1 //===- MemoryBuiltins.cpp - Identify calls to memory builtins -------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This family of functions identifies calls to builtin functions that allocate 10 // or free memory. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "llvm/Analysis/MemoryBuiltins.h" 15 #include "llvm/ADT/APInt.h" 16 #include "llvm/ADT/STLExtras.h" 17 #include "llvm/ADT/Statistic.h" 18 #include "llvm/Analysis/AliasAnalysis.h" 19 #include "llvm/Analysis/TargetFolder.h" 20 #include "llvm/Analysis/TargetLibraryInfo.h" 21 #include "llvm/Analysis/Utils/Local.h" 22 #include "llvm/Analysis/ValueTracking.h" 23 #include "llvm/IR/Argument.h" 24 #include "llvm/IR/Attributes.h" 25 #include "llvm/IR/Constants.h" 26 #include "llvm/IR/DataLayout.h" 27 #include "llvm/IR/DerivedTypes.h" 28 #include "llvm/IR/Function.h" 29 #include "llvm/IR/GlobalAlias.h" 30 #include "llvm/IR/GlobalVariable.h" 31 #include "llvm/IR/Instruction.h" 32 #include "llvm/IR/Instructions.h" 33 #include "llvm/IR/IntrinsicInst.h" 34 #include "llvm/IR/Operator.h" 35 #include "llvm/IR/Type.h" 36 #include "llvm/IR/Value.h" 37 #include "llvm/Support/Casting.h" 38 #include "llvm/Support/Debug.h" 39 #include "llvm/Support/MathExtras.h" 40 #include "llvm/Support/raw_ostream.h" 41 #include <cassert> 42 #include <cstdint> 43 #include <iterator> 44 #include <numeric> 45 #include <optional> 46 #include <type_traits> 47 #include <utility> 48 49 using namespace llvm; 50 51 #define DEBUG_TYPE "memory-builtins" 52 53 enum AllocType : uint8_t { 54 OpNewLike = 1<<0, // allocates; never returns null 55 MallocLike = 1<<1, // allocates; may return null 56 StrDupLike = 1<<2, 57 MallocOrOpNewLike = MallocLike | OpNewLike, 58 AllocLike = MallocOrOpNewLike | StrDupLike, 59 AnyAlloc = AllocLike 60 }; 61 62 enum class MallocFamily { 63 Malloc, 64 CPPNew, // new(unsigned int) 65 CPPNewAligned, // new(unsigned int, align_val_t) 66 CPPNewArray, // new[](unsigned int) 67 CPPNewArrayAligned, // new[](unsigned long, align_val_t) 68 MSVCNew, // new(unsigned int) 69 MSVCArrayNew, // new[](unsigned int) 70 VecMalloc, 71 KmpcAllocShared, 72 }; 73 74 StringRef mangledNameForMallocFamily(const MallocFamily &Family) { 75 switch (Family) { 76 case MallocFamily::Malloc: 77 return "malloc"; 78 case MallocFamily::CPPNew: 79 return "_Znwm"; 80 case MallocFamily::CPPNewAligned: 81 return "_ZnwmSt11align_val_t"; 82 case MallocFamily::CPPNewArray: 83 return "_Znam"; 84 case MallocFamily::CPPNewArrayAligned: 85 return "_ZnamSt11align_val_t"; 86 case MallocFamily::MSVCNew: 87 return "??2@YAPAXI@Z"; 88 case MallocFamily::MSVCArrayNew: 89 return "??_U@YAPAXI@Z"; 90 case MallocFamily::VecMalloc: 91 return "vec_malloc"; 92 case MallocFamily::KmpcAllocShared: 93 return "__kmpc_alloc_shared"; 94 } 95 llvm_unreachable("missing an alloc family"); 96 } 97 98 struct AllocFnsTy { 99 AllocType AllocTy; 100 unsigned NumParams; 101 // First and Second size parameters (or -1 if unused) 102 int FstParam, SndParam; 103 // Alignment parameter for aligned_alloc and aligned new 104 int AlignParam; 105 // Name of default allocator function to group malloc/free calls by family 106 MallocFamily Family; 107 }; 108 109 // clang-format off 110 // FIXME: certain users need more information. E.g., SimplifyLibCalls needs to 111 // know which functions are nounwind, noalias, nocapture parameters, etc. 112 static const std::pair<LibFunc, AllocFnsTy> AllocationFnData[] = { 113 {LibFunc_Znwj, {OpNewLike, 1, 0, -1, -1, MallocFamily::CPPNew}}, // new(unsigned int) 114 {LibFunc_ZnwjRKSt9nothrow_t, {MallocLike, 2, 0, -1, -1, MallocFamily::CPPNew}}, // new(unsigned int, nothrow) 115 {LibFunc_ZnwjSt11align_val_t, {OpNewLike, 2, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new(unsigned int, align_val_t) 116 {LibFunc_ZnwjSt11align_val_tRKSt9nothrow_t, {MallocLike, 3, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new(unsigned int, align_val_t, nothrow) 117 {LibFunc_Znwm, {OpNewLike, 1, 0, -1, -1, MallocFamily::CPPNew}}, // new(unsigned long) 118 {LibFunc_Znwm12__hot_cold_t, {OpNewLike, 2, 0, -1, -1, MallocFamily::CPPNew}}, // new(unsigned long, __hot_cold_t) 119 {LibFunc_ZnwmRKSt9nothrow_t, {MallocLike, 2, 0, -1, -1, MallocFamily::CPPNew}}, // new(unsigned long, nothrow) 120 {LibFunc_ZnwmRKSt9nothrow_t12__hot_cold_t, {MallocLike, 3, 0, -1, -1, MallocFamily::CPPNew}}, // new(unsigned long, nothrow, __hot_cold_t) 121 {LibFunc_ZnwmSt11align_val_t, {OpNewLike, 2, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new(unsigned long, align_val_t) 122 {LibFunc_ZnwmSt11align_val_t12__hot_cold_t, {OpNewLike, 3, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new(unsigned long, align_val_t, __hot_cold_t) 123 {LibFunc_ZnwmSt11align_val_tRKSt9nothrow_t, {MallocLike, 3, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new(unsigned long, align_val_t, nothrow) 124 {LibFunc_ZnwmSt11align_val_tRKSt9nothrow_t12__hot_cold_t, {MallocLike, 4, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new(unsigned long, align_val_t, nothrow, __hot_cold_t) 125 {LibFunc_Znaj, {OpNewLike, 1, 0, -1, -1, MallocFamily::CPPNewArray}}, // new[](unsigned int) 126 {LibFunc_ZnajRKSt9nothrow_t, {MallocLike, 2, 0, -1, -1, MallocFamily::CPPNewArray}}, // new[](unsigned int, nothrow) 127 {LibFunc_ZnajSt11align_val_t, {OpNewLike, 2, 0, -1, 1, MallocFamily::CPPNewArrayAligned}}, // new[](unsigned int, align_val_t) 128 {LibFunc_ZnajSt11align_val_tRKSt9nothrow_t, {MallocLike, 3, 0, -1, 1, MallocFamily::CPPNewArrayAligned}}, // new[](unsigned int, align_val_t, nothrow) 129 {LibFunc_Znam, {OpNewLike, 1, 0, -1, -1, MallocFamily::CPPNewArray}}, // new[](unsigned long) 130 {LibFunc_Znam12__hot_cold_t, {OpNewLike, 2, 0, -1, -1, MallocFamily::CPPNew}}, // new[](unsigned long, __hot_cold_t) 131 {LibFunc_ZnamRKSt9nothrow_t, {MallocLike, 2, 0, -1, -1, MallocFamily::CPPNewArray}}, // new[](unsigned long, nothrow) 132 {LibFunc_ZnamRKSt9nothrow_t12__hot_cold_t, {MallocLike, 3, 0, -1, -1, MallocFamily::CPPNew}}, // new[](unsigned long, nothrow, __hot_cold_t) 133 {LibFunc_ZnamSt11align_val_t, {OpNewLike, 2, 0, -1, 1, MallocFamily::CPPNewArrayAligned}}, // new[](unsigned long, align_val_t) 134 {LibFunc_ZnamSt11align_val_t12__hot_cold_t, {OpNewLike, 3, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new[](unsigned long, align_val_t, __hot_cold_t) 135 {LibFunc_ZnamSt11align_val_tRKSt9nothrow_t, {MallocLike, 3, 0, -1, 1, MallocFamily::CPPNewArrayAligned}}, // new[](unsigned long, align_val_t, nothrow) 136 {LibFunc_ZnamSt11align_val_tRKSt9nothrow_t12__hot_cold_t, {MallocLike, 4, 0, -1, 1, MallocFamily::CPPNewAligned}}, // new[](unsigned long, align_val_t, nothrow, __hot_cold_t) 137 {LibFunc_msvc_new_int, {OpNewLike, 1, 0, -1, -1, MallocFamily::MSVCNew}}, // new(unsigned int) 138 {LibFunc_msvc_new_int_nothrow, {MallocLike, 2, 0, -1, -1, MallocFamily::MSVCNew}}, // new(unsigned int, nothrow) 139 {LibFunc_msvc_new_longlong, {OpNewLike, 1, 0, -1, -1, MallocFamily::MSVCNew}}, // new(unsigned long long) 140 {LibFunc_msvc_new_longlong_nothrow, {MallocLike, 2, 0, -1, -1, MallocFamily::MSVCNew}}, // new(unsigned long long, nothrow) 141 {LibFunc_msvc_new_array_int, {OpNewLike, 1, 0, -1, -1, MallocFamily::MSVCArrayNew}}, // new[](unsigned int) 142 {LibFunc_msvc_new_array_int_nothrow, {MallocLike, 2, 0, -1, -1, MallocFamily::MSVCArrayNew}}, // new[](unsigned int, nothrow) 143 {LibFunc_msvc_new_array_longlong, {OpNewLike, 1, 0, -1, -1, MallocFamily::MSVCArrayNew}}, // new[](unsigned long long) 144 {LibFunc_msvc_new_array_longlong_nothrow, {MallocLike, 2, 0, -1, -1, MallocFamily::MSVCArrayNew}}, // new[](unsigned long long, nothrow) 145 {LibFunc_strdup, {StrDupLike, 1, -1, -1, -1, MallocFamily::Malloc}}, 146 {LibFunc_dunder_strdup, {StrDupLike, 1, -1, -1, -1, MallocFamily::Malloc}}, 147 {LibFunc_strndup, {StrDupLike, 2, 1, -1, -1, MallocFamily::Malloc}}, 148 {LibFunc_dunder_strndup, {StrDupLike, 2, 1, -1, -1, MallocFamily::Malloc}}, 149 {LibFunc___kmpc_alloc_shared, {MallocLike, 1, 0, -1, -1, MallocFamily::KmpcAllocShared}}, 150 }; 151 // clang-format on 152 153 static const Function *getCalledFunction(const Value *V, 154 bool &IsNoBuiltin) { 155 // Don't care about intrinsics in this case. 156 if (isa<IntrinsicInst>(V)) 157 return nullptr; 158 159 const auto *CB = dyn_cast<CallBase>(V); 160 if (!CB) 161 return nullptr; 162 163 IsNoBuiltin = CB->isNoBuiltin(); 164 165 if (const Function *Callee = CB->getCalledFunction()) 166 return Callee; 167 return nullptr; 168 } 169 170 /// Returns the allocation data for the given value if it's a call to a known 171 /// allocation function. 172 static std::optional<AllocFnsTy> 173 getAllocationDataForFunction(const Function *Callee, AllocType AllocTy, 174 const TargetLibraryInfo *TLI) { 175 // Don't perform a slow TLI lookup, if this function doesn't return a pointer 176 // and thus can't be an allocation function. 177 if (!Callee->getReturnType()->isPointerTy()) 178 return std::nullopt; 179 180 // Make sure that the function is available. 181 LibFunc TLIFn; 182 if (!TLI || !TLI->getLibFunc(*Callee, TLIFn) || !TLI->has(TLIFn)) 183 return std::nullopt; 184 185 const auto *Iter = find_if( 186 AllocationFnData, [TLIFn](const std::pair<LibFunc, AllocFnsTy> &P) { 187 return P.first == TLIFn; 188 }); 189 190 if (Iter == std::end(AllocationFnData)) 191 return std::nullopt; 192 193 const AllocFnsTy *FnData = &Iter->second; 194 if ((FnData->AllocTy & AllocTy) != FnData->AllocTy) 195 return std::nullopt; 196 197 // Check function prototype. 198 int FstParam = FnData->FstParam; 199 int SndParam = FnData->SndParam; 200 FunctionType *FTy = Callee->getFunctionType(); 201 202 if (FTy->getReturnType()->isPointerTy() && 203 FTy->getNumParams() == FnData->NumParams && 204 (FstParam < 0 || 205 (FTy->getParamType(FstParam)->isIntegerTy(32) || 206 FTy->getParamType(FstParam)->isIntegerTy(64))) && 207 (SndParam < 0 || 208 FTy->getParamType(SndParam)->isIntegerTy(32) || 209 FTy->getParamType(SndParam)->isIntegerTy(64))) 210 return *FnData; 211 return std::nullopt; 212 } 213 214 static std::optional<AllocFnsTy> 215 getAllocationData(const Value *V, AllocType AllocTy, 216 const TargetLibraryInfo *TLI) { 217 bool IsNoBuiltinCall; 218 if (const Function *Callee = getCalledFunction(V, IsNoBuiltinCall)) 219 if (!IsNoBuiltinCall) 220 return getAllocationDataForFunction(Callee, AllocTy, TLI); 221 return std::nullopt; 222 } 223 224 static std::optional<AllocFnsTy> 225 getAllocationData(const Value *V, AllocType AllocTy, 226 function_ref<const TargetLibraryInfo &(Function &)> GetTLI) { 227 bool IsNoBuiltinCall; 228 if (const Function *Callee = getCalledFunction(V, IsNoBuiltinCall)) 229 if (!IsNoBuiltinCall) 230 return getAllocationDataForFunction( 231 Callee, AllocTy, &GetTLI(const_cast<Function &>(*Callee))); 232 return std::nullopt; 233 } 234 235 static std::optional<AllocFnsTy> 236 getAllocationSize(const Value *V, const TargetLibraryInfo *TLI) { 237 bool IsNoBuiltinCall; 238 const Function *Callee = 239 getCalledFunction(V, IsNoBuiltinCall); 240 if (!Callee) 241 return std::nullopt; 242 243 // Prefer to use existing information over allocsize. This will give us an 244 // accurate AllocTy. 245 if (!IsNoBuiltinCall) 246 if (std::optional<AllocFnsTy> Data = 247 getAllocationDataForFunction(Callee, AnyAlloc, TLI)) 248 return Data; 249 250 Attribute Attr = Callee->getFnAttribute(Attribute::AllocSize); 251 if (Attr == Attribute()) 252 return std::nullopt; 253 254 std::pair<unsigned, std::optional<unsigned>> Args = Attr.getAllocSizeArgs(); 255 256 AllocFnsTy Result; 257 // Because allocsize only tells us how many bytes are allocated, we're not 258 // really allowed to assume anything, so we use MallocLike. 259 Result.AllocTy = MallocLike; 260 Result.NumParams = Callee->getNumOperands(); 261 Result.FstParam = Args.first; 262 Result.SndParam = Args.second.value_or(-1); 263 // Allocsize has no way to specify an alignment argument 264 Result.AlignParam = -1; 265 return Result; 266 } 267 268 static AllocFnKind getAllocFnKind(const Value *V) { 269 if (const auto *CB = dyn_cast<CallBase>(V)) { 270 Attribute Attr = CB->getFnAttr(Attribute::AllocKind); 271 if (Attr.isValid()) 272 return AllocFnKind(Attr.getValueAsInt()); 273 } 274 return AllocFnKind::Unknown; 275 } 276 277 static AllocFnKind getAllocFnKind(const Function *F) { 278 Attribute Attr = F->getFnAttribute(Attribute::AllocKind); 279 if (Attr.isValid()) 280 return AllocFnKind(Attr.getValueAsInt()); 281 return AllocFnKind::Unknown; 282 } 283 284 static bool checkFnAllocKind(const Value *V, AllocFnKind Wanted) { 285 return (getAllocFnKind(V) & Wanted) != AllocFnKind::Unknown; 286 } 287 288 static bool checkFnAllocKind(const Function *F, AllocFnKind Wanted) { 289 return (getAllocFnKind(F) & Wanted) != AllocFnKind::Unknown; 290 } 291 292 /// Tests if a value is a call or invoke to a library function that 293 /// allocates or reallocates memory (either malloc, calloc, realloc, or strdup 294 /// like). 