10b57cec5SDimitry Andric //===- PoisonChecking.cpp - -----------------------------------------------===// 20b57cec5SDimitry Andric // 30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information. 50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 60b57cec5SDimitry Andric // 70b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 80b57cec5SDimitry Andric // 90b57cec5SDimitry Andric // Implements a transform pass which instruments IR such that poison semantics 100b57cec5SDimitry Andric // are made explicit. That is, it provides a (possibly partial) executable 110b57cec5SDimitry Andric // semantics for every instruction w.r.t. poison as specified in the LLVM 120b57cec5SDimitry Andric // LangRef. There are obvious parallels to the sanitizer tools, but this pass 130b57cec5SDimitry Andric // is focused purely on the semantics of LLVM IR, not any particular source 140b57cec5SDimitry Andric // language. If you're looking for something to see if your C/C++ contains 150b57cec5SDimitry Andric // UB, this is not it. 160b57cec5SDimitry Andric // 170b57cec5SDimitry Andric // The rewritten semantics of each instruction will include the following 180b57cec5SDimitry Andric // components: 190b57cec5SDimitry Andric // 200b57cec5SDimitry Andric // 1) The original instruction, unmodified. 210b57cec5SDimitry Andric // 2) A propagation rule which translates dynamic information about the poison 220b57cec5SDimitry Andric // state of each input to whether the dynamic output of the instruction 230b57cec5SDimitry Andric // produces poison. 245ffd83dbSDimitry Andric // 3) A creation rule which validates any poison producing flags on the 250b57cec5SDimitry Andric // instruction itself (e.g. checks for overflow on nsw). 260b57cec5SDimitry Andric // 4) A check rule which traps (to a handler function) if this instruction must 270b57cec5SDimitry Andric // execute undefined behavior given the poison state of it's inputs. 280b57cec5SDimitry Andric // 295ffd83dbSDimitry Andric // This is a must analysis based transform; that is, the resulting code may 305ffd83dbSDimitry Andric // produce a false negative result (not report UB when actually exists 315ffd83dbSDimitry Andric // according to the LangRef spec), but should never produce a false positive 325ffd83dbSDimitry Andric // (report UB where it doesn't exist). 330b57cec5SDimitry Andric // 340b57cec5SDimitry Andric // Use cases for this pass include: 350b57cec5SDimitry Andric // - Understanding (and testing!) the implications of the definition of poison 360b57cec5SDimitry Andric // from the LangRef. 370b57cec5SDimitry Andric // - Validating the output of a IR fuzzer to ensure that all programs produced 380b57cec5SDimitry Andric // are well defined on the specific input used. 390b57cec5SDimitry Andric // - Finding/confirming poison specific miscompiles by checking the poison 400b57cec5SDimitry Andric // status of an input/IR pair is the same before and after an optimization 410b57cec5SDimitry Andric // transform. 420b57cec5SDimitry Andric // - Checking that a bugpoint reduction does not introduce UB which didn't 430b57cec5SDimitry Andric // exist in the original program being reduced. 440b57cec5SDimitry Andric // 450b57cec5SDimitry Andric // The major sources of inaccuracy are currently: 460b57cec5SDimitry Andric // - Most validation rules not yet implemented for instructions with poison 470b57cec5SDimitry Andric // relavant flags. At the moment, only nsw/nuw on add/sub are supported. 