| blob | 05e6d59afa516e3cf9774c1f529f05427ab1a366 |
2 /*--------------------------------------------------------------------*/
3 /*--- Instrument IR to perform memory checking operations. ---*/
4 /*--- mc_translate.c ---*/
5 /*--------------------------------------------------------------------*/
7 /*
8 This file is part of MemCheck, a heavyweight Valgrind tool for
9 detecting memory errors.
11 Copyright (C) 2000-2017 Julian Seward
12 jseward@acm.org
14 This program is free software; you can redistribute it and/or
15 modify it under the terms of the GNU General Public License as
16 published by the Free Software Foundation; either version 2 of the
17 License, or (at your option) any later version.
19 This program is distributed in the hope that it will be useful, but
20 WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, see <http://www.gnu.org/licenses/>.
27 The GNU General Public License is contained in the file COPYING.
28 */
44 /* FIXMEs JRS 2011-June-16.
46 Check the interpretation for vector narrowing and widening ops,
47 particularly the saturating ones. I suspect they are either overly
48 pessimistic and/or wrong.
50 Iop_QandSQsh64x2 and friends (vector-by-vector bidirectional
51 saturating shifts): the interpretation is overly pessimistic.
52 See comments on the relevant cases below for details.
54 Iop_Sh64Sx2 and friends (vector-by-vector bidirectional shifts,
55 both rounding and non-rounding variants): ditto
56 */
58 /* This file implements the Memcheck instrumentation, and in
59 particular contains the core of its undefined value detection
60 machinery. For a comprehensive background of the terminology,
61 algorithms and rationale used herein, read:
63 Using Valgrind to detect undefined value errors with
64 bit-precision
66 Julian Seward and Nicholas Nethercote
68 2005 USENIX Annual Technical Conference (General Track),
69 Anaheim, CA, USA, April 10-15, 2005.
71 ----
73 Here is as good a place as any to record exactly when V bits are and
74 should be checked, why, and what function is responsible.
77 Memcheck complains when an undefined value is used:
79 1. In the condition of a conditional branch. Because it could cause
80 incorrect control flow, and thus cause incorrect externally-visible
81 behaviour. [mc_translate.c:complainIfUndefined]
83 2. As an argument to a system call, or as the value that specifies
84 the system call number. Because it could cause an incorrect
85 externally-visible side effect. [mc_translate.c:mc_pre_reg_read]
87 3. As the address in a load or store. Because it could cause an
88 incorrect value to be used later, which could cause externally-visible
89 behaviour (eg. via incorrect control flow or an incorrect system call
90 argument) [complainIfUndefined]
92 4. As the target address of a branch. Because it could cause incorrect
93 control flow. [complainIfUndefined]
95 5. As an argument to setenv, unsetenv, or putenv. Because it could put
96 an incorrect value into the external environment.
97 [mc_replace_strmem.c:VG_WRAP_FUNCTION_ZU(*, *env)]
99 6. As the index in a GETI or PUTI operation. I'm not sure why... (njn).
100 [complainIfUndefined]
102 7. As an argument to the VALGRIND_CHECK_MEM_IS_DEFINED and
103 VALGRIND_CHECK_VALUE_IS_DEFINED client requests. Because the user
104 requested it. [in memcheck.h]
107 Memcheck also complains, but should not, when an undefined value is used:
109 8. As the shift value in certain SIMD shift operations (but not in the
110 standard integer shift operations). This inconsistency is due to
111 historical reasons.) [complainIfUndefined]
114 Memcheck does not complain, but should, when an undefined value is used:
116 9. As an input to a client request. Because the client request may
117 affect the visible behaviour -- see bug #144362 for an example
118 involving the malloc replacements in vg_replace_malloc.c and
119 VALGRIND_NON_SIMD_CALL* requests, where an uninitialised argument
120 isn't identified. That bug report also has some info on how to solve
121 the problem. [valgrind.h:VALGRIND_DO_CLIENT_REQUEST]
124 In practice, 1 and 2 account for the vast majority of cases.
125 */
127 /* Generation of addr-definedness, addr-validity and
128 guard-definedness checks pertaining to loads and stores (Iex_Load,
129 Ist_Store, IRLoadG, IRStoreG, LLSC, CAS and Dirty memory
130 loads/stores) was re-checked 11 May 2013. */
133 /*------------------------------------------------------------*/
134 /*--- Forward decls ---*/
135 /*------------------------------------------------------------*/
139 // See below for comments explaining what this is for.
140 typedef
142 HowUsed;
152 /*------------------------------------------------------------*/
153 /*--- Memcheck running state, and tmp management. ---*/
154 /*------------------------------------------------------------*/
156 /* For a few (maybe 1%) IROps, we have both a cheaper, less exact vbit
157 propagation scheme, and a more expensive, more precise vbit propagation
158 scheme. This enum describes, for such an IROp, which scheme to use. */
159 typedef
161 // Use the cheaper, less-exact variant.
163 // Choose between cheap and expensive based on analysis of the block
164 // to be instrumented. Note that the choice may be done on a
165 // per-instance basis of the IROp that this DetailLevel describes.
166 DLauto,
167 // Use the more expensive, more-exact variant.
168 DLexpensive
169 }
170 DetailLevel;
173 /* A readonly part of the running state. For IROps that have both a
174 less-exact and more-exact interpretation, records which interpretation is
175 to be used. */
176 typedef
178 // For Add32/64 and Sub32/64, all 3 settings are allowed. For the
179 // DLauto case, a per-instance decision is to be made by inspecting
180 // the associated tmp's entry in MCEnv.tmpHowUsed.
181 DetailLevel dl_Add32;
182 DetailLevel dl_Add64;
183 DetailLevel dl_Sub32;
184 DetailLevel dl_Sub64;
185 // For Cmp{EQ,NE}{64,32,16,8}, only DLcheap and DLexpensive are
186 // allowed.
187 DetailLevel dl_CmpEQ64_CmpNE64;
188 DetailLevel dl_CmpEQ32_CmpNE32;
189 DetailLevel dl_CmpEQ16_CmpNE16;
190 DetailLevel dl_CmpEQ8_CmpNE8;
191 }
192 DetailLevelByOp;
195 DetailLevel dl )
196 {
205 }
208 {
221 }
224 DetailLevel dl )
225 {
236 }
239 /* Carries info about a particular tmp. The tmp's number is not
240 recorded, as this is implied by (equal to) its index in the tmpMap
241 in MCEnv. The tmp's type is also not recorded, as this is present
242 in MCEnv.sb->tyenv.
244 When .kind is Orig, .shadowV and .shadowB may give the identities
245 of the temps currently holding the associated definedness (shadowV)
246 and origin (shadowB) values, or these may be IRTemp_INVALID if code
247 to compute such values has not yet been emitted.
249 When .kind is VSh or BSh then the tmp is holds a V- or B- value,
250 and so .shadowV and .shadowB must be IRTemp_INVALID, since it is
251 illogical for a shadow tmp itself to be shadowed.
252 */
253 typedef
255 TempKind;
257 typedef
259 TempKind kind;
260 IRTemp shadowV;
261 IRTemp shadowB;
262 }
263 TempMapEnt;
266 /* A |HowUsed| value carries analysis results about how values are used,
267 pertaining to whether we need to instrument integer adds expensively or
268 not. The running state carries a (readonly) mapping from original tmp to
269 a HowUsed value for it. A usage value can be one of three values,
270 forming a 3-point chain lattice.
272 HuOth ("Other") used in some arbitrary way
273 |
274 HuPCa ("PCast") used *only* in effectively a PCast, in which all
275 | we care about is the all-defined vs not-all-defined distinction
276 |
277 HuUnU ("Unused") not used at all.
279 The "safe" (don't-know) end of the lattice is "HuOth". See comments
280 below in |preInstrumentationAnalysis| for further details.
281 */
282 /* DECLARED ABOVE:
283 typedef
284 enum __attribute__((packed)) { HuUnU=0, HuPCa=1, HuOth=2 }
285 HowUsed;
286 */
288 // Not actually necessary, but we don't want to waste D1 space.
292 /* Carries around state during memcheck instrumentation. */
293 typedef
295 /* MODIFIED: the superblock being constructed. IRStmts are
296 added. */
298 Bool trace;
300 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
301 current kind and possibly shadow temps for each temp in the
302 IRSB being constructed. Note that it does not contain the
303 type of each tmp. If you want to know the type, look at the
304 relevant entry in sb->tyenv. It follows that at all times
305 during the instrumentation process, the valid indices for
306 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
307 total number of Orig, V- and B- temps allocated so far.
309 The reason for this strange split (types in one place, all
310 other info in another) is that we need the types to be
311 attached to sb so as to make it possible to do
312 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
313 instrumentation process. */
316 /* READONLY: contains details of which ops should be expensively
317 instrumented. */
318 DetailLevelByOp dlbo;
320 /* READONLY: for each original tmp, how the tmp is used. This is
321 computed by |preInstrumentationAnalysis|. Valid indices are
322 0 .. #temps_in_sb-1 (same as for tmpMap). */
325 /* READONLY: the guest layout. This indicates which parts of
326 the guest state should be regarded as 'always defined'. */
329 /* READONLY: the host word type. Needed for constructing
330 arguments of type 'HWord' to be passed to helper functions.
331 Ity_I32 or Ity_I64 only. */
332 IRType hWordTy;
333 }
334 MCEnv;
337 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
338 demand), as they are encountered. This is for two reasons.
340 (1) (less important reason): Many original tmps are unused due to
341 initial IR optimisation, and we do not want to spaces in tables
342 tracking them.
344 Shadow IRTemps are therefore allocated on demand. mce.tmpMap is a
345 table indexed [0 .. n_types-1], which gives the current shadow for
346 each original tmp, or INVALID_IRTEMP if none is so far assigned.
347 It is necessary to support making multiple assignments to a shadow
348 -- specifically, after testing a shadow for definedness, it needs
349 to be made defined. But IR's SSA property disallows this.
351 (2) (more important reason): Therefore, when a shadow needs to get
352 a new value, a new temporary is created, the value is assigned to
353 that, and the tmpMap is updated to reflect the new binding.
355 A corollary is that if the tmpMap maps a given tmp to
356 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
357 there's a read-before-write error in the original tmps. The IR
358 sanity checker should catch all such anomalies, however.
359 */
361 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
362 both the table in mce->sb and to our auxiliary mapping. Note that
363 newTemp may cause mce->tmpMap to resize, hence previous results
364 from VG_(indexXA)(mce->tmpMap) are invalidated. */
366 {
367 Word newIx;
368 TempMapEnt ent;
376 }
379 /* Find the tmp currently shadowing the given original tmp. If none
380 so far exists, allocate one. */
382 {
384 /* VG_(indexXA) range-checks 'orig', hence no need to check
385 here. */
389 IRTemp tmpV
391 /* newTemp may cause mce->tmpMap to resize, hence previous results
392 from VG_(indexXA) are invalid. */
397 }
399 }
401 /* Allocate a new shadow for the given original tmp. This means any
402 previous shadow is abandoned. This is needed because it is
403 necessary to give a new value to a shadow once it has been tested
404 for undefinedness, but unfortunately IR's SSA property disallows
405 this. Instead we must abandon the old shadow, allocate a new one
406 and use that instead.
408 This is the same as findShadowTmpV, except we don't bother to see
409 if a shadow temp already existed -- we simply allocate a new one
410 regardless. */
412 {
414 /* VG_(indexXA) range-checks 'orig', hence no need to check
415 here. */
419 IRTemp tmpV
421 /* newTemp may cause mce->tmpMap to resize, hence previous results
422 from VG_(indexXA) are invalid. */
426 }
427 }
430 /*------------------------------------------------------------*/
431 /*--- IRAtoms -- a subset of IRExprs ---*/
432 /*------------------------------------------------------------*/
434 /* An atom is either an IRExpr_Const or an IRExpr_Tmp, as defined by
435 isIRAtom() in libvex_ir.h. Because this instrumenter expects flat
436 input, most of this code deals in atoms. Usefully, a value atom
437 always has a V-value which is also an atom: constants are shadowed
438 by constants, and temps are shadowed by the corresponding shadow
439 temporary. */
443 /* (used for sanity checks only): is this an atom which looks
444 like it's from original code? */
446 {
452 }
454 }
456 /* (used for sanity checks only): is this an atom which looks
457 like it's from shadow code? */
459 {
465 }
467 }
469 /* (used for sanity checks only): check that both args are atoms and
470 are identically-kinded. */
472 {
478 }
481 /*------------------------------------------------------------*/
482 /*--- Type management ---*/
483 /*------------------------------------------------------------*/
485 /* Shadow state is always accessed using integer types. This returns
486 an integer type with the same size (as per sizeofIRType) as the
487 given type. The only valid shadow types are Bit, I8, I16, I32,
488 I64, I128, V128, V256. */
491 {
510 }
511 }
513 /* Produce a 'defined' value of the given shadow type. Should only be
514 supplied shadow types (Bit/I8/I16/I32/UI64). */
526 }
527 }
530 /*------------------------------------------------------------*/
531 /*--- Constructing IR fragments ---*/
532 /*------------------------------------------------------------*/
534 /* add stmt to a bb */
540 }
542 }
544 /* assign value to tmp */
548 }
550 /* build various kinds of expressions */
551 #define triop(_op, _arg1, _arg2, _arg3) \
552 IRExpr_Triop((_op),(_arg1),(_arg2),(_arg3))
553 #define binop(_op, _arg1, _arg2) IRExpr_Binop((_op),(_arg1),(_arg2))
554 #define unop(_op, _arg) IRExpr_Unop((_op),(_arg))
555 #define mkU1(_n) IRExpr_Const(IRConst_U1(_n))
556 #define mkU8(_n) IRExpr_Const(IRConst_U8(_n))
557 #define mkU16(_n) IRExpr_Const(IRConst_U16(_n))
558 #define mkU32(_n) IRExpr_Const(IRConst_U32(_n))
559 #define mkU64(_n) IRExpr_Const(IRConst_U64(_n))
560 #define mkV128(_n) IRExpr_Const(IRConst_V128(_n))
561 #define mkexpr(_tmp) IRExpr_RdTmp((_tmp))
563 /* Bind the given expression to a new temporary, and return the
564 temporary. This effectively converts an arbitrary expression into
565 an atom.
