This is an archive of the discontinued LLVM Phabricator instance.

Differential D11044

[ImplicitNullChecks] Be smarter in picking the memory op.
ClosedPublic

Authored by sanjoy on Jul 8 2015, 2:34 PM.

Details

Reviewers
reames
atrick
JosephTremoulet
Commits
rGb771845461f6: [ImplicitNullChecks] Be smarter in picking the memory op.
rL241850: [ImplicitNullChecks] Be smarter in picking the memory op.
Summary

Before this change ImplicitNullChecks would only pick loads of the form:

  test Reg, Reg
  jz elsewhere
fallthrough:
  movl 32(Reg), Reg2

but not (say)

  test Reg, Reg
  jz elsewhere
fallthrough:
  inc Reg3
  movl 32(Reg), Reg2

This change teaches ImplicitNullChecks to look through "unrelated"
instructions like inc Reg3 when searching for a load instruction
to convert to a trapping load.

Diff Detail

Event Timeline

sanjoy updated this revision to Diff 29288.Jul 8 2015, 2:34 PM
sanjoy retitled this revision from to [ImplicitNullChecks] Be smarter in picking the memory op..
sanjoy updated this object.
sanjoy added reviewers: atrick, JosephTremoulet, reames.
sanjoy added a subscriber: llvm-commits.
reames added inline comments.Jul 8 2015, 10:50 PM
lib/CodeGen/ImplicitNullChecks.cpp
212

Naming wise, this is a bit confusing. It's specifically whether the instruction is safe to reorder past the previously saved information. At first, I had expected this predicate to by applied to each instruction skipped.

255

If one of these loads potentially overlap with the value we eventually load from, don't we end up with a faulting instruction not recorded in the side table?

(To say this differently, I think you need to account for aliasing in your loads.)

sanjoy added inline comments.Jul 8 2015, 11:58 PM
lib/CodeGen/ImplicitNullChecks.cpp
212

Makes sense, I'll try and come up with a better name tomorrow.

255

The faulting instruction is reordered to where the original branch was, so the control flow remains intact. So if I start with

test reg, reg
jz throw_NPE
maybe_aliasing_load
candidate_load

I'll end up with

candidate_load ;; handler_pc = throw_NPE
maybe_aliasing_load

so maybe_aliasing_load won't execute if reg was null.

Does this answer your question?

JosephTremoulet edited edge metadata.Jul 9 2015, 10:15 AM

LGTM, aside from the one question.

lib/CodeGen/ImplicitNullChecks.cpp
274–278

This may just be my ignorance of machine instruction modeling, but this reads like you're taking care to skip explicit use operands; why is that?

Closed by commit rL241850: [ImplicitNullChecks] Be smarter in picking the memory op. (authored by sanjoy). · Explain WhyJul 9 2015, 1:13 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
CodeGen/
90 lines
test/
CodeGen/
X86/
42 lines
44 lines

Diff 29288

lib/CodeGen/ImplicitNullChecks.cpp

Show All 19 Lines
// ... // ...
// //
// With the help of a runtime that understands the .fault_maps section, // With the help of a runtime that understands the .fault_maps section,
// faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs // faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
// a page fault. // a page fault.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/CodeGen/MachineFunction.h" #include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineMemOperand.h"
#include "llvm/CodeGen/MachineOperand.h" #include "llvm/CodeGen/MachineOperand.h"
#include "llvm/CodeGen/MachineFunctionPass.h" #include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstrBuilder.h" #include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/CodeGen/MachineRegisterInfo.h" #include "llvm/CodeGen/MachineRegisterInfo.h"
#include "llvm/CodeGen/MachineModuleInfo.h" #include "llvm/CodeGen/MachineModuleInfo.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Instruction.h" #include "llvm/IR/Instruction.h"
#include "llvm/Support/CommandLine.h" #include "llvm/Support/CommandLine.h"
▲ Show 20 LinesShow All 132 Lines▼ Show 20 Linesbool ImplicitNullChecks::analyzeBlockForNullChecks(
// //
// test %RAX, %RAX // test %RAX, %RAX
// jne LblNotNull // jne LblNotNull
// //
// LblNull: // LblNull:
// callq throw_NullPointerException // callq throw_NullPointerException
// //
// LblNotNull: // LblNotNull:
// Inst0
// Inst1
// ...
// Def = Load (%RAX + <offset>) // Def = Load (%RAX + <offset>)
// ... // ...
// //
// //
// we want to end up with // we want to end up with
// //
// Def = TrappingLoad (%RAX + <offset>), LblNull // Def = TrappingLoad (%RAX + <offset>), LblNull
// jmp LblNotNull ;; explicit or fallthrough // jmp LblNotNull ;; explicit or fallthrough
// //
// LblNotNull: // LblNotNull:
// Inst0
// Inst1
// ... // ...
// //
// LblNull: // LblNull:
// callq throw_NullPointerException // callq throw_NullPointerException
// //
unsigned PointerReg = MBP.LHS.getReg(); unsigned PointerReg = MBP.LHS.getReg();
MachineInstr *MemOp = &*NotNullSucc->begin();
// As we scan NotNullSucc for a suitable load instruction, we keep track of
// the registers defined and used by the instructions we scan past. This bit
// of information lets us decide if it is legal to reorder the load
// instruction we find (if we do find such an instruction) to before
// NotNullSucc.
DenseSet<unsigned> RegDefs, RegUses;
// Returns true if it is safe to reorder MI to before NotNullSucc.
reamesUnsubmitted
Not Done
ReplyInline Actions

