This is an archive of the discontinued LLVM Phabricator instance.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
344	It's a little strange to compute type size in a pointer, but SCEV does not care as long as the number of bits is the same, so I guess it is fine.
402–405	move getTypeStoreSize into getTypeSize

In D113160#3116741, @eugenis wrote:

This looks nice. Any idea how much does it improve analysis success rate in practice?

Would be great to have a test with some loop, if it works.

It doesn't support loops yet, I've been experimenting with isKnownAtEveryIteration without success so far. Will keep trying.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
402–405	The way it is now makes it more obvious that this TypeSize is the same that we use in the `getAccessRange` call, so I'd prefer to leave it like this. WDYT?

improve naming

llvm/lib/Analysis/StackSafetyAnalysis.cpp
402–405	I changed the name of getTypeSize to make more explicit what it does.

Harbormaster completed remote builds in B133633: Diff 386379.Nov 10 2021, 6:41 PM

fix typo

rebase

Harbormaster completed remote builds in B133649: Diff 386407.Nov 10 2021, 7:59 PM

LGTM but please wait for review from Vitaly, too

kstoimenov added inline comments.Nov 11 2021, 3:08 PM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
121	Isn't that just a set?
258	If this is an output param, please consider moving it to the end of the argument list.
399	Add the var you are setting in comments like so: /x=/false to increase readability. Here and below.

kstoimenov added inline comments.Nov 11 2021, 3:19 PM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
876	If converted to set this loop could be: Info->AccessIsUnsafe[A.first].insert(KV.second.AccessIsUnsafe.first, KV.second.AccessIsUnsafe.end); There is also set::merge in C++ 17, but it will move the elements from the second set I think.

address comments

llvm/lib/Analysis/StackSafetyAnalysis.cpp
258	There is no output parameter in this. This is just non-const because getSCEV does not take const.

Harbormaster completed remote builds in B133860: Diff 386718.Nov 11 2021, 8:25 PM

format

Harbormaster completed remote builds in B133977: Diff 386870.Nov 12 2021, 10:13 AM

kstoimenov added inline comments.Nov 12 2021, 11:36 AM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
121	I am not sure what is the ratio of unsafe to safe accesses is, but I would expect that more of them are unsafe, right? In that case it makes more sense to have a set of SafeAccesses to use less memory.
951	Nit: could be !Info.UnsafeAccesses.contains(&I).

fmayer marked 2 inline comments as done.Nov 12 2021, 11:45 AM

fmayer added inline comments.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
121	That doesn't work though. What we want is any(instr is unsafe for alloca for all allocas reachable) for that we need to keep track of the unsafe instructions for each alloca.
951	No, that doesn't work because it's too new for LLVM code. Unless otherwise documented, LLVM subprojects are written using standard C++14 code and avoid unnecessary vendor-specific extensions.

LGTM for my comments.

@vitalybuka friendly ping

vitalybuka added inline comments.Nov 18 2021, 12:30 AM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
260	Can you replace typeSizeToSCEV with two overloads? bool isSafeAccess(... Value *AccessSize) bool isSafeAccess(...TypeSize AccessSize)
319–325	why don't we do this in case if isSafeAccess?
344	auto *IntTy = IntegerType::getIntNTy(SE.getContext(), PointerSize); return SE.getConstant(IntTy, TS.getFixedSize());
353	UI -> U
354	I is not needed, it can be retrived from U
367–369	In all 3 cases can you please replace toCharPtr with getIntNTy, at least for readability not sure if it make a difference for SCEV
399	maybe add for this case a dedicated function US.addUnsaveAccess(I);
466	for consistency either (i prefer this one): US.addRange(I, getAccessRange(UI, Ptr, TypeSize);, isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize))); or: auto AccessRange = getAccessRange(UI, Ptr, TypeSize); bool Safe = isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize)); US.addRange(I, AccessRange, Safe);

address comments

llvm/lib/Analysis/StackSafetyAnalysis.cpp
260	I think that just adds more complexity, as this way we will need bool isSafeAccess(... Value AccessSize) bool isSafeAccess(... TypeSize AccessSize) which only do the conversion and call some isSafeAccess(... SCEV AccessSize). Doing the conversion explicitly in the caller seems more readable to me.
319–325	Added this and a test that fails without this. Thanks!
353	Ok. Although this is called `UI` in `analyzeAllUses`.
399	Let's hold off of this for now, as that needs some changes (UnknownRange is in StackSafetyLocalAnalysis).

formatting

Harbormaster completed remote builds in B135242: Diff 388667.Nov 19 2021, 5:30 PM

vitalybuka added inline comments.Nov 19 2021, 6:52 PM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
260	please do this to remove SCEV stuff from that long loop
367–369	maybe: can you make toCharPtr same local lambda? or you plan to use it outside?
447	it's going to make instruction safe even if user is not alloca For consistency isSafeMemIntrinsicAccess will help

fmayer added inline comments.Nov 19 2021, 6:55 PM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
447	This is consistent with the API this is used in // Returns true if the instruction can be proven to do only two types of // memory accesses: // (1) live stack locations in-bounds or // (2) non-stack locations. If the user is not alloca, that is (2).

vitalybuka added inline comments.Nov 20 2021, 12:39 AM

llvm/lib/Analysis/StackSafetyAnalysis.cpp
121	Just noticed: Why this is in UseInfo and per alloca, and then we merge them latter anyway? It should be FunctionInfo::UnsafeAccesses? Then you pass that reference to the set as new arg of analyzeAllUses
447	it's going to make instruction safe even if user is not alloca user -> location isSafeAccess() line 355 return false for !AI I don't like to have undefined behavior for (2) even if you don't use it now. It's trivial to make it defined either true or false. However if instruction access function argument, we don't know if it a stack of another function. So unsafe (false) seems reasonable choose here. BTW why this is not important for current callers?