567 'ty' is the type of 'e' and hence the type that the new temporary
568 needs to be. But passing it in is redundant, since we can deduce
569 the type merely by inspecting 'e'. So at least use that fact to
570 assert that the two types agree. */
572 {
573 TempKind k;
574 IRTemp t;
582 /* happens when we are making up new "orig"
583 expressions, for IRCAS handling */
585 }
589 }
592 /*------------------------------------------------------------*/
593 /*--- Helper functions for 128-bit ops ---*/
594 /*------------------------------------------------------------*/
597 {
600 }
602 /* There are no I128-bit loads and/or stores [as generated by any
603 current front ends]. So we do not need to worry about that in
604 expr2vbits_Load */
607 /*------------------------------------------------------------*/
608 /*--- Constructing definedness primitive ops ---*/
609 /*------------------------------------------------------------*/
611 /* --------- Defined-if-either-defined --------- */
617 }
623 }
629 }
635 }
641 }
647 }
653 }
655 /* --------- Undefined-if-either-undefined --------- */
661 }
667 }
673 }
679 }
685 }
699 }
705 }
711 }
725 }
726 }
728 /* --------- The Left-family of operations. --------- */
733 }
738 }
743 }
748 }
750 /* --------- The Right-family of operations. --------- */
752 /* Unfortunately these are a lot more expensive then their Left
753 counterparts. Fortunately they are only very rarely used -- only for
754 count-leading-zeroes instrumentation. */
757 {
759 // a1 |= (a1 >>u i)
760 IRAtom* tmp
763 }
765 }
768 {
770 // a1 |= (a1 >>u i)
771 IRAtom* tmp
774 }
776 }
778 /* --------- 'Improvement' functions for AND/OR. --------- */
780 /* ImproveAND(data, vbits) = data OR vbits. Defined (0) data 0s give
781 defined (0); all other -> undefined (1).
782 */
784 {
789 }
792 {
797 }
800 {
805 }
808 {
813 }
816 {
821 }
824 {
829 }
832 {
837 }
839 /* ImproveOR(data, vbits) = ~data OR vbits. Defined (0) data 1s give
840 defined (0); all other -> undefined (1).
841 */
843 {
851 vbits) );
852 }
855 {
863 vbits) );
864 }
867 {
875 vbits) );
876 }
879 {
887 vbits) );
888 }
891 {
899 vbits) );
900 }
903 {
911 vbits) );
912 }
915 {
923 vbits) );
924 }
926 /* --------- Pessimising casts. --------- */
928 /* The function returns an expression of type DST_TY. If any of the VBITS
929 is undefined (value == 1) the resulting expression has all bits set to
930 1. Otherwise, all bits are 0. */
933 {
934 IRType src_ty;
937 /* Note, dst_ty is a shadow type, not an original type. */
941 /* Fast-track some common cases */
949 /* PCast the arg, then clone it. */
952 }
955 /* PCast the arg, then clone it 4 times. */
959 }
962 /* PCast the arg, then clone it 8 times. */
967 }
970 /* PCast the arg. This gives all 0s or all 1s. Then throw away
971 the top half. */
974 }
977 /* Use InterleaveHI64x2 to copy the top half of the vector into
978 the bottom half. Then we can UifU it with the original, throw
979 away the upper half of the result, and PCast-I64-to-I64
980 the lower half. */
981 // Generates vbits[127:64] : vbits[127:64]
982 IRAtom* hi64hi64
985 // Generates
986 // UifU(vbits[127:64],vbits[127:64]) : UifU(vbits[127:64],vbits[63:0])
987 // == vbits[127:64] : UifU(vbits[127:64],vbits[63:0])
988 IRAtom* lohi64
990 // Generates UifU(vbits[127:64],vbits[63:0])
991 IRAtom* lo64
993 // Generates
994 // PCast-to-I64( UifU(vbits[127:64], vbits[63:0] )
995 // == PCast-to-I64( vbits[127:0] )
996 IRAtom* res
999 }
1001 /* Else do it the slow way .. */
1002 /* First of all, collapse vbits down to a single bit. */
1021 /* Gah. Chop it in half, OR the halves together, and compare
1022 that with zero. */
1029 }
1031 /* Chop it in half, OR the halves together, and compare that
1032 * with zero.
1033 */
1040 }
1044 }
1046 /* Now widen up to the dst type. */
1076 }
1077 }
1079 /* This is a minor variant. It takes an arg of some type and returns
1080 a value of the same type. The result consists entirely of Defined
1081 (zero) bits except its least significant bit, which is a PCast of
1082 the entire argument down to a single bit. */
1084 {
1086 /* --- Case for V128 --- */
1088 // generates: PCast-to-I64(varg128)
1090 // Now introduce zeros (defined bits) in the top 63 places
1091 // generates: Def--(63)--Def PCast-to-I1(varg128)
1092 IRAtom* d63pc
1094 // generates: Def--(64)--Def
1095 IRAtom* d64
1097 // generates: Def--(127)--Def PCast-to-I1(varg128)
1098 IRAtom* res
1101 }
1103 /* --- Case for I64 --- */
1104 // PCast to 64
1106 // Zero (Def) out the top 63 bits
1107 IRAtom* res
1110 }
1111 /*NOTREACHED*/
1113 }
1115 /* --------- Optimistic casts. --------- */
1117 /* The function takes and returns an expression of type TY. If any of the
1118 VBITS indicate defined (value == 0) the resulting expression has all bits
1119 set to 0. Otherwise, all bits are 1. In words, if any bits are defined
1120 then all bits are made to be defined.
1122 In short we compute (vbits - (vbits >>u 1)) >>s (bitsize(vbits)-1).
1123 */
1125 {
1127 UInt sh;
1145 }
1152 }
1155 /* --------- Accurate interpretation of CmpEQ/CmpNE. --------- */
1156 /*
1157 Normally, we can do CmpEQ/CmpNE by doing UifU on the arguments, and
1158 PCasting to Ity_U1. However, sometimes it is necessary to be more
1159 accurate. The insight is that the result is defined if two
1160 corresponding bits can be found, one from each argument, so that
1161 both bits are defined but are different -- that makes EQ say "No"
1162 and NE say "Yes". Hence, we compute an improvement term and DifD
1163 it onto the "normal" (UifU) result.
1165 The result is:
1167 PCastTo<1> (
1168 -- naive version
1169 UifU<sz>(vxx, vyy)
1171 `DifD<sz>`
1173 -- improvement term
1174 OCast<sz>(vec)
1175 )
1177 where
1178 vec contains 0 (defined) bits where the corresponding arg bits
1179 are defined but different, and 1 bits otherwise.
1181 vec = Or<sz>( vxx, // 0 iff bit defined
1182 vyy, // 0 iff bit defined
1183 Not<sz>(Xor<sz>( xx, yy )) // 0 iff bits different
1184 )
1186 If any bit of vec is 0, the result is defined and so the
1187 improvement term should produce 0...0, else it should produce
1188 1...1.
1190 Hence require for the improvement term:
1192 OCast(vec) = if vec == 1...1 then 1...1 else 0...0
1194 which you can think of as an "optimistic cast" (OCast, the opposite of
1195 the normal "pessimistic cast" (PCast) family. An OCast says all bits
1196 are defined if any bit is defined.
1198 It is possible to show that
1200 if vec == 1...1 then 1...1 else 0...0
1202 can be implemented in straight-line code as
1204 (vec - (vec >>u 1)) >>s (word-size-in-bits - 1)
1206 We note that vec contains the sub-term Or<sz>(vxx, vyy). Since UifU is
1207 implemented with Or (since 1 signifies undefinedness), this is a
1208 duplicate of the UifU<sz>(vxx, vyy) term and so we can CSE it out, giving
1209 a final version of:
1211 let naive = UifU<sz>(vxx, vyy)
1212 vec = Or<sz>(naive, Not<sz>(Xor<sz)(xx, yy))
1213 in
1214 PCastTo<1>( DifD<sz>(naive, OCast<sz>(vec)) )
1216 This was extensively re-analysed and checked on 6 July 05 and again
1217 in July 2017.
1218 */
1220 IRType ty,
1223 {
1265 }
1267 naive
1270 vec
1274 naive,
1280 improved
1284 final_cast
1288 }
1290 /* Check if we can know, despite the uncertain bits, that xx is greater than yy.
1291 Notice that it's xx > yy and not the other way around. This is Intel syntax
1292 with destination first. It will appear reversed in gdb disassembly (AT&T
1293 syntax).
1294 */
1296 IROp opGT,
1299 {
1301 IRType ty;
1303 Bool is_signed;
1335 }
1352 }
1362 // For unsigned it's easy to make the min and max: Just set the unknown
1363 // bits all to 0s or 1s. For signed it's harder because having a 1 in the
1364 // MSB makes a number smaller, not larger! We can work around this by
1365 // flipping the MSB before and after computing the min and max values.
1370 // From here on out, we're dealing with MSB-flipped integers.
1371 }
1372 // We can combine xx and vxx to create two values: the largest that xx could
1373 // possibly be and the smallest that xx could possibly be. Likewise, we can
1374 // do the same for yy. We'll call those max_xx and min_xx and max_yy and
1375 // min_yy.
1383 // Unflip the MSBs.
1388 }
1391 // If min_xx is greater than max_yy then xx is surely greater than yy so we know
1392 // our answer for sure. If max_xx is not greater than min_yy then xx can't
1393 // possible be greater than yy so again we know the answer for sure. For all
1394 // other cases, we can't know.
1395 //
1396 // So the result is defined if:
1397 //
1398 // min_xx_gt_max_yy | ~max_xx_gt_min_yy
1399 //
1400 // Because defined in vbits is 0s and not 1s, we need to invert that:
1401 //
1402 // ~(min_xx_gt_max_yy | ~max_xx_gt_min_yy)
1403 //
1404 // We can use DeMorgan's Law to simplify the above:
1405 //
1406 // ~min_xx_gt_max_yy & max_xx_gt_min_yy
1409 }
1411 /* --------- Semi-accurate interpretation of CmpORD. --------- */
1413 /* CmpORD32{S,U} does PowerPC-style 3-way comparisons:
1415 CmpORD32S(x,y) = 1<<3 if x <s y
1416 = 1<<2 if x >s y
1417 = 1<<1 if x == y
1419 and similarly the unsigned variant. The default interpretation is:
1421 CmpORD32{S,U}#(x,y,x#,y#) = PCast(x# `UifU` y#)
1422 & (7<<1)
1424 The "& (7<<1)" reflects the fact that all result bits except 3,2,1
1425 are zero and therefore defined (viz, zero).
1427 Also deal with a special case better:
1429 CmpORD32S(x,0)
1431 Here, bit 3 (LT) of the result is a copy of the top bit of x and
1432 will be defined even if the rest of x isn't. In which case we do:
1434 CmpORD32S#(x,x#,0,{impliedly 0}#)
1435 = PCast(x#) & (3<<1) -- standard interp for GT#,EQ#
1436 | (x# >>u 31) << 3 -- LT# = x#[31]
1438 Analogous handling for CmpORD64{S,U}.
1439 */
1441 {
1442 return
1446 }
1449 {
1450 return
1454 }
1457 IROp cmp_op,
1460 {
1485 }
1488 /* fancy interpretation */
1489 /* if yy is zero, then it must be fully defined (zero#). */
1491 // This is still inaccurate, but I don't think it matters, since
1492 // nobody writes code of the form
1493 // "is <partially-undefined-value> signedly greater than zero?".
1494 // We therefore simply declare "x >s 0" to be undefined if any bit in
1495 // x is undefined. That's clearly suboptimal in some cases. Eg, if
1496 // the highest order bit is a defined 1 then x is negative so it
1497 // doesn't matter whether the remaining bits are defined or not.
1498 IRAtom* t_0_gt_0_0
1502 opAND,
1505 ));
1506 // For "x <s 0", we can just copy the definedness of the top bit of x
1507 // and we have a precise result.
1508 IRAtom* t_lt_0_0_0
1512 opSHL,
1517 ));
1518 // For "x == 0" we can hand the problem off to expensiveCmpEQorNE.
1519 IRAtom* t_0_0_eq_0
1523 opSHL,
1526 op1UtoWS,
1528 ),
1530 ));
1531 return
1533 opOR,
1535 t_0_0_eq_0
1536 );
1538 /* standard interpretation */
1540 return
1542 opAND,
1545 sevenLeft1
1546 );
1547 }
1548 }
1551 /*------------------------------------------------------------*/
1552 /*--- Emit a test and complaint if something is undefined. ---*/
1553 /*------------------------------------------------------------*/
1558 /* Set the annotations on a dirty helper to indicate that the stack
1559 pointer and instruction pointers might be read. This is the
1560 behaviour of all 'emit-a-complaint' style functions we might
1561 call. */
1575 }
1578 /* Check the supplied *original* |atom| for undefinedness, and emit a
1579 complaint if so. Once that happens, mark it as defined. This is
1580 possible because the atom is either a tmp or literal. If it's a
1581 tmp, it will be shadowed by a tmp, and so we can set the shadow to
1582 be defined. In fact as mentioned above, we will have to allocate a
1583 new tmp to carry the new 'defined' shadow value, and update the
1584 original->tmp mapping accordingly; we cannot simply assign a new
1585 value to an existing shadow tmp as this breaks SSAness.
1587 The checks are performed, any resulting complaint emitted, and
1588 |atom|'s shadow temp set to 'defined', ONLY in the case that
1589 |guard| evaluates to True at run-time. If it evaluates to False
1590 then no action is performed. If |guard| is NULL (the usual case)
1591 then it is assumed to be always-true, and hence these actions are
1592 performed unconditionally.
1594 This routine does not generate code to check the definedness of
1595 |guard|. The caller is assumed to have taken care of that already.
1596 */
1598 {
1600 IRType ty;
1601 Int sz;
1608 Int nargs;
1610 // Don't do V bit tests if we're not reporting undefined value errors.
