1 //===-- ImplicitNullChecks.cpp - Fold null checks into memory accesses ----===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This pass turns explicit null checks of the form
11 //
12 // test %r10, %r10
13 // je throw_npe
14 // movl (%r10), %esi
15 // ...
16 //
17 // to
18 //
19 // faulting_load_op("movl (%r10), %esi", throw_npe)
20 // ...
21 //
22 // With the help of a runtime that understands the .fault_maps section,
23 // faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
24 // a page fault.
25 //
26 //===----------------------------------------------------------------------===//
27
28 #include "llvm/ADT/DenseSet.h"
29 #include "llvm/ADT/SmallVector.h"
30 #include "llvm/ADT/Statistic.h"
31 #include "llvm/Analysis/AliasAnalysis.h"
32 #include "llvm/CodeGen/Passes.h"
33 #include "llvm/CodeGen/MachineFunction.h"
34 #include "llvm/CodeGen/MachineMemOperand.h"
35 #include "llvm/CodeGen/MachineOperand.h"
36 #include "llvm/CodeGen/MachineFunctionPass.h"
37 #include "llvm/CodeGen/MachineInstrBuilder.h"
38 #include "llvm/CodeGen/MachineRegisterInfo.h"
39 #include "llvm/CodeGen/MachineModuleInfo.h"
40 #include "llvm/IR/BasicBlock.h"
41 #include "llvm/IR/Instruction.h"
42 #include "llvm/IR/LLVMContext.h"
43 #include "llvm/Support/CommandLine.h"
44 #include "llvm/Support/Debug.h"
45 #include "llvm/Target/TargetSubtargetInfo.h"
46 #include "llvm/Target/TargetInstrInfo.h"
47
48 using namespace llvm;
49
50 static cl::opt<int> PageSize("imp-null-check-page-size",
51 cl::desc("The page size of the target in bytes"),
52 cl::init(4096));
53
54 #define DEBUG_TYPE "implicit-null-checks"
55
56 STATISTIC(NumImplicitNullChecks,
57 "Number of explicit null checks made implicit");
58
59 namespace {
60
61 class ImplicitNullChecks : public MachineFunctionPass {
62 /// Represents one null check that can be made implicit.
63 class NullCheck {
64 // The memory operation the null check can be folded into.
65 MachineInstr *MemOperation;
66
67 // The instruction actually doing the null check (Ptr != 0).
68 MachineInstr *CheckOperation;
69
70 // The block the check resides in.
71 MachineBasicBlock *CheckBlock;
72
73 // The block branched to if the pointer is non-null.
74 MachineBasicBlock *NotNullSucc;
75
76 // The block branched to if the pointer is null.
77 MachineBasicBlock *NullSucc;
78
79 // If this is non-null, then MemOperation has a dependency on on this
80 // instruction; and it needs to be hoisted to execute before MemOperation.
