//===-- SafepointIRVerifier.cpp - Verify gc.statepoint invariants ---------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Run a sanity check on the IR to ensure that Safepoints - if they've been
// inserted - were inserted correctly. In particular, look for use of
// non-relocated values after a safepoint. Its primary use is to check the
// correctness of safepoint insertion immediately after insertion, but it can
// also be used to verify that later transforms have not found a way to break
// safepoint semantics.
//
// In its current form, this verifier checks a property which is sufficient,
// but not necessary for correctness. There are some cases where an
// unrelocated pointer can be used after the safepoint. Consider this example:
//
//    a = ...
//    b = ...
//    (a', b') = safepoint(a, b)
//    c = cmp eq a b
//    br c, ..., ....
//
// Because it is valid to reorder 'c' above the safepoint, this is legal. In
// practice, this is a somewhat uncommon transform, but CodeGenPrep does create
// idioms like this. The verifier knows about these cases and avoids reporting
// false positives.
//
//===----------------------------------------------------------------------===//

#include "llvm/IR/SafepointIRVerifier.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/PostOrderIterator.h"
#include "llvm/ADT/SetOperations.h"
#include "llvm/ADT/SetVector.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Statepoint.h"
#include "llvm/IR/Value.h"
#include "llvm/InitializePasses.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"

#define DEBUG_TYPE "safepoint-ir-verifier"

using namespace llvm;

/// This option is used for writing test cases. Instead of crashing the
/// program when verification fails, report a message to the console (for
/// FileCheck usage) and continue execution as if nothing happened.
static cl::opt<bool> PrintOnly("safepoint-ir-verifier-print-only",
                               cl::init(false));

namespace {

/// This analysis finds dead blocks and edges. The algorithm starts with the
/// set of blocks unreachable from entry, then propagates deadness through
/// foldable conditional branches without modifying the CFG. (GVN does
/// something similar, but it changes the CFG by splitting critical edges.)
/// Most passes rely on SimplifyCFG to clean up dead blocks, but in some
/// cases, such as verification or loop passes, that is not possible.
class CFGDeadness {
  const DominatorTree *DT = nullptr;
  SetVector<const BasicBlock *> DeadBlocks;
  SetVector<const Use *> DeadEdges; // Contains all dead edges from live blocks.

public:
  /// Return the edge that corresponds to the predecessor.
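  /// For example, given a predecessor terminated by 'br i1 %c, label %bb1,
  /// label %bb2', the edge into %bb1 is the branch's operand Use that holds
  /// %bb1.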
  static const Use &getEdge(const_pred_iterator &PredIt) {
    auto &PU = PredIt.getUse();
    return PU.getUser()->getOperandUse(PU.getOperandNo());
  }

  /// Return true if there is at least one live edge that corresponds to the
  /// basic block InBB listed in the phi node.
  bool hasLiveIncomingEdge(const PHINode *PN, const BasicBlock *InBB) const {
    assert(!isDeadBlock(InBB) && "block must be live");
    const BasicBlock *BB = PN->getParent();
    bool Listed = false;
    for (const_pred_iterator PredIt(BB), End(BB, true); PredIt != End;
         ++PredIt) {
      if (InBB == *PredIt) {
        if (!isDeadEdge(&getEdge(PredIt)))
          return true;
        Listed = true;
      }
    }
    (void)Listed;
    assert(Listed && "basic block is not found among incoming blocks");
    return false;
  }

  bool isDeadBlock(const BasicBlock *BB) const {
    return DeadBlocks.count(BB);
  }

  bool isDeadEdge(const Use *U) const {
    assert(cast<Instruction>(U->getUser())->isTerminator() &&
           "edge must be operand of terminator");
    assert(cast_or_null<BasicBlock>(U->get()) &&
           "edge must refer to basic block");
    assert(!isDeadBlock(cast<Instruction>(U->getUser())->getParent()) &&
           "isDeadEdge() must be applied to edge from live block");
    return DeadEdges.count(U);
  }

  bool hasLiveIncomingEdges(const BasicBlock *BB) const {
    // Check if all incoming edges are dead.
    for (const_pred_iterator PredIt(BB), End(BB, true); PredIt != End;
         ++PredIt) {
      auto &PU = PredIt.getUse();
      const Use &U = PU.getUser()->getOperandUse(PU.getOperandNo());
      if (!isDeadBlock(*PredIt) && !isDeadEdge(&U))
        return true; // Found a live edge.
    }
    return false;
  }

  void processFunction(const Function &F, const DominatorTree &DT) {
    this->DT = &DT;

    // Start with all blocks unreachable from entry.
    for (const BasicBlock &BB : F)
      if (!DT.isReachableFromEntry(&BB))
        DeadBlocks.insert(&BB);

    // Walk the CFG in reverse post-order.
    ReversePostOrderTraversal<const Function *> RPOT(&F);
    for (const BasicBlock *BB : RPOT) {
      const Instruction *TI = BB->getTerminator();
      assert(TI && "blocks must be well formed");

      // For conditional branches, we can perform simple conditional
      // propagation on the condition value itself.
      const BranchInst *BI = dyn_cast<BranchInst>(TI);
      if (!BI || !BI->isConditional() || !isa<Constant>(BI->getCondition()))
        continue;

      // If a branch has two identical successors, we cannot declare either
      // dead.
      if (BI->getSuccessor(0) == BI->getSuccessor(1))
        continue;

      ConstantInt *Cond = dyn_cast<ConstantInt>(BI->getCondition());
      if (!Cond)
        continue;

      addDeadEdge(BI->getOperandUse(Cond->getZExtValue() ? 1 : 2));
    }
  }

protected:
  void addDeadBlock(const BasicBlock *BB) {
    SmallVector<const BasicBlock *, 4> NewDead;
    SmallSetVector<const BasicBlock *, 4> DF;

    NewDead.push_back(BB);
    while (!NewDead.empty()) {
      const BasicBlock *D = NewDead.pop_back_val();
      if (isDeadBlock(D))
        continue;

      // All blocks dominated by D are dead.
      SmallVector<BasicBlock *, 8> Dom;
      DT->getDescendants(const_cast<BasicBlock *>(D), Dom);
      // There is no need to mark all in and out edges of these blocks dead:
      // the blocks themselves are marked dead, and that is enough for the
      // rest of the analysis.
      DeadBlocks.insert(Dom.begin(), Dom.end());

      // Figure out the dominance-frontier(D).
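      // A frontier successor becomes dead once it has lost its last live
      // incoming edge; queue it so that the blocks it dominates are marked
      // dead as well.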
      for (BasicBlock *B : Dom)
        for (BasicBlock *S : successors(B))
          if (!isDeadBlock(S) && !hasLiveIncomingEdges(S))
            NewDead.push_back(S);
    }
  }

  void addDeadEdge(const Use &DeadEdge) {
    if (!DeadEdges.insert(&DeadEdge))
      return;

    BasicBlock *BB = cast_or_null<BasicBlock>(DeadEdge.get());
    if (hasLiveIncomingEdges(BB))
      return;

    addDeadBlock(BB);
  }
};
} // namespace

static void Verify(const Function &F, const DominatorTree &DT,
                   const CFGDeadness &CD);

namespace llvm {
PreservedAnalyses SafepointIRVerifierPass::run(Function &F,
                                               FunctionAnalysisManager &AM) {
  const auto &DT = AM.getResult<DominatorTreeAnalysis>(F);
  CFGDeadness CD;
  CD.processFunction(F, DT);
  Verify(F, DT, CD);
  return PreservedAnalyses::all();
}
} // namespace llvm

namespace {

struct SafepointIRVerifier : public FunctionPass {
  static char ID; // Pass identification, replacement for typeid
  SafepointIRVerifier() : FunctionPass(ID) {
    initializeSafepointIRVerifierPass(*PassRegistry::getPassRegistry());
  }

  bool runOnFunction(Function &F) override {
    auto &DT = getAnalysis<DominatorTreeWrapperPass>().getDomTree();
    CFGDeadness CD;
    CD.processFunction(F, DT);
    Verify(F, DT, CD);
    return false; // no modifications
  }

  void getAnalysisUsage(AnalysisUsage &AU) const override {
    AU.addRequiredID(DominatorTreeWrapperPass::ID);
    AU.setPreservesAll();
  }

  StringRef getPassName() const override { return "safepoint verifier"; }
};
} // namespace

void llvm::verifySafepointIR(Function &F) {
  SafepointIRVerifier pass;
  pass.runOnFunction(F);
}

char SafepointIRVerifier::ID = 0;

FunctionPass *llvm::createSafepointIRVerifierPass() {
  return new SafepointIRVerifier();
}

INITIALIZE_PASS_BEGIN(SafepointIRVerifier, "verify-safepoint-ir",
                      "Safepoint IR Verifier", false, false)
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
INITIALIZE_PASS_END(SafepointIRVerifier, "verify-safepoint-ir",
                    "Safepoint IR Verifier", false, false)

static bool isGCPointerType(Type *T) {
  if (auto *PT = dyn_cast<PointerType>(T))
    // For the sake of this example GC, we arbitrarily pick addrspace(1) as
    // our GC managed heap. We know that a pointer into this heap needs to be
    // updated and that no other pointer does.
    return (1 == PT->getAddressSpace());
  return false;
}

static bool containsGCPtrType(Type *Ty) {
  if (isGCPointerType(Ty))
    return true;
  if (VectorType *VT = dyn_cast<VectorType>(Ty))
    return isGCPointerType(VT->getScalarType());
  if (ArrayType *AT = dyn_cast<ArrayType>(Ty))
    return containsGCPtrType(AT->getElementType());
  if (StructType *ST = dyn_cast<StructType>(Ty))
    return llvm::any_of(ST->elements(), containsGCPtrType);
  return false;
}

// Debugging aid -- prints a [Begin, End) range of values.
template <typename IteratorTy>
static void PrintValueSet(raw_ostream &OS, IteratorTy Begin, IteratorTy End) {
  OS << "[ ";
  while (Begin != End) {
    OS << **Begin << " ";
    ++Begin;
  }
  OS << "]";
}

/// The verifier algorithm is phrased in terms of availability. The set of
/// values "available" at a given point in the control flow graph is the set
/// of correctly relocated values at that point, and is a subset of the set
/// of definitions dominating that point.
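///
/// In the pseudocode of the file header, for example:
///    a = ...
///    a' = safepoint(a)
///    use(a)   ; invalid: only a' is available after the safepoint
/// the use of 'a' after the safepoint is reported, since 'a' dropped out of
/// the available set when the safepoint cleared it.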

using AvailableValueSet = DenseSet<const Value *>;

/// State we compute and track per basic block.
struct BasicBlockState {
  // Set of values available coming in, before the phi nodes.
  AvailableValueSet AvailableIn;

  // Set of values available going out.
  AvailableValueSet AvailableOut;

  // AvailableOut minus AvailableIn.
  // All elements are Instructions.
  AvailableValueSet Contribution;

  // True if this block contains a safepoint and thus AvailableIn does not
  // contribute to AvailableOut.
  bool Cleared = false;
};

/// A given derived pointer can have multiple base pointers through phis and
/// selects. This type indicates when the base pointer is exclusively
/// constant (ExclusivelySomeConstant), and if that constant is proven to be
/// exclusively null, we record that as ExclusivelyNull. In all other cases,
/// the BaseType is NonConstant.
enum BaseType {
  NonConstant = 1, // The base pointer is not exclusively constant.
  ExclusivelyNull,
  ExclusivelySomeConstant // The base pointers for a given derived pointer
                          // come from a set of constants, but they are not
                          // exclusively null.
};

/// Return the BaseType for Val, which states whether Val is exclusively
/// derived from constant/null, or not exclusively derived from constant.
/// Val is exclusively derived off a constant base when all operands of phis
/// and selects are derived off a constant base.
static enum BaseType getBaseType(const Value *Val) {
  SmallVector<const Value *, 32> Worklist;
  DenseSet<const Value *> Visited;
  bool isExclusivelyDerivedFromNull = true;
  Worklist.push_back(Val);
  // Strip through all the bitcasts and geps to get the base pointer. Also
  // check for the exclusive value when there can be multiple base pointers
  // (through phis or selects).
  while (!Worklist.empty()) {
    const Value *V = Worklist.pop_back_val();
    if (!Visited.insert(V).second)
      continue;

    if (const auto *CI = dyn_cast<CastInst>(V)) {
      Worklist.push_back(CI->stripPointerCasts());
      continue;
    }
    if (const auto *GEP = dyn_cast<GetElementPtrInst>(V)) {
      Worklist.push_back(GEP->getPointerOperand());
      continue;
    }
    // Push all the incoming values of the phi node into the worklist for
    // processing.
    if (const auto *PN = dyn_cast<PHINode>(V)) {
      for (Value *InV : PN->incoming_values())
        Worklist.push_back(InV);
      continue;
    }
    if (const auto *SI = dyn_cast<SelectInst>(V)) {
      // Push in the true and false values.
      Worklist.push_back(SI->getTrueValue());
      Worklist.push_back(SI->getFalseValue());
      continue;
    }
    if (isa<Constant>(V)) {
      // We found at least one base pointer which is non-null, so this
      // derived pointer is not exclusively derived from null.
      if (V != Constant::getNullValue(V->getType()))
        isExclusivelyDerivedFromNull = false;
      // Continue processing the remaining values to make sure it's
      // exclusively constant.
      continue;
    }
    // At this point, we know that the base pointer is not exclusively
    // constant.
    return BaseType::NonConstant;
  }
  // Now, we know that the base pointer is exclusively constant, but we need
  // to differentiate between the exclusively null constant and non-null
  // constants.
  return isExclusivelyDerivedFromNull ? BaseType::ExclusivelyNull
                                      : BaseType::ExclusivelySomeConstant;
}
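
// For example, getBaseType classifies a phi merging two null-derived geps as
// ExclusivelyNull, a phi merging null with a non-null constant pointer as
// ExclusivelySomeConstant, and any value with a non-constant input (e.g. a
// loaded pointer) as NonConstant.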

static bool isNotExclusivelyConstantDerived(const Value *V) {
  return getBaseType(V) == BaseType::NonConstant;
}

namespace {
class InstructionVerifier;

/// Builds BasicBlockState for each BB of the function.
/// It can traverse the function for verification and provides all required
/// information.
///
/// A GC pointer may be in one of three states: relocated, unrelocated and
/// poisoned.
/// A relocated pointer may be used without any restrictions.
/// An unrelocated pointer cannot be dereferenced, passed as an argument to
/// any call or returned. An unrelocated pointer may be safely compared
/// against another unrelocated pointer or against a pointer exclusively
/// derived from null.
/// Poisoned pointers are produced when we somehow derive a pointer from both
/// relocated and unrelocated pointers (e.g. phi, select). These pointers may
/// be safely used in a very limited number of situations. Currently the only
/// allowed use is a comparison against a constant exclusively derived from
/// null. All limitations arise from their undefined state: these pointers
/// should be treated as relocated and unrelocated simultaneously.
/// Rules of deriving:
///   R + U = P - that's where the poisoned pointers come from
///   P + X = P
///   U + U = U
///   R + R = R
///   X + C = X
/// where "+" is any operation that somehow derives a pointer, U is
/// unrelocated, R is relocated, P is poisoned, C is constant, and X is U, R,
/// P, C or nothing (in case "+" is a unary operation).
/// Deriving a pointer is by itself always safe.
/// NOTE: when we are making a decision on the status of an instruction's
/// result:
///   a) for phis we need to check the status of each input *at the end of
///      the corresponding predecessor BB*.
///   b) for other instructions we need to check the status of each input *at
///      the current point*.
///
/// FIXME: This works fairly well except for one case
///   bb1:
///     p = *some GC-ptr def*
///     p1 = gep p, offset
///       /        |
///      /         |
///   bb2:         |
///     safepoint  |
///      \         |
///       \        |
///   bb3:
///     p2 = phi [p, bb2] [p1, bb1]
///     p3 = phi [p, bb2] [p, bb1]
///   here p and p1 are unrelocated,
///   p2 and p3 are poisoned (though they shouldn't be)
///
/// This leads to some weird results:
///   cmp eq p, p2 - illegal instruction (false-positive)
///   cmp eq p1, p2 - illegal instruction (false-positive)
///   cmp eq p, p3 - illegal instruction (false-positive)
///   cmp eq p, p1 - ok
/// To fix this we need to introduce the concept of generations and be able
/// to check if two values belong to one generation or not. This way p2 will
/// be considered to be unrelocated and no false alarm will happen.
class GCPtrTracker {
  const Function &F;
  const CFGDeadness &CD;
  SpecificBumpPtrAllocator<BasicBlockState> BSAllocator;
  DenseMap<const BasicBlock *, BasicBlockState *> BlockMap;
  // This set contains defs of unrelocated pointers that are proved to be
  // legal and don't need verification.
  DenseSet<const Instruction *> ValidUnrelocatedDefs;
  // This set contains poisoned defs. They can be safely ignored during
  // verification too.
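  // For example, by the deriving rules above, a phi merging a relocated and
  // an unrelocated input (R + U = P) produces a poisoned def that is
  // recorded here.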
  DenseSet<const Value *> PoisonedDefs;

public:
  GCPtrTracker(const Function &F, const DominatorTree &DT,
               const CFGDeadness &CD);

  bool hasLiveIncomingEdge(const PHINode *PN, const BasicBlock *InBB) const {
    return CD.hasLiveIncomingEdge(PN, InBB);
  }

  BasicBlockState *getBasicBlockState(const BasicBlock *BB);
  const BasicBlockState *getBasicBlockState(const BasicBlock *BB) const;

  bool isValuePoisoned(const Value *V) const { return PoisonedDefs.count(V); }

  /// Traverse each BB of the function and call
  /// InstructionVerifier::verifyInstruction for each possibly invalid
  /// instruction.
  /// It destructively modifies the GCPtrTracker, so it is passed by rvalue
  /// reference in order to prohibit further use of the tracker, which would
  /// be left in an inconsistent state.
  static void verifyFunction(GCPtrTracker &&Tracker,
                             InstructionVerifier &Verifier);

  /// Returns true for reachable and live blocks.
  bool isMapped(const BasicBlock *BB) const {
    return BlockMap.find(BB) != BlockMap.end();
  }

private:
  /// Returns true if the instruction may be safely skipped during
  /// verification.
  bool instructionMayBeSkipped(const Instruction *I) const;

  /// Iterates over all BBs from BlockMap and recalculates AvailableIn/Out
  /// for each of them until the sets converge.
  void recalculateBBsStates();

  /// Removes from Contribution all defs that legally produce unrelocated
  /// pointers and saves them to ValidUnrelocatedDefs.
  /// Though Contribution belongs to BBS, it is passed separately with a
  /// different const-modifier in order to emphasize (and guarantee) that
  /// only Contribution will be changed.
  /// Returns true if Contribution was changed, otherwise false.
  bool removeValidUnrelocatedDefs(const BasicBlock *BB,
                                  const BasicBlockState *BBS,
                                  AvailableValueSet &Contribution);

  /// Gather all the definitions dominating the start of BB into Result.
  /// This is simply the defs introduced by every dominating basic block and
  /// the function arguments.
  void gatherDominatingDefs(const BasicBlock *BB, AvailableValueSet &Result,
                            const DominatorTree &DT);

  /// Compute the AvailableOut set for BB, based on the BasicBlockState BBS,
  /// which is the BasicBlockState for BB.
  /// ContributionChanged is set when the verifier runs for the first time
  /// (in this case Contribution was changed from 'empty' to its initial
  /// state) or when the Contribution of this BB was changed since the last
  /// computation.
  static void transferBlock(const BasicBlock *BB, BasicBlockState &BBS,
                            bool ContributionChanged);

  /// Model the effect of an instruction on the set of available values.
  static void transferInstruction(const Instruction &I, bool &Cleared,
                                  AvailableValueSet &Available);
};

/// A visitor for GCPtrTracker::verifyFunction. It decides whether an
/// instruction that uses a heap reference is legal, given our safepoint
/// semantics.
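/// For example, a load through, or a call passing, a pointer that was live
/// across a safepoint but never relocated is reported as an illegal use.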
class InstructionVerifier {
  bool AnyInvalidUses = false;

public:
  void verifyInstruction(const GCPtrTracker *Tracker, const Instruction &I,
                         const AvailableValueSet &AvailableSet);

  bool hasAnyInvalidUses() const { return AnyInvalidUses; }

private:
  void reportInvalidUse(const Value &V, const Instruction &I);
};
} // end anonymous namespace

GCPtrTracker::GCPtrTracker(const Function &F, const DominatorTree &DT,
                           const CFGDeadness &CD) : F(F), CD(CD) {
  // Calculate the Contribution of each live BB.
  // Allocate BB states for live blocks.
  for (const BasicBlock &BB : F)
    if (!CD.isDeadBlock(&BB)) {
      BasicBlockState *BBS = new (BSAllocator.Allocate()) BasicBlockState;
      for (const auto &I : BB)
        transferInstruction(I, BBS->Cleared, BBS->Contribution);
      BlockMap[&BB] = BBS;
    }

  // Initialize the AvailableIn/Out sets of each BB using only information
  // about dominating BBs.
  for (auto &BBI : BlockMap) {
    gatherDominatingDefs(BBI.first, BBI.second->AvailableIn, DT);
    transferBlock(BBI.first, *BBI.second, true);
  }

  // Simulate the flow of defs through the CFG and recalculate the
  // AvailableIn/Out sets of each BB until they converge. If any def is
  // proved to be an unrelocated pointer, it will be removed from all BB
  // states.
  recalculateBBsStates();
}

BasicBlockState *GCPtrTracker::getBasicBlockState(const BasicBlock *BB) {
  auto it = BlockMap.find(BB);
  return it != BlockMap.end() ? it->second : nullptr;
}

const BasicBlockState *GCPtrTracker::getBasicBlockState(
    const BasicBlock *BB) const {
  return const_cast<GCPtrTracker *>(this)->getBasicBlockState(BB);
}

bool GCPtrTracker::instructionMayBeSkipped(const Instruction *I) const {
  // Poisoned defs are skipped since they are always safe by themselves by
  // definition (for details see the comment for this class).
  return ValidUnrelocatedDefs.count(I) || PoisonedDefs.count(I);
}

void GCPtrTracker::verifyFunction(GCPtrTracker &&Tracker,
                                  InstructionVerifier &Verifier) {
  // We need RPO here to a) always report the first error and b) report
  // errors in the same order from run to run.
  ReversePostOrderTraversal<const Function *> RPOT(&Tracker.F);
  for (const BasicBlock *BB : RPOT) {
    BasicBlockState *BBS = Tracker.getBasicBlockState(BB);
    if (!BBS)
      continue;

    // We destructively modify AvailableIn as we traverse the block
    // instruction by instruction.
    AvailableValueSet &AvailableSet = BBS->AvailableIn;
    for (const Instruction &I : *BB) {
      if (Tracker.instructionMayBeSkipped(&I))
        continue; // This instruction shouldn't be added to AvailableSet.

      Verifier.verifyInstruction(&Tracker, I, AvailableSet);

      // Model the effect of the current instruction on AvailableSet to keep
      // the set relevant at each point of the BB.
      bool Cleared = false;
      transferInstruction(I, Cleared, AvailableSet);
      (void)Cleared;
    }
  }
}

void GCPtrTracker::recalculateBBsStates() {
  SetVector<const BasicBlock *> Worklist;
  // TODO: This order is suboptimal; it's better to replace it with a
  // priority queue where the priority is the RPO number of the BB.
  for (auto &BBI : BlockMap)
    Worklist.insert(BBI.first);

  // This loop iterates the AvailableIn/Out sets until it converges.
  // The AvailableIn and AvailableOut sets decrease as we iterate.
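  // Since both sets are finite and only ever shrink, the fixed point is
  // reached after finitely many iterations.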
  while (!Worklist.empty()) {
    const BasicBlock *BB = Worklist.pop_back_val();
    BasicBlockState *BBS = getBasicBlockState(BB);
    if (!BBS)
      continue; // Ignore dead successors.

    size_t OldInCount = BBS->AvailableIn.size();
    for (const_pred_iterator PredIt(BB), End(BB, true); PredIt != End;
         ++PredIt) {
      const BasicBlock *PBB = *PredIt;
      BasicBlockState *PBBS = getBasicBlockState(PBB);
      if (PBBS && !CD.isDeadEdge(&CFGDeadness::getEdge(PredIt)))
        set_intersect(BBS->AvailableIn, PBBS->AvailableOut);
    }

    assert(OldInCount >= BBS->AvailableIn.size() && "invariant!");

    bool InputsChanged = OldInCount != BBS->AvailableIn.size();
    bool ContributionChanged =
        removeValidUnrelocatedDefs(BB, BBS, BBS->Contribution);
    if (!InputsChanged && !ContributionChanged)
      continue;

    size_t OldOutCount = BBS->AvailableOut.size();
    transferBlock(BB, *BBS, ContributionChanged);
    if (OldOutCount != BBS->AvailableOut.size()) {
      assert(OldOutCount > BBS->AvailableOut.size() && "invariant!");
      Worklist.insert(succ_begin(BB), succ_end(BB));
    }
  }
}

bool GCPtrTracker::removeValidUnrelocatedDefs(const BasicBlock *BB,
                                              const BasicBlockState *BBS,
                                              AvailableValueSet &Contribution) {
  assert(&BBS->Contribution == &Contribution &&
         "Passed Contribution should be from the passed BasicBlockState!");
  AvailableValueSet AvailableSet = BBS->AvailableIn;
  bool ContributionChanged = false;
  // For an explanation of why instructions are processed this way, see
  // "Rules of deriving" in the comment for this class.
  for (const Instruction &I : *BB) {
    bool ValidUnrelocatedPointerDef = false;
    bool PoisonedPointerDef = false;
    // TODO: `select` instructions should be handled here too.
    if (const PHINode *PN = dyn_cast<PHINode>(&I)) {
      if (containsGCPtrType(PN->getType())) {
        // If both are true, the output is poisoned.
        bool HasRelocatedInputs = false;
        bool HasUnrelocatedInputs = false;
        for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) {
          const BasicBlock *InBB = PN->getIncomingBlock(i);
          if (!isMapped(InBB) || !CD.hasLiveIncomingEdge(PN, InBB))
            continue; // Skip dead block or dead edge.

          const Value *InValue = PN->getIncomingValue(i);

          if (isNotExclusivelyConstantDerived(InValue)) {
            if (isValuePoisoned(InValue)) {
              // If any input is poisoned, the output is always poisoned too.
              HasRelocatedInputs = true;
              HasUnrelocatedInputs = true;
              break;
            }
            if (BlockMap[InBB]->AvailableOut.count(InValue))
              HasRelocatedInputs = true;
            else
              HasUnrelocatedInputs = true;
          }
        }
        if (HasUnrelocatedInputs) {
          if (HasRelocatedInputs)
            PoisonedPointerDef = true;
          else
            ValidUnrelocatedPointerDef = true;
        }
      }
    } else if ((isa<GetElementPtrInst>(I) || isa<BitCastInst>(I)) &&
               containsGCPtrType(I.getType())) {
      // A GEP/bitcast of an unrelocated pointer is legal by itself, but this
      // def shouldn't appear in any AvailableSet.
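      // The def inherits the state of the first unrelocated or poisoned
      // GC-pointer operand found below (X + C = X in the deriving rules).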
      for (const Value *V : I.operands())
        if (containsGCPtrType(V->getType()) &&
            isNotExclusivelyConstantDerived(V) && !AvailableSet.count(V)) {
          if (isValuePoisoned(V))
            PoisonedPointerDef = true;
          else
            ValidUnrelocatedPointerDef = true;
          break;
        }
    }
    assert(!(ValidUnrelocatedPointerDef && PoisonedPointerDef) &&
           "Value cannot be both unrelocated and poisoned!");
    if (ValidUnrelocatedPointerDef) {
      // Remove the def of the unrelocated pointer from the Contribution of
      // this BB and trigger an update of all its successors.
      Contribution.erase(&I);
      PoisonedDefs.erase(&I);
      ValidUnrelocatedDefs.insert(&I);
      LLVM_DEBUG(dbgs() << "Removing unrelocated " << I
                        << " from Contribution of " << BB->getName() << "\n");
      ContributionChanged = true;
    } else if (PoisonedPointerDef) {
      // Mark the pointer as poisoned, remove its def from the Contribution
      // and trigger an update of all successors.
      Contribution.erase(&I);
      PoisonedDefs.insert(&I);
      LLVM_DEBUG(dbgs() << "Removing poisoned " << I
                        << " from Contribution of " << BB->getName() << "\n");
      ContributionChanged = true;
    } else {
      bool Cleared = false;
      transferInstruction(I, Cleared, AvailableSet);
      (void)Cleared;
    }
  }
  return ContributionChanged;
}

void GCPtrTracker::gatherDominatingDefs(const BasicBlock *BB,
                                        AvailableValueSet &Result,
                                        const DominatorTree &DT) {
  DomTreeNode *DTN = DT[const_cast<BasicBlock *>(BB)];

  assert(DTN && "Unreachable blocks are ignored");
  while (DTN->getIDom()) {
    DTN = DTN->getIDom();
    auto BBS = getBasicBlockState(DTN->getBlock());
    assert(BBS && "immediate dominator cannot be dead for a live block");
    const auto &Defs = BBS->Contribution;
    Result.insert(Defs.begin(), Defs.end());
    // If this block is 'Cleared', then nothing LiveIn to this block can be
    // available after this block completes. Note: This turns out to be
    // really important for reducing memory consumption of the initial
    // available sets and thus peak memory usage by this verifier.
    if (BBS->Cleared)
      return;
  }

  for (const Argument &A : BB->getParent()->args())
    if (containsGCPtrType(A.getType()))
      Result.insert(&A);
}

void GCPtrTracker::transferBlock(const BasicBlock *BB, BasicBlockState &BBS,
                                 bool ContributionChanged) {
  const AvailableValueSet &AvailableIn = BBS.AvailableIn;
  AvailableValueSet &AvailableOut = BBS.AvailableOut;

  if (BBS.Cleared) {
    // AvailableOut will change only when Contribution changed.
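    // (A cleared block discards its AvailableIn entirely, so Contribution
    // alone determines AvailableOut.)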
    if (ContributionChanged)
      AvailableOut = BBS.Contribution;
  } else {
    // Otherwise, recompute AvailableOut from scratch: since AvailableIn only
    // shrinks, this drops anything that is no longer available.
    AvailableValueSet Temp = BBS.Contribution;
    set_union(Temp, AvailableIn);
    AvailableOut = std::move(Temp);
  }

  LLVM_DEBUG(dbgs() << "Transferred block " << BB->getName() << " from ";
             PrintValueSet(dbgs(), AvailableIn.begin(), AvailableIn.end());
             dbgs() << " to ";
             PrintValueSet(dbgs(), AvailableOut.begin(), AvailableOut.end());
             dbgs() << "\n";);
}

void GCPtrTracker::transferInstruction(const Instruction &I, bool &Cleared,
                                       AvailableValueSet &Available) {
  if (isStatepoint(I)) {
    Cleared = true;
    Available.clear();
  } else if (containsGCPtrType(I.getType()))
    Available.insert(&I);
}

void InstructionVerifier::verifyInstruction(
    const GCPtrTracker *Tracker, const Instruction &I,
    const AvailableValueSet &AvailableSet) {
  if (const PHINode *PN = dyn_cast<PHINode>(&I)) {
    if (containsGCPtrType(PN->getType()))
      for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) {
        const BasicBlock *InBB = PN->getIncomingBlock(i);
        const BasicBlockState *InBBS = Tracker->getBasicBlockState(InBB);
        if (!InBBS || !Tracker->hasLiveIncomingEdge(PN, InBB))
          continue; // Skip dead block or dead edge.

        const Value *InValue = PN->getIncomingValue(i);

        if (isNotExclusivelyConstantDerived(InValue) &&
            !InBBS->AvailableOut.count(InValue))
          reportInvalidUse(*InValue, *PN);
      }
  } else if (isa<CmpInst>(I) &&
             containsGCPtrType(I.getOperand(0)->getType())) {
    Value *LHS = I.getOperand(0), *RHS = I.getOperand(1);
    enum BaseType baseTyLHS = getBaseType(LHS),
                  baseTyRHS = getBaseType(RHS);

    // Returns true if LHS and RHS are unrelocated pointers and they are
    // valid unrelocated uses.
    auto hasValidUnrelocatedUse = [&AvailableSet, Tracker, baseTyLHS,
                                   baseTyRHS, &LHS, &RHS]() {
      // A cmp instruction has valid unrelocated pointer operands only if
      // both operands are unrelocated pointers.
      // In a comparison between two pointers, if one is an unrelocated
      // use, the other *should be* an unrelocated use as well, for this
      // instruction to contain valid unrelocated uses. This unrelocated
      // use can be a null constant as well, or another unrelocated
      // pointer.
      if (AvailableSet.count(LHS) || AvailableSet.count(RHS))
        return false;
      // Constant pointers (that are not exclusively null) may have
      // meaning in different VMs, so we cannot reorder the compare
      // against constant pointers before the safepoint. In other words,
      // comparison of an unrelocated use against a non-null constant
      // may be invalid.
      if ((baseTyLHS == BaseType::ExclusivelySomeConstant &&
           baseTyRHS == BaseType::NonConstant) ||
          (baseTyLHS == BaseType::NonConstant &&
           baseTyRHS == BaseType::ExclusivelySomeConstant))
        return false;

      // If one of the pointers is poisoned and the other is not exclusively
      // derived from null, it is an invalid expression: it produces a
      // poisoned result, and unless we want to track all defs (not only GC
      // pointers) the only option is to prohibit such instructions.
      if ((Tracker->isValuePoisoned(LHS) && baseTyRHS != ExclusivelyNull) ||
          (Tracker->isValuePoisoned(RHS) && baseTyLHS != ExclusivelyNull))
        return false;

      // All other cases are valid and enumerated below:
      // 1. Comparison between an exclusively derived null pointer and a
      //    constant base pointer.
      // 2. Comparison between an exclusively derived null pointer and a
      //    non-constant unrelocated base pointer.
      // 3. Comparison between two unrelocated pointers.
      // 4. Comparison between a pointer exclusively derived from null and a
      //    non-constant poisoned pointer.
      return true;
    };
    if (!hasValidUnrelocatedUse()) {
      // Print out all non-constant derived pointers that are unrelocated
      // uses, which are invalid.
      if (baseTyLHS == BaseType::NonConstant && !AvailableSet.count(LHS))
        reportInvalidUse(*LHS, I);
      if (baseTyRHS == BaseType::NonConstant && !AvailableSet.count(RHS))
        reportInvalidUse(*RHS, I);
    }
  } else {
    for (const Value *V : I.operands())
      if (containsGCPtrType(V->getType()) &&
          isNotExclusivelyConstantDerived(V) && !AvailableSet.count(V))
        reportInvalidUse(*V, I);
  }
}

void InstructionVerifier::reportInvalidUse(const Value &V,
                                           const Instruction &I) {
  errs() << "Illegal use of unrelocated value found!\n";
  errs() << "Def: " << V << "\n";
  errs() << "Use: " << I << "\n";
  if (!PrintOnly)
    abort();
  AnyInvalidUses = true;
}

static void Verify(const Function &F, const DominatorTree &DT,
                   const CFGDeadness &CD) {
  LLVM_DEBUG(dbgs() << "Verifying gc pointers in function: " << F.getName()
                    << "\n");
  if (PrintOnly)
    dbgs() << "Verifying gc pointers in function: " << F.getName() << "\n";

  GCPtrTracker Tracker(F, DT, CD);

  // We now have all the information we need to decide if the use of a heap
  // reference is legal or not, given our safepoint semantics.

  InstructionVerifier Verifier;
  GCPtrTracker::verifyFunction(std::move(Tracker), Verifier);

  if (PrintOnly && !Verifier.hasAnyInvalidUses()) {
    dbgs() << "No illegal uses found by SafepointIRVerifier in: " << F.getName()
           << "\n";
  }
}