address comments

llvm/lib/Analysis/StackSafetyAnalysis.cpp
121	Can we do this in a separate change? This doesn't really belong here.
447	Good point, if `!AI` in `isSafeAccess` we should also return true, for consistency. Then the semantics remain well-defined and the same: "all stack accesses done by this instruction are safe. The callers check `findAllocaForValue` to make sure this is definitely a stack access before calling `stackAccessIsSafe`.

vitalybuka accepted this revision.Nov 23 2021, 12:08 PM

vitalybuka added inline comments.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
121	sure in would be nice in follow up patches also to switch from UnsafeAccesses to SaveAccessesOnAlloca probably we can track two sets: a. all instructions on any alloca b. unsafe instructions on any alloca and then keep (a-b) for result.
447	i don't like this assumption on what user will do this seems like a goal of this analysis and it should tell without external tricks. However It should be easier to do after "UnsafeAccesses" followup patch.

This revision is now accepted and ready to land.Nov 23 2021, 12:08 PM

Harbormaster completed remote builds in B135684: Diff 389270.Nov 23 2021, 3:26 PM

This revision was landed with ongoing or failed builds.Nov 23 2021, 3:29 PM

Closed by commit rG6c06d8e310bd: [stack-safety] Check SCEV constraints at memory instructions. (authored by fmayer). · Explain Why

This revision was automatically updated to reflect the committed changes.

fmayer added a commit: rG6c06d8e310bd: [stack-safety] Check SCEV constraints at memory instructions..

Revision Contents

Path

Size

llvm/

lib/

Analysis/

StackSafetyAnalysis.cpp

103 lines

test/

Analysis/

StackSafetyAnalysis/

local.ll

95 lines

Diff 386718

llvm/lib/Analysis/StackSafetyAnalysis.cpp

//===- StackSafetyAnalysis.cpp - Stack memory safety analysis -------------===//		//===- StackSafetyAnalysis.cpp - Stack memory safety analysis -------------===//
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "llvm/Analysis/StackSafetyAnalysis.h"		#include "llvm/Analysis/StackSafetyAnalysis.h"
#include "llvm/ADT/APInt.h"		#include "llvm/ADT/APInt.h"
#include "llvm/ADT/SmallPtrSet.h"		#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallVector.h"		#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"		#include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/ModuleSummaryAnalysis.h"		#include "llvm/Analysis/ModuleSummaryAnalysis.h"
		#include "llvm/Analysis/ScalarEvolution.h"
#include "llvm/Analysis/ScalarEvolutionExpressions.h"		#include "llvm/Analysis/ScalarEvolutionExpressions.h"
#include "llvm/Analysis/StackLifetime.h"		#include "llvm/Analysis/StackLifetime.h"
#include "llvm/IR/ConstantRange.h"		#include "llvm/IR/ConstantRange.h"
#include "llvm/IR/DerivedTypes.h"		#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/GlobalValue.h"		#include "llvm/IR/GlobalValue.h"
#include "llvm/IR/InstIterator.h"		#include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h"		#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"		#include "llvm/IR/IntrinsicInst.h"
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines	template <typename CalleeTy> struct CallInfo {
};		};
};		};

/// Describe uses of address (alloca or parameter) inside of the function.		/// Describe uses of address (alloca or parameter) inside of the function.
template <typename CalleeTy> struct UseInfo {		template <typename CalleeTy> struct UseInfo {
// Access range if the address (alloca or parameters).		// Access range if the address (alloca or parameters).
// It is allowed to be empty-set when there are no known accesses.		// It is allowed to be empty-set when there are no known accesses.
ConstantRange Range;		ConstantRange Range;
std::map<const Instruction *, ConstantRange> Accesses;		std::set<const Instruction *> UnsafeAccesses;
		kstoimenovUnsubmitted Done Reply Inline Actions Isn't that just a set? kstoimenov: Isn't that just a set?
		kstoimenovUnsubmitted Done Reply Inline Actions I am not sure what is the ratio of unsafe to safe accesses is, but I would expect that more of them are unsafe, right? In that case it makes more sense to have a set of SafeAccesses to use less memory. kstoimenov: I am not sure what is the ratio of unsafe to safe accesses is, but I would expect that more of…
		fmayerAuthorUnsubmitted Done Reply Inline Actions That doesn't work though. What we want is any(instr is unsafe for alloca for all allocas reachable) for that we need to keep track of the unsafe instructions for each alloca. fmayer: That doesn't work though. What we want is any(instr is unsafe for alloca for all allocas…
		vitalybukaUnsubmitted Done Reply Inline Actions Just noticed: Why this is in UseInfo and per alloca, and then we merge them latter anyway? It should be FunctionInfo::UnsafeAccesses? Then you pass that reference to the set as new arg of analyzeAllUses vitalybuka: Just noticed: Why this is in UseInfo and per alloca, and then we merge them latter anyway? It…
		fmayerAuthorUnsubmitted Done Reply Inline Actions Can we do this in a separate change? This doesn't really belong here. fmayer: Can we do this in a separate change? This doesn't really belong here.
		vitalybukaUnsubmitted Not Done Reply Inline Actions sure in would be nice in follow up patches also to switch from UnsafeAccesses to SaveAccessesOnAlloca probably we can track two sets: a. all instructions on any alloca b. unsafe instructions on any alloca and then keep (a-b) for result. vitalybuka: sure in would be nice in follow up patches also to switch from UnsafeAccesses to…