295 bool llvm::isAllocationFn(const Value *V, const TargetLibraryInfo *TLI) { 296 return getAllocationData(V, AnyAlloc, TLI).has_value() || 297 checkFnAllocKind(V, AllocFnKind::Alloc | AllocFnKind::Realloc); 298 } 299 bool llvm::isAllocationFn( 300 const Value *V, 301 function_ref<const TargetLibraryInfo &(Function &)> GetTLI) { 302 return getAllocationData(V, AnyAlloc, GetTLI).has_value() || 303 checkFnAllocKind(V, AllocFnKind::Alloc | AllocFnKind::Realloc); 304 } 305 306 /// Tests if a value is a call or invoke to a library function that 307 /// allocates memory via new. 308 bool llvm::isNewLikeFn(const Value *V, const TargetLibraryInfo *TLI) { 309 return getAllocationData(V, OpNewLike, TLI).has_value(); 310 } 311 312 /// Tests if a value is a call or invoke to a library function that 313 /// allocates memory similar to malloc or calloc. 314 bool llvm::isMallocOrCallocLikeFn(const Value *V, const TargetLibraryInfo *TLI) { 315 // TODO: Function behavior does not match name. 316 return getAllocationData(V, MallocOrOpNewLike, TLI).has_value(); 317 } 318 319 /// Tests if a value is a call or invoke to a library function that 320 /// allocates memory (either malloc, calloc, or strdup like). 321 bool llvm::isAllocLikeFn(const Value *V, const TargetLibraryInfo *TLI) { 322 return getAllocationData(V, AllocLike, TLI).has_value() || 323 checkFnAllocKind(V, AllocFnKind::Alloc); 324 } 325 326 /// Tests if a functions is a call or invoke to a library function that 327 /// reallocates memory (e.g., realloc). 328 bool llvm::isReallocLikeFn(const Function *F) { 329 return checkFnAllocKind(F, AllocFnKind::Realloc); 330 } 331 332 Value *llvm::getReallocatedOperand(const CallBase *CB) { 333 if (checkFnAllocKind(CB, AllocFnKind::Realloc)) 334 return CB->getArgOperandWithAttribute(Attribute::AllocatedPointer); 335 return nullptr; 336 } 337 338 bool llvm::isRemovableAlloc(const CallBase *CB, const TargetLibraryInfo *TLI) { 339 // Note: Removability is highly dependent on the source language. For 340 // example, recent C++ requires direct calls to the global allocation 341 // [basic.stc.dynamic.allocation] to be observable unless part of a new 342 // expression [expr.new paragraph 13]. 343 344 // Historically we've treated the C family allocation routines and operator 345 // new as removable 346 return isAllocLikeFn(CB, TLI); 347 } 348 349 Value *llvm::getAllocAlignment(const CallBase *V, 350 const TargetLibraryInfo *TLI) { 351 const std::optional<AllocFnsTy> FnData = getAllocationData(V, AnyAlloc, TLI); 352 if (FnData && FnData->AlignParam >= 0) { 353 return V->getOperand(FnData->AlignParam); 354 } 355 return V->getArgOperandWithAttribute(Attribute::AllocAlign); 356 } 357 358 /// When we're compiling N-bit code, and the user uses parameters that are 359 /// greater than N bits (e.g. uint64_t on a 32-bit build), we can run into 360 /// trouble with APInt size issues. This function handles resizing + overflow 361 /// checks for us. Check and zext or trunc \p I depending on IntTyBits and 362 /// I's value. 363 static bool CheckedZextOrTrunc(APInt &I, unsigned IntTyBits) { 364 // More bits than we can handle. Checking the bit width isn't necessary, but 365 // it's faster than checking active bits, and should give `false` in the 366 // vast majority of cases. 367 if (I.getBitWidth() > IntTyBits && I.getActiveBits() > IntTyBits) 368 return false; 369 if (I.getBitWidth() != IntTyBits) 370 I = I.zextOrTrunc(IntTyBits); 371 return true; 372 } 373 374 std::optional<APInt> 375 llvm::getAllocSize(const CallBase *CB, const TargetLibraryInfo *TLI, 376 function_ref<const Value *(const Value *)> Mapper) { 377 // Note: This handles both explicitly listed allocation functions and 378 // allocsize. The code structure could stand to be cleaned up a bit. 379 std::optional<AllocFnsTy> FnData = getAllocationSize(CB, TLI); 380 if (!FnData) 381 return std::nullopt; 382 383 // Get the index type for this address space, results and intermediate 384 // computations are performed at that width. 385 auto &DL = CB->getModule()->getDataLayout(); 386 const unsigned IntTyBits = DL.getIndexTypeSizeInBits(CB->getType()); 387 388 // Handle strdup-like functions separately. 389 if (FnData->AllocTy == StrDupLike) { 390 APInt Size(IntTyBits, GetStringLength(Mapper(CB->getArgOperand(0)))); 391 if (!Size) 392 return std::nullopt; 393 394 // Strndup limits strlen. 395 if (FnData->FstParam > 0) { 396 const ConstantInt *Arg = 397 dyn_cast<ConstantInt>(Mapper(CB->getArgOperand(FnData->FstParam))); 398 if (!Arg) 399 return std::nullopt; 400 401 APInt MaxSize = Arg->getValue().zext(IntTyBits); 402 if (Size.ugt(MaxSize)) 403 Size = MaxSize + 1; 404 } 405 return Size; 406 } 407 408 const ConstantInt *Arg = 409 dyn_cast<ConstantInt>(Mapper(CB->getArgOperand(FnData->FstParam))); 410 if (!Arg) 411 return std::nullopt; 412 413 APInt Size = Arg->getValue(); 414 if (!CheckedZextOrTrunc(Size, IntTyBits)) 415 return std::nullopt; 416 417 // Size is determined by just 1 parameter. 