480b57cec5SDimitry Andric // - UB which is control dependent on a branch on poison is not yet 490b57cec5SDimitry Andric // reported. Currently, only data flow dependence is modeled. 500b57cec5SDimitry Andric // - Poison which is propagated through memory is not modeled. As such, 510b57cec5SDimitry Andric // storing poison to memory and then reloading it will cause a false negative 520b57cec5SDimitry Andric // as we consider the reloaded value to not be poisoned. 530b57cec5SDimitry Andric // - Poison propagation across function boundaries is not modeled. At the 540b57cec5SDimitry Andric // moment, all arguments and return values are assumed not to be poison. 550b57cec5SDimitry Andric // - Undef is not modeled. In particular, the optimizer's freedom to pick 560b57cec5SDimitry Andric // concrete values for undef bits so as to maximize potential for producing 570b57cec5SDimitry Andric // poison is not modeled. 580b57cec5SDimitry Andric // 590b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 600b57cec5SDimitry Andric 610b57cec5SDimitry Andric #include "llvm/Transforms/Instrumentation/PoisonChecking.h" 620b57cec5SDimitry Andric #include "llvm/ADT/DenseMap.h" 630b57cec5SDimitry Andric #include "llvm/Analysis/ValueTracking.h" 64480093f4SDimitry Andric #include "llvm/IR/IRBuilder.h" 65*0fca6ea1SDimitry Andric #include "llvm/IR/Module.h" 66480093f4SDimitry Andric #include "llvm/Support/CommandLine.h" 670b57cec5SDimitry Andric 680b57cec5SDimitry Andric using namespace llvm; 690b57cec5SDimitry Andric 700b57cec5SDimitry Andric #define DEBUG_TYPE "poison-checking" 710b57cec5SDimitry Andric 720b57cec5SDimitry Andric static cl::opt<bool> 730b57cec5SDimitry Andric LocalCheck("poison-checking-function-local", 740b57cec5SDimitry Andric cl::init(false), 750b57cec5SDimitry Andric cl::desc("Check that returns are non-poison (for testing)")); 760b57cec5SDimitry Andric 770b57cec5SDimitry Andric 780b57cec5SDimitry Andric static bool isConstantFalse(Value* V) { 790b57cec5SDimitry Andric assert(V->getType()->isIntegerTy(1)); 800b57cec5SDimitry Andric if (auto *CI = dyn_cast<ConstantInt>(V)) 810b57cec5SDimitry Andric return CI->isZero(); 820b57cec5SDimitry Andric return false; 830b57cec5SDimitry Andric } 840b57cec5SDimitry Andric 850b57cec5SDimitry Andric static Value *buildOrChain(IRBuilder<> &B, ArrayRef<Value*> Ops) { 860b57cec5SDimitry Andric if (Ops.size() == 0) 870b57cec5SDimitry Andric return B.getFalse(); 880b57cec5SDimitry Andric unsigned i = 0; 890b57cec5SDimitry Andric for (; i < Ops.size() && isConstantFalse(Ops[i]); i++) {} 900b57cec5SDimitry Andric if (i == Ops.size()) 910b57cec5SDimitry Andric return B.getFalse(); 920b57cec5SDimitry Andric Value *Accum = Ops[i++]; 93bdd1243dSDimitry Andric for (Value *Op : llvm::drop_begin(Ops, i)) 94bdd1243dSDimitry Andric if (!isConstantFalse(Op)) 95bdd1243dSDimitry Andric Accum = B.CreateOr(Accum, Op); 960b57cec5SDimitry Andric return Accum; 970b57cec5SDimitry Andric } 980b57cec5SDimitry Andric 995ffd83dbSDimitry Andric static void generateCreationChecksForBinOp(Instruction &I, 1005ffd83dbSDimitry Andric SmallVectorImpl<Value*> &Checks) { 1010b57cec5SDimitry Andric assert(isa<BinaryOperator>(I)); 1020b57cec5SDimitry Andric 1030b57cec5SDimitry Andric IRBuilder<> B(&I); 1040b57cec5SDimitry Andric Value *LHS = I.getOperand(0); 1050b57cec5SDimitry Andric Value *RHS = I.getOperand(1); 1060b57cec5SDimitry Andric switch (I.getOpcode()) { 1070b57cec5SDimitry Andric default: 1080b57cec5SDimitry Andric return; 1090b57cec5SDimitry Andric case Instruction::Add: { 1100b57cec5SDimitry Andric if (I.hasNoSignedWrap()) { 