This is an archive of the discontinued LLVM Phabricator instance.

[Attributor] Share code for abstract interpretation of allocation sizes with getObjectSize [NFC-ish]
ClosedPublic

Authored by reames on Jan 13 2022, 12:05 PM.

Download Raw Diff

Details

Reviewers

Bryce-MW
durin42
jdoerfert
uenoku
homerdin
sstefan1
baziotis

Commits

rG28b6e2cb3df6: [Attributor] [NFC] Use canonical variable name
rGcf66f01ec138: [Attributor] Share code for abstract interpretation of allocation sizes with…

Summary

This is an alternative to (part of D116971). The basic idea is that we can parameterize the getObjectSize implementation with a callback which lets us replace the operand before analysis if desired. This is what Attributor is doing during it's abstract interpretation, and allows us to have one copy of the code.

Note this is not NFC for two reasons:

The existing attributor code is wrong. (Well, this is under-specified to be honest, but at least inconsistent.) The intermediate math needs to be done in the index type of the pointer space. Imagine e.g. i64 arguments in a 32 bit address space.
I did not preserve the behavior in getAPInt where we return 0 for a partially analyzed value. This looks simply wrong in the original code, and nothing test wise contradicts that.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

reames created this revision.Jan 13 2022, 12:05 PM

Herald added a reviewer: uenoku. · View Herald TranscriptJan 13 2022, 12:05 PM

Herald added a reviewer: homerdin. · View Herald Transcript

Herald added subscribers: ormris, okura, kuter and 4 others. · View Herald Transcript

reames requested review of this revision.Jan 13 2022, 12:05 PM

Herald added a reviewer: sstefan1. · View Herald TranscriptJan 13 2022, 12:05 PM

Herald added a reviewer: baziotis. · View Herald Transcript

Herald added a project: Restricted Project. · View Herald Transcript

reames mentioned this in D116971: [AttributorAttributes] Remove hardcoded parameters.Jan 13 2022, 12:05 PM

reames added a child revision: D117242: [Attributor] Generalize heap to stack to any allocator with relevant properties.Jan 13 2022, 12:22 PM

Harbormaster completed remote builds in B143215: Diff 399746.Jan 13 2022, 1:25 PM

I like this a lot better than my solution and it looks to be correct.

This revision is now accepted and ready to land.Jan 13 2022, 3:18 PM

This revision was landed with ongoing or failed builds.Jan 13 2022, 3:33 PM

Closed by commit rGcf66f01ec138: [Attributor] Share code for abstract interpretation of allocation sizes with… (authored by reames). · Explain Why

This revision was automatically updated to reflect the committed changes.

reames added a commit: rGcf66f01ec138: [Attributor] Share code for abstract interpretation of allocation sizes with….

LG, minor nits below though

llvm/lib/Analysis/MemoryBuiltins.cpp
360	nit: dyn_cast_or_null or document the mapper should not return a nullptr. I prefer the former.
372	same as above.
llvm/lib/Transforms/IPO/AttributorAttributes.cpp
6022	Nit: Not "Dead" but "UsedAssumedInformation". That will need to be exposed once we want to "fix" AllocationInfos in H2S early to avoid looking at them again in future updates. For now, I'd just use the canonical name here.

Bryce-MW added a commit: rG28b6e2cb3df6: [Attributor] [NFC] Use canonical variable name.Jan 13 2022, 11:07 PM

reames added inline comments.Jan 14 2022, 8:06 AM

llvm/lib/Analysis/MemoryBuiltins.cpp
360	I strongly prefer not allowing the mapper to return null for no reason. The wording in the comment is "replace one Value* (operand to the allocation) with another" This already implies the result can't be null to me.
llvm/lib/Transforms/IPO/AttributorAttributes.cpp
6022	Bryce already got this. Though I'll note that this appears to be a dead outparam, and the more general mechanism a bunch of code complexity which is unused. (I haven't looked at the general case closely, I might be missing something.)