418 if (FnData->SndParam < 0) 419 return Size; 420 421 Arg = dyn_cast<ConstantInt>(Mapper(CB->getArgOperand(FnData->SndParam))); 422 if (!Arg) 423 return std::nullopt; 424 425 APInt NumElems = Arg->getValue(); 426 if (!CheckedZextOrTrunc(NumElems, IntTyBits)) 427 return std::nullopt; 428 429 bool Overflow; 430 Size = Size.umul_ov(NumElems, Overflow); 431 if (Overflow) 432 return std::nullopt; 433 return Size; 434 } 435 436 Constant *llvm::getInitialValueOfAllocation(const Value *V, 437 const TargetLibraryInfo *TLI, 438 Type *Ty) { 439 auto *Alloc = dyn_cast<CallBase>(V); 440 if (!Alloc) 441 return nullptr; 442 443 // malloc are uninitialized (undef) 444 if (getAllocationData(Alloc, MallocOrOpNewLike, TLI).has_value()) 445 return UndefValue::get(Ty); 446 447 AllocFnKind AK = getAllocFnKind(Alloc); 448 if ((AK & AllocFnKind::Uninitialized) != AllocFnKind::Unknown) 449 return UndefValue::get(Ty); 450 if ((AK & AllocFnKind::Zeroed) != AllocFnKind::Unknown) 451 return Constant::getNullValue(Ty); 452 453 return nullptr; 454 } 455 456 struct FreeFnsTy { 457 unsigned NumParams; 458 // Name of default allocator function to group malloc/free calls by family 459 MallocFamily Family; 460 }; 461 462 // clang-format off 463 static const std::pair<LibFunc, FreeFnsTy> FreeFnData[] = { 464 {LibFunc_ZdlPv, {1, MallocFamily::CPPNew}}, // operator delete(void*) 465 {LibFunc_ZdaPv, {1, MallocFamily::CPPNewArray}}, // operator delete[](void*) 466 {LibFunc_msvc_delete_ptr32, {1, MallocFamily::MSVCNew}}, // operator delete(void*) 467 {LibFunc_msvc_delete_ptr64, {1, MallocFamily::MSVCNew}}, // operator delete(void*) 468 {LibFunc_msvc_delete_array_ptr32, {1, MallocFamily::MSVCArrayNew}}, // operator delete[](void*) 469 {LibFunc_msvc_delete_array_ptr64, {1, MallocFamily::MSVCArrayNew}}, // operator delete[](void*) 470 {LibFunc_ZdlPvj, {2, MallocFamily::CPPNew}}, // delete(void*, uint) 471 {LibFunc_ZdlPvm, {2, MallocFamily::CPPNew}}, // delete(void*, ulong) 472 {LibFunc_ZdlPvRKSt9nothrow_t, {2, MallocFamily::CPPNew}}, // delete(void*, nothrow) 473 {LibFunc_ZdlPvSt11align_val_t, {2, MallocFamily::CPPNewAligned}}, // delete(void*, align_val_t) 474 {LibFunc_ZdaPvj, {2, MallocFamily::CPPNewArray}}, // delete[](void*, uint) 475 {LibFunc_ZdaPvm, {2, MallocFamily::CPPNewArray}}, // delete[](void*, ulong) 476 {LibFunc_ZdaPvRKSt9nothrow_t, {2, MallocFamily::CPPNewArray}}, // delete[](void*, nothrow) 477 {LibFunc_ZdaPvSt11align_val_t, {2, MallocFamily::CPPNewArrayAligned}}, // delete[](void*, align_val_t) 478 {LibFunc_msvc_delete_ptr32_int, {2, MallocFamily::MSVCNew}}, // delete(void*, uint) 479 {LibFunc_msvc_delete_ptr64_longlong, {2, MallocFamily::MSVCNew}}, // delete(void*, ulonglong) 480 {LibFunc_msvc_delete_ptr32_nothrow, {2, MallocFamily::MSVCNew}}, // delete(void*, nothrow) 481 {LibFunc_msvc_delete_ptr64_nothrow, {2, MallocFamily::MSVCNew}}, // delete(void*, nothrow) 482 {LibFunc_msvc_delete_array_ptr32_int, {2, MallocFamily::MSVCArrayNew}}, // delete[](void*, uint) 483 {LibFunc_msvc_delete_array_ptr64_longlong, {2, MallocFamily::MSVCArrayNew}}, // delete[](void*, ulonglong) 484 {LibFunc_msvc_delete_array_ptr32_nothrow, {2, MallocFamily::MSVCArrayNew}}, // delete[](void*, nothrow) 485 {LibFunc_msvc_delete_array_ptr64_nothrow, {2, MallocFamily::MSVCArrayNew}}, // delete[](void*, nothrow) 486 {LibFunc___kmpc_free_shared, {2, MallocFamily::KmpcAllocShared}}, // OpenMP Offloading RTL free 487 {LibFunc_ZdlPvSt11align_val_tRKSt9nothrow_t, {3, MallocFamily::CPPNewAligned}}, // delete(void*, align_val_t, nothrow) 488 {LibFunc_ZdaPvSt11align_val_tRKSt9nothrow_t, {3, MallocFamily::CPPNewArrayAligned}}, // delete[](void*, align_val_t, nothrow) 489 {LibFunc_ZdlPvjSt11align_val_t, {3, MallocFamily::CPPNewAligned}}, // delete(void*, unsigned int, align_val_t) 490 {LibFunc_ZdlPvmSt11align_val_t, {3, MallocFamily::CPPNewAligned}}, // delete(void*, unsigned long, align_val_t) 491 {LibFunc_ZdaPvjSt11align_val_t, {3, MallocFamily::CPPNewArrayAligned}}, // delete[](void*, unsigned int, align_val_t) 492 {LibFunc_ZdaPvmSt11align_val_t, {3, MallocFamily::CPPNewArrayAligned}}, // delete[](void*, unsigned long, align_val_t) 493 }; 494 // clang-format on 495 496 std::optional<FreeFnsTy> getFreeFunctionDataForFunction(const Function *Callee, 497 const LibFunc TLIFn) { 498 const auto *Iter = 499 find_if(FreeFnData, [TLIFn](const std::pair<LibFunc, FreeFnsTy> &P) { 500 return P.first == TLIFn; 501 }); 502 if (Iter == std::end(FreeFnData)) 503 return std::nullopt; 504 return Iter->second; 505 } 506 507 std::optional<StringRef> 508 llvm::getAllocationFamily(const Value *I, const TargetLibraryInfo *TLI) { 509 bool IsNoBuiltin; 510 const Function *Callee = getCalledFunction(I, IsNoBuiltin); 511 if (Callee == nullptr || IsNoBuiltin) 512 return std::nullopt; 513 LibFunc TLIFn; 514 515 if (TLI && TLI->getLibFunc(*Callee, TLIFn) && TLI->has(TLIFn)) { 516 // Callee is some known library function. 517 const auto AllocData = getAllocationDataForFunction(Callee, AnyAlloc, TLI); 518 if (AllocData) 519 return mangledNameForMallocFamily(AllocData->Family); 520 const auto FreeData = getFreeFunctionDataForFunction(Callee, TLIFn); 521 if (FreeData) 522 return mangledNameForMallocFamily(FreeData->Family); 523 } 524 // Callee isn't a known library function, still check attributes. 525 if (checkFnAllocKind(I, AllocFnKind::Free | AllocFnKind::Alloc | 526 AllocFnKind::Realloc)) { 527 Attribute Attr = cast<CallBase>(I)->getFnAttr("alloc-family"); 528 if (Attr.isValid()) 529 return Attr.getValueAsString(); 530 } 531 return std::nullopt; 532 } 533 534 /// isLibFreeFunction - Returns true if the function is a builtin free() 535 bool llvm::isLibFreeFunction(const Function *F, const LibFunc TLIFn) { 536 std::optional<FreeFnsTy> FnData = getFreeFunctionDataForFunction(F, TLIFn); 537 if (!FnData) 538 return checkFnAllocKind(F, AllocFnKind::Free); 539 540 // Check free prototype. 541 // FIXME: workaround for PR5130, this will be obsolete when a nobuiltin 542 // attribute will exist. 543 FunctionType *FTy = F->getFunctionType(); 544 if (!FTy->getReturnType()->isVoidTy()) 545 return false; 546 if (FTy->getNumParams() != FnData->NumParams) 547 return false; 548 if (!FTy->getParamType(0)->isPointerTy()) 549 return false; 550 551 return true; 552 } 553 554 Value *llvm::getFreedOperand(const CallBase *CB, const TargetLibraryInfo *TLI) { 555 bool IsNoBuiltinCall; 556 const Function *Callee = getCalledFunction(CB, IsNoBuiltinCall); 557 if (Callee == nullptr || IsNoBuiltinCall) 558 return nullptr; 559 560 LibFunc TLIFn; 561 if (TLI && TLI->getLibFunc(*Callee, TLIFn) && TLI->has(TLIFn) && 562 isLibFreeFunction(Callee, TLIFn)) { 563 // All currently supported free functions free the first argument. 564 return CB->getArgOperand(0); 565 } 566 567 if (checkFnAllocKind(CB, AllocFnKind::Free)) 568 return CB->getArgOperandWithAttribute(Attribute::AllocatedPointer); 569 570 return nullptr; 571 } 572 573 //===----------------------------------------------------------------------===// 574 // Utility functions to compute size of objects. 