| blob | 5ad003ed31802078e742457390671c1572562883 |
1 //===- ImplicitNullChecks.cpp - Fold null checks into memory accesses -----===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This pass turns explicit null checks of the form
10 //
11 // test %r10, %r10
12 // je throw_npe
13 // movl (%r10), %esi
14 // ...
15 //
16 // to
17 //
18 // faulting_load_op("movl (%r10), %esi", throw_npe)
19 // ...
20 //
21 // With the help of a runtime that understands the .fault_maps section,
22 // faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
23 // a page fault.
24 // Store and LoadStore are also supported.
25 //
26 //===----------------------------------------------------------------------===//
56 #include <cassert>
57 #include <cstdint>
58 #include <iterator>
80 /// Return true if \c computeDependence can process \p MI.
83 /// Helper function for \c computeDependence. Return true if \p A
84 /// and \p B do not have any dependences between them, and can be
85 /// re-ordered without changing program semantics.
88 /// A data type for representing the result computed by \c
89 /// computeDependence. States whether it is okay to reorder the
90 /// instruction passed to \c computeDependence with at most one
91 /// dependency.
93 /// Can we actually re-order \p MI with \p Insts (see \c
94 /// computeDependence).
97 /// If non-std::nullopt, then an instruction in \p Insts that also must be
98 /// hoisted.
107 }
108 };
110 /// Compute a result for the following question: can \p MI be
111 /// re-ordered from after \p Insts to before it.
112 ///
113 /// \c canHandle should return true for all instructions in \p
114 /// Insts.
118 /// Represents one null check that can be made implicit.
120 // The memory operation the null check can be folded into.
123 // The instruction actually doing the null check (Ptr != 0).
126 // The block the check resides in.
129 // The block branched to if the pointer is non-null.
132 // The block branched to if the pointer is null.
135 // If this is non-null, then MemOperation has a dependency on this
136 // instruction; and it needs to be hoisted to execute before MemOperation.
160 };
174 AR_NoAlias,
175 AR_MayAlias,
176 AR_WillAliasEverything
177 };
179 /// Returns AR_NoAlias if \p MI memory operation does not alias with
180 /// \p PrevMI, AR_MayAlias if they may alias and AR_WillAliasEverything if
181 /// they may alias and any further memory operation may alias with \p PrevMI.
186 SR_Suitable,
187 SR_Unsuitable,
188 SR_Impossible
189 };
191 /// Return SR_Suitable if \p MI a memory operation that can be used to
192 /// implicitly null check the value in \p PointerReg, SR_Unsuitable if
193 /// \p MI cannot be used to null check and SR_Impossible if there is
194 /// no sense to continue lookup due to any other instruction will not be able
195 /// to be used. \p PrevInsts is the set of instruction seen since
196 /// the explicit null check on \p PointerReg.
201 /// Returns true if \p DependenceMI can clobber the liveIns in NullSucc block
202 /// if it was hoisted to the NullCheck block. This is used by caller
203 /// canHoistInst to decide if DependenceMI can be hoisted safely.
207 /// Return true if \p FaultingMI can be hoisted from after the
208 /// instructions in \p InstsSeenSoFar to before them. Set \p Dependence to a
209 /// non-null value if we also need to (and legally can) hoist a dependency.
219 }
226 }
231 }
232 };
248 }
263 // Found one possible dependency, keep track of it.
266 // We found two dependencies, so bail out.
268 }
269 }
272 }
278 // canHandle makes sure that we _can_ correctly analyze the dependencies
279 // between A and B here -- for instance, we should not be dealing with heap
280 // load-store dependencies here.
295 }
296 }
299 }
316 }
318 // Return true if any register aliasing \p Reg is live-in into \p MBB.
326 }
331 // If it is not memory access, skip the check.
334 // Load-Load may alias
337 // We lost info, conservatively alias. If it was store then no sense to
338 // continue because we won't be able to check against it further.
345 // MMO1 should have a value due it comes from operation we'd like to use
346 // as implicit null check.
353 }
358 }
359 }
361 }
367 // Implementation restriction for faulting_op insertion
368 // TODO: This could be relaxed if we find a test case which warrants it.
381 // We need the base of the memory instruction to be same as the register
382 // where the null check is performed (i.e. PointerReg).
387 // Bail out of the sizes of BaseReg, ScaledReg and PointerReg are not the
388 // same.
395 // Returns true if RegUsedInAddr is used for calculating the displacement
396 // depending on addressing mode. Also calculates the Displacement.
399 // The register can be NoRegister, which is defined as zero for all targets.
400 // Consider instruction of interest as `movq 8(,%rdi,8), %rax`. Here the
401 // ScaledReg is %rdi, while there is no BaseReg.
412 }
413 }
416 // Check for the const value defined in register by ModifyingMI. This means
417 // all other previous values for that register has been invalidated.
421 // Calculate the reg size in bits, since this is needed for bailing out in
422 // case of overflow.
429 // Sign of the product depends on the sign of the ImmVal, since Multiplier
430 // is always positive.
439 // We only handle diplacements upto 64 bits wide.
444 };
446 // If a register used in the address is constant, fold it's effect into the
447 // displacement for ease of analysis.
454 // The register which is not null checked should be part of the Displacement
455 // calculation, otherwise we do not know whether the Displacement is made up
456 // by some symbolic values.
457 // This matters because we do not want to incorrectly assume that load from
458 // falls in the zeroth faulting page in the "sane offset check" below.
