| blob | fc97938ccd3e976986a987533e983d7f309c9d12 |
1 //===- ImplicitNullChecks.cpp - Fold null checks into memory accesses -----===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This pass turns explicit null checks of the form
10 //
11 // test %r10, %r10
12 // je throw_npe
13 // movl (%r10), %esi
14 // ...
15 //
16 // to
17 //
18 // faulting_load_op("movl (%r10), %esi", throw_npe)
19 // ...
20 //
21 // With the help of a runtime that understands the .fault_maps section,
22 // faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
23 // a page fault.
24 // Store and LoadStore are also supported.
25 //
26 //===----------------------------------------------------------------------===//
58 #include <cassert>
59 #include <cstdint>
60 #include <iterator>
82 /// Return true if \c computeDependence can process \p MI.
85 /// Helper function for \c computeDependence. Return true if \p A
86 /// and \p B do not have any dependences between them, and can be
87 /// re-ordered without changing program semantics.
90 /// A data type for representing the result computed by \c
91 /// computeDependence. States whether it is okay to reorder the
92 /// instruction passed to \c computeDependence with at most one
93 /// dependency.
95 /// Can we actually re-order \p MI with \p Insts (see \c
96 /// computeDependence).
99 /// If non-None, then an instruction in \p Insts that also must be
100 /// hoisted.
109 }
110 };
112 /// Compute a result for the following question: can \p MI be
113 /// re-ordered from after \p Insts to before it.
114 ///
115 /// \c canHandle should return true for all instructions in \p
116 /// Insts.
120 /// Represents one null check that can be made implicit.
122 // The memory operation the null check can be folded into.
125 // The instruction actually doing the null check (Ptr != 0).
128 // The block the check resides in.
131 // The block branched to if the pointer is non-null.
134 // The block branched to if the pointer is null.
137 // If this is non-null, then MemOperation has a dependency on this
138 // instruction; and it needs to be hoisted to execute before MemOperation.
162 };
176 AR_NoAlias,
177 AR_MayAlias,
178 AR_WillAliasEverything
179 };
181 /// Returns AR_NoAlias if \p MI memory operation does not alias with
182 /// \p PrevMI, AR_MayAlias if they may alias and AR_WillAliasEverything if
183 /// they may alias and any further memory operation may alias with \p PrevMI.
188 SR_Suitable,
189 SR_Unsuitable,
190 SR_Impossible
191 };
193 /// Return SR_Suitable if \p MI a memory operation that can be used to
194 /// implicitly null check the value in \p PointerReg, SR_Unsuitable if
195 /// \p MI cannot be used to null check and SR_Impossible if there is
196 /// no sense to continue lookup due to any other instruction will not be able
197 /// to be used. \p PrevInsts is the set of instruction seen since
198 /// the explicit null check on \p PointerReg.
203 /// Returns true if \p DependenceMI can clobber the liveIns in NullSucc block
204 /// if it was hoisted to the NullCheck block. This is used by caller
205 /// canHoistInst to decide if DependenceMI can be hoisted safely.
209 /// Return true if \p FaultingMI can be hoisted from after the
210 /// instructions in \p InstsSeenSoFar to before them. Set \p Dependence to a
211 /// non-null value if we also need to (and legally can) hoist a dependency.
221 }
228 }
233 }
234 };
250 }
265 // Found one possible dependency, keep track of it.
268 // We found two dependencies, so bail out.
270 }
271 }
274 }
280 // canHandle makes sure that we _can_ correctly analyze the dependencies
281 // between A and B here -- for instance, we should not be dealing with heap
282 // load-store dependencies here.
297 }
298 }
301 }
318 }
320 // Return true if any register aliasing \p Reg is live-in into \p MBB.
328 }
333 // If it is not memory access, skip the check.
336 // Load-Load may alias
339 // We lost info, conservatively alias. If it was store then no sense to
340 // continue because we won't be able to check against it further.
347 // MMO1 should have a value due it comes from operation we'd like to use
348 // as implicit null check.
355 }
360 }
361 }
363 }
369 // Implementation restriction for faulting_op insertion
370 // TODO: This could be relaxed if we find a test case which warrants it.
383 // We need the base of the memory instruction to be same as the register
384 // where the null check is performed (i.e. PointerReg).
389 // Bail out of the sizes of BaseReg, ScaledReg and PointerReg are not the
390 // same.
397 // Returns true if RegUsedInAddr is used for calculating the displacement
398 // depending on addressing mode. Also calculates the Displacement.
401 // The register can be NoRegister, which is defined as zero for all targets.
402 // Consider instruction of interest as `movq 8(,%rdi,8), %rax`. Here the
403 // ScaledReg is %rdi, while there is no BaseReg.
414 }
415 }
418 // Check for the const value defined in register by ModifyingMI. This means
419 // all other previous values for that register has been invalidated.
423 // Calculate the reg size in bits, since this is needed for bailing out in
424 // case of overflow.
431 // Sign of the product depends on the sign of the ImmVal, since Multiplier
432 // is always positive.
441 // We only handle diplacements upto 64 bits wide.
446 };
448 // If a register used in the address is constant, fold it's effect into the
449 // displacement for ease of analysis.
456 // The register which is not null checked should be part of the Displacement
457 // calculation, otherwise we do not know whether the Displacement is made up
458 // by some symbolic values.
459 // This matters because we do not want to incorrectly assume that load from
460 // falls in the zeroth faulting page in the "sane offset check" below.
