1 //===-- LowerBitSets.cpp - Bitset lowering pass ---------------------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This pass lowers bitset metadata and calls to the llvm.bitset.test intrinsic.
11 // See http://llvm.org/docs/LangRef.html#bitsets for more information.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "llvm/Transforms/IPO/LowerBitSets.h"
16 #include "llvm/Transforms/IPO.h"
17 #include "llvm/ADT/EquivalenceClasses.h"
18 #include "llvm/ADT/Statistic.h"
19 #include "llvm/ADT/Triple.h"
20 #include "llvm/IR/Constant.h"
21 #include "llvm/IR/Constants.h"
22 #include "llvm/IR/Function.h"
23 #include "llvm/IR/GlobalObject.h"
24 #include "llvm/IR/GlobalVariable.h"
25 #include "llvm/IR/IRBuilder.h"
26 #include "llvm/IR/Instructions.h"
27 #include "llvm/IR/Intrinsics.h"
28 #include "llvm/IR/Module.h"
29 #include "llvm/IR/Operator.h"
30 #include "llvm/Pass.h"
31 #include "llvm/Support/Debug.h"
32 #include "llvm/Support/raw_ostream.h"
33 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
34 
35 using namespace llvm;
36 
37 #define DEBUG_TYPE "lowerbitsets"
38 
// Pass statistics. ByteArraySizeBits and ByteArraySizeBytes are assigned at the
// end of allocateByteArrays(); NumByteArraysCreated is incremented in
// createBitSetTest() and NumBitSetCallsLowered in lowerBitSetCalls().
STATISTIC(ByteArraySizeBits, "Byte array size in bits");
STATISTIC(ByteArraySizeBytes, "Byte array size in bytes");
STATISTIC(NumByteArraysCreated, "Number of byte arrays created");
STATISTIC(NumBitSetCallsLowered, "Number of bitset calls lowered");
STATISTIC(NumBitSetDisjointSets, "Number of disjoint sets of bitsets");

// Hardening option read by createBitSetTest(). When it is set (the default) and
// the target does not use linker subsections-via-symbols, every use of a byte
// array goes through its own private alias so that the backend is less likely
// to reuse a previously computed byte array address. Turning it off removes
// that protection from the CFI checks built on this pass.
static cl::opt<bool> AvoidReuse(
    "lowerbitsets-avoid-reuse",
    cl::desc("Try to avoid reuse of byte array addresses using aliases"),
    cl::Hidden, cl::init(true));
49 
/// Returns true if the byte offset Offset (measured in the combined global
/// layout) is a member of this bitset.
bool BitSetInfo::containsGlobalOffset(uint64_t Offset) const {
  // Reject offsets below the start of the bitset first; this also keeps the
  // unsigned subtraction below from wrapping.
  if (Offset < ByteOffset)
    return false;

  const uint64_t Delta = Offset - ByteOffset;
  const uint64_t Alignment = uint64_t(1) << AlignLog2;

  // Only addresses aligned to the bitset's alignment have a bit at all.
  if (Delta % Alignment != 0)
    return false;

  // One bit is stored per aligned address; anything at or past BitSize is
  // outside the set.
  const uint64_t BitIndex = Delta >> AlignLog2;
  return BitIndex < BitSize && Bits.count(BitIndex);
}
63 
/// Returns true if V, displaced by COffset bytes, can be shown at compile time
/// to point at a member of this bitset.
///
/// Returning false is the conservative answer: lowerBitSetCall() in this file
/// only folds a test to constant true when this function returns true, and
/// otherwise emits the runtime check.
bool BitSetInfo::containsValue(
    const DataLayout &DL,
    const DenseMap<GlobalObject *, uint64_t> &GlobalLayout, Value *V,
    uint64_t COffset) const {
  // Base case: a global with a known position in the layout.
  if (auto *Global = dyn_cast<GlobalObject>(V)) {
    auto LayoutIt = GlobalLayout.find(Global);
    return LayoutIt != GlobalLayout.end() &&
           containsGlobalOffset(LayoutIt->second + COffset);
  }

  // A GEP with an all-constant offset: fold the offset in and look through it.
  // A GEP whose offset is not constant cannot be proven, so give up.
  if (auto *GEP = dyn_cast<GEPOperator>(V)) {
    APInt ConstOffset(DL.getPointerSizeInBits(0), 0);
    if (!GEP->accumulateConstantOffset(DL, ConstOffset))
      return false;
    return containsValue(DL, GlobalLayout, GEP->getPointerOperand(),
                         COffset + ConstOffset.getZExtValue());
  }

  auto *Op = dyn_cast<Operator>(V);
  if (!Op)
    return false;

  switch (Op->getOpcode()) {
  case Instruction::BitCast:
    // A bitcast does not move the pointer.
    return containsValue(DL, GlobalLayout, Op->getOperand(0), COffset);
  case Instruction::Select:
    // Either arm may be chosen at run time, so both must be members.
    return containsValue(DL, GlobalLayout, Op->getOperand(1), COffset) &&
           containsValue(DL, GlobalLayout, Op->getOperand(2), COffset);
  default:
    return false;
  }
}
96 
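/// Print a one-line description of this bitset to OS: its byte offset, size
/// in bits and alignment, followed by either "all-ones" or the list of set
/// bit indices.
void BitSetInfo::print(raw_ostream &OS) const {
  // Shift a 64-bit one, as containsGlobalOffset() does. AlignLog2 is computed
  // from 64-bit offsets in BitSetBuilder::build(), so shifting a plain int
  // would overflow for alignments of 2^31 and above.
  OS << "offset " << ByteOffset << " size " << BitSize << " align "
     << (uint64_t(1) << AlignLog2);

  if (isAllOnes()) {
    OS << " all-ones\n";
    return;
  }

  OS << " { ";
  for (uint64_t B : Bits)
    OS << B << ' ';
  OS << "}\n";
}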
111 
/// Turn the offsets collected so far into a compressed BitSetInfo.
///
/// Note that this rewrites Offsets in place (each entry has Min subtracted
/// from it), so the builder should not be built from twice.
BitSetInfo BitSetBuilder::build() {
  // Min above Max means the range is empty; fall back to a base of zero.
  if (Min > Max)
    Min = 0;

  // Rebase every offset onto Min and OR the results together. The trailing
  // zero count of the combined value is log2 of the alignment shared by all
  // offsets, which lets the bitset store one bit per aligned address instead
  // of one bit per byte.
  uint64_t CombinedBits = 0;
  for (uint64_t &Rebased : Offsets) {
    Rebased -= Min;
    CombinedBits |= Rebased;
  }

  BitSetInfo Result;
  Result.ByteOffset = Min;

  // countTrailingZeros is only asked about nonzero values here.
  if (CombinedBits == 0)
    Result.AlignLog2 = 0;
  else
    Result.AlignLog2 = countTrailingZeros(CombinedBits, ZB_Undefined);

  // Scale the range and every offset down by the alignment to get bit
  // positions.
  Result.BitSize = ((Max - Min) >> Result.AlignLog2) + 1;
  for (uint64_t Rebased : Offsets)
    Result.Bits.insert(Rebased >> Result.AlignLog2);

  return Result;
}
144 
/// Add the object indices in F as a new layout fragment, absorbing every
/// existing fragment that already contains one of them.
///
/// Fragment index 0 is used as the "not in any fragment yet" marker when
/// reading FragmentMap.
void GlobalLayoutBuilder::addFragment(const std::set<uint64_t> &F) {
  // Append an empty fragment that will hold the layout for F.
  Fragments.emplace_back();
  const uint64_t NewIndex = Fragments.size() - 1;
  std::vector<uint64_t> &NewFragment = Fragments.back();

  for (uint64_t ObjIndex : F) {
    const uint64_t PrevIndex = FragmentMap[ObjIndex];
    if (PrevIndex == 0) {
      // First time this object index is seen: it simply joins the new
      // fragment.
      NewFragment.push_back(ObjIndex);
      continue;
    }

    // The index already lives in an older fragment. Move that fragment's
    // contents over and empty it. FragmentMap is deliberately left untouched
    // for now: a later index from the same old fragment then finds it empty
    // and contributes nothing more.
    std::vector<uint64_t> &PrevFragment = Fragments[PrevIndex];
    NewFragment.insert(NewFragment.end(), PrevFragment.begin(),
                       PrevFragment.end());
    PrevFragment.clear();
  }

  // Now point every object index we ended up with at the new fragment.
  for (uint64_t Member : NewFragment)
    FragmentMap[Member] = NewIndex;
}
173 
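/// Reserve room for a bitset of BitSize entries in the shared byte array and
/// record its members there.
///
/// Each bitset occupies one bit position across a run of consecutive bytes.
/// On return AllocByteOffset is the index of the first byte of that run and
/// AllocMask is the single-bit mask selecting the bit position that was used.
///
/// Assumes every element of Bits is below BitSize; this is not checked here,
/// and a larger element would index past the reserved run.
void ByteArrayBuilder::allocate(const std::set<uint64_t> &Bits,
                                uint64_t BitSize, uint64_t &AllocByteOffset,
                                uint8_t &AllocMask) {
  // Find the smallest current allocation.
  unsigned Bit = 0;
  for (unsigned I = 1; I != BitsPerByte; ++I)
    if (BitAllocs[I] < BitAllocs[Bit])
      Bit = I;

  AllocByteOffset = BitAllocs[Bit];

  // Add our size to it. The sum is kept in 64 bits: both operands are
  // uint64_t, and narrowing it to unsigned would leave Bytes smaller than the
  // run that the loop below writes into.
  uint64_t ReqSize = AllocByteOffset + BitSize;
  BitAllocs[Bit] = ReqSize;
  if (Bytes.size() < ReqSize)
    Bytes.resize(ReqSize);

  // Set our bits.
  AllocMask = 1 << Bit;
  for (uint64_t B : Bits)
    Bytes[AllocByteOffset + B] |= AllocMask;
}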
196 
namespace {

// Bookkeeping for one bitset that is tested through the shared byte array
// rather than through an inline constant. Filled in by createByteArray() and
// resolved by allocateByteArrays().
struct ByteArrayInfo {
  // Bit positions that are set; copied from the BitSetInfo.
  std::set<uint64_t> Bits;
  // Number of bit positions in the bitset; copied from the BitSetInfo.
  uint64_t BitSize;
  // Placeholder global standing in for this bitset's start address in the byte
  // array. allocateByteArrays() replaces its uses and erases it.
  GlobalVariable *ByteArray;
  // ptrtoint of a second placeholder global, standing in for the bit mask.
  // allocateByteArrays() replaces its uses with the real i8 mask.
  Constant *Mask;
};

// Module pass that lowers llvm.bitsets metadata and llvm.bitset.test calls.
struct LowerBitSets : public ModulePass {
  static char ID;
  LowerBitSets() : ModulePass(ID) {
    initializeLowerBitSetsPass(*PassRegistry::getPassRegistry());
  }

  // The module being processed; set in doInitialization(). The members below
  // up to IntPtrTy are also only valid after doInitialization() has run.
  Module *M;

  // True when the target triple is Mac OS X. In that case aliases are avoided
  // and uses are rewritten to constant expressions directly.
  bool LinkerSubsectionsViaSymbols;
  Triple::ArchType Arch;
  Triple::ObjectFormatType ObjectFormat;
  // Frequently used types, cached from the module's context.
  IntegerType *Int1Ty;
  IntegerType *Int8Ty;
  IntegerType *Int32Ty;
  Type *Int32PtrTy;
  IntegerType *Int64Ty;
  // Integer type with the width of a pointer in address space 0.
  IntegerType *IntPtrTy;

  // The llvm.bitsets named metadata. Null when the module has none.
  NamedMDNode *BitSetNM;

  // Mapping from bitset identifiers to the call sites that test them.
  DenseMap<Metadata *, std::vector<CallInst *>> BitSetTestCallSites;

  // One entry per byte-array-backed bitset. createByteArray() returns pointers
  // into this vector, so those pointers do not survive a later insertion.
  std::vector<ByteArrayInfo> ByteArrayInfos;

  BitSetInfo
  buildBitSet(Metadata *BitSet,
              const DenseMap<GlobalObject *, uint64_t> &GlobalLayout);
  ByteArrayInfo *createByteArray(BitSetInfo &BSI);
  void allocateByteArrays();
  Value *createBitSetTest(IRBuilder<> &B, BitSetInfo &BSI, ByteArrayInfo *&BAI,
                          Value *BitOffset);
  void lowerBitSetCalls(ArrayRef<Metadata *> BitSets,
                        Constant *CombinedGlobalAddr,
                        const DenseMap<GlobalObject *, uint64_t> &GlobalLayout);
  Value *
  lowerBitSetCall(CallInst *CI, BitSetInfo &BSI, ByteArrayInfo *&BAI,
                  Constant *CombinedGlobal,
                  const DenseMap<GlobalObject *, uint64_t> &GlobalLayout);
  void buildBitSetsFromGlobalVariables(ArrayRef<Metadata *> BitSets,
                                       ArrayRef<GlobalVariable *> Globals);
  unsigned getJumpTableEntrySize();
  Type *getJumpTableEntryType();
  Constant *createJumpTableEntry(GlobalObject *Src, Function *Dest,
                                 unsigned Distance);
  void verifyBitSetMDNode(MDNode *Op);
  void buildBitSetsFromFunctions(ArrayRef<Metadata *> BitSets,
                                 ArrayRef<Function *> Functions);
  void buildBitSetsFromDisjointSet(ArrayRef<Metadata *> BitSets,
                                   ArrayRef<GlobalObject *> Globals);
  bool buildBitSets();
  bool eraseBitSetMetadata();

  bool doInitialization(Module &M) override;
  bool runOnModule(Module &M) override;
};

} // anonymous namespace
265 
// Register the pass with the pass registry under the command-line name
// "lowerbitsets". The two trailing flags mark it as neither CFG-only nor an
// analysis.
INITIALIZE_PASS_BEGIN(LowerBitSets, "lowerbitsets",
                "Lower bitset metadata", false, false)
INITIALIZE_PASS_END(LowerBitSets, "lowerbitsets",
                "Lower bitset metadata", false, false)
// The pass is identified by the address of ID, not by its value.
char LowerBitSets::ID = 0;
271 
/// Factory for the bitset lowering pass. Returns a newly allocated pass
/// object; this function keeps no reference to it.
ModulePass *llvm::createLowerBitSetsPass() {
  return new LowerBitSets();
}
273 
/// Cache per-module state: the module itself, the target properties the
/// lowering depends on, commonly used types and the llvm.bitsets metadata.
/// Returns false because the module is not modified here.
bool LowerBitSets::doInitialization(Module &Mod) {
  M = &Mod;

  // Target properties that select between the alias-based and the
  // constant-expression-based lowering, and the jump table encoding.
  Triple TargetTriple(Mod.getTargetTriple());
  LinkerSubsectionsViaSymbols = TargetTriple.isMacOSX();
  Arch = TargetTriple.getArch();
  ObjectFormat = TargetTriple.getObjectFormat();

  LLVMContext &Ctx = Mod.getContext();
  Int1Ty = Type::getInt1Ty(Ctx);
  Int8Ty = Type::getInt8Ty(Ctx);
  Int32Ty = Type::getInt32Ty(Ctx);
  Int32PtrTy = PointerType::getUnqual(Int32Ty);
  Int64Ty = Type::getInt64Ty(Ctx);
  // Pointer-sized integer for address space 0.
  IntPtrTy = Mod.getDataLayout().getIntPtrType(Ctx, 0);

  // May be null if the module carries no bitset metadata.
  BitSetNM = Mod.getNamedMetadata("llvm.bitsets");

  // Drop call sites recorded for a previously processed module.
  BitSetTestCallSites.clear();

  return false;
}
296 
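/// Build a bit set for BitSet using the object layouts in
/// GlobalLayout.
///
/// Every llvm.bitsets operand whose first element is BitSet contributes one
/// offset: the constant offset in its third element plus the position of its
/// global in GlobalLayout. Aliases are resolved to their aliasee first, and
/// elements that are null or do not resolve to a GlobalObject are skipped.
///
/// The cast<> calls assume each operand has already been checked to have the
/// shape that verifyBitSetMDNode() enforces.
BitSetInfo LowerBitSets::buildBitSet(
    Metadata *BitSet,
    const DenseMap<GlobalObject *, uint64_t> &GlobalLayout) {
  BitSetBuilder BSB;

  // Without llvm.bitsets metadata there are no members to add.
  if (!BitSetNM)
    return BSB.build();

  // Compute the byte offset of each element of this bitset.
  for (MDNode *Op : BitSetNM->operands()) {
    if (Op->getOperand(0) != BitSet || !Op->getOperand(1))
      continue;
    Constant *OpConst =
        cast<ConstantAsMetadata>(Op->getOperand(1))->getValue();
    if (auto *GA = dyn_cast<GlobalAlias>(OpConst))
      OpConst = GA->getAliasee();
    auto *OpGlobal = dyn_cast<GlobalObject>(OpConst);
    if (!OpGlobal)
      continue;
    uint64_t Offset =
        cast<ConstantInt>(cast<ConstantAsMetadata>(Op->getOperand(2))
                              ->getValue())->getZExtValue();

    // Every member is expected to have been laid out by the caller. Check the
    // lookup instead of dereferencing a possible end() iterator, which would
    // feed an out-of-bounds value into the bitset.
    auto LayoutIt = GlobalLayout.find(OpGlobal);
    assert(LayoutIt != GlobalLayout.end() &&
           "Bit set member has no entry in the global layout");
    Offset += LayoutIt->second;

    BSB.addOffset(Offset);
  }

  return BSB.build();
}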
328 
/// Emit IR that tests whether bit (BitOffset mod the bit width of Bits) is set
/// in Bits, and return the resulting i1. The shape of the emitted code matches
/// the bt instruction on x86.
///
/// Because the index is masked to the width of Bits, the shift amount stays
/// below that width for any BitOffset.
static Value *createMaskedBitTest(IRBuilder<> &B, Value *Bits,
                                  Value *BitOffset) {
  auto *WordTy = cast<IntegerType>(Bits->getType());
  Constant *IndexMask = ConstantInt::get(WordTy, WordTy->getBitWidth() - 1);
  Constant *One = ConstantInt::get(WordTy, 1);
  Constant *Zero = ConstantInt::get(WordTy, 0);

  // Bring the offset to the width of Bits, then reduce it modulo that width.
  Value *Resized = B.CreateZExtOrTrunc(BitOffset, WordTy);
  Value *Index = B.CreateAnd(Resized, IndexMask);

  // Isolate the selected bit and compare against zero.
  Value *SingleBit = B.CreateShl(One, Index);
  Value *Selected = B.CreateAnd(Bits, SingleBit);
  return B.CreateICmpNE(Selected, Zero);
}
343 
/// Record that BSI needs space in the shared byte array and return the new
/// bookkeeping entry.
///
/// The returned pointer refers to an element of ByteArrayInfos, so it is only
/// valid until the next entry is appended to that vector.
ByteArrayInfo *LowerBitSets::createByteArray(BitSetInfo &BSI) {
  // Two placeholder globals stand in for the byte array address and the mask.
  // They are never initialized: allocateByteArrays() replaces all their uses
  // and erases them once the real offset and mask are known.
  auto *ArrayPlaceholder = new GlobalVariable(
      *M, Int8Ty, /*isConstant=*/true, GlobalValue::PrivateLinkage, nullptr);
  auto *MaskPlaceholder = new GlobalVariable(
      *M, Int8Ty, /*isConstant=*/true, GlobalValue::PrivateLinkage, nullptr);

  ByteArrayInfos.emplace_back();
  ByteArrayInfo &Info = ByteArrayInfos.back();

  Info.Bits = BSI.Bits;
  Info.BitSize = BSI.BitSize;
  Info.ByteArray = ArrayPlaceholder;
  // The mask is used as an i8 value, hence the ptrtoint of its placeholder.
  Info.Mask = ConstantExpr::getPtrToInt(MaskPlaceholder, Int8Ty);
  return &Info;
}
362 
/// Pack every recorded bitset into one shared private constant byte array and
/// resolve the placeholder globals created by createByteArray().
void LowerBitSets::allocateByteArrays() {
  // Place the largest bitsets first. The sort is stable, so bitsets of equal
  // size keep their creation order.
  std::stable_sort(ByteArrayInfos.begin(), ByteArrayInfos.end(),
                   [](const ByteArrayInfo &LHS, const ByteArrayInfo &RHS) {
                     return RHS.BitSize < LHS.BitSize;
                   });

  std::vector<uint64_t> StartOffsets(ByteArrayInfos.size());

  // First pass: assign each bitset a byte offset and a bit mask, and swap the
  // mask placeholder for the real constant.
  ByteArrayBuilder BAB;
  for (unsigned Idx = 0; Idx != ByteArrayInfos.size(); ++Idx) {
    ByteArrayInfo &Info = ByteArrayInfos[Idx];

    uint8_t BitMask;
    BAB.allocate(Info.Bits, Info.BitSize, StartOffsets[Idx], BitMask);

    Info.Mask->replaceAllUsesWith(ConstantInt::get(Int8Ty, BitMask));
    // Info.Mask is the ptrtoint expression; its operand is the placeholder.
    cast<GlobalVariable>(Info.Mask->getOperand(0))->eraseFromParent();
  }

  // Materialize the packed bytes as a single private constant global.
  Constant *PackedBytes = ConstantDataArray::get(M->getContext(), BAB.Bytes);
  auto *PackedGlobal =
      new GlobalVariable(*M, PackedBytes->getType(), /*isConstant=*/true,
                         GlobalValue::PrivateLinkage, PackedBytes);

  // Second pass: point each address placeholder at its slice of the array.
  for (unsigned Idx = 0; Idx != ByteArrayInfos.size(); ++Idx) {
    ByteArrayInfo &Info = ByteArrayInfos[Idx];

    Constant *Indices[] = {ConstantInt::get(IntPtrTy, 0),
                           ConstantInt::get(IntPtrTy, StartOffsets[Idx])};
    Constant *SliceAddr = ConstantExpr::getInBoundsGetElementPtr(
        PackedBytes->getType(), PackedGlobal, Indices);

    // Create an alias instead of RAUW'ing the gep directly. On x86 this ensures
    // that the pc-relative displacement is folded into the lea instead of the
    // test instruction getting another displacement.
    if (LinkerSubsectionsViaSymbols) {
      Info.ByteArray->replaceAllUsesWith(SliceAddr);
    } else {
      GlobalAlias *SliceAlias = GlobalAlias::create(
          Int8Ty, 0, GlobalValue::PrivateLinkage, "bits", SliceAddr, M);
      Info.ByteArray->replaceAllUsesWith(SliceAlias);
    }
    Info.ByteArray->eraseFromParent();
  }

  // Statistics: bits handed out over the eight bit positions, and the final
  // size of the array in bytes.
  uint64_t TotalBits = 0;
  for (unsigned Bit = 0; Bit != 8; ++Bit)
    TotalBits += BAB.BitAllocs[Bit];
  ByteArraySizeBits = TotalBits;
  ByteArraySizeBytes = BAB.Bytes.size();
}
413 
/// Emit IR that tests whether bit BitOffset is set in BSI and return the i1
/// result.
///
/// Bitsets of at most 64 bits are tested against an inline constant. Larger
/// ones are tested with a load from the shared byte array; BAI is created on
/// first use and reused by later calls for the same bitset.
///
/// The byte array path emits no bounds check of its own: BitOffset indexes the
/// array directly, so the caller has to range-check it before this code runs.
Value *LowerBitSets::createBitSetTest(IRBuilder<> &B, BitSetInfo &BSI,
                                      ByteArrayInfo *&BAI, Value *BitOffset) {
  if (BSI.BitSize > 64) {
    if (!BAI) {
      ++NumByteArraysCreated;
      BAI = createByteArray(BSI);
    }

    Constant *ArrayAddr = BAI->ByteArray;
    Type *ElemTy = BAI->ByteArray->getValueType();
    if (!LinkerSubsectionsViaSymbols && AvoidReuse) {
      // Each use of the byte array uses a different alias. This makes the
      // backend less likely to reuse previously computed byte array addresses,
      // improving the security of the CFI mechanism based on this pass.
      ArrayAddr = GlobalAlias::create(BAI->ByteArray->getValueType(), 0,
                                      GlobalValue::PrivateLinkage, "bits_use",
                                      ArrayAddr, M);
    }

    // Load the byte for this offset and test this bitset's bit in it.
    Value *ByteAddr = B.CreateGEP(ElemTy, ArrayAddr, BitOffset);
    Value *LoadedByte = B.CreateLoad(ByteAddr);
    Value *Selected = B.CreateAnd(LoadedByte, BAI->Mask);
    return B.CreateICmpNE(Selected, ConstantInt::get(Int8Ty, 0));
  }

  // The bit set is small enough that a load can be avoided by bit testing a
  // constant of 32 or 64 bits.
  IntegerType *WordTy = BSI.BitSize <= 32 ? Int32Ty : Int64Ty;

  uint64_t Word = 0;
  for (uint64_t Bit : BSI.Bits)
    Word |= uint64_t(1) << Bit;

  return createMaskedBitTest(B, ConstantInt::get(WordTy, Word), BitOffset);
}
456 
/// Lower a llvm.bitset.test call to its implementation. Returns the value to
/// replace the call with; the call itself is left for the caller to erase.
///
/// Depending on the bitset, the result is a constant true (membership proven
/// statically), a single equality compare, a range-and-alignment compare, or
/// that compare followed by a guarded bit load joined with a phi.
Value *LowerBitSets::lowerBitSetCall(
    CallInst *CI, BitSetInfo &BSI, ByteArrayInfo *&BAI,
    Constant *CombinedGlobalIntAddr,
    const DenseMap<GlobalObject *, uint64_t> &GlobalLayout) {
  const DataLayout &DL = M->getDataLayout();
  Value *Ptr = CI->getArgOperand(0);

  // Nothing to emit if the pointer is statically known to be a member.
  if (BSI.containsValue(DL, GlobalLayout, Ptr))
    return ConstantInt::getTrue(M->getContext());

  // Address of the first member of the bitset, as an integer.
  Constant *BitSetBase = ConstantExpr::getAdd(
      CombinedGlobalIntAddr, ConstantInt::get(IntPtrTy, BSI.ByteOffset));

  // Remember the block now; it is split further down.
  BasicBlock *OrigBB = CI->getParent();

  IRBuilder<> B(CI);

  Value *PtrAsInt = B.CreatePtrToInt(Ptr, IntPtrTy);

  // A bitset with one member reduces to an address comparison.
  if (BSI.isSingleOffset())
    return B.CreateICmpEQ(PtrAsInt, BitSetBase);

  Value *Delta = B.CreateSub(PtrAsInt, BitSetBase);

  Value *BitOffset = Delta;
  if (BSI.AlignLog2 != 0) {
    // We need to check that the offset both falls within our range and is
    // suitably aligned. We can check both properties at the same time by
    // performing a right rotate by log2(alignment) followed by an integer
    // comparison against the bitset size. The rotate will move the lower
    // order bits that need to be zero into the higher order bits of the
    // result, causing the comparison to fail if they are nonzero. The rotate
    // also conveniently gives us a bit offset to use during the load from
    // the bitset.
    Value *RotLow =
        B.CreateLShr(Delta, ConstantInt::get(IntPtrTy, BSI.AlignLog2));
    Value *RotHigh = B.CreateShl(
        Delta,
        ConstantInt::get(IntPtrTy, DL.getPointerSizeInBits(0) - BSI.AlignLog2));
    BitOffset = B.CreateOr(RotLow, RotHigh);
  }

  // Unsigned compare: a pointer below the base wraps to a large value and
  // fails the test as well.
  Value *InRange =
      B.CreateICmpULT(BitOffset, ConstantInt::get(IntPtrTy, BSI.BitSize));

  // If the bit set is all ones, testing against it is unnecessary.
  if (BSI.isAllOnes())
    return InRange;

  // Only look at the bitset on the path where the range check passed.
  TerminatorInst *ThenTerm = SplitBlockAndInsertIfThen(InRange, CI, false);
  IRBuilder<> ThenB(ThenTerm);

  // Now that we know that the offset is in range and aligned, load the
  // appropriate bit from the bitset.
  Value *LoadedBit = createBitSetTest(ThenB, BSI, BAI, BitOffset);

  // The value we want is 0 if we came directly from the initial block
  // (having failed the range or alignment checks), or the loaded bit if
  // we came from the block in which we loaded it.
  B.SetInsertPoint(CI);
  PHINode *Result = B.CreatePHI(Int1Ty, 2);
  Result->addIncoming(ConstantInt::get(Int1Ty, 0), OrigBB);
  Result->addIncoming(LoadedBit, ThenB.GetInsertBlock());
  return Result;
}
526 
/// Given a disjoint set of bitsets and globals, layout the globals, build the
/// bit sets and lower the llvm.bitset.test calls.
///
/// The globals are merged into one private constant struct. Each original
/// global is erased after its uses are redirected to the matching struct
/// field, either directly or through an alias that takes over its name,
/// linkage and visibility.
void LowerBitSets::buildBitSetsFromGlobalVariables(
    ArrayRef<Metadata *> BitSets, ArrayRef<GlobalVariable *> Globals) {
  const DataLayout &DL = M->getDataLayout();

  // Build a new global with the combined contents of the referenced globals.
  // This global is a struct whose even-indexed elements contain the original
  // contents of the referenced globals and whose odd-indexed elements contain
  // any padding required to align the next element to the next power of 2.
  std::vector<Constant *> Fields;
  for (GlobalVariable *GV : Globals) {
    Fields.push_back(GV->getInitializer());

    // Compute the amount of padding required.
    const uint64_t Size = DL.getTypeAllocSize(GV->getValueType());
    uint64_t Pad = NextPowerOf2(Size - 1) - Size;

    // Cap at 128 was found experimentally to have a good data/instruction
    // overhead tradeoff.
    if (Pad > 128)
      Pad = RoundUpToAlignment(Size, 128) - Size;

    Fields.push_back(
        ConstantAggregateZero::get(ArrayType::get(Int8Ty, Pad)));
  }
  // No padding is needed after the last global.
  if (!Fields.empty())
    Fields.pop_back();

  Constant *CombinedInit = ConstantStruct::getAnon(M->getContext(), Fields);
  auto *CombinedGlobal =
      new GlobalVariable(*M, CombinedInit->getType(), /*isConstant=*/true,
                         GlobalValue::PrivateLinkage, CombinedInit);

  StructType *CombinedTy = cast<StructType>(CombinedInit->getType());
  const StructLayout *FieldLayout = DL.getStructLayout(CombinedTy);

  // Compute the offsets of the original globals within the new global.
  DenseMap<GlobalObject *, uint64_t> GlobalLayout;
  for (unsigned I = 0; I != Globals.size(); ++I) {
    // Multiply by 2 to account for padding elements.
    GlobalLayout[Globals[I]] = FieldLayout->getElementOffset(I * 2);
  }

  lowerBitSetCalls(BitSets, CombinedGlobal, GlobalLayout);

  // Build aliases pointing to offsets into the combined global for each
  // global from which we built the combined global, and replace references
  // to the original globals with references to the aliases.
  for (unsigned I = 0; I != Globals.size(); ++I) {
    GlobalVariable *Old = Globals[I];

    // Multiply by 2 to account for padding elements.
    Constant *FieldIdxs[] = {ConstantInt::get(Int32Ty, 0),
                             ConstantInt::get(Int32Ty, I * 2)};
    Constant *FieldPtr = ConstantExpr::getGetElementPtr(
        CombinedInit->getType(), CombinedGlobal, FieldIdxs);

    if (LinkerSubsectionsViaSymbols) {
      Old->replaceAllUsesWith(FieldPtr);
    } else {
      assert(Old->getType()->getAddressSpace() == 0);
      GlobalAlias *FieldAlias = GlobalAlias::create(
          CombinedTy->getElementType(I * 2), 0, Old->getLinkage(), "",
          FieldPtr, M);
      FieldAlias->setVisibility(Old->getVisibility());
      FieldAlias->takeName(Old);
      Old->replaceAllUsesWith(FieldAlias);
    }
    Old->eraseFromParent();
  }
}
593 
/// Build each bitset in BitSets against GlobalLayout and replace every
/// recorded llvm.bitset.test call on it with its lowered form.
///
/// CombinedGlobalAddr is the object that the offsets in GlobalLayout are
/// relative to.
void LowerBitSets::lowerBitSetCalls(
    ArrayRef<Metadata *> BitSets, Constant *CombinedGlobalAddr,
    const DenseMap<GlobalObject *, uint64_t> &GlobalLayout) {
  // All address arithmetic is done on the integer form of the base address.
  Constant *BaseAsInt =
      ConstantExpr::getPtrToInt(CombinedGlobalAddr, IntPtrTy);

  // For each bitset in this disjoint set...
  for (Metadata *BS : BitSets) {
    // Build the bitset.
    BitSetInfo BSI = buildBitSet(BS, GlobalLayout);
    DEBUG({
      if (auto *Name = dyn_cast<MDString>(BS))
        dbgs() << Name->getString() << ": ";
      else
        dbgs() << "<unnamed>: ";
      BSI.print(dbgs());
    });

    // Shared by all call sites of this bitset; filled in by the first one
    // that needs the byte array.
    ByteArrayInfo *BAI = nullptr;

    // Lower each call to llvm.bitset.test for this bitset.
    for (CallInst *Call : BitSetTestCallSites[BS]) {
      ++NumBitSetCallsLowered;
      Value *Replacement =
          lowerBitSetCall(Call, BSI, BAI, BaseAsInt, GlobalLayout);
      Call->replaceAllUsesWith(Replacement);
      Call->eraseFromParent();
    }
  }
}
624 
/// Check that one operand of the llvm.bitsets metadata is well formed, and
/// abort compilation with report_fatal_error() if it is not.
///
/// An operand must have exactly three elements. If the second element is a
/// GlobalObject it may not be thread-local or carry an explicit section, a
/// global variable must be a definition, and the third element must be a
/// constant integer offset.
void LowerBitSets::verifyBitSetMDNode(MDNode *Op) {
  if (Op->getNumOperands() != 3)
    report_fatal_error(
        "All operands of llvm.bitsets metadata must have 3 elements");

  // A null element is accepted as is.
  if (!Op->getOperand(1))
    return;

  auto *ElementMD = dyn_cast<ConstantAsMetadata>(Op->getOperand(1));
  if (!ElementMD)
    report_fatal_error("Bit set element must be a constant");

  // NOTE(review): anything that is not a GlobalObject returns here, which
  // includes GlobalAlias elements. buildBitSet() looks through aliases and
  // then cast<>s the offset operand without a check, so confirm whether the
  // offset validation below should also run for aliases.
  auto *Element = dyn_cast<GlobalObject>(ElementMD->getValue());
  if (!Element)
    return;

  if (Element->isThreadLocal())
    report_fatal_error("Bit set element may not be thread-local");
  if (Element->hasSection())
    report_fatal_error("Bit set element may not have an explicit section");

  // Only variables are required to be definitions.
  if (isa<GlobalVariable>(Element) && Element->isDeclarationForLinker())
    report_fatal_error("Bit set global var element must be a definition");

  auto *OffsetMD = dyn_cast<ConstantAsMetadata>(Op->getOperand(2));
  if (!OffsetMD)
    report_fatal_error("Bit set element offset must be a constant");
  if (!isa<ConstantInt>(OffsetMD->getValue()))
    report_fatal_error("Bit set element offset must be an integer constant");
}
654 
// Size in bytes of one x86 jump table entry. It matches the packed entry
// built by createJumpTableEntry(): 1 + 4 + 3 bytes.
static const unsigned kX86JumpTableEntrySize = 8;

/// Returns the size in bytes of one jump table entry for the target. Only
/// x86 and x86-64 are supported; any other architecture is a fatal error.
unsigned LowerBitSets::getJumpTableEntrySize() {
  const bool IsX86 = Arch == Triple::x86 || Arch == Triple::x86_64;
  if (!IsX86)
    report_fatal_error("Unsupported architecture for jump tables");

  return kX86JumpTableEntrySize;
}
663 
// Create a constant representing a jump table entry for the target. This
// consists of an instruction sequence containing a relative branch to Dest. The
// constant will be laid out at address Src+(Len*Distance) where Len is the
// target-specific jump table entry size.
//
// On x86 the entry is a packed struct of a jmp rel32 opcode byte, its 32-bit
// displacement and three int3 bytes of padding. Only x86 and x86-64 are
// supported; any other architecture is a fatal error.
Constant *LowerBitSets::createJumpTableEntry(GlobalObject *Src, Function *Dest,
                                             unsigned Distance) {
  const bool IsX86 = Arch == Triple::x86 || Arch == Triple::x86_64;
  if (!IsX86)
    report_fatal_error("Unsupported architecture for jump tables");

  const unsigned kJmpPCRel32Code = 0xe9;
  const unsigned kInt3Code = 0xcc;

  ConstantInt *JmpOpcode = ConstantInt::get(Int8Ty, kJmpPCRel32Code);
  ConstantInt *Int3Pad = ConstantInt::get(Int8Ty, kInt3Code);

  // Build a constant representing the displacement between the constant's
  // address and Dest. This will resolve to a PC32 relocation referring to Dest.
  Constant *DestAddr = ConstantExpr::getPtrToInt(Dest, IntPtrTy);
  Constant *TableAddr = ConstantExpr::getPtrToInt(Src, IntPtrTy);
  Constant *RawDisp = ConstantExpr::getSub(DestAddr, TableAddr);

  // The displacement is taken from the end of the 5-byte jmp in this entry,
  // which lies Distance entries past Src.
  ConstantInt *JmpEndOffset =
      ConstantInt::get(IntPtrTy, Distance * kX86JumpTableEntrySize + 5);
  Constant *Disp32 = ConstantExpr::getSub(RawDisp, JmpEndOffset);
  Disp32 = ConstantExpr::getTruncOrBitCast(Disp32, Int32Ty);

  Constant *Fields[] = {
      JmpOpcode, Disp32, Int3Pad, Int3Pad, Int3Pad,
  };
  return ConstantStruct::getAnon(Fields, /*Packed=*/true);
}
695 
/// Returns the packed struct type of one jump table entry: an i8, an i32 and
/// three more i8 fields, mirroring what createJumpTableEntry() builds. Only
/// x86 and x86-64 are supported; any other architecture is a fatal error.
Type *LowerBitSets::getJumpTableEntryType() {
  const bool IsX86 = Arch == Triple::x86 || Arch == Triple::x86_64;
  if (!IsX86)
    report_fatal_error("Unsupported architecture for jump tables");

  return StructType::get(M->getContext(),
                         {Int8Ty, Int32Ty, Int8Ty, Int8Ty, Int8Ty},
                         /*Packed=*/true);
}
704 
705 /// Given a disjoint set of bitsets and functions, build a jump table for the
706 /// functions, build the bit sets and lower the llvm.bitset.test calls.
/// Lower a disjoint set of bitsets whose members are all functions by routing
/// every member through one slot of a freshly created jump table.
///
/// \param BitSets   the bitset identifiers belonging to this disjoint set.
/// \param Functions the member functions in their final layout order; slot I
///                  of the jump table belongs to Functions[I]. Must not be
///                  empty (asserted).
void LowerBitSets::buildBitSetsFromFunctions(ArrayRef<Metadata *> BitSets,
                                             ArrayRef<Function *> Functions) {
  // The global-variable builder can choose the order of its members and derive
  // offsets from their sizes. That does not work for functions: the size of a
  // function body is unknown here (it may even depend on what this pass does),
  // so the layout of the entry points cannot be predicted. Instead we emit a
  // jump table: a block of code holding one branch instruction per member
  // function, each branching to its target. Every taken address of a member is
  // redirected to the member's jump table entry. In the object file's symbol
  // table the members' symbols also refer to the jump table entries, so that
  // addresses taken outside the module will pass any verification done inside
  // the module.
  //
  // Concretely, take three functions f, g, h that are members of one bitset,
  // and a function foo that returns their addresses:
  //
  // f:
  // mov 0, %eax
  // ret
  //
  // g:
  // mov 1, %eax
  // ret
  //
  // h:
  // mov 2, %eax
  // ret
  //
  // foo:
  // mov f, %eax
  // mov g, %edx
  // mov h, %ecx
  // ret
  //
  // The jump table is emitted by describing its instructions as an LLVM
  // constant and placing that constant in a global variable in the .text
  // section. Conceptually the result is:
  //
  // f:
  // jmp .Ltmp0 ; 5 bytes
  // int3       ; 1 byte
  // int3       ; 1 byte
  // int3       ; 1 byte
  //
  // g:
  // jmp .Ltmp1 ; 5 bytes
  // int3       ; 1 byte
  // int3       ; 1 byte
  // int3       ; 1 byte
  //
  // h:
  // jmp .Ltmp2 ; 5 bytes
  // int3       ; 1 byte
  // int3       ; 1 byte
  // int3       ; 1 byte
  //
  // .Ltmp0:
  // mov 0, %eax
  // ret
  //
  // .Ltmp1:
  // mov 1, %eax
  // ret
  //
  // .Ltmp2:
  // mov 2, %eax
  // ret
  //
  // foo:
  // mov f, %eax
  // mov g, %edx
  // mov h, %ecx
  // ret
  //
  // In this illustration each entry is padded to 8 bytes with int3, so the
  // addresses of f, g, h are evenly spaced at a power of 2. In the normal case
  // the membership check can therefore use the same simple arithmetic that is
  // used for globals. The padding bytes are trap instructions, so a transfer
  // that lands inside an entry rather than on its first byte does not fall
  // through into the following entry.

  assert(!Functions.empty());

  // Slot I of the table starts I * EntrySize bytes into it.
  DenseMap<GlobalObject *, uint64_t> GlobalLayout;
  unsigned EntrySize = getJumpTableEntrySize();
  for (unsigned I = 0; I != Functions.size(); ++I) {
    Function *F = Functions[I];
    GlobalLayout[F] = I * EntrySize;
  }

  // The table is a private, constant array with one entry per function. Its
  // initializer is filled in at the end of this function.
  ArrayType *TableTy =
      ArrayType::get(getJumpTableEntryType(), Functions.size());
  auto Table = new GlobalVariable(*M, TableTy, /*isConstant=*/true,
                                  GlobalValue::PrivateLinkage, nullptr);
  const char *TextSection = ObjectFormat == Triple::MachO
                                ? "__TEXT,__text,regular,pure_instructions"
                                : ".text";
  Table->setSection(TextSection);

  // Lower the bitset test calls against the table layout before any use of the
  // functions is rewritten below.
  lowerBitSetCalls(BitSets, Table, GlobalLayout);

  // Redirect every reference to a member function to its slot in the table.
  for (unsigned I = 0; I != Functions.size(); ++I) {
    Function *F = Functions[I];

    // Address of slot I, cast to the function's own pointer type.
    Constant *Zero = ConstantInt::get(IntPtrTy, 0);
    Constant *Slot = ConstantInt::get(IntPtrTy, I);
    Constant *SlotAddr = ConstantExpr::getGetElementPtr(
        TableTy, Table, ArrayRef<Constant *>{Zero, Slot});
    Constant *SlotAsFn = ConstantExpr::getBitCast(SlotAddr, F->getType());

    const bool IsDeclaration = F->isDeclarationForLinker();
    if (LinkerSubsectionsViaSymbols || IsDeclaration) {
      // No alias is created on this path: users refer to the slot directly.
      F->replaceAllUsesWith(SlotAsFn);
    } else {
      // The alias inherits the function's linkage, visibility and name, so the
      // symbol known to other modules now denotes the table slot.
      assert(F->getType()->getAddressSpace() == 0);
      GlobalAlias *SlotAlias = GlobalAlias::create(
          F->getValueType(), 0, F->getLinkage(), "", SlotAsFn, M);
      SlotAlias->setVisibility(F->getVisibility());
      SlotAlias->takeName(F);
      F->replaceAllUsesWith(SlotAlias);
    }

    // A defined function body is made private, so its real entry point is no
    // longer an exported symbol.
    if (!IsDeclaration)
      F->setLinkage(GlobalValue::PrivateLinkage);
  }

  // Build and install the table contents.
  // NOTE(review): this happens only after the rewriting loop above, presumably
  // so that the entries' references to the real function bodies are not
  // themselves redirected to the table. Confirm before reordering.
  std::vector<Constant *> Entries;
  for (unsigned I = 0; I != Functions.size(); ++I)
    Entries.push_back(createJumpTableEntry(Table, Functions[I], I));
  Table->setInitializer(ConstantArray::get(TableTy, Entries));
}
840 
/// Compute a layout for one disjoint set of bitsets and hand it to the
/// global-variable or the function builder.
///
/// \param BitSets the bitset identifiers in this disjoint set.
/// \param Globals the globals referenced by those bitsets. Whether the set is
///                treated as variables or as functions is decided by
///                Globals[0]; a set mixing both kinds is a fatal error.
void LowerBitSets::buildBitSetsFromDisjointSet(
    ArrayRef<Metadata *> BitSets, ArrayRef<GlobalObject *> Globals) {
  // Position of each bitset and each global within the argument arrays.
  llvm::DenseMap<Metadata *, uint64_t> BitSetIndices;
  llvm::DenseMap<GlobalObject *, uint64_t> GlobalIndices;
  for (unsigned Pos = 0; Pos != BitSets.size(); ++Pos)
    BitSetIndices[BitSets[Pos]] = Pos;
  for (unsigned Pos = 0; Pos != Globals.size(); ++Pos)
    GlobalIndices[Globals[Pos]] = Pos;

  // For every bitset, collect the indices (into Globals) of its members.
  std::vector<std::set<uint64_t>> BitSetMembers(BitSets.size());
  if (BitSetNM) {
    for (MDNode *Op : BitSetNM->operands()) {
      // Op = { bitset name, global, offset }
      Metadata *MemberMD = Op->getOperand(1);
      if (!MemberMD)
        continue;

      // Skip entries that belong to a bitset outside this disjoint set.
      auto Found = BitSetIndices.find(Op->getOperand(0));
      if (Found == BitSetIndices.end())
        continue;

      // NOTE(review): operator[] yields index 0 for a global missing from
      // GlobalIndices, which would silently add Globals[0] to the bitset. The
      // caller is expected to pass every global these bitsets reference.
      if (auto *OpGlobal = dyn_cast<GlobalObject>(
              cast<ConstantAsMetadata>(MemberMD)->getValue()))
        BitSetMembers[Found->second].insert(GlobalIndices[OpGlobal]);
    }
  }

  // The GlobalLayoutBuilder works best when it sees small index sets first, so
  // order the sets by ascending size, keeping equal-sized sets in place.
  std::stable_sort(
      BitSetMembers.begin(), BitSetMembers.end(),
      [](const std::set<uint64_t> &Lhs, const std::set<uint64_t> &Rhs) {
        return Lhs.size() < Rhs.size();
      });

  // Each index set is one layout fragment; the builder tries to place the
  // members of a fragment as close together as possible.
  GlobalLayoutBuilder GLB(Globals.size());
  for (std::set<uint64_t> &Members : BitSetMembers)
    GLB.addFragment(Members);

  // An empty set is handled by the global-variable builder.
  const bool LayoutAsFunctions =
      !Globals.empty() && !isa<GlobalVariable>(Globals[0]);

  if (LayoutAsFunctions) {
    // Functions, in the computed layout order.
    std::vector<Function *> OrderedFns(Globals.size());
    size_t Next = 0;
    for (const auto &Fragment : GLB.Fragments) {
      for (auto Idx : Fragment) {
        auto *Fn = dyn_cast<Function>(Globals[Idx]);
        if (!Fn)
          report_fatal_error(
              "Bit set may not contain both global variables and functions");
        OrderedFns[Next++] = Fn;
      }
    }

    buildBitSetsFromFunctions(BitSets, OrderedFns);
  } else {
    // Global variables, in the computed layout order.
    std::vector<GlobalVariable *> OrderedGVs(Globals.size());
    size_t Next = 0;
    for (const auto &Fragment : GLB.Fragments) {
      for (auto Idx : Fragment) {
        auto *GV = dyn_cast<GlobalVariable>(Globals[Idx]);
        if (!GV)
          report_fatal_error(
              "Bit set may not contain both global variables and functions");
        OrderedGVs[Next++] = GV;
      }
    }

    buildBitSetsFromGlobalVariables(BitSets, OrderedGVs);
  }
}
918 
/// Lower all bit sets in this module.
///
/// Partitions the bitsets and the globals they reference into disjoint sets,
/// lowers each set, then allocates the byte arrays.
///
/// \returns false when the module has no llvm.bitset.test function or no
///          bitset is tested anywhere; true otherwise.
bool LowerBitSets::buildBitSets() {
  Function *BitSetTestFunc =
      M->getFunction(Intrinsic::getName(Intrinsic::bitset_test));
  if (!BitSetTestFunc)
    return false;

  // Equivalence classes over bitsets and the globals they reference. They
  // partition the module's bitsets into disjoint sets.
  using GlobalClassesTy =
      EquivalenceClasses<PointerUnion<GlobalObject *, Metadata *>>;
  GlobalClassesTy GlobalClasses;

  // Verify the bitset metadata and record, for each bitset identifier, the
  // last index at which it appears in BitSetNM. The indices are used later to
  // order the bitset identifiers deterministically.
  llvm::DenseMap<Metadata *, unsigned> BitSetIdIndices;
  if (BitSetNM) {
    const unsigned NumOps = BitSetNM->getNumOperands();
    for (unsigned Idx = 0; Idx != NumOps; ++Idx) {
      MDNode *Op = BitSetNM->getOperand(Idx);
      verifyBitSetMDNode(Op);
      BitSetIdIndices[Op->getOperand(0)] = Idx;
    }
  }

  for (const Use &U : BitSetTestFunc->uses()) {
    auto *CI = cast<CallInst>(U.getUser());

    auto *BitSetMDVal = dyn_cast<MetadataAsValue>(CI->getArgOperand(1));
    if (!BitSetMDVal)
      report_fatal_error(
          "Second argument of llvm.bitset.test must be metadata");
    auto BitSet = BitSetMDVal->getMetadata();

    // Record the call site under its bitset. The insertion result also tells
    // us whether this bitset was seen before; if it was, its globals are
    // already in the equivalence class and need not be added again.
    auto Inserted = BitSetTestCallSites.insert(
        std::make_pair(BitSet, std::vector<CallInst *>()));
    Inserted.first->second.push_back(CI);
    const bool FirstSighting = Inserted.second;
    if (!FirstSighting)
      continue;

    // Add the bitset to the equivalence class.
    GlobalClassesTy::member_iterator CurSet =
        GlobalClasses.findLeader(GlobalClasses.insert(BitSet));

    if (!BitSetNM)
      continue;

    // Merge every global that this bitset references into the bitset's class.
    for (MDNode *Op : BitSetNM->operands()) {
      if (Op->getOperand(0) != BitSet)
        continue;
      if (!Op->getOperand(1))
        continue;

      // NOTE(review): cast<> asserts on an operand that is not a
      // ConstantAsMetadata; presumably verifyBitSetMDNode has rejected such
      // nodes above. Confirm.
      auto *OpGlobal = dyn_cast<GlobalObject>(
          cast<ConstantAsMetadata>(Op->getOperand(1))->getValue());
      if (!OpGlobal)
        continue;

      CurSet = GlobalClasses.unionSets(
          CurSet, GlobalClasses.findLeader(GlobalClasses.insert(OpGlobal)));
    }
  }

  if (GlobalClasses.empty())
    return false;

  // List the disjoint sets, each paired with the largest BitSetNM index among
  // its bitsets, and order the list by that index for determinism.
  using SetAndIndex = std::pair<GlobalClassesTy::iterator, unsigned>;
  std::vector<SetAndIndex> Sets;
  for (GlobalClassesTy::iterator Class = GlobalClasses.begin(),
                                 ClassEnd = GlobalClasses.end();
       Class != ClassEnd; ++Class) {
    // Only a class leader stands for a disjoint set.
    if (!Class->isLeader())
      continue;
    ++NumBitSetDisjointSets;

    unsigned MaxIndex = 0;
    for (GlobalClassesTy::member_iterator Member =
             GlobalClasses.member_begin(Class);
         Member != GlobalClasses.member_end(); ++Member) {
      if (!Member->is<Metadata *>())
        continue;
      MaxIndex =
          std::max(MaxIndex, BitSetIdIndices[Member->get<Metadata *>()]);
    }
    Sets.emplace_back(Class, MaxIndex);
  }
  std::sort(Sets.begin(), Sets.end(),
            [](const SetAndIndex &Lhs, const SetAndIndex &Rhs) {
              return Lhs.second < Rhs.second;
            });

  // Lower each disjoint set in turn.
  for (const auto &S : Sets) {
    // Split the members of the set into bitsets and globals.
    std::vector<Metadata *> BitSets;
    std::vector<GlobalObject *> Globals;
    for (GlobalClassesTy::member_iterator Member =
             GlobalClasses.member_begin(S.first);
         Member != GlobalClasses.member_end(); ++Member) {
      if (Member->is<Metadata *>())
        BitSets.push_back(Member->get<Metadata *>());
      else
        Globals.push_back(Member->get<GlobalObject *>());
    }

    // Order bitsets by BitSetNM index for determinism. This ordering is stable
    // as there is a one-to-one mapping between metadata and indices.
    std::sort(BitSets.begin(), BitSets.end(),
              [&](Metadata *Lhs, Metadata *Rhs) {
                return BitSetIdIndices[Lhs] < BitSetIdIndices[Rhs];
              });

    buildBitSetsFromDisjointSet(BitSets, Globals);
  }

  allocateByteArrays();

  return true;
}
1042 
/// Remove the bitset named metadata node from the module, if there is one.
///
/// \returns true when a node was erased, false when BitSetNM was null.
bool LowerBitSets::eraseBitSetMetadata() {
  const bool HadMetadata = BitSetNM != nullptr;
  // BitSetNM is not reset here, so it must not be dereferenced after the node
  // has been erased.
  if (HadMetadata)
    M->eraseNamedMetadata(BitSetNM);
  return HadMetadata;
}
1050 
/// Pass entry point: lower the bitsets, then drop the bitset metadata.
///
/// The Module argument is not referenced in this body; both helpers work from
/// the pass's member state, which is set up outside this view.
///
/// \returns true when either step changed the module.
bool LowerBitSets::runOnModule(Module &M) {
  // Both steps always run; neither result short-circuits the other.
  const bool Lowered = buildBitSets();
  const bool Erased = eraseBitSetMetadata();
  return Lowered || Erased;
}
1056