// List of calls which pass address as an argument.		// List of calls which pass address as an argument.
// Value is offset range of address from base address (alloca or calling		// Value is offset range of address from base address (alloca or calling
// function argument). Range should never set to empty-set, that is an invalid		// function argument). Range should never set to empty-set, that is an invalid
// access range that can cause empty-set to be propagated with		// access range that can cause empty-set to be propagated with
// ConstantRange::add		// ConstantRange::add
using CallsTy = std::map<CallInfo<CalleeTy>, ConstantRange,		using CallsTy = std::map<CallInfo<CalleeTy>, ConstantRange,
typename CallInfo<CalleeTy>::Less>;		typename CallInfo<CalleeTy>::Less>;
CallsTy Calls;		CallsTy Calls;

UseInfo(unsigned PointerSize) : Range{PointerSize, false} {}		UseInfo(unsigned PointerSize) : Range{PointerSize, false} {}

void updateRange(const ConstantRange &R) { Range = unionNoWrap(Range, R); }		void updateRange(const ConstantRange &R) { Range = unionNoWrap(Range, R); }
void addRange(const Instruction *I, const ConstantRange &R) {		void addRange(const Instruction *I, const ConstantRange &R, bool IsSafe) {
auto Ins = Accesses.emplace(I, R);		if (!IsSafe)
if (!Ins.second)		UnsafeAccesses.insert(I);
Ins.first->second = unionNoWrap(Ins.first->second, R);
updateRange(R);		updateRange(R);
}		}
};		};

template <typename CalleeTy>		template <typename CalleeTy>
raw_ostream &operator<<(raw_ostream &OS, const UseInfo<CalleeTy> &U) {		raw_ostream &operator<<(raw_ostream &OS, const UseInfo<CalleeTy> &U) {
OS << U.Range;		OS << U.Range;
for (auto &Call : U.Calls)		for (auto &Call : U.Calls)
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines

struct StackSafetyInfo::InfoTy {		struct StackSafetyInfo::InfoTy {
FunctionInfo<GlobalValue> Info;		FunctionInfo<GlobalValue> Info;
};		};

struct StackSafetyGlobalInfo::InfoTy {		struct StackSafetyGlobalInfo::InfoTy {
GVToSSI Info;		GVToSSI Info;
SmallPtrSet<const AllocaInst *, 8> SafeAllocas;		SmallPtrSet<const AllocaInst *, 8> SafeAllocas;
std::map<const Instruction *, bool> AccessIsUnsafe;		std::set<const Instruction *> UnsafeAccesses;
};		};

namespace {		namespace {

class StackSafetyLocalAnalysis {		class StackSafetyLocalAnalysis {
Function &F;		Function &F;
const DataLayout &DL;		const DataLayout &DL;
ScalarEvolution &SE;		ScalarEvolution &SE;
unsigned PointerSize = 0;		unsigned PointerSize = 0;

const ConstantRange UnknownRange;		const ConstantRange UnknownRange;

ConstantRange offsetFrom(Value Addr, Value Base);		ConstantRange offsetFrom(Value Addr, Value Base);
ConstantRange getAccessRange(Value Addr, Value Base,		ConstantRange getAccessRange(Value Addr, Value Base,
const ConstantRange &SizeRange);		const ConstantRange &SizeRange);
ConstantRange getAccessRange(Value Addr, Value Base, TypeSize Size);		ConstantRange getAccessRange(Value Addr, Value Base, TypeSize Size);
ConstantRange getMemIntrinsicAccessRange(const MemIntrinsic *MI, const Use &U,		ConstantRange getMemIntrinsicAccessRange(const MemIntrinsic *MI, const Use &U,
Value *Base);		Value *Base);

void analyzeAllUses(Value *Ptr, UseInfo<GlobalValue> &AS,		void analyzeAllUses(Value *Ptr, UseInfo<GlobalValue> &AS,
const StackLifetime &SL);		const StackLifetime &SL);

		const SCEV toCharPtr(const SCEV V);
		const SCEV *typeSizeToSCEV(TypeSize TS);
		bool isSafeAccess(const Use &UI, AllocaInst AI, const Instruction I,
		kstoimenovUnsubmitted Done Reply Inline Actions If this is an output param, please consider moving it to the end of the argument list. kstoimenov: If this is an output param, please consider moving it to the end of the argument list.
		fmayerAuthorUnsubmitted Done Reply Inline Actions There is no output parameter in this. This is just non-const because getSCEV does not take const. fmayer: There is no output parameter in this. This is just non-const because getSCEV does not take…
		const SCEV *AccessSize);

		vitalybukaUnsubmitted Done Reply Inline Actions Can you replace typeSizeToSCEV with two overloads? bool isSafeAccess(... Value AccessSize) bool isSafeAccess(...TypeSize AccessSize) vitalybuka:* Can you replace typeSizeToSCEV with two overloads? ``` bool isSafeAccess(... Value…
		fmayerAuthorUnsubmitted Done Reply Inline Actions I think that just adds more complexity, as this way we will need bool isSafeAccess(... Value AccessSize) bool isSafeAccess(... TypeSize AccessSize) which only do the conversion and call some isSafeAccess(... SCEV AccessSize). Doing the conversion explicitly in the caller seems more readable to me. fmayer: I think that just adds more complexity, as this way we will need bool isSafeAccess(... Value…
		vitalybukaUnsubmitted Done Reply Inline Actions please do this to remove SCEV stuff from that long loop vitalybuka: please do this to remove SCEV stuff from that long loop
public:		public:
StackSafetyLocalAnalysis(Function &F, ScalarEvolution &SE)		StackSafetyLocalAnalysis(Function &F, ScalarEvolution &SE)
: F(F), DL(F.getParent()->getDataLayout()), SE(SE),		: F(F), DL(F.getParent()->getDataLayout()), SE(SE),
PointerSize(DL.getPointerSizeInBits()),		PointerSize(DL.getPointerSizeInBits()),
UnknownRange(PointerSize, true) {}		UnknownRange(PointerSize, true) {}