575 // 576 static APInt getSizeWithOverflow(const SizeOffsetType &Data) { 577 if (Data.second.isNegative() || Data.first.ult(Data.second)) 578 return APInt(Data.first.getBitWidth(), 0); 579 return Data.first - Data.second; 580 } 581 582 /// Compute the size of the object pointed by Ptr. Returns true and the 583 /// object size in Size if successful, and false otherwise. 584 /// If RoundToAlign is true, then Size is rounded up to the alignment of 585 /// allocas, byval arguments, and global variables. 586 bool llvm::getObjectSize(const Value *Ptr, uint64_t &Size, const DataLayout &DL, 587 const TargetLibraryInfo *TLI, ObjectSizeOpts Opts) { 588 ObjectSizeOffsetVisitor Visitor(DL, TLI, Ptr->getContext(), Opts); 589 SizeOffsetType Data = Visitor.compute(const_cast<Value*>(Ptr)); 590 if (!Visitor.bothKnown(Data)) 591 return false; 592 593 Size = getSizeWithOverflow(Data).getZExtValue(); 594 return true; 595 } 596 597 Value *llvm::lowerObjectSizeCall(IntrinsicInst *ObjectSize, 598 const DataLayout &DL, 599 const TargetLibraryInfo *TLI, 600 bool MustSucceed) { 601 return lowerObjectSizeCall(ObjectSize, DL, TLI, /*AAResults=*/nullptr, 602 MustSucceed); 603 } 604 605 Value *llvm::lowerObjectSizeCall( 606 IntrinsicInst *ObjectSize, const DataLayout &DL, 607 const TargetLibraryInfo *TLI, AAResults *AA, bool MustSucceed, 608 SmallVectorImpl<Instruction *> *InsertedInstructions) { 609 assert(ObjectSize->getIntrinsicID() == Intrinsic::objectsize && 610 "ObjectSize must be a call to llvm.objectsize!"); 611 612 bool MaxVal = cast<ConstantInt>(ObjectSize->getArgOperand(1))->isZero(); 613 ObjectSizeOpts EvalOptions; 614 EvalOptions.AA = AA; 615 616 // Unless we have to fold this to something, try to be as accurate as 617 // possible. 618 if (MustSucceed) 619 EvalOptions.EvalMode = 620 MaxVal ? ObjectSizeOpts::Mode::Max : ObjectSizeOpts::Mode::Min; 621 else 622 EvalOptions.EvalMode = ObjectSizeOpts::Mode::ExactSizeFromOffset; 623 624 EvalOptions.NullIsUnknownSize = 625 cast<ConstantInt>(ObjectSize->getArgOperand(2))->isOne(); 626 627 auto *ResultType = cast<IntegerType>(ObjectSize->getType()); 628 bool StaticOnly = cast<ConstantInt>(ObjectSize->getArgOperand(3))->isZero(); 629 if (StaticOnly) { 630 // FIXME: Does it make sense to just return a failure value if the size won't 631 // fit in the output and `!MustSucceed`? 632 uint64_t Size; 633 if (getObjectSize(ObjectSize->getArgOperand(0), Size, DL, TLI, EvalOptions) && 634 isUIntN(ResultType->getBitWidth(), Size)) 635 return ConstantInt::get(ResultType, Size); 636 } else { 637 LLVMContext &Ctx = ObjectSize->getFunction()->getContext(); 638 ObjectSizeOffsetEvaluator Eval(DL, TLI, Ctx, EvalOptions); 639 SizeOffsetEvalType SizeOffsetPair = 640 Eval.compute(ObjectSize->getArgOperand(0)); 641 642 if (SizeOffsetPair != ObjectSizeOffsetEvaluator::unknown()) { 643 IRBuilder<TargetFolder, IRBuilderCallbackInserter> Builder( 644 Ctx, TargetFolder(DL), IRBuilderCallbackInserter([&](Instruction *I) { 645 if (InsertedInstructions) 646 InsertedInstructions->push_back(I); 647 })); 648 Builder.SetInsertPoint(ObjectSize); 649 650 // If we've outside the end of the object, then we can always access 651 // exactly 0 bytes. 652 Value *ResultSize = 653 Builder.CreateSub(SizeOffsetPair.first, SizeOffsetPair.second); 654 Value *UseZero = 655 Builder.CreateICmpULT(SizeOffsetPair.first, SizeOffsetPair.second); 656 ResultSize = Builder.CreateZExtOrTrunc(ResultSize, ResultType); 657 Value *Ret = Builder.CreateSelect( 658 UseZero, ConstantInt::get(ResultType, 0), ResultSize); 659 660 // The non-constant size expression cannot evaluate to -1. 661 if (!isa<Constant>(SizeOffsetPair.first) || 662 !isa<Constant>(SizeOffsetPair.second)) 663 Builder.CreateAssumption( 664 Builder.CreateICmpNE(Ret, ConstantInt::get(ResultType, -1))); 665 666 return Ret; 667 } 668 } 669 670 if (!MustSucceed) 671 return nullptr; 672 673 return ConstantInt::get(ResultType, MaxVal ? -1ULL : 0); 674 } 675 676 STATISTIC(ObjectVisitorArgument, 677 "Number of arguments with unsolved size and offset"); 678 STATISTIC(ObjectVisitorLoad, 679 "Number of load instructions with unsolved size and offset"); 680 681 APInt ObjectSizeOffsetVisitor::align(APInt Size, MaybeAlign Alignment) { 682 if (Options.RoundToAlign && Alignment) 683 return APInt(IntTyBits, alignTo(Size.getZExtValue(), *Alignment)); 684 return Size; 685 } 686 687 ObjectSizeOffsetVisitor::ObjectSizeOffsetVisitor(const DataLayout &DL, 688 const TargetLibraryInfo *TLI, 689 LLVMContext &Context, 690 ObjectSizeOpts Options) 691 : DL(DL), TLI(TLI), Options(Options) { 692 // Pointer size must be rechecked for each object visited since it could have 693 // a different address space. 694 } 695 696 SizeOffsetType ObjectSizeOffsetVisitor::compute(Value *V) { 697 unsigned InitialIntTyBits = DL.getIndexTypeSizeInBits(V->getType()); 698 699 // Stripping pointer casts can strip address space casts which can change the 700 // index type size. The invariant is that we use the value type to determine 701 // the index type size and if we stripped address space casts we have to 702 // readjust the APInt as we pass it upwards in order for the APInt to match 703 // the type the caller passed in. 704 APInt Offset(InitialIntTyBits, 0); 705 V = V->stripAndAccumulateConstantOffsets( 706 DL, Offset, /* AllowNonInbounds */ true, /* AllowInvariantGroup */ true); 707 708 // Later we use the index type size and zero but it will match the type of the 709 // value that is passed to computeImpl. 710 IntTyBits = DL.getIndexTypeSizeInBits(V->getType()); 711 Zero = APInt::getZero(IntTyBits); 712 713 bool IndexTypeSizeChanged = InitialIntTyBits != IntTyBits; 714 if (!IndexTypeSizeChanged && Offset.isZero()) 715 return computeImpl(V); 716 717 // We stripped an address space cast that changed the index type size or we 718 // accumulated some constant offset (or both). Readjust the bit width to match 719 // the argument index type size and apply the offset, as required. 