| blob | 68a2ab3bb6d4eb680ec90e130361a52e94b3e66b |
2 /*--------------------------------------------------------------------*/
3 /*--- Instrument IR to perform memory checking operations. ---*/
4 /*--- mc_translate.c ---*/
5 /*--------------------------------------------------------------------*/
7 /*
8 This file is part of MemCheck, a heavyweight Valgrind tool for
9 detecting memory errors.
11 Copyright (C) 2000-2017 Julian Seward
12 jseward@acm.org
14 This program is free software; you can redistribute it and/or
15 modify it under the terms of the GNU General Public License as
16 published by the Free Software Foundation; either version 2 of the
17 License, or (at your option) any later version.
19 This program is distributed in the hope that it will be useful, but
20 WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, write to the Free Software
26 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
27 02111-1307, USA.
29 The GNU General Public License is contained in the file COPYING.
30 */
46 /* FIXMEs JRS 2011-June-16.
48 Check the interpretation for vector narrowing and widening ops,
49 particularly the saturating ones. I suspect they are either overly
50 pessimistic and/or wrong.
52 Iop_QandSQsh64x2 and friends (vector-by-vector bidirectional
53 saturating shifts): the interpretation is overly pessimistic.
54 See comments on the relevant cases below for details.
56 Iop_Sh64Sx2 and friends (vector-by-vector bidirectional shifts,
57 both rounding and non-rounding variants): ditto
58 */
60 /* This file implements the Memcheck instrumentation, and in
61 particular contains the core of its undefined value detection
62 machinery. For a comprehensive background of the terminology,
63 algorithms and rationale used herein, read:
65 Using Valgrind to detect undefined value errors with
66 bit-precision
68 Julian Seward and Nicholas Nethercote
70 2005 USENIX Annual Technical Conference (General Track),
71 Anaheim, CA, USA, April 10-15, 2005.
73 ----
75 Here is as good a place as any to record exactly when V bits are and
76 should be checked, why, and what function is responsible.
79 Memcheck complains when an undefined value is used:
81 1. In the condition of a conditional branch. Because it could cause
82 incorrect control flow, and thus cause incorrect externally-visible
83 behaviour. [mc_translate.c:complainIfUndefined]
85 2. As an argument to a system call, or as the value that specifies
86 the system call number. Because it could cause an incorrect
87 externally-visible side effect. [mc_translate.c:mc_pre_reg_read]
89 3. As the address in a load or store. Because it could cause an
90 incorrect value to be used later, which could cause externally-visible
91 behaviour (eg. via incorrect control flow or an incorrect system call
92 argument) [complainIfUndefined]
94 4. As the target address of a branch. Because it could cause incorrect
95 control flow. [complainIfUndefined]
97 5. As an argument to setenv, unsetenv, or putenv. Because it could put
98 an incorrect value into the external environment.
99 [mc_replace_strmem.c:VG_WRAP_FUNCTION_ZU(*, *env)]
101 6. As the index in a GETI or PUTI operation. I'm not sure why... (njn).
102 [complainIfUndefined]
104 7. As an argument to the VALGRIND_CHECK_MEM_IS_DEFINED and
105 VALGRIND_CHECK_VALUE_IS_DEFINED client requests. Because the user
106 requested it. [in memcheck.h]
109 Memcheck also complains, but should not, when an undefined value is used:
111 8. As the shift value in certain SIMD shift operations (but not in the
112 standard integer shift operations). This inconsistency is due to
113 historical reasons.) [complainIfUndefined]
116 Memcheck does not complain, but should, when an undefined value is used:
118 9. As an input to a client request. Because the client request may
119 affect the visible behaviour -- see bug #144362 for an example
120 involving the malloc replacements in vg_replace_malloc.c and
121 VALGRIND_NON_SIMD_CALL* requests, where an uninitialised argument
122 isn't identified. That bug report also has some info on how to solve
123 the problem. [valgrind.h:VALGRIND_DO_CLIENT_REQUEST]
126 In practice, 1 and 2 account for the vast majority of cases.
127 */
129 /* Generation of addr-definedness, addr-validity and
130 guard-definedness checks pertaining to loads and stores (Iex_Load,
131 Ist_Store, IRLoadG, IRStoreG, LLSC, CAS and Dirty memory
132 loads/stores) was re-checked 11 May 2013. */
135 /*------------------------------------------------------------*/
136 /*--- Forward decls ---*/
137 /*------------------------------------------------------------*/
141 // See below for comments explaining what this is for.
142 typedef
144 HowUsed;
154 /*------------------------------------------------------------*/
155 /*--- Memcheck running state, and tmp management. ---*/
156 /*------------------------------------------------------------*/
158 /* For a few (maybe 1%) IROps, we have both a cheaper, less exact vbit
159 propagation scheme, and a more expensive, more precise vbit propagation
160 scheme. This enum describes, for such an IROp, which scheme to use. */
161 typedef
163 // Use the cheaper, less-exact variant.
165 // Choose between cheap and expensive based on analysis of the block
166 // to be instrumented. Note that the choice may be done on a
167 // per-instance basis of the IROp that this DetailLevel describes.
168 DLauto,
169 // Use the more expensive, more-exact variant.
170 DLexpensive
171 }
172 DetailLevel;
175 /* A readonly part of the running state. For IROps that have both a
176 less-exact and more-exact interpretation, records which interpretation is
177 to be used. */
178 typedef
180 // For Add32/64 and Sub32/64, all 3 settings are allowed. For the
181 // DLauto case, a per-instance decision is to be made by inspecting
182 // the associated tmp's entry in MCEnv.tmpHowUsed.
183 DetailLevel dl_Add32;
184 DetailLevel dl_Add64;
185 DetailLevel dl_Sub32;
186 DetailLevel dl_Sub64;
187 // For Cmp{EQ,NE}{64,32,16,8}, only DLcheap and DLexpensive are
188 // allowed.
189 DetailLevel dl_CmpEQ64_CmpNE64;
190 DetailLevel dl_CmpEQ32_CmpNE32;
191 DetailLevel dl_CmpEQ16_CmpNE16;
192 DetailLevel dl_CmpEQ8_CmpNE8;
193 }
194 DetailLevelByOp;
197 DetailLevel dl )
198 {
207 }
210 {
223 }
226 DetailLevel dl )
227 {
238 }
241 /* Carries info about a particular tmp. The tmp's number is not
242 recorded, as this is implied by (equal to) its index in the tmpMap
243 in MCEnv. The tmp's type is also not recorded, as this is present
244 in MCEnv.sb->tyenv.
246 When .kind is Orig, .shadowV and .shadowB may give the identities
247 of the temps currently holding the associated definedness (shadowV)
248 and origin (shadowB) values, or these may be IRTemp_INVALID if code
249 to compute such values has not yet been emitted.
251 When .kind is VSh or BSh then the tmp is holds a V- or B- value,
252 and so .shadowV and .shadowB must be IRTemp_INVALID, since it is
253 illogical for a shadow tmp itself to be shadowed.
254 */
255 typedef
257 TempKind;
259 typedef
261 TempKind kind;
262 IRTemp shadowV;
263 IRTemp shadowB;
264 }
265 TempMapEnt;
268 /* A |HowUsed| value carries analysis results about how values are used,
269 pertaining to whether we need to instrument integer adds expensively or
270 not. The running state carries a (readonly) mapping from original tmp to
271 a HowUsed value for it. A usage value can be one of three values,
272 forming a 3-point chain lattice.
274 HuOth ("Other") used in some arbitrary way
275 |
276 HuPCa ("PCast") used *only* in effectively a PCast, in which all
277 | we care about is the all-defined vs not-all-defined distinction
278 |
279 HuUnU ("Unused") not used at all.
281 The "safe" (don't-know) end of the lattice is "HuOth". See comments
282 below in |preInstrumentationAnalysis| for further details.
283 */
284 /* DECLARED ABOVE:
285 typedef
286 enum __attribute__((packed)) { HuUnU=0, HuPCa=1, HuOth=2 }
287 HowUsed;
288 */
290 // Not actually necessary, but we don't want to waste D1 space.
294 /* Carries around state during memcheck instrumentation. */
295 typedef
297 /* MODIFIED: the superblock being constructed. IRStmts are
298 added. */
300 Bool trace;
302 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
303 current kind and possibly shadow temps for each temp in the
304 IRSB being constructed. Note that it does not contain the
305 type of each tmp. If you want to know the type, look at the
306 relevant entry in sb->tyenv. It follows that at all times
307 during the instrumentation process, the valid indices for
308 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
309 total number of Orig, V- and B- temps allocated so far.
311 The reason for this strange split (types in one place, all
312 other info in another) is that we need the types to be
313 attached to sb so as to make it possible to do
314 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
315 instrumentation process. */
318 /* READONLY: contains details of which ops should be expensively
319 instrumented. */
320 DetailLevelByOp dlbo;
322 /* READONLY: for each original tmp, how the tmp is used. This is
323 computed by |preInstrumentationAnalysis|. Valid indices are
324 0 .. #temps_in_sb-1 (same as for tmpMap). */
327 /* READONLY: the guest layout. This indicates which parts of
328 the guest state should be regarded as 'always defined'. */
331 /* READONLY: the host word type. Needed for constructing
332 arguments of type 'HWord' to be passed to helper functions.
333 Ity_I32 or Ity_I64 only. */
334 IRType hWordTy;
335 }
336 MCEnv;
339 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
340 demand), as they are encountered. This is for two reasons.
342 (1) (less important reason): Many original tmps are unused due to
343 initial IR optimisation, and we do not want to spaces in tables
344 tracking them.
346 Shadow IRTemps are therefore allocated on demand. mce.tmpMap is a
347 table indexed [0 .. n_types-1], which gives the current shadow for
348 each original tmp, or INVALID_IRTEMP if none is so far assigned.
349 It is necessary to support making multiple assignments to a shadow
350 -- specifically, after testing a shadow for definedness, it needs
351 to be made defined. But IR's SSA property disallows this.
353 (2) (more important reason): Therefore, when a shadow needs to get
354 a new value, a new temporary is created, the value is assigned to
355 that, and the tmpMap is updated to reflect the new binding.
357 A corollary is that if the tmpMap maps a given tmp to
358 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
359 there's a read-before-write error in the original tmps. The IR
360 sanity checker should catch all such anomalies, however.
361 */
363 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
364 both the table in mce->sb and to our auxiliary mapping. Note that
365 newTemp may cause mce->tmpMap to resize, hence previous results
366 from VG_(indexXA)(mce->tmpMap) are invalidated. */
368 {
369 Word newIx;
370 TempMapEnt ent;
378 }
381 /* Find the tmp currently shadowing the given original tmp. If none
382 so far exists, allocate one. */
384 {
386 /* VG_(indexXA) range-checks 'orig', hence no need to check
387 here. */
391 IRTemp tmpV
393 /* newTemp may cause mce->tmpMap to resize, hence previous results
394 from VG_(indexXA) are invalid. */
399 }
401 }
403 /* Allocate a new shadow for the given original tmp. This means any
404 previous shadow is abandoned. This is needed because it is
405 necessary to give a new value to a shadow once it has been tested
406 for undefinedness, but unfortunately IR's SSA property disallows
407 this. Instead we must abandon the old shadow, allocate a new one
408 and use that instead.
