1 //===- Evaluator.cpp - LLVM IR evaluator ----------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Function evaluator for LLVM IR.
10 //
11 //===----------------------------------------------------------------------===//
12
13 #include "llvm/Transforms/Utils/Evaluator.h"
14 #include "llvm/ADT/DenseMap.h"
15 #include "llvm/ADT/STLExtras.h"
16 #include "llvm/ADT/SmallPtrSet.h"
17 #include "llvm/ADT/SmallVector.h"
18 #include "llvm/Analysis/ConstantFolding.h"
19 #include "llvm/IR/BasicBlock.h"
20 #include "llvm/IR/Constant.h"
21 #include "llvm/IR/Constants.h"
22 #include "llvm/IR/DataLayout.h"
23 #include "llvm/IR/DerivedTypes.h"
24 #include "llvm/IR/Function.h"
25 #include "llvm/IR/GlobalAlias.h"
26 #include "llvm/IR/GlobalValue.h"
27 #include "llvm/IR/GlobalVariable.h"
28 #include "llvm/IR/InstrTypes.h"
29 #include "llvm/IR/Instruction.h"
30 #include "llvm/IR/Instructions.h"
31 #include "llvm/IR/IntrinsicInst.h"
32 #include "llvm/IR/Intrinsics.h"
33 #include "llvm/IR/Operator.h"
34 #include "llvm/IR/Type.h"
35 #include "llvm/IR/User.h"
36 #include "llvm/IR/Value.h"
37 #include "llvm/Support/Casting.h"
38 #include "llvm/Support/Debug.h"
39 #include "llvm/Support/raw_ostream.h"
40 #include <iterator>
41
42 #define DEBUG_TYPE "evaluator"
43
44 using namespace llvm;
45
46 static inline bool
47 isSimpleEnoughValueToCommit(Constant *C,
48 SmallPtrSetImpl<Constant *> &SimpleConstants,
49 const DataLayout &DL);
50
51 /// Return true if the specified constant can be handled by the code generator.
52 /// We don't want to generate something like:
53 /// void *X = &X/42;
54 /// because the code generator doesn't have a relocation that can handle that.
55 ///
56 /// This function should be called if C was not found (but just got inserted)
57 /// in SimpleConstants to avoid having to rescan the same constants all the
58 /// time.
59 static bool
isSimpleEnoughValueToCommitHelper(Constant * C,SmallPtrSetImpl<Constant * > & SimpleConstants,const DataLayout & DL)60 isSimpleEnoughValueToCommitHelper(Constant *C,
61 SmallPtrSetImpl<Constant *> &SimpleConstants,
62 const DataLayout &DL) {
63 // Simple global addresses are supported, do not allow dllimport or
64 // thread-local globals.
65 if (auto *GV = dyn_cast<GlobalValue>(C))
66 return !GV->hasDLLImportStorageClass() && !GV->isThreadLocal();
67
68 // Simple integer, undef, constant aggregate zero, etc are all supported.
69 if (C->getNumOperands() == 0 || isa<BlockAddress>(C))
70 return true;
71
72 // Aggregate values are safe if all their elements are.
73 if (isa<ConstantAggregate>(C)) {
74 for (Value *Op : C->operands())
75 if (!isSimpleEnoughValueToCommit(cast<Constant>(Op), SimpleConstants, DL))
76 return false;
77 return true;
78 }
79
80 // We don't know exactly what relocations are allowed in constant expressions,
81 // so we allow &global+constantoffset, which is safe and uniformly supported
82 // across targets.
83 ConstantExpr *CE = cast<ConstantExpr>(C);
84 switch (CE->getOpcode()) {
85 case Instruction::BitCast:
86 // Bitcast is fine if the casted value is fine.
87 return isSimpleEnoughValueToCommit(CE->getOperand(0), SimpleConstants, DL);
88
89 case Instruction::IntToPtr:
90 case Instruction::PtrToInt:
91 // int <=> ptr is fine if the int type is the same size as the
92 // pointer type.
93 if (DL.getTypeSizeInBits(CE->getType()) !=
94 DL.getTypeSizeInBits(CE->getOperand(0)->getType()))
95 return false;
96 return isSimpleEnoughValueToCommit(CE->getOperand(0), SimpleConstants, DL);
97
98 // GEP is fine if it is simple + constant offset.
