search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[Alignment][NFC] Value::getPointerAlignment returns MaybeAlign
[llvm-core.git] / lib / Analysis / CaptureTracking.cpp
blob20e2f06540a385cb6e88abd0ac804b07093e1ee7
1 //===--- CaptureTracking.cpp - Determine whether a pointer is captured ----===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file contains routines that help determine which pointers are captured.
10 // A pointer value is captured if the function makes a copy of any part of the
11 // pointer that outlives the call. Not being captured means, more or less, that
12 // the pointer is only dereferenced and not stored in a global. Returning part
13 // of the pointer as the function return value may or may not count as capturing
14 // the pointer, depending on the context.
15 //
16 //===----------------------------------------------------------------------===//
17
18 #include "llvm/Analysis/CaptureTracking.h"
19 #include "llvm/ADT/SmallSet.h"
20 #include "llvm/ADT/SmallVector.h"
21 #include "llvm/Analysis/AliasAnalysis.h"
22 #include "llvm/Analysis/CFG.h"
23 #include "llvm/Analysis/OrderedBasicBlock.h"
24 #include "llvm/Analysis/ValueTracking.h"
25 #include "llvm/IR/Constants.h"
26 #include "llvm/IR/Dominators.h"
27 #include "llvm/IR/Instructions.h"
28 #include "llvm/IR/IntrinsicInst.h"
29
30 using namespace llvm;
31
32 CaptureTracker::~CaptureTracker() {}
33
34 bool CaptureTracker::shouldExplore(const Use *U) { return true; }
35
36 bool CaptureTracker::isDereferenceableOrNull(Value *O, const DataLayout &DL) {
37 // An inbounds GEP can either be a valid pointer (pointing into
38 // or to the end of an allocation), or be null in the default
39 // address space. So for an inbounds GEP there is no way to let
40 // the pointer escape using clever GEP hacking because doing so
41 // would make the pointer point outside of the allocated object
42 // and thus make the GEP result a poison value. Similarly, other
43 // dereferenceable pointers cannot be manipulated without producing
44 // poison.
45 if (auto *GEP = dyn_cast<GetElementPtrInst>(O))
46 if (GEP->isInBounds())
47 return true;
48 bool CanBeNull;
49 return O->getPointerDereferenceableBytes(DL, CanBeNull);
50 }
51
52 namespace {
53 struct SimpleCaptureTracker : public CaptureTracker {
54 explicit SimpleCaptureTracker(bool ReturnCaptures)
55 : ReturnCaptures(ReturnCaptures), Captured(false) {}
56
57 void tooManyUses() override { Captured = true; }
58
59 bool captured(const Use *U) override {
60 if (isa<ReturnInst>(U->getUser()) && !ReturnCaptures)
61 return false;
62
63 Captured = true;
64 return true;
65 }
66
67 bool ReturnCaptures;
68
69 bool Captured;
70 };
71
72 /// Only find pointer captures which happen before the given instruction. Uses
73 /// the dominator tree to determine whether one instruction is before another.
74 /// Only support the case where the Value is defined in the same basic block
75 /// as the given instruction and the use.
76 struct CapturesBefore : public CaptureTracker {
77
78 CapturesBefore(bool ReturnCaptures, const Instruction *I, const DominatorTree *DT,
79 bool IncludeI, OrderedBasicBlock *IC)
80 : OrderedBB(IC), BeforeHere(I), DT(DT),
81 ReturnCaptures(ReturnCaptures), IncludeI(IncludeI), Captured(false) {}
82
83 void tooManyUses() override { Captured = true; }
84
85 bool isSafeToPrune(Instruction *I) {
86 BasicBlock *BB = I->getParent();
87 // We explore this usage only if the usage can reach "BeforeHere".
88 // If use is not reachable from entry, there is no need to explore.
89 if (BeforeHere != I && !DT->isReachableFromEntry(BB))
90 return true;
91
92 // Compute the case where both instructions are inside the same basic
93 // block. Since instructions in the same BB as BeforeHere are numbered in
94 // 'OrderedBB', avoid using 'dominates' and 'isPotentiallyReachable'
95 // which are very expensive for large basic blocks.