410 This is the same as findShadowTmpV, except we don't bother to see
411 if a shadow temp already existed -- we simply allocate a new one
412 regardless. */
414 {
416 /* VG_(indexXA) range-checks 'orig', hence no need to check
417 here. */
421 IRTemp tmpV
423 /* newTemp may cause mce->tmpMap to resize, hence previous results
424 from VG_(indexXA) are invalid. */
428 }
429 }
432 /*------------------------------------------------------------*/
433 /*--- IRAtoms -- a subset of IRExprs ---*/
434 /*------------------------------------------------------------*/
436 /* An atom is either an IRExpr_Const or an IRExpr_Tmp, as defined by
437 isIRAtom() in libvex_ir.h. Because this instrumenter expects flat
438 input, most of this code deals in atoms. Usefully, a value atom
439 always has a V-value which is also an atom: constants are shadowed
440 by constants, and temps are shadowed by the corresponding shadow
441 temporary. */
445 /* (used for sanity checks only): is this an atom which looks
446 like it's from original code? */
448 {
454 }
456 }
458 /* (used for sanity checks only): is this an atom which looks
459 like it's from shadow code? */
461 {
467 }
469 }
471 /* (used for sanity checks only): check that both args are atoms and
472 are identically-kinded. */
474 {
480 }
483 /*------------------------------------------------------------*/
484 /*--- Type management ---*/
485 /*------------------------------------------------------------*/
487 /* Shadow state is always accessed using integer types. This returns
488 an integer type with the same size (as per sizeofIRType) as the
489 given type. The only valid shadow types are Bit, I8, I16, I32,
490 I64, I128, V128, V256. */
493 {
512 }
513 }
515 /* Produce a 'defined' value of the given shadow type. Should only be
516 supplied shadow types (Bit/I8/I16/I32/UI64). */
528 }
529 }
532 /*------------------------------------------------------------*/
533 /*--- Constructing IR fragments ---*/
534 /*------------------------------------------------------------*/
536 /* add stmt to a bb */
542 }
544 }
546 /* assign value to tmp */
550 }
552 /* build various kinds of expressions */
553 #define triop(_op, _arg1, _arg2, _arg3) \
554 IRExpr_Triop((_op),(_arg1),(_arg2),(_arg3))
555 #define binop(_op, _arg1, _arg2) IRExpr_Binop((_op),(_arg1),(_arg2))
556 #define unop(_op, _arg) IRExpr_Unop((_op),(_arg))
557 #define mkU1(_n) IRExpr_Const(IRConst_U1(_n))
558 #define mkU8(_n) IRExpr_Const(IRConst_U8(_n))
559 #define mkU16(_n) IRExpr_Const(IRConst_U16(_n))
560 #define mkU32(_n) IRExpr_Const(IRConst_U32(_n))
561 #define mkU64(_n) IRExpr_Const(IRConst_U64(_n))
562 #define mkV128(_n) IRExpr_Const(IRConst_V128(_n))
563 #define mkexpr(_tmp) IRExpr_RdTmp((_tmp))
565 /* Bind the given expression to a new temporary, and return the
566 temporary. This effectively converts an arbitrary expression into
567 an atom.
569 'ty' is the type of 'e' and hence the type that the new temporary
570 needs to be. But passing it in is redundant, since we can deduce
571 the type merely by inspecting 'e'. So at least use that fact to
572 assert that the two types agree. */
574 {
575 TempKind k;
576 IRTemp t;
584 /* happens when we are making up new "orig"
585 expressions, for IRCAS handling */
587 }
591 }
594 /*------------------------------------------------------------*/
595 /*--- Helper functions for 128-bit ops ---*/
596 /*------------------------------------------------------------*/
599 {
602 }
604 /* There are no I128-bit loads and/or stores [as generated by any
605 current front ends]. So we do not need to worry about that in
606 expr2vbits_Load */
609 /*------------------------------------------------------------*/
610 /*--- Constructing definedness primitive ops ---*/
611 /*------------------------------------------------------------*/
613 /* --------- Defined-if-either-defined --------- */
619 }
625 }
631 }
637 }
643 }
649 }
651 /* --------- Undefined-if-either-undefined --------- */
657 }
663 }
669 }
675 }
689 }
695 }
701 }
715 }
716 }
718 /* --------- The Left-family of operations. --------- */
723 }
728 }
733 }
738 }
740 /* --------- 'Improvement' functions for AND/OR. --------- */
742 /* ImproveAND(data, vbits) = data OR vbits. Defined (0) data 0s give
743 defined (0); all other -> undefined (1).
744 */
746 {
751 }
754 {
759 }
762 {
767 }
770 {
775 }
778 {
783 }
786 {
791 }
793 /* ImproveOR(data, vbits) = ~data OR vbits. Defined (0) data 1s give
794 defined (0); all other -> undefined (1).
795 */
797 {
805 vbits) );
806 }
809 {
817 vbits) );
818 }
821 {
829 vbits) );
830 }
833 {
841 vbits) );
842 }
845 {
853 vbits) );
854 }
857 {
865 vbits) );
866 }
868 /* --------- Pessimising casts. --------- */
870 /* The function returns an expression of type DST_TY. If any of the VBITS
871 is undefined (value == 1) the resulting expression has all bits set to
872 1. Otherwise, all bits are 0. */
875 {
876 IRType src_ty;
879 /* Note, dst_ty is a shadow type, not an original type. */
883 /* Fast-track some common cases */
891 /* PCast the arg, then clone it. */
894 }
897 /* PCast the arg, then clone it 4 times. */
901 }
904 /* PCast the arg, then clone it 8 times. */
909 }
912 /* PCast the arg. This gives all 0s or all 1s. Then throw away
913 the top half. */
916 }
919 /* Use InterleaveHI64x2 to copy the top half of the vector into
920 the bottom half. Then we can UifU it with the original, throw
921 away the upper half of the result, and PCast-I64-to-I64
922 the lower half. */
923 // Generates vbits[127:64] : vbits[127:64]
924 IRAtom* hi64hi64
927 // Generates
928 // UifU(vbits[127:64],vbits[127:64]) : UifU(vbits[127:64],vbits[63:0])
929 // == vbits[127:64] : UifU(vbits[127:64],vbits[63:0])
930 IRAtom* lohi64
932 // Generates UifU(vbits[127:64],vbits[63:0])
933 IRAtom* lo64
935 // Generates
936 // PCast-to-I64( UifU(vbits[127:64], vbits[63:0] )
937 // == PCast-to-I64( vbits[127:0] )
938 IRAtom* res
941 }
943 /* Else do it the slow way .. */
944 /* First of all, collapse vbits down to a single bit. */
963 /* Gah. Chop it in half, OR the halves together, and compare
964 that with zero. */
971 }
973 /* Chop it in half, OR the halves together, and compare that
974 * with zero.
975 */
982 }
986 }
988 /* Now widen up to the dst type. */
1018 }
1019 }
1021 /* This is a minor variant. It takes an arg of some type and returns
1022 a value of the same type. The result consists entirely of Defined
1023 (zero) bits except its least significant bit, which is a PCast of
1024 the entire argument down to a single bit. */
1026 {
1028 /* --- Case for V128 --- */
1030 // generates: PCast-to-I64(varg128)
1032 // Now introduce zeros (defined bits) in the top 63 places
1033 // generates: Def--(63)--Def PCast-to-I1(varg128)
1034 IRAtom* d63pc
1036 // generates: Def--(64)--Def
1037 IRAtom* d64
1039 // generates: Def--(127)--Def PCast-to-I1(varg128)
1040 IRAtom* res
1043 }
1045 /* --- Case for I64 --- */
1046 // PCast to 64
1048 // Zero (Def) out the top 63 bits
1049 IRAtom* res
1052 }
1053 /*NOTREACHED*/
1055 }
1057 /* --------- Optimistic casts. --------- */
1059 /* The function takes and returns an expression of type TY. If any of the
1060 VBITS indicate defined (value == 0) the resulting expression has all bits
1061 set to 0. Otherwise, all bits are 1. In words, if any bits are defined
1062 then all bits are made to be defined.
1064 In short we compute (vbits - (vbits >>u 1)) >>s (bitsize(vbits)-1).
1065 */
1067 {
1069 UInt sh;
1087 }
1094 }
1097 /* --------- Accurate interpretation of CmpEQ/CmpNE. --------- */
1098 /*
1099 Normally, we can do CmpEQ/CmpNE by doing UifU on the arguments, and
1100 PCasting to Ity_U1. However, sometimes it is necessary to be more
1101 accurate. The insight is that the result is defined if two
1102 corresponding bits can be found, one from each argument, so that
1103 both bits are defined but are different -- that makes EQ say "No"
1104 and NE say "Yes". Hence, we compute an improvement term and DifD
1105 it onto the "normal" (UifU) result.
1107 The result is:
1109 PCastTo<1> (
1110 -- naive version
1111 UifU<sz>(vxx, vyy)
1113 `DifD<sz>`
1115 -- improvement term
1116 OCast<sz>(vec)
1117 )
1119 where
1120 vec contains 0 (defined) bits where the corresponding arg bits
1121 are defined but different, and 1 bits otherwise.
1123 vec = Or<sz>( vxx, // 0 iff bit defined
1124 vyy, // 0 iff bit defined
1125 Not<sz>(Xor<sz>( xx, yy )) // 0 iff bits different
1126 )
1128 If any bit of vec is 0, the result is defined and so the
1129 improvement term should produce 0...0, else it should produce
1130 1...1.
1132 Hence require for the improvement term:
1134 OCast(vec) = if vec == 1...1 then 1...1 else 0...0
1136 which you can think of as an "optimistic cast" (OCast, the opposite of
1137 the normal "pessimistic cast" (PCast) family. An OCast says all bits
1138 are defined if any bit is defined.
1140 It is possible to show that
1142 if vec == 1...1 then 1...1 else 0...0
1144 can be implemented in straight-line code as
1146 (vec - (vec >>u 1)) >>s (word-size-in-bits - 1)
1148 We note that vec contains the sub-term Or<sz>(vxx, vyy). Since UifU is
1149 implemented with Or (since 1 signifies undefinedness), this is a
1150 duplicate of the UifU<sz>(vxx, vyy) term and so we can CSE it out, giving
1151 a final version of:
1153 let naive = UifU<sz>(vxx, vyy)
1154 vec = Or<sz>(naive, Not<sz>(Xor<sz)(xx, yy))
1155 in
1156 PCastTo<1>( DifD<sz>(naive, OCast<sz>(vec)) )
1158 This was extensively re-analysed and checked on 6 July 05 and again
1159 in July 2017.
1160 */
1162 IRType ty,
1165 {
1207 }
1209 naive
1212 vec
1216 naive,
1222 improved
1226 final_cast
1230 }
1233 /* --------- Semi-accurate interpretation of CmpORD. --------- */
1235 /* CmpORD32{S,U} does PowerPC-style 3-way comparisons:
1237 CmpORD32S(x,y) = 1<<3 if x <s y
1238 = 1<<2 if x >s y
1239 = 1<<1 if x == y
1241 and similarly the unsigned variant. The default interpretation is:
1243 CmpORD32{S,U}#(x,y,x#,y#) = PCast(x# `UifU` y#)
1244 & (7<<1)
1246 The "& (7<<1)" reflects the fact that all result bits except 3,2,1
1247 are zero and therefore defined (viz, zero).
1249 Also deal with a special case better:
1251 CmpORD32S(x,0)
1253 Here, bit 3 (LT) of the result is a copy of the top bit of x and
1254 will be defined even if the rest of x isn't. In which case we do:
1256 CmpORD32S#(x,x#,0,{impliedly 0}#)
1257 = PCast(x#) & (3<<1) -- standard interp for GT#,EQ#
1258 | (x# >>u 31) << 3 -- LT# = x#[31]
1260 Analogous handling for CmpORD64{S,U}.
1261 */
1263 {
1264 return
1268 }
1271 {
1272 return
1276 }
1279 IROp cmp_op,
1282 {
1309 }
1312 /* fancy interpretation */
1313 /* if yy is zero, then it must be fully defined (zero#). */
1316 return
1318 opOR,
1322 opAND,
1324 threeLeft1
1325 )),
1329 opSHL,
1334 ))
1335 );
1337 /* standard interpretation */
1339 return
1341 opAND,
1344 sevenLeft1
1345 );
1346 }
1347 }
1350 /*------------------------------------------------------------*/
1351 /*--- Emit a test and complaint if something is undefined. ---*/
1352 /*------------------------------------------------------------*/
1357 /* Set the annotations on a dirty helper to indicate that the stack
1358 pointer and instruction pointers might be read. This is the
1359 behaviour of all 'emit-a-complaint' style functions we might
1360 call. */
1374 }
1377 /* Check the supplied *original* |atom| for undefinedness, and emit a
1378 complaint if so. Once that happens, mark it as defined. This is
1379 possible because the atom is either a tmp or literal. If it's a
1380 tmp, it will be shadowed by a tmp, and so we can set the shadow to
1381 be defined. In fact as mentioned above, we will have to allocate a
1382 new tmp to carry the new 'defined' shadow value, and update the
1383 original->tmp mapping accordingly; we cannot simply assign a new
1384 value to an existing shadow tmp as this breaks SSAness.
1386 The checks are performed, any resulting complaint emitted, and
1387 |atom|'s shadow temp set to 'defined', ONLY in the case that
1388 |guard| evaluates to True at run-time. If it evaluates to False
1389 then no action is performed. If |guard| is NULL (the usual case)
1390 then it is assumed to be always-true, and hence these actions are
1391 performed unconditionally.
1393 This routine does not generate code to check the definedness of
1394 |guard|. The caller is assumed to have taken care of that already.
1395 */
1397 {
1399 IRType ty;
1400 Int sz;
1407 Int nargs;
1409 // Don't do V bit tests if we're not reporting undefined value errors.