1617 /* Since the original expression is atomic, there's no duplicated
1618 work generated by making multiple V-expressions for it. So we
1619 don't really care about the possibility that someone else may
1620 also create a V-interpretion for it. */
1628 /* sz is only used for constructing the error message */
1632 /* cond will be 0 if all defined, and 1 if any not defined. */
1634 /* Get the origin info for the value we are about to check. At
1635 least, if we are doing origin tracking. If not, use a dummy
1636 zero origin. */
1641 }
1644 }
1663 }
1676 }
1689 }
1702 }
1716 }
1720 }
1733 /* If the complaint is to be issued under a guard condition, AND
1734 that into the guard condition for the helper call. */
1740 }
1745 /* If |atom| is shadowed by an IRTemp, set the shadow tmp to be
1746 defined -- but only in the case where the guard evaluates to
1747 True at run-time. Do the update by setting the orig->shadow
1748 mapping for tmp to reflect the fact that this shadow is getting
1749 a new value. */
1751 /* sameKindedAtoms ... */
1755 // guard is 'always True', hence update unconditionally
1760 // update the temp only conditionally. Do this by copying
1761 // its old value when the guard is False.
1762 // The old value ..
1765 IRAtom* new_tmpV
1770 }
1771 }
1772 }
1775 /*------------------------------------------------------------*/
1776 /*--- Shadowing PUTs/GETs, and indexed variants thereof ---*/
1777 /*------------------------------------------------------------*/
1779 /* Examine the always-defined sections declared in layout to see if
1780 the (offset,size) section is within one. Note, is is an error to
1781 partially fall into such a region: (offset,size) should either be
1782 completely in such a region or completely not-in such a region.
1783 */
1785 {
1804 }
1806 }
1809 /* Generate into bb suitable actions to shadow this Put. If the state
1810 slice is marked 'always defined', do nothing. Otherwise, write the
1811 supplied V bits to the shadow state. We can pass in either an
1812 original atom or a V-atom, but not both. In the former case the
1813 relevant V-bits are then generated from the original.
1814 We assume here, that the definedness of GUARD has already been checked.
1815 */
1816 static
1819 {
1820 IRType ty;
1822 // Don't do shadow PUTs if we're not doing undefined value checking.
1823 // Their absence lets Vex's optimiser remove all the shadow computation
1824 // that they depend on, which includes GETs of the shadow registers.
1835 }
1840 /* later: no ... */
1841 /* emit code to emit a complaint if any of the vbits are 1. */
1842 /* complainIfUndefined(mce, atom); */
1844 /* Do a plain shadow Put. */
1846 /* If the guard expression evaluates to false we simply Put the value
1847 that is already stored in the guest state slot */
1854 }
1856 }
1857 }
1860 /* Return an expression which contains the V bits corresponding to the
1861 given GETI (passed in in pieces).
1862 */
1863 static
1865 {
1868 Int arrSize;;
1874 // Don't do shadow PUTIs if we're not doing undefined value checking.
1875 // Their absence lets Vex's optimiser remove all the shadow computation
1876 // that they depend on, which includes GETIs of the shadow registers.
1890 /* later: no ... */
1891 /* emit code to emit a complaint if any of the vbits are 1. */
1892 /* complainIfUndefined(mce, atom); */
1894 /* Do a cloned version of the Put that refers to the shadow
1895 area. */
1896 IRRegArray* new_descr
1900 }
1901 }
1904 /* Return an expression which contains the V bits corresponding to the
1905 given GET (passed in in pieces).
1906 */
1907 static
1909 {
1914 /* Always defined, return all zeroes of the relevant type */
1917 /* return a cloned version of the Get that refers to the shadow
1918 area. */
1919 /* FIXME: this isn't an atom! */
1921 }
1922 }
1925 /* Return an expression which contains the V bits corresponding to the
1926 given GETI (passed in in pieces).
1927 */
1928 static
1931 {
1939 /* Always defined, return all zeroes of the relevant type */
1942 /* return a cloned version of the Get that refers to the shadow
1943 area. */
1944 IRRegArray* new_descr
1948 }
1949 }
1952 /*------------------------------------------------------------*/
1953 /*--- Generating approximations for unknown operations, ---*/
1954 /*--- using lazy-propagate semantics ---*/
1955 /*------------------------------------------------------------*/
1957 /* Lazy propagation of undefinedness from two values, resulting in the
1958 specified shadow type.
1959 */
1960 static
1962 {
1969 /* The general case is inefficient because PCast is an expensive
1970 operation. Here are some special cases which use PCast only
1971 once rather than twice. */
1973 /* I64 x I64 -> I64 */
1979 }
1981 /* I64 x I64 -> I32 */
1987 }
1989 /* I32 x I32 -> I32 */
1995 }
2005 }
2007 /* General case: force everything via 32-bit intermediaries. */
2012 }
2015 /* 3-arg version of the above. */
2016 static
2019 {
2028 /* The general case is inefficient because PCast is an expensive
2029 operation. Here are some special cases which use PCast only
2030 twice rather than three times. */
2032 /* I32 x I64 x I64 -> I64 */
2033 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2037 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
2038 mode indication which is fully defined, this should get
2039 folded out later. */
2041 /* Now fold in 2nd and 3rd args. */
2044 /* and PCast once again. */
2047 }
2049 /* I32 x I8 x I64 -> I64 */
2053 /* Widen 1st and 2nd args to I64. Since 1st arg is typically a
2054 * rounding mode indication which is fully defined, this should
2055 * get folded out later.
2056 */
2061 /* and PCast once again. */
2064 }
2066 /* I32 x I64 x I64 -> I32 */
2075 }
2077 /* I32 x I32 x I32 -> I32 */
2078 /* 32-bit FP idiom, as (eg) happens on ARM */
2087 }
2089 /* I32 x I16 x I16 -> I16 */
2090 /* 16-bit half-precision FP idiom, as (eg) happens on arm64 v8.2 onwards */
2099 }
2101 /* I32 x I128 x I128 -> I128 */
2102 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2106 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
2107 mode indication which is fully defined, this should get
2108 folded out later. */
2110 /* Now fold in 2nd and 3rd args. */
2113 /* and PCast once again. */
2116 }
2118 /* I32 x I8 x I128 -> I128 */
2119 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2123 /* Use I64 as an intermediate type, which means PCasting all 3
2124 args to I64 to start with. 1st arg is typically a rounding
2125 mode indication which is fully defined, so we hope that it
2126 will get folded out later. */
2130 /* Now UifU all three together. */
2133 /* and PCast once again. */
2136 }
2147 }
2150 /* General case: force everything via 32-bit intermediaries. */
2151 /*
2152 at = mkPCastTo(mce, Ity_I32, va1);
2153 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va2));
2154 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va3));
2155 at = mkPCastTo(mce, finalVty, at);
2156 return at;
2157 */
2158 }
2161 /* 4-arg version of the above. */
2162 static
2165 {
2176 /* The general case is inefficient because PCast is an expensive
2177 operation. Here are some special cases which use PCast only
2178 twice rather than three times. */
2180 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2185 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
2186 mode indication which is fully defined, this should get
2187 folded out later. */
2189 /* Now fold in 2nd, 3rd, 4th args. */
2193 /* and PCast once again. */
2196 }
2198 /* I32 x I64 x I64 x I64 -> I64 */
2202 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
2203 mode indication which is fully defined, this should get
2204 folded out later. */
2206 /* Now fold in 2nd, 3rd, 4th args. */
2210 /* and PCast once again. */
2213 }
2214 /* I32 x I32 x I32 x I32 -> I32 */
2215 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2220 /* Now fold in 2nd, 3rd, 4th args. */
2226 }
2232 /* Now fold in 2nd, 3rd, 4th args. */
2238 }
2244 /* Now fold in 2nd, 3rd, 4th args. */
2250 }
2264 }
2267 }
2270 /* Do the lazy propagation game from a null-terminated vector of
2271 atoms. This is presumably the arguments to a helper call, so the
2272 IRCallee info is also supplied in order that we can know which
2273 arguments should be ignored (via the .mcx_mask field).
2274 */
2275 static
2278 {
2279 Int i;
2282 IRType mergeTy;
2285 /* Decide on the type of the merge intermediary. If all relevant
2286 args are I64, then it's I64. In all other circumstances, use
2287 I32. */
2295 }
2303 /* Only take notice of this arg if the callee's mc-exclusion
2304 mask does not say it is to be excluded. */
2306 /* the arg is to be excluded from definedness checking. Do
2307 nothing. */
2310 /* calculate the arg's definedness, and pessimistically merge
2311 it in. */
2313 curr = mergeTy64
2316 }
2317 }
2319 }
2322 /*------------------------------------------------------------*/
2323 /*--- Generating expensive sequences for exact carry-chain ---*/
2324 /*--- propagation in add/sub and related operations. ---*/
2325 /*------------------------------------------------------------*/
2327 static
2329 Bool add,
2330 IRType ty,
2333 {
2363 }
2365 // a_min = aa & ~qaa
2370 // b_min = bb & ~qbb
2375 // a_max = aa | qaa
2378 // b_max = bb | qbb
2382 // result = (qaa | qbb) | ((a_min + b_min) ^ (a_max + b_max))
2383 return
2391 )
2392 )
2393 )
2394 );
2396 // result = (qaa | qbb) | ((a_min - b_max) ^ (a_max - b_min))
2397 return
2405 )
2406 )
2407 )
2408 );
2409 }
2411 }
2414 static
2417 {
2418 IRType ty;
2444 }
2446 // improver = atom ^ (atom - 1)
2447 //
2448 // That is, improver has its low ctz(atom)+1 bits equal to one;
2449 // higher bits (if any) equal to zero. So it's exactly the right
2450 // mask to use to remove the irrelevant undefined input bits.
2451 /* Here are some examples:
2452 atom = U...U 1 0...0
2453 atom-1 = U...U 0 1...1
2454 ^ed = 0...0 1 11111, which correctly describes which bits of |atom|
2455 actually influence the result
2456 A boundary case
2457 atom = 0...0
2458 atom-1 = 1...1
2459 ^ed = 11111, also a correct mask for the input: all input bits
2460 are relevant
2461 Another boundary case
2462 atom = 1..1 1
2463 atom-1 = 1..1 0
2464 ^ed = 0..0 1, also a correct mask: only the rightmost input bit
2465 is relevant
2466 Now with misc U bits interspersed:
2467 atom = U...U 1 0 U...U 0 1 0...0
2468 atom-1 = U...U 1 0 U...U 0 0 1...1
2469 ^ed = 0...0 0 0 0...0 0 1 1...1, also correct
2470 (Per re-check/analysis of 14 Nov 2018)
2471 */
2474 atom,
2478 // improved = vatom & improver
2479 //
2480 // That is, treat any V bits to the left of the rightmost ctz(atom)+1
2481 // bits as "defined".
2485 // Return pessimizing cast of improved.
2487 }
2489 static
2492 {
2493 IRType ty;
2519 }
2521 // This is in principle very similar to how expensiveCountTrailingZeroes
2522 // works. That function computed an "improver", which it used to mask
2523 // off all but the rightmost 1-bit and the zeroes to the right of it,
2524 // hence removing irrelevant bits from the input. Here, we play the
2525 // exact same game but with the left-vs-right roles interchanged.
2526 // Unfortunately calculation of the improver in this case is
2527 // significantly more expensive.
2528 //
2529 // improver = ~(RIGHT(atom) >>u 1)
2530 //
2531 // That is, improver has its upper clz(atom)+1 bits equal to one;
2532 // lower bits (if any) equal to zero. So it's exactly the right
2533 // mask to use to remove the irrelevant undefined input bits.
2534 /* Here are some examples:
2535 atom = 0...0 1 U...U
2536 R(atom) = 0...0 1 1...1
2537 R(atom) >>u 1 = 0...0 0 1...1
2538 ~(R(atom) >>u 1) = 1...1 1 0...0
2539 which correctly describes which bits of |atom|
2540 actually influence the result
2541 A boundary case
2542 atom = 0...0
2543 R(atom) = 0...0
2544 R(atom) >>u 1 = 0...0
2545 ~(R(atom) >>u 1) = 1...1
2546 also a correct mask for the input: all input bits
2547 are relevant
2548 Another boundary case
2549 atom = 1 1..1
2550 R(atom) = 1 1..1
2551 R(atom) >>u 1 = 0 1..1
2552 ~(R(atom) >>u 1) = 1 0..0
2553 also a correct mask: only the leftmost input bit
2554 is relevant
2555 Now with misc U bits interspersed:
2556 atom = 0...0 1 U...U 0 1 U...U
2557 R(atom) = 0...0 1 1...1 1 1 1...1
2558 R(atom) >>u 1 = 0...0 0 1...1 1 1 1...1
2559 ~(R(atom) >>u 1) = 1...1 1 0...0 0 0 0...0, also correct
2560 (Per initial implementation of 15 Nov 2018)
2561 */
2566 // improved = vatom & improver
2567 //
2568 // That is, treat any V bits to the right of the leftmost clz(atom)+1
2569 // bits as "defined".
2573 // Return pessimizing cast of improved.
2575 }
2578 /*------------------------------------------------------------*/
2579 /*--- Scalar shifts. ---*/
2580 /*------------------------------------------------------------*/
2582 /* Produce an interpretation for (aa << bb) (or >>s, >>u). The basic
2583 idea is to shift the definedness bits by the original shift amount.
2584 This introduces 0s ("defined") in new positions for left shifts and
2585 unsigned right shifts, and copies the top definedness bit for
2586 signed right shifts. So, conveniently, applying the original shift
2587 operator to the definedness bits for the left arg is exactly the
2588 right thing to do:
2590 (qaa << bb)
2592 However if the shift amount is undefined then the whole result
2593 is undefined. Hence need:
2595 (qaa << bb) `UifU` PCast(qbb)
2597 If the shift amount bb is a literal than qbb will say 'all defined'
2598 and the UifU and PCast will get folded out by post-instrumentation
2599 optimisation.