1110b57cec5SDimitry Andric auto *OverflowOp = 1120b57cec5SDimitry Andric B.CreateBinaryIntrinsic(Intrinsic::sadd_with_overflow, LHS, RHS); 1130b57cec5SDimitry Andric Checks.push_back(B.CreateExtractValue(OverflowOp, 1)); 1140b57cec5SDimitry Andric } 1150b57cec5SDimitry Andric if (I.hasNoUnsignedWrap()) { 1160b57cec5SDimitry Andric auto *OverflowOp = 1170b57cec5SDimitry Andric B.CreateBinaryIntrinsic(Intrinsic::uadd_with_overflow, LHS, RHS); 1180b57cec5SDimitry Andric Checks.push_back(B.CreateExtractValue(OverflowOp, 1)); 1190b57cec5SDimitry Andric } 1200b57cec5SDimitry Andric break; 1210b57cec5SDimitry Andric } 1220b57cec5SDimitry Andric case Instruction::Sub: { 1230b57cec5SDimitry Andric if (I.hasNoSignedWrap()) { 1240b57cec5SDimitry Andric auto *OverflowOp = 1250b57cec5SDimitry Andric B.CreateBinaryIntrinsic(Intrinsic::ssub_with_overflow, LHS, RHS); 1260b57cec5SDimitry Andric Checks.push_back(B.CreateExtractValue(OverflowOp, 1)); 1270b57cec5SDimitry Andric } 1280b57cec5SDimitry Andric if (I.hasNoUnsignedWrap()) { 1290b57cec5SDimitry Andric auto *OverflowOp = 1300b57cec5SDimitry Andric B.CreateBinaryIntrinsic(Intrinsic::usub_with_overflow, LHS, RHS); 1310b57cec5SDimitry Andric Checks.push_back(B.CreateExtractValue(OverflowOp, 1)); 1320b57cec5SDimitry Andric } 1330b57cec5SDimitry Andric break; 1340b57cec5SDimitry Andric } 1350b57cec5SDimitry Andric case Instruction::Mul: { 1360b57cec5SDimitry Andric if (I.hasNoSignedWrap()) { 1370b57cec5SDimitry Andric auto *OverflowOp = 1380b57cec5SDimitry Andric B.CreateBinaryIntrinsic(Intrinsic::smul_with_overflow, LHS, RHS); 1390b57cec5SDimitry Andric Checks.push_back(B.CreateExtractValue(OverflowOp, 1)); 1400b57cec5SDimitry Andric } 1410b57cec5SDimitry Andric if (I.hasNoUnsignedWrap()) { 1420b57cec5SDimitry Andric auto *OverflowOp = 1430b57cec5SDimitry Andric B.CreateBinaryIntrinsic(Intrinsic::umul_with_overflow, LHS, RHS); 1440b57cec5SDimitry Andric Checks.push_back(B.CreateExtractValue(OverflowOp, 1)); 1450b57cec5SDimitry Andric } 1460b57cec5SDimitry Andric break; 1470b57cec5SDimitry Andric } 1480b57cec5SDimitry Andric case Instruction::UDiv: { 1490b57cec5SDimitry Andric if (I.isExact()) { 1500b57cec5SDimitry Andric auto *Check = 1510b57cec5SDimitry Andric B.CreateICmp(ICmpInst::ICMP_NE, B.CreateURem(LHS, RHS), 1520b57cec5SDimitry Andric ConstantInt::get(LHS->getType(), 0)); 1530b57cec5SDimitry Andric Checks.push_back(Check); 1540b57cec5SDimitry Andric } 1550b57cec5SDimitry Andric break; 1560b57cec5SDimitry Andric } 1570b57cec5SDimitry Andric case Instruction::SDiv: { 1580b57cec5SDimitry Andric if (I.isExact()) { 1590b57cec5SDimitry Andric auto *Check = 1600b57cec5SDimitry Andric B.CreateICmp(ICmpInst::ICMP_NE, B.CreateSRem(LHS, RHS), 1610b57cec5SDimitry Andric ConstantInt::get(LHS->getType(), 0)); 1620b57cec5SDimitry Andric Checks.push_back(Check); 1630b57cec5SDimitry Andric } 1640b57cec5SDimitry Andric break; 1650b57cec5SDimitry Andric } 1660b57cec5SDimitry Andric case Instruction::AShr: 1670b57cec5SDimitry Andric case Instruction::LShr: 1680b57cec5SDimitry Andric case Instruction::Shl: { 1690b57cec5SDimitry Andric Value *ShiftCheck = 1700b57cec5SDimitry Andric B.CreateICmp(ICmpInst::ICMP_UGE, RHS, 1710b57cec5SDimitry Andric ConstantInt::get(RHS->getType(), 1720b57cec5SDimitry Andric LHS->getType()->getScalarSizeInBits())); 1730b57cec5SDimitry Andric Checks.push_back(ShiftCheck); 1740b57cec5SDimitry Andric break; 1750b57cec5SDimitry Andric } 1760b57cec5SDimitry Andric }; 1770b57cec5SDimitry Andric } 1780b57cec5SDimitry Andric 1795ffd83dbSDimitry Andric /// Given an instruction which can produce poison on non-poison inputs 1805ffd83dbSDimitry Andric /// (i.e. canCreatePoison returns true), generate runtime checks to produce 1815ffd83dbSDimitry Andric /// boolean indicators of when poison would result. 