1416 /* Since the original expression is atomic, there's no duplicated
1417 work generated by making multiple V-expressions for it. So we
1418 don't really care about the possibility that someone else may
1419 also create a V-interpretion for it. */
1427 /* sz is only used for constructing the error message */
1431 /* cond will be 0 if all defined, and 1 if any not defined. */
1433 /* Get the origin info for the value we are about to check. At
1434 least, if we are doing origin tracking. If not, use a dummy
1435 zero origin. */
1440 }
1443 }
1462 }
1475 }
1488 }
1501 }
1515 }
1519 }
1532 /* If the complaint is to be issued under a guard condition, AND
1533 that into the guard condition for the helper call. */
1539 }
1544 /* If |atom| is shadowed by an IRTemp, set the shadow tmp to be
1545 defined -- but only in the case where the guard evaluates to
1546 True at run-time. Do the update by setting the orig->shadow
1547 mapping for tmp to reflect the fact that this shadow is getting
1548 a new value. */
1550 /* sameKindedAtoms ... */
1554 // guard is 'always True', hence update unconditionally
1559 // update the temp only conditionally. Do this by copying
1560 // its old value when the guard is False.
1561 // The old value ..
1564 IRAtom* new_tmpV
1569 }
1570 }
1571 }
1574 /*------------------------------------------------------------*/
1575 /*--- Shadowing PUTs/GETs, and indexed variants thereof ---*/
1576 /*------------------------------------------------------------*/
1578 /* Examine the always-defined sections declared in layout to see if
1579 the (offset,size) section is within one. Note, is is an error to
1580 partially fall into such a region: (offset,size) should either be
1581 completely in such a region or completely not-in such a region.
1582 */
1584 {
1603 }
1605 }
1608 /* Generate into bb suitable actions to shadow this Put. If the state
1609 slice is marked 'always defined', do nothing. Otherwise, write the
1610 supplied V bits to the shadow state. We can pass in either an
1611 original atom or a V-atom, but not both. In the former case the
1612 relevant V-bits are then generated from the original.
1613 We assume here, that the definedness of GUARD has already been checked.
1614 */
1615 static
1618 {
1619 IRType ty;
1621 // Don't do shadow PUTs if we're not doing undefined value checking.
1622 // Their absence lets Vex's optimiser remove all the shadow computation
1623 // that they depend on, which includes GETs of the shadow registers.
1634 }
1639 /* later: no ... */
1640 /* emit code to emit a complaint if any of the vbits are 1. */
1641 /* complainIfUndefined(mce, atom); */
1643 /* Do a plain shadow Put. */
1645 /* If the guard expression evaluates to false we simply Put the value
1646 that is already stored in the guest state slot */
1653 }
1655 }
1656 }
1659 /* Return an expression which contains the V bits corresponding to the
1660 given GETI (passed in in pieces).
1661 */
1662 static
1664 {
1667 Int arrSize;;
1673 // Don't do shadow PUTIs if we're not doing undefined value checking.
1674 // Their absence lets Vex's optimiser remove all the shadow computation
1675 // that they depend on, which includes GETIs of the shadow registers.
1689 /* later: no ... */
1690 /* emit code to emit a complaint if any of the vbits are 1. */
1691 /* complainIfUndefined(mce, atom); */
1693 /* Do a cloned version of the Put that refers to the shadow
1694 area. */
1695 IRRegArray* new_descr
1699 }
1700 }
1703 /* Return an expression which contains the V bits corresponding to the
1704 given GET (passed in in pieces).
1705 */
1706 static
1708 {
1713 /* Always defined, return all zeroes of the relevant type */
1716 /* return a cloned version of the Get that refers to the shadow
1717 area. */
1718 /* FIXME: this isn't an atom! */
1720 }
1721 }
1724 /* Return an expression which contains the V bits corresponding to the
1725 given GETI (passed in in pieces).
1726 */
1727 static
1730 {
1738 /* Always defined, return all zeroes of the relevant type */
1741 /* return a cloned version of the Get that refers to the shadow
1742 area. */
1743 IRRegArray* new_descr
1747 }
1748 }
1751 /*------------------------------------------------------------*/
1752 /*--- Generating approximations for unknown operations, ---*/
1753 /*--- using lazy-propagate semantics ---*/
1754 /*------------------------------------------------------------*/
1756 /* Lazy propagation of undefinedness from two values, resulting in the
1757 specified shadow type.
1758 */
1759 static
1761 {
1768 /* The general case is inefficient because PCast is an expensive
1769 operation. Here are some special cases which use PCast only
1770 once rather than twice. */
1772 /* I64 x I64 -> I64 */
1778 }
1780 /* I64 x I64 -> I32 */
1786 }
1788 /* I32 x I32 -> I32 */
1794 }
1804 }
1806 /* General case: force everything via 32-bit intermediaries. */
1811 }
1814 /* 3-arg version of the above. */
1815 static
1818 {
1827 /* The general case is inefficient because PCast is an expensive
1828 operation. Here are some special cases which use PCast only
1829 twice rather than three times. */
1831 /* I32 x I64 x I64 -> I64 */
1832 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1836 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
1837 mode indication which is fully defined, this should get
1838 folded out later. */
1840 /* Now fold in 2nd and 3rd args. */
1843 /* and PCast once again. */
1846 }
1848 /* I32 x I8 x I64 -> I64 */
1852 /* Widen 1st and 2nd args to I64. Since 1st arg is typically a
1853 * rounding mode indication which is fully defined, this should
1854 * get folded out later.
1855 */
1860 /* and PCast once again. */
1863 }
1865 /* I32 x I64 x I64 -> I32 */
1874 }
1876 /* I32 x I32 x I32 -> I32 */
1877 /* 32-bit FP idiom, as (eg) happens on ARM */
1886 }
1888 /* I32 x I128 x I128 -> I128 */
1889 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1893 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
1894 mode indication which is fully defined, this should get
1895 folded out later. */
1897 /* Now fold in 2nd and 3rd args. */
1900 /* and PCast once again. */
1903 }
1905 /* I32 x I8 x I128 -> I128 */
1906 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1910 /* Use I64 as an intermediate type, which means PCasting all 3
1911 args to I64 to start with. 1st arg is typically a rounding
1912 mode indication which is fully defined, so we hope that it
1913 will get folded out later. */
1917 /* Now UifU all three together. */
1920 /* and PCast once again. */
1923 }
1934 }
1937 /* General case: force everything via 32-bit intermediaries. */
1938 /*
1939 at = mkPCastTo(mce, Ity_I32, va1);
1940 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va2));
1941 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va3));
1942 at = mkPCastTo(mce, finalVty, at);
1943 return at;
1944 */
1945 }
1948 /* 4-arg version of the above. */
1949 static
1952 {
1963 /* The general case is inefficient because PCast is an expensive
1964 operation. Here are some special cases which use PCast only
1965 twice rather than three times. */
1967 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
1972 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
1973 mode indication which is fully defined, this should get
1974 folded out later. */
1976 /* Now fold in 2nd, 3rd, 4th args. */
1980 /* and PCast once again. */
1983 }
1985 /* I32 x I64 x I64 x I64 -> I64 */
1989 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
1990 mode indication which is fully defined, this should get
1991 folded out later. */
1993 /* Now fold in 2nd, 3rd, 4th args. */
1997 /* and PCast once again. */
2000 }
2001 /* I32 x I32 x I32 x I32 -> I32 */
2002 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2007 /* Now fold in 2nd, 3rd, 4th args. */
2013 }
2019 /* Now fold in 2nd, 3rd, 4th args. */
2025 }
2031 /* Now fold in 2nd, 3rd, 4th args. */
2037 }
2051 }
2054 }
2057 /* Do the lazy propagation game from a null-terminated vector of
2058 atoms. This is presumably the arguments to a helper call, so the
2059 IRCallee info is also supplied in order that we can know which
2060 arguments should be ignored (via the .mcx_mask field).
2061 */
2062 static
2065 {
2066 Int i;
2069 IRType mergeTy;
2072 /* Decide on the type of the merge intermediary. If all relevant
2073 args are I64, then it's I64. In all other circumstances, use
2074 I32. */
2082 }
2090 /* Only take notice of this arg if the callee's mc-exclusion
2091 mask does not say it is to be excluded. */
2093 /* the arg is to be excluded from definedness checking. Do
2094 nothing. */
2097 /* calculate the arg's definedness, and pessimistically merge
2098 it in. */
2100 curr = mergeTy64
2103 }
2104 }
2106 }
2109 /*------------------------------------------------------------*/
2110 /*--- Generating expensive sequences for exact carry-chain ---*/
2111 /*--- propagation in add/sub and related operations. ---*/
2112 /*------------------------------------------------------------*/
2114 static
2116 Bool add,
2117 IRType ty,
2120 {
2150 }
2152 // a_min = aa & ~qaa
2157 // b_min = bb & ~qbb
2162 // a_max = aa | qaa
2165 // b_max = bb | qbb
2169 // result = (qaa | qbb) | ((a_min + b_min) ^ (a_max + b_max))
2170 return
2178 )
2179 )
2180 )
2181 );
2183 // result = (qaa | qbb) | ((a_min - b_max) ^ (a_max - b_min))
2184 return
2192 )
2193 )
2194 )
2195 );
2196 }
2198 }
2201 static
2204 {
2205 IRType ty;
2231 }
2233 // improver = atom ^ (atom - 1)
2234 //
2235 // That is, improver has its low ctz(atom) bits equal to one;
2236 // higher bits (if any) equal to zero.
2239 atom,
2243 // improved = vatom & improver
2244 //
2245 // That is, treat any V bits above the first ctz(atom) bits as
2246 // "defined".
2250 // Return pessimizing cast of improved.
2252 }
2255 /*------------------------------------------------------------*/
2256 /*--- Scalar shifts. ---*/
2257 /*------------------------------------------------------------*/
2259 /* Produce an interpretation for (aa << bb) (or >>s, >>u). The basic
2260 idea is to shift the definedness bits by the original shift amount.
2261 This introduces 0s ("defined") in new positions for left shifts and
2262 unsigned right shifts, and copies the top definedness bit for
2263 signed right shifts. So, conveniently, applying the original shift
2264 operator to the definedness bits for the left arg is exactly the
2265 right thing to do:
2267 (qaa << bb)
2269 However if the shift amount is undefined then the whole result
2270 is undefined. Hence need:
2272 (qaa << bb) `UifU` PCast(qbb)
2274 If the shift amount bb is a literal than qbb will say 'all defined'
2275 and the UifU and PCast will get folded out by post-instrumentation
2276 optimisation.
2277 */
2279 IRType ty,
2280 IROp original_op,
2283 {
2290 return
2296 )
2297 );
2298 }
2301 /*------------------------------------------------------------*/
2302 /*--- Helpers for dealing with vector primops. ---*/
2303 /*------------------------------------------------------------*/
2305 /* Vector pessimisation -- pessimise within each lane individually. */
2308 {
2310 }
2313 {
2315 }
2318 {
2320 }
2323 {
2325 }
2328 {
2330 }
2333 {
2335 }
2338 {
2340 }
2343 {
2345 }
2348 {
2350 }
2353 {
2355 }
2358 {
2360 }
2363 {
2365 }
2368 {
2370 }
2373 {
2375 }
2378 /* Here's a simple scheme capable of handling ops derived from SSE1
2379 code and while only generating ops that can be efficiently
2380 implemented in SSE1. */
2382 /* All-lanes versions are straightforward:
2384 binary32Fx4(x,y) ==> PCast32x4(UifUV128(x#,y#))
2386 unary32Fx4(x,y) ==> PCast32x4(x#)
2388 Lowest-lane-only versions are more complex:
2390 binary32F0x4(x,y) ==> SetV128lo32(
2391 x#,
2392 PCast32(V128to32(UifUV128(x#,y#)))
2393 )
2395 This is perhaps not so obvious. In particular, it's faster to
2396 do a V128-bit UifU and then take the bottom 32 bits than the more
2397 obvious scheme of taking the bottom 32 bits of each operand
2398 and doing a 32-bit UifU. Basically since UifU is fast and
2399 chopping lanes off vector values is slow.