99 case Instruction::GetElementPtr:
100 for (unsigned i = 1, e = CE->getNumOperands(); i != e; ++i)
101 if (!isa<ConstantInt>(CE->getOperand(i)))
102 return false;
103 return isSimpleEnoughValueToCommit(CE->getOperand(0), SimpleConstants, DL);
104
105 case Instruction::Add:
106 // We allow simple+cst.
107 if (!isa<ConstantInt>(CE->getOperand(1)))
108 return false;
109 return isSimpleEnoughValueToCommit(CE->getOperand(0), SimpleConstants, DL);
110 }
111 return false;
112 }
113
114 static inline bool
isSimpleEnoughValueToCommit(Constant * C,SmallPtrSetImpl<Constant * > & SimpleConstants,const DataLayout & DL)115 isSimpleEnoughValueToCommit(Constant *C,
116 SmallPtrSetImpl<Constant *> &SimpleConstants,
117 const DataLayout &DL) {
118 // If we already checked this constant, we win.
119 if (!SimpleConstants.insert(C).second)
120 return true;
121 // Check the constant.
122 return isSimpleEnoughValueToCommitHelper(C, SimpleConstants, DL);
123 }
124
125 /// Return true if this constant is simple enough for us to understand. In
126 /// particular, if it is a cast to anything other than from one pointer type to
127 /// another pointer type, we punt. We basically just support direct accesses to
128 /// globals and GEP's of globals. This should be kept up to date with
129 /// CommitValueTo.
isSimpleEnoughPointerToCommit(Constant * C,const DataLayout & DL)130 static bool isSimpleEnoughPointerToCommit(Constant *C, const DataLayout &DL) {
131 // Conservatively, avoid aggregate types. This is because we don't
132 // want to worry about them partially overlapping other stores.
133 if (!cast<PointerType>(C->getType())->getElementType()->isSingleValueType())
134 return false;
135
136 if (GlobalVariable *GV = dyn_cast<GlobalVariable>(C))
137 // Do not allow weak/*_odr/linkonce linkage or external globals.
138 return GV->hasUniqueInitializer();
139
140 if (ConstantExpr *CE = dyn_cast<ConstantExpr>(C)) {
141 // Handle a constantexpr gep.
142 if (CE->getOpcode() == Instruction::GetElementPtr &&
143 isa<GlobalVariable>(CE->getOperand(0)) &&
144 cast<GEPOperator>(CE)->isInBounds()) {
145 GlobalVariable *GV = cast<GlobalVariable>(CE->getOperand(0));
146 // Do not allow weak/*_odr/linkonce/dllimport/dllexport linkage or
147 // external globals.
148 if (!GV->hasUniqueInitializer())
149 return false;
150
151 // The first index must be zero.
152 ConstantInt *CI = dyn_cast<ConstantInt>(*std::next(CE->op_begin()));
153 if (!CI || !CI->isZero()) return false;
154
155 // The remaining indices must be compile-time known integers within the
156 // notional bounds of the corresponding static array types.
157 if (!CE->isGEPWithNoNotionalOverIndexing())
158 return false;
159
160 return ConstantFoldLoadThroughGEPConstantExpr(
161 GV->getInitializer(), CE,
162 cast<GEPOperator>(CE)->getResultElementType(), DL);
163 } else if (CE->getOpcode() == Instruction::BitCast &&
164 isa<GlobalVariable>(CE->getOperand(0))) {
165 // A constantexpr bitcast from a pointer to another pointer is a no-op,
166 // and we know how to evaluate it by moving the bitcast from the pointer
167 // operand to the value operand.
168 // Do not allow weak/*_odr/linkonce/dllimport/dllexport linkage or
169 // external globals.
170 return cast<GlobalVariable>(CE->getOperand(0))->hasUniqueInitializer();
171 }
172 }
173
174 return false;
175 }
176
177 /// Apply 'Func' to Ptr. If this returns nullptr, introspect the pointer's
178 /// type and walk down through the initial elements to obtain additional
179 /// pointers to try. Returns the first non-null return value from Func, or
180 /// nullptr if the type can't be introspected further.
181 static Constant *
evaluateBitcastFromPtr(Constant * Ptr,const DataLayout & DL,const TargetLibraryInfo * TLI,std::function<Constant * (Constant *)> Func)182 evaluateBitcastFromPtr(Constant *Ptr, const DataLayout &DL,
183 const TargetLibraryInfo *TLI,
184 std::function<Constant *(Constant *)> Func) {
185 Constant *Val;
186 while (!(Val = Func(Ptr))) {
187 // If Ty is a non-opaque struct, we can convert the pointer to the struct
188 // into a pointer to its first member.