1825ffd83dbSDimitry Andric static void generateCreationChecks(Instruction &I, 1835ffd83dbSDimitry Andric SmallVectorImpl<Value*> &Checks) { 1840b57cec5SDimitry Andric IRBuilder<> B(&I); 1850b57cec5SDimitry Andric if (isa<BinaryOperator>(I) && !I.getType()->isVectorTy()) 1865ffd83dbSDimitry Andric generateCreationChecksForBinOp(I, Checks); 1870b57cec5SDimitry Andric 1885ffd83dbSDimitry Andric // Handle non-binops separately 1890b57cec5SDimitry Andric switch (I.getOpcode()) { 1900b57cec5SDimitry Andric default: 1915ffd83dbSDimitry Andric // Note there are a couple of missing cases here, once implemented, this 1925ffd83dbSDimitry Andric // should become an llvm_unreachable. 1930b57cec5SDimitry Andric break; 1940b57cec5SDimitry Andric case Instruction::ExtractElement: { 1950b57cec5SDimitry Andric Value *Vec = I.getOperand(0); 1965ffd83dbSDimitry Andric auto *VecVTy = dyn_cast<FixedVectorType>(Vec->getType()); 1975ffd83dbSDimitry Andric if (!VecVTy) 1980b57cec5SDimitry Andric break; 1990b57cec5SDimitry Andric Value *Idx = I.getOperand(1); 2005ffd83dbSDimitry Andric unsigned NumElts = VecVTy->getNumElements(); 2010b57cec5SDimitry Andric Value *Check = 2020b57cec5SDimitry Andric B.CreateICmp(ICmpInst::ICMP_UGE, Idx, 2030b57cec5SDimitry Andric ConstantInt::get(Idx->getType(), NumElts)); 2040b57cec5SDimitry Andric Checks.push_back(Check); 2050b57cec5SDimitry Andric break; 2060b57cec5SDimitry Andric } 2070b57cec5SDimitry Andric case Instruction::InsertElement: { 2080b57cec5SDimitry Andric Value *Vec = I.getOperand(0); 2095ffd83dbSDimitry Andric auto *VecVTy = dyn_cast<FixedVectorType>(Vec->getType()); 2105ffd83dbSDimitry Andric if (!VecVTy) 2110b57cec5SDimitry Andric break; 2120b57cec5SDimitry Andric Value *Idx = I.getOperand(2); 2135ffd83dbSDimitry Andric unsigned NumElts = VecVTy->getNumElements(); 2140b57cec5SDimitry Andric Value *Check = 2150b57cec5SDimitry Andric B.CreateICmp(ICmpInst::ICMP_UGE, Idx, 2160b57cec5SDimitry Andric ConstantInt::get(Idx->getType(), NumElts)); 2170b57cec5SDimitry Andric Checks.push_back(Check); 2180b57cec5SDimitry Andric break; 2190b57cec5SDimitry Andric } 2200b57cec5SDimitry Andric }; 2210b57cec5SDimitry Andric } 2220b57cec5SDimitry Andric 2230b57cec5SDimitry Andric static Value *getPoisonFor(DenseMap<Value *, Value *> &ValToPoison, Value *V) { 2240b57cec5SDimitry Andric auto Itr = ValToPoison.find(V); 2250b57cec5SDimitry Andric if (Itr != ValToPoison.end()) 2260b57cec5SDimitry Andric return Itr->second; 2270b57cec5SDimitry Andric if (isa<Constant>(V)) { 2280b57cec5SDimitry Andric return ConstantInt::getFalse(V->getContext()); 2290b57cec5SDimitry Andric } 2300b57cec5SDimitry Andric // Return false for unknwon values - this implements a non-strict mode where 2310b57cec5SDimitry Andric // unhandled IR constructs are simply considered to never produce poison. At 2320b57cec5SDimitry Andric // some point in the future, we probably want a "strict mode" for testing if 2330b57cec5SDimitry Andric // nothing else. 2340b57cec5SDimitry Andric return ConstantInt::getFalse(V->getContext()); 2350b57cec5SDimitry Andric } 2360b57cec5SDimitry Andric 2370b57cec5SDimitry Andric static void CreateAssert(IRBuilder<> &B, Value *Cond) { 2380b57cec5SDimitry Andric assert(Cond->getType()->isIntegerTy(1)); 