2401 Finally:
2403 unary32F0x4(x) ==> SetV128lo32(
2404 x#,
2405 PCast32(V128to32(x#))
2406 )
2408 Where:
2410 PCast32(v#) = 1Sto32(CmpNE32(v#,0))
2411 PCast32x4(v#) = CmpNEZ32x4(v#)
2412 */
2414 static
2416 {
2423 }
2425 static
2427 {
2432 }
2434 static
2436 {
2445 }
2447 static
2449 {
2456 }
2458 /* --- ... and ... 64Fx2 versions of the same ... --- */
2460 static
2462 {
2469 }
2471 static
2473 {
2478 }
2480 static
2482 {
2491 }
2493 static
2495 {
2502 }
2504 /* --- --- ... and ... 32Fx2 versions of the same --- --- */
2506 static
2508 {
2515 }
2517 static
2519 {
2524 }
2526 /* --- ... and ... 64Fx4 versions of the same ... --- */
2528 static
2530 {
2537 }
2539 static
2541 {
2546 }
2548 /* --- ... and ... 32Fx8 versions of the same ... --- */
2550 static
2552 {
2559 }
2561 static
2563 {
2568 }
2570 /* --- 64Fx2 binary FP ops, with rounding mode --- */
2572 static
2575 {
2576 /* This is the same as binary64Fx2, except that we subsequently
2577 pessimise vRM (definedness of the rounding mode), widen to 128
2578 bits and UifU it into the result. As with the scalar cases, if
2579 the RM is a constant then it is defined and so this extra bit
2580 will get constant-folded out later. */
2581 // "do" the vector args
2583 // PCast the RM, and widen it to 128 bits
2585 // Roll it into the result
2588 }
2590 /* --- ... and ... 32Fx4 versions of the same --- */
2592 static
2595 {
2597 // PCast the RM, and widen it to 128 bits
2599 // Roll it into the result
2602 }
2604 /* --- ... and ... 64Fx4 versions of the same --- */
2606 static
2609 {
2611 // PCast the RM, and widen it to 256 bits
2613 // Roll it into the result
2616 }
2618 /* --- ... and ... 32Fx8 versions of the same --- */
2620 static
2623 {
2625 // PCast the RM, and widen it to 256 bits
2627 // Roll it into the result
2630 }
2632 /* --- 64Fx2 unary FP ops, with rounding mode --- */
2634 static
2636 {
2637 /* Same scheme as binary64Fx2_w_rm. */
2638 // "do" the vector arg
2640 // PCast the RM, and widen it to 128 bits
2642 // Roll it into the result
2645 }
2647 /* --- ... and ... 32Fx4 versions of the same --- */
2649 static
2651 {
2652 /* Same scheme as unary32Fx4_w_rm. */
2654 // PCast the RM, and widen it to 128 bits
2656 // Roll it into the result
2659 }
2662 /* --- --- Vector saturated narrowing --- --- */
2664 /* We used to do something very clever here, but on closer inspection
2665 (2011-Jun-15), and in particular bug #279698, it turns out to be
2666 wrong. Part of the problem came from the fact that for a long
2667 time, the IR primops to do with saturated narrowing were
2668 underspecified and managed to confuse multiple cases which needed
2669 to be separate: the op names had a signedness qualifier, but in
2670 fact the source and destination signednesses needed to be specified
2671 independently, so the op names really need two independent
2672 signedness specifiers.
2674 As of 2011-Jun-15 (ish) the underspecification was sorted out
2675 properly. The incorrect instrumentation remained, though. That
2676 has now (2011-Oct-22) been fixed.
2678 What we now do is simple:
2680 Let the original narrowing op be QNarrowBinXtoYxZ, where Z is a
2681 number of lanes, X is the source lane width and signedness, and Y
2682 is the destination lane width and signedness. In all cases the
2683 destination lane width is half the source lane width, so the names
2684 have a bit of redundancy, but are at least easy to read.
2686 For example, Iop_QNarrowBin32Sto16Ux8 narrows 8 lanes of signed 32s
2687 to unsigned 16s.
2689 Let Vanilla(OP) be a function that takes OP, one of these
2690 saturating narrowing ops, and produces the same "shaped" narrowing
2691 op which is not saturating, but merely dumps the most significant
2692 bits. "same shape" means that the lane numbers and widths are the
2693 same as with OP.
2695 For example, Vanilla(Iop_QNarrowBin32Sto16Ux8)
2696 = Iop_NarrowBin32to16x8,
2697 that is, narrow 8 lanes of 32 bits to 8 lanes of 16 bits, by
2698 dumping the top half of each lane.
2700 So, with that in place, the scheme is simple, and it is simple to
2701 pessimise each lane individually and then apply Vanilla(OP) so as
2702 to get the result in the right "shape". If the original OP is
2703 QNarrowBinXtoYxZ then we produce
2705 Vanilla(OP)( PCast-X-to-X-x-Z(vatom1), PCast-X-to-X-x-Z(vatom2) )
2707 or for the case when OP is unary (Iop_QNarrowUn*)
2709 Vanilla(OP)( PCast-X-to-X-x-Z(vatom) )
2710 */
2711 static
2713 {
2715 /* Binary: (128, 128) -> 128 */
2726 /* Binary: (64, 64) -> 64 */
2732 /* Unary: 128 -> 64 */
2749 }
2750 }
2752 static
2755 {
2768 }
2776 }
2778 static
2781 {
2789 }
2797 }
2799 static
2802 {
2806 /* For vanilla narrowing (non-saturating), we can just apply
2807 the op directly to the V bits. */
2817 }
2818 /* Plan B: for ops that involve a saturation operation on the args,
2819 we must PCast before the vanilla narrow. */
2831 }
2836 }
2838 static
2841 {
2853 }
2858 }
2861 /* --- --- Vector integer arithmetic --- --- */
2863 /* Simple ... UifU the args and per-lane pessimise the results. */
2865 /* --- V256-bit versions --- */
2867 static
2869 {
2874 }
2876 static
2878 {
2883 }
2885 static
2887 {
2892 }
2894 static
2896 {
2901 }
2903 /* --- V128-bit versions --- */
2905 static
2907 {
2912 }
2914 static
2916 {
2921 }
2923 static
2925 {
2930 }
2932 static
2934 {
2939 }
2941 static
2943 {
2948 }
2950 /* --- 64-bit versions --- */
2952 static
2954 {
2959 }
2961 static
2963 {
2968 }
2970 static
2972 {
2977 }
2979 static
2981 {
2986 }
2988 /* --- 32-bit versions --- */
2990 static
2992 {
2997 }
2999 static
3001 {
3006 }
3009 /*------------------------------------------------------------*/
3010 /*--- Generate shadow values from all kinds of IRExprs. ---*/
3011 /*------------------------------------------------------------*/
3013 static
3015 IROp op,
3018 {
3041 /* I32(rm) x F64 x F64 x F64 -> F64 */
3046 /* I32(rm) x F32 x F32 x F32 -> F32 */
3053 /* I32(rm) x F128 x F128 x F128 -> F128 */
3056 /* V256-bit data-steering */
3061 /* I32/I64 x I8 x I8 x I8 -> I32/I64 */
3069 }
3070 }
3073 static
3075 IROp op,
3077 {
3101 /* I32(rm) x F128/D128 x F128/D128 -> F128/D128 */
3122 /* I32(rm) x F64/D64 x F64/D64 -> F64/D64 */
3126 /* I32(rm) x F64 x F64 -> I32 */
3132 /* I32(rm) x F32 x F32 -> I32 */
3135 /* IRRoundingMode(I32) x I8 x D64 -> D64 */
3138 /* IRRoundingMode(I32) x I8 x D128 -> D128 */
3141 /* (V128, V128, I8) -> V128 */
3145 /* (I64, I64, I8) -> I64 */
3162 /* (V128, V128, V128) -> V128 */
3165 mce,
3168 );
3170 /* Vector FP with rounding mode as the first arg */
3212 }
3213 }
3216 static
3218 IROp op,
3221 {
3222 IRType and_or_ty;
3238 /* 32-bit SIMD */
3264 /* 64-bit SIMD */
3275 /* Same scheme as with all other shifts. */
3436 );
3445 );
3454 );
3456 /* 64-bit data-steering */
3483 /* Perm8x8: rearrange values in left arg using steering values
3484 from right arg. So rearrange the vbits in the same way but
3485 pessimise wrt steering values. */
3488 mce,
3491 );
3493 /* V128-bit SIMD */
3512 /* Same scheme as with all other shifts. Note: 22 Oct 05:
3513 this is wrong now, scalar shifts are done properly lazily.
3514 Vector shifts should be fixed too. */
3518 /* V x V shifts/rotates are done using the standard lazy scheme. */
3519 /* For the non-rounding variants of bi-di vector x vector
3520 shifts (the Iop_Sh.. ops, that is) we use the lazy scheme.
3521 But note that this is overly pessimistic, because in fact only
3522 the bottom 8 bits of each lane of the second argument are taken
3523 into account when shifting. So really we ought to ignore
3524 undefinedness in bits 8 and above of each lane in the
3525 second argument. */
3536 );
3548 );
3560 );
3572 );
3574 /* For the rounding variants of bi-di vector x vector shifts, the
3575 rounding adjustment can cause undefinedness to propagate through
3576 the entire lane, in the worst case. Too complex to handle
3577 properly .. just UifU the arguments and then PCast them.
3578 Suboptimal but safe. */
3811 /* Q-and-Qshift-by-imm-and-narrow of the form (V128, I8) -> V128.
3812 To make this simpler, do the following:
3813 * complain if the shift amount (the I8) is undefined
3814 * pcast each lane at the wide width
3815 * truncate each lane to half width
3816 * pcast the resulting 64-bit value to a single bit and use
3817 that as the least significant bit of the upper half of the
3818 result. */
3837 {
3870 }
3872 // Pessimised shift result
3873 IRAtom* shV
3875 // Narrowed, pessimised shift result
3876 IRAtom* shVnarrowed
3878 // Generates: Def--(63)--Def PCast-to-I1(narrowed)
3880 // and assemble the result
3883 }
3918 /* V128-bit data-steering */
3963 /* Perm8x16: rearrange values in left arg using steering values
3964 from right arg. So rearrange the vbits in the same way but
3965 pessimise wrt steering values. Perm32x4 ditto. */
3968 mce,
3971 );
3974 mce,
3977 );
3979 /* These two take the lower half of each 16-bit lane, sign/zero
3980 extend it to 32, and multiply together, producing a 32x4
3981 result (and implicitly ignoring half the operand bits). So
3982 treat it as a bunch of independent 16x8 operations, but then
3983 do 32-bit shifts left-right to copy the lower half results
3984 (which are all 0s or all 1s due to PCasting in binary16Ix8)
3985 into the upper half of each result lane. */
3993 }
3995 /* Same deal as Iop_MullEven16{S,U}x8 */
4003 }
4005 /* Same deal as Iop_MullEven16{S,U}x8 */
4013 }
4015 /* narrow 2xV128 into 1xV128, hi half from left arg, in a 2 x
4016 32x4 -> 16x8 laneage, discarding the upper half of each lane.
4017 Simply apply same op to the V bits, since this really no more
4018 than a data steering operation. */
4029 /* Same scheme as with all other shifts. Note: 10 Nov 05:
4030 this is wrong now, scalar shifts are done properly lazily.
4031 Vector shifts should be fixed too. */
4039 /* SHA Iops */
4045 /* I128-bit data-steering */
4049 /* V256-bit SIMD */
4059 /* V256-bit data-steering */
4063 /* Scalar floating point */
4067 /* I32(rm) x F32 -> I64 */
4071 /* I32(rm) x I64 -> F32 */
4086 /* I32(rm) x I64/F64 -> I64/F64 */
4092 /* I32(rm) x D64 -> D64 */
4098 /* I32(rm) x D128 -> D128 */
4102 /* I32(rm) x F128 -> F128 */
4109 /* I32(rm) x I64/D64 -> D64/I64 */
4118 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D32/F32 */
4127 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D64/F64 */
4136 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D128/F128 */
4142 /* I32(rm) x I32/F32 -> I32/F32 */
4146 /* I32(rm) x F128 -> F128 */
4153 /* First arg is I32 (rounding mode), second is F32/I32 (data). */
4158 /* First arg is I32 (rounding mode), second is F64/F32 (data). */
4191 /* First arg is I32 (rounding mode), second is F64/D64 (data). */
4195 /* First arg is I32 (rounding mode), second is D64 (data). */
4199 /* First arg is I32 (rounding mode), second is F64 (data). */
4203 /* I64 x I64 -> D64 */
4207 /* I64 x I128 -> D128 */
4221 /* F32 x F32 -> F32 */
4226 /* F64 x F64 -> F64 */
4229 /* non-FP after here */
4251 }
4259 }
4266 }
4274 }
4282 }
4289 }
4313 }
4321 }
4323 cheap_AddSub32:
4340 }
4348 }
4350 cheap_AddSub64:
4364 ////---- CmpXX64
4368 else
4371 expensive_cmp64:
4375 cheap_cmp64:
4380 ////---- CmpXX32
4384 else
4387 expensive_cmp32:
4391 cheap_cmp32:
4396 ////---- CmpXX16
4400 else
4403 expensive_cmp16:
4407 cheap_cmp16:
4410 ////---- CmpXX8
4414 else
4417 expensive_cmp8:
4420 cheap_cmp8:
4423 ////---- end CmpXX{64,32,16,8}
4429 /* Just say these all produce a defined result, regardless
4430 of their arguments. See COMMENT_ON_CasCmpEQ in this file. */
4483 do_And_Or:
4484 return
4487 and_or_ty,
4505 /* V256-bit SIMD */
4515 /* Same scheme as with all other shifts. Note: 22 Oct 05:
4516 this is wrong now, scalar shifts are done properly lazily.