720 SizeOffsetType SOT = computeImpl(V); 721 if (IndexTypeSizeChanged) { 722 if (knownSize(SOT) && !::CheckedZextOrTrunc(SOT.first, InitialIntTyBits)) 723 SOT.first = APInt(); 724 if (knownOffset(SOT) && !::CheckedZextOrTrunc(SOT.second, InitialIntTyBits)) 725 SOT.second = APInt(); 726 } 727 // If the computed offset is "unknown" we cannot add the stripped offset. 728 return {SOT.first, 729 SOT.second.getBitWidth() > 1 ? SOT.second + Offset : SOT.second}; 730 } 731 732 SizeOffsetType ObjectSizeOffsetVisitor::computeImpl(Value *V) { 733 if (Instruction *I = dyn_cast<Instruction>(V)) { 734 // If we have already seen this instruction, bail out. Cycles can happen in 735 // unreachable code after constant propagation. 736 if (!SeenInsts.insert(I).second) 737 return unknown(); 738 739 return visit(*I); 740 } 741 if (Argument *A = dyn_cast<Argument>(V)) 742 return visitArgument(*A); 743 if (ConstantPointerNull *P = dyn_cast<ConstantPointerNull>(V)) 744 return visitConstantPointerNull(*P); 745 if (GlobalAlias *GA = dyn_cast<GlobalAlias>(V)) 746 return visitGlobalAlias(*GA); 747 if (GlobalVariable *GV = dyn_cast<GlobalVariable>(V)) 748 return visitGlobalVariable(*GV); 749 if (UndefValue *UV = dyn_cast<UndefValue>(V)) 750 return visitUndefValue(*UV); 751 752 LLVM_DEBUG(dbgs() << "ObjectSizeOffsetVisitor::compute() unhandled value: " 753 << *V << '\n'); 754 return unknown(); 755 } 756 757 bool ObjectSizeOffsetVisitor::CheckedZextOrTrunc(APInt &I) { 758 return ::CheckedZextOrTrunc(I, IntTyBits); 759 } 760 761 SizeOffsetType ObjectSizeOffsetVisitor::visitAllocaInst(AllocaInst &I) { 762 TypeSize ElemSize = DL.getTypeAllocSize(I.getAllocatedType()); 763 if (ElemSize.isScalable() && Options.EvalMode != ObjectSizeOpts::Mode::Min) 764 return unknown(); 765 APInt Size(IntTyBits, ElemSize.getKnownMinValue()); 766 if (!I.isArrayAllocation()) 767 return std::make_pair(align(Size, I.getAlign()), Zero); 768 769 Value *ArraySize = I.getArraySize(); 770 if (const ConstantInt *C = dyn_cast<ConstantInt>(ArraySize)) { 771 APInt NumElems = C->getValue(); 772 if (!CheckedZextOrTrunc(NumElems)) 773 return unknown(); 774 775 bool Overflow; 776 Size = Size.umul_ov(NumElems, Overflow); 777 return Overflow ? unknown() 778 : std::make_pair(align(Size, I.getAlign()), Zero); 779 } 780 return unknown(); 781 } 782 783 SizeOffsetType ObjectSizeOffsetVisitor::visitArgument(Argument &A) { 784 Type *MemoryTy = A.getPointeeInMemoryValueType(); 785 // No interprocedural analysis is done at the moment. 786 if (!MemoryTy|| !MemoryTy->isSized()) { 787 ++ObjectVisitorArgument; 788 return unknown(); 789 } 790 791 APInt Size(IntTyBits, DL.getTypeAllocSize(MemoryTy)); 792 return std::make_pair(align(Size, A.getParamAlign()), Zero); 793 } 794 795 SizeOffsetType ObjectSizeOffsetVisitor::visitCallBase(CallBase &CB) { 796 if (std::optional<APInt> Size = getAllocSize(&CB, TLI)) 797 return std::make_pair(*Size, Zero); 798 return unknown(); 799 } 800 801 SizeOffsetType 802 ObjectSizeOffsetVisitor::visitConstantPointerNull(ConstantPointerNull& CPN) { 803 // If null is unknown, there's nothing we can do. Additionally, non-zero 804 // address spaces can make use of null, so we don't presume to know anything 805 // about that. 806 // 807 // TODO: How should this work with address space casts? We currently just drop 808 // them on the floor, but it's unclear what we should do when a NULL from 809 // addrspace(1) gets casted to addrspace(0) (or vice-versa). 810 if (Options.NullIsUnknownSize || CPN.getType()->getAddressSpace()) 811 return unknown(); 812 return std::make_pair(Zero, Zero); 813 } 814 815 SizeOffsetType 816 ObjectSizeOffsetVisitor::visitExtractElementInst(ExtractElementInst&) { 817 return unknown(); 818 } 819 820 SizeOffsetType 821 ObjectSizeOffsetVisitor::visitExtractValueInst(ExtractValueInst&) { 822 // Easy cases were already folded by previous passes. 823 return unknown(); 824 } 825 826 SizeOffsetType ObjectSizeOffsetVisitor::visitGlobalAlias(GlobalAlias &GA) { 827 if (GA.isInterposable()) 828 return unknown(); 829 return compute(GA.getAliasee()); 830 } 831 832 SizeOffsetType ObjectSizeOffsetVisitor::visitGlobalVariable(GlobalVariable &GV){ 833 if (!GV.getValueType()->isSized() || GV.hasExternalWeakLinkage() || 834 ((!GV.hasInitializer() || GV.isInterposable()) && 835 Options.EvalMode != ObjectSizeOpts::Mode::Min)) 836 return unknown(); 837 838 APInt Size(IntTyBits, DL.getTypeAllocSize(GV.getValueType())); 839 return std::make_pair(align(Size, GV.getAlign()), Zero); 840 } 841 842 SizeOffsetType ObjectSizeOffsetVisitor::visitIntToPtrInst(IntToPtrInst&) { 843 // clueless 844 return unknown(); 845 } 846 847 SizeOffsetType ObjectSizeOffsetVisitor::findLoadSizeOffset( 848 LoadInst &Load, BasicBlock &BB, BasicBlock::iterator From, 849 SmallDenseMap<BasicBlock *, SizeOffsetType, 8> &VisitedBlocks, 850 unsigned &ScannedInstCount) { 851 constexpr unsigned MaxInstsToScan = 128; 852 853 auto Where = VisitedBlocks.find(&BB); 854 if (Where != VisitedBlocks.end()) 855 return Where->second; 856 857 auto Unknown = [this, &BB, &VisitedBlocks]() { 858 return VisitedBlocks[&BB] = unknown(); 859 }; 860 auto Known = [&BB, &VisitedBlocks](SizeOffsetType SO) { 861 return VisitedBlocks[&BB] = SO; 862 }; 863 864 do { 865 Instruction &I = *From; 866 867 if (I.isDebugOrPseudoInst()) 868 continue; 869 870 if (++ScannedInstCount > MaxInstsToScan) 871 return Unknown(); 872 873 if (!I.mayWriteToMemory()) 874 continue; 875 876 if (auto *SI = dyn_cast<StoreInst>(&I)) { 877 AliasResult AR = 878 Options.AA->alias(SI->getPointerOperand(), Load.getPointerOperand()); 879 switch ((AliasResult::Kind)AR) { 880 case AliasResult::NoAlias: 881 continue; 882 case AliasResult::MustAlias: 883 if (SI->getValueOperand()->getType()->isPointerTy()) 884 return Known(compute(SI->getValueOperand())); 885 else 886 return Unknown(); // No handling of non-pointer values by `compute`. 