Revision Contents

Path

Size

llvm/

include/

llvm/

Analysis/

MemoryBuiltins.h

8 lines

lib/

Analysis/

MemoryBuiltins.cpp

144 lines

Transforms/

IPO/

AttributorAttributes.cpp

25 lines

Diff 399812

llvm/include/llvm/Analysis/MemoryBuiltins.h

	Show First 20 Lines • Show All 111 Lines • ▼ Show 20 Lines
	/// Note: Removable really does mean removable; it does not mean observable.			/// Note: Removable really does mean removable; it does not mean observable.
	/// A language (e.g. C++) can allow removing allocations without allowing			/// A language (e.g. C++) can allow removing allocations without allowing
	/// insertion or speculative execution of allocation routines.			/// insertion or speculative execution of allocation routines.
	bool isAllocRemovable(const CallBase V, const TargetLibraryInfo TLI);			bool isAllocRemovable(const CallBase V, const TargetLibraryInfo TLI);

	/// Gets the alignment argument for an aligned_alloc-like function			/// Gets the alignment argument for an aligned_alloc-like function
	Value getAllocAlignment(const CallBase V, const TargetLibraryInfo *TLI);			Value getAllocAlignment(const CallBase V, const TargetLibraryInfo *TLI);

				/// Return the size of the requested allocation. With a trivial mapper, this is
				/// identical to calling getObjectSize(..., Exact). A mapper function can be
				/// used to replace one Value* (operand to the allocation) with another. This
				/// is useful when doing abstract interpretation.
				Optional<APInt> getAllocSize(const CallBase *CB,
				const TargetLibraryInfo *TLI,
				std::function<const Value(const Value)> Mapper);

	/// If this allocation function initializes memory to a fixed value, return			/// If this allocation function initializes memory to a fixed value, return
	/// said value in the requested type. Otherwise, return nullptr.			/// said value in the requested type. Otherwise, return nullptr.
	Constant getInitialValueOfAllocation(const CallBase Alloc,			Constant getInitialValueOfAllocation(const CallBase Alloc,
	const TargetLibraryInfo *TLI,			const TargetLibraryInfo *TLI,
	Type *Ty);			Type *Ty);

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// Utility functions to compute size of objects.			// Utility functions to compute size of objects.
	▲ Show 20 Lines • Show All 171 Lines • Show Last 20 Lines

llvm/lib/Analysis/MemoryBuiltins.cpp

Show First 20 Lines • Show All 299 Lines • ▼ Show 20 Lines	Value llvm::getAllocAlignment(const CallBase V,

const Optional<AllocFnsTy> FnData = getAllocationData(V, AnyAlloc, TLI);		const Optional<AllocFnsTy> FnData = getAllocationData(V, AnyAlloc, TLI);
if (!FnData.hasValue() \|\| FnData->AlignParam < 0) {		if (!FnData.hasValue() \|\| FnData->AlignParam < 0) {
return nullptr;		return nullptr;
}		}
return V->getOperand(FnData->AlignParam);		return V->getOperand(FnData->AlignParam);
}		}

		/// When we're compiling N-bit code, and the user uses parameters that are
		/// greater than N bits (e.g. uint64_t on a 32-bit build), we can run into
		/// trouble with APInt size issues. This function handles resizing + overflow
		/// checks for us. Check and zext or trunc \p I depending on IntTyBits and
		/// I's value.
		static bool CheckedZextOrTrunc(APInt &I, unsigned IntTyBits) {
		// More bits than we can handle. Checking the bit width isn't necessary, but
		// it's faster than checking active bits, and should give `false` in the
		// vast majority of cases.
		if (I.getBitWidth() > IntTyBits && I.getActiveBits() > IntTyBits)
		return false;
		if (I.getBitWidth() != IntTyBits)
		I = I.zextOrTrunc(IntTyBits);
		return true;
		}

