| blob | 666719160092d44d9e054e0fffb9ef0949e29aa4 |
2 /*--------------------------------------------------------------------*/
3 /*--- Instrument IR to perform memory checking operations. ---*/
4 /*--- mc_translate.c ---*/
5 /*--------------------------------------------------------------------*/
7 /*
8 This file is part of MemCheck, a heavyweight Valgrind tool for
9 detecting memory errors.
11 Copyright (C) 2000-2017 Julian Seward
12 jseward@acm.org
14 This program is free software; you can redistribute it and/or
15 modify it under the terms of the GNU General Public License as
16 published by the Free Software Foundation; either version 2 of the
17 License, or (at your option) any later version.
19 This program is distributed in the hope that it will be useful, but
20 WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, write to the Free Software
26 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
27 02111-1307, USA.
29 The GNU General Public License is contained in the file COPYING.
30 */
46 /* FIXMEs JRS 2011-June-16.
48 Check the interpretation for vector narrowing and widening ops,
49 particularly the saturating ones. I suspect they are either overly
50 pessimistic and/or wrong.
52 Iop_QandSQsh64x2 and friends (vector-by-vector bidirectional
53 saturating shifts): the interpretation is overly pessimistic.
54 See comments on the relevant cases below for details.
56 Iop_Sh64Sx2 and friends (vector-by-vector bidirectional shifts,
57 both rounding and non-rounding variants): ditto
58 */
60 /* This file implements the Memcheck instrumentation, and in
61 particular contains the core of its undefined value detection
62 machinery. For a comprehensive background of the terminology,
63 algorithms and rationale used herein, read:
65 Using Valgrind to detect undefined value errors with
66 bit-precision
68 Julian Seward and Nicholas Nethercote
70 2005 USENIX Annual Technical Conference (General Track),
71 Anaheim, CA, USA, April 10-15, 2005.
73 ----
75 Here is as good a place as any to record exactly when V bits are and
76 should be checked, why, and what function is responsible.
79 Memcheck complains when an undefined value is used:
81 1. In the condition of a conditional branch. Because it could cause
82 incorrect control flow, and thus cause incorrect externally-visible
83 behaviour. [mc_translate.c:complainIfUndefined]
85 2. As an argument to a system call, or as the value that specifies
86 the system call number. Because it could cause an incorrect
87 externally-visible side effect. [mc_translate.c:mc_pre_reg_read]
89 3. As the address in a load or store. Because it could cause an
90 incorrect value to be used later, which could cause externally-visible
91 behaviour (eg. via incorrect control flow or an incorrect system call
92 argument) [complainIfUndefined]
94 4. As the target address of a branch. Because it could cause incorrect
95 control flow. [complainIfUndefined]
97 5. As an argument to setenv, unsetenv, or putenv. Because it could put
98 an incorrect value into the external environment.
99 [mc_replace_strmem.c:VG_WRAP_FUNCTION_ZU(*, *env)]
101 6. As the index in a GETI or PUTI operation. I'm not sure why... (njn).
102 [complainIfUndefined]
104 7. As an argument to the VALGRIND_CHECK_MEM_IS_DEFINED and
105 VALGRIND_CHECK_VALUE_IS_DEFINED client requests. Because the user
106 requested it. [in memcheck.h]
109 Memcheck also complains, but should not, when an undefined value is used:
111 8. As the shift value in certain SIMD shift operations (but not in the
112 standard integer shift operations). This inconsistency is due to
113 historical reasons.) [complainIfUndefined]
116 Memcheck does not complain, but should, when an undefined value is used:
118 9. As an input to a client request. Because the client request may
119 affect the visible behaviour -- see bug #144362 for an example
120 involving the malloc replacements in vg_replace_malloc.c and
121 VALGRIND_NON_SIMD_CALL* requests, where an uninitialised argument
122 isn't identified. That bug report also has some info on how to solve
123 the problem. [valgrind.h:VALGRIND_DO_CLIENT_REQUEST]
126 In practice, 1 and 2 account for the vast majority of cases.
127 */
129 /* Generation of addr-definedness, addr-validity and
130 guard-definedness checks pertaining to loads and stores (Iex_Load,
131 Ist_Store, IRLoadG, IRStoreG, LLSC, CAS and Dirty memory
132 loads/stores) was re-checked 11 May 2013. */
135 /*------------------------------------------------------------*/
136 /*--- Forward decls ---*/
137 /*------------------------------------------------------------*/
141 // See below for comments explaining what this is for.
142 typedef
144 HowUsed;
154 /*------------------------------------------------------------*/
155 /*--- Memcheck running state, and tmp management. ---*/
156 /*------------------------------------------------------------*/
158 /* For a few (maybe 1%) IROps, we have both a cheaper, less exact vbit
159 propagation scheme, and a more expensive, more precise vbit propagation
160 scheme. This enum describes, for such an IROp, which scheme to use. */
161 typedef
163 // Use the cheaper, less-exact variant.
165 // Choose between cheap and expensive based on analysis of the block
166 // to be instrumented. Note that the choice may be done on a
167 // per-instance basis of the IROp that this DetailLevel describes.
168 DLauto,
169 // Use the more expensive, more-exact variant.
170 DLexpensive
171 }
172 DetailLevel;
175 /* A readonly part of the running state. For IROps that have both a
176 less-exact and more-exact interpretation, records which interpretation is
177 to be used. */
178 typedef
180 // For Add32/64 and Sub32/64, all 3 settings are allowed. For the
181 // DLauto case, a per-instance decision is to be made by inspecting
182 // the associated tmp's entry in MCEnv.tmpHowUsed.
183 DetailLevel dl_Add32;
184 DetailLevel dl_Add64;
185 DetailLevel dl_Sub32;
186 DetailLevel dl_Sub64;
187 // For Cmp{EQ,NE}{64,32,16,8}, only DLcheap and DLexpensive are
188 // allowed.
189 DetailLevel dl_CmpEQ64_CmpNE64;
190 DetailLevel dl_CmpEQ32_CmpNE32;
191 DetailLevel dl_CmpEQ16_CmpNE16;
192 DetailLevel dl_CmpEQ8_CmpNE8;
193 }
194 DetailLevelByOp;
197 DetailLevel dl )
198 {
207 }
210 {
223 }
226 DetailLevel dl )
227 {
238 }
241 /* Carries info about a particular tmp. The tmp's number is not
242 recorded, as this is implied by (equal to) its index in the tmpMap
243 in MCEnv. The tmp's type is also not recorded, as this is present
244 in MCEnv.sb->tyenv.
246 When .kind is Orig, .shadowV and .shadowB may give the identities
247 of the temps currently holding the associated definedness (shadowV)
248 and origin (shadowB) values, or these may be IRTemp_INVALID if code
249 to compute such values has not yet been emitted.
251 When .kind is VSh or BSh then the tmp is holds a V- or B- value,
252 and so .shadowV and .shadowB must be IRTemp_INVALID, since it is
253 illogical for a shadow tmp itself to be shadowed.
254 */
255 typedef
257 TempKind;
259 typedef
261 TempKind kind;
262 IRTemp shadowV;
263 IRTemp shadowB;
264 }
265 TempMapEnt;
268 /* A |HowUsed| value carries analysis results about how values are used,
269 pertaining to whether we need to instrument integer adds expensively or
270 not. The running state carries a (readonly) mapping from original tmp to
271 a HowUsed value for it. A usage value can be one of three values,
272 forming a 3-point chain lattice.
274 HuOth ("Other") used in some arbitrary way
275 |
276 HuPCa ("PCast") used *only* in effectively a PCast, in which all
277 | we care about is the all-defined vs not-all-defined distinction
278 |
279 HuUnU ("Unused") not used at all.
281 The "safe" (don't-know) end of the lattice is "HuOth". See comments
282 below in |preInstrumentationAnalysis| for further details.
283 */
284 /* DECLARED ABOVE:
285 typedef
286 enum __attribute__((packed)) { HuUnU=0, HuPCa=1, HuOth=2 }
287 HowUsed;
288 */
290 // Not actually necessary, but we don't want to waste D1 space.
294 /* Carries around state during memcheck instrumentation. */
295 typedef
297 /* MODIFIED: the superblock being constructed. IRStmts are
298 added. */
300 Bool trace;
302 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
303 current kind and possibly shadow temps for each temp in the
304 IRSB being constructed. Note that it does not contain the
305 type of each tmp. If you want to know the type, look at the
306 relevant entry in sb->tyenv. It follows that at all times
307 during the instrumentation process, the valid indices for
308 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
309 total number of Orig, V- and B- temps allocated so far.
311 The reason for this strange split (types in one place, all
312 other info in another) is that we need the types to be
313 attached to sb so as to make it possible to do
314 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
315 instrumentation process. */
318 /* READONLY: contains details of which ops should be expensively
319 instrumented. */
320 DetailLevelByOp dlbo;
322 /* READONLY: for each original tmp, how the tmp is used. This is
323 computed by |preInstrumentationAnalysis|. Valid indices are
324 0 .. #temps_in_sb-1 (same as for tmpMap). */
327 /* READONLY: the guest layout. This indicates which parts of
328 the guest state should be regarded as 'always defined'. */
331 /* READONLY: the host word type. Needed for constructing
332 arguments of type 'HWord' to be passed to helper functions.
333 Ity_I32 or Ity_I64 only. */
334 IRType hWordTy;
335 }
336 MCEnv;
339 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
340 demand), as they are encountered. This is for two reasons.
342 (1) (less important reason): Many original tmps are unused due to
343 initial IR optimisation, and we do not want to spaces in tables
344 tracking them.
346 Shadow IRTemps are therefore allocated on demand. mce.tmpMap is a
347 table indexed [0 .. n_types-1], which gives the current shadow for
348 each original tmp, or INVALID_IRTEMP if none is so far assigned.
349 It is necessary to support making multiple assignments to a shadow
350 -- specifically, after testing a shadow for definedness, it needs
351 to be made defined. But IR's SSA property disallows this.
353 (2) (more important reason): Therefore, when a shadow needs to get
354 a new value, a new temporary is created, the value is assigned to
355 that, and the tmpMap is updated to reflect the new binding.
357 A corollary is that if the tmpMap maps a given tmp to
358 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
359 there's a read-before-write error in the original tmps. The IR
360 sanity checker should catch all such anomalies, however.
361 */
363 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
364 both the table in mce->sb and to our auxiliary mapping. Note that
365 newTemp may cause mce->tmpMap to resize, hence previous results
366 from VG_(indexXA)(mce->tmpMap) are invalidated. */
368 {
369 Word newIx;
370 TempMapEnt ent;
378 }
381 /* Find the tmp currently shadowing the given original tmp. If none
382 so far exists, allocate one. */
384 {
386 /* VG_(indexXA) range-checks 'orig', hence no need to check
387 here. */
391 IRTemp tmpV
393 /* newTemp may cause mce->tmpMap to resize, hence previous results
394 from VG_(indexXA) are invalid. */
399 }
401 }
403 /* Allocate a new shadow for the given original tmp. This means any
404 previous shadow is abandoned. This is needed because it is
405 necessary to give a new value to a shadow once it has been tested
406 for undefinedness, but unfortunately IR's SSA property disallows
407 this. Instead we must abandon the old shadow, allocate a new one
408 and use that instead.