887 default: 888 return Unknown(); 889 } 890 } 891 892 if (auto *CB = dyn_cast<CallBase>(&I)) { 893 Function *Callee = CB->getCalledFunction(); 894 // Bail out on indirect call. 895 if (!Callee) 896 return Unknown(); 897 898 LibFunc TLIFn; 899 if (!TLI || !TLI->getLibFunc(*CB->getCalledFunction(), TLIFn) || 900 !TLI->has(TLIFn)) 901 return Unknown(); 902 903 // TODO: There's probably more interesting case to support here. 904 if (TLIFn != LibFunc_posix_memalign) 905 return Unknown(); 906 907 AliasResult AR = 908 Options.AA->alias(CB->getOperand(0), Load.getPointerOperand()); 909 switch ((AliasResult::Kind)AR) { 910 case AliasResult::NoAlias: 911 continue; 912 case AliasResult::MustAlias: 913 break; 914 default: 915 return Unknown(); 916 } 917 918 // Is the error status of posix_memalign correctly checked? If not it 919 // would be incorrect to assume it succeeds and load doesn't see the 920 // previous value. 921 std::optional<bool> Checked = isImpliedByDomCondition( 922 ICmpInst::ICMP_EQ, CB, ConstantInt::get(CB->getType(), 0), &Load, DL); 923 if (!Checked || !*Checked) 924 return Unknown(); 925 926 Value *Size = CB->getOperand(2); 927 auto *C = dyn_cast<ConstantInt>(Size); 928 if (!C) 929 return Unknown(); 930 931 return Known({C->getValue(), APInt(C->getValue().getBitWidth(), 0)}); 932 } 933 934 return Unknown(); 935 } while (From-- != BB.begin()); 936 937 SmallVector<SizeOffsetType> PredecessorSizeOffsets; 938 for (auto *PredBB : predecessors(&BB)) { 939 PredecessorSizeOffsets.push_back(findLoadSizeOffset( 940 Load, *PredBB, BasicBlock::iterator(PredBB->getTerminator()), 941 VisitedBlocks, ScannedInstCount)); 942 if (!bothKnown(PredecessorSizeOffsets.back())) 943 return Unknown(); 944 } 945 946 if (PredecessorSizeOffsets.empty()) 947 return Unknown(); 948 949 return Known(std::accumulate(PredecessorSizeOffsets.begin() + 1, 950 PredecessorSizeOffsets.end(), 951 PredecessorSizeOffsets.front(), 952 [this](SizeOffsetType LHS, SizeOffsetType RHS) { 953 return combineSizeOffset(LHS, RHS); 954 })); 955 } 956 957 SizeOffsetType ObjectSizeOffsetVisitor::visitLoadInst(LoadInst &LI) { 958 if (!Options.AA) { 959 ++ObjectVisitorLoad; 960 return unknown(); 961 } 962 963 SmallDenseMap<BasicBlock *, SizeOffsetType, 8> VisitedBlocks; 964 unsigned ScannedInstCount = 0; 965 SizeOffsetType SO = 966 findLoadSizeOffset(LI, *LI.getParent(), BasicBlock::iterator(LI), 967 VisitedBlocks, ScannedInstCount); 968 if (!bothKnown(SO)) 969 ++ObjectVisitorLoad; 970 return SO; 971 } 972 973 SizeOffsetType ObjectSizeOffsetVisitor::combineSizeOffset(SizeOffsetType LHS, 974 SizeOffsetType RHS) { 975 if (!bothKnown(LHS) || !bothKnown(RHS)) 976 return unknown(); 977 978 switch (Options.EvalMode) { 979 case ObjectSizeOpts::Mode::Min: 980 return (getSizeWithOverflow(LHS).slt(getSizeWithOverflow(RHS))) ? LHS : RHS; 981 case ObjectSizeOpts::Mode::Max: 982 return (getSizeWithOverflow(LHS).sgt(getSizeWithOverflow(RHS))) ? LHS : RHS; 983 case ObjectSizeOpts::Mode::ExactSizeFromOffset: 984 return (getSizeWithOverflow(LHS).eq(getSizeWithOverflow(RHS))) ? LHS 985 : unknown(); 986 case ObjectSizeOpts::Mode::ExactUnderlyingSizeAndOffset: 987 return LHS == RHS && LHS.second.eq(RHS.second) ? LHS : unknown(); 988 } 989 llvm_unreachable("missing an eval mode"); 990 } 991 992 SizeOffsetType ObjectSizeOffsetVisitor::visitPHINode(PHINode &PN) { 993 if (PN.getNumIncomingValues() == 0) 994 return unknown(); 995 auto IncomingValues = PN.incoming_values(); 996 return std::accumulate(IncomingValues.begin() + 1, IncomingValues.end(), 997 compute(*IncomingValues.begin()), 998 [this](SizeOffsetType LHS, Value *VRHS) { 999 return combineSizeOffset(LHS, compute(VRHS)); 1000 }); 1001 } 1002 1003 SizeOffsetType ObjectSizeOffsetVisitor::visitSelectInst(SelectInst &I) { 1004 return combineSizeOffset(compute(I.getTrueValue()), 1005 compute(I.getFalseValue())); 1006 } 1007 1008 SizeOffsetType ObjectSizeOffsetVisitor::visitUndefValue(UndefValue&) { 1009 return std::make_pair(Zero, Zero); 1010 } 1011 1012 SizeOffsetType ObjectSizeOffsetVisitor::visitInstruction(Instruction &I) { 1013 LLVM_DEBUG(dbgs() << "ObjectSizeOffsetVisitor unknown instruction:" << I 1014 << '\n'); 1015 return unknown(); 1016 } 1017 1018 ObjectSizeOffsetEvaluator::ObjectSizeOffsetEvaluator( 1019 const DataLayout &DL, const TargetLibraryInfo *TLI, LLVMContext &Context, 1020 ObjectSizeOpts EvalOpts) 1021 : DL(DL), TLI(TLI), Context(Context), 1022 Builder(Context, TargetFolder(DL), 1023 IRBuilderCallbackInserter( 1024 [&](Instruction *I) { InsertedInstructions.insert(I); })), 1025 EvalOpts(EvalOpts) { 1026 // IntTy and Zero must be set for each compute() since the address space may 1027 // be different for later objects. 1028 } 1029 1030 SizeOffsetEvalType ObjectSizeOffsetEvaluator::compute(Value *V) { 1031 // XXX - Are vectors of pointers possible here? 1032 IntTy = cast<IntegerType>(DL.getIndexType(V->getType())); 1033 Zero = ConstantInt::get(IntTy, 0); 1034 1035 SizeOffsetEvalType Result = compute_(V); 1036 1037 if (!bothKnown(Result)) { 1038 // Erase everything that was computed in this iteration from the cache, so 1039 // that no dangling references are left behind. We could be a bit smarter if 1040 // we kept a dependency graph. It's probably not worth the complexity. 1041 for (const Value *SeenVal : SeenVals) { 1042 CacheMapTy::iterator CacheIt = CacheMap.find(SeenVal); 1043 // non-computable results can be safely cached 1044 if (CacheIt != CacheMap.end() && anyKnown(CacheIt->second)) 1045 CacheMap.erase(CacheIt); 1046 } 1047 1048 // Erase any instructions we inserted as part of the traversal. 1049 for (Instruction *I : InsertedInstructions) { 1050 I->replaceAllUsesWith(PoisonValue::get(I->getType())); 1051 I->eraseFromParent(); 1052 } 1053 } 1054 1055 SeenVals.clear(); 1056 InsertedInstructions.clear(); 1057 return Result; 1058 } 1059 1060 SizeOffsetEvalType ObjectSizeOffsetEvaluator::compute_(Value *V) { 1061 ObjectSizeOffsetVisitor Visitor(DL, TLI, Context, EvalOpts); 1062 SizeOffsetType Const = Visitor.compute(V); 1063 if (Visitor.bothKnown(Const)) 1064 return std::make_pair(ConstantInt::get(Context, Const.first), 1065 ConstantInt::get(Context, Const.second)); 1066 1067 V = V->stripPointerCasts(); 1068 1069 // Check cache. 1070 CacheMapTy::iterator CacheIt = CacheMap.find(V); 1071 if (CacheIt != CacheMap.end()) 1072 return CacheIt->second; 1073 1074 // Always generate code immediately before the instruction being 1075 // processed, so that the generated code dominates the same BBs. 1076 BuilderTy::InsertPointGuard Guard(Builder); 1077 if (Instruction *I = dyn_cast<Instruction>(V)) 1078 Builder.SetInsertPoint(I); 1079 1080 // Now compute the size and offset. 