		Optional<APInt>
		llvm::getAllocSize(const CallBase *CB,
		const TargetLibraryInfo *TLI,
		std::function<const Value(const Value)> Mapper) {
		// Note: This handles both explicitly listed allocation functions and
		// allocsize. The code structure could stand to be cleaned up a bit.
		Optional<AllocFnsTy> FnData = getAllocationSize(CB, TLI);
		if (!FnData)
		return None;

		// Get the index type for this address space, results and intermediate
		// computations are performed at that width.
		auto &DL = CB->getModule()->getDataLayout();
		const unsigned IntTyBits = DL.getIndexTypeSizeInBits(CB->getType());

		// Handle strdup-like functions separately.
		if (FnData->AllocTy == StrDupLike) {
		APInt Size(IntTyBits, GetStringLength(Mapper(CB->getArgOperand(0))));
		if (!Size)
		return None;

		// Strndup limits strlen.
		if (FnData->FstParam > 0) {
		const ConstantInt *Arg =
		dyn_cast<ConstantInt>(Mapper(CB->getArgOperand(FnData->FstParam)));
		if (!Arg)
		return None;

		APInt MaxSize = Arg->getValue().zextOrSelf(IntTyBits);
		if (Size.ugt(MaxSize))
		Size = MaxSize + 1;
		}
		return Size;
		}

		const ConstantInt *Arg =
		dyn_cast<ConstantInt>(Mapper(CB->getArgOperand(FnData->FstParam)));
		jdoerfertUnsubmitted Not Done Reply Inline Actions nit: dyn_cast_or_null or document the mapper should not return a nullptr. I prefer the former. jdoerfert: nit: dyn_cast_or_null or document the mapper should not return a nullptr. I prefer the former.
		reamesAuthorUnsubmitted Done Reply Inline Actions I strongly prefer not allowing the mapper to return null for no reason. The wording in the comment is "replace one Value* (operand to the allocation) with another" This already implies the result can't be null to me. reames: I strongly prefer not allowing the mapper to return null for no reason. The wording in the…
		if (!Arg)
		return None;

		APInt Size = Arg->getValue();
		if (!CheckedZextOrTrunc(Size, IntTyBits))
		return None;

		// Size is determined by just 1 parameter.
		if (FnData->SndParam < 0)
		return Size;

		Arg = dyn_cast<ConstantInt>(Mapper(CB->getArgOperand(FnData->SndParam)));
		jdoerfertUnsubmitted Not Done Reply Inline Actions same as above. jdoerfert: same as above.
		if (!Arg)
		return None;

		APInt NumElems = Arg->getValue();
		if (!CheckedZextOrTrunc(NumElems, IntTyBits))
		return None;

		bool Overflow;
		Size = Size.umul_ov(NumElems, Overflow);
		if (Overflow)
		return None;
		return Size;
		}

Constant llvm::getInitialValueOfAllocation(const CallBase Alloc,		Constant llvm::getInitialValueOfAllocation(const CallBase Alloc,
const TargetLibraryInfo *TLI,		const TargetLibraryInfo *TLI,
Type *Ty) {		Type *Ty) {
assert(isAllocationFn(Alloc, TLI));		assert(isAllocationFn(Alloc, TLI));

// malloc and aligned_alloc are uninitialized (undef)		// malloc and aligned_alloc are uninitialized (undef)
if (isMallocLikeFn(Alloc, TLI) \|\| isAlignedAllocLikeFn(Alloc, TLI))		if (isMallocLikeFn(Alloc, TLI) \|\| isAlignedAllocLikeFn(Alloc, TLI))
return UndefValue::get(Ty);		return UndefValue::get(Ty);
▲ Show 20 Lines • Show All 214 Lines • ▼ Show 20 Lines	if (CE->getOpcode() == Instruction::GetElementPtr)
return visitGEPOperator(cast<GEPOperator>(*CE));		return visitGEPOperator(cast<GEPOperator>(*CE));
}		}