189 // FIXME: This could be extended to support arrays as well.
190 Type *Ty = cast<PointerType>(Ptr->getType())->getElementType();
191 if (!isa<StructType>(Ty) || cast<StructType>(Ty)->isOpaque())
192 break;
193
194 IntegerType *IdxTy = IntegerType::get(Ty->getContext(), 32);
195 Constant *IdxZero = ConstantInt::get(IdxTy, 0, false);
196 Constant *const IdxList[] = {IdxZero, IdxZero};
197
198 Ptr = ConstantExpr::getGetElementPtr(Ty, Ptr, IdxList);
199 Ptr = ConstantFoldConstant(Ptr, DL, TLI);
200 }
201 return Val;
202 }
203
getInitializer(Constant * C)204 static Constant *getInitializer(Constant *C) {
205 auto *GV = dyn_cast<GlobalVariable>(C);
206 return GV && GV->hasDefinitiveInitializer() ? GV->getInitializer() : nullptr;
207 }
208
209 /// Return the value that would be computed by a load from P after the stores
210 /// reflected by 'memory' have been performed. If we can't decide, return null.
ComputeLoadResult(Constant * P,Type * Ty)211 Constant *Evaluator::ComputeLoadResult(Constant *P, Type *Ty) {
212 // If this memory location has been recently stored, use the stored value: it
213 // is the most up-to-date.
214 auto findMemLoc = [this](Constant *Ptr) { return MutatedMemory.lookup(Ptr); };
215
216 if (Constant *Val = findMemLoc(P))
217 return Val;
218
219 // Access it.
220 if (GlobalVariable *GV = dyn_cast<GlobalVariable>(P)) {
221 if (GV->hasDefinitiveInitializer())
222 return GV->getInitializer();
223 return nullptr;
224 }
225
226 if (ConstantExpr *CE = dyn_cast<ConstantExpr>(P)) {
227 switch (CE->getOpcode()) {
228 // Handle a constantexpr getelementptr.
229 case Instruction::GetElementPtr:
230 if (auto *I = getInitializer(CE->getOperand(0)))
231 return ConstantFoldLoadThroughGEPConstantExpr(I, CE, Ty, DL);
232 break;
233 // Handle a constantexpr bitcast.
234 case Instruction::BitCast:
235 // We're evaluating a load through a pointer that was bitcast to a
236 // different type. See if the "from" pointer has recently been stored.
237 // If it hasn't, we may still be able to find a stored pointer by
238 // introspecting the type.
239 Constant *Val =
240 evaluateBitcastFromPtr(CE->getOperand(0), DL, TLI, findMemLoc);
241 if (!Val)
242 Val = getInitializer(CE->getOperand(0));
243 if (Val)
244 return ConstantFoldLoadThroughBitcast(
245 Val, P->getType()->getPointerElementType(), DL);
246 break;
247 }
248 }
249
250 return nullptr; // don't know how to evaluate.
251 }
252
getFunction(Constant * C)253 static Function *getFunction(Constant *C) {
254 if (auto *Fn = dyn_cast<Function>(C))
255 return Fn;
256
257 if (auto *Alias = dyn_cast<GlobalAlias>(C))
258 if (auto *Fn = dyn_cast<Function>(Alias->getAliasee()))
259 return Fn;
260 return nullptr;
261 }
262
263 Function *
getCalleeWithFormalArgs(CallBase & CB,SmallVectorImpl<Constant * > & Formals)264 Evaluator::getCalleeWithFormalArgs(CallBase &CB,
265 SmallVectorImpl<Constant *> &Formals) {
266 auto *V = CB.getCalledOperand();
267 if (auto *Fn = getFunction(getVal(V)))
268 return getFormalParams(CB, Fn, Formals) ? Fn : nullptr;
269
270 auto *CE = dyn_cast<ConstantExpr>(V);
271 if (!CE || CE->getOpcode() != Instruction::BitCast ||
272 !getFormalParams(CB, getFunction(CE->getOperand(0)), Formals))
273 return nullptr;
274
275 return dyn_cast<Function>(
276 ConstantFoldLoadThroughBitcast(CE, CE->getOperand(0)->getType(), DL));
277 }
278
getFormalParams(CallBase & CB,Function * F,SmallVectorImpl<Constant * > & Formals)279 bool Evaluator::getFormalParams(CallBase &CB, Function *F,
280 SmallVectorImpl<Constant *> &Formals) {
281 if (!F)
282 return false;
283
284 auto *FTy = F->getFunctionType();
285 if (FTy->getNumParams() > CB.getNumArgOperands()) {
286 LLVM_DEBUG(dbgs() << "Too few arguments for function.\n");
287 return false;
288 }
289
290 auto ArgI = CB.arg_begin();
291 for (auto ParI = FTy->param_begin(), ParE = FTy->param_end(); ParI != ParE;
292 ++ParI) {
293 auto *ArgC = ConstantFoldLoadThroughBitcast(getVal(*ArgI), *ParI, DL);
294 if (!ArgC) {
295 LLVM_DEBUG(dbgs() << "Can not convert function argument.\n");
296 return false;
297 }
298 Formals.push_back(ArgC);
299 ++ArgI;
300 }
301 return true;
302 }
303
304 /// If call expression contains bitcast then we may need to cast
305 /// evaluated return value to a type of the call expression.