2600 */
2602 IRType ty,
2603 IROp original_op,
2606 {
2613 return
2619 )
2620 );
2621 }
2624 /*------------------------------------------------------------*/
2625 /*--- Helpers for dealing with vector primops. ---*/
2626 /*------------------------------------------------------------*/
2628 /* Vector pessimisation -- pessimise within each lane individually. */
2631 {
2633 }
2636 {
2638 }
2641 {
2643 }
2646 {
2648 }
2651 {
2653 }
2656 {
2658 }
2661 {
2663 }
2666 {
2668 }
2671 {
2673 }
2676 {
2678 }
2681 {
2683 }
2686 {
2688 }
2691 {
2693 }
2696 {
2698 }
2701 /* Here's a simple scheme capable of handling ops derived from SSE1
2702 code and while only generating ops that can be efficiently
2703 implemented in SSE1. */
2705 /* All-lanes versions are straightforward:
2707 binary32Fx4(x,y) ==> PCast32x4(UifUV128(x#,y#))
2709 unary32Fx4(x,y) ==> PCast32x4(x#)
2711 Lowest-lane-only versions are more complex:
2713 binary32F0x4(x,y) ==> SetV128lo32(
2714 x#,
2715 PCast32(V128to32(UifUV128(x#,y#)))
2716 )
2718 This is perhaps not so obvious. In particular, it's faster to
2719 do a V128-bit UifU and then take the bottom 32 bits than the more
2720 obvious scheme of taking the bottom 32 bits of each operand
2721 and doing a 32-bit UifU. Basically since UifU is fast and
2722 chopping lanes off vector values is slow.
2724 Finally:
2726 unary32F0x4(x) ==> SetV128lo32(
2727 x#,
2728 PCast32(V128to32(x#))
2729 )
2731 Where:
2733 PCast32(v#) = 1Sto32(CmpNE32(v#,0))
2734 PCast32x4(v#) = CmpNEZ32x4(v#)
2735 */
2737 static
2739 {
2746 }
2748 static
2750 {
2755 }
2757 static
2759 {
2768 }
2770 static
2772 {
2779 }
2781 /* --- ... and ... 64Fx2 versions of the same ... --- */
2783 static
2785 {
2792 }
2794 static
2796 {
2801 }
2803 static
2805 {
2814 }
2816 static
2818 {
2825 }
2827 /* --- --- ... and ... 16Fx8 versions of the same --- --- */
2829 static
2831 {
2838 }
2840 static
2842 {
2847 }
2849 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision IR is
2850 implemented.
2851 */
2853 /* --- --- ... and ... 32Fx2 versions of the same --- --- */
2855 static
2857 {
2864 }
2866 static
2868 {
2873 }
2875 /* --- ... and ... 64Fx4 versions of the same ... --- */
2877 static
2879 {
2886 }
2888 static
2890 {
2895 }
2897 /* --- ... and ... 32Fx8 versions of the same ... --- */
2899 static
2901 {
2908 }
2910 static
2912 {
2917 }
2919 /* --- 64Fx2 binary FP ops, with rounding mode --- */
2921 static
2924 {
2925 /* This is the same as binary64Fx2, except that we subsequently
2926 pessimise vRM (definedness of the rounding mode), widen to 128
2927 bits and UifU it into the result. As with the scalar cases, if
2928 the RM is a constant then it is defined and so this extra bit
2929 will get constant-folded out later. */
2930 // "do" the vector args
2932 // PCast the RM, and widen it to 128 bits
2934 // Roll it into the result
2937 }
2939 /* --- ... and ... 32Fx4 versions of the same --- */
2941 static
2944 {
2946 // PCast the RM, and widen it to 128 bits
2948 // Roll it into the result
2951 }
2953 /* --- ... and ... 64Fx4 versions of the same --- */
2955 static
2958 {
2960 // PCast the RM, and widen it to 256 bits
2962 // Roll it into the result
2965 }
2967 /* --- ... and ... 16Fx8 versions of the same --- */
2969 static
2972 {
2974 // PCast the RM, and widen it to 128 bits
2976 // Roll it into the result
2979 }
2981 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision IR is
2982 implemented.
2983 */
2985 /* --- ... and ... 32Fx8 versions of the same --- */
2987 static
2990 {
2992 // PCast the RM, and widen it to 256 bits
2994 // Roll it into the result
2997 }
2999 /* --- 64Fx2 unary FP ops, with rounding mode --- */
3001 static
3003 {
3004 /* Same scheme as binary64Fx2_w_rm. */
3005 // "do" the vector arg
3007 // PCast the RM, and widen it to 128 bits
3009 // Roll it into the result
3012 }
3014 /* --- ... and ... 32Fx4 versions of the same --- */
3016 static
3018 {
3019 /* Same scheme as binaryFx4_w_rm. */
3021 // PCast the RM, and widen it to 128 bits
3023 // Roll it into the result
3026 }
3028 /* --- ... and ... 16Fx8 versions of the same --- */
3030 static
3032 {
3033 /* Same scheme as binaryFx4_w_rm. */
3035 // PCast the RM, and widen it to 128 bits
3037 // Roll it into the result
3040 }
3042 /* --- ... and ... 32Fx8 versions of the same --- */
3044 static
3046 {
3047 /* Same scheme as unary32Fx8_w_rm. */
3049 // PCast the RM, and widen it to 256 bits
3051 // Roll it into the result
3054 }
3057 /* --- --- Vector saturated narrowing --- --- */
3059 /* We used to do something very clever here, but on closer inspection
3060 (2011-Jun-15), and in particular bug #279698, it turns out to be
3061 wrong. Part of the problem came from the fact that for a long
3062 time, the IR primops to do with saturated narrowing were
3063 underspecified and managed to confuse multiple cases which needed
3064 to be separate: the op names had a signedness qualifier, but in
3065 fact the source and destination signednesses needed to be specified
3066 independently, so the op names really need two independent
3067 signedness specifiers.
3069 As of 2011-Jun-15 (ish) the underspecification was sorted out
3070 properly. The incorrect instrumentation remained, though. That
3071 has now (2011-Oct-22) been fixed.
3073 What we now do is simple:
3075 Let the original narrowing op be QNarrowBinXtoYxZ, where Z is a
3076 number of lanes, X is the source lane width and signedness, and Y
3077 is the destination lane width and signedness. In all cases the
3078 destination lane width is half the source lane width, so the names
3079 have a bit of redundancy, but are at least easy to read.
3081 For example, Iop_QNarrowBin32Sto16Ux8 narrows 8 lanes of signed 32s
3082 to unsigned 16s.
3084 Let Vanilla(OP) be a function that takes OP, one of these
3085 saturating narrowing ops, and produces the same "shaped" narrowing
3086 op which is not saturating, but merely dumps the most significant
3087 bits. "same shape" means that the lane numbers and widths are the
3088 same as with OP.
3090 For example, Vanilla(Iop_QNarrowBin32Sto16Ux8)
3091 = Iop_NarrowBin32to16x8,
3092 that is, narrow 8 lanes of 32 bits to 8 lanes of 16 bits, by
3093 dumping the top half of each lane.
3095 So, with that in place, the scheme is simple, and it is simple to
3096 pessimise each lane individually and then apply Vanilla(OP) so as
3097 to get the result in the right "shape". If the original OP is
3098 QNarrowBinXtoYxZ then we produce
3100 Vanilla(OP)( PCast-X-to-X-x-Z(vatom1), PCast-X-to-X-x-Z(vatom2) )
3102 or for the case when OP is unary (Iop_QNarrowUn*)
3104 Vanilla(OP)( PCast-X-to-X-x-Z(vatom) )
3105 */
3106 static
3108 {
3110 /* Binary: (128, 128) -> 128 */
3121 /* Binary: (64, 64) -> 64 */
3127 /* Unary: 128 -> 64 */
3144 }
3145 }
3147 static
3150 {
3163 }
3171 }
3173 static
3176 {
3184 }
3192 }
3194 static
3197 {
3201 /* For vanilla narrowing (non-saturating), we can just apply
3202 the op directly to the V bits. */
3212 }
3213 /* Plan B: for ops that involve a saturation operation on the args,
3214 we must PCast before the vanilla narrow. */
3226 }
3231 }
3233 static
3236 {
3248 }
3253 }
3256 /* --- --- Vector integer arithmetic --- --- */
3258 /* Simple ... UifU the args and per-lane pessimise the results. */
3260 /* --- V256-bit versions --- */
3262 static
3264 {
3269 }
3271 static
3273 {
3278 }
3280 static
3282 {
3287 }
3289 static
3291 {
3296 }
3298 /* --- V128-bit versions --- */
3300 static
3302 {
3307 }
3309 static
3311 {
3316 }
3318 static
3320 {
3325 }
3327 static
3329 {
3334 }
3336 static
3338 {
3343 }
3345 /* --- 64-bit versions --- */
3347 static
3349 {
3354 }
3356 static
3358 {
3363 }
3365 static
3367 {
3372 }
3374 static
3376 {
3381 }
3383 /* --- 32-bit versions --- */
3385 static
3387 {
3392 }
3394 static
3396 {
3401 }
3404 /*------------------------------------------------------------*/
3405 /*--- Generate shadow values from all kinds of IRExprs. ---*/
3406 /*------------------------------------------------------------*/
3408 static
3410 IROp op,
3413 {
3436 /* I32(rm) x F64 x F64 x F64 -> F64 */
3441 /* I32(rm) x F32 x F32 x F32 -> F32 */
3448 /* I32(rm) x F128 x F128 x F128 -> F128 */
3451 /* V256-bit data-steering */
3456 /* I32/I64 x I8 x I8 x I8 -> I32/I64 */
3464 }
3465 }
3468 static
3470 IROp op,
3472 {
3496 /* I32(rm) x F128/D128 x F128/D128 -> F128/D128 */
3517 /* I32(rm) x F64/D64 x F64/D64 -> F64/D64 */
3521 /* I32(rm) x F64 x F64 -> I32 */
3527 /* I32(rm) x F32 x F32 -> I32 */
3531 /* I32(rm) x F16 x F16 -> I16 */
3534 /* IRRoundingMode(I32) x I8 x D64 -> D64 */
3537 /* IRRoundingMode(I32) x I8 x D128 -> D128 */
3540 /* (V128, V128, I8) -> V128 */
3544 /* (I64, I64, I8) -> I64 */
3560 /* Int 128-bit Integer three arg */
3563 /* (V128, V128, V128) -> V128 */
3566 mce,
3569 );
3571 /* Vector FP with rounding mode as the first arg */
3592 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision
3593 IR is implemented.
3594 */
3619 }
3620 }
3623 static
3625 IROp op,
3628 {
3645 /* 32-bit SIMD */
3671 /* 64-bit SIMD */
3682 /* Same scheme as with all other shifts. */
3843 );
3852 );
3861 );
3863 /* 64-bit data-steering */
3890 /* Perm8x8: rearrange values in left arg using steering values from
3891 right arg. So rearrange the vbits in the same way but pessimise wrt
3892 steering values. We assume that unused bits in the steering value
3893 are defined zeros, so we can safely PCast within each lane of the the
3894 steering value without having to take precautions to avoid a
3895 dependency on those unused bits.
3897 This is also correct for PermOrZero8x8, but it is a bit subtle. For
3898 each lane, if bit 7 of the steering value is zero, then we'll steer
3899 the shadow value exactly as per Perm8x8. If that bit is one, then
3900 the operation will set the resulting (concrete) value to zero. That
3901 means it is defined, and should have a shadow value of zero. Hence
3902 in both cases (bit 7 is 0 or 1) we can self-shadow (in the same way
3903 as Perm8x8) and then pessimise against the steering values. */
3907 mce,
3910 );
3912 /* V128-bit SIMD */
3935 /* Same scheme as with all other shifts. Note: 22 Oct 05:
3936 this is wrong now, scalar shifts are done properly lazily.
3937 Vector shifts should be fixed too. */
3941 /* V x V shifts/rotates are done using the standard lazy scheme. */
3942 /* For the non-rounding variants of bi-di vector x vector
3943 shifts (the Iop_Sh.. ops, that is) we use the lazy scheme.
3944 But note that this is overly pessimistic, because in fact only
3945 the bottom 8 bits of each lane of the second argument are taken
3946 into account when shifting. So really we ought to ignore
3947 undefinedness in bits 8 and above of each lane in the
3948 second argument. */
3959 );
3971 );
3983 );
3995 );
3997 /* For the rounding variants of bi-di vector x vector shifts, the
3998 rounding adjustment can cause undefinedness to propagate through
3999 the entire lane, in the worst case. Too complex to handle
4000 properly .. just UifU the arguments and then PCast them.
4001 Suboptimal but safe. */
4076 /* PwExtUSMulQAdd8x16 is a bit subtle. The effect of it is that each
4077 16-bit chunk of the output is formed from corresponding 16-bit chunks
4078 of the input args, so we can treat it like an other binary 16x8
4079 operation. That's despite it having '8x16' in its name. */
4155 /* I128 x I128 -> I128 */
4255 /* Q-and-Qshift-by-imm-and-narrow of the form (V128, I8) -> V128.
4256 To make this simpler, do the following:
4257 * complain if the shift amount (the I8) is undefined
4258 * pcast each lane at the wide width
4259 * truncate each lane to half width
4260 * pcast the resulting 64-bit value to a single bit and use
4261 that as the least significant bit of the upper half of the
4262 result. */
4281 {
4314 }
4316 // Pessimised shift result
4317 IRAtom* shV
4319 // Narrowed, pessimised shift result
4320 IRAtom* shVnarrowed
4322 // Generates: Def--(63)--Def PCast-to-I1(narrowed)
4324 // and assemble the result
4327 }
4362 /* V128-bit data-steering */
4407 /* Perm8x16: rearrange values in left arg using steering values
4408 from right arg. So rearrange the vbits in the same way but
4409 pessimise wrt steering values. Perm32x4 ditto. */
4410 /* PermOrZero8x16: see comments above for PermOrZero8x8. */
4414 mce,
4417 );
4420 mce,
4423 );
4425 /* These two take the lower half of each 16-bit lane, sign/zero
4426 extend it to 32, and multiply together, producing a 32x4
4427 result (and implicitly ignoring half the operand bits). So
4428 treat it as a bunch of independent 16x8 operations, but then
4429 do 32-bit shifts left-right to copy the lower half results
4430 (which are all 0s or all 1s due to PCasting in binary16Ix8)
4431 into the upper half of each result lane. */
4439 }
4441 /* Same deal as Iop_MullEven16{S,U}x8 */
4449 }
4451 /* Same deal as Iop_MullEven16{S,U}x8 */
4459 }
4461 /* narrow 2xV128 into 1xV128, hi half from left arg, in a 2 x
4462 32x4 -> 16x8 laneage, discarding the upper half of each lane.