410 This is the same as findShadowTmpV, except we don't bother to see
411 if a shadow temp already existed -- we simply allocate a new one
412 regardless. */
414 {
416 /* VG_(indexXA) range-checks 'orig', hence no need to check
417 here. */
421 IRTemp tmpV
423 /* newTemp may cause mce->tmpMap to resize, hence previous results
424 from VG_(indexXA) are invalid. */
428 }
429 }
432 /*------------------------------------------------------------*/
433 /*--- IRAtoms -- a subset of IRExprs ---*/
434 /*------------------------------------------------------------*/
436 /* An atom is either an IRExpr_Const or an IRExpr_Tmp, as defined by
437 isIRAtom() in libvex_ir.h. Because this instrumenter expects flat
438 input, most of this code deals in atoms. Usefully, a value atom
439 always has a V-value which is also an atom: constants are shadowed
440 by constants, and temps are shadowed by the corresponding shadow
441 temporary. */
445 /* (used for sanity checks only): is this an atom which looks
446 like it's from original code? */
448 {
454 }
456 }
458 /* (used for sanity checks only): is this an atom which looks
459 like it's from shadow code? */
461 {
467 }
469 }
471 /* (used for sanity checks only): check that both args are atoms and
472 are identically-kinded. */
474 {
480 }
483 /*------------------------------------------------------------*/
484 /*--- Type management ---*/
485 /*------------------------------------------------------------*/
487 /* Shadow state is always accessed using integer types. This returns
488 an integer type with the same size (as per sizeofIRType) as the
489 given type. The only valid shadow types are Bit, I8, I16, I32,
490 I64, I128, V128, V256. */
493 {
512 }
513 }
515 /* Produce a 'defined' value of the given shadow type. Should only be
516 supplied shadow types (Bit/I8/I16/I32/UI64). */
528 }
529 }
532 /*------------------------------------------------------------*/
533 /*--- Constructing IR fragments ---*/
534 /*------------------------------------------------------------*/
536 /* add stmt to a bb */
542 }
544 }
546 /* assign value to tmp */
550 }
552 /* build various kinds of expressions */
553 #define triop(_op, _arg1, _arg2, _arg3) \
554 IRExpr_Triop((_op),(_arg1),(_arg2),(_arg3))
555 #define binop(_op, _arg1, _arg2) IRExpr_Binop((_op),(_arg1),(_arg2))
556 #define unop(_op, _arg) IRExpr_Unop((_op),(_arg))
557 #define mkU1(_n) IRExpr_Const(IRConst_U1(_n))
558 #define mkU8(_n) IRExpr_Const(IRConst_U8(_n))
559 #define mkU16(_n) IRExpr_Const(IRConst_U16(_n))
560 #define mkU32(_n) IRExpr_Const(IRConst_U32(_n))
561 #define mkU64(_n) IRExpr_Const(IRConst_U64(_n))
562 #define mkV128(_n) IRExpr_Const(IRConst_V128(_n))
563 #define mkexpr(_tmp) IRExpr_RdTmp((_tmp))
565 /* Bind the given expression to a new temporary, and return the
566 temporary. This effectively converts an arbitrary expression into
567 an atom.
569 'ty' is the type of 'e' and hence the type that the new temporary
570 needs to be. But passing it in is redundant, since we can deduce
571 the type merely by inspecting 'e'. So at least use that fact to
572 assert that the two types agree. */
574 {
575 TempKind k;
576 IRTemp t;
584 /* happens when we are making up new "orig"
585 expressions, for IRCAS handling */
587 }
591 }
594 /*------------------------------------------------------------*/
595 /*--- Helper functions for 128-bit ops ---*/
596 /*------------------------------------------------------------*/
599 {
602 }
604 /* There are no I128-bit loads and/or stores [as generated by any
605 current front ends]. So we do not need to worry about that in
606 expr2vbits_Load */
609 /*------------------------------------------------------------*/
610 /*--- Constructing definedness primitive ops ---*/
611 /*------------------------------------------------------------*/
613 /* --------- Defined-if-either-defined --------- */
619 }
625 }
631 }
637 }
643 }
649 }
651 /* --------- Undefined-if-either-undefined --------- */
657 }
663 }
669 }
675 }
689 }
695 }
701 }
715 }
716 }
718 /* --------- The Left-family of operations. --------- */
723 }
728 }
733 }
738 }
740 /* --------- 'Improvement' functions for AND/OR. --------- */
742 /* ImproveAND(data, vbits) = data OR vbits. Defined (0) data 0s give
743 defined (0); all other -> undefined (1).
744 */
746 {
751 }
754 {
759 }
762 {
767 }
770 {
775 }
778 {
783 }
786 {
791 }
793 /* ImproveOR(data, vbits) = ~data OR vbits. Defined (0) data 1s give
794 defined (0); all other -> undefined (1).
795 */
797 {
805 vbits) );
806 }
809 {
817 vbits) );
818 }
821 {
829 vbits) );
830 }
833 {
841 vbits) );
842 }
845 {
853 vbits) );
854 }
857 {
865 vbits) );
866 }
868 /* --------- Pessimising casts. --------- */
870 /* The function returns an expression of type DST_TY. If any of the VBITS
871 is undefined (value == 1) the resulting expression has all bits set to
872 1. Otherwise, all bits are 0. */
875 {
876 IRType src_ty;
879 /* Note, dst_ty is a shadow type, not an original type. */
883 /* Fast-track some common cases */
891 /* PCast the arg, then clone it. */
894 }
897 /* PCast the arg, then clone it 4 times. */
901 }
904 /* PCast the arg, then clone it 8 times. */
909 }
912 /* PCast the arg. This gives all 0s or all 1s. Then throw away
913 the top half. */
916 }
919 /* Use InterleaveHI64x2 to copy the top half of the vector into
920 the bottom half. Then we can UifU it with the original, throw
921 away the upper half of the result, and PCast-I64-to-I64
922 the lower half. */
923 // Generates vbits[127:64] : vbits[127:64]
924 IRAtom* hi64hi64
927 // Generates
928 // UifU(vbits[127:64],vbits[127:64]) : UifU(vbits[127:64],vbits[63:0])
929 // == vbits[127:64] : UifU(vbits[127:64],vbits[63:0])
930 IRAtom* lohi64
932 // Generates UifU(vbits[127:64],vbits[63:0])
933 IRAtom* lo64
935 // Generates
936 // PCast-to-I64( UifU(vbits[127:64], vbits[63:0] )
937 // == PCast-to-I64( vbits[127:0] )
938 IRAtom* res
941 }
943 /* Else do it the slow way .. */
944 /* First of all, collapse vbits down to a single bit. */
963 /* Gah. Chop it in half, OR the halves together, and compare
964 that with zero. */
971 }
973 /* Chop it in half, OR the halves together, and compare that
974 * with zero.
975 */
982 }
986 }
988 /* Now widen up to the dst type. */
1018 }
1019 }
1021 /* This is a minor variant. It takes an arg of some type and returns
1022 a value of the same type. The result consists entirely of Defined
1023 (zero) bits except its least significant bit, which is a PCast of
1024 the entire argument down to a single bit. */
1026 {
1028 /* --- Case for V128 --- */
1030 // generates: PCast-to-I64(varg128)
1032 // Now introduce zeros (defined bits) in the top 63 places
1033 // generates: Def--(63)--Def PCast-to-I1(varg128)
1034 IRAtom* d63pc
1036 // generates: Def--(64)--Def
1037 IRAtom* d64
1039 // generates: Def--(127)--Def PCast-to-I1(varg128)
1040 IRAtom* res
1043 }
1045 /* --- Case for I64 --- */
1046 // PCast to 64
1048 // Zero (Def) out the top 63 bits
1049 IRAtom* res
1052 }
1053 /*NOTREACHED*/
1055 }
1057 /* --------- Optimistic casts. --------- */
1059 /* The function takes and returns an expression of type TY. If any of the
1060 VBITS indicate defined (value == 0) the resulting expression has all bits
1061 set to 0. Otherwise, all bits are 1. In words, if any bits are defined
1062 then all bits are made to be defined.
1064 In short we compute (vbits - (vbits >>u 1)) >>s (bitsize(vbits)-1).
1065 */
1067 {
1069 UInt sh;
1087 }
1094 }
1097 /* --------- Accurate interpretation of CmpEQ/CmpNE. --------- */
1098 /*
1099 Normally, we can do CmpEQ/CmpNE by doing UifU on the arguments, and
1100 PCasting to Ity_U1. However, sometimes it is necessary to be more
1101 accurate. The insight is that the result is defined if two
1102 corresponding bits can be found, one from each argument, so that
1103 both bits are defined but are different -- that makes EQ say "No"
1104 and NE say "Yes". Hence, we compute an improvement term and DifD
1105 it onto the "normal" (UifU) result.
1107 The result is:
1109 PCastTo<1> (
1110 -- naive version
1111 UifU<sz>(vxx, vyy)
1113 `DifD<sz>`
1115 -- improvement term
1116 OCast<sz>(vec)
1117 )
1119 where
1120 vec contains 0 (defined) bits where the corresponding arg bits
1121 are defined but different, and 1 bits otherwise.
1123 vec = Or<sz>( vxx, // 0 iff bit defined
1124 vyy, // 0 iff bit defined
1125 Not<sz>(Xor<sz>( xx, yy )) // 0 iff bits different
1126 )
1128 If any bit of vec is 0, the result is defined and so the
1129 improvement term should produce 0...0, else it should produce
1130 1...1.
1132 Hence require for the improvement term:
1134 OCast(vec) = if vec == 1...1 then 1...1 else 0...0
1136 which you can think of as an "optimistic cast" (OCast, the opposite of
1137 the normal "pessimistic cast" (PCast) family. An OCast says all bits
1138 are defined if any bit is defined.
1140 It is possible to show that
1142 if vec == 1...1 then 1...1 else 0...0
1144 can be implemented in straight-line code as
1146 (vec - (vec >>u 1)) >>s (word-size-in-bits - 1)
1148 We note that vec contains the sub-term Or<sz>(vxx, vyy). Since UifU is
1149 implemented with Or (since 1 signifies undefinedness), this is a
1150 duplicate of the UifU<sz>(vxx, vyy) term and so we can CSE it out, giving
1151 a final version of:
1153 let naive = UifU<sz>(vxx, vyy)
1154 vec = Or<sz>(naive, Not<sz>(Xor<sz)(xx, yy))
1155 in
1156 PCastTo<1>( DifD<sz>(naive, OCast<sz>(vec)) )
1158 This was extensively re-analysed and checked on 6 July 05 and again
1159 in July 2017.
1160 */
1162 IRType ty,
1165 {
1207 }
1209 naive
1212 vec
1216 naive,
1222 improved
1226 final_cast
1230 }
1233 /* --------- Semi-accurate interpretation of CmpORD. --------- */
1235 /* CmpORD32{S,U} does PowerPC-style 3-way comparisons:
1237 CmpORD32S(x,y) = 1<<3 if x <s y
1238 = 1<<2 if x >s y
1239 = 1<<1 if x == y
1241 and similarly the unsigned variant. The default interpretation is:
1243 CmpORD32{S,U}#(x,y,x#,y#) = PCast(x# `UifU` y#)
1244 & (7<<1)
1246 The "& (7<<1)" reflects the fact that all result bits except 3,2,1
1247 are zero and therefore defined (viz, zero).
1249 Also deal with a special case better:
1251 CmpORD32S(x,0)
1253 Here, bit 3 (LT) of the result is a copy of the top bit of x and
1254 will be defined even if the rest of x isn't. In which case we do:
1256 CmpORD32S#(x,x#,0,{impliedly 0}#)
1257 = PCast(x#) & (3<<1) -- standard interp for GT#,EQ#
1258 | (x# >>u 31) << 3 -- LT# = x#[31]
1260 Analogous handling for CmpORD64{S,U}.
1261 */
1263 {
1264 return
1268 }
1271 {
1272 return
1276 }
1279 IROp cmp_op,
1282 {
1309 }
1312 /* fancy interpretation */
1313 /* if yy is zero, then it must be fully defined (zero#). */
1316 return
1318 opOR,
1322 opAND,
1324 threeLeft1
1325 )),
1329 opSHL,
1334 ))
1335 );
1337 /* standard interpretation */
1339 return
1341 opAND,
1344 sevenLeft1
1345 );
1346 }
1347 }
1350 /*------------------------------------------------------------*/
1351 /*--- Emit a test and complaint if something is undefined. ---*/
1352 /*------------------------------------------------------------*/
1357 /* Set the annotations on a dirty helper to indicate that the stack
1358 pointer and instruction pointers might be read. This is the
1359 behaviour of all 'emit-a-complaint' style functions we might
1360 call. */
1374 }
1377 /* Check the supplied *original* |atom| for undefinedness, and emit a
1378 complaint if so. Once that happens, mark it as defined. This is
1379 possible because the atom is either a tmp or literal. If it's a
1380 tmp, it will be shadowed by a tmp, and so we can set the shadow to
1381 be defined. In fact as mentioned above, we will have to allocate a
1382 new tmp to carry the new 'defined' shadow value, and update the
1383 original->tmp mapping accordingly; we cannot simply assign a new
1384 value to an existing shadow tmp as this breaks SSAness.
1386 The checks are performed, any resulting complaint emitted, and
1387 |atom|'s shadow temp set to 'defined', ONLY in the case that
1388 |guard| evaluates to True at run-time. If it evaluates to False
1389 then no action is performed. If |guard| is NULL (the usual case)
1390 then it is assumed to be always-true, and hence these actions are
1391 performed unconditionally.
1393 This routine does not generate code to check the definedness of
1394 |guard|. The caller is assumed to have taken care of that already.
1395 */
1397 {
1399 IRType ty;
1400 Int sz;
1407 Int nargs;
1409 // Don't do V bit tests if we're not reporting undefined value errors.