castCallResultIfNeeded(Value * CallExpr,Constant * RV)306 Constant *Evaluator::castCallResultIfNeeded(Value *CallExpr, Constant *RV) {
307 ConstantExpr *CE = dyn_cast<ConstantExpr>(CallExpr);
308 if (!RV || !CE || CE->getOpcode() != Instruction::BitCast)
309 return RV;
310
311 if (auto *FT =
312 dyn_cast<FunctionType>(CE->getType()->getPointerElementType())) {
313 RV = ConstantFoldLoadThroughBitcast(RV, FT->getReturnType(), DL);
314 if (!RV)
315 LLVM_DEBUG(dbgs() << "Failed to fold bitcast call expr\n");
316 }
317 return RV;
318 }
319
320 /// Evaluate all instructions in block BB, returning true if successful, false
321 /// if we can't evaluate it. NewBB returns the next BB that control flows into,
322 /// or null upon return. StrippedPointerCastsForAliasAnalysis is set to true if
323 /// we looked through pointer casts to evaluate something.
EvaluateBlock(BasicBlock::iterator CurInst,BasicBlock * & NextBB,bool & StrippedPointerCastsForAliasAnalysis)324 bool Evaluator::EvaluateBlock(BasicBlock::iterator CurInst, BasicBlock *&NextBB,
325 bool &StrippedPointerCastsForAliasAnalysis) {
326 // This is the main evaluation loop.
327 while (true) {
328 Constant *InstResult = nullptr;
329
330 LLVM_DEBUG(dbgs() << "Evaluating Instruction: " << *CurInst << "\n");
331
332 if (StoreInst *SI = dyn_cast<StoreInst>(CurInst)) {
333 if (!SI->isSimple()) {
334 LLVM_DEBUG(dbgs() << "Store is not simple! Can not evaluate.\n");
335 return false; // no volatile/atomic accesses.
336 }
337 Constant *Ptr = getVal(SI->getOperand(1));
338 Constant *FoldedPtr = ConstantFoldConstant(Ptr, DL, TLI);
339 if (Ptr != FoldedPtr) {
340 LLVM_DEBUG(dbgs() << "Folding constant ptr expression: " << *Ptr);
341 Ptr = FoldedPtr;
342 LLVM_DEBUG(dbgs() << "; To: " << *Ptr << "\n");
343 }
344 if (!isSimpleEnoughPointerToCommit(Ptr, DL)) {
345 // If this is too complex for us to commit, reject it.
346 LLVM_DEBUG(
347 dbgs() << "Pointer is too complex for us to evaluate store.");
348 return false;
349 }
350
351 Constant *Val = getVal(SI->getOperand(0));
352
353 // If this might be too difficult for the backend to handle (e.g. the addr
354 // of one global variable divided by another) then we can't commit it.
355 if (!isSimpleEnoughValueToCommit(Val, SimpleConstants, DL)) {
356 LLVM_DEBUG(dbgs() << "Store value is too complex to evaluate store. "
357 << *Val << "\n");
358 return false;
359 }
360
361 if (ConstantExpr *CE = dyn_cast<ConstantExpr>(Ptr)) {
362 if (CE->getOpcode() == Instruction::BitCast) {
363 LLVM_DEBUG(dbgs()
364 << "Attempting to resolve bitcast on constant ptr.\n");
365 // If we're evaluating a store through a bitcast, then we need
366 // to pull the bitcast off the pointer type and push it onto the
367 // stored value. In order to push the bitcast onto the stored value,
368 // a bitcast from the pointer's element type to Val's type must be
369 // legal. If it's not, we can try introspecting the type to find a
370 // legal conversion.