81 MachineInstr *OnlyDependency;
82
83 public:
NullCheck(MachineInstr * memOperation,MachineInstr * checkOperation,MachineBasicBlock * checkBlock,MachineBasicBlock * notNullSucc,MachineBasicBlock * nullSucc,MachineInstr * onlyDependency)84 explicit NullCheck(MachineInstr *memOperation, MachineInstr *checkOperation,
85 MachineBasicBlock *checkBlock,
86 MachineBasicBlock *notNullSucc,
87 MachineBasicBlock *nullSucc,
88 MachineInstr *onlyDependency)
89 : MemOperation(memOperation), CheckOperation(checkOperation),
90 CheckBlock(checkBlock), NotNullSucc(notNullSucc), NullSucc(nullSucc),
91 OnlyDependency(onlyDependency) {}
92
getMemOperation() const93 MachineInstr *getMemOperation() const { return MemOperation; }
94
getCheckOperation() const95 MachineInstr *getCheckOperation() const { return CheckOperation; }
96
getCheckBlock() const97 MachineBasicBlock *getCheckBlock() const { return CheckBlock; }
98
getNotNullSucc() const99 MachineBasicBlock *getNotNullSucc() const { return NotNullSucc; }
100
getNullSucc() const101 MachineBasicBlock *getNullSucc() const { return NullSucc; }
102
getOnlyDependency() const103 MachineInstr *getOnlyDependency() const { return OnlyDependency; }
104 };
105
106 const TargetInstrInfo *TII = nullptr;
107 const TargetRegisterInfo *TRI = nullptr;
108 AliasAnalysis *AA = nullptr;
109 MachineModuleInfo *MMI = nullptr;
110
111 bool analyzeBlockForNullChecks(MachineBasicBlock &MBB,
112 SmallVectorImpl<NullCheck> &NullCheckList);
113 MachineInstr *insertFaultingLoad(MachineInstr *LoadMI, MachineBasicBlock *MBB,
114 MachineBasicBlock *HandlerMBB);
115 void rewriteNullChecks(ArrayRef<NullCheck> NullCheckList);
116
117 public:
118 static char ID;
119
ImplicitNullChecks()120 ImplicitNullChecks() : MachineFunctionPass(ID) {
121 initializeImplicitNullChecksPass(*PassRegistry::getPassRegistry());
122 }
123
124 bool runOnMachineFunction(MachineFunction &MF) override;
getAnalysisUsage(AnalysisUsage & AU) const125 void getAnalysisUsage(AnalysisUsage &AU) const override {
126 AU.addRequired<AAResultsWrapperPass>();
127 MachineFunctionPass::getAnalysisUsage(AU);
128 }
129
getRequiredProperties() const130 MachineFunctionProperties getRequiredProperties() const override {
131 return MachineFunctionProperties().set(
132 MachineFunctionProperties::Property::AllVRegsAllocated);
133 }
134 };
135
136 /// \brief Detect re-ordering hazards and dependencies.
137 ///
138 /// This class keeps track of defs and uses, and can be queried if a given
139 /// machine instruction can be re-ordered from after the machine instructions
140 /// seen so far to before them.
141 class HazardDetector {
getUnknownMI()142 static MachineInstr *getUnknownMI() {
143 return DenseMapInfo<MachineInstr *>::getTombstoneKey();
144 }
145
146 // Maps physical registers to the instruction defining them. If there has
147 // been more than one def of an specific register, that register is mapped to
148 // getUnknownMI().
149 DenseMap<unsigned, MachineInstr *> RegDefs;
150 DenseSet<unsigned> RegUses;
151 const TargetRegisterInfo &TRI;
152 bool hasSeenClobber;
153 AliasAnalysis &AA;
154
155 public:
HazardDetector(const TargetRegisterInfo & TRI,AliasAnalysis & AA)156 explicit HazardDetector(const TargetRegisterInfo &TRI, AliasAnalysis &AA)
157 : TRI(TRI), hasSeenClobber(false), AA(AA) {}
158
159 /// \brief Make a note of \p MI for later queries to isSafeToHoist.
160 ///
161 /// May clobber this HazardDetector instance. \see isClobbered.
162 void rememberInstruction(MachineInstr *MI);
163
164 /// \brief Return true if it is safe to hoist \p MI from after all the
165 /// instructions seen so far (via rememberInstruction) to before it. If \p MI
166 /// has one and only one transitive dependency, set \p Dependency to that
167 /// instruction. If there are more dependencies, return false.
168 bool isSafeToHoist(MachineInstr *MI, MachineInstr *&Dependency);
169
170 /// \brief Return true if this instance of HazardDetector has been clobbered
171 /// (i.e. has no more useful information).
172 ///
173 /// A HazardDetecter is clobbered when it sees a construct it cannot
174 /// understand, and it would have to return a conservative answer for all
175 /// future queries. Having a separate clobbered state lets the client code
176 /// bail early, without making queries about all of the future instructions
177 /// (which would have returned the most conservative answer anyway).