1416 /* Since the original expression is atomic, there's no duplicated
1417 work generated by making multiple V-expressions for it. So we
1418 don't really care about the possibility that someone else may
1419 also create a V-interpretion for it. */
1427 /* sz is only used for constructing the error message */
1431 /* cond will be 0 if all defined, and 1 if any not defined. */
1433 /* Get the origin info for the value we are about to check. At
1434 least, if we are doing origin tracking. If not, use a dummy
1435 zero origin. */
1440 }
1443 }
1462 }
1475 }
1488 }
1501 }
1515 }
1519 }
1532 /* If the complaint is to be issued under a guard condition, AND
1533 that into the guard condition for the helper call. */
1539 }
1544 /* If |atom| is shadowed by an IRTemp, set the shadow tmp to be
1545 defined -- but only in the case where the guard evaluates to
1546 True at run-time. Do the update by setting the orig->shadow
1547 mapping for tmp to reflect the fact that this shadow is getting
1548 a new value. */
1550 /* sameKindedAtoms ... */
1554 // guard is 'always True', hence update unconditionally
1559 // update the temp only conditionally. Do this by copying
1560 // its old value when the guard is False.
1561 // The old value ..
1564 IRAtom* new_tmpV
1569 }
1570 }
1571 }
1574 /*------------------------------------------------------------*/
1575 /*--- Shadowing PUTs/GETs, and indexed variants thereof ---*/
1576 /*------------------------------------------------------------*/
1578 /* Examine the always-defined sections declared in layout to see if
1579 the (offset,size) section is within one. Note, is is an error to
1580 partially fall into such a region: (offset,size) should either be
1581 completely in such a region or completely not-in such a region.
1582 */
1584 {
1603 }
1605 }
1608 /* Generate into bb suitable actions to shadow this Put. If the state
1609 slice is marked 'always defined', do nothing. Otherwise, write the
1610 supplied V bits to the shadow state. We can pass in either an
1611 original atom or a V-atom, but not both. In the former case the
1612 relevant V-bits are then generated from the original.
1613 We assume here, that the definedness of GUARD has already been checked.
1614 */
1615 static
1618 {
1619 IRType ty;
1621 // Don't do shadow PUTs if we're not doing undefined value checking.
1622 // Their absence lets Vex's optimiser remove all the shadow computation
1623 // that they depend on, which includes GETs of the shadow registers.
1634 }
1639 /* later: no ... */
1640 /* emit code to emit a complaint if any of the vbits are 1. */
1641 /* complainIfUndefined(mce, atom); */
1643 /* Do a plain shadow Put. */
1645 /* If the guard expression evaluates to false we simply Put the value
1646 that is already stored in the guest state slot */
1653 }
1655 }
1656 }
1659 /* Return an expression which contains the V bits corresponding to the
1660 given GETI (passed in in pieces).
1661 */
1662 static
1664 {
1667 Int arrSize;;
1673 // Don't do shadow PUTIs if we're not doing undefined value checking.
1674 // Their absence lets Vex's optimiser remove all the shadow computation
1675 // that they depend on, which includes GETIs of the shadow registers.
1689 /* later: no ... */
1690 /* emit code to emit a complaint if any of the vbits are 1. */
1691 /* complainIfUndefined(mce, atom); */
1693 /* Do a cloned version of the Put that refers to the shadow
1694 area. */
1695 IRRegArray* new_descr
1699 }
1700 }
1703 /* Return an expression which contains the V bits corresponding to the
1704 given GET (passed in in pieces).
1705 */
1706 static
1708 {
1713 /* Always defined, return all zeroes of the relevant type */
1716 /* return a cloned version of the Get that refers to the shadow
1717 area. */
1718 /* FIXME: this isn't an atom! */
1720 }
1721 }
1724 /* Return an expression which contains the V bits corresponding to the
1725 given GETI (passed in in pieces).
1726 */
1727 static
1730 {
1738 /* Always defined, return all zeroes of the relevant type */
1741 /* return a cloned version of the Get that refers to the shadow
1742 area. */
1743 IRRegArray* new_descr
1747 }
1748 }
1751 /*------------------------------------------------------------*/
1752 /*--- Generating approximations for unknown operations, ---*/
1753 /*--- using lazy-propagate semantics ---*/
1754 /*------------------------------------------------------------*/
1756 /* Lazy propagation of undefinedness from two values, resulting in the
1757 specified shadow type.
1758 */
1759 static
1761 {
1768 /* The general case is inefficient because PCast is an expensive
1769 operation. Here are some special cases which use PCast only
1770 once rather than twice. */
1772 /* I64 x I64 -> I64 */
1778 }
1780 /* I64 x I64 -> I32 */
1786 }
1788 /* I32 x I32 -> I32 */
1794 }
1804 }
1806 /* General case: force everything via 32-bit intermediaries. */
1811 }
1814 /* 3-arg version of the above. */
1815 static
1818 {
1827 /* The general case is inefficient because PCast is an expensive
1828 operation. Here are some special cases which use PCast only
1829 twice rather than three times. */
1831 /* I32 x I64 x I64 -> I64 */
1832 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1836 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
1837 mode indication which is fully defined, this should get
1838 folded out later. */
1840 /* Now fold in 2nd and 3rd args. */
1843 /* and PCast once again. */
1846 }
1848 /* I32 x I8 x I64 -> I64 */
1852 /* Widen 1st and 2nd args to I64. Since 1st arg is typically a
1853 * rounding mode indication which is fully defined, this should
1854 * get folded out later.
1855 */
1860 /* and PCast once again. */
1863 }
1865 /* I32 x I64 x I64 -> I32 */
1874 }
1876 /* I32 x I32 x I32 -> I32 */
1877 /* 32-bit FP idiom, as (eg) happens on ARM */
1886 }
1888 /* I32 x I128 x I128 -> I128 */
1889 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1893 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
1894 mode indication which is fully defined, this should get
1895 folded out later. */
1897 /* Now fold in 2nd and 3rd args. */
1900 /* and PCast once again. */
1903 }
1905 /* I32 x I8 x I128 -> I128 */
1906 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1910 /* Use I64 as an intermediate type, which means PCasting all 3
1911 args to I64 to start with. 1st arg is typically a rounding
1912 mode indication which is fully defined, so we hope that it
1913 will get folded out later. */
1917 /* Now UifU all three together. */
1920 /* and PCast once again. */
1923 }
1934 }
1937 /* General case: force everything via 32-bit intermediaries. */
1938 /*
1939 at = mkPCastTo(mce, Ity_I32, va1);
1940 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va2));
1941 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va3));
1942 at = mkPCastTo(mce, finalVty, at);
1943 return at;
1944 */
1945 }
1948 /* 4-arg version of the above. */
1949 static
1952 {
1963 /* The general case is inefficient because PCast is an expensive
1964 operation. Here are some special cases which use PCast only
1965 twice rather than three times. */
1967 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
1972 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
1973 mode indication which is fully defined, this should get
1974 folded out later. */
1976 /* Now fold in 2nd, 3rd, 4th args. */
1980 /* and PCast once again. */
1983 }
1985 /* I32 x I64 x I64 x I64 -> I64 */
1989 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
1990 mode indication which is fully defined, this should get
1991 folded out later. */
1993 /* Now fold in 2nd, 3rd, 4th args. */
1997 /* and PCast once again. */
2000 }
2001 /* I32 x I32 x I32 x I32 -> I32 */
2002 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2007 /* Now fold in 2nd, 3rd, 4th args. */
2013 }
2019 /* Now fold in 2nd, 3rd, 4th args. */
2025 }
2031 /* Now fold in 2nd, 3rd, 4th args. */
2037 }
2051 }
2054 }
2057 /* Do the lazy propagation game from a null-terminated vector of
2058 atoms. This is presumably the arguments to a helper call, so the
2059 IRCallee info is also supplied in order that we can know which
2060 arguments should be ignored (via the .mcx_mask field).
2061 */
2062 static
2065 {
2066 Int i;
2069 IRType mergeTy;
2072 /* Decide on the type of the merge intermediary. If all relevant
2073 args are I64, then it's I64. In all other circumstances, use
2074 I32. */
2082 }
2090 /* Only take notice of this arg if the callee's mc-exclusion
2091 mask does not say it is to be excluded. */
2093 /* the arg is to be excluded from definedness checking. Do
2094 nothing. */
2097 /* calculate the arg's definedness, and pessimistically merge
2098 it in. */
2100 curr = mergeTy64
2103 }
2104 }
2106 }
2109 /*------------------------------------------------------------*/
2110 /*--- Generating expensive sequences for exact carry-chain ---*/
2111 /*--- propagation in add/sub and related operations. ---*/
2112 /*------------------------------------------------------------*/
2114 static
2116 Bool add,
2117 IRType ty,
2120 {
2150 }
2152 // a_min = aa & ~qaa
2157 // b_min = bb & ~qbb
2162 // a_max = aa | qaa
2165 // b_max = bb | qbb
2169 // result = (qaa | qbb) | ((a_min + b_min) ^ (a_max + b_max))
2170 return
2178 )
2179 )
2180 )
2181 );
2183 // result = (qaa | qbb) | ((a_min - b_max) ^ (a_max - b_min))
2184 return
2192 )
2193 )
2194 )
2195 );
2196 }
2198 }
2201 static
2204 {
2205 IRType ty;
2231 }
2233 // improver = atom ^ (atom - 1)
2234 //
2235 // That is, improver has its low ctz(atom) bits equal to one;
2236 // higher bits (if any) equal to zero.
2239 atom,
2243 // improved = vatom & improver
2244 //
2245 // That is, treat any V bits above the first ctz(atom) bits as
2246 // "defined".
2250 // Return pessimizing cast of improved.
2252 }
2255 /*------------------------------------------------------------*/
2256 /*--- Scalar shifts. ---*/
2257 /*------------------------------------------------------------*/
2259 /* Produce an interpretation for (aa << bb) (or >>s, >>u). The basic
2260 idea is to shift the definedness bits by the original shift amount.
2261 This introduces 0s ("defined") in new positions for left shifts and
2262 unsigned right shifts, and copies the top definedness bit for
2263 signed right shifts. So, conveniently, applying the original shift
2264 operator to the definedness bits for the left arg is exactly the
2265 right thing to do:
2267 (qaa << bb)
2269 However if the shift amount is undefined then the whole result
2270 is undefined. Hence need:
2272 (qaa << bb) `UifU` PCast(qbb)
2274 If the shift amount bb is a literal than qbb will say 'all defined'
2275 and the UifU and PCast will get folded out by post-instrumentation
2276 optimisation.
2277 */
2279 IRType ty,
2280 IROp original_op,
2283 {
2290 return
2296 )
2297 );
2298 }
2301 /*------------------------------------------------------------*/
2302 /*--- Helpers for dealing with vector primops. ---*/
2303 /*------------------------------------------------------------*/
2305 /* Vector pessimisation -- pessimise within each lane individually. */
2308 {
2310 }
2313 {
2315 }
2318 {
2320 }
2323 {
2325 }
2328 {
2330 }
2333 {
2335 }
2338 {
2340 }
2343 {
2345 }
2348 {
2350 }
2353 {
2355 }
2358 {
2360 }
2363 {
2365 }
2368 {
2370 }
2373 /* Here's a simple scheme capable of handling ops derived from SSE1
2374 code and while only generating ops that can be efficiently
2375 implemented in SSE1. */
2377 /* All-lanes versions are straightforward:
2379 binary32Fx4(x,y) ==> PCast32x4(UifUV128(x#,y#))
2381 unary32Fx4(x,y) ==> PCast32x4(x#)
2383 Lowest-lane-only versions are more complex:
2385 binary32F0x4(x,y) ==> SetV128lo32(
2386 x#,
2387 PCast32(V128to32(UifUV128(x#,y#)))
2388 )
2390 This is perhaps not so obvious. In particular, it's faster to
2391 do a V128-bit UifU and then take the bottom 32 bits than the more
2392 obvious scheme of taking the bottom 32 bits of each operand
2393 and doing a 32-bit UifU. Basically since UifU is fast and
2394 chopping lanes off vector values is slow.
