This is an archive of the discontinued LLVM Phabricator instance.

Differential D126110

[BOLT] Fix AND evaluation bug in shrink wrapping
ClosedPublic

Authored by rafauler on May 20 2022, 8:19 PM.

Details

Reviewers
Amir
maksfb
yota9
ayermolo
zr33
Commits
rGc09cd64e5c6d: [BOLT] Fix AND evaluation bug in shrink wrapping
Summary

Fix a bug where shrink-wrapping would use wrong stack offsets
because the stack was being aligned with an AND instruction, hence,
making its true offsets only available during runtime (we can't
statically determine where are the stack elements and we must give up
on this case).

Diff Detail

Event Timeline

rafauler created this revision.May 20 2022, 8:19 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 20 2022, 8:19 PM
Herald added a subscriber: pengfei. · View Herald Transcript
rafauler requested review of this revision.May 20 2022, 8:19 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 20 2022, 8:19 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B165635: Diff 431115.May 20 2022, 8:25 PM
Amir added a comment.May 20 2022, 9:36 PM

I'm concerned that the fix is an overkill and doesn't address the root cause.
From what I understand, evaluateSimple can only evaluate a constant when given an instruction it understands and a pair of <reg, val> for use in evaluation. So the problem must be with the calling code – that the value of rsp is considered a constant while it's actually not (at least not in this case).

Even if it's not the case, I would like to keep the evaluation of and – it might be handy in other contexts – but restrict shrink-wrapping from using it.

rafauler added a comment.May 23 2022, 3:23 PM
In D126110#3529103, @Amir wrote:

I'm concerned that the fix is an overkill and doesn't address the root cause.
From what I understand, evaluateSimple can only evaluate a constant when given an instruction it understands and a pair of <reg, val> for use in evaluation. So the problem must be with the calling code – that the value of rsp is considered a constant while it's actually not (at least not in this case).

Even if it's not the case, I would like to keep the evaluation of and – it might be handy in other contexts – but restrict shrink-wrapping from using it.

That makes a lot of sense! Here's what I'm thinking. I would like to have two versions of this function to support this requirement. When we are evaluating offsets (such as stack offsets), only a subset of operations are supported. That's because most of the time we are operating without full knowledge of the actual operands, but rather offsets that are added to an unknown base (x + Offset, and we are doing transformations to Offset to reason about a specific property). In these cases, using other operators that don't have associativity with addition of (x + Offset), where x is the stack base, will break the analysis. In the case of the bug fixed here, "(x + Offset) AND Constant" is not the same as "x + (Offset AND Constant)" (no associativity), hence we can't support AND. But "(x + Offset) + Displacement+ Index * Size", such as LEA, is the same as "x + (Offset + Displacement + Index * Size)", so it's fine to support LEA as long as we are only feeding Base as the input of the expression. ADD and SUB are supported as well.

But I don't think it's a good idea to add a boolean value such as "OnlyBaseOffsetAssociativeOperations=true" as a parameter to this function. Rather, I would prefer to break it into two functions, evaluateSimple, used for offsets, and evaluate(), which calls evaluateSimple and if it fails, try a bunch more operations that assume that the operands are fully known during evaluation time. But at the moment, I can't find any places in our codebase that would be users of evaluate() (the more general evaluation function), and thus I'm less inclined to add it as it would be currently dead code. Let me know if you have other ideas on how to move forward. Meanwhile I'll improve the comments on the usage of evaluateSimple to make it clear its intended usage.

Amir added a comment.May 23 2022, 3:45 PM
In D126110#3532607, @rafauler wrote:
In D126110#3529103, @Amir wrote:

I'm concerned that the fix is an overkill and doesn't address the root cause.
From what I understand, evaluateSimple can only evaluate a constant when given an instruction it understands and a pair of <reg, val> for use in evaluation. So the problem must be with the calling code – that the value of rsp is considered a constant while it's actually not (at least not in this case).

Even if it's not the case, I would like to keep the evaluation of and – it might be handy in other contexts – but restrict shrink-wrapping from using it.