178 ///
179 /// Calling rememberInstruction or isSafeToHoist on a clobbered HazardDetector
180 /// is an error.
isClobbered()181 bool isClobbered() { return hasSeenClobber; }
182 };
183 }
184
185
rememberInstruction(MachineInstr * MI)186 void HazardDetector::rememberInstruction(MachineInstr *MI) {
187 assert(!isClobbered() &&
188 "Don't add instructions to a clobbered hazard detector");
189
190 if (MI->mayStore() || MI->hasUnmodeledSideEffects()) {
191 hasSeenClobber = true;
192 return;
193 }
194
195 for (auto *MMO : MI->memoperands()) {
196 // Right now we don't want to worry about LLVM's memory model.
197 if (!MMO->isUnordered()) {
198 hasSeenClobber = true;
199 return;
200 }
201 }
202
203 for (auto &MO : MI->operands()) {
204 if (!MO.isReg() || !MO.getReg())
205 continue;
206
207 if (MO.isDef()) {
208 auto It = RegDefs.find(MO.getReg());
209 if (It == RegDefs.end())
210 RegDefs.insert({MO.getReg(), MI});
211 else {
212 assert(It->second && "Found null MI?");
213 It->second = getUnknownMI();
214 }
215 } else
216 RegUses.insert(MO.getReg());
217 }
218 }
219
isSafeToHoist(MachineInstr * MI,MachineInstr * & Dependency)220 bool HazardDetector::isSafeToHoist(MachineInstr *MI,
221 MachineInstr *&Dependency) {
222 assert(!isClobbered() && "isSafeToHoist cannot do anything useful!");
223 Dependency = nullptr;
224
225 // Right now we don't want to worry about LLVM's memory model. This can be
226 // made more precise later.
227 for (auto *MMO : MI->memoperands())
228 if (!MMO->isUnordered())
229 return false;
230
231 for (auto &MO : MI->operands()) {
232 if (MO.isReg() && MO.getReg()) {
233 for (auto &RegDef : RegDefs) {
234 unsigned Reg = RegDef.first;
235 MachineInstr *MI = RegDef.second;
236 if (!TRI.regsOverlap(Reg, MO.getReg()))
237 continue;
238
239 // We found a write-after-write or read-after-write, see if the
240 // instruction causing this dependency can be hoisted too.
241
242 if (MI == getUnknownMI())
243 // We don't have precise dependency information.
244 return false;
245
246 if (Dependency) {
247 if (Dependency == MI)
248 continue;
249 // We already have one dependency, and we can track only one.
250 return false;
251 }
252
253 // Now check if MI is actually a dependency that can be hoisted.
254
255 // We don't want to track transitive dependencies. We already know that
256 // MI is the only instruction that defines Reg, but we need to be sure
257 // that it does not use any registers that have been defined (trivially
258 // checked below by ensuring that there are no register uses), and that
259 // it is the only def for every register it defines (otherwise we could
260 // violate a write after write hazard).
261 auto IsMIOperandSafe = [&](MachineOperand &MO) {
262 if (!MO.isReg() || !MO.getReg())
263 return true;
264 if (MO.isUse())
265 return false;
266 assert((!MO.isDef() || RegDefs.count(MO.getReg())) &&
267 "All defs must be tracked in RegDefs by now!");
268 return !MO.isDef() || RegDefs.find(MO.getReg())->second == MI;
269 };
270
271 if (!all_of(MI->operands(), IsMIOperandSafe))
272 return false;
273
274 // Now check for speculation safety:
275 bool SawStore = true;
276 if (!MI->isSafeToMove(&AA, SawStore) || MI->mayLoad())
277 return false;
278
279 Dependency = MI;
280 }
281
282 if (MO.isDef())
283 for (unsigned Reg : RegUses)
284 if (TRI.regsOverlap(Reg, MO.getReg()))
285 return false; // We found a write-after-read
286 }
287 }
288
289 return true;
290 }
291
runOnMachineFunction(MachineFunction & MF)292 bool ImplicitNullChecks::runOnMachineFunction(MachineFunction &MF) {
293 TII = MF.getSubtarget().getInstrInfo();
294 TRI = MF.getRegInfo().getTargetRegisterInfo();
295 MMI = &MF.getMMI();
296 AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
297
298 SmallVector<NullCheck, 16> NullCheckList;
299
300 for (auto &MBB : MF)
301 analyzeBlockForNullChecks(MBB, NullCheckList);
302
303 if (!NullCheckList.empty())
304 rewriteNullChecks(NullCheckList);
305
306 return !NullCheckList.empty();
307 }
308
309 // Return true if any register aliasing \p Reg is live-in into \p MBB.