2390b57cec5SDimitry Andric if (auto *CI = dyn_cast<ConstantInt>(Cond)) 2400b57cec5SDimitry Andric if (CI->isAllOnesValue()) 2410b57cec5SDimitry Andric return; 2420b57cec5SDimitry Andric 2430b57cec5SDimitry Andric Module *M = B.GetInsertBlock()->getModule(); 2440b57cec5SDimitry Andric M->getOrInsertFunction("__poison_checker_assert", 2450b57cec5SDimitry Andric Type::getVoidTy(M->getContext()), 2460b57cec5SDimitry Andric Type::getInt1Ty(M->getContext())); 2470b57cec5SDimitry Andric Function *TrapFunc = M->getFunction("__poison_checker_assert"); 2480b57cec5SDimitry Andric B.CreateCall(TrapFunc, Cond); 2490b57cec5SDimitry Andric } 2500b57cec5SDimitry Andric 2510b57cec5SDimitry Andric static void CreateAssertNot(IRBuilder<> &B, Value *Cond) { 2520b57cec5SDimitry Andric assert(Cond->getType()->isIntegerTy(1)); 2530b57cec5SDimitry Andric CreateAssert(B, B.CreateNot(Cond)); 2540b57cec5SDimitry Andric } 2550b57cec5SDimitry Andric 2560b57cec5SDimitry Andric static bool rewrite(Function &F) { 2570b57cec5SDimitry Andric auto * const Int1Ty = Type::getInt1Ty(F.getContext()); 2580b57cec5SDimitry Andric 2590b57cec5SDimitry Andric DenseMap<Value *, Value *> ValToPoison; 2600b57cec5SDimitry Andric 2610b57cec5SDimitry Andric for (BasicBlock &BB : F) 2620b57cec5SDimitry Andric for (auto I = BB.begin(); isa<PHINode>(&*I); I++) { 2630b57cec5SDimitry Andric auto *OldPHI = cast<PHINode>(&*I); 2645ffd83dbSDimitry Andric auto *NewPHI = PHINode::Create(Int1Ty, OldPHI->getNumIncomingValues()); 2650b57cec5SDimitry Andric for (unsigned i = 0; i < OldPHI->getNumIncomingValues(); i++) 2660b57cec5SDimitry Andric NewPHI->addIncoming(UndefValue::get(Int1Ty), 2670b57cec5SDimitry Andric OldPHI->getIncomingBlock(i)); 2680b57cec5SDimitry Andric NewPHI->insertBefore(OldPHI); 2690b57cec5SDimitry Andric ValToPoison[OldPHI] = NewPHI; 2700b57cec5SDimitry Andric } 2710b57cec5SDimitry Andric 2720b57cec5SDimitry Andric for (BasicBlock &BB : F) 2730b57cec5SDimitry Andric for (Instruction &I : BB) { 2740b57cec5SDimitry Andric if (isa<PHINode>(I)) continue; 2750b57cec5SDimitry Andric 2760b57cec5SDimitry Andric IRBuilder<> B(cast<Instruction>(&I)); 2770b57cec5SDimitry Andric 2780b57cec5SDimitry Andric // Note: There are many more sources of documented UB, but this pass only 2790b57cec5SDimitry Andric // attempts to find UB triggered by propagation of poison. 280bdd1243dSDimitry Andric SmallVector<const Value *, 4> NonPoisonOps; 281bdd1243dSDimitry Andric SmallPtrSet<const Value *, 4> SeenNonPoisonOps; 282e8d8bef9SDimitry Andric getGuaranteedNonPoisonOps(&I, NonPoisonOps); 283e8d8bef9SDimitry Andric for (const Value *Op : NonPoisonOps) 284bdd1243dSDimitry Andric if (SeenNonPoisonOps.insert(Op).second) 285bdd1243dSDimitry Andric CreateAssertNot(B, 286bdd1243dSDimitry Andric getPoisonFor(ValToPoison, const_cast<Value *>(Op))); 2870b57cec5SDimitry Andric 2880b57cec5SDimitry Andric if (LocalCheck) 2890b57cec5SDimitry Andric if (auto *RI = dyn_cast<ReturnInst>(&I)) 2900b57cec5SDimitry Andric if (RI->getNumOperands() != 0) { 2910b57cec5SDimitry Andric Value *Op = RI->getOperand(0); 2920b57cec5SDimitry Andric CreateAssertNot(B, getPoisonFor(ValToPoison, Op)); 2930b57cec5SDimitry Andric } 2940b57cec5SDimitry Andric 2950b57cec5SDimitry Andric SmallVector<Value*, 4> Checks; 296bdd1243dSDimitry Andric for (const Use &U : I.operands()) { 297bdd1243dSDimitry Andric if (ValToPoison.count(U) && propagatesPoison(U)) 298bdd1243dSDimitry Andric Checks.push_back(getPoisonFor(ValToPoison, U)); 299bdd1243dSDimitry Andric } 3000b57cec5SDimitry