4517 Vector shifts should be fixed too. */
4571 /* Perm32x8: rearrange values in left arg using steering values
4572 from right arg. So rearrange the vbits in the same way but
4573 pessimise wrt steering values. */
4576 mce,
4579 );
4581 /* Q-and-Qshift-by-vector of the form (V128, V128) -> V256.
4582 Handle the shifted results in the same way that other
4583 binary Q ops are handled, eg QSub: UifU the two args,
4584 then pessimise -- which is binaryNIxM. But for the upper
4585 V128, we require to generate just 1 bit which is the
4586 pessimised shift result, with 127 defined zeroes above it.
4588 Note that this overly pessimistic in that in fact only the
4589 bottom 8 bits of each lane of the second arg determine the shift
4590 amount. Really we ought to ignore any undefinedness in the
4591 rest of the lanes of the second arg. */
4600 {
4601 // The function to generate the pessimised shift result
4630 }
4632 // Pessimised shift result, shV[127:0]
4634 // Generates: Def--(127)--Def PCast-to-I1(shV)
4636 // and assemble the result
4639 }
4644 }
4645 }
4648 static
4650 {
4651 /* For the widening operations {8,16,32}{U,S}to{16,32,64}, the
4652 selection of shadow operation implicitly duplicates the logic in
4653 do_shadow_LoadG and should be kept in sync (in the very unlikely
4654 event that the interpretation of such widening ops changes in
4655 future). See comment in do_shadow_LoadG. */
4997 }
4998 }
5001 /* Worker function -- do not call directly. See comments on
5002 expr2vbits_Load for the meaning of |guard|.
5004 Generates IR to (1) perform a definedness test of |addr|, (2)
5005 perform a validity test of |addr|, and (3) return the Vbits for the
5006 location indicated by |addr|. All of this only happens when
5007 |guard| is NULL or |guard| evaluates to True at run time.
5009 If |guard| evaluates to False at run time, the returned value is
5010 the IR-mandated 0x55..55 value, and no checks nor shadow loads are
5011 performed.
5013 The definedness of |guard| itself is not checked. That is assumed
5014 to have been done before this point, by the caller. */
5015 static
5019 {
5023 /* First, emit a definedness test for the address. This also sets
5024 the address (shadow) to 'defined' following the test. */
5027 /* Now cook up a call to the relevant helper function, to read the
5028 data V bits from shadow memory. */
5059 }
5084 }
5085 }
5090 /* Generate the actual address into addrAct. */
5095 IROp mkAdd;
5102 }
5104 /* We need to have a place to park the V bits we're just about to
5105 read. */
5108 /* Here's the call. */
5120 }
5125 /* Ideally the didn't-happen return value here would be all-ones
5126 (all-undefined), so it'd be obvious if it got used
5127 inadvertently. We can get by with the IR-mandated default
5128 value (0b01 repeating, 0x55 etc) as that'll still look pretty
5129 undefined if it ever leaks out. */
5130 }
5134 }
5137 /* Generate IR to do a shadow load. The helper is expected to check
5138 the validity of the address and return the V bits for that address.
5139 This can optionally be controlled by a guard, which is assumed to
5140 be True if NULL. In the case where the guard is False at runtime,
5141 the helper will return the didn't-do-the-call value of 0x55..55.
5142 Since that means "completely undefined result", the caller of
5143 this function will need to fix up the result somehow in that
5144 case.
5146 Caller of this function is also expected to have checked the
5147 definedness of |guard| before this point.
5148 */
5149 static
5154 {
5166 }
5167 }
5170 /* The most general handler for guarded loads. Assumes the
5171 definedness of GUARD has already been checked by the caller. A
5172 GUARD of NULL is assumed to mean "always True". Generates code to
5173 check the definedness and validity of ADDR.
5175 Generate IR to do a shadow load from ADDR and return the V bits.
5176 The loaded type is TY. The loaded data is then (shadow) widened by
5177 using VWIDEN, which can be Iop_INVALID to denote a no-op. If GUARD
5178 evaluates to False at run time then the returned Vbits are simply
5179 VALT instead. Note therefore that the argument type of VWIDEN must
5180 be TY and the result type of VWIDEN must equal the type of VALT.
5181 */
5182 static
5188 {
5189 /* Sanity check the conversion operation, and also set TYWIDE. */
5200 }
5202 /* If the guard evaluates to True, this will hold the loaded V bits
5203 at TY. If the guard evaluates to False, this will be all
5204 ones, meaning "all undefined", in which case we will have to
5205 replace it using an ITE below. */
5206 IRAtom* iftrue1
5209 /* Now (shadow-) widen the loaded V bits to the desired width. In
5210 the guard-is-False case, the allowable widening operators will
5211 in the worst case (unsigned widening) at least leave the
5212 pre-widened part as being marked all-undefined, and in the best
5213 case (signed widening) mark the whole widened result as
5214 undefined. Anyway, it doesn't matter really, since in this case
5215 we will replace said value with the default value |valt| using an
5216 ITE. */
5217 IRAtom* iftrue2
5219 ? iftrue1
5221 /* These are the V bits we will return if the load doesn't take
5222 place. */
5223 IRAtom* iffalse
5225 /* Prepare the cond for the ITE. Convert a NULL cond into
5226 something that iropt knows how to fold out later. */
5227 IRAtom* cond
5229 /* And assemble the final result. */
5231 }
5234 /* A simpler handler for guarded loads, in which there is no
5235 conversion operation, and the default V bit return (when the guard
5236 evaluates to False at runtime) is "all defined". If there is no
5237 guard expression or the guard is always TRUE this function behaves
5238 like expr2vbits_Load. It is assumed that definedness of GUARD has
5239 already been checked at the call site. */
5240 static
5245 {
5248 );
5249 }
5252 static
5255 {
5257 IRType ty;
5258 /* Given ITE(cond, iftrue, iffalse), generate
5259 ITE(cond, iftrue#, iffalse#) `UifU` PCast(cond#)
5260 That is, steer the V bits like the originals, but trash the
5261 result if the steering value is undefined. This gives
5262 lazy propagation. */
5272 return
5276 }
5278 /* --------- This is the main expression-handling function. --------- */
5280 static
5283 {
5301 mce,
5305 );
5309 mce,
5313 );
5317 mce,
5320 hu
5321 );
5346 }
5347 }
5350 /*------------------------------------------------------------*/
5351 /*--- Generate shadow stmts from all kinds of IRStmts. ---*/
5352 /*------------------------------------------------------------*/
5354 /* Widen a value to the host word size. */
5356 static
5358 {
5361 /* vatom is vbits-value and as such can only have a shadow type. */
5377 }
5391 }
5394 }
5395 unhandled:
5398 }
5401 /* Generate a shadow store. |addr| is always the original address
5402 atom. You can pass in either originals or V-bits for the data
5403 atom, but obviously not both. This function generates a check for
5404 the definedness and (indirectly) the validity of |addr|, but only
5405 when |guard| evaluates to True at run time (or is NULL).
5407 |guard| :: Ity_I1 controls whether the store really happens; NULL
5408 means it unconditionally does. Note that |guard| itself is not
5409 checked for definedness; the caller of this function must do that
5410 if necessary.
5411 */
5412 static
5414 IREndness end,
5418 {
5419 IROp mkAdd;
5437 }
5445 }
5449 // If we're not doing undefined value checking, pretend that this value
5450 // is "all valid". That lets Vex's optimiser remove some of the V bit
5451 // shadow computation ops that precede it.
5463 }
5465 }
5467 /* First, emit a definedness test for the address. This also sets
5468 the address (shadow) to 'defined' following the test. Both of
5469 those actions are gated on |guard|. */
5472 /* Now decide which helper function to call to write the data V
5473 bits into shadow memory. */
5491 }
5507 /* Note, no V256 case here, because no big-endian target that
5508 we support, has 256 vectors. */
5510 }
5511 }
5515 /* V256-bit case -- phrased in terms of 64 bit units (Qs), with
5516 Q3 being the most significant lane. */
5517 /* These are the offsets of the Qs in memory. */
5520 /* Various bits for constructing the 4 lane helper calls */
5530 }
5539 );
5548 );
5557 );
5566 );
5580 }
5583 /* V128-bit case */
5584 /* See comment in next clause re 64-bit regparms */
5585 /* also, need to be careful about endianness */
5599 }
5608 );
5616 );
5629 /* 8/16/32/64-bit cases */
5630 /* Generate the actual address into addrAct. */
5636 }
5639 /* We can't do this with regparm 2 on 32-bit platforms, since
5640 the back ends aren't clever enough to handle 64-bit
5641 regparm args. Therefore be different. */
5646 );
5653 );
5654 }
5658 }
5660 }
5663 /* Do lazy pessimistic propagation through a dirty helper call, by
5664 looking at the annotations on it. This is the most complex part of
5665 Memcheck. */
5668 {
5675 }
5676 }
5678 static
5680 {
5684 IRTemp dst;
5685 IREndness end;
5687 /* What's the native endianness? We need to know this. */
5688 # if defined(VG_BIGENDIAN)
5690 # elif defined(VG_LITTLEENDIAN)
5692 # else
5694 # endif
5696 /* First check the guard. */
5699 /* Now round up all inputs and PCast over them. */
5702 /* Inputs: unmasked args
5703 Note: arguments are evaluated REGARDLESS of the guard expression */
5708 /* ignore this arg */
5712 }
5713 }
5715 /* Inputs: guest state that we read. */
5721 /* Enumerate the described state segments */
5726 /* Ignore any sections marked as 'always defined'. */
5732 }
5734 /* This state element is read or modified. So we need to
5735 consider it. If larger than 8 bytes, deal with it in
5736 8-byte chunks. */
5741 /* update 'curr' with UifU of the state slice
5742 gOff .. gOff+n-1 */
5745 /* Observe the guard expression. If it is false use an
5746 all-bits-defined bit pattern */
5759 }
5760 }
5761 }
5763 /* Inputs: memory. First set up some info needed regardless of
5764 whether we're doing reads or writes. */
5767 /* Because we may do multiple shadow loads/stores from the same
5768 base address, it's best to do a single test of its
5769 definedness right now. Post-instrumentation optimisation
5770 should remove all but this test. */
5771 IRType tyAddr;
5778 }
5780 /* Deal with memory inputs (reads or modifies) */
5783 /* chew off 32-bit chunks. We don't care about the endianness
5784 since it's all going to be condensed down to a single bit,
5785 but nevertheless choose an endianness which is hopefully
5786 native to the platform. */
5792 );
5795 }
5796 /* chew off 16-bit chunks */
5802 );
5805 }
5806 /* chew off the remaining 8-bit chunk, if any */
5812 );
5815 }
5817 }
5819 /* Whew! So curr is a 32-bit V-value summarising pessimistically
5820 all the inputs to the helper. Now we need to re-distribute the
5821 results to all destinations. */
5823 /* Outputs: the destination temporary, if there is one. */
5828 }
5830 /* Outputs: guest state that we write or modify. */
5836 /* Enumerate the described state segments */
5841 /* Ignore any sections marked as 'always defined'. */
5845 /* This state element is written or modified. So we need to
5846 consider it. If larger than 8 bytes, deal with it in
5847 8-byte chunks. */
5852 /* Write suitably-casted 'curr' to the state slice
5853 gOff .. gOff+n-1 */
5860 }
5861 }
5862 }
5864 /* Outputs: memory that we write or modify. Same comments about
5865 endianness as above apply. */
5868 /* chew off 32-bit chunks */
5875 }
5876 /* chew off 16-bit chunks */
5883 }
5884 /* chew off the remaining 8-bit chunk, if any */
5891 }
5893 }
5895 }
5898 /* We have an ABI hint telling us that [base .. base+len-1] is to
5899 become undefined ("writable"). Generate code to call a helper to
5900 notify the A/V bit machinery of this fact.
5902 We call
5903 void MC_(helperc_MAKE_STACK_UNINIT) ( Addr base, UWord len,
5904 Addr nia );
5905 */
5906 static
5908 {
5917 );
5919 /* We ignore the supplied nia, since it is irrelevant. */
5921 /* Special-case the len==128 case, since that is for amd64-ELF,
5922 which is a very common target. */
5929 );
5936 );
5937 }
5938 }
5941 }
5944 /* ------ Dealing with IRCAS (big and complex) ------ */
5946 /* FWDS */
5958 /* Either ORIG and SHADOW are both IRExpr.RdTmps, or they are both
5959 IRExpr.Consts, else this asserts. If they are both Consts, it
5960 doesn't do anything. So that just leaves the RdTmp case.