AnyAliasLiveIn(const TargetRegisterInfo * TRI,MachineBasicBlock * MBB,unsigned Reg)310 static bool AnyAliasLiveIn(const TargetRegisterInfo *TRI,
311 MachineBasicBlock *MBB, unsigned Reg) {
312 for (MCRegAliasIterator AR(Reg, TRI, /*IncludeSelf*/ true); AR.isValid();
313 ++AR)
314 if (MBB->isLiveIn(*AR))
315 return true;
316 return false;
317 }
318
319 /// Analyze MBB to check if its terminating branch can be turned into an
320 /// implicit null check. If yes, append a description of the said null check to
321 /// NullCheckList and return true, else return false.
analyzeBlockForNullChecks(MachineBasicBlock & MBB,SmallVectorImpl<NullCheck> & NullCheckList)322 bool ImplicitNullChecks::analyzeBlockForNullChecks(
323 MachineBasicBlock &MBB, SmallVectorImpl<NullCheck> &NullCheckList) {
324 typedef TargetInstrInfo::MachineBranchPredicate MachineBranchPredicate;
325
326 MDNode *BranchMD = nullptr;
327 if (auto *BB = MBB.getBasicBlock())
328 BranchMD = BB->getTerminator()->getMetadata(LLVMContext::MD_make_implicit);
329
330 if (!BranchMD)
331 return false;
332
333 MachineBranchPredicate MBP;
334
335 if (TII->analyzeBranchPredicate(MBB, MBP, true))
336 return false;
337
338 // Is the predicate comparing an integer to zero?
339 if (!(MBP.LHS.isReg() && MBP.RHS.isImm() && MBP.RHS.getImm() == 0 &&
340 (MBP.Predicate == MachineBranchPredicate::PRED_NE ||
341 MBP.Predicate == MachineBranchPredicate::PRED_EQ)))
342 return false;
343
344 // If we cannot erase the test instruction itself, then making the null check
345 // implicit does not buy us much.
346 if (!MBP.SingleUseCondition)
347 return false;
348
349 MachineBasicBlock *NotNullSucc, *NullSucc;
350
351 if (MBP.Predicate == MachineBranchPredicate::PRED_NE) {
352 NotNullSucc = MBP.TrueDest;
353 NullSucc = MBP.FalseDest;
354 } else {
355 NotNullSucc = MBP.FalseDest;
356 NullSucc = MBP.TrueDest;
357 }
358
359 // We handle the simplest case for now. We can potentially do better by using
360 // the machine dominator tree.
361 if (NotNullSucc->pred_size() != 1)
362 return false;
363
364 // Starting with a code fragment like:
365 //
366 // test %RAX, %RAX
367 // jne LblNotNull
368 //
369 // LblNull:
370 // callq throw_NullPointerException
371 //
372 // LblNotNull:
373 // Inst0
374 // Inst1
375 // ...
376 // Def = Load (%RAX + <offset>)
377 // ...
378 //
379 //
380 // we want to end up with
381 //
382 // Def = FaultingLoad (%RAX + <offset>), LblNull
383 // jmp LblNotNull ;; explicit or fallthrough
384 //
385 // LblNotNull:
386 // Inst0
387 // Inst1
388 // ...
389 //
390 // LblNull:
391 // callq throw_NullPointerException
392 //
393 //
394 // To see why this is legal, consider the two possibilities:
395 //
396 // 1. %RAX is null: since we constrain <offset> to be less than PageSize, the
397 // load instruction dereferences the null page, causing a segmentation
398 // fault.