2396 Finally:
2398 unary32F0x4(x) ==> SetV128lo32(
2399 x#,
2400 PCast32(V128to32(x#))
2401 )
2403 Where:
2405 PCast32(v#) = 1Sto32(CmpNE32(v#,0))
2406 PCast32x4(v#) = CmpNEZ32x4(v#)
2407 */
2409 static
2411 {
2418 }
2420 static
2422 {
2427 }
2429 static
2431 {
2440 }
2442 static
2444 {
2451 }
2453 /* --- ... and ... 64Fx2 versions of the same ... --- */
2455 static
2457 {
2464 }
2466 static
2468 {
2473 }
2475 static
2477 {
2486 }
2488 static
2490 {
2497 }
2499 /* --- --- ... and ... 32Fx2 versions of the same --- --- */
2501 static
2503 {
2510 }
2512 static
2514 {
2519 }
2521 /* --- ... and ... 64Fx4 versions of the same ... --- */
2523 static
2525 {
2532 }
2534 static
2536 {
2541 }
2543 /* --- ... and ... 32Fx8 versions of the same ... --- */
2545 static
2547 {
2554 }
2556 static
2558 {
2563 }
2565 /* --- 64Fx2 binary FP ops, with rounding mode --- */
2567 static
2570 {
2571 /* This is the same as binary64Fx2, except that we subsequently
2572 pessimise vRM (definedness of the rounding mode), widen to 128
2573 bits and UifU it into the result. As with the scalar cases, if
2574 the RM is a constant then it is defined and so this extra bit
2575 will get constant-folded out later. */
2576 // "do" the vector args
2578 // PCast the RM, and widen it to 128 bits
2580 // Roll it into the result
2583 }
2585 /* --- ... and ... 32Fx4 versions of the same --- */
2587 static
2590 {
2592 // PCast the RM, and widen it to 128 bits
2594 // Roll it into the result
2597 }
2599 /* --- ... and ... 64Fx4 versions of the same --- */
2601 static
2604 {
2606 // PCast the RM, and widen it to 256 bits
2608 // Roll it into the result
2611 }
2613 /* --- ... and ... 32Fx8 versions of the same --- */
2615 static
2618 {
2620 // PCast the RM, and widen it to 256 bits
2622 // Roll it into the result
2625 }
2627 /* --- 64Fx2 unary FP ops, with rounding mode --- */
2629 static
2631 {
2632 /* Same scheme as binary64Fx2_w_rm. */
2633 // "do" the vector arg
2635 // PCast the RM, and widen it to 128 bits
2637 // Roll it into the result
2640 }
2642 /* --- ... and ... 32Fx4 versions of the same --- */
2644 static
2646 {
2647 /* Same scheme as unary32Fx4_w_rm. */
2649 // PCast the RM, and widen it to 128 bits
2651 // Roll it into the result
2654 }
2657 /* --- --- Vector saturated narrowing --- --- */
2659 /* We used to do something very clever here, but on closer inspection
2660 (2011-Jun-15), and in particular bug #279698, it turns out to be
2661 wrong. Part of the problem came from the fact that for a long
2662 time, the IR primops to do with saturated narrowing were
2663 underspecified and managed to confuse multiple cases which needed
2664 to be separate: the op names had a signedness qualifier, but in
2665 fact the source and destination signednesses needed to be specified
2666 independently, so the op names really need two independent
2667 signedness specifiers.
2669 As of 2011-Jun-15 (ish) the underspecification was sorted out
2670 properly. The incorrect instrumentation remained, though. That
2671 has now (2011-Oct-22) been fixed.
2673 What we now do is simple:
2675 Let the original narrowing op be QNarrowBinXtoYxZ, where Z is a
2676 number of lanes, X is the source lane width and signedness, and Y
2677 is the destination lane width and signedness. In all cases the
2678 destination lane width is half the source lane width, so the names
2679 have a bit of redundancy, but are at least easy to read.
2681 For example, Iop_QNarrowBin32Sto16Ux8 narrows 8 lanes of signed 32s
2682 to unsigned 16s.
2684 Let Vanilla(OP) be a function that takes OP, one of these
2685 saturating narrowing ops, and produces the same "shaped" narrowing
2686 op which is not saturating, but merely dumps the most significant
2687 bits. "same shape" means that the lane numbers and widths are the
2688 same as with OP.
2690 For example, Vanilla(Iop_QNarrowBin32Sto16Ux8)
2691 = Iop_NarrowBin32to16x8,
2692 that is, narrow 8 lanes of 32 bits to 8 lanes of 16 bits, by
2693 dumping the top half of each lane.
2695 So, with that in place, the scheme is simple, and it is simple to
2696 pessimise each lane individually and then apply Vanilla(OP) so as
2697 to get the result in the right "shape". If the original OP is
2698 QNarrowBinXtoYxZ then we produce
2700 Vanilla(OP)( PCast-X-to-X-x-Z(vatom1), PCast-X-to-X-x-Z(vatom2) )
2702 or for the case when OP is unary (Iop_QNarrowUn*)
2704 Vanilla(OP)( PCast-X-to-X-x-Z(vatom) )
2705 */
2706 static
2708 {
2710 /* Binary: (128, 128) -> 128 */
2721 /* Binary: (64, 64) -> 64 */
2727 /* Unary: 128 -> 64 */
2744 }
2745 }
2747 static
2750 {
2763 }
2771 }
2773 static
2776 {
2784 }
2792 }
2794 static
2797 {
2801 /* For vanilla narrowing (non-saturating), we can just apply
2802 the op directly to the V bits. */
2812 }
2813 /* Plan B: for ops that involve a saturation operation on the args,
2814 we must PCast before the vanilla narrow. */
2826 }
2831 }
2833 static
2836 {
2848 }
2853 }
2856 /* --- --- Vector integer arithmetic --- --- */
2858 /* Simple ... UifU the args and per-lane pessimise the results. */
2860 /* --- V256-bit versions --- */
2862 static
2864 {
2869 }
2871 static
2873 {
2878 }
2880 static
2882 {
2887 }
2889 static
2891 {
2896 }
2898 /* --- V128-bit versions --- */
2900 static
2902 {
2907 }
2909 static
2911 {
2916 }
2918 static
2920 {
2925 }
2927 static
2929 {
2934 }
2936 /* --- 64-bit versions --- */
2938 static
2940 {
2945 }
2947 static
2949 {
2954 }
2956 static
2958 {
2963 }
2965 static
2967 {
2972 }
2974 /* --- 32-bit versions --- */
2976 static
2978 {
2983 }
2985 static
2987 {
2992 }
2995 /*------------------------------------------------------------*/
2996 /*--- Generate shadow values from all kinds of IRExprs. ---*/
2997 /*------------------------------------------------------------*/
2999 static
3001 IROp op,
3004 {
3027 /* I32(rm) x F64 x F64 x F64 -> F64 */
3032 /* I32(rm) x F32 x F32 x F32 -> F32 */
3039 /* I32(rm) x F128 x F128 x F128 -> F128 */
3042 /* V256-bit data-steering */
3047 /* I32/I64 x I8 x I8 x I8 -> I32/I64 */
3055 }
3056 }
3059 static
3061 IROp op,
3063 {
3087 /* I32(rm) x F128/D128 x F128/D128 -> F128/D128 */
3108 /* I32(rm) x F64/D64 x F64/D64 -> F64/D64 */
3112 /* I32(rm) x F64 x F64 -> I32 */
3118 /* I32(rm) x F32 x F32 -> I32 */
3121 /* IRRoundingMode(I32) x I8 x D64 -> D64 */
3124 /* IRRoundingMode(I32) x I8 x D128 -> D128 */
3127 /* (V128, V128, I8) -> V128 */
3131 /* (I64, I64, I8) -> I64 */
3148 /* (V128, V128, V128) -> V128 */
3151 mce,
3154 );
3156 /* Vector FP with rounding mode as the first arg */
3198 }
3199 }
3202 static
3204 IROp op,
3207 {
3208 IRType and_or_ty;
3224 /* 32-bit SIMD */
3250 /* 64-bit SIMD */
3261 /* Same scheme as with all other shifts. */
3422 );
3431 );
3440 );
3442 /* 64-bit data-steering */
3469 /* Perm8x8: rearrange values in left arg using steering values
3470 from right arg. So rearrange the vbits in the same way but
3471 pessimise wrt steering values. */
3474 mce,
3477 );
3479 /* V128-bit SIMD */
3498 /* Same scheme as with all other shifts. Note: 22 Oct 05:
3499 this is wrong now, scalar shifts are done properly lazily.
3500 Vector shifts should be fixed too. */
3504 /* V x V shifts/rotates are done using the standard lazy scheme. */
3505 /* For the non-rounding variants of bi-di vector x vector
3506 shifts (the Iop_Sh.. ops, that is) we use the lazy scheme.
3507 But note that this is overly pessimistic, because in fact only
3508 the bottom 8 bits of each lane of the second argument are taken
3509 into account when shifting. So really we ought to ignore
3510 undefinedness in bits 8 and above of each lane in the
3511 second argument. */
3522 );
3534 );
3546 );
3558 );
3560 /* For the rounding variants of bi-di vector x vector shifts, the
3561 rounding adjustment can cause undefinedness to propagate through
3562 the entire lane, in the worst case. Too complex to handle
3563 properly .. just UifU the arguments and then PCast them.
3564 Suboptimal but safe. */
3786 /* Q-and-Qshift-by-imm-and-narrow of the form (V128, I8) -> V128.
3787 To make this simpler, do the following:
3788 * complain if the shift amount (the I8) is undefined
3789 * pcast each lane at the wide width
3790 * truncate each lane to half width
3791 * pcast the resulting 64-bit value to a single bit and use
3792 that as the least significant bit of the upper half of the
3793 result. */
3812 {
3845 }
3847 // Pessimised shift result
3848 IRAtom* shV
3850 // Narrowed, pessimised shift result
3851 IRAtom* shVnarrowed
3853 // Generates: Def--(63)--Def PCast-to-I1(narrowed)
3855 // and assemble the result
3858 }
3893 /* V128-bit data-steering */
3938 /* Perm8x16: rearrange values in left arg using steering values
3939 from right arg. So rearrange the vbits in the same way but
3940 pessimise wrt steering values. Perm32x4 ditto. */
3943 mce,
3946 );
3949 mce,
3952 );
3954 /* These two take the lower half of each 16-bit lane, sign/zero
3955 extend it to 32, and multiply together, producing a 32x4
3956 result (and implicitly ignoring half the operand bits). So
3957 treat it as a bunch of independent 16x8 operations, but then
3958 do 32-bit shifts left-right to copy the lower half results
3959 (which are all 0s or all 1s due to PCasting in binary16Ix8)
3960 into the upper half of each result lane. */
3968 }
3970 /* Same deal as Iop_MullEven16{S,U}x8 */
3978 }
3980 /* Same deal as Iop_MullEven16{S,U}x8 */
3988 }
3990 /* narrow 2xV128 into 1xV128, hi half from left arg, in a 2 x
3991 32x4 -> 16x8 laneage, discarding the upper half of each lane.
3992 Simply apply same op to the V bits, since this really no more
3993 than a data steering operation. */
4003 /* Same scheme as with all other shifts. Note: 10 Nov 05:
4004 this is wrong now, scalar shifts are done properly lazily.
4005 Vector shifts should be fixed too. */
4013 /* SHA Iops */
4019 /* I128-bit data-steering */
4023 /* V256-bit SIMD */
4033 /* V256-bit data-steering */
4037 /* Scalar floating point */
4041 /* I32(rm) x F32 -> I64 */
4045 /* I32(rm) x I64 -> F32 */
4060 /* I32(rm) x I64/F64 -> I64/F64 */
4066 /* I32(rm) x D64 -> D64 */
4072 /* I32(rm) x D128 -> D128 */
4076 /* I32(rm) x F128 -> F128 */
4083 /* I32(rm) x I64/D64 -> D64/I64 */
4092 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D32/F32 */
4101 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D64/F64 */
4110 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D128/F128 */
4116 /* I32(rm) x I32/F32 -> I32/F32 */
4120 /* I32(rm) x F128 -> F128 */
4127 /* First arg is I32 (rounding mode), second is F32/I32 (data). */
4132 /* First arg is I32 (rounding mode), second is F64/F32 (data). */
4165 /* First arg is I32 (rounding mode), second is F64/D64 (data). */
4169 /* First arg is I32 (rounding mode), second is D64 (data). */
4173 /* First arg is I32 (rounding mode), second is F64 (data). */
4177 /* I64 x I64 -> D64 */
4181 /* I64 x I128 -> D128 */
4195 /* F32 x F32 -> F32 */
4200 /* F64 x F64 -> F64 */
4203 /* non-FP after here */
4225 }
4233 }
4240 }
4248 }
4256 }
4263 }
4287 }
4295 }
4297 cheap_AddSub32:
4314 }
4322 }
4324 cheap_AddSub64:
4338 ////---- CmpXX64
4342 else
4345 expensive_cmp64:
4349 cheap_cmp64:
4354 ////---- CmpXX32
4358 else
4361 expensive_cmp32:
4365 cheap_cmp32:
4370 ////---- CmpXX16
4374 else
4377 expensive_cmp16:
4381 cheap_cmp16:
4384 ////---- CmpXX8
4388 else
4391 expensive_cmp8:
4394 cheap_cmp8:
4397 ////---- end CmpXX{64,32,16,8}
4403 /* Just say these all produce a defined result, regardless
4404 of their arguments. See COMMENT_ON_CasCmpEQ in this file. */
4457 do_And_Or:
4458 return
4461 and_or_ty,
4479 /* V256-bit SIMD */
4489 /* Same scheme as with all other shifts. Note: 22 Oct 05:
4490 this is wrong now, scalar shifts are done properly lazily.