5962 In which case: this assigns the shadow value SHADOW to the IR
5963 shadow temporary associated with ORIG. That is, ORIG, being an
5964 original temporary, will have a shadow temporary associated with
5965 it. However, in the case envisaged here, there will so far have
5966 been no IR emitted to actually write a shadow value into that
5967 temporary. What this routine does is to (emit IR to) copy the
5968 value in SHADOW into said temporary, so that after this call,
5969 IRExpr.RdTmps of ORIG's shadow temp will correctly pick up the
5970 value in SHADOW.
5972 Point is to allow callers to compute "by hand" a shadow value for
5973 ORIG, and force it to be associated with ORIG.
5975 How do we know that that shadow associated with ORIG has not so far
5976 been assigned to? Well, we don't per se know that, but supposing
5977 it had. Then this routine would create a second assignment to it,
5978 and later the IR sanity checker would barf. But that never
5979 happens. QED.
5980 */
5984 {
5995 shadow);
5999 shadow);
6000 }
6004 }
6005 }
6008 static
6010 {
6011 /* Scheme is (both single- and double- cases):
6013 1. fetch data#,dataB (the proposed new value)
6015 2. fetch expd#,expdB (what we expect to see at the address)
6017 3. check definedness of address
6019 4. load old#,oldB from shadow memory; this also checks
6020 addressibility of the address
6022 5. the CAS itself
6024 6. compute "expected == old". See COMMENT_ON_CasCmpEQ below.
6026 7. if "expected == old" (as computed by (6))
6027 store data#,dataB to shadow memory
6029 Note that 5 reads 'old' but 4 reads 'old#'. Similarly, 5 stores
6030 'data' but 7 stores 'data#'. Hence it is possible for the
6031 shadow data to be incorrectly checked and/or updated:
6033 * 7 is at least gated correctly, since the 'expected == old'
6034 condition is derived from outputs of 5. However, the shadow
6035 write could happen too late: imagine after 5 we are
6036 descheduled, a different thread runs, writes a different
6037 (shadow) value at the address, and then we resume, hence
6038 overwriting the shadow value written by the other thread.
6040 Because the original memory access is atomic, there's no way to
6041 make both the original and shadow accesses into a single atomic
6042 thing, hence this is unavoidable.
6044 At least as Valgrind stands, I don't think it's a problem, since
6045 we're single threaded *and* we guarantee that there are no
6046 context switches during the execution of any specific superblock
6047 -- context switches can only happen at superblock boundaries.
6049 If Valgrind ever becomes MT in the future, then it might be more
6050 of a problem. A possible kludge would be to artificially
6051 associate with the location, a lock, which we must acquire and
6052 release around the transaction as a whole. Hmm, that probably
6053 would't work properly since it only guards us against other
6054 threads doing CASs on the same location, not against other
6055 threads doing normal reads and writes.
6057 ------------------------------------------------------------
6059 COMMENT_ON_CasCmpEQ:
6061 Note two things. Firstly, in the sequence above, we compute
6062 "expected == old", but we don't check definedness of it. Why
6063 not? Also, the x86 and amd64 front ends use
6064 Iop_CasCmp{EQ,NE}{8,16,32,64} comparisons to make the equivalent
6065 determination (expected == old ?) for themselves, and we also
6066 don't check definedness for those primops; we just say that the
6067 result is defined. Why? Details follow.
6069 x86/amd64 contains various forms of locked insns:
6070 * lock prefix before all basic arithmetic insn;
6071 eg lock xorl %reg1,(%reg2)
6072 * atomic exchange reg-mem
6073 * compare-and-swaps
6075 Rather than attempt to represent them all, which would be a
6076 royal PITA, I used a result from Maurice Herlihy
6077 (http://en.wikipedia.org/wiki/Maurice_Herlihy), in which he
6078 demonstrates that compare-and-swap is a primitive more general
6079 than the other two, and so can be used to represent all of them.
6080 So the translation scheme for (eg) lock incl (%reg) is as
6081 follows:
6083 again:
6084 old = * %reg
6085 new = old + 1
6086 atomically { if (* %reg == old) { * %reg = new } else { goto again } }
6088 The "atomically" is the CAS bit. The scheme is always the same:
6089 get old value from memory, compute new value, atomically stuff
6090 new value back in memory iff the old value has not changed (iow,
6091 no other thread modified it in the meantime). If it has changed
6092 then we've been out-raced and we have to start over.
6094 Now that's all very neat, but it has the bad side effect of
6095 introducing an explicit equality test into the translation.
6096 Consider the behaviour of said code on a memory location which
6097 is uninitialised. We will wind up doing a comparison on
6098 uninitialised data, and mc duly complains.
6100 What's difficult about this is, the common case is that the
6101 location is uncontended, and so we're usually comparing the same
6102 value (* %reg) with itself. So we shouldn't complain even if it
6103 is undefined. But mc doesn't know that.
6105 My solution is to mark the == in the IR specially, so as to tell
6106 mc that it almost certainly compares a value with itself, and we
6107 should just regard the result as always defined. Rather than
6108 add a bit to all IROps, I just cloned Iop_CmpEQ{8,16,32,64} into
6109 Iop_CasCmpEQ{8,16,32,64} so as not to disturb anything else.
6111 So there's always the question of, can this give a false
6112 negative? eg, imagine that initially, * %reg is defined; and we
6113 read that; but then in the gap between the read and the CAS, a
6114 different thread writes an undefined (and different) value at
6115 the location. Then the CAS in this thread will fail and we will
6116 go back to "again:", but without knowing that the trip back
6117 there was based on an undefined comparison. No matter; at least
6118 the other thread won the race and the location is correctly
6119 marked as undefined. What if it wrote an uninitialised version
6120 of the same value that was there originally, though?
6122 etc etc. Seems like there's a small corner case in which we
6123 might lose the fact that something's defined -- we're out-raced
6124 in between the "old = * reg" and the "atomically {", _and_ the
6125 other thread is writing in an undefined version of what's
6126 already there. Well, that seems pretty unlikely.
6128 ---
6130 If we ever need to reinstate it .. code which generates a
6131 definedness test for "expected == old" was removed at r10432 of
6132 this file.
6133 */
6138 }
6139 }
6143 {
6148 IROp opCasCmpEQ;
6149 Int elemSzB;
6150 IRType elemTy;
6153 /* single CAS */
6165 }
6167 /* 1. fetch data# (the proposed new value) */
6169 vdataLo
6173 bdataLo
6176 }
6178 /* 2. fetch expected# (what we expect to see at the address) */
6180 vexpdLo
6184 bexpdLo
6187 }
6189 /* 3. check definedness of address */
6190 /* 4. fetch old# from shadow memory; this also checks
6191 addressibility of the address */
6192 voldLo
6196 mce,
6198 NULL/*always happens*/
6199 ));
6202 boldLo
6206 }
6208 /* 5. the CAS itself */
6211 /* 6. compute "expected == old" */
6212 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6213 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6214 tree, but it's not copied from the input block. */
6215 expd_eq_old
6219 /* 7. if "expected == old"
6220 store data# to shadow memory */
6228 }
6229 }
6233 {
6244 IRType elemTy;
6247 /* double CAS */
6272 }
6274 /* 1. fetch data# (the proposed new value) */
6277 vdataHi
6279 vdataLo
6284 bdataHi
6286 bdataLo
6290 }
6292 /* 2. fetch expected# (what we expect to see at the address) */
6295 vexpdHi
6297 vexpdLo
6302 bexpdHi
6304 bexpdLo
6308 }
6310 /* 3. check definedness of address */
6311 /* 4. fetch old# from shadow memory; this also checks
6312 addressibility of the address */
6320 }
6321 voldHi
6325 mce,
6327 NULL/*always happens*/
6328 ));
6329 voldLo
6333 mce,
6335 NULL/*always happens*/
6336 ));
6340 boldHi
6344 boldLo
6350 }
6352 /* 5. the CAS itself */
6355 /* 6. compute "expected == old" */
6356 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6357 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6358 tree, but it's not copied from the input block. */
6359 /*
6360 xHi = oldHi ^ expdHi;
6361 xLo = oldLo ^ expdLo;
6362 xHL = xHi | xLo;
6363 expd_eq_old = xHL == 0;
6364 */
6371 expd_eq_old
6375 /* 7. if "expected == old"
6376 store data# to shadow memory */
6390 }
6391 }
6394 /* ------ Dealing with LL/SC (not difficult) ------ */
6397 IREndness stEnd,
6398 IRTemp stResult,
6401 {
6402 /* In short: treat a load-linked like a normal load followed by an
6403 assignment of the loaded (shadow) data to the result temporary.
6404 Treat a store-conditional like a normal store, and mark the
6405 result temporary as defined. */
6414 /* Load Linked */
6415 /* Just treat this as a normal load, followed by an assignment of
6416 the value to .result. */
6417 /* Stay sane */
6425 /* Store Conditional */
6426 /* Stay sane */
6428 stStoredata);
6433 stStoredata,
6436 /* This is a store conditional, so it writes to .result a value
6437 indicating whether or not the store succeeded. Just claim
6438 this value is always defined. In the PowerPC interpretation
6439 of store-conditional, definedness of the success indication
6440 depends on whether the address of the store matches the
6441 reservation address. But we can't tell that here (and
6442 anyway, we're not being PowerPC-specific). At least we are
6443 guaranteed that the definedness of the store address, and its
6444 addressibility, will be checked as per normal. So it seems
6445 pretty safe to just say that the success indication is always
6446 defined.
6448 In schemeS, for origin tracking, we must correspondingly set
6449 a no-origin value for the origin shadow of .result.
6450 */
6453 }
6454 }
6457 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
6460 {
6462 /* do_shadow_Store will generate code to check the definedness and
6463 validity of sg->addr, in the case where sg->guard evaluates to
6464 True at run-time. */
6470 }
6473 {
6475 /* expr2vbits_Load_guarded_General will generate code to check the
6476 definedness and validity of lg->addr, in the case where
6477 lg->guard evaluates to True at run-time. */
6479 /* Look at the LoadG's built-in conversion operation, to determine
6480 the source (actual loaded data) type, and the equivalent IROp.
6481 NOTE that implicitly we are taking a widening operation to be
6482 applied to original atoms and producing one that applies to V
6483 bits. Since signed and unsigned widening are self-shadowing,
6484 this is a straight copy of the op (modulo swapping from the
6485 IRLoadGOp form to the IROp form). Note also therefore that this
6486 implicitly duplicates the logic to do with said widening ops in
6487 expr2vbits_Unop. See comment at the start of expr2vbits_Unop. */
6499 }
6501 IRAtom* vbits_alt
6503 IRAtom* vbits_final
6507 /* And finally, bind the V bits to the destination temporary. */
6509 }
6512 /*------------------------------------------------------------*/
6513 /*--- Origin tracking stuff ---*/
6514 /*------------------------------------------------------------*/
6516 /* Almost identical to findShadowTmpV. */
6518 {
6520 /* VG_(indexXA) range-checks 'orig', hence no need to check
6521 here. */
6525 IRTemp tmpB
6527 /* newTemp may cause mce->tmpMap to resize, hence previous results
6528 from VG_(indexXA) are invalid. */
6533 }
6535 }
6538 {
6540 }
6543 /* Make a guarded origin load, with no special handling in the
6544 didn't-happen case. A GUARD of NULL is assumed to mean "always
6545 True".
6547 Generate IR to do a shadow origins load from BASEADDR+OFFSET and
6548 return the otag. The loaded size is SZB. If GUARD evaluates to
6549 False at run time then the returned otag is zero.
6550 */
6554 {
6557 IRTemp bTmp;
6566 }
6591 }
6595 );
6598 /* Ideally the didn't-happen return value here would be
6599 all-zeroes (unknown-origin), so it'd be harmless if it got
6600 used inadvertently. We slum it out with the IR-mandated
6601 default value (0b01 repeating, 0x55 etc) as that'll probably
6602 trump all legitimate otags via Max32, and it's pretty
6603 obviously bogus. */
6604 }
6605 /* no need to mess with any annotations. This call accesses
6606 neither guest state nor guest memory. */
6609 /* 64-bit host */
6614 /* 32-bit host */
6616 }
6617 }
6620 /* Generate IR to do a shadow origins load from BASEADDR+OFFSET. The
6621 loaded size is SZB. The load is regarded as unconditional (always
6622 happens).
6623 */
6625 Int offset )
6626 {
6628 }
6631 /* The most general handler for guarded origin loads. A GUARD of NULL
6632 is assumed to mean "always True".
6634 Generate IR to do a shadow origin load from ADDR+BIAS and return
6635 the B bits. The loaded type is TY. If GUARD evaluates to False at
6636 run time then the returned B bits are simply BALT instead.