96 if (BB == BeforeHere->getParent()) {
97 // 'I' dominates 'BeforeHere' => not safe to prune.
98 //
99 // The value defined by an invoke dominates an instruction only
100 // if it dominates every instruction in UseBB. A PHI is dominated only
101 // if the instruction dominates every possible use in the UseBB. Since
102 // UseBB == BB, avoid pruning.
103 if (isa<InvokeInst>(BeforeHere) || isa<PHINode>(I) || I == BeforeHere)
104 return false;
105 if (!OrderedBB->dominates(BeforeHere, I))
106 return false;
107
108 // 'BeforeHere' comes before 'I', it's safe to prune if we also
109 // guarantee that 'I' never reaches 'BeforeHere' through a back-edge or
110 // by its successors, i.e, prune if:
111 //
112 // (1) BB is an entry block or have no successors.
113 // (2) There's no path coming back through BB successors.
114 if (BB == &BB->getParent()->getEntryBlock() ||
115 !BB->getTerminator()->getNumSuccessors())
116 return true;
117
118 SmallVector<BasicBlock*, 32> Worklist;
119 Worklist.append(succ_begin(BB), succ_end(BB));
120 return !isPotentiallyReachableFromMany(Worklist, BB, nullptr, DT);
121 }
122
123 // If the value is defined in the same basic block as use and BeforeHere,
124 // there is no need to explore the use if BeforeHere dominates use.
125 // Check whether there is a path from I to BeforeHere.
126 if (BeforeHere != I && DT->dominates(BeforeHere, I) &&
127 !isPotentiallyReachable(I, BeforeHere, nullptr, DT))
128 return true;
129
130 return false;
131 }
132
133 bool shouldExplore(const Use *U) override {
134 Instruction *I = cast<Instruction>(U->getUser());
135
136 if (BeforeHere == I && !IncludeI)
137 return false;
138
139 if (isSafeToPrune(I))
140 return false;
141
142 return true;
143 }
144
145 bool captured(const Use *U) override {
146 if (isa<ReturnInst>(U->getUser()) && !ReturnCaptures)
147 return false;
148
149 if (!shouldExplore(U))
150 return false;
151
152 Captured = true;
153 return true;
154 }
155
156 OrderedBasicBlock *OrderedBB;
157 const Instruction *BeforeHere;
158 const DominatorTree *DT;
159
160 bool ReturnCaptures;
161 bool IncludeI;
162
163 bool Captured;
164 };
165 }
166
167 /// PointerMayBeCaptured - Return true if this pointer value may be captured
168 /// by the enclosing function (which is required to exist). This routine can
169 /// be expensive, so consider caching the results. The boolean ReturnCaptures
170 /// specifies whether returning the value (or part of it) from the function
171 /// counts as capturing it or not. The boolean StoreCaptures specified whether
172 /// storing the value (or part of it) into memory anywhere automatically
173 /// counts as capturing it or not.
174 bool llvm::PointerMayBeCaptured(const Value *V,
175 bool ReturnCaptures, bool StoreCaptures,
176 unsigned MaxUsesToExplore) {
177 assert(!isa<GlobalValue>(V) &&
178 "It doesn't make sense to ask whether a global is captured.");
179
180 // TODO: If StoreCaptures is not true, we could do Fancy analysis
181 // to determine whether this store is not actually an escape point.
182 // In that case, BasicAliasAnalysis should be updated as well to
183 // take advantage of this.
184 (void)StoreCaptures;
185
186 SimpleCaptureTracker SCT(ReturnCaptures);
187 PointerMayBeCaptured(V, &SCT, MaxUsesToExplore);
188 return SCT.Captured;
189 }
190
191 /// PointerMayBeCapturedBefore - Return true if this pointer value may be
192 /// captured by the enclosing function (which is required to exist). If a
193 /// DominatorTree is provided, only captures which happen before the given
194 /// instruction are considered. This routine can be expensive, so consider
195 /// caching the results. The boolean ReturnCaptures specifies whether
196 /// returning the value (or part of it) from the function counts as capturing
197 /// it or not. The boolean StoreCaptures specified whether storing the value
198 /// (or part of it) into memory anywhere automatically counts as capturing it
199 /// or not. A ordered basic block \p OBB can be used in order to speed up
200 /// queries about relative order among instructions in the same basic block.