4491 Vector shifts should be fixed too. */
4545 /* Perm32x8: rearrange values in left arg using steering values
4546 from right arg. So rearrange the vbits in the same way but
4547 pessimise wrt steering values. */
4550 mce,
4553 );
4555 /* Q-and-Qshift-by-vector of the form (V128, V128) -> V256.
4556 Handle the shifted results in the same way that other
4557 binary Q ops are handled, eg QSub: UifU the two args,
4558 then pessimise -- which is binaryNIxM. But for the upper
4559 V128, we require to generate just 1 bit which is the
4560 pessimised shift result, with 127 defined zeroes above it.
4562 Note that this overly pessimistic in that in fact only the
4563 bottom 8 bits of each lane of the second arg determine the shift
4564 amount. Really we ought to ignore any undefinedness in the
4565 rest of the lanes of the second arg. */
4574 {
4575 // The function to generate the pessimised shift result
4604 }
4606 // Pessimised shift result, shV[127:0]
4608 // Generates: Def--(127)--Def PCast-to-I1(shV)
4610 // and assemble the result
4613 }
4618 }
4619 }
4622 static
4624 {
4625 /* For the widening operations {8,16,32}{U,S}to{16,32,64}, the
4626 selection of shadow operation implicitly duplicates the logic in
4627 do_shadow_LoadG and should be kept in sync (in the very unlikely
4628 event that the interpretation of such widening ops changes in
4629 future). See comment in do_shadow_LoadG. */
4967 }
4968 }
4971 /* Worker function -- do not call directly. See comments on
4972 expr2vbits_Load for the meaning of |guard|.
4974 Generates IR to (1) perform a definedness test of |addr|, (2)
4975 perform a validity test of |addr|, and (3) return the Vbits for the
4976 location indicated by |addr|. All of this only happens when
4977 |guard| is NULL or |guard| evaluates to True at run time.
4979 If |guard| evaluates to False at run time, the returned value is
4980 the IR-mandated 0x55..55 value, and no checks nor shadow loads are
4981 performed.
4983 The definedness of |guard| itself is not checked. That is assumed
4984 to have been done before this point, by the caller. */
4985 static
4989 {
4993 /* First, emit a definedness test for the address. This also sets
4994 the address (shadow) to 'defined' following the test. */
4997 /* Now cook up a call to the relevant helper function, to read the
4998 data V bits from shadow memory. */
5029 }
5054 }
5055 }
5060 /* Generate the actual address into addrAct. */
5065 IROp mkAdd;
5072 }
5074 /* We need to have a place to park the V bits we're just about to
5075 read. */
5078 /* Here's the call. */
5090 }
5095 /* Ideally the didn't-happen return value here would be all-ones
5096 (all-undefined), so it'd be obvious if it got used
5097 inadvertently. We can get by with the IR-mandated default
5098 value (0b01 repeating, 0x55 etc) as that'll still look pretty
5099 undefined if it ever leaks out. */
5100 }
5104 }
5107 /* Generate IR to do a shadow load. The helper is expected to check
5108 the validity of the address and return the V bits for that address.
5109 This can optionally be controlled by a guard, which is assumed to
5110 be True if NULL. In the case where the guard is False at runtime,
5111 the helper will return the didn't-do-the-call value of 0x55..55.
5112 Since that means "completely undefined result", the caller of
5113 this function will need to fix up the result somehow in that
5114 case.
5116 Caller of this function is also expected to have checked the
5117 definedness of |guard| before this point.
5118 */
5119 static
5124 {
5136 }
5137 }
5140 /* The most general handler for guarded loads. Assumes the
5141 definedness of GUARD has already been checked by the caller. A
5142 GUARD of NULL is assumed to mean "always True". Generates code to
5143 check the definedness and validity of ADDR.
5145 Generate IR to do a shadow load from ADDR and return the V bits.
5146 The loaded type is TY. The loaded data is then (shadow) widened by
5147 using VWIDEN, which can be Iop_INVALID to denote a no-op. If GUARD
5148 evaluates to False at run time then the returned Vbits are simply
5149 VALT instead. Note therefore that the argument type of VWIDEN must
5150 be TY and the result type of VWIDEN must equal the type of VALT.
5151 */
5152 static
5158 {
5159 /* Sanity check the conversion operation, and also set TYWIDE. */
5170 }
5172 /* If the guard evaluates to True, this will hold the loaded V bits
5173 at TY. If the guard evaluates to False, this will be all
5174 ones, meaning "all undefined", in which case we will have to
5175 replace it using an ITE below. */
5176 IRAtom* iftrue1
5179 /* Now (shadow-) widen the loaded V bits to the desired width. In
5180 the guard-is-False case, the allowable widening operators will
5181 in the worst case (unsigned widening) at least leave the
5182 pre-widened part as being marked all-undefined, and in the best
5183 case (signed widening) mark the whole widened result as
5184 undefined. Anyway, it doesn't matter really, since in this case
5185 we will replace said value with the default value |valt| using an
5186 ITE. */
5187 IRAtom* iftrue2
5189 ? iftrue1
5191 /* These are the V bits we will return if the load doesn't take
5192 place. */
5193 IRAtom* iffalse
5195 /* Prepare the cond for the ITE. Convert a NULL cond into
5196 something that iropt knows how to fold out later. */
5197 IRAtom* cond
5199 /* And assemble the final result. */
5201 }
5204 /* A simpler handler for guarded loads, in which there is no
5205 conversion operation, and the default V bit return (when the guard
5206 evaluates to False at runtime) is "all defined". If there is no
5207 guard expression or the guard is always TRUE this function behaves
5208 like expr2vbits_Load. It is assumed that definedness of GUARD has
5209 already been checked at the call site. */
5210 static
5215 {
5218 );
5219 }
5222 static
5225 {
5227 IRType ty;
5228 /* Given ITE(cond, iftrue, iffalse), generate
5229 ITE(cond, iftrue#, iffalse#) `UifU` PCast(cond#)
5230 That is, steer the V bits like the originals, but trash the
5231 result if the steering value is undefined. This gives
5232 lazy propagation. */
5242 return
5246 }
5248 /* --------- This is the main expression-handling function. --------- */
5250 static
5253 {
5271 mce,
5275 );
5279 mce,
5283 );
5287 mce,
5290 hu
5291 );
5316 }
5317 }
5320 /*------------------------------------------------------------*/
5321 /*--- Generate shadow stmts from all kinds of IRStmts. ---*/
5322 /*------------------------------------------------------------*/
5324 /* Widen a value to the host word size. */
5326 static
5328 {
5331 /* vatom is vbits-value and as such can only have a shadow type. */
5347 }
5361 }
5364 }
5365 unhandled:
5368 }
5371 /* Generate a shadow store. |addr| is always the original address
5372 atom. You can pass in either originals or V-bits for the data
5373 atom, but obviously not both. This function generates a check for
5374 the definedness and (indirectly) the validity of |addr|, but only
5375 when |guard| evaluates to True at run time (or is NULL).
5377 |guard| :: Ity_I1 controls whether the store really happens; NULL
5378 means it unconditionally does. Note that |guard| itself is not
5379 checked for definedness; the caller of this function must do that
5380 if necessary.
5381 */
5382 static
5384 IREndness end,
5388 {
5389 IROp mkAdd;
5407 }
5415 }
5419 // If we're not doing undefined value checking, pretend that this value
5420 // is "all valid". That lets Vex's optimiser remove some of the V bit
5421 // shadow computation ops that precede it.
5433 }
5435 }
5437 /* First, emit a definedness test for the address. This also sets
5438 the address (shadow) to 'defined' following the test. Both of
5439 those actions are gated on |guard|. */
5442 /* Now decide which helper function to call to write the data V
5443 bits into shadow memory. */
5461 }
5477 /* Note, no V256 case here, because no big-endian target that
5478 we support, has 256 vectors. */
5480 }
5481 }
5485 /* V256-bit case -- phrased in terms of 64 bit units (Qs), with
5486 Q3 being the most significant lane. */
5487 /* These are the offsets of the Qs in memory. */
5490 /* Various bits for constructing the 4 lane helper calls */
5500 }
5509 );
5518 );
5527 );
5536 );
5550 }
5553 /* V128-bit case */
5554 /* See comment in next clause re 64-bit regparms */
5555 /* also, need to be careful about endianness */
5569 }
5578 );
5586 );
5599 /* 8/16/32/64-bit cases */
5600 /* Generate the actual address into addrAct. */
5606 }
5609 /* We can't do this with regparm 2 on 32-bit platforms, since
5610 the back ends aren't clever enough to handle 64-bit
5611 regparm args. Therefore be different. */
5616 );
5623 );
5624 }
5628 }
5630 }
5633 /* Do lazy pessimistic propagation through a dirty helper call, by
5634 looking at the annotations on it. This is the most complex part of
5635 Memcheck. */
5638 {
5645 }
5646 }
5648 static
5650 {
5654 IRTemp dst;
5655 IREndness end;
5657 /* What's the native endianness? We need to know this. */
5658 # if defined(VG_BIGENDIAN)
5660 # elif defined(VG_LITTLEENDIAN)
5662 # else
5664 # endif
5666 /* First check the guard. */
5669 /* Now round up all inputs and PCast over them. */
5672 /* Inputs: unmasked args
5673 Note: arguments are evaluated REGARDLESS of the guard expression */
5678 /* ignore this arg */
5682 }
5683 }
5685 /* Inputs: guest state that we read. */
5691 /* Enumerate the described state segments */
5696 /* Ignore any sections marked as 'always defined'. */
5702 }
5704 /* This state element is read or modified. So we need to
5705 consider it. If larger than 8 bytes, deal with it in
5706 8-byte chunks. */
5711 /* update 'curr' with UifU of the state slice
5712 gOff .. gOff+n-1 */
5715 /* Observe the guard expression. If it is false use an
5716 all-bits-defined bit pattern */
5729 }
5730 }
5731 }
5733 /* Inputs: memory. First set up some info needed regardless of
5734 whether we're doing reads or writes. */
5737 /* Because we may do multiple shadow loads/stores from the same
5738 base address, it's best to do a single test of its
5739 definedness right now. Post-instrumentation optimisation
5740 should remove all but this test. */
5741 IRType tyAddr;
5748 }
5750 /* Deal with memory inputs (reads or modifies) */
5753 /* chew off 32-bit chunks. We don't care about the endianness
5754 since it's all going to be condensed down to a single bit,
5755 but nevertheless choose an endianness which is hopefully
5756 native to the platform. */
5762 );
5765 }
5766 /* chew off 16-bit chunks */
5772 );
5775 }
5776 /* chew off the remaining 8-bit chunk, if any */
5782 );
5785 }
5787 }
5789 /* Whew! So curr is a 32-bit V-value summarising pessimistically
5790 all the inputs to the helper. Now we need to re-distribute the
5791 results to all destinations. */
5793 /* Outputs: the destination temporary, if there is one. */
5798 }
5800 /* Outputs: guest state that we write or modify. */
5806 /* Enumerate the described state segments */
5811 /* Ignore any sections marked as 'always defined'. */
5815 /* This state element is written or modified. So we need to
5816 consider it. If larger than 8 bytes, deal with it in
5817 8-byte chunks. */
5822 /* Write suitably-casted 'curr' to the state slice
5823 gOff .. gOff+n-1 */
5830 }
5831 }
5832 }
5834 /* Outputs: memory that we write or modify. Same comments about
5835 endianness as above apply. */
5838 /* chew off 32-bit chunks */
5845 }
5846 /* chew off 16-bit chunks */
5853 }
5854 /* chew off the remaining 8-bit chunk, if any */
5861 }
5863 }
5865 }
5868 /* We have an ABI hint telling us that [base .. base+len-1] is to
5869 become undefined ("writable"). Generate code to call a helper to
5870 notify the A/V bit machinery of this fact.
5872 We call
5873 void MC_(helperc_MAKE_STACK_UNINIT) ( Addr base, UWord len,
5874 Addr nia );
5875 */
5876 static
5878 {
5887 );
5889 /* We ignore the supplied nia, since it is irrelevant. */
5891 /* Special-case the len==128 case, since that is for amd64-ELF,
5892 which is a very common target. */
5899 );
5906 );
5907 }
5908 }
5911 }
5914 /* ------ Dealing with IRCAS (big and complex) ------ */
5916 /* FWDS */
5928 /* Either ORIG and SHADOW are both IRExpr.RdTmps, or they are both
5929 IRExpr.Consts, else this asserts. If they are both Consts, it
5930 doesn't do anything. So that just leaves the RdTmp case.