371
372 auto castValTy = [&](Constant *P) -> Constant * {
373 Type *Ty = cast<PointerType>(P->getType())->getElementType();
374 if (Constant *FV = ConstantFoldLoadThroughBitcast(Val, Ty, DL)) {
375 Ptr = P;
376 return FV;
377 }
378 return nullptr;
379 };
380
381 Constant *NewVal =
382 evaluateBitcastFromPtr(CE->getOperand(0), DL, TLI, castValTy);
383 if (!NewVal) {
384 LLVM_DEBUG(dbgs() << "Failed to bitcast constant ptr, can not "
385 "evaluate.\n");
386 return false;
387 }
388
389 Val = NewVal;
390 LLVM_DEBUG(dbgs() << "Evaluated bitcast: " << *Val << "\n");
391 }
392 }
393
394 MutatedMemory[Ptr] = Val;
395 } else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(CurInst)) {
396 InstResult = ConstantExpr::get(BO->getOpcode(),
397 getVal(BO->getOperand(0)),
398 getVal(BO->getOperand(1)));
399 LLVM_DEBUG(dbgs() << "Found a BinaryOperator! Simplifying: "
400 << *InstResult << "\n");
401 } else if (CmpInst *CI = dyn_cast<CmpInst>(CurInst)) {
402 InstResult = ConstantExpr::getCompare(CI->getPredicate(),
403 getVal(CI->getOperand(0)),
404 getVal(CI->getOperand(1)));
405 LLVM_DEBUG(dbgs() << "Found a CmpInst! Simplifying: " << *InstResult
406 << "\n");
407 } else if (CastInst *CI = dyn_cast<CastInst>(CurInst)) {
408 InstResult = ConstantExpr::getCast(CI->getOpcode(),
409 getVal(CI->getOperand(0)),
410 CI->getType());
411 LLVM_DEBUG(dbgs() << "Found a Cast! Simplifying: " << *InstResult
412 << "\n");
413 } else if (SelectInst *SI = dyn_cast<SelectInst>(CurInst)) {
414 InstResult = ConstantExpr::getSelect(getVal(SI->getOperand(0)),
415 getVal(SI->getOperand(1)),
416 getVal(SI->getOperand(2)));
417 LLVM_DEBUG(dbgs() << "Found a Select! Simplifying: " << *InstResult
418 << "\n");
419 } else if (auto *EVI = dyn_cast<ExtractValueInst>(CurInst)) {
420 InstResult = ConstantExpr::getExtractValue(
421 getVal(EVI->getAggregateOperand()), EVI->getIndices());
422 LLVM_DEBUG(dbgs() << "Found an ExtractValueInst! Simplifying: "
423 << *InstResult << "\n");
424 } else if (auto *IVI = dyn_cast<InsertValueInst>(CurInst)) {
425 InstResult = ConstantExpr::getInsertValue(
426 getVal(IVI->getAggregateOperand()),
427 getVal(IVI->getInsertedValueOperand()), IVI->getIndices());
428 LLVM_DEBUG(dbgs() << "Found an InsertValueInst! Simplifying: "
429 << *InstResult << "\n");
430 } else if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(CurInst)) {
431 Constant *P = getVal(GEP->getOperand(0));
432 SmallVector<Constant*, 8> GEPOps;
433 for (Use &Op : llvm::drop_begin(GEP->operands()))
434 GEPOps.push_back(getVal(Op));
435 InstResult =
436 ConstantExpr::getGetElementPtr(GEP->getSourceElementType(), P, GEPOps,
437 cast<GEPOperator>(GEP)->isInBounds());
438 LLVM_DEBUG(dbgs() << "Found a GEP! Simplifying: " << *InstResult << "\n");
439 } else if (LoadInst *LI = dyn_cast<LoadInst>(CurInst)) {
440 if (!LI->isSimple()) {
441 LLVM_DEBUG(
442 dbgs() << "Found a Load! Not a simple load, can not evaluate.\n");
443 return false; // no volatile/atomic accesses.
444 }
445
446 Constant *Ptr = getVal(LI->getOperand(0));
447 Constant *FoldedPtr = ConstantFoldConstant(Ptr, DL, TLI);
448 if (Ptr != FoldedPtr) {
449 Ptr = FoldedPtr;
450 LLVM_DEBUG(dbgs() << "Found a constant pointer expression, constant "
451 "folding: "
452 << *Ptr << "\n");
453 }
454 InstResult = ComputeLoadResult(Ptr, LI->getType());
455 if (!InstResult) {
456 LLVM_DEBUG(
457 dbgs() << "Failed to compute load result. Can not evaluate load."