4463 Simply apply same op to the V bits, since this really no more
4464 than a data steering operation. */
4475 /* Same scheme as with all other shifts. Note: 10 Nov 05:
4476 this is wrong now, scalar shifts are done properly lazily.
4477 Vector shifts should be fixed too. */
4489 /* SHA Iops */
4495 /* I128-bit data-steering */
4499 /* V256-bit SIMD */
4509 /* V256-bit data-steering */
4513 /* Scalar floating point */
4517 /* I32(rm) x F32 -> I64 */
4521 /* I32(rm) x I64 -> F32 */
4536 /* I32(rm) x I64/F64 -> I64/F64 */
4542 /* I32(rm) x D64 -> D64 */
4548 /* I32(rm) x D128 -> D128 */
4552 /* I32(rm) x F128 -> F128 */
4559 /* I32(rm) x I64/D64 -> D64/I64 */
4568 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D32/F32 */
4577 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D64/F64 */
4587 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D128/F128 */
4591 /* I32(rm) x F16 -> F16 */
4597 /* I32(rm) x I32/F32 -> I32/F32 */
4601 /* I32(rm) x F128 -> F128 */
4608 /* First arg is I32 (rounding mode), second is F32/I32 (data). */
4613 /* First arg is I32 (rounding mode), second is F64/F32 (data). */
4647 /* First arg is I32 (rounding mode), second is F64/D64 (data). */
4651 /* First arg is I32 (rounding mode), second is D64 (data). */
4655 /* First arg is I32 (rounding mode), second is F64 (data). */
4659 /* I64 x I64 -> D64 */
4663 /* I64 x I128 -> D128 */
4678 /* F32 x F32 -> F32 */
4683 /* F64 x F64 -> F64 */
4686 /* non-FP after here */
4708 }
4716 }
4723 }
4731 }
4739 }
4746 }
4770 }
4778 }
4780 cheap_AddSub32:
4797 }
4805 }
4807 cheap_AddSub64:
4821 ////---- CmpXX64
4825 else
4828 expensive_cmp64:
4832 cheap_cmp64:
4837 ////---- CmpXX32
4841 else
4844 expensive_cmp32:
4848 cheap_cmp32:
4853 ////---- CmpXX16
4857 else
4860 expensive_cmp16:
4864 cheap_cmp16:
4867 ////---- CmpXX8
4871 else
4874 expensive_cmp8:
4877 cheap_cmp8:
4880 ////---- end CmpXX{64,32,16,8}
4886 /* Just say these all produce a defined result, regardless
4887 of their arguments. See COMMENT_ON_CasCmpEQ in this file. */
4946 do_And_Or:
4965 /* V256-bit SIMD */
4975 /* Same scheme as with all other shifts. Note: 22 Oct 05:
4976 this is wrong now, scalar shifts are done properly lazily.
4977 Vector shifts should be fixed too. */
5035 /* Perm32x8: rearrange values in left arg using steering values
5036 from right arg. So rearrange the vbits in the same way but
5037 pessimise wrt steering values. */
5040 mce,
5043 );
5045 /* Q-and-Qshift-by-vector of the form (V128, V128) -> V256.
5046 Handle the shifted results in the same way that other
5047 binary Q ops are handled, eg QSub: UifU the two args,
5048 then pessimise -- which is binaryNIxM. But for the upper
5049 V128, we require to generate just 1 bit which is the
5050 pessimised shift result, with 127 defined zeroes above it.
5052 Note that this overly pessimistic in that in fact only the
5053 bottom 8 bits of each lane of the second arg determine the shift
5054 amount. Really we ought to ignore any undefinedness in the
5055 rest of the lanes of the second arg. */
5064 {
5065 // The function to generate the pessimised shift result
5094 }
5096 // Pessimised shift result, shV[127:0]
5098 // Generates: Def--(127)--Def PCast-to-I1(shV)
5100 // and assemble the result
5103 }
5106 // First, PCast the input vector, retaining the 32x4 format.
5108 // Now truncate each 32 bit lane to 16 bits. Since we already PCasted
5109 // the input, we're not going to lose any information.
5110 IRAtom* pcHI64
5112 IRAtom* pcLO64
5114 IRAtom* narrowed
5117 // Finally, roll in any badness from the rounding mode.
5120 }
5123 // Same scheme as for Iop_F32toF16x4.
5125 IRAtom* pcHI128
5128 IRAtom* pcLO128
5131 IRAtom* narrowed
5134 // Finally, roll in any badness from the rounding mode.
5137 }
5142 }
5143 }
5146 static
5148 {
5149 /* For the widening operations {8,16,32}{U,S}to{16,32,64}, the
5150 selection of shadow operation implicitly duplicates the logic in
5151 do_shadow_LoadG and should be kept in sync (in the very unlikely
5152 event that the interpretation of such widening ops changes in
5153 future). See comment in do_shadow_LoadG. */
5211 // These are self-shadowing.
5255 // FIXME JRS 2018-Nov-15. This is surely not correct!
5327 // PopCount32: this is slightly pessimistic. It is true that the
5328 // result depends on all input bits, so that aspect of the PCast is
5329 // correct. However, regardless of the input, only the lowest 5 bits
5330 // out of the output can ever be undefined. So we could actually
5331 // "improve" the results here by marking the top 27 bits of output as
5332 // defined. A similar comment applies for PopCount64.
5338 // These are self-shadowing.
5364 // These are self-shadowing.
5377 // These are self-shadowing.
5387 // These are self-shadowing.
5410 // FIXME JRS 2018-Nov-15. This is surely not correct!
5476 // This is self-shadowing.
5494 // JRS FIXME 2019 Mar 17: per comments on F16toF32x4, this is probably not
5495 // right.
5508 // JRS 2019 Mar 17: this definitely isn't right, but it probably works
5509 // OK by accident if -- as seems likely -- the F16 to F32 conversion
5510 // preserves will generate an output 32 bits with at least one 1 bit
5511 // set if there's one or more 1 bits set in the input 16 bits. More
5512 // correct code for this is just below, but commented out, so as to
5513 // avoid short-term backend failures on targets that can't do
5514 // Iop_Interleave{LO,HI}16x4.
5518 // PCast the input at 16x8. This makes each lane hold either all
5519 // zeroes or all ones.
5521 // Now double the width of each lane to 32 bits. Because the lanes are
5522 // all zeroes or all ones, we can just copy the each lane twice into
5523 // the result. Here's the low half:
5527 // And the high half:
5531 // Glue them back together:
5534 }
5536 // See comment just above, for Iop_F16toF32x4
5537 //case Iop_F16toF32x4: {
5538 // // Same scheme as F16toF32x4
5539 // IRAtom* pcasted = mkPCast16x4(mce, vatom); // :: I16x4
5540 // IRAtom* widenedLO // :: I32x2
5541 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveLO16x4,
5542 // pcasted, pcasted));
5543 // IRAtom* widenedHI // :: I32x4
5544 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveHI16x4,
5545 // pcasted, pcasted));
5546 // // Glue them back together:
5547 // return assignNew('V', mce, Ity_V128, binop(Iop_64HLtoV128,
5548 // widenedHI, widenedLO));
5549 //}
5589 }
5590 }
5593 /* Worker function -- do not call directly. See comments on
5594 expr2vbits_Load for the meaning of |guard|.
5596 Generates IR to (1) perform a definedness test of |addr|, (2)
5597 perform a validity test of |addr|, and (3) return the Vbits for the
5598 location indicated by |addr|. All of this only happens when
5599 |guard| is NULL or |guard| evaluates to True at run time.
5601 If |guard| evaluates to False at run time, the returned value is
5602 the IR-mandated 0x55..55 value, and no checks nor shadow loads are
5603 performed.
5605 The definedness of |guard| itself is not checked. That is assumed
5606 to have been done before this point, by the caller. */
5607 static
5611 {
5615 /* First, emit a definedness test for the address. This also sets
5616 the address (shadow) to 'defined' following the test. */
5619 /* Now cook up a call to the relevant helper function, to read the data V
5620 bits from shadow memory. Note that I128 loads are done by pretending
5621 we're doing a V128 load, and then converting the resulting V128 vbits
5622 word to an I128, right at the end of this function -- see `castedToI128`
5623 below. (It's only a minor hack :-) This pertains to bug 444399. */
5655 }
5680 }
5681 }
5686 /* Generate the actual address into addrAct. */
5691 IROp mkAdd;
5698 }
5700 /* We need to have a place to park the V bits we're just about to
5701 read. */
5704 /* Here's the call. */
5716 }
5721 /* Ideally the didn't-happen return value here would be all-ones
5722 (all-undefined), so it'd be obvious if it got used
5723 inadvertently. We can get by with the IR-mandated default
5724 value (0b01 repeating, 0x55 etc) as that'll still look pretty
5725 undefined if it ever leaks out. */
5726 }
5730 IRAtom* castedToI128
5736 }
5737 }
5740 /* Generate IR to do a shadow load. The helper is expected to check
5741 the validity of the address and return the V bits for that address.
5742 This can optionally be controlled by a guard, which is assumed to
5743 be True if NULL. In the case where the guard is False at runtime,
5744 the helper will return the didn't-do-the-call value of 0x55..55.
5745 Since that means "completely undefined result", the caller of
5746 this function will need to fix up the result somehow in that
5747 case.
5749 Caller of this function is also expected to have checked the
5750 definedness of |guard| before this point.
5751 */
5752 static
5757 {
5770 }
5771 }
5774 /* The most general handler for guarded loads. Assumes the
5775 definedness of GUARD has already been checked by the caller. A
5776 GUARD of NULL is assumed to mean "always True". Generates code to
5777 check the definedness and validity of ADDR.
5779 Generate IR to do a shadow load from ADDR and return the V bits.
5780 The loaded type is TY. The loaded data is then (shadow) widened by
5781 using VWIDEN, which can be Iop_INVALID to denote a no-op. If GUARD
5782 evaluates to False at run time then the returned Vbits are simply
5783 VALT instead. Note therefore that the argument type of VWIDEN must
5784 be TY and the result type of VWIDEN must equal the type of VALT.
5785 */
5786 static
5792 {
5793 /* Sanity check the conversion operation, and also set TYWIDE. */
5804 }
5806 /* If the guard evaluates to True, this will hold the loaded V bits
5807 at TY. If the guard evaluates to False, this will be all
5808 ones, meaning "all undefined", in which case we will have to
5809 replace it using an ITE below. */
5810 IRAtom* iftrue1
5813 /* Now (shadow-) widen the loaded V bits to the desired width. In
5814 the guard-is-False case, the allowable widening operators will
5815 in the worst case (unsigned widening) at least leave the
5816 pre-widened part as being marked all-undefined, and in the best
5817 case (signed widening) mark the whole widened result as
5818 undefined. Anyway, it doesn't matter really, since in this case
5819 we will replace said value with the default value |valt| using an
5820 ITE. */
5821 IRAtom* iftrue2
5823 ? iftrue1
5825 /* These are the V bits we will return if the load doesn't take
5826 place. */
5827 IRAtom* iffalse
5829 /* Prepare the cond for the ITE. Convert a NULL cond into
5830 something that iropt knows how to fold out later. */
5831 IRAtom* cond
5833 /* And assemble the final result. */
5835 }
5838 /* A simpler handler for guarded loads, in which there is no
5839 conversion operation, and the default V bit return (when the guard
5840 evaluates to False at runtime) is "all defined". If there is no
5841 guard expression or the guard is always TRUE this function behaves
5842 like expr2vbits_Load. It is assumed that definedness of GUARD has
5843 already been checked at the call site. */
5844 static
5849 {
5852 );
5853 }
5856 static
5859 {
5861 IRType ty;
5862 /* Given ITE(cond, iftrue, iffalse), generate
5863 ITE(cond, iftrue#, iffalse#) `UifU` PCast(cond#)
5864 That is, steer the V bits like the originals, but trash the
5865 result if the steering value is undefined. This gives
5866 lazy propagation. */
5876 return
5880 }
5882 /* --------- This is the main expression-handling function. --------- */
5884 static
5887 {
5905 mce,
5909 );
5913 mce,
5917 );
5921 mce,
5924 hu
5925 );
5950 }
5951 }
5954 /*------------------------------------------------------------*/
5955 /*--- Generate shadow stmts from all kinds of IRStmts. ---*/
5956 /*------------------------------------------------------------*/
5958 /* Widen a value to the host word size. */
5960 static
5962 {
5965 /* vatom is vbits-value and as such can only have a shadow type. */
5981 }
5995 }
5998 }
5999 unhandled:
6002 }
6005 /* Generate a shadow store. |addr| is always the original address
6006 atom. You can pass in either originals or V-bits for the data
6007 atom, but obviously not both. This function generates a check for
6008 the definedness and (indirectly) the validity of |addr|, but only
6009 when |guard| evaluates to True at run time (or is NULL).
6011 |guard| :: Ity_I1 controls whether the store really happens; NULL
6012 means it unconditionally does. Note that |guard| itself is not
6013 checked for definedness; the caller of this function must do that
6014 if necessary.
6015 */
6016 static
6018 IREndness end,
6022 {
6023 IROp mkAdd;
6041 }
6049 }
6053 // If we're not doing undefined value checking, pretend that this value
6054 // is "all valid". That lets Vex's optimiser remove some of the V bit
6055 // shadow computation ops that precede it.