399 //
400 // 2. %RAX is not null: in this case we know that the load cannot fault, as
401 // otherwise the load would've faulted in the original program too and the
402 // original program would've been undefined.
403 //
404 // This reasoning cannot be extended to justify hoisting through arbitrary
405 // control flow. For instance, in the example below (in pseudo-C)
406 //
407 // if (ptr == null) { throw_npe(); unreachable; }
408 // if (some_cond) { return 42; }
409 // v = ptr->field; // LD
410 // ...
411 //
412 // we cannot (without code duplication) use the load marked "LD" to null check
413 // ptr -- clause (2) above does not apply in this case. In the above program
414 // the safety of ptr->field can be dependent on some_cond; and, for instance,
415 // ptr could be some non-null invalid reference that never gets loaded from
416 // because some_cond is always true.
417
418 unsigned PointerReg = MBP.LHS.getReg();
419
420 HazardDetector HD(*TRI, *AA);
421
422 for (auto MII = NotNullSucc->begin(), MIE = NotNullSucc->end(); MII != MIE;
423 ++MII) {
424 MachineInstr &MI = *MII;
425 unsigned BaseReg;
426 int64_t Offset;
427 MachineInstr *Dependency = nullptr;
428 if (TII->getMemOpBaseRegImmOfs(MI, BaseReg, Offset, TRI))
429 if (MI.mayLoad() && !MI.isPredicable() && BaseReg == PointerReg &&
430 Offset < PageSize && MI.getDesc().getNumDefs() <= 1 &&
431 HD.isSafeToHoist(&MI, Dependency)) {
432
433 auto DependencyOperandIsOk = [&](MachineOperand &MO) {
434 assert(!(MO.isReg() && MO.isUse()) &&
435 "No transitive dependendencies please!");
436 if (!MO.isReg() || !MO.getReg() || !MO.isDef())
437 return true;
438
439 // Make sure that we won't clobber any live ins to the sibling block
440 // by hoisting Dependency. For instance, we can't hoist INST to
441 // before the null check (even if it safe, and does not violate any
442 // dependencies in the non_null_block) if %rdx is live in to
443 // _null_block.
444 //
445 // test %rcx, %rcx
446 // je _null_block
447 // _non_null_block:
448 // %rdx<def> = INST
449 // ...
450 if (AnyAliasLiveIn(TRI, NullSucc, MO.getReg()))
451 return false;
452
453 // Make sure Dependency isn't re-defining the base register. Then we
454 // won't get the memory operation on the address we want.
455 if (TRI->regsOverlap(MO.getReg(), BaseReg))
456 return false;
457
458 return true;
459 };
460
461 bool DependencyOperandsAreOk =
462 !Dependency ||
463 all_of(Dependency->operands(), DependencyOperandIsOk);
464
465 if (DependencyOperandsAreOk) {
466 NullCheckList.emplace_back(&MI, MBP.ConditionDef, &MBB, NotNullSucc,
467 NullSucc, Dependency);
468 return true;
469 }
470 }
471
472 HD.rememberInstruction(&MI);
473 if (HD.isClobbered())
474 return false;
475 }
476
477 return false;
478 }
479
480 /// Wrap a machine load instruction, LoadMI, into a FAULTING_LOAD_OP machine
481 /// instruction. The FAULTING_LOAD_OP instruction does the same load as LoadMI
482 /// (defining the same register), and branches to HandlerMBB if the load
483 /// faults. The FAULTING_LOAD_OP instruction is inserted at the end of MBB.
484 MachineInstr *
insertFaultingLoad(MachineInstr * LoadMI,MachineBasicBlock * MBB,MachineBasicBlock * HandlerMBB)485 ImplicitNullChecks::insertFaultingLoad(MachineInstr *LoadMI,
486 MachineBasicBlock *MBB,
487 MachineBasicBlock *HandlerMBB) {
488 const unsigned NoRegister = 0; // Guaranteed to be the NoRegister value for
489 // all targets.
