//==- llvm/Analysis/MemoryBuiltins.h - Calls to memory builtins --*- C++ -*-==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This family of functions identifies calls to builtin functions that allocate
// or free memory.
//
//===----------------------------------------------------------------------===//

#ifndef LLVM_ANALYSIS_MEMORYBUILTINS_H
#define LLVM_ANALYSIS_MEMORYBUILTINS_H

#include "llvm/ADT/APInt.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/Analysis/TargetFolder.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InstVisitor.h"
#include "llvm/IR/ValueHandle.h"
#include <cstdint>
#include <optional>
#include <utility>

namespace llvm {

class AllocaInst;
class AAResults;
class Argument;
class ConstantPointerNull;
class DataLayout;
class ExtractElementInst;
class ExtractValueInst;
class GEPOperator;
class GlobalAlias;
class GlobalVariable;
class Instruction;
class IntegerType;
class IntrinsicInst;
class IntToPtrInst;
class LLVMContext;
class LoadInst;
class PHINode;
class SelectInst;
class Type;
class UndefValue;
class Value;

/// Tests if a value is a call or invoke to a library function that
/// allocates or reallocates memory (either malloc, calloc, realloc, or strdup
/// like).
bool isAllocationFn(const Value *V, const TargetLibraryInfo *TLI);
/// Overload for callers that do not hold a TargetLibraryInfo up front:
/// \p GetTLI maps a Function to the TargetLibraryInfo that should be consulted.
bool isAllocationFn(const Value *V,
                    function_ref<const TargetLibraryInfo &(Function &)> GetTLI);

/// Tests if a value is a call or invoke to a library function that
/// allocates memory via new.
bool isNewLikeFn(const Value *V, const TargetLibraryInfo *TLI);

/// Tests if a value is a call or invoke to a library function that
/// allocates memory similar to malloc or calloc.
bool isMallocOrCallocLikeFn(const Value *V, const TargetLibraryInfo *TLI);

/// Tests if a value is a call or invoke to a library function that
/// allocates memory (either malloc, calloc, or strdup like).
bool isAllocLikeFn(const Value *V, const TargetLibraryInfo *TLI);

/// Tests if a function is a library function that reallocates memory
/// (e.g., realloc). Unlike the predicates above this takes the callee itself,
/// not the call site.
bool isReallocLikeFn(const Function *F);

/// If this is a call to a realloc function, return the reallocated operand.
Value *getReallocatedOperand(const CallBase *CB);

//===----------------------------------------------------------------------===//
// free Call Utility Functions.
//

/// isLibFreeFunction - Returns true if the function is a builtin free().
/// \p TLIFn is the LibFunc identity the caller has already resolved for \p F
/// (presumably via TargetLibraryInfo::getLibFunc -- confirm in the definition).
bool isLibFreeFunction(const Function *F, const LibFunc TLIFn);

/// If this is a call to a free function, return the freed operand.
Value *getFreedOperand(const CallBase *CB, const TargetLibraryInfo *TLI);

//===----------------------------------------------------------------------===//
// Properties of allocation functions
//

/// Return true if this is a call to an allocation function that does not have
/// side effects that we are required to preserve beyond the effect of
/// allocating a new object.
/// Ex: If our allocation routine has a counter for the number of objects
/// allocated, and the program prints it on exit, can the value change due
/// to optimization? Answer is highly language dependent.
/// Note: *Removable* really does mean removable; it does not mean observable.
/// A language (e.g. C++) can allow removing allocations without allowing
/// insertion or speculative execution of allocation routines.
bool isRemovableAlloc(const CallBase *V, const TargetLibraryInfo *TLI);

/// Gets the alignment argument for an aligned_alloc-like function, using either
/// built-in knowledge based on function names/signatures or allocalign
/// attributes. Note: the Value returned may not indicate a valid alignment, per
/// the definition of the allocalign attribute.
Value *getAllocAlignment(const CallBase *V, const TargetLibraryInfo *TLI);

/// Return the size of the requested allocation. With a trivial mapper, this is
/// similar to calling getObjectSize(..., Exact), but without looking through
/// calls that return their argument. A mapper function can be used to replace
/// one Value* (operand to the allocation) with another. This is useful when
/// doing abstract interpretation.
///
/// The default \p Mapper is the identity, i.e. operands are used as written.
std::optional<APInt> getAllocSize(
    const CallBase *CB, const TargetLibraryInfo *TLI,
    function_ref<const Value *(const Value *)> Mapper = [](const Value *V) {
      return V;
    });

/// If this is a call to an allocation function that initializes memory to a
/// fixed value, return said value in the requested type. Otherwise, return
/// nullptr.
Constant *getInitialValueOfAllocation(const Value *V,
                                      const TargetLibraryInfo *TLI,
                                      Type *Ty);

/// If a function is part of an allocation family (e.g.
/// malloc/realloc/calloc/free), return the identifier for its family
/// of functions.
std::optional<StringRef> getAllocationFamily(const Value *I,
                                             const TargetLibraryInfo *TLI);

//===----------------------------------------------------------------------===//
// Utility functions to compute size of objects.
//

/// Various options to control the behavior of getObjectSize.
struct ObjectSizeOpts {
  /// Controls how we handle conditional statements with unknown conditions.
  enum class Mode : uint8_t {
    /// All branches must be known and have the same size, starting from the
    /// offset, to be merged.
    ExactSizeFromOffset,
    /// All branches must be known and have the same underlying size and offset
    /// to be merged.
    ExactUnderlyingSizeAndOffset,
    /// Evaluate all branches of an unknown condition. If all evaluations
    /// succeed, pick the minimum size.
    /// Because it never reports more than the smallest branch provides, this
    /// is the conservative choice when the result feeds a bounds check.
    Min,
    /// Same as Min, except we pick the maximum size of all of the branches.
    Max,
  };

  /// How we want to evaluate this object's size.
  Mode EvalMode = Mode::ExactSizeFromOffset;
  /// Whether to round the result up to the alignment of allocas, byval
  /// arguments, and global variables.
  bool RoundToAlign = false;
  /// If this is true, null pointers in address space 0 will be treated as
  /// though they can't be evaluated. Otherwise, null is always considered to
  /// point to a 0 byte region of memory.
  bool NullIsUnknownSize = false;
  /// If set, used for more accurate evaluation.
  AAResults *AA = nullptr;
};

/// Compute the size of the object pointed by Ptr. Returns true and the
/// object size in Size if successful, and false otherwise. In this context, by
/// object we mean the region of memory starting at Ptr to the end of the
/// underlying object pointed to by Ptr.
///
/// WARNING: The object size returned is the allocation size. This does not
/// imply dereferenceability at site of use since the object may be freed in
/// between.
bool getObjectSize(const Value *Ptr, uint64_t &Size, const DataLayout &DL,
                   const TargetLibraryInfo *TLI, ObjectSizeOpts Opts = {});

/// Try to turn a call to \@llvm.objectsize into an integer value of the given
/// Type. Returns null on failure. If MustSucceed is true, this function will
/// not return null, and may return conservative values governed by the second
/// argument of the call to objectsize.
Value *lowerObjectSizeCall(IntrinsicInst *ObjectSize, const DataLayout &DL,
                           const TargetLibraryInfo *TLI, bool MustSucceed);
/// Overload that additionally consults \p AA and, when \p InsertedInstructions
/// is non-null, reports the instructions that were inserted to compute the
/// value (presumably those emitted by \p ObjectSizeOffsetEvaluator -- confirm
/// in the definition).
Value *lowerObjectSizeCall(
    IntrinsicInst *ObjectSize, const DataLayout &DL,
    const TargetLibraryInfo *TLI, AAResults *AA, bool MustSucceed,
    SmallVectorImpl<Instruction *> *InsertedInstructions = nullptr);

/// SizeOffsetType - A base template class for the object size visitors. Used
/// here as a self-documenting way to handle the values rather than using a
/// \p std::pair.
///
/// \p T is the representation of one quantity (APInt, Value*, ...) and \p C is
/// the derived class, which must provide a static \c known(T) predicate that
/// says whether a quantity carries a real value.
template <typename T, class C> struct SizeOffsetType {
  T Size;
  T Offset;

  SizeOffsetType() = default;
  SizeOffsetType(T Size, T Offset)
      : Size(std::move(Size)), Offset(std::move(Offset)) {}

  /// Per-field "is this resolved" queries, delegated to the derived class.
  bool knownSize() const { return C::known(Size); }
  bool knownOffset() const { return C::known(Offset); }
  /// True if at least one of the two quantities is resolved.
  bool anyKnown() const { return C::known(Size) || C::known(Offset); }
  /// True only if both quantities are resolved; callers that need a usable
  /// size/offset pair should test this rather than the individual parts.
  bool bothKnown() const { return C::known(Size) && C::known(Offset); }

  /// Field-wise equality. NOTE(review): APInt equality asserts equal bit
  /// widths, so for APInt instantiations this is only meaningful between
  /// operands of the same width (i.e. not known vs. unknown) -- confirm.
  bool operator==(const SizeOffsetType &RHS) const {
    if (!(Size == RHS.Size))
      return false;
    return Offset == RHS.Offset;
  }
  bool operator!=(const SizeOffsetType &RHS) const { return !operator==(RHS); }
};

/// SizeOffsetAPInt - Used by \p ObjectSizeOffsetVisitor, which works with
/// \p APInts.
struct SizeOffsetAPInt : public SizeOffsetType<APInt, SizeOffsetAPInt> {
  SizeOffsetAPInt() = default;
  SizeOffsetAPInt(APInt Size, APInt Offset)
      : SizeOffsetType(std::move(Size), std::move(Offset)) {}

  /// An unresolved quantity is a default-constructed APInt (1 bit wide); any
  /// wider value is a real size or offset.
  static bool known(const APInt &V) {
    const unsigned Bits = V.getBitWidth();
    return Bits > 1;
  }
};

/// OffsetSpan - Used internally by \p ObjectSizeOffsetVisitor. Represents a
/// point in memory as a pair of allocated bytes before and after it.
///
/// \c Before and \c After fields are signed values. It makes it possible to
/// represent out-of-bound access, e.g.
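/// as a result of a GEP, at the expense of
/// not being able to represent very large allocation.
struct OffsetSpan {
  APInt Before; ///< Number of allocated bytes before this point.
  APInt After;  ///< Number of allocated bytes after this point.

  OffsetSpan() = default;
  /// Takes both bounds by value and moves them into place, matching
  /// \p SizeOffsetType and \p SizeOffsetAPInt, so that a temporary passed in
  /// is not copied a second time.
  OffsetSpan(APInt Before, APInt After)
      : Before(std::move(Before)), After(std::move(After)) {}

  bool knownBefore() const { return known(Before); }
  bool knownAfter() const { return known(After); }
  bool anyKnown() const { return knownBefore() || knownAfter(); }
  bool bothKnown() const { return knownBefore() && knownAfter(); }

  /// Field-wise equality. NOTE(review): APInt equality asserts equal bit
  /// widths, so compare only spans whose fields are both known or both
  /// unknown -- confirm at the call sites.
  bool operator==(const OffsetSpan &RHS) const {
    return Before == RHS.Before && After == RHS.After;
  }
  bool operator!=(const OffsetSpan &RHS) const { return !(*this == RHS); }

  /// An unresolved bound is a default-constructed APInt (1 bit wide), which is
  /// what \c ObjectSizeOffsetVisitor::unknown() yields; any wider value is a
  /// real byte count.
  static bool known(const APInt &V) { return V.getBitWidth() > 1; }
};

/// Evaluate the size and offset of an object pointed to by a Value*
/// statically. Fails if size or offset are not known at compile time.
class ObjectSizeOffsetVisitor
    : public InstVisitor<ObjectSizeOffsetVisitor, OffsetSpan> {
  const DataLayout &DL;
  const TargetLibraryInfo *TLI;
  ObjectSizeOpts Options;
  /// Bit width used for size/offset arithmetic (presumably derived from \p DL
  /// in the constructor -- confirm).
  unsigned IntTyBits;
  APInt Zero;
  /// Results for instructions already visited; presumably also what stops the
  /// walk from cycling through PHIs -- confirm in the definition.
  SmallDenseMap<Instruction *, OffsetSpan, 8> SeenInsts;
  /// Number of instructions visited so far (presumably a budget that bounds
  /// the walk -- confirm).
  unsigned InstructionsVisited;

  /// Rounds \p Size up to \p Align (see ObjectSizeOpts::RoundToAlign).
  APInt align(APInt Size, MaybeAlign Align);

  /// The "could not evaluate" result: both bounds default-constructed, so
  /// OffsetSpan::anyKnown() is false.
  static OffsetSpan unknown() { return OffsetSpan(); }

public:
  ObjectSizeOffsetVisitor(const DataLayout &DL, const TargetLibraryInfo *TLI,
                          LLVMContext &Context, ObjectSizeOpts Options = {});

  /// Entry point. The returned pair reports via knownSize()/knownOffset()
  /// which of the two quantities could be resolved statically.
  SizeOffsetAPInt compute(Value *V);

  // These are "private", except they can't actually be made private: the
  // InstVisitor base dispatches to them through the derived type, so they
  // must be accessible. Only compute() should be used by external users.
  OffsetSpan visitAllocaInst(AllocaInst &I);
  OffsetSpan visitArgument(Argument &A);
  OffsetSpan visitCallBase(CallBase &CB);
  OffsetSpan visitConstantPointerNull(ConstantPointerNull &);
  OffsetSpan visitExtractElementInst(ExtractElementInst &I);
  OffsetSpan visitExtractValueInst(ExtractValueInst &I);
  OffsetSpan visitGlobalAlias(GlobalAlias &GA);
  OffsetSpan visitGlobalVariable(GlobalVariable &GV);
  OffsetSpan visitIntToPtrInst(IntToPtrInst &);
  OffsetSpan visitLoadInst(LoadInst &I);
  OffsetSpan visitPHINode(PHINode &);
  OffsetSpan visitSelectInst(SelectInst &I);
  OffsetSpan visitUndefValue(UndefValue &);
  OffsetSpan visitInstruction(Instruction &I);

private:
  /// Walks \p BB starting at \p From looking for the range a load from
  /// \p LoadFrom may see; \p VisitedBlocks and \p ScannedInstCount are threaded
  /// through the walk (presumably as a cycle guard and a scan budget --
  /// confirm).
  OffsetSpan
  findLoadOffsetRange(LoadInst &LoadFrom, BasicBlock &BB,
                      BasicBlock::iterator From,
                      SmallDenseMap<BasicBlock *, OffsetSpan, 8> &VisitedBlocks,
                      unsigned &ScannedInstCount);
  /// Merges two candidate spans according to Options.EvalMode.
  OffsetSpan combineOffsetRange(OffsetSpan LHS, OffsetSpan RHS);
  OffsetSpan computeImpl(Value *V);
  OffsetSpan computeValue(Value *V);
  /// Brings \p I to IntTyBits width; the bool result presumably reports
  /// whether that was possible without losing information -- confirm.
  bool CheckedZextOrTrunc(APInt &I);
};

/// SizeOffsetValue - Used by \p ObjectSizeOffsetEvaluator, which works with
/// \p Values.
struct SizeOffsetWeakTrackingVH;
struct SizeOffsetValue : public SizeOffsetType<Value *, SizeOffsetValue> {
  SizeOffsetValue() : SizeOffsetType(nullptr, nullptr) {}
  SizeOffsetValue(Value *Size, Value *Offset) : SizeOffsetType(Size, Offset) {}
  /// Conversion from the handle-based form; defined out of line because
  /// \p SizeOffsetWeakTrackingVH is only forward-declared at this point.
  SizeOffsetValue(const SizeOffsetWeakTrackingVH &SOT);

  /// A null Value* stands for "unknown".
  static bool known(Value *V) { return V != nullptr; }
};

/// SizeOffsetWeakTrackingVH - Used by \p ObjectSizeOffsetEvaluator in a
/// \p DenseMap.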
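struct SizeOffsetWeakTrackingVH
    : public SizeOffsetType<WeakTrackingVH, SizeOffsetWeakTrackingVH> {
  SizeOffsetWeakTrackingVH() : SizeOffsetType(nullptr, nullptr) {}
  SizeOffsetWeakTrackingVH(Value *Size, Value *Offset)
      : SizeOffsetType(Size, Offset) {}
  SizeOffsetWeakTrackingVH(const SizeOffsetValue &SOV)
      : SizeOffsetType(SOV.Size, SOV.Offset) {}

  /// A handle counts as known only while the Value it tracks is still alive,
  /// so a cached entry whose instruction has since been erased reads as
  /// unknown instead of dangling. Taken by const reference: copying a
  /// WeakTrackingVH has to register the copy with the tracked Value, which is
  /// wasted work for a read-only query.
  static bool known(const WeakTrackingVH &V) { return V.pointsToAliveValue(); }
};

/// Evaluate the size and offset of an object pointed to by a Value*.
/// May create code to compute the result at run-time.
class ObjectSizeOffsetEvaluator
    : public InstVisitor<ObjectSizeOffsetEvaluator, SizeOffsetValue> {
  /// Builder with a callback inserter (presumably how InsertedInstructions is
  /// populated -- confirm in the definition).
  using BuilderTy = IRBuilder<TargetFolder, IRBuilderCallbackInserter>;
  using WeakEvalType = SizeOffsetWeakTrackingVH;
  /// Cache values are weak handles, so entries for deleted Values become
  /// "unknown" (see SizeOffsetWeakTrackingVH::known) rather than stale.
  using CacheMapTy = DenseMap<const Value *, WeakEvalType>;
  using PtrSetTy = SmallPtrSet<const Value *, 8>;

  const DataLayout &DL;
  const TargetLibraryInfo *TLI;
  LLVMContext &Context;
  BuilderTy Builder;
  IntegerType *IntTy;
  /// Presumably the constant zero of IntTy -- confirm.
  Value *Zero;
  CacheMapTy CacheMap;
  /// Values currently being evaluated (presumably a cycle guard -- confirm).
  PtrSetTy SeenVals;
  ObjectSizeOpts EvalOpts;
  /// Instructions this evaluator emitted to compute results at run time.
  SmallPtrSet<Instruction *, 8> InsertedInstructions;

  /// Uncached worker behind compute().
  SizeOffsetValue compute_(Value *V);

public:
  ObjectSizeOffsetEvaluator(const DataLayout &DL, const TargetLibraryInfo *TLI,
                            LLVMContext &Context, ObjectSizeOpts EvalOpts = {});

  /// The "could not evaluate" result: both Values null.
  static SizeOffsetValue unknown() { return SizeOffsetValue(); }

  /// Entry point. May insert instructions; check knownSize()/knownOffset()
  /// on the result before using either Value.
  SizeOffsetValue compute(Value *V);

  // The individual instruction visitors should be treated as private; they
  // are public only because the InstVisitor base dispatches to them.
  SizeOffsetValue visitAllocaInst(AllocaInst &I);
  SizeOffsetValue visitCallBase(CallBase &CB);
  SizeOffsetValue visitExtractElementInst(ExtractElementInst &I);
  SizeOffsetValue visitExtractValueInst(ExtractValueInst &I);
  SizeOffsetValue visitGEPOperator(GEPOperator &GEP);
  SizeOffsetValue visitIntToPtrInst(IntToPtrInst &);
  SizeOffsetValue visitLoadInst(LoadInst &I);
  SizeOffsetValue visitPHINode(PHINode &PHI);
  SizeOffsetValue visitSelectInst(SelectInst &I);
  SizeOffsetValue visitInstruction(Instruction &I);
};

} // end namespace llvm

#endif // LLVM_ANALYSIS_MEMORYBUILTINS_H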