1081 SizeOffsetEvalType Result; 1082 1083 // Record the pointers that were handled in this run, so that they can be 1084 // cleaned later if something fails. We also use this set to break cycles that 1085 // can occur in dead code. 1086 if (!SeenVals.insert(V).second) { 1087 Result = unknown(); 1088 } else if (GEPOperator *GEP = dyn_cast<GEPOperator>(V)) { 1089 Result = visitGEPOperator(*GEP); 1090 } else if (Instruction *I = dyn_cast<Instruction>(V)) { 1091 Result = visit(*I); 1092 } else if (isa<Argument>(V) || 1093 (isa<ConstantExpr>(V) && 1094 cast<ConstantExpr>(V)->getOpcode() == Instruction::IntToPtr) || 1095 isa<GlobalAlias>(V) || 1096 isa<GlobalVariable>(V)) { 1097 // Ignore values where we cannot do more than ObjectSizeVisitor. 1098 Result = unknown(); 1099 } else { 1100 LLVM_DEBUG( 1101 dbgs() << "ObjectSizeOffsetEvaluator::compute() unhandled value: " << *V 1102 << '\n'); 1103 Result = unknown(); 1104 } 1105 1106 // Don't reuse CacheIt since it may be invalid at this point. 1107 CacheMap[V] = Result; 1108 return Result; 1109 } 1110 1111 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitAllocaInst(AllocaInst &I) { 1112 if (!I.getAllocatedType()->isSized()) 1113 return unknown(); 1114 1115 // must be a VLA 1116 assert(I.isArrayAllocation()); 1117 1118 // If needed, adjust the alloca's operand size to match the pointer indexing 1119 // size. Subsequent math operations expect the types to match. 1120 Value *ArraySize = Builder.CreateZExtOrTrunc( 1121 I.getArraySize(), 1122 DL.getIndexType(I.getContext(), DL.getAllocaAddrSpace())); 1123 assert(ArraySize->getType() == Zero->getType() && 1124 "Expected zero constant to have pointer index type"); 1125 1126 Value *Size = ConstantInt::get(ArraySize->getType(), 1127 DL.getTypeAllocSize(I.getAllocatedType())); 1128 Size = Builder.CreateMul(Size, ArraySize); 1129 return std::make_pair(Size, Zero); 1130 } 1131 1132 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitCallBase(CallBase &CB) { 1133 std::optional<AllocFnsTy> FnData = getAllocationSize(&CB, TLI); 1134 if (!FnData) 1135 return unknown(); 1136 1137 // Handle strdup-like functions separately. 1138 if (FnData->AllocTy == StrDupLike) { 1139 // TODO: implement evaluation of strdup/strndup 1140 return unknown(); 1141 } 1142 1143 Value *FirstArg = CB.getArgOperand(FnData->FstParam); 1144 FirstArg = Builder.CreateZExtOrTrunc(FirstArg, IntTy); 1145 if (FnData->SndParam < 0) 1146 return std::make_pair(FirstArg, Zero); 1147 1148 Value *SecondArg = CB.getArgOperand(FnData->SndParam); 1149 SecondArg = Builder.CreateZExtOrTrunc(SecondArg, IntTy); 1150 Value *Size = Builder.CreateMul(FirstArg, SecondArg); 1151 return std::make_pair(Size, Zero); 1152 } 1153 1154 SizeOffsetEvalType 1155 ObjectSizeOffsetEvaluator::visitExtractElementInst(ExtractElementInst&) { 1156 return unknown(); 1157 } 1158 1159 SizeOffsetEvalType 1160 ObjectSizeOffsetEvaluator::visitExtractValueInst(ExtractValueInst&) { 1161 return unknown(); 1162 } 1163 1164 SizeOffsetEvalType 1165 ObjectSizeOffsetEvaluator::visitGEPOperator(GEPOperator &GEP) { 1166 SizeOffsetEvalType PtrData = compute_(GEP.getPointerOperand()); 1167 if (!bothKnown(PtrData)) 1168 return unknown(); 1169 1170 Value *Offset = emitGEPOffset(&Builder, DL, &GEP, /*NoAssumptions=*/true); 1171 Offset = Builder.CreateAdd(PtrData.second, Offset); 1172 return std::make_pair(PtrData.first, Offset); 1173 } 1174 1175 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitIntToPtrInst(IntToPtrInst&) { 1176 // clueless 1177 return unknown(); 1178 } 1179 1180 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitLoadInst(LoadInst &LI) { 1181 return unknown(); 1182 } 1183 1184 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitPHINode(PHINode &PHI) { 1185 // Create 2 PHIs: one for size and another for offset. 1186 PHINode *SizePHI = Builder.CreatePHI(IntTy, PHI.getNumIncomingValues()); 1187 PHINode *OffsetPHI = Builder.CreatePHI(IntTy, PHI.getNumIncomingValues()); 1188 1189 // Insert right away in the cache to handle recursive PHIs. 1190 CacheMap[&PHI] = std::make_pair(SizePHI, OffsetPHI); 1191 1192 // Compute offset/size for each PHI incoming pointer. 1193 for (unsigned i = 0, e = PHI.getNumIncomingValues(); i != e; ++i) { 1194 Builder.SetInsertPoint(&*PHI.getIncomingBlock(i)->getFirstInsertionPt()); 1195 SizeOffsetEvalType EdgeData = compute_(PHI.getIncomingValue(i)); 1196 1197 if (!bothKnown(EdgeData)) { 1198 OffsetPHI->replaceAllUsesWith(PoisonValue::get(IntTy)); 1199 OffsetPHI->eraseFromParent(); 1200 InsertedInstructions.erase(OffsetPHI); 1201 SizePHI->replaceAllUsesWith(PoisonValue::get(IntTy)); 1202 SizePHI->eraseFromParent(); 1203 InsertedInstructions.erase(SizePHI); 1204 return unknown(); 1205 } 1206 SizePHI->addIncoming(EdgeData.first, PHI.getIncomingBlock(i)); 1207 OffsetPHI->addIncoming(EdgeData.second, PHI.getIncomingBlock(i)); 1208 } 1209 1210 Value *Size = SizePHI, *Offset = OffsetPHI; 1211 if (Value *Tmp = SizePHI->hasConstantValue()) { 1212 Size = Tmp; 1213 SizePHI->replaceAllUsesWith(Size); 1214 SizePHI->eraseFromParent(); 1215 InsertedInstructions.erase(SizePHI); 1216 } 1217 if (Value *Tmp = OffsetPHI->hasConstantValue()) { 1218 Offset = Tmp; 1219 OffsetPHI->replaceAllUsesWith(Offset); 1220 OffsetPHI->eraseFromParent(); 1221 InsertedInstructions.erase(OffsetPHI); 1222 } 1223 return std::make_pair(Size, Offset); 1224 } 1225 1226 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitSelectInst(SelectInst &I) { 1227 SizeOffsetEvalType TrueSide = compute_(I.getTrueValue()); 1228 SizeOffsetEvalType FalseSide = compute_(I.getFalseValue()); 1229 1230 if (!bothKnown(TrueSide) || !bothKnown(FalseSide)) 1231 return unknown(); 1232 if (TrueSide == FalseSide) 1233 return TrueSide; 1234 1235 Value *Size = Builder.CreateSelect(I.getCondition(), TrueSide.first, 1236 FalseSide.first); 1237 Value *Offset = Builder.CreateSelect(I.getCondition(), TrueSide.second, 1238 FalseSide.second); 1239 return std::make_pair(Size, Offset); 1240 } 1241 1242 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitInstruction(Instruction &I) { 1243 LLVM_DEBUG(dbgs() << "ObjectSizeOffsetEvaluator unknown instruction:" << I 1244 << '\n'); 1245 return unknown(); 1246 } 1247