Naming wise, this is a bit confusing. It's specifically whether the instruction is safe to reorder past the previously saved information. At first, I had expected this predicate to by applied to each instruction skipped.

reames: Naming wise, this is a bit confusing. It's specifically whether the instruction is safe to…
sanjoyAuthorUnsubmitted
Not Done
ReplyInline Actions

Makes sense, I'll try and come up with a better name tomorrow.

sanjoy: Makes sense, I'll try and come up with a better name tomorrow.
auto IsSafeToReorder = [&](MachineInstr *MI) {
// Right now we don't want to worry about LLVM's memory model. This can be
// made more precise later.
for (auto *MMO : MI->memoperands())
if (!MMO->isUnordered())
return false;
for (auto &MO : MI->operands()) {
if (MO.isReg() && MO.getReg()) {
for (unsigned Reg : RegDefs)
if (TRI->regsOverlap(Reg, MO.getReg()))
return false; // We found a write-after-write or read-after-write
if (MO.isDef())
for (unsigned Reg : RegUses)
if (TRI->regsOverlap(Reg, MO.getReg()))
return false; // We found a write-after-read
}
}
return true;
};
for (auto MII = NotNullSucc->begin(), MIE = NotNullSucc->end(); MII != MIE;
++MII) {
MachineInstr *MI = &*MII;
unsigned BaseReg, Offset; unsigned BaseReg, Offset;
if (TII->getMemOpBaseRegImmOfs(MemOp, BaseReg, Offset, TRI)) if (TII->getMemOpBaseRegImmOfs(MI, BaseReg, Offset, TRI))
if (MemOp->mayLoad() && !MemOp->isPredicable() && BaseReg == PointerReg && if (MI->mayLoad() && !MI->isPredicable() && BaseReg == PointerReg &&
Offset < PageSize && MemOp->getDesc().getNumDefs() == 1) { Offset < PageSize && MI->getDesc().getNumDefs() == 1 &&
NullCheckList.emplace_back(MemOp, MBP.ConditionDef, &MBB, NotNullSucc, IsSafeToReorder(MI)) {
NullCheckList.emplace_back(MI, MBP.ConditionDef, &MBB, NotNullSucc,
NullSucc); NullSucc);
return true; return true;
} }
// MI did not match our criteria for conversion to a trapping load. Check
// if we can continue looking.
if (MI->mayStore() || MI->hasUnmodeledSideEffects())
return false;
for (auto *MMO : MI->memoperands())
reamesUnsubmitted
Not Done
ReplyInline Actions

If one of these loads potentially overlap with the value we eventually load from, don't we end up with a faulting instruction not recorded in the side table?

(To say this differently, I think you need to account for aliasing in your loads.)

reames: If one of these loads potentially overlap with the value we eventually load from, don't we end…
sanjoyAuthorUnsubmitted
Not Done
ReplyInline Actions

The faulting instruction is reordered to where the original branch was, so the control flow remains intact. So if I start with

test reg, reg
jz throw_NPE
maybe_aliasing_load
candidate_load

I'll end up with

candidate_load ;; handler_pc = throw_NPE
maybe_aliasing_load

so maybe_aliasing_load won't execute if reg was null.