6068 }
6070 }
6072 /* First, emit a definedness test for the address. This also sets
6073 the address (shadow) to 'defined' following the test. Both of
6074 those actions are gated on |guard|. */
6077 /* Now decide which helper function to call to write the data V
6078 bits into shadow memory. */
6097 }
6113 /* Note, no V256 case here, because no big-endian target that
6114 we support, has 256 vectors. */
6116 }
6117 }
6121 /* V256-bit case -- phrased in terms of 64 bit units (Qs), with
6122 Q3 being the most significant lane. */
6123 /* These are the offsets of the Qs in memory. */
6126 /* Various bits for constructing the 4 lane helper calls */
6136 }
6145 );
6154 );
6163 );
6172 );
6186 }
6189 /* V128/I128-bit case */
6190 /* See comment in next clause re 64-bit regparms */
6191 /* also, need to be careful about endianness */
6206 }
6214 }
6223 );
6231 );
6244 /* 8/16/32/64-bit cases */
6245 /* Generate the actual address into addrAct. */
6251 }
6254 /* We can't do this with regparm 2 on 32-bit platforms, since
6255 the back ends aren't clever enough to handle 64-bit
6256 regparm args. Therefore be different. */
6261 );
6268 );
6269 }
6273 }
6275 }
6278 /* Do lazy pessimistic propagation through a dirty helper call, by
6279 looking at the annotations on it. This is the most complex part of
6280 Memcheck. */
6283 {
6290 }
6291 }
6293 static
6295 {
6299 IRTemp dst;
6300 IREndness end;
6302 /* What's the native endianness? We need to know this. */
6303 # if defined(VG_BIGENDIAN)
6305 # elif defined(VG_LITTLEENDIAN)
6307 # else
6309 # endif
6311 /* First check the guard. */
6314 /* Now round up all inputs and PCast over them. */
6317 /* Inputs: unmasked args
6318 Note: arguments are evaluated REGARDLESS of the guard expression */
6323 /* ignore this arg */
6327 }
6328 }
6330 /* Inputs: guest state that we read. */
6336 /* Enumerate the described state segments */
6341 /* Ignore any sections marked as 'always defined'. */
6347 }
6349 /* This state element is read or modified. So we need to
6350 consider it. If larger than 8 bytes, deal with it in
6351 8-byte chunks. */
6356 /* update 'curr' with UifU of the state slice
6357 gOff .. gOff+n-1 */
6360 /* Observe the guard expression. If it is false use an
6361 all-bits-defined bit pattern */
6374 }
6375 }
6376 }
6378 /* Inputs: memory. First set up some info needed regardless of
6379 whether we're doing reads or writes. */
6382 /* Because we may do multiple shadow loads/stores from the same
6383 base address, it's best to do a single test of its
6384 definedness right now. Post-instrumentation optimisation
6385 should remove all but this test. */
6386 IRType tyAddr;
6393 }
6395 /* Deal with memory inputs (reads or modifies) */
6398 /* chew off 32-bit chunks. We don't care about the endianness
6399 since it's all going to be condensed down to a single bit,
6400 but nevertheless choose an endianness which is hopefully
6401 native to the platform. */
6407 );
6410 }
6411 /* chew off 16-bit chunks */
6417 );
6420 }
6421 /* chew off the remaining 8-bit chunk, if any */
6427 );
6430 }
6432 }
6434 /* Whew! So curr is a 32-bit V-value summarising pessimistically
6435 all the inputs to the helper. Now we need to re-distribute the
6436 results to all destinations. */
6438 /* Outputs: the destination temporary, if there is one. */
6443 }
6445 /* Outputs: guest state that we write or modify. */
6451 /* Enumerate the described state segments */
6456 /* Ignore any sections marked as 'always defined'. */
6460 /* This state element is written or modified. So we need to
6461 consider it. If larger than 8 bytes, deal with it in
6462 8-byte chunks. */
6467 /* Write suitably-casted 'curr' to the state slice
6468 gOff .. gOff+n-1 */
6475 }
6476 }
6477 }
6479 /* Outputs: memory that we write or modify. Same comments about
6480 endianness as above apply. */
6483 /* chew off 32-bit chunks */
6490 }
6491 /* chew off 16-bit chunks */
6498 }
6499 /* chew off the remaining 8-bit chunk, if any */
6506 }
6508 }
6510 }
6513 /* We have an ABI hint telling us that [base .. base+len-1] is to
6514 become undefined ("writable"). Generate code to call a helper to
6515 notify the A/V bit machinery of this fact.
6517 We call
6518 void MC_(helperc_MAKE_STACK_UNINIT) ( Addr base, UWord len,
6519 Addr nia );
6520 */
6521 static
6523 {
6532 );
6534 /* We ignore the supplied nia, since it is irrelevant. */
6536 /* Special-case the len==128 case, since that is for amd64-ELF,
6537 which is a very common target. */
6544 );
6551 );
6552 }
6553 }
6556 }
6559 /* ------ Dealing with IRCAS (big and complex) ------ */
6561 /* FWDS */
6573 /* Either ORIG and SHADOW are both IRExpr.RdTmps, or they are both
6574 IRExpr.Consts, else this asserts. If they are both Consts, it
6575 doesn't do anything. So that just leaves the RdTmp case.
6577 In which case: this assigns the shadow value SHADOW to the IR
6578 shadow temporary associated with ORIG. That is, ORIG, being an
6579 original temporary, will have a shadow temporary associated with
6580 it. However, in the case envisaged here, there will so far have
6581 been no IR emitted to actually write a shadow value into that
6582 temporary. What this routine does is to (emit IR to) copy the
6583 value in SHADOW into said temporary, so that after this call,
6584 IRExpr.RdTmps of ORIG's shadow temp will correctly pick up the
6585 value in SHADOW.
6587 Point is to allow callers to compute "by hand" a shadow value for
6588 ORIG, and force it to be associated with ORIG.
6590 How do we know that that shadow associated with ORIG has not so far
6591 been assigned to? Well, we don't per se know that, but supposing
6592 it had. Then this routine would create a second assignment to it,
6593 and later the IR sanity checker would barf. But that never
6594 happens. QED.
6595 */
6599 {
6610 shadow);
6614 shadow);
6615 }
6619 }
6620 }
6623 static
6625 {
6626 /* Scheme is (both single- and double- cases):
6628 1. fetch data#,dataB (the proposed new value)
6630 2. fetch expd#,expdB (what we expect to see at the address)
6632 3. check definedness of address
6634 4. load old#,oldB from shadow memory; this also checks
6635 addressibility of the address
6637 5. the CAS itself
6639 6. compute "expected == old". See COMMENT_ON_CasCmpEQ below.
6641 7. if "expected == old" (as computed by (6))
6642 store data#,dataB to shadow memory
6644 Note that 5 reads 'old' but 4 reads 'old#'. Similarly, 5 stores
6645 'data' but 7 stores 'data#'. Hence it is possible for the
6646 shadow data to be incorrectly checked and/or updated:
6648 * 7 is at least gated correctly, since the 'expected == old'
6649 condition is derived from outputs of 5. However, the shadow
6650 write could happen too late: imagine after 5 we are
6651 descheduled, a different thread runs, writes a different
6652 (shadow) value at the address, and then we resume, hence
6653 overwriting the shadow value written by the other thread.
6655 Because the original memory access is atomic, there's no way to
6656 make both the original and shadow accesses into a single atomic
6657 thing, hence this is unavoidable.
6659 At least as Valgrind stands, I don't think it's a problem, since
6660 we're single threaded *and* we guarantee that there are no
6661 context switches during the execution of any specific superblock
6662 -- context switches can only happen at superblock boundaries.
6664 If Valgrind ever becomes MT in the future, then it might be more
6665 of a problem. A possible kludge would be to artificially
6666 associate with the location, a lock, which we must acquire and
6667 release around the transaction as a whole. Hmm, that probably
6668 would't work properly since it only guards us against other
6669 threads doing CASs on the same location, not against other
6670 threads doing normal reads and writes.
6672 ------------------------------------------------------------
6674 COMMENT_ON_CasCmpEQ:
6676 Note two things. Firstly, in the sequence above, we compute
6677 "expected == old", but we don't check definedness of it. Why
6678 not? Also, the x86 and amd64 front ends use
6679 Iop_CasCmp{EQ,NE}{8,16,32,64} comparisons to make the equivalent
6680 determination (expected == old ?) for themselves, and we also
6681 don't check definedness for those primops; we just say that the
6682 result is defined. Why? Details follow.
6684 x86/amd64 contains various forms of locked insns:
6685 * lock prefix before all basic arithmetic insn;
6686 eg lock xorl %reg1,(%reg2)
6687 * atomic exchange reg-mem
6688 * compare-and-swaps
6690 Rather than attempt to represent them all, which would be a
6691 royal PITA, I used a result from Maurice Herlihy
6692 (http://en.wikipedia.org/wiki/Maurice_Herlihy), in which he
6693 demonstrates that compare-and-swap is a primitive more general
6694 than the other two, and so can be used to represent all of them.
6695 So the translation scheme for (eg) lock incl (%reg) is as
6696 follows:
6698 again:
6699 old = * %reg
6700 new = old + 1
6701 atomically { if (* %reg == old) { * %reg = new } else { goto again } }
6703 The "atomically" is the CAS bit. The scheme is always the same:
6704 get old value from memory, compute new value, atomically stuff
6705 new value back in memory iff the old value has not changed (iow,
6706 no other thread modified it in the meantime). If it has changed
6707 then we've been out-raced and we have to start over.
6709 Now that's all very neat, but it has the bad side effect of
6710 introducing an explicit equality test into the translation.
6711 Consider the behaviour of said code on a memory location which
6712 is uninitialised. We will wind up doing a comparison on
6713 uninitialised data, and mc duly complains.
6715 What's difficult about this is, the common case is that the
6716 location is uncontended, and so we're usually comparing the same
6717 value (* %reg) with itself. So we shouldn't complain even if it
6718 is undefined. But mc doesn't know that.
6720 My solution is to mark the == in the IR specially, so as to tell
6721 mc that it almost certainly compares a value with itself, and we
6722 should just regard the result as always defined. Rather than
6723 add a bit to all IROps, I just cloned Iop_CmpEQ{8,16,32,64} into
6724 Iop_CasCmpEQ{8,16,32,64} so as not to disturb anything else.
6726 So there's always the question of, can this give a false
6727 negative? eg, imagine that initially, * %reg is defined; and we
6728 read that; but then in the gap between the read and the CAS, a
6729 different thread writes an undefined (and different) value at
6730 the location. Then the CAS in this thread will fail and we will
6731 go back to "again:", but without knowing that the trip back
6732 there was based on an undefined comparison. No matter; at least
6733 the other thread won the race and the location is correctly
6734 marked as undefined. What if it wrote an uninitialised version
6735 of the same value that was there originally, though?
6737 etc etc. Seems like there's a small corner case in which we
6738 might lose the fact that something's defined -- we're out-raced
6739 in between the "old = * reg" and the "atomically {", _and_ the
6740 other thread is writing in an undefined version of what's
6741 already there. Well, that seems pretty unlikely.
6743 ---
6745 If we ever need to reinstate it .. code which generates a
6746 definedness test for "expected == old" was removed at r10432 of
6747 this file.
6748 */
6753 }
6754 }
6758 {
6763 IROp opCasCmpEQ;
6764 Int elemSzB;
6765 IRType elemTy;
6768 /* single CAS */
6780 }
6782 /* 1. fetch data# (the proposed new value) */
6784 vdataLo
6788 bdataLo
6791 }
6793 /* 2. fetch expected# (what we expect to see at the address) */
6795 vexpdLo
6799 bexpdLo
6802 }
6804 /* 3. check definedness of address */
6805 /* 4. fetch old# from shadow memory; this also checks
6806 addressibility of the address */
6807 voldLo
6811 mce,
6813 NULL/*always happens*/
6814 ));
6817 boldLo
6821 }
6823 /* 5. the CAS itself */
6826 /* 6. compute "expected == old" */
6827 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6828 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6829 tree, but it's not copied from the input block. */
6830 expd_eq_old
6834 /* 7. if "expected == old"
6835 store data# to shadow memory */
6843 }
6844 }
6848 {
6859 IRType elemTy;
6862 /* double CAS */
6887 }
6889 /* 1. fetch data# (the proposed new value) */
6892 vdataHi
6894 vdataLo
6899 bdataHi
6901 bdataLo
6905 }
6907 /* 2. fetch expected# (what we expect to see at the address) */
6910 vexpdHi
6912 vexpdLo
6917 bexpdHi
6919 bexpdLo
6923 }
6925 /* 3. check definedness of address */
6926 /* 4. fetch old# from shadow memory; this also checks
6927 addressibility of the address */
6935 }
6936 voldHi
6940 mce,
6942 NULL/*always happens*/
6943 ));
6944 voldLo
6948 mce,
6950 NULL/*always happens*/
6951 ));
6955 boldHi
6959 boldLo
6965 }
6967 /* 5. the CAS itself */
6970 /* 6. compute "expected == old" */
6971 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6972 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6973 tree, but it's not copied from the input block. */
6974 /*
6975 xHi = oldHi ^ expdHi;
6976 xLo = oldLo ^ expdLo;
6977 xHL = xHi | xLo;
6978 expd_eq_old = xHL == 0;
6979 */
6986 expd_eq_old
6990 /* 7. if "expected == old"
6991 store data# to shadow memory */
7005 }
7006 }
7009 /* ------ Dealing with LL/SC (not difficult) ------ */
7012 IREndness stEnd,
7013 IRTemp stResult,
7016 {
7017 /* In short: treat a load-linked like a normal load followed by an
7018 assignment of the loaded (shadow) data to the result temporary.
7019 Treat a store-conditional like a normal store, and mark the
7020 result temporary as defined. */
7029 /* Load Linked */
7030 /* Just treat this as a normal load, followed by an assignment of
7031 the value to .result. */
7032 /* Stay sane */
7040 /* Store Conditional */
7041 /* Stay sane */
7043 stStoredata);
7048 stStoredata,
7051 /* This is a store conditional, so it writes to .result a value
7052 indicating whether or not the store succeeded. Just claim
7053 this value is always defined. In the PowerPC interpretation
7054 of store-conditional, definedness of the success indication
7055 depends on whether the address of the store matches the
7056 reservation address. But we can't tell that here (and
7057 anyway, we're not being PowerPC-specific). At least we are
7058 guaranteed that the definedness of the store address, and its
7059 addressibility, will be checked as per normal. So it seems
7060 pretty safe to just say that the success indication is always
7061 defined.
7063 In schemeS, for origin tracking, we must correspondingly set
7064 a no-origin value for the origin shadow of .result.
7065 */
7068 }
7069 }
7072 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7075 {
7077 /* do_shadow_Store will generate code to check the definedness and
7078 validity of sg->addr, in the case where sg->guard evaluates to
7079 True at run-time. */
7085 }
7088 {
7090 /* expr2vbits_Load_guarded_General will generate code to check the
7091 definedness and validity of lg->addr, in the case where
7092 lg->guard evaluates to True at run-time. */
7094 /* Look at the LoadG's built-in conversion operation, to determine
7095 the source (actual loaded data) type, and the equivalent IROp.
