//===- ImplicitNullChecks.cpp - Fold null checks into memory accesses -----===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This pass turns explicit null checks of the form
//
//   test %r10, %r10
//   je throw_npe
//   movl (%r10), %esi
//   ...
//
// to
//
//   faulting_load_op("movl (%r10), %esi", throw_npe)
//   ...
//
// With the help of a runtime that understands the .fault_maps section,
// faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
// a page fault.
// Store and LoadStore are also supported.
//
// Soundness caveat (review): the rewrite is only correct when the runtime
// (a) keeps the address window (-PageSize, PageSize) around address zero
// unmapped, so that a null base plus the bounded displacement admitted by
// isSuitableMemoryOp always traps, and (b) installs a fault handler that
// consults .fault_maps to resume at the handler block. The pass only ever
// transforms branches the front end tagged with !make.implicit metadata, so
// the decision that a given runtime satisfies (a) and (b) is taken upstream
// of this pass, not here.
//
//===----------------------------------------------------------------------===//

#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/None.h"
#include "llvm/ADT/Optional.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/AliasAnalysis.h"
#include "llvm/Analysis/MemoryLocation.h"
#include "llvm/CodeGen/FaultMaps.h"
#include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstr.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/CodeGen/MachineMemOperand.h"
#include "llvm/CodeGen/MachineOperand.h"
#include "llvm/CodeGen/MachineRegisterInfo.h"
#include "llvm/CodeGen/PseudoSourceValue.h"
#include "llvm/CodeGen/TargetInstrInfo.h"
#include "llvm/CodeGen/TargetOpcodes.h"
#include "llvm/CodeGen/TargetRegisterInfo.h"
#include "llvm/CodeGen/TargetSubtargetInfo.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/DebugLoc.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/InitializePasses.h"
#include "llvm/MC/MCInstrDesc.h"
#include "llvm/MC/MCRegisterInfo.h"
#include "llvm/Pass.h"
#include "llvm/Support/CommandLine.h"
#include <cassert>
#include <cstdint>
#include <iterator>

using namespace llvm;

// Size of the guard region around address zero that the target runtime is
// assumed to keep unmapped. isSuitableMemoryOp only accepts displacements
// strictly inside (-PageSize, PageSize); negative displacements wrap to the
// top of the address space, so the runtime must keep that page unmapped too.
// This is an operator-supplied value with no cross-check against the real
// page size: setting it larger than the actual guard region would let a
// null-based access land on mapped memory without trapping.
static cl::opt<int> PageSize("imp-null-check-page-size",
                             cl::desc("The page size of the target in bytes"),
                             cl::init(4096), cl::Hidden);

// Upper bound on how many instructions of the not-null successor are scanned
// (and potentially hoisted over) before giving up on a block.
static cl::opt<unsigned> MaxInstsToConsider(
    "imp-null-max-insts-to-consider",
    cl::desc("The max number of instructions to consider hoisting loads over "
             "(the algorithm is quadratic over this number)"),
    cl::Hidden, cl::init(8));

#define DEBUG_TYPE "implicit-null-checks"

STATISTIC(NumImplicitNullChecks,
          "Number of explicit null checks made implicit");

namespace {

/// Machine function pass that folds explicit "compare pointer against zero and
/// branch" sequences into a FAULTING_OP pseudo wrapping the first suitable
/// memory access of the not-null successor. Runs post register allocation
/// (see getRequiredProperties) and therefore reasons about physical registers.
class ImplicitNullChecks : public MachineFunctionPass {
  /// Return true if \c computeDependence can process \p MI.
  static bool canHandle(const MachineInstr *MI);

  /// Helper function for \c computeDependence. Return true if \p A
  /// and \p B do not have any dependences between them, and can be
  /// re-ordered without changing program semantics.
  bool canReorder(const MachineInstr *A, const MachineInstr *B);

  /// A data type for representing the result computed by \c
  /// computeDependence. States whether it is okay to reorder the
  /// instruction passed to \c computeDependence with at most one
  /// dependency.
  struct DependenceResult {
    /// Can we actually re-order \p MI with \p Insts (see \c
    /// computeDependence).
    bool CanReorder;

    /// If non-None, then an instruction in \p Insts that also must be
    /// hoisted.
    Optional<ArrayRef<MachineInstr *>::iterator> PotentialDependence;

    /// Invariant enforced here: a dependency may only be reported when
    /// reordering is possible at all.
    /*implicit*/ DependenceResult(
        bool CanReorder,
        Optional<ArrayRef<MachineInstr *>::iterator> PotentialDependence)
        : CanReorder(CanReorder), PotentialDependence(PotentialDependence) {
      assert((!PotentialDependence || CanReorder) &&
             "!CanReorder && PotentialDependence.hasValue() not allowed!");
    }
  };

  /// Compute a result for the following question: can \p MI be
  /// re-ordered from after \p Insts to before it.
  ///
  /// \c canHandle should return true for all instructions in \p
  /// Insts.
  DependenceResult computeDependence(const MachineInstr *MI,
                                     ArrayRef<MachineInstr *> Block);

  /// Represents one null check that can be made implicit.
  class NullCheck {
    // The memory operation the null check can be folded into.
    MachineInstr *MemOperation;

    // The instruction actually doing the null check (Ptr != 0).
    MachineInstr *CheckOperation;

    // The block the check resides in.
    MachineBasicBlock *CheckBlock;

    // The block branched to if the pointer is non-null.
    MachineBasicBlock *NotNullSucc;

    // The block branched to if the pointer is null.
    MachineBasicBlock *NullSucc;

    // If this is non-null, then MemOperation has a dependency on this
    // instruction; and it needs to be hoisted to execute before MemOperation.
    MachineInstr *OnlyDependency;

  public:
    explicit NullCheck(MachineInstr *memOperation, MachineInstr *checkOperation,
                       MachineBasicBlock *checkBlock,
                       MachineBasicBlock *notNullSucc,
                       MachineBasicBlock *nullSucc,
                       MachineInstr *onlyDependency)
        : MemOperation(memOperation), CheckOperation(checkOperation),
          CheckBlock(checkBlock), NotNullSucc(notNullSucc), NullSucc(nullSucc),
          OnlyDependency(onlyDependency) {}

    MachineInstr *getMemOperation() const { return MemOperation; }

    MachineInstr *getCheckOperation() const { return CheckOperation; }

    MachineBasicBlock *getCheckBlock() const { return CheckBlock; }

    MachineBasicBlock *getNotNullSucc() const { return NotNullSucc; }

    MachineBasicBlock *getNullSucc() const { return NullSucc; }

    MachineInstr *getOnlyDependency() const { return OnlyDependency; }
  };

  // Per-function state, (re)initialised in runOnMachineFunction.
  const TargetInstrInfo *TII = nullptr;
  const TargetRegisterInfo *TRI = nullptr;
  AliasAnalysis *AA = nullptr;
  MachineFrameInfo *MFI = nullptr;

  bool analyzeBlockForNullChecks(MachineBasicBlock &MBB,
                                 SmallVectorImpl<NullCheck> &NullCheckList);
  MachineInstr *insertFaultingInstr(MachineInstr *MI, MachineBasicBlock *MBB,
                                    MachineBasicBlock *HandlerMBB);
  void rewriteNullChecks(ArrayRef<NullCheck> NullCheckList);

  enum AliasResult {
    AR_NoAlias,
    AR_MayAlias,
    AR_WillAliasEverything
  };

  /// Returns AR_NoAlias if \p MI memory operation does not alias with
  /// \p PrevMI, AR_MayAlias if they may alias and AR_WillAliasEverything if
  /// they may alias and any further memory operation may alias with \p PrevMI.
  AliasResult areMemoryOpsAliased(const MachineInstr &MI,
                                  const MachineInstr *PrevMI) const;

  enum SuitabilityResult {
    SR_Suitable,
    SR_Unsuitable,
    SR_Impossible
  };

  /// Return SR_Suitable if \p MI a memory operation that can be used to
  /// implicitly null check the value in \p PointerReg, SR_Unsuitable if
  /// \p MI cannot be used to null check and SR_Impossible if there is
  /// no sense to continue lookup due to any other instruction will not be able
  /// to be used. \p PrevInsts is the set of instruction seen since
  /// the explicit null check on \p PointerReg.
  SuitabilityResult isSuitableMemoryOp(const MachineInstr &MI,
                                       unsigned PointerReg,
                                       ArrayRef<MachineInstr *> PrevInsts);

  /// Returns true if \p DependenceMI can clobber the liveIns in NullSucc block
  /// if it was hoisted to the NullCheck block. This is used by caller
  /// canHoistInst to decide if DependenceMI can be hoisted safely.
  bool canDependenceHoistingClobberLiveIns(MachineInstr *DependenceMI,
                                           MachineBasicBlock *NullSucc);

  /// Return true if \p FaultingMI can be hoisted from after the
  /// instructions in \p InstsSeenSoFar to before them. Set \p Dependence to a
  /// non-null value if we also need to (and legally can) hoist a dependency.
  bool canHoistInst(MachineInstr *FaultingMI,
                    ArrayRef<MachineInstr *> InstsSeenSoFar,
                    MachineBasicBlock *NullSucc, MachineInstr *&Dependence);

public:
  static char ID;

  ImplicitNullChecks() : MachineFunctionPass(ID) {
    initializeImplicitNullChecksPass(*PassRegistry::getPassRegistry());
  }

  bool runOnMachineFunction(MachineFunction &MF) override;

  /// Alias analysis is needed to prove that the candidate access does not
  /// alias the memory operations it is hoisted over.
  void getAnalysisUsage(AnalysisUsage &AU) const override {
    AU.addRequired<AAResultsWrapperPass>();
    MachineFunctionPass::getAnalysisUsage(AU);
  }

  /// Requires register allocation to have happened: all register reasoning
  /// below (regsOverlap, live-ins, modifiesRegister) is on physical registers.
  MachineFunctionProperties getRequiredProperties() const override {
    return MachineFunctionProperties().set(
        MachineFunctionProperties::Property::NoVRegs);
  }
};

} // end anonymous namespace

// Filters to instructions whose dependencies can be described purely by
// register defs/uses (see canReorder): no calls (and hence no regmask
// operands), no FP exception raising, no unmodeled side effects, and only
// unordered (non-atomic/non-volatile) memory operands.
bool ImplicitNullChecks::canHandle(const MachineInstr *MI) {
  if (MI->isCall() || MI->mayRaiseFPException() ||
      MI->hasUnmodeledSideEffects())
    return false;
  auto IsRegMask = [](const MachineOperand &MO) { return MO.isRegMask(); };
  (void)IsRegMask;

  assert(!llvm::any_of(MI->operands(), IsRegMask) &&
         "Calls were filtered out above!");

  auto IsUnordered = [](MachineMemOperand *MMO) { return MMO->isUnordered(); };
  return llvm::all_of(MI->memoperands(), IsUnordered);
}

// Walks Block in order and records at most one instruction that cannot be
// reordered with MI; a second such instruction makes the move impossible.
ImplicitNullChecks::DependenceResult
ImplicitNullChecks::computeDependence(const MachineInstr *MI,
                                      ArrayRef<MachineInstr *> Block) {
  assert(llvm::all_of(Block, canHandle) && "Check this first!");
  assert(!is_contained(Block, MI) && "Block must be exclusive of MI!");

  Optional<ArrayRef<MachineInstr *>::iterator> Dep;

  for (auto I = Block.begin(), E = Block.end(); I != E; ++I) {
    if (canReorder(*I, MI))
      continue;

    if (Dep == None) {
      // Found one possible dependency, keep track of it.
      Dep = I;
    } else {
      // We found two dependencies, so bail out.
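// (computeDependence, continued)
      return {false, None};
    }
  }

  return {true, Dep};
}

// Register-only dependence test: A and B may be swapped unless some register
// of A overlaps some register of B and at least one of the two operands is a
// def (RAW, WAR or WAW hazard). Memory dependences are intentionally not
// considered here; canHandle restricts the inputs so that this is sufficient
// for the hoisting decisions made by canHoistInst.
bool ImplicitNullChecks::canReorder(const MachineInstr *A,
                                    const MachineInstr *B) {
  assert(canHandle(A) && canHandle(B) && "Precondition!");

  // canHandle makes sure that we _can_ correctly analyze the dependencies
  // between A and B here -- for instance, we should not be dealing with heap
  // load-store dependencies here.

  for (const auto &MOA : A->operands()) {
    if (!(MOA.isReg() && MOA.getReg()))
      continue;

    Register RegA = MOA.getReg();
    for (const auto &MOB : B->operands()) {
      if (!(MOB.isReg() && MOB.getReg()))
        continue;

      Register RegB = MOB.getReg();

      if (TRI->regsOverlap(RegA, RegB) && (MOA.isDef() || MOB.isDef()))
        return false;
    }
  }

  return true;
}

// Pass entry point: collect every foldable null check in MF, then rewrite
// them in a second phase so that analysis never observes partially rewritten
// blocks. Returns true iff the function was modified.
bool ImplicitNullChecks::runOnMachineFunction(MachineFunction &MF) {
  TII = MF.getSubtarget().getInstrInfo();
  TRI = MF.getRegInfo().getTargetRegisterInfo();
  MFI = &MF.getFrameInfo();
  AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();

  SmallVector<NullCheck, 16> NullCheckList;

  for (auto &MBB : MF)
    analyzeBlockForNullChecks(MBB, NullCheckList);

  if (!NullCheckList.empty())
    rewriteNullChecks(NullCheckList);

  return !NullCheckList.empty();
}

// Return true if any register aliasing \p Reg is live-in into \p MBB.
// Reg itself is included in the alias set.
static bool AnyAliasLiveIn(const TargetRegisterInfo *TRI,
                           MachineBasicBlock *MBB, unsigned Reg) {
  for (MCRegAliasIterator AR(Reg, TRI, /*IncludeSelf*/ true); AR.isValid();
       ++AR)
    if (MBB->isLiveIn(*AR))
      return true;
  return false;
}

// Decide whether the candidate access MI may alias an earlier instruction
// PrevMI that it would be hoisted over. Every "don't know" outcome is mapped
// to AR_MayAlias (or AR_WillAliasEverything when PrevMI is a store whose
// target cannot be described, so no later candidate can be proven safe
// either); the pass must never answer AR_NoAlias on missing information,
// because that would reorder a load/store pair and change program semantics.
ImplicitNullChecks::AliasResult
ImplicitNullChecks::areMemoryOpsAliased(const MachineInstr &MI,
                                        const MachineInstr *PrevMI) const {
  // If it is not memory access, skip the check.
  if (!(PrevMI->mayStore() || PrevMI->mayLoad()))
    return AR_NoAlias;
  // Load-Load may alias
  if (!(MI.mayStore() || PrevMI->mayStore()))
    return AR_NoAlias;
  // We lost info, conservatively alias. If it was store then no sense to
  // continue because we won't be able to check against it further.
  if (MI.memoperands_empty())
    return MI.mayStore() ? AR_WillAliasEverything : AR_MayAlias;
  if (PrevMI->memoperands_empty())
    return PrevMI->mayStore() ? AR_WillAliasEverything : AR_MayAlias;

  for (MachineMemOperand *MMO1 : MI.memoperands()) {
    // MMO1 is expected to carry an IR Value, since it comes from the access
    // we'd like to use as the implicit null check. If it does not, AA cannot
    // be queried; fall back to the same conservative answer as for a missing
    // memoperand instead of handing AA a null pointer.
    if (!MMO1->getValue())
      return MI.mayStore() ? AR_WillAliasEverything : AR_MayAlias;
    for (MachineMemOperand *MMO2 : PrevMI->memoperands()) {
      if (const PseudoSourceValue *PSV = MMO2->getPseudoValue()) {
        if (PSV->mayAlias(MFI))
          return AR_MayAlias;
        continue;
      }
      // A memoperand with neither a PseudoSourceValue nor an IR Value
      // describes unknown memory. Treat it like a missing memoperand: it may
      // alias, and an unknown store blocks every later candidate as well.
      if (!MMO2->getValue())
        return PrevMI->mayStore() ? AR_WillAliasEverything : AR_MayAlias;
      llvm::AliasResult AAResult =
          AA->alias(MemoryLocation(MMO1->getValue(), LocationSize::unknown(),
                                   MMO1->getAAInfo()),
                    MemoryLocation(MMO2->getValue(), LocationSize::unknown(),
                                   MMO2->getAAInfo()));
      if (AAResult != NoAlias)
        return AR_MayAlias;
    }
  }
  return AR_NoAlias;
}

// Classify MI as a candidate for carrying the null check on PointerReg.
// PrevInsts are the instructions of the not-null block already scanned (all
// accepted by canHandle and known to preserve a zero PointerReg).
ImplicitNullChecks::SuitabilityResult
ImplicitNullChecks::isSuitableMemoryOp(const MachineInstr &MI,
                                       unsigned PointerReg,
                                       ArrayRef<MachineInstr *> PrevInsts) {
  // Implementation restriction for faulting_op insertion
  // TODO: This could be relaxed if we find a test case which warrants it.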
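// (isSuitableMemoryOp, continued)
  if (MI.getDesc().getNumDefs() > 1)
    return SR_Unsuitable;

  // Predicated accesses may not execute at all, so they cannot stand in for
  // the explicit check.
  if (!MI.mayLoadOrStore() || MI.isPredicable())
    return SR_Unsuitable;
  auto AM = TII->getAddrModeFromMemoryOp(MI, TRI);
  if (!AM)
    return SR_Unsuitable;
  auto AddrMode = *AM;
  const Register BaseReg = AddrMode.BaseReg, ScaledReg = AddrMode.ScaledReg;
  int64_t Displacement = AddrMode.Displacement;

  // We need the base of the memory instruction to be same as the register
  // where the null check is performed (i.e. PointerReg).
  if (BaseReg != PointerReg && ScaledReg != PointerReg)
    return SR_Unsuitable;
  const MachineRegisterInfo &MRI = MI.getMF()->getRegInfo();
  unsigned PointerRegSizeInBits = TRI->getRegSizeInBits(PointerReg, MRI);
  // Bail out if the sizes of BaseReg, ScaledReg and PointerReg are not the
  // same: a sub-register view of the pointer could be zero while the full
  // register is not.
  if ((BaseReg &&
       TRI->getRegSizeInBits(BaseReg, MRI) != PointerRegSizeInBits) ||
      (ScaledReg &&
       TRI->getRegSizeInBits(ScaledReg, MRI) != PointerRegSizeInBits))
    return SR_Unsuitable;

  // Returns true if RegUsedInAddr is used for calculating the displacement
  // depending on addressing mode. Also calculates the Displacement.
  // Only succeeds when the nearest preceding writer of RegUsedInAddr in this
  // block materialises an immediate; every intervening instruction is then
  // known not to touch the register.
  auto CalculateDisplacementFromAddrMode = [&](Register RegUsedInAddr,
                                               int64_t Multiplier) {
    // The register can be NoRegister, which is defined as zero for all targets.
    // Consider instruction of interest as `movq 8(,%rdi,8), %rax`. Here the
    // ScaledReg is %rdi, while there is no BaseReg.
    if (!RegUsedInAddr)
      return false;
    assert(Multiplier && "expected to be non-zero!");
    MachineInstr *ModifyingMI = nullptr;
    for (auto It = std::next(MachineBasicBlock::const_reverse_iterator(&MI));
         It != MI.getParent()->rend(); ++It) {
      const MachineInstr *CurrMI = &*It;
      if (CurrMI->modifiesRegister(RegUsedInAddr, TRI)) {
        ModifyingMI = const_cast<MachineInstr *>(CurrMI);
        break;
      }
    }
    if (!ModifyingMI)
      return false;
    // Check for the const value defined in register by ModifyingMI. This means
    // all other previous values for that register has been invalidated.
    int64_t ImmVal;
    if (!TII->getConstValDefinedInReg(*ModifyingMI, RegUsedInAddr, ImmVal))
      return false;
    // Calculate the reg size in bits, since this is needed for bailing out in
    // case of overflow. The displacement itself is tracked at 64 bits, so an
    // address register wider than that is not something we can fold.
    unsigned RegSizeInBits = TRI->getRegSizeInBits(RegUsedInAddr, MRI);
    if (RegSizeInBits == 0 || RegSizeInBits > 64)
      return false;
    APInt ImmValC(RegSizeInBits, ImmVal, true /*IsSigned*/);
    APInt MultiplierC(RegSizeInBits, Multiplier);
    assert(MultiplierC.isStrictlyPositive() &&
           "expected to be a positive value!");
    bool IsOverflow;
    // Sign of the product depends on the sign of the ImmVal, since Multiplier
    // is always positive. The multiply is done at register width so that a
    // product the hardware would wrap is rejected rather than folded.
    APInt Product = ImmValC.smul_ov(MultiplierC, IsOverflow);
    if (IsOverflow)
      return false;
    // APInt addition requires operands of equal width; Product is
    // RegSizeInBits wide while the displacement is 64 bits (they differ for
    // a 32-bit address register), so sign-extend the product first. The
    // 64-bit sadd_ov is also what bounds the folded displacement.
    APInt DisplacementC(64, Displacement, true /*isSigned*/);
    DisplacementC =
        Product.sextOrSelf(64).sadd_ov(DisplacementC, IsOverflow);
    if (IsOverflow)
      return false;

    Displacement = DisplacementC.getSExtValue();
    return true;
  };

  // If a register used in the address is constant, fold its effect into the
  // displacement for ease of analysis.
  bool BaseRegIsConstVal = false, ScaledRegIsConstVal = false;
  if (CalculateDisplacementFromAddrMode(BaseReg, 1))
    BaseRegIsConstVal = true;
  if (CalculateDisplacementFromAddrMode(ScaledReg, AddrMode.Scale))
    ScaledRegIsConstVal = true;

  // The register which is not null checked should be part of the Displacement
  // calculation, otherwise we do not know whether the Displacement is made up
  // by some symbolic values.
  // This matters because we do not want to incorrectly assume that load from
  // falls in the zeroth faulting page in the "sane offset check" below.
  if ((BaseReg && BaseReg != PointerReg && !BaseRegIsConstVal) ||
      (ScaledReg && ScaledReg != PointerReg && !ScaledRegIsConstVal))
    return SR_Unsuitable;

  // We want the mem access to be issued at a sane offset from PointerReg,
  // so that if PointerReg is null then the access reliably page faults.
  // This is the load-bearing safety check of the whole transformation: it
  // holds only if the runtime really keeps (-PageSize, PageSize) unmapped
  // (negative displacements wrap to the top of the address space). PageSize
  // is a command-line option, not a value derived from the target.
  if (!(-PageSize < Displacement && Displacement < PageSize))
    return SR_Unsuitable;

  // Finally, check whether the current memory access aliases with previous one.
  for (auto *PrevMI : PrevInsts) {
    AliasResult AR = areMemoryOpsAliased(MI, PrevMI);
    if (AR == AR_WillAliasEverything)
      return SR_Impossible;
    if (AR == AR_MayAlias)
      return SR_Unsuitable;
  }
  return SR_Suitable;
}

// A hoisted dependence executes on the null path too (it moves ahead of the
// check), so it must not overwrite any register NullSucc expects to receive.
bool ImplicitNullChecks::canDependenceHoistingClobberLiveIns(
    MachineInstr *DependenceMI, MachineBasicBlock *NullSucc) {
  for (const auto &DependenceMO : DependenceMI->operands()) {
    if (!(DependenceMO.isReg() && DependenceMO.getReg()))
      continue;

    // Make sure that we won't clobber any live ins to the sibling block by
    // hoisting Dependency. For instance, we can't hoist INST to before the
    // null check (even if it safe, and does not violate any dependencies in
    // the non_null_block) if %rdx is live in to _null_block.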
// (canDependenceHoistingClobberLiveIns, continued)
    //
    //   test %rcx, %rcx
    //   je _null_block
    // _non_null_block:
    //   %rdx = INST
    //   ...
    //
    // This restriction does not apply to the faulting load inst because in
    // case the pointer loaded from is in the null page, the load will not
    // semantically execute, and affect machine state. That is, if the load
    // was loading into %rax and it faults, the value of %rax should stay the
    // same as it would have been had the load not have executed and we'd have
    // branched to NullSucc directly.
    //
    // Note that every register operand is checked, uses included, so this is
    // deliberately stricter than "defs only".
    if (AnyAliasLiveIn(TRI, NullSucc, DependenceMO.getReg()))
      return true;

  }

  // The dependence does not clobber live-ins in NullSucc block.
  return false;
}

// Decide whether FaultingMI may be moved from its position (after every
// instruction in InstsSeenSoFar) to the end of the check block. At most one
// register dependence is tolerated, and only if that dependence can itself be
// hoisted safely: it must be free of memory effects (it will now run
// unconditionally, before the null check), must not clobber NullSucc's
// live-ins, and must have no dependence of its own on the instructions
// preceding it. Dependence is only assigned when the function returns true.
bool ImplicitNullChecks::canHoistInst(MachineInstr *FaultingMI,
                                      ArrayRef<MachineInstr *> InstsSeenSoFar,
                                      MachineBasicBlock *NullSucc,
                                      MachineInstr *&Dependence) {
  auto DepResult = computeDependence(FaultingMI, InstsSeenSoFar);
  if (!DepResult.CanReorder)
    return false;

  if (!DepResult.PotentialDependence) {
    Dependence = nullptr;
    return true;
  }

  auto DependenceItr = *DepResult.PotentialDependence;
  auto *DependenceMI = *DependenceItr;

  // We don't want to reason about speculating loads. Note -- at this point
  // we should have already filtered out all of the other non-speculatable
  // things, like calls and stores.
  // We also do not want to hoist stores because it might change the memory
  // while the FaultingMI may result in faulting.
  assert(canHandle(DependenceMI) && "Should never have reached here!");
  if (DependenceMI->mayLoadOrStore())
    return false;

  if (canDependenceHoistingClobberLiveIns(DependenceMI, NullSucc))
    return false;

  // The dependence has to be hoisted over everything that precedes it in
  // the not-null block, with no further dependence of its own.
  auto DepDepResult =
      computeDependence(DependenceMI, {InstsSeenSoFar.begin(), DependenceItr});

  if (!DepDepResult.CanReorder || DepDepResult.PotentialDependence)
    return false;

  Dependence = DependenceMI;
  return true;
}

/// Analyze MBB to check if its terminating branch can be turned into an
/// implicit null check. If yes, append a description of the said null check to
/// NullCheckList and return true, else return false.
///
/// Only branches whose IR terminator carries !make.implicit metadata are
/// considered; that tag is the front end's statement that a faulting access is
/// an acceptable replacement for the explicit compare on this path.
bool ImplicitNullChecks::analyzeBlockForNullChecks(
    MachineBasicBlock &MBB, SmallVectorImpl<NullCheck> &NullCheckList) {
  using MachineBranchPredicate = TargetInstrInfo::MachineBranchPredicate;

  MDNode *BranchMD = nullptr;
  if (auto *BB = MBB.getBasicBlock())
    BranchMD = BB->getTerminator()->getMetadata(LLVMContext::MD_make_implicit);

  if (!BranchMD)
    return false;

  MachineBranchPredicate MBP;

  if (TII->analyzeBranchPredicate(MBB, MBP, true))
    return false;

  // Is the predicate comparing an integer to zero?
  if (!(MBP.LHS.isReg() && MBP.RHS.isImm() && MBP.RHS.getImm() == 0 &&
        (MBP.Predicate == MachineBranchPredicate::PRED_NE ||
         MBP.Predicate == MachineBranchPredicate::PRED_EQ)))
    return false;

  // If there is a separate condition generation instruction, we chose not to
  // transform unless we can remove both condition and consuming branch.
// (analyzeBlockForNullChecks, continued)
  if (MBP.ConditionDef && !MBP.SingleUseCondition)
    return false;

  MachineBasicBlock *NotNullSucc, *NullSucc;

  // Map the predicate sense onto the two successors.
  if (MBP.Predicate == MachineBranchPredicate::PRED_NE) {
    NotNullSucc = MBP.TrueDest;
    NullSucc = MBP.FalseDest;
  } else {
    NotNullSucc = MBP.FalseDest;
    NullSucc = MBP.TrueDest;
  }

  // We handle the simplest case for now. We can potentially do better by using
  // the machine dominator tree.
  // Requiring a single predecessor is what makes the legality argument below
  // hold: the not-null block is reachable only through this check.
  if (NotNullSucc->pred_size() != 1)
    return false;

  const Register PointerReg = MBP.LHS.getReg();

  if (MBP.ConditionDef) {
    // To prevent the invalid transformation of the following code:
    //
    //   mov %rax, %rcx
    //   test %rax, %rax
    //   %rax = ...
    //   je throw_npe
    //   mov(%rcx), %r9
    //   mov(%rax), %r10
    //
    // into:
    //
    //   mov %rax, %rcx
    //   %rax = ....
    //   faulting_load_op("movl (%rax), %r10", throw_npe)
    //   mov(%rcx), %r9
    //
    // we must ensure that there are no instructions between the 'test' and
    // conditional jump that modify %rax.
    assert(MBP.ConditionDef->getParent() == &MBB &&
           "Should be in basic block");

    for (auto I = MBB.rbegin(); MBP.ConditionDef != &*I; ++I)
      if (I->modifiesRegister(PointerReg, TRI))
        return false;
  }
  // Starting with a code fragment like:
  //
  //   test %rax, %rax
  //   jne LblNotNull
  //
  //  LblNull:
  //   callq throw_NullPointerException
  //
  //  LblNotNull:
  //   Inst0
  //   Inst1
  //   ...
  //   Def = Load (%rax + <offset>)
  //   ...
  //
  //
  // we want to end up with
  //
  //   Def = FaultingLoad (%rax + <offset>), LblNull
  //   jmp LblNotNull ;; explicit or fallthrough
  //
  //  LblNotNull:
  //   Inst0
  //   Inst1
  //   ...
  //
  //  LblNull:
  //   callq throw_NullPointerException
  //
  //
  // To see why this is legal, consider the two possibilities:
  //
  // 1. %rax is null: since we constrain <offset> to be less than PageSize, the
  //    load instruction dereferences the null page, causing a segmentation
  //    fault.
  //
  // 2. %rax is not null: in this case we know that the load cannot fault, as
  //    otherwise the load would've faulted in the original program too and the
  //    original program would've been undefined.
  //
  // This reasoning cannot be extended to justify hoisting through arbitrary
  // control flow. For instance, in the example below (in pseudo-C)
  //
  //    if (ptr == null) { throw_npe(); unreachable; }
  //    if (some_cond) { return 42; }
  //    v = ptr->field; // LD
  //    ...
  //
  // we cannot (without code duplication) use the load marked "LD" to null check
  // ptr -- clause (2) above does not apply in this case. In the above program
  // the safety of ptr->field can be dependent on some_cond; and, for instance,
  // ptr could be some non-null invalid reference that never gets loaded from
  // because some_cond is always true.
  //
  // Clause (1) additionally relies on the runtime keeping the page(s) around
  // address zero unmapped; see the PageSize option at the top of the file.

  SmallVector<MachineInstr *, 8> InstsSeenSoFar;

  // Scan the not-null block in order, looking for the first access that can
  // carry the check and can legally be hoisted over everything seen so far.
  for (auto &MI : *NotNullSucc) {
    if (!canHandle(&MI) || InstsSeenSoFar.size() >= MaxInstsToConsider)
      return false;

    MachineInstr *Dependence;
    SuitabilityResult SR = isSuitableMemoryOp(MI, PointerReg, InstsSeenSoFar);
    if (SR == SR_Impossible)
      return false;
    if (SR == SR_Suitable &&
        canHoistInst(&MI, InstsSeenSoFar, NullSucc, Dependence)) {
      NullCheckList.emplace_back(&MI, MBP.ConditionDef, &MBB, NotNullSucc,
                                 NullSucc, Dependence);
      return true;
    }

    // If MI re-defines the PointerReg in a way that changes the value of
    // PointerReg if it was null, then we cannot move further.
    if (!TII->preservesZeroValueInReg(&MI, PointerReg, TRI))
      return false;
    InstsSeenSoFar.push_back(&MI);
  }

  return false;
}

/// Wrap a machine instruction, MI, into a FAULTING machine instruction.
/// The FAULTING instruction does the same load/store as MI
/// (defining the same register), and branches to HandlerMBB if the mem access
/// faults. The FAULTING instruction is inserted at the end of MBB.
///
/// The original MI is left in place; the caller (rewriteNullChecks) erases it
/// once the block live-ins have been updated. The returned pseudo carries
/// MI's memoperands so later passes keep seeing the same memory description.
MachineInstr *ImplicitNullChecks::insertFaultingInstr(
    MachineInstr *MI, MachineBasicBlock *MBB, MachineBasicBlock *HandlerMBB) {
  const unsigned NoRegister = 0; // Guaranteed to be the NoRegister value for
                                 // all targets.

  DebugLoc DL;
  unsigned NumDefs = MI->getDesc().getNumDefs();
  assert(NumDefs <= 1 && "other cases unhandled!");

  // isSuitableMemoryOp only admits accesses with at most one explicit def,
  // and that def is operand 0.
  unsigned DefReg = NoRegister;
  if (NumDefs != 0) {
    DefReg = MI->getOperand(0).getReg();
    assert(NumDefs == 1 && "expected exactly one def!");
  }

  FaultMaps::FaultKind FK;
  if (MI->mayLoad())
    FK =
        MI->mayStore() ? FaultMaps::FaultingLoadStore : FaultMaps::FaultingLoad;
  else
    FK = FaultMaps::FaultingStore;

  // FAULTING_OP layout: [def], fault kind, handler block, wrapped opcode,
  // then the wrapped instruction's remaining operands.
  auto MIB = BuildMI(MBB, DL, TII->get(TargetOpcode::FAULTING_OP), DefReg)
                 .addImm(FK)
                 .addMBB(HandlerMBB)
                 .addImm(MI->getOpcode());

  // uses() starts after the explicit defs, so implicit defs also appear here
  // and are re-added as defs (the else branch). Kill/dead flags are dropped
  // because the operands now live in a different block and position.
  for (auto &MO : MI->uses()) {
    if (MO.isReg()) {
      MachineOperand NewMO = MO;
      if (MO.isUse()) {
        NewMO.setIsKill(false);
      } else {
        assert(MO.isDef() && "Expected def or use");
        NewMO.setIsDead(false);
      }
      MIB.add(NewMO);
    } else {
      MIB.add(MO);
    }
  }

  MIB.setMemRefs(MI->memoperands());

  return MIB;
}

/// Rewrite the null checks in NullCheckList into implicit null checks.
///
/// For each recorded check: drop the conditional branch, move the optional
/// dependence and then the faulting access into the check block, repair the
/// live-in sets of the successors, erase the originals, and terminate the
/// check block with an unconditional branch to the not-null successor. The
/// CFG edges are unchanged; the null edge is now taken by the fault handler.
void ImplicitNullChecks::rewriteNullChecks(
    ArrayRef<ImplicitNullChecks::NullCheck> NullCheckList) {
  DebugLoc DL;

  for (auto &NC : NullCheckList) {
    // Remove the conditional branch dependent on the null check.
    unsigned BranchesRemoved = TII->removeBranch(*NC.getCheckBlock());
    (void)BranchesRemoved;
    assert(BranchesRemoved > 0 && "expected at least one branch!");

    // The dependence (if any) must execute before the faulting access, so it
    // is appended first; canHoistInst has verified this is legal.
    if (auto *DepMI = NC.getOnlyDependency()) {
      DepMI->removeFromParent();
      NC.getCheckBlock()->insert(NC.getCheckBlock()->end(), DepMI);
    }

    // Insert a faulting instruction where the conditional branch was
    // originally. We check earlier ensures that this bit of code motion
    // is legal. We do not touch the successors list for any basic block
    // since we haven't changed control flow, we've just made it implicit.
    MachineInstr *FaultingInstr = insertFaultingInstr(
        NC.getMemOperation(), NC.getCheckBlock(), NC.getNullSucc());
    // Now the values defined by MemOperation, if any, are live-in of
    // the block of MemOperation.
    // The original operation may define implicit-defs alongside
    // the value.
    MachineBasicBlock *MBB = NC.getMemOperation()->getParent();
    for (const MachineOperand &MO : FaultingInstr->operands()) {
      if (!MO.isReg() || !MO.isDef())
        continue;
      Register Reg = MO.getReg();
      if (!Reg || MBB->isLiveIn(Reg))
        continue;
      MBB->addLiveIn(Reg);
    }

    // Likewise, registers the hoisted dependence defines are now produced in
    // the check block and consumed in the not-null successor.
    if (auto *DepMI = NC.getOnlyDependency()) {
      for (auto &MO : DepMI->operands()) {
        if (!MO.isReg() || !MO.getReg() || !MO.isDef() || MO.isDead())
          continue;
        if (!NC.getNotNullSucc()->isLiveIn(MO.getReg()))
          NC.getNotNullSucc()->addLiveIn(MO.getReg());
      }
    }

    NC.getMemOperation()->eraseFromParent();
    if (auto *CheckOp = NC.getCheckOperation())
      CheckOp->eraseFromParent();

    // Insert an *unconditional* branch to not-null successor - we expect
    // block placement to remove fallthroughs later.
    TII->insertBranch(*NC.getCheckBlock(), NC.getNotNullSucc(), nullptr,
                      /*Cond=*/None, DL);

    NumImplicitNullChecks++;
  }
}

char ImplicitNullChecks::ID = 0;

char &llvm::ImplicitNullChecksID = ImplicitNullChecks::ID;

INITIALIZE_PASS_BEGIN(ImplicitNullChecks, DEBUG_TYPE,
                      "Implicit null checks", false, false)
INITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass)
INITIALIZE_PASS_END(ImplicitNullChecks, DEBUG_TYPE,
                    "Implicit null checks", false, false)