5932 In which case: this assigns the shadow value SHADOW to the IR
5933 shadow temporary associated with ORIG. That is, ORIG, being an
5934 original temporary, will have a shadow temporary associated with
5935 it. However, in the case envisaged here, there will so far have
5936 been no IR emitted to actually write a shadow value into that
5937 temporary. What this routine does is to (emit IR to) copy the
5938 value in SHADOW into said temporary, so that after this call,
5939 IRExpr.RdTmps of ORIG's shadow temp will correctly pick up the
5940 value in SHADOW.
5942 Point is to allow callers to compute "by hand" a shadow value for
5943 ORIG, and force it to be associated with ORIG.
5945 How do we know that that shadow associated with ORIG has not so far
5946 been assigned to? Well, we don't per se know that, but supposing
5947 it had. Then this routine would create a second assignment to it,
5948 and later the IR sanity checker would barf. But that never
5949 happens. QED.
5950 */
5954 {
5965 shadow);
5969 shadow);
5970 }
5974 }
5975 }
5978 static
5980 {
5981 /* Scheme is (both single- and double- cases):
5983 1. fetch data#,dataB (the proposed new value)
5985 2. fetch expd#,expdB (what we expect to see at the address)
5987 3. check definedness of address
5989 4. load old#,oldB from shadow memory; this also checks
5990 addressibility of the address
5992 5. the CAS itself
5994 6. compute "expected == old". See COMMENT_ON_CasCmpEQ below.
5996 7. if "expected == old" (as computed by (6))
5997 store data#,dataB to shadow memory
5999 Note that 5 reads 'old' but 4 reads 'old#'. Similarly, 5 stores
6000 'data' but 7 stores 'data#'. Hence it is possible for the
6001 shadow data to be incorrectly checked and/or updated:
6003 * 7 is at least gated correctly, since the 'expected == old'
6004 condition is derived from outputs of 5. However, the shadow
6005 write could happen too late: imagine after 5 we are
6006 descheduled, a different thread runs, writes a different
6007 (shadow) value at the address, and then we resume, hence
6008 overwriting the shadow value written by the other thread.
6010 Because the original memory access is atomic, there's no way to
6011 make both the original and shadow accesses into a single atomic
6012 thing, hence this is unavoidable.
6014 At least as Valgrind stands, I don't think it's a problem, since
6015 we're single threaded *and* we guarantee that there are no
6016 context switches during the execution of any specific superblock
6017 -- context switches can only happen at superblock boundaries.
6019 If Valgrind ever becomes MT in the future, then it might be more
6020 of a problem. A possible kludge would be to artificially
6021 associate with the location, a lock, which we must acquire and
6022 release around the transaction as a whole. Hmm, that probably
6023 would't work properly since it only guards us against other
6024 threads doing CASs on the same location, not against other
6025 threads doing normal reads and writes.
6027 ------------------------------------------------------------
6029 COMMENT_ON_CasCmpEQ:
6031 Note two things. Firstly, in the sequence above, we compute
6032 "expected == old", but we don't check definedness of it. Why
6033 not? Also, the x86 and amd64 front ends use
6034 Iop_CasCmp{EQ,NE}{8,16,32,64} comparisons to make the equivalent
6035 determination (expected == old ?) for themselves, and we also
6036 don't check definedness for those primops; we just say that the
6037 result is defined. Why? Details follow.
6039 x86/amd64 contains various forms of locked insns:
6040 * lock prefix before all basic arithmetic insn;
6041 eg lock xorl %reg1,(%reg2)
6042 * atomic exchange reg-mem
6043 * compare-and-swaps
6045 Rather than attempt to represent them all, which would be a
6046 royal PITA, I used a result from Maurice Herlihy
6047 (http://en.wikipedia.org/wiki/Maurice_Herlihy), in which he
6048 demonstrates that compare-and-swap is a primitive more general
6049 than the other two, and so can be used to represent all of them.
6050 So the translation scheme for (eg) lock incl (%reg) is as
6051 follows:
6053 again:
6054 old = * %reg
6055 new = old + 1
6056 atomically { if (* %reg == old) { * %reg = new } else { goto again } }
6058 The "atomically" is the CAS bit. The scheme is always the same:
6059 get old value from memory, compute new value, atomically stuff
6060 new value back in memory iff the old value has not changed (iow,
6061 no other thread modified it in the meantime). If it has changed
6062 then we've been out-raced and we have to start over.
6064 Now that's all very neat, but it has the bad side effect of
6065 introducing an explicit equality test into the translation.
6066 Consider the behaviour of said code on a memory location which
6067 is uninitialised. We will wind up doing a comparison on
6068 uninitialised data, and mc duly complains.
6070 What's difficult about this is, the common case is that the
6071 location is uncontended, and so we're usually comparing the same
6072 value (* %reg) with itself. So we shouldn't complain even if it
6073 is undefined. But mc doesn't know that.
6075 My solution is to mark the == in the IR specially, so as to tell
6076 mc that it almost certainly compares a value with itself, and we
6077 should just regard the result as always defined. Rather than
6078 add a bit to all IROps, I just cloned Iop_CmpEQ{8,16,32,64} into
6079 Iop_CasCmpEQ{8,16,32,64} so as not to disturb anything else.
6081 So there's always the question of, can this give a false
6082 negative? eg, imagine that initially, * %reg is defined; and we
6083 read that; but then in the gap between the read and the CAS, a
6084 different thread writes an undefined (and different) value at
6085 the location. Then the CAS in this thread will fail and we will
6086 go back to "again:", but without knowing that the trip back
6087 there was based on an undefined comparison. No matter; at least
6088 the other thread won the race and the location is correctly
6089 marked as undefined. What if it wrote an uninitialised version
6090 of the same value that was there originally, though?
6092 etc etc. Seems like there's a small corner case in which we
6093 might lose the fact that something's defined -- we're out-raced
6094 in between the "old = * reg" and the "atomically {", _and_ the
6095 other thread is writing in an undefined version of what's
6096 already there. Well, that seems pretty unlikely.
6098 ---
6100 If we ever need to reinstate it .. code which generates a
6101 definedness test for "expected == old" was removed at r10432 of
6102 this file.
6103 */
6108 }
6109 }
6113 {
6118 IROp opCasCmpEQ;
6119 Int elemSzB;
6120 IRType elemTy;
6123 /* single CAS */
6135 }
6137 /* 1. fetch data# (the proposed new value) */
6139 vdataLo
6143 bdataLo
6146 }
6148 /* 2. fetch expected# (what we expect to see at the address) */
6150 vexpdLo
6154 bexpdLo
6157 }
6159 /* 3. check definedness of address */
6160 /* 4. fetch old# from shadow memory; this also checks
6161 addressibility of the address */
6162 voldLo
6166 mce,
6168 NULL/*always happens*/
6169 ));
6172 boldLo
6176 }
6178 /* 5. the CAS itself */
6181 /* 6. compute "expected == old" */
6182 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6183 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6184 tree, but it's not copied from the input block. */
6185 expd_eq_old
6189 /* 7. if "expected == old"
6190 store data# to shadow memory */
6198 }
6199 }
6203 {
6214 IRType elemTy;
6217 /* double CAS */
6242 }
6244 /* 1. fetch data# (the proposed new value) */
6247 vdataHi
6249 vdataLo
6254 bdataHi
6256 bdataLo
6260 }
6262 /* 2. fetch expected# (what we expect to see at the address) */
6265 vexpdHi
6267 vexpdLo
6272 bexpdHi
6274 bexpdLo
6278 }
6280 /* 3. check definedness of address */
6281 /* 4. fetch old# from shadow memory; this also checks
6282 addressibility of the address */
6290 }
6291 voldHi
6295 mce,
6297 NULL/*always happens*/
6298 ));
6299 voldLo
6303 mce,
6305 NULL/*always happens*/
6306 ));
6310 boldHi
6314 boldLo
6320 }
6322 /* 5. the CAS itself */
6325 /* 6. compute "expected == old" */
6326 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6327 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6328 tree, but it's not copied from the input block. */
6329 /*
6330 xHi = oldHi ^ expdHi;
6331 xLo = oldLo ^ expdLo;
6332 xHL = xHi | xLo;
6333 expd_eq_old = xHL == 0;
6334 */
6341 expd_eq_old
6345 /* 7. if "expected == old"
6346 store data# to shadow memory */
6360 }
6361 }
6364 /* ------ Dealing with LL/SC (not difficult) ------ */
6367 IREndness stEnd,
6368 IRTemp stResult,
6371 {
6372 /* In short: treat a load-linked like a normal load followed by an
6373 assignment of the loaded (shadow) data to the result temporary.
6374 Treat a store-conditional like a normal store, and mark the
6375 result temporary as defined. */
6384 /* Load Linked */
6385 /* Just treat this as a normal load, followed by an assignment of
6386 the value to .result. */
6387 /* Stay sane */
6395 /* Store Conditional */
6396 /* Stay sane */
6398 stStoredata);
6403 stStoredata,
6406 /* This is a store conditional, so it writes to .result a value
6407 indicating whether or not the store succeeded. Just claim
6408 this value is always defined. In the PowerPC interpretation
6409 of store-conditional, definedness of the success indication
6410 depends on whether the address of the store matches the
6411 reservation address. But we can't tell that here (and
6412 anyway, we're not being PowerPC-specific). At least we are
6413 guaranteed that the definedness of the store address, and its
6414 addressibility, will be checked as per normal. So it seems
6415 pretty safe to just say that the success indication is always
6416 defined.
6418 In schemeS, for origin tracking, we must correspondingly set
6419 a no-origin value for the origin shadow of .result.
6420 */
6423 }
6424 }
6427 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
6430 {
6432 /* do_shadow_Store will generate code to check the definedness and
6433 validity of sg->addr, in the case where sg->guard evaluates to
6434 True at run-time. */
6440 }
6443 {
6445 /* expr2vbits_Load_guarded_General will generate code to check the
6446 definedness and validity of lg->addr, in the case where
6447 lg->guard evaluates to True at run-time. */
6449 /* Look at the LoadG's built-in conversion operation, to determine
6450 the source (actual loaded data) type, and the equivalent IROp.
6451 NOTE that implicitly we are taking a widening operation to be
6452 applied to original atoms and producing one that applies to V
6453 bits. Since signed and unsigned widening are self-shadowing,
6454 this is a straight copy of the op (modulo swapping from the
6455 IRLoadGOp form to the IROp form). Note also therefore that this
6456 implicitly duplicates the logic to do with said widening ops in
6457 expr2vbits_Unop. See comment at the start of expr2vbits_Unop. */
6469 }
6471 IRAtom* vbits_alt
6473 IRAtom* vbits_final
6477 /* And finally, bind the V bits to the destination temporary. */
6479 }
6482 /*------------------------------------------------------------*/
6483 /*--- Origin tracking stuff ---*/
6484 /*------------------------------------------------------------*/
6486 /* Almost identical to findShadowTmpV. */
6488 {
6490 /* VG_(indexXA) range-checks 'orig', hence no need to check
6491 here. */
6495 IRTemp tmpB
6497 /* newTemp may cause mce->tmpMap to resize, hence previous results
6498 from VG_(indexXA) are invalid. */
6503 }
6505 }
6508 {
6510 }
6513 /* Make a guarded origin load, with no special handling in the
6514 didn't-happen case. A GUARD of NULL is assumed to mean "always
6515 True".
6517 Generate IR to do a shadow origins load from BASEADDR+OFFSET and
6518 return the otag. The loaded size is SZB. If GUARD evaluates to
6519 False at run time then the returned otag is zero.
6520 */
6524 {
6527 IRTemp bTmp;
6536 }
6561 }
6565 );
6568 /* Ideally the didn't-happen return value here would be
6569 all-zeroes (unknown-origin), so it'd be harmless if it got
6570 used inadvertently. We slum it out with the IR-mandated
6571 default value (0b01 repeating, 0x55 etc) as that'll probably
6572 trump all legitimate otags via Max32, and it's pretty
6573 obviously bogus. */
6574 }
6575 /* no need to mess with any annotations. This call accesses
6576 neither guest state nor guest memory. */
6579 /* 64-bit host */
6584 /* 32-bit host */
6586 }
6587 }
6590 /* Generate IR to do a shadow origins load from BASEADDR+OFFSET. The
6591 loaded size is SZB. The load is regarded as unconditional (always
6592 happens).
6593 */
6595 Int offset )
6596 {
6598 }
6601 /* The most general handler for guarded origin loads. A GUARD of NULL
6602 is assumed to mean "always True".
6604 Generate IR to do a shadow origin load from ADDR+BIAS and return
6605 the B bits. The loaded type is TY. If GUARD evaluates to False at
6606 run time then the returned B bits are simply BALT instead.