201 bool llvm::PointerMayBeCapturedBefore(const Value *V, bool ReturnCaptures,
202 bool StoreCaptures, const Instruction *I,
203 const DominatorTree *DT, bool IncludeI,
204 OrderedBasicBlock *OBB,
205 unsigned MaxUsesToExplore) {
206 assert(!isa<GlobalValue>(V) &&
207 "It doesn't make sense to ask whether a global is captured.");
208 bool UseNewOBB = OBB == nullptr;
209
210 if (!DT)
211 return PointerMayBeCaptured(V, ReturnCaptures, StoreCaptures,
212 MaxUsesToExplore);
213 if (UseNewOBB)
214 OBB = new OrderedBasicBlock(I->getParent());
215
216 // TODO: See comment in PointerMayBeCaptured regarding what could be done
217 // with StoreCaptures.
218
219 CapturesBefore CB(ReturnCaptures, I, DT, IncludeI, OBB);
220 PointerMayBeCaptured(V, &CB, MaxUsesToExplore);
221
222 if (UseNewOBB)
223 delete OBB;
224 return CB.Captured;
225 }
226
227 void llvm::PointerMayBeCaptured(const Value *V, CaptureTracker *Tracker,
228 unsigned MaxUsesToExplore) {
229 assert(V->getType()->isPointerTy() && "Capture is for pointers only!");
230 SmallVector<const Use *, DefaultMaxUsesToExplore> Worklist;
231 SmallSet<const Use *, DefaultMaxUsesToExplore> Visited;
232
233 auto AddUses = [&](const Value *V) {
234 unsigned Count = 0;
235 for (const Use &U : V->uses()) {
236 // If there are lots of uses, conservatively say that the value
237 // is captured to avoid taking too much compile time.
238 if (Count++ >= MaxUsesToExplore)
239 return Tracker->tooManyUses();
240 if (!Visited.insert(&U).second)
241 continue;
242 if (!Tracker->shouldExplore(&U))
243 continue;
244 Worklist.push_back(&U);
245 }
246 };
247 AddUses(V);
248
249 while (!Worklist.empty()) {
250 const Use *U = Worklist.pop_back_val();
251 Instruction *I = cast<Instruction>(U->getUser());
252 V = U->get();
253
254 switch (I->getOpcode()) {
255 case Instruction::Call:
256 case Instruction::Invoke: {
257 auto *Call = cast<CallBase>(I);
258 // Not captured if the callee is readonly, doesn't return a copy through
259 // its return value and doesn't unwind (a readonly function can leak bits
260 // by throwing an exception or not depending on the input value).
261 if (Call->onlyReadsMemory() && Call->doesNotThrow() &&
262 Call->getType()->isVoidTy())
263 break;
264
265 // The pointer is not captured if returned pointer is not captured.
266 // NOTE: CaptureTracking users should not assume that only functions
267 // marked with nocapture do not capture. This means that places like
268 // GetUnderlyingObject in ValueTracking or DecomposeGEPExpression
269 // in BasicAA also need to know about this property.
270 if (isIntrinsicReturningPointerAliasingArgumentWithoutCapturing(Call,
271 true)) {
272 AddUses(Call);
273 break;
274 }
275
276 // Volatile operations effectively capture the memory location that they
277 // load and store to.
278 if (auto *MI = dyn_cast<MemIntrinsic>(Call))
279 if (MI->isVolatile())
280 if (Tracker->captured(U))
281 return;
282
283 // Not captured if only passed via 'nocapture' arguments. Note that
284 // calling a function pointer does not in itself cause the pointer to
285 // be captured. This is a subtle point considering that (for example)
286 // the callee might return its own address. It is analogous to saying
287 // that loading a value from a pointer does not cause the pointer to be
288 // captured, even though the loaded value might be the pointer itself
289 // (think of self-referential objects).