490
491 DebugLoc DL;
492 unsigned NumDefs = LoadMI->getDesc().getNumDefs();
493 assert(NumDefs <= 1 && "other cases unhandled!");
494
495 unsigned DefReg = NoRegister;
496 if (NumDefs != 0) {
497 DefReg = LoadMI->defs().begin()->getReg();
498 assert(std::distance(LoadMI->defs().begin(), LoadMI->defs().end()) == 1 &&
499 "expected exactly one def!");
500 }
501
502 auto MIB = BuildMI(MBB, DL, TII->get(TargetOpcode::FAULTING_LOAD_OP), DefReg)
503 .addMBB(HandlerMBB)
504 .addImm(LoadMI->getOpcode());
505
506 for (auto &MO : LoadMI->uses())
507 MIB.addOperand(MO);
508
509 MIB.setMemRefs(LoadMI->memoperands_begin(), LoadMI->memoperands_end());
510
511 return MIB;
512 }
513
514 /// Rewrite the null checks in NullCheckList into implicit null checks.
rewriteNullChecks(ArrayRef<ImplicitNullChecks::NullCheck> NullCheckList)515 void ImplicitNullChecks::rewriteNullChecks(
516 ArrayRef<ImplicitNullChecks::NullCheck> NullCheckList) {
517 DebugLoc DL;
518
519 for (auto &NC : NullCheckList) {
520 // Remove the conditional branch dependent on the null check.
521 unsigned BranchesRemoved = TII->RemoveBranch(*NC.getCheckBlock());
522 (void)BranchesRemoved;
523 assert(BranchesRemoved > 0 && "expected at least one branch!");
524
525 if (auto *DepMI = NC.getOnlyDependency()) {
526 DepMI->removeFromParent();
527 NC.getCheckBlock()->insert(NC.getCheckBlock()->end(), DepMI);
528 }
529
530 // Insert a faulting load where the conditional branch was originally. We
531 // check earlier ensures that this bit of code motion is legal. We do not
532 // touch the successors list for any basic block since we haven't changed
533 // control flow, we've just made it implicit.
534 MachineInstr *FaultingLoad = insertFaultingLoad(
535 NC.getMemOperation(), NC.getCheckBlock(), NC.getNullSucc());
536 // Now the values defined by MemOperation, if any, are live-in of
537 // the block of MemOperation.
538 // The original load operation may define implicit-defs alongside
539 // the loaded value.
540 MachineBasicBlock *MBB = NC.getMemOperation()->getParent();
541 for (const MachineOperand &MO : FaultingLoad->operands()) {
542 if (!MO.isReg() || !MO.isDef())
543 continue;
544 unsigned Reg = MO.getReg();
545 if (!Reg || MBB->isLiveIn(Reg))
546 continue;
547 MBB->addLiveIn(Reg);
548 }
549
550 if (auto *DepMI = NC.getOnlyDependency()) {
551 for (auto &MO : DepMI->operands()) {
552 if (!MO.isReg() || !MO.getReg() || !MO.isDef())
553 continue;
554 if (!NC.getNotNullSucc()->isLiveIn(MO.getReg()))
555 NC.getNotNullSucc()->addLiveIn(MO.getReg());
556 }
557 }
558
559 NC.getMemOperation()->eraseFromParent();
560 NC.getCheckOperation()->eraseFromParent();
561
562 // Insert an *unconditional* branch to not-null successor.
563 TII->InsertBranch(*NC.getCheckBlock(), NC.getNotNullSucc(), nullptr,
564 /*Cond=*/None, DL);
565
566 NumImplicitNullChecks++;
567 }
568 }
569
570 char ImplicitNullChecks::ID = 0;
571 char &llvm::ImplicitNullChecksID = ImplicitNullChecks::ID;
572 INITIALIZE_PASS_BEGIN(ImplicitNullChecks, "implicit-null-checks",
573 "Implicit null checks", false, false)
574 INITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass)
575 INITIALIZE_PASS_END(ImplicitNullChecks, "implicit-null-checks",
576 "Implicit null checks", false, false)
577