6607 */
6608 static
6610 IRType ty,
6613 {
6614 /* If the guard evaluates to True, this will hold the loaded
6615 origin. If the guard evaluates to False, this will be zero,
6616 meaning "unknown origin", in which case we will have to replace
6617 it using an ITE below. */
6618 IRAtom* iftrue
6622 /* These are the bits we will return if the load doesn't take
6623 place. */
6624 IRAtom* iffalse
6626 /* Prepare the cond for the ITE. Convert a NULL cond into
6627 something that iropt knows how to fold out later. */
6628 IRAtom* cond
6630 /* And assemble the final result. */
6632 }
6635 /* Generate a shadow origins store. guard :: Ity_I1 controls whether
6636 the store really happens; NULL means it unconditionally does. */
6640 {
6650 }
6655 }
6680 }
6684 );
6685 /* no need to mess with any annotations. This call accesses
6686 neither guest state nor guest memory. */
6689 }
6698 }
6706 }
6710 {
6719 IRType equivIntTy
6721 /* If this array is unshadowable for whatever reason, use the
6722 usual approximation. */
6729 /* Do a shadow indexed get of the same size, giving t1. Take
6730 the bottom 32 bits of it, giving t2. Compute into t3 the
6731 origin for the index (almost certainly zero, but there's
6732 no harm in being completely general here, since iropt will
6733 remove any useless code), and fold it in, giving a final
6734 value t4. */
6742 }
6744 Int i;
6751 /* Only take notice of this arg if the callee's
6752 mc-exclusion mask does not say it is to be excluded. */
6754 /* the arg is to be excluded from definedness checking.
6755 Do nothing. */
6759 /* calculate the arg's definedness, and pessimistically
6760 merge it in. */
6763 }
6764 }
6766 }
6768 Int dszB;
6770 /* assert that the B value for the address is already
6771 available (somewhere) */
6775 }
6781 }
6789 }
6795 }
6802 /* Just say these all produce a defined result,
6803 regardless of their arguments. See
6804 COMMENT_ON_CasCmpEQ in this file. */
6810 }
6811 }
6813 /*NOTREACHED*/
6814 }
6818 }
6827 );
6831 /* FIXME: this isn't an atom! */
6833 Ity_I32 );
6834 }
6836 }
6841 }
6842 }
6846 {
6847 // This is a hacked version of do_shadow_Dirty
6850 IRTemp dst;
6852 /* First check the guard. */
6855 /* Now round up all inputs and maxU32 over them. */
6857 /* Inputs: unmasked args
6858 Note: arguments are evaluated REGARDLESS of the guard expression */
6863 /* ignore this arg */
6867 }
6868 }
6870 /* Inputs: guest state that we read. */
6876 /* Enumerate the described state segments */
6881 /* Ignore any sections marked as 'always defined'. */
6887 }
6889 /* This state element is read or modified. So we need to
6890 consider it. If larger than 4 bytes, deal with it in
6891 4-byte chunks. */
6893 Int b_offset;
6897 /* update 'curr' with maxU32 of the state slice
6898 gOff .. gOff+n-1 */
6901 /* Observe the guard expression. If it is false use 0, i.e.
6902 nothing is known about the origin */
6910 Ity_I32));
6914 }
6917 }
6918 }
6919 }
6921 /* Inputs: memory */
6924 /* Because we may do multiple shadow loads/stores from the same
6925 base address, it's best to do a single test of its
6926 definedness right now. Post-instrumentation optimisation
6927 should remove all but this test. */
6931 }
6933 /* Deal with memory inputs (reads or modifies) */
6936 /* chew off 32-bit chunks. We don't care about the endianness
6937 since it's all going to be condensed down to a single bit,
6938 but nevertheless choose an endianness which is hopefully
6939 native to the platform. */
6945 }
6946 /* handle possible 16-bit excess */
6952 }
6953 /* chew off the remaining 8-bit chunk, if any */
6959 }
6961 }
6963 /* Whew! So curr is a 32-bit B-value which should give an origin
6964 of some use if any of the inputs to the helper are undefined.
6965 Now we need to re-distribute the results to all destinations. */
6967 /* Outputs: the destination temporary, if there is one. */
6971 }
6973 /* Outputs: guest state that we write or modify. */
6979 /* Enumerate the described state segments */
6984 /* Ignore any sections marked as 'always defined'. */
6988 /* This state element is written or modified. So we need to
6989 consider it. If larger than 4 bytes, deal with it in
6990 4-byte chunks. */
6992 Int b_offset;
6996 /* Write 'curr' to the state slice gOff .. gOff+n-1 */
7000 /* If the guard expression evaluates to false we simply Put
7001 the value that is already stored in the guest state slot */
7009 Ity_I32));
7015 curr ));
7016 }
7019 }
7020 }
7021 }
7023 /* Outputs: memory that we write or modify. Same comments about
7024 endianness as above apply. */
7027 /* chew off 32-bit chunks */
7032 }
7033 /* handle possible 16-bit excess */
7038 }
7039 /* chew off the remaining 8-bit chunk, if any */
7044 }
7046 }
7047 }
7050 /* Generate IR for origin shadowing for a general guarded store. */
7052 IREndness stEnd,
7056 {
7057 Int dszB;
7059 /* assert that the B value for the address is already available
7060 (somewhere), since the call to schemeE will want to see it.
7061 XXXX how does this actually ensure that?? */
7067 }
7070 /* Generate IR for origin shadowing for a plain store. */
7072 IREndness stEnd,
7075 {
7078 }
7081 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7084 {
7087 }
7090 {
7101 }
7102 IRAtom* ori_alt
7104 IRAtom* ori_final
7108 /* And finally, bind the origin to the destination temporary. */
7110 }
7114 {
7120 /* The value-check instrumenter handles this - by arranging
7121 to pass the address of the next instruction to
7122 MC_(helperc_MAKE_STACK_UNINIT). This is all that needs to
7123 happen for origin tracking w.r.t. AbiHints. So there is
7124 nothing to do here. */
7132 IRType equivIntTy
7134 /* If this array is unshadowable for whatever reason,
7135 generate no code. */
7140 descr_b
7143 /* Compute a value to Put - the conjoinment of the origin for
7144 the data to be Put-ted (obviously) and of the index value
7145 (not so obviously). */
7153 }
7174 /* In short: treat a load-linked like a normal load followed
7175 by an assignment of the loaded (shadow) data the result
7176 temporary. Treat a store-conditional like a normal store,
7177 and mark the result temporary as defined. */
7179 /* Load Linked */
7180 IRType resTy
7182 IRExpr* vanillaLoad
7189 /* Store conditional */
7193 /* For the rationale behind this, see comments at the
7194 place where the V-shadow for .result is constructed, in
7195 do_shadow_LLSC. In short, we regard .result as
7196 always-defined. */
7199 }
7201 }
7204 Int b_offset
7208 );
7210 /* FIXME: this isn't an atom! */
7213 }
7215 }
7232 }
7233 }
7236 /*------------------------------------------------------------*/
7237 /*--- Post-tree-build final tidying ---*/
7238 /*------------------------------------------------------------*/
7240 /* This exploits the observation that Memcheck often produces
7241 repeated conditional calls of the form
7243 Dirty G MC_(helperc_value_check0/1/4/8_fail)(UInt otag)
7245 with the same guard expression G guarding the same helper call.
7246 The second and subsequent calls are redundant. This usually
7247 results from instrumentation of guest code containing multiple
7248 memory references at different constant offsets from the same base
7249 register. After optimisation of the instrumentation, you get a
7250 test for the definedness of the base register for each memory
7251 reference, which is kinda pointless. MC_(final_tidy) therefore
7252 looks for such repeated calls and removes all but the first. */
7255 /* With some testing on perf/bz2.c, on amd64 and x86, compiled with
7256 gcc-5.3.1 -O2, it appears that 16 entries in the array are enough to
7257 get almost all the benefits of this transformation whilst causing
7258 the slide-back case to just often enough to be verifiably
7259 correct. For posterity, the numbers are:
7261 bz2-32
7263 1 4,336 (112,212 -> 1,709,473; ratio 15.2)
7264 2 4,336 (112,194 -> 1,669,895; ratio 14.9)
7265 3 4,336 (112,194 -> 1,660,713; ratio 14.8)
7266 4 4,336 (112,194 -> 1,658,555; ratio 14.8)
7267 5 4,336 (112,194 -> 1,655,447; ratio 14.8)
7268 6 4,336 (112,194 -> 1,655,101; ratio 14.8)
7269 7 4,336 (112,194 -> 1,654,858; ratio 14.7)
7270 8 4,336 (112,194 -> 1,654,810; ratio 14.7)
7271 10 4,336 (112,194 -> 1,654,621; ratio 14.7)
7272 12 4,336 (112,194 -> 1,654,678; ratio 14.7)
7273 16 4,336 (112,194 -> 1,654,494; ratio 14.7)
7274 32 4,336 (112,194 -> 1,654,602; ratio 14.7)
7275 inf 4,336 (112,194 -> 1,654,602; ratio 14.7)
7277 bz2-64
7279 1 4,113 (107,329 -> 1,822,171; ratio 17.0)
7280 2 4,113 (107,329 -> 1,806,443; ratio 16.8)
7281 3 4,113 (107,329 -> 1,803,967; ratio 16.8)
7282 4 4,113 (107,329 -> 1,802,785; ratio 16.8)
7283 5 4,113 (107,329 -> 1,802,412; ratio 16.8)
7284 6 4,113 (107,329 -> 1,802,062; ratio 16.8)
7285 7 4,113 (107,329 -> 1,801,976; ratio 16.8)
7286 8 4,113 (107,329 -> 1,801,886; ratio 16.8)
7287 10 4,113 (107,329 -> 1,801,653; ratio 16.8)
7288 12 4,113 (107,329 -> 1,801,526; ratio 16.8)
7289 16 4,113 (107,329 -> 1,801,298; ratio 16.8)
7290 32 4,113 (107,329 -> 1,800,827; ratio 16.8)
7291 inf 4,113 (107,329 -> 1,800,827; ratio 16.8)
7292 */
7294 /* Structs for recording which (helper, guard) pairs we have already
7295 seen. */
7297 #define N_TIDYING_PAIRS 16
7299 typedef
7301 Pair;
7303 typedef
7306 UInt pairsUsed;
7307 }
7308 Pairs;
7311 /* Return True if e1 and e2 definitely denote the same value (used to
7312 compare guards). Return False if unknown; False is the safe
7313 answer. Since guest registers and guest memory do not have the
7314 SSA property we must return False if any Gets or Loads appear in
7315 the expression. This implicitly assumes that e1 and e2 have the
7316 same IR type, which is always true here -- the type is Ity_I1. */
7319 {
7341 /* be lazy. Could define equality for these, but they never
7342 appear to be used. */
7347 /* be conservative - these may not give the same value each
7348 time */
7351 /* should never see this */
7352 /* fallthrough */
7358 }
7359 }
7361 /* See if 'pairs' already has an entry for (entry, guard). Return
7362 True if so. If not, add an entry. */
7364 static
7366 {
7373 }
7374 /* (guard, entry) wasn't found in the array. Add it at the end.
7375 If the array is already full, slide the entries one slot
7376 backwards. This means we will lose to ability to detect
7377 duplicates from the pair in slot zero, but that happens so
7378 rarely that it's unlikely to have much effect on overall code
7379 quality. Also, this strategy loses the check for the oldest
7380 tracked exit (memory reference, basically) and so that is (I'd
7381 guess) least likely to be re-used after this point. */
7386 }
7393 n++;
7395 }
7397 }
7400 {
7401 /* This is expensive because it happens a lot. We are checking to
7402 see whether |name| is one of the following 8 strings:
7404 MC_(helperc_value_check8_fail_no_o)
7405 MC_(helperc_value_check4_fail_no_o)
7406 MC_(helperc_value_check0_fail_no_o)
7407 MC_(helperc_value_check1_fail_no_o)
7408 MC_(helperc_value_check8_fail_w_o)
7409 MC_(helperc_value_check0_fail_w_o)
7410 MC_(helperc_value_check1_fail_w_o)
7411 MC_(helperc_value_check4_fail_w_o)
7413 To speed it up, check the common prefix just once, rather than
7414 all 8 times.