463 // We want the mem access to be issued at a sane offset from PointerReg,
464 // so that if PointerReg is null then the access reliably page faults.
468 // Finally, check whether the current memory access aliases with previous one.
475 }
477 }
485 // Make sure that we won't clobber any live ins to the sibling block by
486 // hoisting Dependency. For instance, we can't hoist INST to before the
487 // null check (even if it safe, and does not violate any dependencies in
488 // the non_null_block) if %rdx is live in to _null_block.
489 //
490 // test %rcx, %rcx
491 // je _null_block
492 // _non_null_block:
493 // %rdx = INST
494 // ...
495 //
496 // This restriction does not apply to the faulting load inst because in
497 // case the pointer loaded from is in the null page, the load will not
498 // semantically execute, and affect machine state. That is, if the load
499 // was loading into %rax and it faults, the value of %rax should stay the
500 // same as it would have been had the load not have executed and we'd have
501 // branched to NullSucc directly.
505 }
507 // The dependence does not clobber live-ins in NullSucc block.
509 }
522 }
527 // We don't want to reason about speculating loads. Note -- at this point
528 // we should have already filtered out all of the other non-speculatable
529 // things, like calls and stores.
530 // We also do not want to hoist stores because it might change the memory
531 // while the FaultingMI may result in faulting.
547 }
549 /// Analyze MBB to check if its terminating branch can be turned into an
550 /// implicit null check. If yes, append a description of the said null check to
551 /// NullCheckList and return true, else return false.
563 MachineBranchPredicate MBP;
568 // Is the predicate comparing an integer to zero?
574 // If there is a separate condition generation instruction, we chose not to
575 // transform unless we can remove both condition and consuming branch.
587 }
589 // We handle the simplest case for now. We can potentially do better by using
590 // the machine dominator tree.
597 // To prevent the invalid transformation of the following code:
598 //
599 // mov %rax, %rcx
600 // test %rax, %rax
601 // %rax = ...
602 // je throw_npe
603 // mov(%rcx), %r9
604 // mov(%rax), %r10
605 //
606 // into:
607 //
608 // mov %rax, %rcx
609 // %rax = ....
610 // faulting_load_op("movl (%rax), %r10", throw_npe)
611 // mov(%rcx), %r9
612 //
613 // we must ensure that there are no instructions between the 'test' and
614 // conditional jump that modify %rax.
621 }
622 // Starting with a code fragment like:
623 //
624 // test %rax, %rax
625 // jne LblNotNull
626 //
627 // LblNull:
628 // callq throw_NullPointerException
629 //
630 // LblNotNull:
631 // Inst0
632 // Inst1
633 // ...
634 // Def = Load (%rax + <offset>)
635 // ...
636 //
637 //
638 // we want to end up with
639 //
640 // Def = FaultingLoad (%rax + <offset>), LblNull
641 // jmp LblNotNull ;; explicit or fallthrough
642 //
643 // LblNotNull:
644 // Inst0
645 // Inst1
646 // ...
647 //
648 // LblNull:
649 // callq throw_NullPointerException
650 //
651 //
652 // To see why this is legal, consider the two possibilities:
653 //
654 // 1. %rax is null: since we constrain <offset> to be less than PageSize, the
655 // load instruction dereferences the null page, causing a segmentation
656 // fault.
657 //
658 // 2. %rax is not null: in this case we know that the load cannot fault, as
659 // otherwise the load would've faulted in the original program too and the
660 // original program would've been undefined.
661 //
662 // This reasoning cannot be extended to justify hoisting through arbitrary
663 // control flow. For instance, in the example below (in pseudo-C)
664 //
665 // if (ptr == null) { throw_npe(); unreachable; }
666 // if (some_cond) { return 42; }
667 // v = ptr->field; // LD
668 // ...
669 //
670 // we cannot (without code duplication) use the load marked "LD" to null check
671 // ptr -- clause (2) above does not apply in this case. In the above program
672 // the safety of ptr->field can be dependent on some_cond; and, for instance,
673 // ptr could be some non-null invalid reference that never gets loaded from
674 // because some_cond is always true.
691 }
693 // If MI re-defines the PointerReg in a way that changes the value of
694 // PointerReg if it was null, then we cannot move further.
698 }
701 }
703 /// Wrap a machine instruction, MI, into a FAULTING machine instruction.
704 /// The FAULTING instruction does the same load/store as MI
705 /// (defining the same register), and branches to HandlerMBB if the mem access
706 /// faults. The FAULTING instruction is inserted at the end of MBB.
710 // all targets.
712 DebugLoc DL;
720 }
724 FK =
726 else
742 }
746 }
747 }
752 }
754 /// Rewrite the null checks in NullCheckList into implicit null checks.
757 DebugLoc DL;
760 // Remove the conditional branch dependent on the null check.
768 }
770 // Insert a faulting instruction where the conditional branch was
771 // originally. We check earlier ensures that this bit of code motion
772 // is legal. We do not touch the successors list for any basic block
773 // since we haven't changed control flow, we've just made it implicit.
776 // Now the values defined by MemOperation, if any, are live-in of
777 // the block of MemOperation.
778 // The original operation may define implicit-defs alongside
779 // the value.
786 }
794 }
795 }
801 // Insert an *unconditional* branch to not-null successor - we expect
802 // block placement to remove fallthroughs later.
806 NumImplicitNullChecks++;
807 }
808 }