LLVM_DEBUG(dbgs() << "ObjectSizeOffsetVisitor::compute() unhandled value: "		LLVM_DEBUG(dbgs() << "ObjectSizeOffsetVisitor::compute() unhandled value: "
<< *V << '\n');		<< *V << '\n');
return unknown();		return unknown();
}		}

/// When we're compiling N-bit code, and the user uses parameters that are
/// greater than N bits (e.g. uint64_t on a 32-bit build), we can run into
/// trouble with APInt size issues. This function handles resizing + overflow
/// checks for us. Check and zext or trunc \p I depending on IntTyBits and
/// I's value.
bool ObjectSizeOffsetVisitor::CheckedZextOrTrunc(APInt &I) {		bool ObjectSizeOffsetVisitor::CheckedZextOrTrunc(APInt &I) {
// More bits than we can handle. Checking the bit width isn't necessary, but		return ::CheckedZextOrTrunc(I, IntTyBits);
// it's faster than checking active bits, and should give `false` in the
// vast majority of cases.
if (I.getBitWidth() > IntTyBits && I.getActiveBits() > IntTyBits)
return false;
if (I.getBitWidth() != IntTyBits)
I = I.zextOrTrunc(IntTyBits);
return true;
}		}

SizeOffsetType ObjectSizeOffsetVisitor::visitAllocaInst(AllocaInst &I) {		SizeOffsetType ObjectSizeOffsetVisitor::visitAllocaInst(AllocaInst &I) {
if (!I.getAllocatedType()->isSized())		if (!I.getAllocatedType()->isSized())
return unknown();		return unknown();

if (isa<ScalableVectorType>(I.getAllocatedType()))		if (isa<ScalableVectorType>(I.getAllocatedType()))
return unknown();		return unknown();
Show All 24 Lines	if (!MemoryTy\|\| !MemoryTy->isSized()) {
return unknown();		return unknown();
}		}

APInt Size(IntTyBits, DL.getTypeAllocSize(MemoryTy));		APInt Size(IntTyBits, DL.getTypeAllocSize(MemoryTy));
return std::make_pair(align(Size, A.getParamAlign()), Zero);		return std::make_pair(align(Size, A.getParamAlign()), Zero);
}		}

SizeOffsetType ObjectSizeOffsetVisitor::visitCallBase(CallBase &CB) {		SizeOffsetType ObjectSizeOffsetVisitor::visitCallBase(CallBase &CB) {
Optional<AllocFnsTy> FnData = getAllocationSize(&CB, TLI);		auto Mapper = [](const Value *V) { return V; };
if (!FnData)		if (Optional<APInt> Size = getAllocSize(&CB, TLI, Mapper))
return unknown();		return std::make_pair(*Size, Zero);

// Handle strdup-like functions separately.
if (FnData->AllocTy == StrDupLike) {
APInt Size(IntTyBits, GetStringLength(CB.getArgOperand(0)));
if (!Size)
return unknown();

// Strndup limits strlen.
if (FnData->FstParam > 0) {
ConstantInt *Arg =
dyn_cast<ConstantInt>(CB.getArgOperand(FnData->FstParam));
if (!Arg)
return unknown();		return unknown();

APInt MaxSize = Arg->getValue().zextOrSelf(IntTyBits);
if (Size.ugt(MaxSize))
Size = MaxSize + 1;
}
return std::make_pair(Size, Zero);
}

ConstantInt *Arg = dyn_cast<ConstantInt>(CB.getArgOperand(FnData->FstParam));
if (!Arg)
return unknown();

APInt Size = Arg->getValue();
if (!CheckedZextOrTrunc(Size))
return unknown();

// Size is determined by just 1 parameter.
if (FnData->SndParam < 0)
return std::make_pair(Size, Zero);

Arg = dyn_cast<ConstantInt>(CB.getArgOperand(FnData->SndParam));
if (!Arg)
return unknown();

APInt NumElems = Arg->getValue();
if (!CheckedZextOrTrunc(NumElems))
return unknown();

bool Overflow;
Size = Size.umul_ov(NumElems, Overflow);
return Overflow ? unknown() : std::make_pair(Size, Zero);
}		}

