)    const t __attribute__ ((aligned (FFMIN(n, MAX_ALIGNMENT)))) v
>   #elif defined(__DJGPP__)
>       #define DECLARE_ALIGNED(n,t,v)      t __attribute__ ((aligned (FFMIN(n, 16)))) v
>       #define DECLARE_ASM_ALIGNED(n,t,v)  t av_used __attribute__ ((aligned (FFMIN(n, 16)))) v
>       #define DECLARE_ASM_CONST(n,t,v)    static const t av_used __attribute__ ((aligned (FFMIN(n, 16)))) v
>   #elif defined(__GNUC__) || defined(__clang__)
> -    #define DECLARE_ALIGNED(n,t,v)      t __attribute__ ((aligned (n))) v
> -    #define DECLARE_ASM_ALIGNED(n,t,v)  t av_used __attribute__ ((aligned (n))) v
> -    #define DECLARE_ASM_CONST(n,t,v)    static const t av_used __attribute__ ((aligned (n))) v
> +    #define DECLARE_ALIGNED(n,t,v)      t __attribute__ ((aligned (FFMIN(n, MAX_ALIGNMENT)))) v
> +    #define DECLARE_ASM_ALIGNED(n,t,v)  t av_used __attribute__ ((aligned (FFMIN(n, MAX_ALIGNMENT)))) v
> +    #define DECLARE_ASM_CONST(n,t,v)    static const t av_used __attribute__ ((aligned (FFMIN(n, MAX_ALIGNMENT)))) v
>   #elif defined(_MSC_VER)
> -    #define DECLARE_ALIGNED(n,t,v)      __declspec(align(n)) t v
> -    #define DECLARE_ASM_ALIGNED(n,t,v)  __declspec(align(n)) t v
> -    #define DECLARE_ASM_CONST(n,t,v)    __declspec(align(n)) static const t v
> +    #define DECLARE_ALIGNED(n,t,v)      __declspec(align(FFMIN(n, MAX_ALIGNMENT))) t v
> +    #define DECLARE_ASM_ALIGNED(n,t,v)  __declspec(align(FFMIN(n, MAX_ALIGNMENT))) t v
> +    #define DECLARE_ASM_CONST(n,t,v)    __declspec(align(FFMIN(n, MAX_ALIGNMENT))) static const t v

Just checked, this does in fact not work with msvc:
libavfilter/af_arnndn.c(122): error C2059: Syntaxfehler: "("

So I guess for MSVC, the alignment will always have to be the full 32 or 64.

>   #else
>       #define DECLARE_ALIGNED(n,t,v)      t v
>       #define DECLARE_ASM_ALIGNED(n,t,v)  t v
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".