// Run the transformation on the associated function.		// Run the transformation on the associated function.
FunctionInfo<GlobalValue> run();		FunctionInfo<GlobalValue> run();
▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines	ConstantRange StackSafetyLocalAnalysis::getAccessRange(Value Addr, Value Base,
if (APSize.isNegative())		if (APSize.isNegative())
return UnknownRange;		return UnknownRange;
return getAccessRange(Addr, Base,		return getAccessRange(Addr, Base,
ConstantRange(APInt::getZero(PointerSize), APSize));		ConstantRange(APInt::getZero(PointerSize), APSize));
}		}

ConstantRange StackSafetyLocalAnalysis::getMemIntrinsicAccessRange(		ConstantRange StackSafetyLocalAnalysis::getMemIntrinsicAccessRange(
const MemIntrinsic MI, const Use &U, Value Base) {		const MemIntrinsic MI, const Use &U, Value Base) {
if (const auto *MTI = dyn_cast<MemTransferInst>(MI)) {		if (const auto *MTI = dyn_cast<MemTransferInst>(MI)) {
if (MTI->getRawSource() != U && MTI->getRawDest() != U)		if (MTI->getRawSource() != U && MTI->getRawDest() != U)
return ConstantRange::getEmpty(PointerSize);		return ConstantRange::getEmpty(PointerSize);
} else {		} else {
if (MI->getRawDest() != U)		if (MI->getRawDest() != U)
return ConstantRange::getEmpty(PointerSize);		return ConstantRange::getEmpty(PointerSize);
}		}
		vitalybukaUnsubmitted Done Reply Inline Actions why don't we do this in case if isSafeAccess? vitalybuka: why don't we do this in case if isSafeAccess?
		fmayerAuthorUnsubmitted Done Reply Inline Actions Added this and a test that fails without this. Thanks! fmayer: Added this and a test that fails without this. Thanks!

auto *CalculationTy = IntegerType::getIntNTy(SE.getContext(), PointerSize);		auto *CalculationTy = IntegerType::getIntNTy(SE.getContext(), PointerSize);
if (!SE.isSCEVable(MI->getLength()->getType()))		if (!SE.isSCEVable(MI->getLength()->getType()))
return UnknownRange;		return UnknownRange;

const SCEV *Expr =		const SCEV *Expr =
SE.getTruncateOrZeroExtend(SE.getSCEV(MI->getLength()), CalculationTy);		SE.getTruncateOrZeroExtend(SE.getSCEV(MI->getLength()), CalculationTy);
ConstantRange Sizes = SE.getSignedRange(Expr);		ConstantRange Sizes = SE.getSignedRange(Expr);
if (Sizes.getUpper().isNegative() \|\| isUnsafe(Sizes))		if (Sizes.getUpper().isNegative() \|\| isUnsafe(Sizes))
return UnknownRange;		return UnknownRange;
Sizes = Sizes.sextOrTrunc(PointerSize);		Sizes = Sizes.sextOrTrunc(PointerSize);
ConstantRange SizeRange(APInt::getZero(PointerSize), Sizes.getUpper() - 1);		ConstantRange SizeRange(APInt::getZero(PointerSize), Sizes.getUpper() - 1);
return getAccessRange(U, Base, SizeRange);		return getAccessRange(U, Base, SizeRange);
}		}

		const SCEV *StackSafetyLocalAnalysis::typeSizeToSCEV(TypeSize TS) {
		if (TS.isScalable())
		return SE.getCouldNotCompute();
		auto *PtrTy = IntegerType::getInt8PtrTy(SE.getContext());
		eugenisUnsubmitted Done Reply Inline Actions It's a little strange to compute type size in a pointer, but SCEV does not care as long as the number of bits is the same, so I guess it is fine. eugenis: It's a little strange to compute type size in a pointer, but SCEV does not care as long as the…
		vitalybukaUnsubmitted Done Reply Inline Actions auto IntTy = IntegerType::getIntNTy(SE.getContext(), PointerSize); return SE.getConstant(IntTy, TS.getFixedSize()); vitalybuka:* ``` auto *IntTy = IntegerType::getIntNTy(SE.getContext(), PointerSize); return SE.getConstant…
		return SE.getConstant(PtrTy, TS.getFixedSize());
		}

		const SCEV StackSafetyLocalAnalysis::toCharPtr(const SCEV V) {
		auto *PtrTy = IntegerType::getInt8PtrTy(SE.getContext());
		return SE.getTruncateOrZeroExtend(V, PtrTy);
		}

		bool StackSafetyLocalAnalysis::isSafeAccess(const Use &UI, AllocaInst *AI,
		vitalybukaUnsubmitted Done Reply Inline Actions UI -> U vitalybuka: UI -> U
		fmayerAuthorUnsubmitted Done Reply Inline Actions Ok. Although this is called `UI` in `analyzeAllUses`. fmayer: Ok. Although this is called `UI` in `analyzeAllUses`.
		const Instruction *I,
		vitalybukaUnsubmitted Done Reply Inline Actions I is not needed, it can be retrived from U vitalybuka: I is not needed, it can be retrived from U
		const SCEV *AccessSize) {
		if (!AI \|\| isa<SCEVCouldNotCompute>(AccessSize))
		return false;