SizeOffsetType		SizeOffsetType
ObjectSizeOffsetVisitor::visitConstantPointerNull(ConstantPointerNull& CPN) {		ObjectSizeOffsetVisitor::visitConstantPointerNull(ConstantPointerNull& CPN) {
// If null is unknown, there's nothing we can do. Additionally, non-zero		// If null is unknown, there's nothing we can do. Additionally, non-zero
// address spaces can make use of null, so we don't presume to know anything		// address spaces can make use of null, so we don't presume to know anything
// about that.		// about that.
//		//
▲ Show 20 Lines • Show All 323 Lines • Show Last 20 Lines

llvm/lib/Transforms/IPO/AttributorAttributes.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 6,011 Lines • ▼ Show 20 Lines	if (!SimpleV.hasValue())
return APInt(64, 0);		return APInt(64, 0);
if (auto *CI = dyn_cast_or_null<ConstantInt>(SimpleV.getValue()))		if (auto *CI = dyn_cast_or_null<ConstantInt>(SimpleV.getValue()))
return CI->getValue();		return CI->getValue();
return llvm::None;		return llvm::None;
}		}

Optional<APInt> getSize(Attributor &A, const AbstractAttribute &AA,		Optional<APInt> getSize(Attributor &A, const AbstractAttribute &AA,
AllocationInfo &AI) {		AllocationInfo &AI) {
		auto Mapper = [&](const Value V) -> const Value {
		bool Dead = false;
		if (Optional<Constant > SimpleV = A.getAssumedConstant(V, AA, Dead))
		jdoerfertUnsubmitted Not Done Reply Inline Actions Nit: Not "Dead" but "UsedAssumedInformation". That will need to be exposed once we want to "fix" AllocationInfos in H2S early to avoid looking at them again in future updates. For now, I'd just use the canonical name here. jdoerfert: Nit: Not "Dead" but "UsedAssumedInformation". That will need to be exposed once we want to…
		reamesAuthorUnsubmitted Done Reply Inline Actions Bryce already got this. Though I'll note that this appears to be a dead outparam, and the more general mechanism a bunch of code complexity which is unused. (I haven't looked at the general case closely, I might be missing something.) reames: Bryce already got this. Though I'll note that this appears to be a dead outparam, and the more…
		if (*SimpleV)
		return *SimpleV;
		return V;
		};

if (AI.Kind == AllocationInfo::AllocationKind::MALLOC)		const Function *F = getAnchorScope();
return getAPInt(A, AA, *AI.CB->getArgOperand(0));		const auto TLI = A.getInfoCache().getTargetLibraryInfoForFunction(F);
		return getAllocSize(AI.CB, TLI, Mapper);
if (AI.Kind == AllocationInfo::AllocationKind::ALIGNED_ALLOC)
return getAPInt(A, AA, *AI.CB->getArgOperand(1));

assert(AI.Kind == AllocationInfo::AllocationKind::CALLOC &&
"Expected only callocs are left");
Optional<APInt> Num = getAPInt(A, AA, *AI.CB->getArgOperand(0));
Optional<APInt> Size = getAPInt(A, AA, *AI.CB->getArgOperand(1));
if (!Num.hasValue() \|\| !Size.hasValue())
return llvm::None;
bool Overflow = false;
Size = Size.getValue().umul_ov(Num.getValue(), Overflow);
return Overflow ? llvm::None : Size;
}		}

/// Collection of all malloc-like calls in a function with associated		/// Collection of all malloc-like calls in a function with associated
/// information.		/// information.
DenseMap<CallBase , AllocationInfo > AllocationInfos;		DenseMap<CallBase , AllocationInfo > AllocationInfos;

/// Collection of all free-like calls in a function with associated		/// Collection of all free-like calls in a function with associated
/// information.		/// information.
▲ Show 20 Lines • Show All 3,936 Lines • Show Last 20 Lines