6637 */
6638 static
6640 IRType ty,
6643 {
6644 /* If the guard evaluates to True, this will hold the loaded
6645 origin. If the guard evaluates to False, this will be zero,
6646 meaning "unknown origin", in which case we will have to replace
6647 it using an ITE below. */
6648 IRAtom* iftrue
6652 /* These are the bits we will return if the load doesn't take
6653 place. */
6654 IRAtom* iffalse
6656 /* Prepare the cond for the ITE. Convert a NULL cond into
6657 something that iropt knows how to fold out later. */
6658 IRAtom* cond
6660 /* And assemble the final result. */
6662 }
6665 /* Generate a shadow origins store. guard :: Ity_I1 controls whether
6666 the store really happens; NULL means it unconditionally does. */
6670 {
6680 }
6685 }
6710 }
6714 );
6715 /* no need to mess with any annotations. This call accesses
6716 neither guest state nor guest memory. */
6719 }
6728 }
6736 }
6740 {
6749 IRType equivIntTy
6751 /* If this array is unshadowable for whatever reason, use the
6752 usual approximation. */
6759 /* Do a shadow indexed get of the same size, giving t1. Take
6760 the bottom 32 bits of it, giving t2. Compute into t3 the
6761 origin for the index (almost certainly zero, but there's
6762 no harm in being completely general here, since iropt will
6763 remove any useless code), and fold it in, giving a final
6764 value t4. */
6772 }
6774 Int i;
6781 /* Only take notice of this arg if the callee's
6782 mc-exclusion mask does not say it is to be excluded. */
6784 /* the arg is to be excluded from definedness checking.
6785 Do nothing. */
6789 /* calculate the arg's definedness, and pessimistically
6790 merge it in. */
6793 }
6794 }
6796 }
6798 Int dszB;
6800 /* assert that the B value for the address is already
6801 available (somewhere) */
6805 }
6811 }
6819 }
6825 }
6832 /* Just say these all produce a defined result,
6833 regardless of their arguments. See
6834 COMMENT_ON_CasCmpEQ in this file. */
6840 }
6841 }
6843 /*NOTREACHED*/
6844 }
6848 }
6857 );
6861 /* FIXME: this isn't an atom! */
6863 Ity_I32 );
6864 }
6866 }
6871 }
6872 }
6876 {
6877 // This is a hacked version of do_shadow_Dirty
6880 IRTemp dst;
6882 /* First check the guard. */
6885 /* Now round up all inputs and maxU32 over them. */
6887 /* Inputs: unmasked args
6888 Note: arguments are evaluated REGARDLESS of the guard expression */
6893 /* ignore this arg */
6897 }
6898 }
6900 /* Inputs: guest state that we read. */
6906 /* Enumerate the described state segments */
6911 /* Ignore any sections marked as 'always defined'. */
6917 }
6919 /* This state element is read or modified. So we need to
6920 consider it. If larger than 4 bytes, deal with it in
6921 4-byte chunks. */
6923 Int b_offset;
6927 /* update 'curr' with maxU32 of the state slice
6928 gOff .. gOff+n-1 */
6931 /* Observe the guard expression. If it is false use 0, i.e.
6932 nothing is known about the origin */
6940 Ity_I32));
6944 }
6947 }
6948 }
6949 }
6951 /* Inputs: memory */
6954 /* Because we may do multiple shadow loads/stores from the same
6955 base address, it's best to do a single test of its
6956 definedness right now. Post-instrumentation optimisation
6957 should remove all but this test. */
6961 }
6963 /* Deal with memory inputs (reads or modifies) */
6966 /* chew off 32-bit chunks. We don't care about the endianness
6967 since it's all going to be condensed down to a single bit,
6968 but nevertheless choose an endianness which is hopefully
6969 native to the platform. */
6975 }
6976 /* handle possible 16-bit excess */
6982 }
6983 /* chew off the remaining 8-bit chunk, if any */
6989 }
6991 }
6993 /* Whew! So curr is a 32-bit B-value which should give an origin
6994 of some use if any of the inputs to the helper are undefined.
6995 Now we need to re-distribute the results to all destinations. */
6997 /* Outputs: the destination temporary, if there is one. */
7001 }
7003 /* Outputs: guest state that we write or modify. */
7009 /* Enumerate the described state segments */
7014 /* Ignore any sections marked as 'always defined'. */
7018 /* This state element is written or modified. So we need to
7019 consider it. If larger than 4 bytes, deal with it in
7020 4-byte chunks. */
7022 Int b_offset;
7026 /* Write 'curr' to the state slice gOff .. gOff+n-1 */
7030 /* If the guard expression evaluates to false we simply Put
7031 the value that is already stored in the guest state slot */
7039 Ity_I32));
7045 curr ));
7046 }
7049 }
7050 }
7051 }
7053 /* Outputs: memory that we write or modify. Same comments about
7054 endianness as above apply. */
7057 /* chew off 32-bit chunks */
7062 }
7063 /* handle possible 16-bit excess */
7068 }
7069 /* chew off the remaining 8-bit chunk, if any */
7074 }
7076 }
7077 }
7080 /* Generate IR for origin shadowing for a general guarded store. */
7082 IREndness stEnd,
7086 {
7087 Int dszB;
7089 /* assert that the B value for the address is already available
7090 (somewhere), since the call to schemeE will want to see it.
7091 XXXX how does this actually ensure that?? */
7097 }
7100 /* Generate IR for origin shadowing for a plain store. */
7102 IREndness stEnd,
7105 {
7108 }
7111 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7114 {
7117 }
7120 {
7131 }
7132 IRAtom* ori_alt
7134 IRAtom* ori_final
7138 /* And finally, bind the origin to the destination temporary. */
7140 }
7144 {
7150 /* The value-check instrumenter handles this - by arranging
7151 to pass the address of the next instruction to
7152 MC_(helperc_MAKE_STACK_UNINIT). This is all that needs to
7153 happen for origin tracking w.r.t. AbiHints. So there is
7154 nothing to do here. */
7162 IRType equivIntTy
7164 /* If this array is unshadowable for whatever reason,
7165 generate no code. */
7170 descr_b
7173 /* Compute a value to Put - the conjoinment of the origin for
7174 the data to be Put-ted (obviously) and of the index value
7175 (not so obviously). */
7183 }
7204 /* In short: treat a load-linked like a normal load followed
7205 by an assignment of the loaded (shadow) data the result
7206 temporary. Treat a store-conditional like a normal store,
7207 and mark the result temporary as defined. */
7209 /* Load Linked */
7210 IRType resTy
7212 IRExpr* vanillaLoad
7219 /* Store conditional */
7223 /* For the rationale behind this, see comments at the
7224 place where the V-shadow for .result is constructed, in
7225 do_shadow_LLSC. In short, we regard .result as
7226 always-defined. */
7229 }
7231 }
7234 Int b_offset
7238 );
7240 /* FIXME: this isn't an atom! */
7243 }
7245 }
7262 }
7263 }
7266 /*------------------------------------------------------------*/
7267 /*--- Post-tree-build final tidying ---*/
7268 /*------------------------------------------------------------*/
7270 /* This exploits the observation that Memcheck often produces
7271 repeated conditional calls of the form
7273 Dirty G MC_(helperc_value_check0/1/4/8_fail)(UInt otag)
7275 with the same guard expression G guarding the same helper call.
7276 The second and subsequent calls are redundant. This usually
7277 results from instrumentation of guest code containing multiple
7278 memory references at different constant offsets from the same base
7279 register. After optimisation of the instrumentation, you get a
7280 test for the definedness of the base register for each memory
7281 reference, which is kinda pointless. MC_(final_tidy) therefore
7282 looks for such repeated calls and removes all but the first. */
7285 /* With some testing on perf/bz2.c, on amd64 and x86, compiled with
7286 gcc-5.3.1 -O2, it appears that 16 entries in the array are enough to
7287 get almost all the benefits of this transformation whilst causing
7288 the slide-back case to just often enough to be verifiably
7289 correct. For posterity, the numbers are:
7291 bz2-32
7293 1 4,336 (112,212 -> 1,709,473; ratio 15.2)
7294 2 4,336 (112,194 -> 1,669,895; ratio 14.9)
7295 3 4,336 (112,194 -> 1,660,713; ratio 14.8)
7296 4 4,336 (112,194 -> 1,658,555; ratio 14.8)
7297 5 4,336 (112,194 -> 1,655,447; ratio 14.8)
7298 6 4,336 (112,194 -> 1,655,101; ratio 14.8)
7299 7 4,336 (112,194 -> 1,654,858; ratio 14.7)
7300 8 4,336 (112,194 -> 1,654,810; ratio 14.7)
7301 10 4,336 (112,194 -> 1,654,621; ratio 14.7)
7302 12 4,336 (112,194 -> 1,654,678; ratio 14.7)
7303 16 4,336 (112,194 -> 1,654,494; ratio 14.7)
7304 32 4,336 (112,194 -> 1,654,602; ratio 14.7)
7305 inf 4,336 (112,194 -> 1,654,602; ratio 14.7)
7307 bz2-64
7309 1 4,113 (107,329 -> 1,822,171; ratio 17.0)
7310 2 4,113 (107,329 -> 1,806,443; ratio 16.8)
7311 3 4,113 (107,329 -> 1,803,967; ratio 16.8)
7312 4 4,113 (107,329 -> 1,802,785; ratio 16.8)
7313 5 4,113 (107,329 -> 1,802,412; ratio 16.8)
7314 6 4,113 (107,329 -> 1,802,062; ratio 16.8)
7315 7 4,113 (107,329 -> 1,801,976; ratio 16.8)
7316 8 4,113 (107,329 -> 1,801,886; ratio 16.8)
7317 10 4,113 (107,329 -> 1,801,653; ratio 16.8)
7318 12 4,113 (107,329 -> 1,801,526; ratio 16.8)
7319 16 4,113 (107,329 -> 1,801,298; ratio 16.8)
7320 32 4,113 (107,329 -> 1,800,827; ratio 16.8)
7321 inf 4,113 (107,329 -> 1,800,827; ratio 16.8)
7322 */
7324 /* Structs for recording which (helper, guard) pairs we have already
7325 seen. */
7327 #define N_TIDYING_PAIRS 16
7329 typedef
7331 Pair;
7333 typedef
7336 UInt pairsUsed;
7337 }
7338 Pairs;
7341 /* Return True if e1 and e2 definitely denote the same value (used to
7342 compare guards). Return False if unknown; False is the safe
7343 answer. Since guest registers and guest memory do not have the
7344 SSA property we must return False if any Gets or Loads appear in
7345 the expression. This implicitly assumes that e1 and e2 have the
7346 same IR type, which is always true here -- the type is Ity_I1. */
7349 {
7371 /* be lazy. Could define equality for these, but they never
7372 appear to be used. */
7377 /* be conservative - these may not give the same value each
7378 time */
7381 /* should never see this */
7382 /* fallthrough */
7388 }
7389 }
7391 /* See if 'pairs' already has an entry for (entry, guard). Return
7392 True if so. If not, add an entry. */
7394 static
7396 {
7403 }
7404 /* (guard, entry) wasn't found in the array. Add it at the end.
7405 If the array is already full, slide the entries one slot
7406 backwards. This means we will lose to ability to detect
7407 duplicates from the pair in slot zero, but that happens so
7408 rarely that it's unlikely to have much effect on overall code
7409 quality. Also, this strategy loses the check for the oldest
7410 tracked exit (memory reference, basically) and so that is (I'd
7411 guess) least likely to be re-used after this point. */
7416 }
7423 n++;
7425 }
7427 }
7430 {
7431 /* This is expensive because it happens a lot. We are checking to
7432 see whether |name| is one of the following 8 strings:
7434 MC_(helperc_value_check8_fail_no_o)
7435 MC_(helperc_value_check4_fail_no_o)
7436 MC_(helperc_value_check0_fail_no_o)
7437 MC_(helperc_value_check1_fail_no_o)
7438 MC_(helperc_value_check8_fail_w_o)
7439 MC_(helperc_value_check0_fail_w_o)
7440 MC_(helperc_value_check1_fail_w_o)
7441 MC_(helperc_value_check4_fail_w_o)
7443 To speed it up, check the common prefix just once, rather than
7444 all 8 times.