458 "\n");
459 return false; // Could not evaluate load.
460 }
461
462 LLVM_DEBUG(dbgs() << "Evaluated load: " << *InstResult << "\n");
463 } else if (AllocaInst *AI = dyn_cast<AllocaInst>(CurInst)) {
464 if (AI->isArrayAllocation()) {
465 LLVM_DEBUG(dbgs() << "Found an array alloca. Can not evaluate.\n");
466 return false; // Cannot handle array allocs.
467 }
468 Type *Ty = AI->getAllocatedType();
469 AllocaTmps.push_back(std::make_unique<GlobalVariable>(
470 Ty, false, GlobalValue::InternalLinkage, UndefValue::get(Ty),
471 AI->getName(), /*TLMode=*/GlobalValue::NotThreadLocal,
472 AI->getType()->getPointerAddressSpace()));
473 InstResult = AllocaTmps.back().get();
474 LLVM_DEBUG(dbgs() << "Found an alloca. Result: " << *InstResult << "\n");
475 } else if (isa<CallInst>(CurInst) || isa<InvokeInst>(CurInst)) {
476 CallBase &CB = *cast<CallBase>(&*CurInst);
477
478 // Debug info can safely be ignored here.
479 if (isa<DbgInfoIntrinsic>(CB)) {
480 LLVM_DEBUG(dbgs() << "Ignoring debug info.\n");
481 ++CurInst;
482 continue;
483 }
484
485 // Cannot handle inline asm.
486 if (CB.isInlineAsm()) {
487 LLVM_DEBUG(dbgs() << "Found inline asm, can not evaluate.\n");
488 return false;
489 }
490
491 if (IntrinsicInst *II = dyn_cast<IntrinsicInst>(&CB)) {
492 if (MemSetInst *MSI = dyn_cast<MemSetInst>(II)) {
493 if (MSI->isVolatile()) {
494 LLVM_DEBUG(dbgs() << "Can not optimize a volatile memset "
495 << "intrinsic.\n");
496 return false;
497 }
498 Constant *Ptr = getVal(MSI->getDest());
499 Constant *Val = getVal(MSI->getValue());
500 Constant *DestVal =
501 ComputeLoadResult(getVal(Ptr), MSI->getValue()->getType());
502 if (Val->isNullValue() && DestVal && DestVal->isNullValue()) {
503 // This memset is a no-op.
504 LLVM_DEBUG(dbgs() << "Ignoring no-op memset.\n");
505 ++CurInst;
506 continue;
507 }
508 }
509
510 if (II->isLifetimeStartOrEnd()) {
511 LLVM_DEBUG(dbgs() << "Ignoring lifetime intrinsic.\n");
512 ++CurInst;
513 continue;
514 }
515
516 if (II->getIntrinsicID() == Intrinsic::invariant_start) {
517 // We don't insert an entry into Values, as it doesn't have a
518 // meaningful return value.
519 if (!II->use_empty()) {
520 LLVM_DEBUG(dbgs()
521 << "Found unused invariant_start. Can't evaluate.\n");
522 return false;
523 }
524 ConstantInt *Size = cast<ConstantInt>(II->getArgOperand(0));
525 Value *PtrArg = getVal(II->getArgOperand(1));
526 Value *Ptr = PtrArg->stripPointerCasts();
527 if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Ptr)) {
528 Type *ElemTy = GV->getValueType();
529 if (!Size->isMinusOne() &&
530 Size->getValue().getLimitedValue() >=
531 DL.getTypeStoreSize(ElemTy)) {
532 Invariants.insert(GV);
533 LLVM_DEBUG(dbgs() << "Found a global var that is an invariant: "
534 << *GV << "\n");
535 } else {
536 LLVM_DEBUG(dbgs()
537 << "Found a global var, but can not treat it as an "
538 "invariant.\n");
539 }
540 }
541 // Continue even if we do nothing.
542 ++CurInst;
543 continue;
544 } else if (II->getIntrinsicID() == Intrinsic::assume) {
545 LLVM_DEBUG(dbgs() << "Skipping assume intrinsic.\n");
546 ++CurInst;
547 continue;
548 } else if (II->getIntrinsicID() == Intrinsic::sideeffect) {
549 LLVM_DEBUG(dbgs() << "Skipping sideeffect intrinsic.\n");
550 ++CurInst;
551 continue;
552 } else if (II->getIntrinsicID() == Intrinsic::pseudoprobe) {
553 LLVM_DEBUG(dbgs() << "Skipping pseudoprobe intrinsic.\n");
554 ++CurInst;
555 continue;
556 } else {
557 Value *Stripped = CurInst->stripPointerCastsForAliasAnalysis();
558 // Only attempt to getVal() if we've actually managed to strip
559 // anything away, or else we'll call getVal() on the current
560 // instruction.