7415 */
7423 /* We still have some prefix to use */
7426 name++;
7427 prefix++;
7428 }
7430 /* Check the part after the prefix. */
7440 }
7443 {
7444 Int i;
7449 Bool alreadyPresent;
7450 Pairs pairs;
7457 /* Scan forwards through the statements. Each time a call to one
7458 of the relevant helpers is seen, check if we have made a
7459 previous call to the same helper using the same guard
7460 expression, and if so, delete the call. */
7473 /* Ok, we have a call to helperc_value_check0/1/4/8_fail with
7474 guard 'guard'. Check if we have already seen a call to this
7475 function with the same guard. If so, delete it. If not,
7476 add it to the set of calls we do know about. */
7481 }
7482 }
7488 }
7490 #undef N_TIDYING_PAIRS
7493 /*------------------------------------------------------------*/
7494 /*--- Startup assertion checking ---*/
7495 /*------------------------------------------------------------*/
7498 {
7499 /* Make a best-effort check to see that is_helperc_value_checkN_fail
7500 is working as we expect. */
7502 # define CHECK(_expected, _string) \
7503 tl_assert((_expected) == is_helperc_value_checkN_fail(_string))
7505 /* It should identify these 8, and no others, as targets. */
7515 /* Ad-hoc selection of other strings gathered via a quick test. */
7545 # undef CHECK
7546 }
7549 /*------------------------------------------------------------*/
7550 /*--- Memcheck main ---*/
7551 /*------------------------------------------------------------*/
7554 {
7574 }
7575 /* VG_(printf)("%llx\n", n); */
7576 /* Shortcuts */
7579 /* The list of bogus atoms is: */
7590 );
7591 }
7594 /* Does 'st' mention any of the literals identified/listed in
7595 isBogusAtom()? */
7597 {
7598 Int i;
7641 }
7649 }
7650 }
7668 }
7673 }
7696 unhandled:
7699 }
7700 }
7703 /* This is the pre-instrumentation analysis. It does a backwards pass over
7704 the stmts in |sb_in| to determine a HowUsed value for each tmp defined in
7705 the block.
7707 Unrelatedly, it also checks all literals in the block with |isBogusAtom|,
7708 as a positive result from that is a strong indication that we need to
7709 expensively instrument add/sub in the block. We do both analyses in one
7710 pass, even though they are independent, so as to avoid the overhead of
7711 having to traverse the whole block twice.
7713 The usage pass proceeds as follows. Let max= be the max operation in the
7714 HowUsed lattice, hence
7716 X max= Y means X = max(X, Y)
7718 then
7720 for t in original tmps . useEnv[t] = HuUnU
7722 for t used in the block's . next field
7723 useEnv[t] max= HuPCa // because jmp targets are PCast-tested
7725 for st iterating *backwards* in the block
7727 match st
7729 case "t1 = load(t2)" // case 1
7730 useEnv[t2] max= HuPCa
7732 case "t1 = add(t2, t3)" // case 2
7733 useEnv[t2] max= useEnv[t1]
7734 useEnv[t3] max= useEnv[t1]
7736 other
7737 for t in st.usedTmps // case 3
7738 useEnv[t] max= HuOth
7739 // same as useEnv[t] = HuOth
7741 The general idea is that we accumulate, in useEnv[], information about
7742 how each tmp is used. That can be updated as we work further back
7743 through the block and find more uses of it, but its HowUsed value can
7744 only ascend the lattice, not descend.
7746 Initially we mark all tmps as unused. In case (1), if a tmp is seen to
7747 be used as a memory address, then its use is at least HuPCa. The point
7748 is that for a memory address we will add instrumentation to check if any
7749 bit of the address is undefined, which means that we won't need expensive
7750 V-bit propagation through an add expression that computed the address --
7751 cheap add instrumentation will be equivalent.
7753 Note in case (1) that if we have previously seen a non-memory-address use
7754 of the tmp, then its use will already be HuOth and will be unchanged by
7755 the max= operation. And if it turns out that the source of the tmp was
7756 an add, then we'll have to expensively instrument the add, because we
7757 can't prove that, for the previous non-memory-address use of the tmp,
7758 cheap and expensive instrumentation will be equivalent.
7760 In case 2, we propagate the usage-mode of the result of an add back
7761 through to its operands. Again, we use max= so as to take account of the
7762 fact that t2 or t3 might later in the block (viz, earlier in the
7763 iteration) have been used in a way that requires expensive add
7764 instrumentation.
7766 In case 3, we deal with all other tmp uses. We assume that we'll need a
7767 result that is as accurate as possible, so we max= HuOth into its use
7768 mode. Since HuOth is the top of the lattice, that's equivalent to just
7769 setting its use to HuOth.
7771 The net result of all this is that:
7773 tmps that are used either
7774 - only as a memory address, or
7775 - only as part of a tree of adds that computes a memory address,
7776 and has no other use
7777 are marked as HuPCa, and so we can instrument their generating Add
7778 nodes cheaply, which is the whole point of this analysis
7780 tmps that are used any other way at all are marked as HuOth
7782 tmps that are unused are marked as HuUnU. We don't expect to see any
7783 since we expect that the incoming IR has had all dead assignments
7784 removed by previous optimisation passes. Nevertheless the analysis is
7785 correct even in the presence of dead tmps.
7787 A final comment on dead tmps. In case 1 and case 2, we could actually
7788 conditionalise the updates thusly:
7790 if (useEnv[t1] > HuUnU) { useEnv[t2] max= HuPCa } // case 1
7792 if (useEnv[t1] > HuUnU) { useEnv[t2] max= useEnv[t1] } // case 2
7793 if (useEnv[t1] > HuUnU) { useEnv[t3] max= useEnv[t1] } // case 2
7795 In other words, if the assigned-to tmp |t1| is never used, then there's
7796 no point in propagating any use through to its operands. That won't
7797 change the final HuPCa-vs-HuOth results, which is what we care about.
7798 Given that we expect to get dead-code-free inputs, there's no point in
7799 adding this extra refinement.
7800 */
7802 /* Helper for |preInstrumentationAnalysis|. */
7804 UInt tyenvUsed,
7806 {
7807 /* For the atom |at|, declare that for any tmp |t| in |at|, we will have
7808 seen a use of |newUse|. So, merge that info into |t|'s accumulated
7809 use info. */
7817 // The "max" operation in the lattice
7820 }
7822 // We should never get here -- it implies non-flat IR
7825 }
7826 /*NOTREACHED*/
7828 }
7834 {
7837 // We've seen no bogus literals so far.
7840 // This is calloc'd, so implicitly all entries are initialised to HuUnU.
7844 // Firstly, roll in contributions from the final dst address.
7848 // Now work backwards through the stmts.
7852 // Deal with literals.
7855 }
7857 // Deal with tmp uses.
7862 // This is the one place where we have to consider all possible
7863 // tags for |rhs|, and can't just assume it is a tmp or a const.
7866 // just propagate demand for |dst| into this tmp use.
7875 // propagate demand for |dst| through to the operands.
7881 // just say that the operands are used in some unknown way.
7886 }
7889 // All operands are used in some unknown way.
7895 }
7897 // All operands are used in some unknown way.
7904 }
7906 // The address will be checked (== PCasted).
7910 // The condition is PCasted, the then- and else-values
7911 // aren't.
7917 // The args are used in unknown ways.
7920 }
7923 // The index will be checked/PCasted (see do_shadow_GETI)
7926 }
7934 }
7936 }
7938 // The address will be checked (== PCasted). The data will be
7939 // used in some unknown way.
7944 // The guard will be checked (== PCasted)
7952 // The index will be checked/PCasted (see do_shadow_PUTI). The
7953 // data will be used in an unknown way.
7957 }
7960 // The guard will be checked (== PCasted)
7962 // The args will be used in unknown ways.
7965 }
7967 }
7970 // Address will be pcasted, everything else used as unknown
7979 }
7981 // Both exprs are used in unknown ways. TODO: can we safely
7982 // just ignore AbiHints?
7987 // We might be able to do better, and use HuPCa for the addr.
7988 // It's not immediately obvious that we can, because the address
7989 // is regarded as "used" only when the guard is true.
7995 }
7997 // Per similar comments to Ist_StoreG .. not sure whether this
7998 // is really optimal.
8004 }
8010 }
8018 }
8019 }
8022 // Return the computed use env and the bogus-atom flag.
8028 }
8037 {
8041 MCEnv mce;
8045 /* We don't currently support this case. */
8047 }
8049 /* Check we're not completely nuts */
8060 /* Set up SB */
8063 /* Set up the running environment. Both .sb and .tmpMap are
8064 modified as we go along. Note that tmps are added to both
8065 .sb->tyenv and .tmpMap together, so the valid index-set for
8066 those two arrays should always be identical. */
8074 /* BEGIN decide on expense levels for instrumentation. */
8076 /* Initially, select the cheap version of everything for which we have an
8077 option. */
8080 /* Take account of the --expensive-definedness-checks= flag. */
8082 /* We just selected 'cheap for everything', so we don't need to do
8083 anything here. mce.tmpHowUsed remains NULL. */
8084 }
8086 /* Select 'expensive for everything'. mce.tmpHowUsed remains NULL. */
8088 }
8091 /* We'll make our own selection, based on known per-target constraints
8092 and also on analysis of the block to be instrumented. First, set
8093 up default values for detail levels.
8095 On x86 and amd64, we'll routinely encounter code optimised by LLVM
8096 5 and above. Enable accurate interpretation of the following.
8097 LLVM uses adds for some bitfield inserts, and we get a lot of false
8098 errors if the cheap interpretation is used, alas. Could solve this
8099 much better if we knew which of such adds came from x86/amd64 LEA
8100 instructions, since these are the only ones really needing the
8101 expensive interpretation, but that would require some way to tag
8102 them in the _toIR.c front ends, which is a lot of faffing around.
8103 So for now we use preInstrumentationAnalysis() to detect adds which
8104 are used only to construct memory addresses, which is an
8105 approximation to the above, and is self-contained.*/
8106 # if defined(VGA_x86)
8108 # elif defined(VGA_amd64)
8111 # endif
8113 /* preInstrumentationAnalysis() will allocate &mce.tmpHowUsed and then
8114 fill it in. */
8119 /* This happens very rarely. In this case just select expensive
8120 for everything, and throw away the tmp-use analysis results. */
8125 /* Nothing. mce.tmpHowUsed contains tmp-use analysis results,
8126 which will be used for some subset of Iop_{Add,Sub}{32,64},
8127 based on which ones are set to DLauto for this target. */
8128 }
8129 }
8134 // Debug printing: which tmps have been identified as PCast-only use
8140 }
8141 }
8143 }
8145 // Debug printing: number of ops by detail level
8152 }
8153 /* END decide on expense levels for instrumentation. */
8155 /* Initialise the running the tmp environment. */
8161 TempMapEnt ent;
8166 }
8169 /* Finally, begin instrumentation. */
8170 /* Copy verbatim any IR preamble preceding the first IMark */
8183 i++;
8184 }
8186 /* Nasty problem. IR optimisation of the pre-instrumented IR may
8187 cause the IR following the preamble to contain references to IR
8188 temporaries defined in the preamble. Because the preamble isn't
8189 instrumented, these temporaries don't have any shadows.
8190 Nevertheless uses of them following the preamble will cause
8191 memcheck to generate references to their shadows. End effect is
8192 to cause IR sanity check failures, due to references to
8193 non-existent shadows. This is only evident for the complex
8194 preambles used for function wrapping on TOC-afflicted platforms
8195 (ppc64-linux).
8197 The following loop therefore scans the preamble looking for
8198 assignments to temporaries. For each one found it creates an
8199 assignment to the corresponding (V) shadow temp, marking it as
8200 'defined'. This is the same resulting IR as if the main
8201 instrumentation loop before had been applied to the statement
8202 'tmp = CONSTANT'.
8204 Similarly, if origin tracking is enabled, we must generate an
8205 assignment for the corresponding origin (B) shadow, claiming
8206 no-origin, as appropriate for a defined value.
8207 */
8210 /* findShadowTmpV checks its arg is an original tmp;
8211 no need to assert that here. */
8220 }
8225 }
8226 }
8227 }
8229 /* Iterate over the remaining stmts to generate instrumentation. */
8245 }
8248 /* See comments on case Ist_CAS below. */
8251 }
8253 /* Generate instrumentation code for each stmt ... */
8265 }
8317 /* Note, do_shadow_CAS copies the CAS itself to the output
8318 block, because it needs to add instrumentation both
8319 before and after it. Hence skip the copy below. Also
8320 skip the origin-tracking stuff (call to schemeS) above,
8321 since that's all tangled up with it too; do_shadow_CAS
8322 does it all. */
8346 }
8348 }
8350 /* ... and finally copy the stmt itself to the output. Except,
8351 skip the copy of IRCASs; see comments on case Ist_CAS
8352 above. */
8355 }
8357 /* Now we need to complain if the jump target is undefined. */
8364 }
8373 }
8375 }
8377 /* If this fails, there's been some serious snafu with tmp management,
8378 that should be investigated. */
8384 }
8388 }
8391 /*--------------------------------------------------------------------*/
8392 /*--- end mc_translate.c ---*/
8393 /*--------------------------------------------------------------------*/