7096 NOTE that implicitly we are taking a widening operation to be
7097 applied to original atoms and producing one that applies to V
7098 bits. Since signed and unsigned widening are self-shadowing,
7099 this is a straight copy of the op (modulo swapping from the
7100 IRLoadGOp form to the IROp form). Note also therefore that this
7101 implicitly duplicates the logic to do with said widening ops in
7102 expr2vbits_Unop. See comment at the start of expr2vbits_Unop. */
7114 }
7116 IRAtom* vbits_alt
7118 IRAtom* vbits_final
7122 /* And finally, bind the V bits to the destination temporary. */
7124 }
7127 /*------------------------------------------------------------*/
7128 /*--- Origin tracking stuff ---*/
7129 /*------------------------------------------------------------*/
7131 /* Almost identical to findShadowTmpV. */
7133 {
7135 /* VG_(indexXA) range-checks 'orig', hence no need to check
7136 here. */
7140 IRTemp tmpB
7142 /* newTemp may cause mce->tmpMap to resize, hence previous results
7143 from VG_(indexXA) are invalid. */
7148 }
7150 }
7153 {
7155 }
7158 /* Make a guarded origin load, with no special handling in the
7159 didn't-happen case. A GUARD of NULL is assumed to mean "always
7160 True".
7162 Generate IR to do a shadow origins load from BASEADDR+OFFSET and
7163 return the otag. The loaded size is SZB. If GUARD evaluates to
7164 False at run time then the returned otag is zero.
7165 */
7169 {
7172 IRTemp bTmp;
7181 }
7206 }
7210 );
7213 /* Ideally the didn't-happen return value here would be
7214 all-zeroes (unknown-origin), so it'd be harmless if it got
7215 used inadvertently. We slum it out with the IR-mandated
7216 default value (0b01 repeating, 0x55 etc) as that'll probably
7217 trump all legitimate otags via Max32, and it's pretty
7218 obviously bogus. */
7219 }
7220 /* no need to mess with any annotations. This call accesses
7221 neither guest state nor guest memory. */
7224 /* 64-bit host */
7229 /* 32-bit host */
7231 }
7232 }
7235 /* Generate IR to do a shadow origins load from BASEADDR+OFFSET. The
7236 loaded size is SZB. The load is regarded as unconditional (always
7237 happens).
7238 */
7240 Int offset )
7241 {
7243 }
7246 /* The most general handler for guarded origin loads. A GUARD of NULL
7247 is assumed to mean "always True".
7249 Generate IR to do a shadow origin load from ADDR+BIAS and return
7250 the B bits. The loaded type is TY. If GUARD evaluates to False at
7251 run time then the returned B bits are simply BALT instead.
7252 */
7253 static
7255 IRType ty,
7258 {
7259 /* If the guard evaluates to True, this will hold the loaded
7260 origin. If the guard evaluates to False, this will be zero,
7261 meaning "unknown origin", in which case we will have to replace
7262 it using an ITE below. */
7263 IRAtom* iftrue
7267 /* These are the bits we will return if the load doesn't take
7268 place. */
7269 IRAtom* iffalse
7271 /* Prepare the cond for the ITE. Convert a NULL cond into
7272 something that iropt knows how to fold out later. */
7273 IRAtom* cond
7275 /* And assemble the final result. */
7277 }
7280 /* Generate a shadow origins store. guard :: Ity_I1 controls whether
7281 the store really happens; NULL means it unconditionally does. */
7285 {
7295 }
7300 }
7325 }
7329 );
7330 /* no need to mess with any annotations. This call accesses
7331 neither guest state nor guest memory. */
7334 }
7343 }
7351 }
7355 {
7364 IRType equivIntTy
7366 /* If this array is unshadowable for whatever reason, use the
7367 usual approximation. */
7374 /* Do a shadow indexed get of the same size, giving t1. Take
7375 the bottom 32 bits of it, giving t2. Compute into t3 the
7376 origin for the index (almost certainly zero, but there's
7377 no harm in being completely general here, since iropt will
7378 remove any useless code), and fold it in, giving a final
7379 value t4. */
7387 }
7389 Int i;
7396 /* Only take notice of this arg if the callee's
7397 mc-exclusion mask does not say it is to be excluded. */
7399 /* the arg is to be excluded from definedness checking.
7400 Do nothing. */
7404 /* calculate the arg's definedness, and pessimistically
7405 merge it in. */
7408 }
7409 }
7411 }
7413 Int dszB;
7415 /* assert that the B value for the address is already
7416 available (somewhere) */
7420 }
7426 }
7434 }
7440 }
7447 /* Just say these all produce a defined result,
7448 regardless of their arguments. See
7449 COMMENT_ON_CasCmpEQ in this file. */
7455 }
7456 }
7458 /*NOTREACHED*/
7459 }
7463 }
7472 );
7476 /* FIXME: this isn't an atom! */
7478 Ity_I32 );
7479 }
7481 }
7486 }
7487 }
7491 {
7492 // This is a hacked version of do_shadow_Dirty
7495 IRTemp dst;
7497 /* First check the guard. */
7500 /* Now round up all inputs and maxU32 over them. */
7502 /* Inputs: unmasked args
7503 Note: arguments are evaluated REGARDLESS of the guard expression */
7508 /* ignore this arg */
7512 }
7513 }
7515 /* Inputs: guest state that we read. */
7521 /* Enumerate the described state segments */
7526 /* Ignore any sections marked as 'always defined'. */
7532 }
7534 /* This state element is read or modified. So we need to
7535 consider it. If larger than 4 bytes, deal with it in
7536 4-byte chunks. */
7538 Int b_offset;
7542 /* update 'curr' with maxU32 of the state slice
7543 gOff .. gOff+n-1 */
7546 /* Observe the guard expression. If it is false use 0, i.e.
7547 nothing is known about the origin */
7555 Ity_I32));
7559 }
7562 }
7563 }
7564 }
7566 /* Inputs: memory */
7569 /* Because we may do multiple shadow loads/stores from the same
7570 base address, it's best to do a single test of its
7571 definedness right now. Post-instrumentation optimisation
7572 should remove all but this test. */
7576 }
7578 /* Deal with memory inputs (reads or modifies) */
7581 /* chew off 32-bit chunks. We don't care about the endianness
7582 since it's all going to be condensed down to a single bit,
7583 but nevertheless choose an endianness which is hopefully
7584 native to the platform. */
7590 }
7591 /* handle possible 16-bit excess */
7597 }
7598 /* chew off the remaining 8-bit chunk, if any */
7604 }
7606 }
7608 /* Whew! So curr is a 32-bit B-value which should give an origin
7609 of some use if any of the inputs to the helper are undefined.
7610 Now we need to re-distribute the results to all destinations. */
7612 /* Outputs: the destination temporary, if there is one. */
7616 }
7618 /* Outputs: guest state that we write or modify. */
7624 /* Enumerate the described state segments */
7629 /* Ignore any sections marked as 'always defined'. */
7633 /* This state element is written or modified. So we need to
7634 consider it. If larger than 4 bytes, deal with it in
7635 4-byte chunks. */
7637 Int b_offset;
7641 /* Write 'curr' to the state slice gOff .. gOff+n-1 */
7645 /* If the guard expression evaluates to false we simply Put
7646 the value that is already stored in the guest state slot */
7654 Ity_I32));
7660 curr ));
7661 }
7664 }
7665 }
7666 }
7668 /* Outputs: memory that we write or modify. Same comments about
7669 endianness as above apply. */
7672 /* chew off 32-bit chunks */
7677 }
7678 /* handle possible 16-bit excess */
7683 }
7684 /* chew off the remaining 8-bit chunk, if any */
7689 }
7691 }
7692 }
7695 /* Generate IR for origin shadowing for a general guarded store. */
7697 IREndness stEnd,
7701 {
7702 Int dszB;
7704 /* assert that the B value for the address is already available
7705 (somewhere), since the call to schemeE will want to see it.
7706 XXXX how does this actually ensure that?? */
7712 }
7715 /* Generate IR for origin shadowing for a plain store. */
7717 IREndness stEnd,
7720 {
7723 }
7726 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7729 {
7732 }
7735 {
7746 }
7747 IRAtom* ori_alt
7749 IRAtom* ori_final
7753 /* And finally, bind the origin to the destination temporary. */
7755 }
7759 {
7765 /* The value-check instrumenter handles this - by arranging
7766 to pass the address of the next instruction to
7767 MC_(helperc_MAKE_STACK_UNINIT). This is all that needs to
7768 happen for origin tracking w.r.t. AbiHints. So there is
7769 nothing to do here. */
7777 IRType equivIntTy
7779 /* If this array is unshadowable for whatever reason,
7780 generate no code. */
7785 descr_b
7788 /* Compute a value to Put - the conjoinment of the origin for
7789 the data to be Put-ted (obviously) and of the index value
7790 (not so obviously). */
7798 }
7819 /* In short: treat a load-linked like a normal load followed
7820 by an assignment of the loaded (shadow) data the result
7821 temporary. Treat a store-conditional like a normal store,
7822 and mark the result temporary as defined. */
7824 /* Load Linked */
7825 IRType resTy
7827 IRExpr* vanillaLoad
7834 /* Store conditional */
7838 /* For the rationale behind this, see comments at the
7839 place where the V-shadow for .result is constructed, in
7840 do_shadow_LLSC. In short, we regard .result as
7841 always-defined. */
7844 }
7846 }
7849 Int b_offset
7853 );
7855 /* FIXME: this isn't an atom! */
7858 }
7860 }
7877 }
7878 }
7881 /*------------------------------------------------------------*/
7882 /*--- Post-tree-build final tidying ---*/
7883 /*------------------------------------------------------------*/
7885 /* This exploits the observation that Memcheck often produces
7886 repeated conditional calls of the form
7888 Dirty G MC_(helperc_value_check0/1/4/8_fail)(UInt otag)
7890 with the same guard expression G guarding the same helper call.
7891 The second and subsequent calls are redundant. This usually
7892 results from instrumentation of guest code containing multiple
7893 memory references at different constant offsets from the same base
7894 register. After optimisation of the instrumentation, you get a
7895 test for the definedness of the base register for each memory
7896 reference, which is kinda pointless. MC_(final_tidy) therefore
7897 looks for such repeated calls and removes all but the first. */
7900 /* With some testing on perf/bz2.c, on amd64 and x86, compiled with
7901 gcc-5.3.1 -O2, it appears that 16 entries in the array are enough to
7902 get almost all the benefits of this transformation whilst causing
7903 the slide-back case to just often enough to be verifiably
7904 correct. For posterity, the numbers are:
7906 bz2-32
7908 1 4,336 (112,212 -> 1,709,473; ratio 15.2)
7909 2 4,336 (112,194 -> 1,669,895; ratio 14.9)
7910 3 4,336 (112,194 -> 1,660,713; ratio 14.8)
7911 4 4,336 (112,194 -> 1,658,555; ratio 14.8)
7912 5 4,336 (112,194 -> 1,655,447; ratio 14.8)
7913 6 4,336 (112,194 -> 1,655,101; ratio 14.8)
7914 7 4,336 (112,194 -> 1,654,858; ratio 14.7)
7915 8 4,336 (112,194 -> 1,654,810; ratio 14.7)
7916 10 4,336 (112,194 -> 1,654,621; ratio 14.7)
7917 12 4,336 (112,194 -> 1,654,678; ratio 14.7)
7918 16 4,336 (112,194 -> 1,654,494; ratio 14.7)
7919 32 4,336 (112,194 -> 1,654,602; ratio 14.7)
7920 inf 4,336 (112,194 -> 1,654,602; ratio 14.7)
7922 bz2-64
7924 1 4,113 (107,329 -> 1,822,171; ratio 17.0)
7925 2 4,113 (107,329 -> 1,806,443; ratio 16.8)
7926 3 4,113 (107,329 -> 1,803,967; ratio 16.8)
7927 4 4,113 (107,329 -> 1,802,785; ratio 16.8)
7928 5 4,113 (107,329 -> 1,802,412; ratio 16.8)
7929 6 4,113 (107,329 -> 1,802,062; ratio 16.8)
7930 7 4,113 (107,329 -> 1,801,976; ratio 16.8)
7931 8 4,113 (107,329 -> 1,801,886; ratio 16.8)
7932 10 4,113 (107,329 -> 1,801,653; ratio 16.8)
7933 12 4,113 (107,329 -> 1,801,526; ratio 16.8)
7934 16 4,113 (107,329 -> 1,801,298; ratio 16.8)
7935 32 4,113 (107,329 -> 1,800,827; ratio 16.8)
7936 inf 4,113 (107,329 -> 1,800,827; ratio 16.8)
7937 */
7939 /* Structs for recording which (helper, guard) pairs we have already
7940 seen. */
7942 #define N_TIDYING_PAIRS 16
7944 typedef
7946 Pair;
7948 typedef
7951 UInt pairsUsed;
7952 }
7953 Pairs;
7956 /* Return True if e1 and e2 definitely denote the same value (used to
7957 compare guards). Return False if unknown; False is the safe
7958 answer. Since guest registers and guest memory do not have the
7959 SSA property we must return False if any Gets or Loads appear in
7960 the expression. This implicitly assumes that e1 and e2 have the
7961 same IR type, which is always true here -- the type is Ity_I1. */
7964 {
7986 /* be lazy. Could define equality for these, but they never
7987 appear to be used. */
7992 /* be conservative - these may not give the same value each
7993 time */
7996 /* should never see this */
7997 /* fallthrough */
8003 }
8004 }
8006 /* See if 'pairs' already has an entry for (entry, guard). Return
8007 True if so. If not, add an entry. */
8009 static
8011 {
8018 }
8019 /* (guard, entry) wasn't found in the array. Add it at the end.