		const SCEV *AddrExp = toCharPtr(SE.getSCEV(UI.get()));
		const SCEV *BaseExp = toCharPtr(SE.getSCEV(AI));
		const SCEV *Diff = SE.getMinusSCEV(AddrExp, BaseExp);
		if (isa<SCEVCouldNotCompute>(Diff))
		return false;

		auto Size = getStaticAllocaSizeRange(*AI);

		const SCEV *Min = toCharPtr(SE.getConstant(Size.getLower()));
		const SCEV *Max = SE.getMinusSCEV(toCharPtr(SE.getConstant(Size.getUpper())),
		toCharPtr(AccessSize));
		vitalybukaUnsubmitted Done Reply Inline Actions In all 3 cases can you please replace toCharPtr with getIntNTy, at least for readability not sure if it make a difference for SCEV vitalybuka: In all 3 cases can you please replace toCharPtr with getIntNTy, at least for readability not…
		vitalybukaUnsubmitted Done Reply Inline Actions maybe: can you make toCharPtr same local lambda? or you plan to use it outside? vitalybuka: maybe: can you make toCharPtr same local lambda? or you plan to use it outside?
		return SE.evaluatePredicateAt(ICmpInst::Predicate::ICMP_SGE, Diff, Min, I)
		.getValueOr(false) &&
		SE.evaluatePredicateAt(ICmpInst::Predicate::ICMP_SLE, Diff, Max, I)
		.getValueOr(false);
		}

/// The function analyzes all local uses of Ptr (alloca or argument) and		/// The function analyzes all local uses of Ptr (alloca or argument) and
/// calculates local access range and all function calls where it was used.		/// calculates local access range and all function calls where it was used.
void StackSafetyLocalAnalysis::analyzeAllUses(Value *Ptr,		void StackSafetyLocalAnalysis::analyzeAllUses(Value *Ptr,
UseInfo<GlobalValue> &US,		UseInfo<GlobalValue> &US,
const StackLifetime &SL) {		const StackLifetime &SL) {
SmallPtrSet<const Value *, 16> Visited;		SmallPtrSet<const Value *, 16> Visited;
SmallVector<const Value *, 8> WorkList;		SmallVector<const Value *, 8> WorkList;
WorkList.push_back(Ptr);		WorkList.push_back(Ptr);
const AllocaInst *AI = dyn_cast<AllocaInst>(Ptr);		AllocaInst *AI = dyn_cast<AllocaInst>(Ptr);

// A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.		// A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
while (!WorkList.empty()) {		while (!WorkList.empty()) {
const Value *V = WorkList.pop_back_val();		const Value *V = WorkList.pop_back_val();
for (const Use &UI : V->uses()) {		for (const Use &UI : V->uses()) {
const auto *I = cast<Instruction>(UI.getUser());		const auto *I = cast<Instruction>(UI.getUser());
if (!SL.isReachable(I))		if (!SL.isReachable(I))
continue;		continue;

assert(V == UI.get());		assert(V == UI.get());

switch (I->getOpcode()) {		switch (I->getOpcode()) {
case Instruction::Load: {		case Instruction::Load: {
if (AI && !SL.isAliveAfter(AI, I)) {		if (AI && !SL.isAliveAfter(AI, I)) {
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
		kstoimenovUnsubmitted Done Reply Inline Actions Add the var you are setting in comments like so: /x=/false to increase readability. Here and below. kstoimenov: Add the var you are setting in comments like so: /x=/false to increase readability. Here and…
		vitalybukaUnsubmitted Done Reply Inline Actions maybe add for this case a dedicated function US.addUnsaveAccess(I); vitalybuka: maybe add for this case a dedicated function US.addUnsaveAccess(I);
		fmayerAuthorUnsubmitted Done Reply Inline Actions Let's hold off of this for now, as that needs some changes (UnknownRange is in StackSafetyLocalAnalysis). fmayer: Let's hold off of this for now, as that needs some changes (UnknownRange is in…
break;		break;
}		}
US.addRange(I,		auto TypeSize = DL.getTypeStoreSize(I->getType());
getAccessRange(UI, Ptr, DL.getTypeStoreSize(I->getType())));		auto AccessRange = getAccessRange(UI, Ptr, TypeSize);
		US.addRange(I, AccessRange,
		isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize)));
		eugenisUnsubmitted Done Reply Inline Actions move getTypeStoreSize into getTypeSize eugenis: move getTypeStoreSize into getTypeSize
		fmayerAuthorUnsubmitted Done Reply Inline Actions The way it is now makes it more obvious that this TypeSize is the same that we use in the `getAccessRange` call, so I'd prefer to leave it like this. WDYT? fmayer: The way it is now makes it more obvious that this TypeSize is the same that we use in the…
		fmayerAuthorUnsubmitted Done Reply Inline Actions I changed the name of getTypeSize to make more explicit what it does. fmayer: I changed the name of getTypeSize to make more explicit what it does.
break;		break;
}		}

case Instruction::VAArg:		case Instruction::VAArg:
// "va-arg" from a pointer is safe.		// "va-arg" from a pointer is safe.
break;		break;
case Instruction::Store: {		case Instruction::Store: {
if (V == I->getOperand(0)) {		if (V == I->getOperand(0)) {
// Stored the pointer - conservatively assume it may be unsafe.		// Stored the pointer - conservatively assume it may be unsafe.
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
break;		break;
}		}
if (AI && !SL.isAliveAfter(AI, I)) {		if (AI && !SL.isAliveAfter(AI, I)) {
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
break;		break;
}		}
US.addRange(		auto TypeSize = DL.getTypeStoreSize(I->getOperand(0)->getType());
I, getAccessRange(		auto AccessRange = getAccessRange(UI, Ptr, TypeSize);
UI, Ptr, DL.getTypeStoreSize(I->getOperand(0)->getType())));		US.addRange(I, AccessRange,
		isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize)));
break;		break;
}		}