290 for (auto IdxOpPair : enumerate(Call->data_ops())) {
291 int Idx = IdxOpPair.index();
292 Value *A = IdxOpPair.value();
293 if (A == V && !Call->doesNotCapture(Idx))
294 // The parameter is not marked 'nocapture' - captured.
295 if (Tracker->captured(U))
296 return;
297 }
298 break;
299 }
300 case Instruction::Load:
301 // Volatile loads make the address observable.
302 if (cast<LoadInst>(I)->isVolatile())
303 if (Tracker->captured(U))
304 return;
305 break;
306 case Instruction::VAArg:
307 // "va-arg" from a pointer does not cause it to be captured.
308 break;
309 case Instruction::Store:
310 // Stored the pointer - conservatively assume it may be captured.
311 // Volatile stores make the address observable.
312 if (V == I->getOperand(0) || cast<StoreInst>(I)->isVolatile())
313 if (Tracker->captured(U))
314 return;
315 break;
316 case Instruction::AtomicRMW: {
317 // atomicrmw conceptually includes both a load and store from
318 // the same location.
319 // As with a store, the location being accessed is not captured,
320 // but the value being stored is.
321 // Volatile stores make the address observable.
322 auto *ARMWI = cast<AtomicRMWInst>(I);
323 if (ARMWI->getValOperand() == V || ARMWI->isVolatile())
324 if (Tracker->captured(U))
325 return;
326 break;
327 }
328 case Instruction::AtomicCmpXchg: {
329 // cmpxchg conceptually includes both a load and store from
330 // the same location.
331 // As with a store, the location being accessed is not captured,
332 // but the value being stored is.
333 // Volatile stores make the address observable.
334 auto *ACXI = cast<AtomicCmpXchgInst>(I);
335 if (ACXI->getCompareOperand() == V || ACXI->getNewValOperand() == V ||
336 ACXI->isVolatile())
337 if (Tracker->captured(U))
338 return;
339 break;
340 }
341 case Instruction::BitCast:
342 case Instruction::GetElementPtr:
343 case Instruction::PHI:
344 case Instruction::Select:
345 case Instruction::AddrSpaceCast:
346 // The original value is not captured via this if the new value isn't.
347 AddUses(I);
348 break;
349 case Instruction::ICmp: {
350 unsigned Idx = (I->getOperand(0) == V) ? 0 : 1;
351 unsigned OtherIdx = 1 - Idx;
352 if (auto *CPN = dyn_cast<ConstantPointerNull>(I->getOperand(OtherIdx))) {
353 // Don't count comparisons of a no-alias return value against null as
354 // captures. This allows us to ignore comparisons of malloc results
355 // with null, for example.
356 if (CPN->getType()->getAddressSpace() == 0)
357 if (isNoAliasCall(V->stripPointerCasts()))
358 break;
359 if (!I->getFunction()->nullPointerIsDefined()) {
360 auto *O = I->getOperand(Idx)->stripPointerCastsSameRepresentation();
361 // Comparing a dereferenceable_or_null pointer against null cannot
362 // lead to pointer escapes, because if it is not null it must be a
363 // valid (in-bounds) pointer.
364 if (Tracker->isDereferenceableOrNull(O, I->getModule()->getDataLayout()))
365 break;
366 }
367 }
368 // Comparison against value stored in global variable. Given the pointer
369 // does not escape, its value cannot be guessed and stored separately in a
370 // global variable.
371 auto *LI = dyn_cast<LoadInst>(I->getOperand(OtherIdx));
372 if (LI && isa<GlobalVariable>(LI->getPointerOperand()))
373 break;
374 // Otherwise, be conservative. There are crazy ways to capture pointers
375 // using comparisons.
376 if (Tracker->captured(U))
377 return;
378 break;
379 }
380 default:
381 // Something else - be conservative and say it is captured.
382 if (Tracker->captured(U))
383 return;
384 break;
385 }
386 }
387
388 // All uses examined.
389 }
The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.