465 // We want the mem access to be issued at a sane offset from PointerReg,
466 // so that if PointerReg is null then the access reliably page faults.
470 // Finally, check whether the current memory access aliases with previous one.
477 }
479 }
487 // Make sure that we won't clobber any live ins to the sibling block by
488 // hoisting Dependency. For instance, we can't hoist INST to before the
489 // null check (even if it safe, and does not violate any dependencies in
490 // the non_null_block) if %rdx is live in to _null_block.
491 //
492 // test %rcx, %rcx
493 // je _null_block
494 // _non_null_block:
495 // %rdx = INST
496 // ...
497 //
498 // This restriction does not apply to the faulting load inst because in
499 // case the pointer loaded from is in the null page, the load will not
500 // semantically execute, and affect machine state. That is, if the load
501 // was loading into %rax and it faults, the value of %rax should stay the
502 // same as it would have been had the load not have executed and we'd have
503 // branched to NullSucc directly.
507 }
509 // The dependence does not clobber live-ins in NullSucc block.
511 }
524 }
529 // We don't want to reason about speculating loads. Note -- at this point
530 // we should have already filtered out all of the other non-speculatable
531 // things, like calls and stores.
532 // We also do not want to hoist stores because it might change the memory
533 // while the FaultingMI may result in faulting.
549 }
551 /// Analyze MBB to check if its terminating branch can be turned into an
552 /// implicit null check. If yes, append a description of the said null check to
553 /// NullCheckList and return true, else return false.
565 MachineBranchPredicate MBP;
570 // Is the predicate comparing an integer to zero?
576 // If there is a separate condition generation instruction, we chose not to
577 // transform unless we can remove both condition and consuming branch.
589 }
591 // We handle the simplest case for now. We can potentially do better by using
592 // the machine dominator tree.
599 // To prevent the invalid transformation of the following code:
600 //
601 // mov %rax, %rcx
602 // test %rax, %rax
603 // %rax = ...
604 // je throw_npe
605 // mov(%rcx), %r9
606 // mov(%rax), %r10
607 //
608 // into:
609 //
610 // mov %rax, %rcx
611 // %rax = ....
612 // faulting_load_op("movl (%rax), %r10", throw_npe)
613 // mov(%rcx), %r9
614 //
615 // we must ensure that there are no instructions between the 'test' and
616 // conditional jump that modify %rax.
623 }
624 // Starting with a code fragment like:
625 //
626 // test %rax, %rax
627 // jne LblNotNull
628 //
629 // LblNull:
630 // callq throw_NullPointerException
631 //
632 // LblNotNull:
633 // Inst0
634 // Inst1
635 // ...
636 // Def = Load (%rax + <offset>)
637 // ...
638 //
639 //
640 // we want to end up with
641 //
642 // Def = FaultingLoad (%rax + <offset>), LblNull
643 // jmp LblNotNull ;; explicit or fallthrough
644 //
645 // LblNotNull:
646 // Inst0
647 // Inst1
648 // ...
649 //
650 // LblNull:
651 // callq throw_NullPointerException
652 //
653 //
654 // To see why this is legal, consider the two possibilities:
655 //
656 // 1. %rax is null: since we constrain <offset> to be less than PageSize, the
657 // load instruction dereferences the null page, causing a segmentation
658 // fault.
659 //
660 // 2. %rax is not null: in this case we know that the load cannot fault, as
661 // otherwise the load would've faulted in the original program too and the
662 // original program would've been undefined.
663 //
664 // This reasoning cannot be extended to justify hoisting through arbitrary
665 // control flow. For instance, in the example below (in pseudo-C)
666 //
667 // if (ptr == null) { throw_npe(); unreachable; }
668 // if (some_cond) { return 42; }
669 // v = ptr->field; // LD
670 // ...
671 //
672 // we cannot (without code duplication) use the load marked "LD" to null check
673 // ptr -- clause (2) above does not apply in this case. In the above program
674 // the safety of ptr->field can be dependent on some_cond; and, for instance,
675 // ptr could be some non-null invalid reference that never gets loaded from
676 // because some_cond is always true.
693 }
695 // If MI re-defines the PointerReg in a way that changes the value of
696 // PointerReg if it was null, then we cannot move further.
700 }
703 }
705 /// Wrap a machine instruction, MI, into a FAULTING machine instruction.
706 /// The FAULTING instruction does the same load/store as MI
707 /// (defining the same register), and branches to HandlerMBB if the mem access
708 /// faults. The FAULTING instruction is inserted at the end of MBB.
712 // all targets.
714 DebugLoc DL;
722 }
726 FK =
728 else
744 }
748 }
749 }
754 }
756 /// Rewrite the null checks in NullCheckList into implicit null checks.
759 DebugLoc DL;
762 // Remove the conditional branch dependent on the null check.
770 }
772 // Insert a faulting instruction where the conditional branch was
773 // originally. We check earlier ensures that this bit of code motion
774 // is legal. We do not touch the successors list for any basic block
775 // since we haven't changed control flow, we've just made it implicit.
778 // Now the values defined by MemOperation, if any, are live-in of
779 // the block of MemOperation.
780 // The original operation may define implicit-defs alongside
781 // the value.
790 }
798 }
799 }
805 // Insert an *unconditional* branch to not-null successor - we expect
806 // block placement to remove fallthroughs later.
810 NumImplicitNullChecks++;
811 }
812 }