case Instruction::Ret:		case Instruction::Ret:
// Information leak.		// Information leak.
// FIXME: Process parameters correctly. This is a leak only if we return		// FIXME: Process parameters correctly. This is a leak only if we return
// alloca.		// alloca.
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
break;		break;

case Instruction::Call:		case Instruction::Call:
case Instruction::Invoke: {		case Instruction::Invoke: {
if (I->isLifetimeStartOrEnd())		if (I->isLifetimeStartOrEnd())
break;		break;

if (AI && !SL.isAliveAfter(AI, I)) {		if (AI && !SL.isAliveAfter(AI, I)) {
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
break;		break;
}		}

if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {		if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {
US.addRange(I, getMemIntrinsicAccessRange(MI, UI, Ptr));		auto AccessRange = getMemIntrinsicAccessRange(MI, UI, Ptr);
		US.addRange(I, AccessRange,
		vitalybukaUnsubmitted Done Reply Inline Actions it's going to make instruction safe even if user is not alloca For consistency isSafeMemIntrinsicAccess will help vitalybuka: it's going to make instruction safe even if user is not alloca For consistency…
		fmayerAuthorUnsubmitted Done Reply Inline Actions This is consistent with the API this is used in // Returns true if the instruction can be proven to do only two types of // memory accesses: // (1) live stack locations in-bounds or // (2) non-stack locations. If the user is not alloca, that is (2). fmayer: This is consistent with the API this is used in ``` // Returns true if the instruction can…
		vitalybukaUnsubmitted Done Reply Inline Actions it's going to make instruction safe even if user is not alloca user -> location isSafeAccess() line 355 return false for !AI I don't like to have undefined behavior for (2) even if you don't use it now. It's trivial to make it defined either true or false. However if instruction access function argument, we don't know if it a stack of another function. So unsafe (false) seems reasonable choose here. BTW why this is not important for current callers? vitalybuka: >> it's going to make instruction safe even if user is not alloca user -> location…
		fmayerAuthorUnsubmitted Done Reply Inline Actions Good point, if `!AI` in `isSafeAccess` we should also return true, for consistency. Then the semantics remain well-defined and the same: "all stack accesses done by this instruction are safe. The callers check `findAllocaForValue` to make sure this is definitely a stack access before calling `stackAccessIsSafe`. fmayer: Good point, if `!AI` in `isSafeAccess` we should also return true, for consistency. Then the…
		vitalybukaUnsubmitted Not Done Reply Inline Actions i don't like this assumption on what user will do this seems like a goal of this analysis and it should tell without external tricks. However It should be easier to do after "UnsafeAccesses" followup patch. vitalybuka: i don't like this assumption on what user will do this seems like a goal of this analysis and…
		isSafeAccess(UI, AI, I, SE.getSCEV(MI->getLength())));
break;		break;
}		}

const auto &CB = cast<CallBase>(*I);		const auto &CB = cast<CallBase>(*I);
if (CB.getReturnedArgOperand() == V) {		if (CB.getReturnedArgOperand() == V) {
if (Visited.insert(I).second)		if (Visited.insert(I).second)
WorkList.push_back(cast<const Instruction>(I));		WorkList.push_back(cast<const Instruction>(I));
}		}

if (!CB.isArgOperand(&UI)) {		if (!CB.isArgOperand(&UI)) {
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
break;		break;
}		}

unsigned ArgNo = CB.getArgOperandNo(&UI);		unsigned ArgNo = CB.getArgOperandNo(&UI);
if (CB.isByValArgument(ArgNo)) {		if (CB.isByValArgument(ArgNo)) {
US.addRange(I, getAccessRange(		auto TypeSize = DL.getTypeStoreSize(CB.getParamByValType(ArgNo));
UI, Ptr,		auto AccessRange = getAccessRange(UI, Ptr, TypeSize);
		vitalybukaUnsubmitted Done Reply Inline Actions for consistency either (i prefer this one): US.addRange(I, getAccessRange(UI, Ptr, TypeSize);, isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize))); or: auto AccessRange = getAccessRange(UI, Ptr, TypeSize); bool Safe = isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize)); US.addRange(I, AccessRange, Safe); vitalybuka: for consistency either (i prefer this one): ``` US.addRange(I, getAccessRange(UI…
DL.getTypeStoreSize(CB.getParamByValType(ArgNo))));		US.addRange(I, AccessRange,
		isSafeAccess(UI, AI, I, typeSizeToSCEV(TypeSize)));
break;		break;
}		}