561 if (Stripped != &*CurInst) {
562 InstResult = getVal(Stripped);
563 }
564 if (InstResult) {
565 LLVM_DEBUG(dbgs()
566 << "Stripped pointer casts for alias analysis for "
567 "intrinsic call.\n");
568 StrippedPointerCastsForAliasAnalysis = true;
569 InstResult = ConstantExpr::getBitCast(InstResult, II->getType());
570 } else {
571 LLVM_DEBUG(dbgs() << "Unknown intrinsic. Cannot evaluate.\n");
572 return false;
573 }
574 }
575 }
576
577 if (!InstResult) {
578 // Resolve function pointers.
579 SmallVector<Constant *, 8> Formals;
580 Function *Callee = getCalleeWithFormalArgs(CB, Formals);
581 if (!Callee || Callee->isInterposable()) {
582 LLVM_DEBUG(dbgs() << "Can not resolve function pointer.\n");
583 return false; // Cannot resolve.
584 }
585
586 if (Callee->isDeclaration()) {
587 // If this is a function we can constant fold, do it.
588 if (Constant *C = ConstantFoldCall(&CB, Callee, Formals, TLI)) {
589 InstResult = castCallResultIfNeeded(CB.getCalledOperand(), C);
590 if (!InstResult)
591 return false;
592 LLVM_DEBUG(dbgs() << "Constant folded function call. Result: "
593 << *InstResult << "\n");
594 } else {
595 LLVM_DEBUG(dbgs() << "Can not constant fold function call.\n");
596 return false;
597 }
598 } else {
599 if (Callee->getFunctionType()->isVarArg()) {
600 LLVM_DEBUG(dbgs()
601 << "Can not constant fold vararg function call.\n");
602 return false;
603 }
604
605 Constant *RetVal = nullptr;
606 // Execute the call, if successful, use the return value.
607 ValueStack.emplace_back();
608 if (!EvaluateFunction(Callee, RetVal, Formals)) {
609 LLVM_DEBUG(dbgs() << "Failed to evaluate function.\n");
610 return false;
611 }
612 ValueStack.pop_back();
613 InstResult = castCallResultIfNeeded(CB.getCalledOperand(), RetVal);
614 if (RetVal && !InstResult)
615 return false;
616
617 if (InstResult) {
618 LLVM_DEBUG(dbgs() << "Successfully evaluated function. Result: "
619 << *InstResult << "\n\n");
620 } else {
621 LLVM_DEBUG(dbgs()
622 << "Successfully evaluated function. Result: 0\n\n");
623 }
624 }
625 }
626 } else if (CurInst->isTerminator()) {
627 LLVM_DEBUG(dbgs() << "Found a terminator instruction.\n");
628
629 if (BranchInst *BI = dyn_cast<BranchInst>(CurInst)) {
630 if (BI->isUnconditional()) {
631 NextBB = BI->getSuccessor(0);
632 } else {
633 ConstantInt *Cond =
634 dyn_cast<ConstantInt>(getVal(BI->getCondition()));
635 if (!Cond) return false; // Cannot determine.
636
637 NextBB = BI->getSuccessor(!Cond->getZExtValue());
638 }
639 } else if (SwitchInst *SI = dyn_cast<SwitchInst>(CurInst)) {
640 ConstantInt *Val =
641 dyn_cast<ConstantInt>(getVal(SI->getCondition()));
642 if (!Val) return false; // Cannot determine.
643 NextBB = SI->findCaseValue(Val)->getCaseSuccessor();
644 } else if (IndirectBrInst *IBI = dyn_cast<IndirectBrInst>(CurInst)) {
645 Value *Val = getVal(IBI->getAddress())->stripPointerCasts();
646 if (BlockAddress *BA = dyn_cast<BlockAddress>(Val))
647 NextBB = BA->getBasicBlock();
648 else
649 return false; // Cannot determine.
650 } else if (isa<ReturnInst>(CurInst)) {
651 NextBB = nullptr;
652 } else {
653 // invoke, unwind, resume, unreachable.