Does this answer your question?

sanjoy: The faulting instruction is reordered to where the original branch was, so the control flow…
// Right now we don't want to worry about LLVM's memory model.
if (!MMO->isUnordered())
return false;
// It _may_ be okay to reorder a later load instruction across MI. Make a
// note of its operands so that we can make the legality check if we find a
// suitable load instruction:
auto RecordOperand = [&](const MachineOperand &MO) {
if (!MO.isReg() || !MO.getReg())
return;
if (MO.isDef())
RegDefs.insert(MO.getReg());
else
RegUses.insert(MO.getReg());
};
for (auto &MO : MI->defs())
RecordOperand(MO);
for (auto &IMO : MI->implicit_operands())
RecordOperand(IMO);
JosephTremouletUnsubmitted
Not Done
ReplyInline Actions

This may just be my ignorance of machine instruction modeling, but this reads like you're taking care to skip explicit use operands; why is that?

JosephTremoulet: This may just be my ignorance of machine instruction modeling, but this reads like you're…
}
return false; return false;
} }
/// Wrap a machine load instruction, LoadMI, into a FAULTING_LOAD_OP machine /// Wrap a machine load instruction, LoadMI, into a FAULTING_LOAD_OP machine
/// instruction. The FAULTING_LOAD_OP instruction does the same load as LoadMI /// instruction. The FAULTING_LOAD_OP instruction does the same load as LoadMI
/// (defining the same register), and branches to HandlerLabel if the load /// (defining the same register), and branches to HandlerLabel if the load
/// faults. The FAULTING_LOAD_OP instruction is inserted at the end of MBB. /// faults. The FAULTING_LOAD_OP instruction is inserted at the end of MBB.
MachineInstr *ImplicitNullChecks::insertFaultingLoad(MachineInstr *LoadMI, MachineInstr *ImplicitNullChecks::insertFaultingLoad(MachineInstr *LoadMI,
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines

test/CodeGen/X86/implicit-null-check-negative.ll

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines
is_null: is_null:
ret i32 42 ret i32 42
not_null: not_null:
%t = load i32, i32* %x %t = load i32, i32* %x
ret i32 %t ret i32 %t
} }
define i32 @imp_null_check_no_hoist_over_acquire_load(i32* %x, i32* %y) {
; We cannot hoist %t1 over %t0 since %t0 is an acquire load
entry:
%c = icmp eq i32* %x, null
br i1 %c, label %is_null, label %not_null, !make.implicit !0
is_null:
ret i32 42
not_null:
%t0 = load atomic i32, i32* %y acquire, align 4
%t1 = load i32, i32* %x
%p = add i32 %t0, %t1
ret i32 %p
}
define i32 @imp_null_check_add_result(i32* %x, i32* %y) {
; This will codegen to:
;
; movl (%rsi), %eax
; addl (%rdi), %eax
;
; The load instruction we wish to hoist is the addl, but there is a
; write-after-write hazard preventing that from happening. We could
; get fancy here and exploit the commutativity of addition, but right
; now -implicit-null-checks isn't that smart.
;
entry:
%c = icmp eq i32* %x, null
br i1 %c, label %is_null, label %not_null, !make.implicit !0
is_null:
ret i32 42
not_null:
%t0 = load i32, i32* %y
%t1 = load i32, i32* %x
%p = add i32 %t0, %t1
ret i32 %p
}
!0 = !{} !0 = !{}