8020 If the array is already full, slide the entries one slot
8021 backwards. This means we will lose to ability to detect
8022 duplicates from the pair in slot zero, but that happens so
8023 rarely that it's unlikely to have much effect on overall code
8024 quality. Also, this strategy loses the check for the oldest
8025 tracked exit (memory reference, basically) and so that is (I'd
8026 guess) least likely to be re-used after this point. */
8031 }
8038 n++;
8040 }
8042 }
8045 {
8046 /* This is expensive because it happens a lot. We are checking to
8047 see whether |name| is one of the following 8 strings:
8049 MC_(helperc_value_check8_fail_no_o)
8050 MC_(helperc_value_check4_fail_no_o)
8051 MC_(helperc_value_check0_fail_no_o)
8052 MC_(helperc_value_check1_fail_no_o)
8053 MC_(helperc_value_check8_fail_w_o)
8054 MC_(helperc_value_check0_fail_w_o)
8055 MC_(helperc_value_check1_fail_w_o)
8056 MC_(helperc_value_check4_fail_w_o)
8058 To speed it up, check the common prefix just once, rather than
8059 all 8 times.
8060 */
8068 /* We still have some prefix to use */
8071 name++;
8072 prefix++;
8073 }
8075 /* Check the part after the prefix. */
8085 }
8088 {
8089 Int i;
8094 Bool alreadyPresent;
8095 Pairs pairs;
8102 /* Scan forwards through the statements. Each time a call to one
8103 of the relevant helpers is seen, check if we have made a
8104 previous call to the same helper using the same guard
8105 expression, and if so, delete the call. */
8118 /* Ok, we have a call to helperc_value_check0/1/4/8_fail with
8119 guard 'guard'. Check if we have already seen a call to this
8120 function with the same guard. If so, delete it. If not,
8121 add it to the set of calls we do know about. */
8126 }
8127 }
8133 }
8135 #undef N_TIDYING_PAIRS
8138 /*------------------------------------------------------------*/
8139 /*--- Startup assertion checking ---*/
8140 /*------------------------------------------------------------*/
8143 {
8144 /* Make a best-effort check to see that is_helperc_value_checkN_fail
8145 is working as we expect. */
8147 # define CHECK(_expected, _string) \
8148 tl_assert((_expected) == is_helperc_value_checkN_fail(_string))
8150 /* It should identify these 8, and no others, as targets. */
8160 /* Ad-hoc selection of other strings gathered via a quick test. */
8190 # undef CHECK
8191 }
8194 /*------------------------------------------------------------*/
8195 /*--- Memcheck main ---*/
8196 /*------------------------------------------------------------*/
8199 {
8219 }
8220 /* VG_(printf)("%llx\n", n); */
8221 /* Shortcuts */
8224 /* The list of bogus atoms is: */
8235 );
8236 }
8239 /* Does 'st' mention any of the literals identified/listed in
8240 isBogusAtom()? */
8242 {
8243 Int i;
8286 }
8294 }
8295 }
8313 }
8318 }
8341 unhandled:
8344 }
8345 }
8348 /* This is the pre-instrumentation analysis. It does a backwards pass over
8349 the stmts in |sb_in| to determine a HowUsed value for each tmp defined in
8350 the block.
8352 Unrelatedly, it also checks all literals in the block with |isBogusAtom|,
8353 as a positive result from that is a strong indication that we need to
8354 expensively instrument add/sub in the block. We do both analyses in one
8355 pass, even though they are independent, so as to avoid the overhead of
8356 having to traverse the whole block twice.
8358 The usage pass proceeds as follows. Let max= be the max operation in the
8359 HowUsed lattice, hence
8361 X max= Y means X = max(X, Y)
8363 then
8365 for t in original tmps . useEnv[t] = HuUnU
8367 for t used in the block's . next field
8368 useEnv[t] max= HuPCa // because jmp targets are PCast-tested
8370 for st iterating *backwards* in the block
8372 match st
8374 case "t1 = load(t2)" // case 1
8375 useEnv[t2] max= HuPCa
8377 case "t1 = add(t2, t3)" // case 2
8378 useEnv[t2] max= useEnv[t1]
8379 useEnv[t3] max= useEnv[t1]
8381 other
8382 for t in st.usedTmps // case 3
8383 useEnv[t] max= HuOth
8384 // same as useEnv[t] = HuOth
8386 The general idea is that we accumulate, in useEnv[], information about
8387 how each tmp is used. That can be updated as we work further back
8388 through the block and find more uses of it, but its HowUsed value can
8389 only ascend the lattice, not descend.
8391 Initially we mark all tmps as unused. In case (1), if a tmp is seen to
8392 be used as a memory address, then its use is at least HuPCa. The point
8393 is that for a memory address we will add instrumentation to check if any
8394 bit of the address is undefined, which means that we won't need expensive
8395 V-bit propagation through an add expression that computed the address --
8396 cheap add instrumentation will be equivalent.
8398 Note in case (1) that if we have previously seen a non-memory-address use
8399 of the tmp, then its use will already be HuOth and will be unchanged by
8400 the max= operation. And if it turns out that the source of the tmp was
8401 an add, then we'll have to expensively instrument the add, because we
8402 can't prove that, for the previous non-memory-address use of the tmp,
8403 cheap and expensive instrumentation will be equivalent.
8405 In case 2, we propagate the usage-mode of the result of an add back
8406 through to its operands. Again, we use max= so as to take account of the
8407 fact that t2 or t3 might later in the block (viz, earlier in the
8408 iteration) have been used in a way that requires expensive add
8409 instrumentation.
8411 In case 3, we deal with all other tmp uses. We assume that we'll need a
8412 result that is as accurate as possible, so we max= HuOth into its use
8413 mode. Since HuOth is the top of the lattice, that's equivalent to just
8414 setting its use to HuOth.
8416 The net result of all this is that:
8418 tmps that are used either
8419 - only as a memory address, or
8420 - only as part of a tree of adds that computes a memory address,
8421 and has no other use
8422 are marked as HuPCa, and so we can instrument their generating Add
8423 nodes cheaply, which is the whole point of this analysis
8425 tmps that are used any other way at all are marked as HuOth
8427 tmps that are unused are marked as HuUnU. We don't expect to see any
8428 since we expect that the incoming IR has had all dead assignments
8429 removed by previous optimisation passes. Nevertheless the analysis is
8430 correct even in the presence of dead tmps.
8432 A final comment on dead tmps. In case 1 and case 2, we could actually
8433 conditionalise the updates thusly:
8435 if (useEnv[t1] > HuUnU) { useEnv[t2] max= HuPCa } // case 1
8437 if (useEnv[t1] > HuUnU) { useEnv[t2] max= useEnv[t1] } // case 2
8438 if (useEnv[t1] > HuUnU) { useEnv[t3] max= useEnv[t1] } // case 2
8440 In other words, if the assigned-to tmp |t1| is never used, then there's
8441 no point in propagating any use through to its operands. That won't
8442 change the final HuPCa-vs-HuOth results, which is what we care about.
8443 Given that we expect to get dead-code-free inputs, there's no point in
8444 adding this extra refinement.
8445 */
8447 /* Helper for |preInstrumentationAnalysis|. */
8449 UInt tyenvUsed,
8451 {
8452 /* For the atom |at|, declare that for any tmp |t| in |at|, we will have
8453 seen a use of |newUse|. So, merge that info into |t|'s accumulated
8454 use info. */
8463 // The "max" operation in the lattice
8466 }
8468 // We should never get here -- it implies non-flat IR
8471 }
8472 /*NOTREACHED*/
8474 }
8480 {
8483 // We've seen no bogus literals so far.
8486 // This is calloc'd, so implicitly all entries are initialised to HuUnU.
8490 // Firstly, roll in contributions from the final dst address.
8494 // Now work backwards through the stmts.
8498 // Deal with literals.
8501 }
8503 // Deal with tmp uses.
8508 // This is the one place where we have to consider all possible
8509 // tags for |rhs|, and can't just assume it is a tmp or a const.
8512 // just propagate demand for |dst| into this tmp use.
8521 // propagate demand for |dst| through to the operands.
8527 // just say that the operands are used in some unknown way.
8532 }
8535 // All operands are used in some unknown way.
8541 }
8543 // All operands are used in some unknown way.
8550 }
8552 // The address will be checked (== PCasted).
8556 // The condition is PCasted, the then- and else-values
8557 // aren't.
8563 // The args are used in unknown ways.
8566 }
8569 // The index will be checked/PCasted (see do_shadow_GETI)
8572 }
8580 }
8582 }
8584 // The address will be checked (== PCasted). The data will be
8585 // used in some unknown way.
8590 // The guard will be checked (== PCasted)
8598 // The index will be checked/PCasted (see do_shadow_PUTI). The
8599 // data will be used in an unknown way.
8603 }
8606 // The guard will be checked (== PCasted)
8608 // The args will be used in unknown ways.
8611 }
8613 }
8616 // Address will be pcasted, everything else used as unknown
8625 }
8627 // Both exprs are used in unknown ways. TODO: can we safely
8628 // just ignore AbiHints?
8633 // We might be able to do better, and use HuPCa for the addr.
8634 // It's not immediately obvious that we can, because the address
8635 // is regarded as "used" only when the guard is true.
8641 }
8643 // Per similar comments to Ist_StoreG .. not sure whether this
8644 // is really optimal.
8650 }
8656 }
8664 }
8665 }
8668 // Return the computed use env and the bogus-atom flag.
8674 }
8683 {
8687 MCEnv mce;
8691 /* We don't currently support this case. */
8693 }
8695 /* Check we're not completely nuts */
8706 /* Set up SB */
8709 /* Set up the running environment. Both .sb and .tmpMap are
8710 modified as we go along. Note that tmps are added to both
8711 .sb->tyenv and .tmpMap together, so the valid index-set for
8712 those two arrays should always be identical. */
8720 /* BEGIN decide on expense levels for instrumentation. */
8722 /* Initially, select the cheap version of everything for which we have an
8723 option. */
8726 /* Take account of the --expensive-definedness-checks= flag. */
8728 /* We just selected 'cheap for everything', so we don't need to do
8729 anything here. mce.tmpHowUsed remains NULL. */
8730 }
8732 /* Select 'expensive for everything'. mce.tmpHowUsed remains NULL. */
8734 }
8737 /* We'll make our own selection, based on known per-target constraints
8738 and also on analysis of the block to be instrumented. First, set
8739 up default values for detail levels.
8741 On x86 and amd64, we'll routinely encounter code optimised by LLVM
8742 5 and above. Enable accurate interpretation of the following.
8743 LLVM uses adds for some bitfield inserts, and we get a lot of false
8744 errors if the cheap interpretation is used, alas. Could solve this
8745 much better if we knew which of such adds came from x86/amd64 LEA
8746 instructions, since these are the only ones really needing the
8747 expensive interpretation, but that would require some way to tag
8748 them in the _toIR.c front ends, which is a lot of faffing around.
8749 So for now we use preInstrumentationAnalysis() to detect adds which
8750 are used only to construct memory addresses, which is an
8751 approximation to the above, and is self-contained.*/
8752 # if defined(VGA_x86)
8756 # elif defined(VGA_amd64)
8762 # elif defined(VGA_ppc64le)
8763 // Needed by (at least) set_AV_CR6() in the front end.
8765 # elif defined(VGA_arm64)
8768 # elif defined(VGA_arm)
8770 # endif
8772 /* preInstrumentationAnalysis() will allocate &mce.tmpHowUsed and then
8773 fill it in. */
8778 /* This happens very rarely. In this case just select expensive
8779 for everything, and throw away the tmp-use analysis results. */
8784 /* Nothing. mce.tmpHowUsed contains tmp-use analysis results,
8785 which will be used for some subset of Iop_{Add,Sub}{32,64},
8786 based on which ones are set to DLauto for this target. */
8787 }
8788 }
8793 // Debug printing: which tmps have been identified as PCast-only use
8799 }
8800 }
8802 }
8804 // Debug printing: number of ops by detail level
8811 }
8812 /* END decide on expense levels for instrumentation. */
8814 /* Initialise the running the tmp environment. */
8820 TempMapEnt ent;
8825 }
8828 /* Finally, begin instrumentation. */
8829 /* Copy verbatim any IR preamble preceding the first IMark */
8842 i++;
8843 }
8845 /* Nasty problem. IR optimisation of the pre-instrumented IR may
8846 cause the IR following the preamble to contain references to IR
8847 temporaries defined in the preamble. Because the preamble isn't
8848 instrumented, these temporaries don't have any shadows.
8849 Nevertheless uses of them following the preamble will cause
8850 memcheck to generate references to their shadows. End effect is
8851 to cause IR sanity check failures, due to references to
8852 non-existent shadows. This is only evident for the complex
8853 preambles used for function wrapping on TOC-afflicted platforms
8854 (ppc64-linux).
8856 The following loop therefore scans the preamble looking for
8857 assignments to temporaries. For each one found it creates an
8858 assignment to the corresponding (V) shadow temp, marking it as
8859 'defined'. This is the same resulting IR as if the main
8860 instrumentation loop before had been applied to the statement
8861 'tmp = CONSTANT'.
8863 Similarly, if origin tracking is enabled, we must generate an
8864 assignment for the corresponding origin (B) shadow, claiming
8865 no-origin, as appropriate for a defined value.
8866 */
8869 /* findShadowTmpV checks its arg is an original tmp;
8870 no need to assert that here. */
8879 }
8884 }
8885 }
8886 }
8888 /* Iterate over the remaining stmts to generate instrumentation. */
8904 }
8907 /* See comments on case Ist_CAS below. */
8910 }
8912 /* Generate instrumentation code for each stmt ... */
8924 }
8976 /* Note, do_shadow_CAS copies the CAS itself to the output
8977 block, because it needs to add instrumentation both
8978 before and after it. Hence skip the copy below. Also
8979 skip the origin-tracking stuff (call to schemeS) above,
8980 since that's all tangled up with it too; do_shadow_CAS
8981 does it all. */
9005 }
9007 }
9009 /* ... and finally copy the stmt itself to the output. Except,
9010 skip the copy of IRCASs; see comments on case Ist_CAS
9011 above. */
9014 }
9016 /* Now we need to complain if the jump target is undefined. */
9023 }
9032 }
9034 }
9036 /* If this fails, there's been some serious snafu with tmp management,
9037 that should be investigated. */
9043 }
9047 }
9050 /*--------------------------------------------------------------------*/
9051 /*--- end mc_translate.c ---*/
9052 /*--------------------------------------------------------------------*/