// FIXME: consult devirt?		// FIXME: consult devirt?
// Do not follow aliases, otherwise we could inadvertently follow		// Do not follow aliases, otherwise we could inadvertently follow
// dso_preemptable aliases or aliases with interposable linkage.		// dso_preemptable aliases or aliases with interposable linkage.
const GlobalValue *Callee =		const GlobalValue *Callee =
dyn_cast<GlobalValue>(CB.getCalledOperand()->stripPointerCasts());		dyn_cast<GlobalValue>(CB.getCalledOperand()->stripPointerCasts());
if (!Callee) {		if (!Callee) {
US.addRange(I, UnknownRange);		US.addRange(I, UnknownRange, /IsSafe=/false);
break;		break;
}		}

assert(isa<Function>(Callee) \|\| isa<GlobalAlias>(Callee));		assert(isa<Function>(Callee) \|\| isa<GlobalAlias>(Callee));
ConstantRange Offsets = offsetFrom(UI, Ptr);		ConstantRange Offsets = offsetFrom(UI, Ptr);
auto Insert =		auto Insert =
US.Calls.emplace(CallInfo<GlobalValue>(Callee, ArgNo), Offsets);		US.Calls.emplace(CallInfo<GlobalValue>(Callee, ArgNo), Offsets);
if (!Insert.second)		if (!Insert.second)
▲ Show 20 Lines • Show All 380 Lines • ▼ Show 20 Lines	for (auto &FnKV : Info->Info) {
for (auto &KV : FnKV.second.Allocas) {		for (auto &KV : FnKV.second.Allocas) {
++NumAllocaTotal;		++NumAllocaTotal;
const AllocaInst *AI = KV.first;		const AllocaInst *AI = KV.first;
auto AIRange = getStaticAllocaSizeRange(*AI);		auto AIRange = getStaticAllocaSizeRange(*AI);
if (AIRange.contains(KV.second.Range)) {		if (AIRange.contains(KV.second.Range)) {
Info->SafeAllocas.insert(AI);		Info->SafeAllocas.insert(AI);
++NumAllocaStackSafe;		++NumAllocaStackSafe;
}		}
for (const auto &A : KV.second.Accesses)		Info->UnsafeAccesses.insert(KV.second.UnsafeAccesses.begin(),
Info->AccessIsUnsafe[A.first] \|= !AIRange.contains(A.second);		KV.second.UnsafeAccesses.end());
		Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - KV.second.UnsafeAccesses.end()); + KV.second.UnsafeAccesses.end()); Lint: Pre-merge checks: clang-format: please reformat the code ``` - KV.second.UnsafeAccesses.end()); +…
		kstoimenovUnsubmitted Done Reply Inline Actions If converted to set this loop could be: Info->AccessIsUnsafe[A.first].insert(KV.second.AccessIsUnsafe.first, KV.second.AccessIsUnsafe.end); There is also set::merge in C++ 17, but it will move the elements from the second set I think. kstoimenov: If converted to set this loop could be: Info->AccessIsUnsafe[A.first].insert(KV.second.
}		}
}		}

if (StackSafetyPrint)		if (StackSafetyPrint)
print(errs());		print(errs());
}		}
return *Info;		return *Info;
}		}
▲ Show 20 Lines • Show All 58 Lines • ▼ Show 20 Lines

bool StackSafetyGlobalInfo::isSafe(const AllocaInst &AI) const {		bool StackSafetyGlobalInfo::isSafe(const AllocaInst &AI) const {
const auto &Info = getInfo();		const auto &Info = getInfo();
return Info.SafeAllocas.count(&AI);		return Info.SafeAllocas.count(&AI);
}		}

bool StackSafetyGlobalInfo::stackAccessIsSafe(const Instruction &I) const {		bool StackSafetyGlobalInfo::stackAccessIsSafe(const Instruction &I) const {
const auto &Info = getInfo();		const auto &Info = getInfo();
auto It = Info.AccessIsUnsafe.find(&I);		return Info.UnsafeAccesses.find(&I) == Info.UnsafeAccesses.end();
		kstoimenovUnsubmitted Done Reply Inline Actions Nit: could be !Info.UnsafeAccesses.contains(&I). kstoimenov: Nit: could be !Info.UnsafeAccesses.contains(&I).
		fmayerAuthorUnsubmitted Done Reply Inline Actions No, that doesn't work because it's too new for LLVM code. Unless otherwise documented, LLVM subprojects are written using standard C++14 code and avoid unnecessary vendor-specific extensions. fmayer: No, that doesn't work because it's too new for LLVM code. > Unless otherwise documented, LLVM…
if (It == Info.AccessIsUnsafe.end()) {
return true;
}
return !It->second;
}		}

void StackSafetyGlobalInfo::print(raw_ostream &O) const {		void StackSafetyGlobalInfo::print(raw_ostream &O) const {
auto &SSI = getInfo().Info;		auto &SSI = getInfo().Info;
if (SSI.empty())		if (SSI.empty())
return;		return;
const Module &M = *SSI.begin()->first->getParent();		const Module &M = *SSI.begin()->first->getParent();
for (auto &F : M.functions()) {		for (auto &F : M.functions()) {
▲ Show 20 Lines • Show All 213 Lines • Show Last 20 Lines

llvm/test/Analysis/StackSafetyAnalysis/local.ll

Show All 38 Lines
; CHECK-EMPTY:		; CHECK-EMPTY:
entry:		entry:
%x = alloca i32, align 4		%x = alloca i32, align 4
%x1 = bitcast i32* %x to i8*		%x1 = bitcast i32* %x to i8*
store i8 0, i8* %x1, align 1		store i8 0, i8* %x1, align 1
ret void		ret void
}		}

		define void @StoreInBoundsCond(i64 %i) {
		; CHECK-LABEL: @StoreInBoundsCond dso_preemptable{{$}}
		; CHECK-NEXT: args uses:
		; CHECK-NEXT: allocas uses:
		; CHECK-NEXT: x[4]: full-set{{$}}
		; GLOBAL-NEXT: safe accesses:
		; GLOBAL-NEXT: store i8 0, i8* %x2, align 1
		; CHECK-EMPTY:
		entry:
		%x = alloca i32, align 4
		%x1 = bitcast i32* %x to i8*
		%c1 = icmp sge i64 %i, 0
		%c2 = icmp slt i64 %i, 4
		br i1 %c1, label %c1.true, label %false