test/CodeGen/X86/implicit-null-check.ll

Show First 20 LinesShow All 70 Lines▼ Show 20 Lines is_null:
ret i32 42 ret i32 42
not_null: not_null:
%t = load i32, i32* %x %t = load i32, i32* %x
%p1 = add i32 %t, %p %p1 = add i32 %t, %p
ret i32 %p1 ret i32 %p1
} }
define i32 @imp_null_check_hoist_over_unrelated_load(i32* %x, i32* %y, i32* %z) {
; CHECK-LABEL: _imp_null_check_hoist_over_unrelated_load:
; CHECK: Ltmp7:
; CHECK: movl (%rdi), %eax
; CHECK: movl (%rsi), %ecx
; CHECK: movl %ecx, (%rdx)
; CHECK: retq
; CHECK: Ltmp6:
; CHECK: movl $42, %eax
; CHECK: retq
entry:
%c = icmp eq i32* %x, null
br i1 %c, label %is_null, label %not_null, !make.implicit !0
is_null:
ret i32 42
not_null:
%t0 = load i32, i32* %y
%t1 = load i32, i32* %x
store i32 %t0, i32* %z
ret i32 %t1
}
!0 = !{} !0 = !{}
; CHECK-LABEL: __LLVM_FaultMaps: ; CHECK-LABEL: __LLVM_FaultMaps:
; Version: ; Version:
; CHECK-NEXT: .byte 1 ; CHECK-NEXT: .byte 1
; Reserved x2 ; Reserved x2
; CHECK-NEXT: .byte 0 ; CHECK-NEXT: .byte 0
; CHECK-NEXT: .short 0 ; CHECK-NEXT: .short 0
; # functions: ; # functions:
; CHECK-NEXT: .long 3 ; CHECK-NEXT: .long 4
; FunctionAddr: ; FunctionAddr:
; CHECK-NEXT: .quad _imp_null_check_add_result ; CHECK-NEXT: .quad _imp_null_check_add_result
; NumFaultingPCs ; NumFaultingPCs
; CHECK-NEXT: .long 1 ; CHECK-NEXT: .long 1
; Reserved: ; Reserved:
; CHECK-NEXT: .long 0 ; CHECK-NEXT: .long 0
; Fault[0].Type: ; Fault[0].Type:
Show All 12 Lines
; Fault[0].Type: ; Fault[0].Type:
; CHECK-NEXT: .long 1 ; CHECK-NEXT: .long 1
; Fault[0].FaultOffset: ; Fault[0].FaultOffset:
; CHECK-NEXT: .long Ltmp3-_imp_null_check_gep_load ; CHECK-NEXT: .long Ltmp3-_imp_null_check_gep_load
; Fault[0].HandlerOffset: ; Fault[0].HandlerOffset:
; CHECK-NEXT: .long Ltmp2-_imp_null_check_gep_load ; CHECK-NEXT: .long Ltmp2-_imp_null_check_gep_load
; FunctionAddr: ; FunctionAddr:
; CHECK-NEXT: .quad _imp_null_check_hoist_over_unrelated_load
; NumFaultingPCs
; CHECK-NEXT: .long 1
; Reserved:
; CHECK-NEXT: .long 0
; Fault[0].Type:
; CHECK-NEXT: .long 1
; Fault[0].FaultOffset:
; CHECK-NEXT: .long Ltmp7-_imp_null_check_hoist_over_unrelated_load
; Fault[0].HandlerOffset:
; CHECK-NEXT: .long Ltmp6-_imp_null_check_hoist_over_unrelated_load
; FunctionAddr:
; CHECK-NEXT: .quad _imp_null_check_load ; CHECK-NEXT: .quad _imp_null_check_load
; NumFaultingPCs ; NumFaultingPCs
; CHECK-NEXT: .long 1 ; CHECK-NEXT: .long 1
; Reserved: ; Reserved:
; CHECK-NEXT: .long 0 ; CHECK-NEXT: .long 0
; Fault[0].Type: ; Fault[0].Type:
; CHECK-NEXT: .long 1 ; CHECK-NEXT: .long 1
; Fault[0].FaultOffset: ; Fault[0].FaultOffset:
; CHECK-NEXT: .long Ltmp1-_imp_null_check_load ; CHECK-NEXT: .long Ltmp1-_imp_null_check_load
; Fault[0].HandlerOffset: ; Fault[0].HandlerOffset:
; CHECK-NEXT: .long Ltmp0-_imp_null_check_load ; CHECK-NEXT: .long Ltmp0-_imp_null_check_load
; OBJDUMP: FaultMap table: ; OBJDUMP: FaultMap table:
; OBJDUMP-NEXT: Version: 0x1 ; OBJDUMP-NEXT: Version: 0x1
; OBJDUMP-NEXT: NumFunctions: 3 ; OBJDUMP-NEXT: NumFunctions: 4
; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1 ; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1
; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 5 ; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 5
; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1 ; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1
; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 7 ; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 7
; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1 ; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1
; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 7
; OBJDUMP-NEXT: FunctionAddress: 0x000000, NumFaultingPCs: 1
; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 3 ; OBJDUMP-NEXT: Fault kind: FaultingLoad, faulting PC offset: 0, handling PC offset: 3