654 LLVM_DEBUG(dbgs() << "Can not handle terminator.");
655 return false; // Cannot handle this terminator.
656 }
657
658 // We succeeded at evaluating this block!
659 LLVM_DEBUG(dbgs() << "Successfully evaluated block.\n");
660 return true;
661 } else {
662 // Did not know how to evaluate this!
663 LLVM_DEBUG(
664 dbgs() << "Failed to evaluate block due to unhandled instruction."
665 "\n");
666 return false;
667 }
668
669 if (!CurInst->use_empty()) {
670 InstResult = ConstantFoldConstant(InstResult, DL, TLI);
671 setVal(&*CurInst, InstResult);
672 }
673
674 // If we just processed an invoke, we finished evaluating the block.
675 if (InvokeInst *II = dyn_cast<InvokeInst>(CurInst)) {
676 NextBB = II->getNormalDest();
677 LLVM_DEBUG(dbgs() << "Found an invoke instruction. Finished Block.\n\n");
678 return true;
679 }
680
681 // Advance program counter.
682 ++CurInst;
683 }
684 }
685
686 /// Evaluate a call to function F, returning true if successful, false if we
687 /// can't evaluate it. ActualArgs contains the formal arguments for the
688 /// function.
EvaluateFunction(Function * F,Constant * & RetVal,const SmallVectorImpl<Constant * > & ActualArgs)689 bool Evaluator::EvaluateFunction(Function *F, Constant *&RetVal,
690 const SmallVectorImpl<Constant*> &ActualArgs) {
691 // Check to see if this function is already executing (recursion). If so,
692 // bail out. TODO: we might want to accept limited recursion.
693 if (is_contained(CallStack, F))
694 return false;
695
696 CallStack.push_back(F);
697
698 // Initialize arguments to the incoming values specified.
699 unsigned ArgNo = 0;
700 for (Function::arg_iterator AI = F->arg_begin(), E = F->arg_end(); AI != E;
701 ++AI, ++ArgNo)
702 setVal(&*AI, ActualArgs[ArgNo]);
703
704 // ExecutedBlocks - We only handle non-looping, non-recursive code. As such,
705 // we can only evaluate any one basic block at most once. This set keeps
706 // track of what we have executed so we can detect recursive cases etc.
707 SmallPtrSet<BasicBlock*, 32> ExecutedBlocks;
708
709 // CurBB - The current basic block we're evaluating.
710 BasicBlock *CurBB = &F->front();
711
712 BasicBlock::iterator CurInst = CurBB->begin();
713
714 while (true) {
715 BasicBlock *NextBB = nullptr; // Initialized to avoid compiler warnings.
716 LLVM_DEBUG(dbgs() << "Trying to evaluate BB: " << *CurBB << "\n");
717
718 bool StrippedPointerCastsForAliasAnalysis = false;
719
720 if (!EvaluateBlock(CurInst, NextBB, StrippedPointerCastsForAliasAnalysis))
721 return false;
722
723 if (!NextBB) {
724 // Successfully running until there's no next block means that we found
725 // the return. Fill it the return value and pop the call stack.
726 ReturnInst *RI = cast<ReturnInst>(CurBB->getTerminator());
727 if (RI->getNumOperands()) {
728 // The Evaluator can look through pointer casts as long as alias
729 // analysis holds because it's just a simple interpreter and doesn't
730 // skip memory accesses due to invariant group metadata, but we can't
731 // let users of Evaluator use a value that's been gleaned looking
732 // through stripping pointer casts.
733 if (StrippedPointerCastsForAliasAnalysis &&
734 !RI->getReturnValue()->getType()->isVoidTy()) {
735 return false;
736 }
737 RetVal = getVal(RI->getOperand(0));
738 }
739 CallStack.pop_back();
740 return true;
741 }
742
743 // Okay, we succeeded in evaluating this control flow. See if we have
744 // executed the new block before. If so, we have a looping function,
745 // which we cannot evaluate in reasonable time.
746 if (!ExecutedBlocks.insert(NextBB).second)
747 return false; // looped!
748
749 // Okay, we have never been in this block before. Check to see if there
750 // are any PHI nodes. If so, evaluate them with information about where
751 // we came from.
752 PHINode *PN = nullptr;
753 for (CurInst = NextBB->begin();
754 (PN = dyn_cast<PHINode>(CurInst)); ++CurInst)
755 setVal(PN, getVal(PN->getIncomingValueForBlock(CurBB)));
756
757 // Advance to the next block.
758 CurBB = NextBB;
759 }
760 }
761