7445 */
7453 /* We still have some prefix to use */
7456 name++;
7457 prefix++;
7458 }
7460 /* Check the part after the prefix. */
7470 }
7473 {
7474 Int i;
7479 Bool alreadyPresent;
7480 Pairs pairs;
7487 /* Scan forwards through the statements. Each time a call to one
7488 of the relevant helpers is seen, check if we have made a
7489 previous call to the same helper using the same guard
7490 expression, and if so, delete the call. */
7503 /* Ok, we have a call to helperc_value_check0/1/4/8_fail with
7504 guard 'guard'. Check if we have already seen a call to this
7505 function with the same guard. If so, delete it. If not,
7506 add it to the set of calls we do know about. */
7511 }
7512 }
7518 }
7520 #undef N_TIDYING_PAIRS
7523 /*------------------------------------------------------------*/
7524 /*--- Startup assertion checking ---*/
7525 /*------------------------------------------------------------*/
7528 {
7529 /* Make a best-effort check to see that is_helperc_value_checkN_fail
7530 is working as we expect. */
7532 # define CHECK(_expected, _string) \
7533 tl_assert((_expected) == is_helperc_value_checkN_fail(_string))
7535 /* It should identify these 8, and no others, as targets. */
7545 /* Ad-hoc selection of other strings gathered via a quick test. */
7575 # undef CHECK
7576 }
7579 /*------------------------------------------------------------*/
7580 /*--- Memcheck main ---*/
7581 /*------------------------------------------------------------*/
7584 {
7604 }
7605 /* VG_(printf)("%llx\n", n); */
7606 /* Shortcuts */
7609 /* The list of bogus atoms is: */
7620 );
7621 }
7624 /* Does 'st' mention any of the literals identified/listed in
7625 isBogusAtom()? */
7627 {
7628 Int i;
7671 }
7679 }
7680 }
7698 }
7703 }
7726 unhandled:
7729 }
7730 }
7733 /* This is the pre-instrumentation analysis. It does a backwards pass over
7734 the stmts in |sb_in| to determine a HowUsed value for each tmp defined in
7735 the block.
7737 Unrelatedly, it also checks all literals in the block with |isBogusAtom|,
7738 as a positive result from that is a strong indication that we need to
7739 expensively instrument add/sub in the block. We do both analyses in one
7740 pass, even though they are independent, so as to avoid the overhead of
7741 having to traverse the whole block twice.
7743 The usage pass proceeds as follows. Let max= be the max operation in the
7744 HowUsed lattice, hence
7746 X max= Y means X = max(X, Y)
7748 then
7750 for t in original tmps . useEnv[t] = HuUnU
7752 for t used in the block's . next field
7753 useEnv[t] max= HuPCa // because jmp targets are PCast-tested
7755 for st iterating *backwards* in the block
7757 match st
7759 case "t1 = load(t2)" // case 1
7760 useEnv[t2] max= HuPCa
7762 case "t1 = add(t2, t3)" // case 2
7763 useEnv[t2] max= useEnv[t1]
7764 useEnv[t3] max= useEnv[t1]
7766 other
7767 for t in st.usedTmps // case 3
7768 useEnv[t] max= HuOth
7769 // same as useEnv[t] = HuOth
7771 The general idea is that we accumulate, in useEnv[], information about
7772 how each tmp is used. That can be updated as we work further back
7773 through the block and find more uses of it, but its HowUsed value can
7774 only ascend the lattice, not descend.
7776 Initially we mark all tmps as unused. In case (1), if a tmp is seen to
7777 be used as a memory address, then its use is at least HuPCa. The point
7778 is that for a memory address we will add instrumentation to check if any
7779 bit of the address is undefined, which means that we won't need expensive
7780 V-bit propagation through an add expression that computed the address --
7781 cheap add instrumentation will be equivalent.
7783 Note in case (1) that if we have previously seen a non-memory-address use
7784 of the tmp, then its use will already be HuOth and will be unchanged by
7785 the max= operation. And if it turns out that the source of the tmp was
7786 an add, then we'll have to expensively instrument the add, because we
7787 can't prove that, for the previous non-memory-address use of the tmp,
7788 cheap and expensive instrumentation will be equivalent.
7790 In case 2, we propagate the usage-mode of the result of an add back
7791 through to its operands. Again, we use max= so as to take account of the
7792 fact that t2 or t3 might later in the block (viz, earlier in the
7793 iteration) have been used in a way that requires expensive add
7794 instrumentation.
7796 In case 3, we deal with all other tmp uses. We assume that we'll need a
7797 result that is as accurate as possible, so we max= HuOth into its use
7798 mode. Since HuOth is the top of the lattice, that's equivalent to just
7799 setting its use to HuOth.
7801 The net result of all this is that:
7803 tmps that are used either
7804 - only as a memory address, or
7805 - only as part of a tree of adds that computes a memory address,
7806 and has no other use
7807 are marked as HuPCa, and so we can instrument their generating Add
7808 nodes cheaply, which is the whole point of this analysis
7810 tmps that are used any other way at all are marked as HuOth
7812 tmps that are unused are marked as HuUnU. We don't expect to see any
7813 since we expect that the incoming IR has had all dead assignments
7814 removed by previous optimisation passes. Nevertheless the analysis is
7815 correct even in the presence of dead tmps.
7817 A final comment on dead tmps. In case 1 and case 2, we could actually
7818 conditionalise the updates thusly:
7820 if (useEnv[t1] > HuUnU) { useEnv[t2] max= HuPCa } // case 1
7822 if (useEnv[t1] > HuUnU) { useEnv[t2] max= useEnv[t1] } // case 2
7823 if (useEnv[t1] > HuUnU) { useEnv[t3] max= useEnv[t1] } // case 2
7825 In other words, if the assigned-to tmp |t1| is never used, then there's
7826 no point in propagating any use through to its operands. That won't
7827 change the final HuPCa-vs-HuOth results, which is what we care about.
7828 Given that we expect to get dead-code-free inputs, there's no point in
7829 adding this extra refinement.
7830 */
7832 /* Helper for |preInstrumentationAnalysis|. */
7834 UInt tyenvUsed,
7836 {
7837 /* For the atom |at|, declare that for any tmp |t| in |at|, we will have
7838 seen a use of |newUse|. So, merge that info into |t|'s accumulated
7839 use info. */
7847 // The "max" operation in the lattice
7850 }
7852 // We should never get here -- it implies non-flat IR
7855 }
7856 /*NOTREACHED*/
7858 }
7864 {
7867 // We've seen no bogus literals so far.
7870 // This is calloc'd, so implicitly all entries are initialised to HuUnU.
7874 // Firstly, roll in contributions from the final dst address.
7878 // Now work backwards through the stmts.
7882 // Deal with literals.
7885 }
7887 // Deal with tmp uses.
7892 // This is the one place where we have to consider all possible
7893 // tags for |rhs|, and can't just assume it is a tmp or a const.
7896 // just propagate demand for |dst| into this tmp use.
7905 // propagate demand for |dst| through to the operands.
7911 // just say that the operands are used in some unknown way.
7916 }
7919 // All operands are used in some unknown way.
7925 }
7927 // All operands are used in some unknown way.
7934 }
7936 // The address will be checked (== PCasted).
7940 // The condition is PCasted, the then- and else-values
7941 // aren't.
7947 // The args are used in unknown ways.
7950 }
7953 // The index will be checked/PCasted (see do_shadow_GETI)
7956 }
7964 }
7966 }
7968 // The address will be checked (== PCasted). The data will be
7969 // used in some unknown way.
7974 // The guard will be checked (== PCasted)
7982 // The index will be checked/PCasted (see do_shadow_PUTI). The
7983 // data will be used in an unknown way.
7987 }
7990 // The guard will be checked (== PCasted)
7992 // The args will be used in unknown ways.
7995 }
7997 }
8000 // Address will be pcasted, everything else used as unknown
8009 }
8011 // Both exprs are used in unknown ways. TODO: can we safely
8012 // just ignore AbiHints?
8017 // We might be able to do better, and use HuPCa for the addr.
8018 // It's not immediately obvious that we can, because the address
8019 // is regarded as "used" only when the guard is true.
8025 }
8027 // Per similar comments to Ist_StoreG .. not sure whether this
8028 // is really optimal.
8034 }
8040 }
8048 }
8049 }
8052 // Return the computed use env and the bogus-atom flag.
8058 }
8067 {
8071 MCEnv mce;
8075 /* We don't currently support this case. */
8077 }
8079 /* Check we're not completely nuts */
8090 /* Set up SB */
8093 /* Set up the running environment. Both .sb and .tmpMap are
8094 modified as we go along. Note that tmps are added to both
8095 .sb->tyenv and .tmpMap together, so the valid index-set for
8096 those two arrays should always be identical. */
8104 /* BEGIN decide on expense levels for instrumentation. */
8106 /* Initially, select the cheap version of everything for which we have an
8107 option. */
8110 /* Take account of the --expensive-definedness-checks= flag. */
8112 /* We just selected 'cheap for everything', so we don't need to do
8113 anything here. mce.tmpHowUsed remains NULL. */
8114 }
8116 /* Select 'expensive for everything'. mce.tmpHowUsed remains NULL. */
8118 }
8121 /* We'll make our own selection, based on known per-target constraints
8122 and also on analysis of the block to be instrumented. First, set
8123 up default values for detail levels.
8125 On x86 and amd64, we'll routinely encounter code optimised by LLVM
8126 5 and above. Enable accurate interpretation of the following.
8127 LLVM uses adds for some bitfield inserts, and we get a lot of false
8128 errors if the cheap interpretation is used, alas. Could solve this
8129 much better if we knew which of such adds came from x86/amd64 LEA
8130 instructions, since these are the only ones really needing the
8131 expensive interpretation, but that would require some way to tag
8132 them in the _toIR.c front ends, which is a lot of faffing around.
8133 So for now we use preInstrumentationAnalysis() to detect adds which
8134 are used only to construct memory addresses, which is an
8135 approximation to the above, and is self-contained.*/
8136 # if defined(VGA_x86)
8139 # elif defined(VGA_amd64)
8142 # endif
8144 /* preInstrumentationAnalysis() will allocate &mce.tmpHowUsed and then
8145 fill it in. */
8150 /* This happens very rarely. In this case just select expensive
8151 for everything, and throw away the tmp-use analysis results. */
8156 /* Nothing. mce.tmpHowUsed contains tmp-use analysis results,
8157 which will be used for some subset of Iop_{Add,Sub}{32,64},
8158 based on which ones are set to DLauto for this target. */
8159 }
8160 }
8165 // Debug printing: which tmps have been identified as PCast-only use
8171 }
8172 }
8174 }
8176 // Debug printing: number of ops by detail level
8183 }
8184 /* END decide on expense levels for instrumentation. */
8186 /* Initialise the running the tmp environment. */
8192 TempMapEnt ent;
8197 }
8200 /* Finally, begin instrumentation. */
8201 /* Copy verbatim any IR preamble preceding the first IMark */
8214 i++;
8215 }
8217 /* Nasty problem. IR optimisation of the pre-instrumented IR may
8218 cause the IR following the preamble to contain references to IR
8219 temporaries defined in the preamble. Because the preamble isn't
8220 instrumented, these temporaries don't have any shadows.
8221 Nevertheless uses of them following the preamble will cause
8222 memcheck to generate references to their shadows. End effect is
8223 to cause IR sanity check failures, due to references to
8224 non-existent shadows. This is only evident for the complex
8225 preambles used for function wrapping on TOC-afflicted platforms
8226 (ppc64-linux).
8228 The following loop therefore scans the preamble looking for
8229 assignments to temporaries. For each one found it creates an
8230 assignment to the corresponding (V) shadow temp, marking it as
8231 'defined'. This is the same resulting IR as if the main
8232 instrumentation loop before had been applied to the statement
8233 'tmp = CONSTANT'.
8235 Similarly, if origin tracking is enabled, we must generate an
8236 assignment for the corresponding origin (B) shadow, claiming
8237 no-origin, as appropriate for a defined value.
8238 */
8241 /* findShadowTmpV checks its arg is an original tmp;
8242 no need to assert that here. */
8251 }
8256 }
8257 }
8258 }
8260 /* Iterate over the remaining stmts to generate instrumentation. */
8276 }
8279 /* See comments on case Ist_CAS below. */
8282 }
8284 /* Generate instrumentation code for each stmt ... */
8296 }
8348 /* Note, do_shadow_CAS copies the CAS itself to the output
8349 block, because it needs to add instrumentation both
8350 before and after it. Hence skip the copy below. Also
8351 skip the origin-tracking stuff (call to schemeS) above,
8352 since that's all tangled up with it too; do_shadow_CAS
8353 does it all. */
8377 }
8379 }
8381 /* ... and finally copy the stmt itself to the output. Except,
8382 skip the copy of IRCASs; see comments on case Ist_CAS
8383 above. */
8386 }
8388 /* Now we need to complain if the jump target is undefined. */
8395 }
8404 }
8406 }
8408 /* If this fails, there's been some serious snafu with tmp management,
8409 that should be investigated. */
8415 }
8419 }
8422 /*--------------------------------------------------------------------*/
8423 /*--- end mc_translate.c ---*/
8424 /*--------------------------------------------------------------------*/