Andric 301e8d8bef9SDimitry Andric if (canCreatePoison(cast<Operator>(&I))) 3025ffd83dbSDimitry Andric generateCreationChecks(I, Checks); 3030b57cec5SDimitry Andric ValToPoison[&I] = buildOrChain(B, Checks); 3040b57cec5SDimitry Andric } 3050b57cec5SDimitry Andric 3060b57cec5SDimitry Andric for (BasicBlock &BB : F) 3070b57cec5SDimitry Andric for (auto I = BB.begin(); isa<PHINode>(&*I); I++) { 3080b57cec5SDimitry Andric auto *OldPHI = cast<PHINode>(&*I); 3090b57cec5SDimitry Andric if (!ValToPoison.count(OldPHI)) 3100b57cec5SDimitry Andric continue; // skip the newly inserted phis 3110b57cec5SDimitry Andric auto *NewPHI = cast<PHINode>(ValToPoison[OldPHI]); 3120b57cec5SDimitry Andric for (unsigned i = 0; i < OldPHI->getNumIncomingValues(); i++) { 3130b57cec5SDimitry Andric auto *OldVal = OldPHI->getIncomingValue(i); 3140b57cec5SDimitry Andric NewPHI->setIncomingValue(i, getPoisonFor(ValToPoison, OldVal)); 3150b57cec5SDimitry Andric } 3160b57cec5SDimitry Andric } 3170b57cec5SDimitry Andric return true; 3180b57cec5SDimitry Andric } 3190b57cec5SDimitry Andric 3200b57cec5SDimitry Andric 3210b57cec5SDimitry Andric PreservedAnalyses PoisonCheckingPass::run(Module &M, 3220b57cec5SDimitry Andric ModuleAnalysisManager &AM) { 3230b57cec5SDimitry Andric bool Changed = false; 3240b57cec5SDimitry Andric for (auto &F : M) 3250b57cec5SDimitry Andric Changed |= rewrite(F); 3260b57cec5SDimitry Andric 3270b57cec5SDimitry Andric return Changed ? PreservedAnalyses::none() : PreservedAnalyses::all(); 3280b57cec5SDimitry Andric } 3290b57cec5SDimitry Andric 3300b57cec5SDimitry Andric PreservedAnalyses PoisonCheckingPass::run(Function &F, 3310b57cec5SDimitry Andric FunctionAnalysisManager &AM) { 3320b57cec5SDimitry Andric return rewrite(F) ? PreservedAnalyses::none() : PreservedAnalyses::all(); 3330b57cec5SDimitry Andric } 3340b57cec5SDimitry Andric 3350b57cec5SDimitry Andric /* Major TODO Items: 3360b57cec5SDimitry Andric - Control dependent poison UB 3370b57cec5SDimitry Andric - Strict mode - (i.e. must analyze every operand) 3380b57cec5SDimitry Andric - Poison through memory 3390b57cec5SDimitry Andric - Function ABIs 3400b57cec5SDimitry Andric - Full coverage of intrinsics, etc.. (ouch) 3410b57cec5SDimitry Andric 3420b57cec5SDimitry Andric Instructions w/Unclear Semantics: 3430b57cec5SDimitry Andric - shufflevector - It would seem reasonable for an out of bounds mask element 3440b57cec5SDimitry Andric to produce poison, but the LangRef does not state. 3450b57cec5SDimitry Andric - all binary ops w/vector operands - The likely interpretation would be that 3460b57cec5SDimitry Andric any element overflowing should produce poison for the entire result, but 3470b57cec5SDimitry Andric the LangRef does not state. 3480b57cec5SDimitry Andric - Floating point binary ops w/fmf flags other than (nnan, noinfs). It seems 3490b57cec5SDimitry Andric strange that only certian flags should be documented as producing poison. 3500b57cec5SDimitry Andric 3510b57cec5SDimitry Andric Cases of clear poison semantics not yet implemented: 3520b57cec5SDimitry Andric - Exact flags on ashr/lshr produce poison 3530b57cec5SDimitry Andric - NSW/NUW flags on shl produce poison 3540b57cec5SDimitry Andric - Inbounds flag on getelementptr produce poison 3550b57cec5SDimitry Andric - fptosi/fptoui (out of bounds input) produce poison 3560b57cec5SDimitry Andric - Scalable vector types for insertelement/extractelement 3570b57cec5SDimitry Andric - Floating point binary ops w/fmf nnan/noinfs flags produce poison 3580b57cec5SDimitry Andric */ 359