		c1.true:
		br i1 %c2, label %c2.true, label %false

		c2.true:
		%x2 = getelementptr i8, i8* %x1, i64 %i
		store i8 0, i8* %x2, align 1
		br label %false

		false:
		ret void
		}

		define void @StoreInBoundsMinMax(i64 %i) {
		; CHECK-LABEL: @StoreInBoundsMinMax dso_preemptable{{$}}
		; CHECK-NEXT: args uses:
		; CHECK-NEXT: allocas uses:
		; CHECK-NEXT: x[4]: [0,4){{$}}
		; GLOBAL-NEXT: safe accesses:
		; GLOBAL-NEXT: store i8 0, i8* %x2, align 1
		; CHECK-EMPTY:
		entry:
		%x = alloca i32, align 4
		%x1 = bitcast i32* %x to i8*
		%c1 = icmp sge i64 %i, 0
		%i1 = select i1 %c1, i64 %i, i64 0
		%c2 = icmp slt i64 %i1, 3
		%i2 = select i1 %c2, i64 %i1, i64 3
		%x2 = getelementptr i8, i8* %x1, i64 %i2
		store i8 0, i8* %x2, align 1
		ret void
		}

define void @StoreInBounds2() {		define void @StoreInBounds2() {
; CHECK-LABEL: @StoreInBounds2 dso_preemptable{{$}}		; CHECK-LABEL: @StoreInBounds2 dso_preemptable{{$}}
; CHECK-NEXT: args uses:		; CHECK-NEXT: args uses:
; CHECK-NEXT: allocas uses:		; CHECK-NEXT: allocas uses:
; CHECK-NEXT: x[4]: [0,4){{$}}		; CHECK-NEXT: x[4]: [0,4){{$}}
; GLOBAL-NEXT: safe accesses:		; GLOBAL-NEXT: safe accesses:
; GLOBAL-NEXT: store i32 0, i32* %x, align 4		; GLOBAL-NEXT: store i32 0, i32* %x, align 4
; CHECK-EMPTY:		; CHECK-EMPTY:
▲ Show 20 Lines • Show All 97 Lines • ▼ Show 20 Lines	entry:
%x = alloca i32, align 4		%x = alloca i32, align 4
%x1 = bitcast i32* %x to i8*		%x1 = bitcast i32* %x to i8*
%x2 = getelementptr i8, i8* %x1, i64 2		%x2 = getelementptr i8, i8* %x1, i64 2
%x3 = bitcast i8* %x2 to i32*		%x3 = bitcast i8* %x2 to i32*
store i32 0, i32* %x3, align 1		store i32 0, i32* %x3, align 1
ret void		ret void
}		}

		define void @StoreOutOfBoundsCond(i64 %i) {
		; CHECK-LABEL: @StoreOutOfBoundsCond dso_preemptable{{$}}
		; CHECK-NEXT: args uses:
		; CHECK-NEXT: allocas uses:
		; CHECK-NEXT: x[4]: full-set{{$}}
		; GLOBAL-NEXT: safe accesses:
		; CHECK-EMPTY:
		entry:
		%x = alloca i32, align 4
		%x1 = bitcast i32* %x to i8*
		%c1 = icmp sge i64 %i, 0
		%c2 = icmp slt i64 %i, 5
		br i1 %c1, label %c1.true, label %false

		c1.true:
		br i1 %c2, label %c2.true, label %false

		c2.true:
		%x2 = getelementptr i8, i8* %x1, i64 %i
		store i8 0, i8* %x2, align 1
		br label %false

		false:
		ret void
		}

		define void @StoreOutOfBoundsCond2(i64 %i) {
		; CHECK-LABEL: @StoreOutOfBoundsCond2 dso_preemptable{{$}}
		; CHECK-NEXT: args uses:
		; CHECK-NEXT: allocas uses:
		; CHECK-NEXT: x[4]: full-set{{$}}
		; GLOBAL-NEXT: safe accesses:
		; CHECK-EMPTY:
		entry:
		%x = alloca i32, align 4
		%x1 = bitcast i32* %x to i8*
		%c2 = icmp slt i64 %i, 5
		br i1 %c2, label %c2.true, label %false

		c2.true:
		%x2 = getelementptr i8, i8* %x1, i64 %i
		store i8 0, i8* %x2, align 1
		br label %false

		false:
		ret void
		}

define void @StoreOutOfBounds2() {		define void @StoreOutOfBounds2() {
; CHECK-LABEL: @StoreOutOfBounds2 dso_preemptable{{$}}		; CHECK-LABEL: @StoreOutOfBounds2 dso_preemptable{{$}}
; CHECK-NEXT: args uses:		; CHECK-NEXT: args uses:
; CHECK-NEXT: allocas uses:		; CHECK-NEXT: allocas uses:
; GLOBAL-NEXT: x[4]: full-set, @retptr(arg0, [2,3)){{$}}		; GLOBAL-NEXT: x[4]: full-set, @retptr(arg0, [2,3)){{$}}
; LOCAL-NEXT: x[4]: [2,6), @retptr(arg0, [2,3)){{$}}		; LOCAL-NEXT: x[4]: [2,6), @retptr(arg0, [2,3)){{$}}
; GLOBAL-NEXT: safe accesses:		; GLOBAL-NEXT: safe accesses:
; CHECK-EMPTY:		; CHECK-EMPTY:
▲ Show 20 Lines • Show All 826 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[stack-safety] Check SCEV constraints at memory instructions.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 386718

llvm/lib/Analysis/StackSafetyAnalysis.cpp

llvm/test/Analysis/StackSafetyAnalysis/local.ll

[stack-safety] Check SCEV constraints at memory instructions.
ClosedPublic