That makes a lot of sense! Here's what I'm thinking. I would like to have two versions of this function to support this requirement. When we are evaluating offsets (such as stack offsets), only a subset of operations are supported. That's because most of the time we are operating without full knowledge of the actual operands, but rather offsets that are added to an unknown base (x + Offset, and we are doing transformations to Offset to reason about a specific property). In these cases, using other operators that don't have associativity with addition of (x + Offset), where x is the stack base, will break the analysis. In the case of the bug fixed here, "(x + Offset) AND Constant" is not the same as "x + (Offset AND Constant)" (no associativity), hence we can't support AND. But "(x + Offset) + Displacement+ Index * Size", such as LEA, is the same as "x + (Offset + Displacement + Index * Size)", so it's fine to support LEA as long as we are only feeding Base as the input of the expression. ADD and SUB are supported as well.

But I don't think it's a good idea to add a boolean value such as "OnlyBaseOffsetAssociativeOperations=true" as a parameter to this function. Rather, I would prefer to break it into two functions, evaluateSimple, used for offsets, and evaluate(), which calls evaluateSimple and if it fails, try a bunch more operations that assume that the operands are fully known during evaluation time. But at the moment, I can't find any places in our codebase that would be users of evaluate() (the more general evaluation function), and thus I'm less inclined to add it as it would be currently dead code. Let me know if you have other ideas on how to move forward. Meanwhile I'll improve the comments on the usage of evaluateSimple to make it clear its intended usage.

Thank you, now I understand the problem and how this change addresses it.
I agree that removing the handling of AND and renaming the function to something like evaluateAssociative (simple is not self-explanatory) would be OK.
We can add a generic evaluate later on when the need arises.

rafauler updated this revision to Diff 431504.May 23 2022, 3:45 PM

Rename evaluateSimple function and make it clear its intended usage.

Amir accepted this revision.May 23 2022, 3:49 PM

Thanks!

This revision is now accepted and ready to land.May 23 2022, 3:49 PM
Harbormaster completed remote builds in B165933: Diff 431504.May 23 2022, 3:52 PM
rafauler updated this revision to Diff 431507.May 23 2022, 3:55 PM

Fix nit in testcase and update assert message in ValidateInternalCalls

Harbormaster completed remote builds in B165936: Diff 431507.May 23 2022, 4:01 PM
Closed by commit rGc09cd64e5c6d: [BOLT] Fix AND evaluation bug in shrink wrapping (authored by rafauler). · Explain WhyMay 26 2022, 2:59 PM
This revision was automatically updated to reflect the committed changes.
rafauler added a commit: rGc09cd64e5c6d: [BOLT] Fix AND evaluation bug in shrink wrapping.

Revision Contents

PathSize
bolt/
include/
bolt/
Core/
22 lines
Passes/
4 lines
lib/
Passes/
6 lines
4 lines
2 lines
4 lines
Target/
X86/
17 lines
test/
X86/
55 lines

Diff 432396

bolt/include/bolt/Core/MCPlusBuilder.h

Show First 20 LinesShow All 903 Lines▼ Show 20 Linespublic:
/// Identify stack adjustment instructions -- those that change the stack /// Identify stack adjustment instructions -- those that change the stack
/// pointer by adding or subtracting an immediate. /// pointer by adding or subtracting an immediate.
virtual bool isStackAdjustment(const MCInst &Inst) const { virtual bool isStackAdjustment(const MCInst &Inst) const {
llvm_unreachable("not implemented"); llvm_unreachable("not implemented");
return false; return false;
} }
/// Use \p Input1 or Input2 as the current value for the input register and /// Use \p Input1 or Input2 as the current value for the input
/// put in \p Output the changes incurred by executing \p Inst. Return false /// register and put in \p Output the changes incurred by executing
/// if it was not possible to perform the evaluation. /// \p Inst. Return false if it was not possible to perform the
virtual bool evaluateSimple(const MCInst &Inst, int64_t &Output, /// evaluation. evaluateStackOffsetExpr is restricted to operations
/// that have associativity with addition. Its intended usage is for
/// evaluating stack offset changes. In these cases, expressions
/// appear in the form of (x + offset) OP constant, where x is an
/// unknown base (such as stack base) but offset and constant are
/// known. In these cases, \p Output represents the new stack offset
/// after executing \p Inst. Because we don't know x, we can't
/// evaluate operations such as multiply or AND/OR, e.g. (x +
/// offset) OP constant is not the same as x + (offset OP constant).
virtual bool
evaluateStackOffsetExpr(const MCInst &Inst, int64_t &Output,
std::pair<MCPhysReg, int64_t> Input1, std::pair<MCPhysReg, int64_t> Input1,
std::pair<MCPhysReg, int64_t> Input2) const { std::pair<MCPhysReg, int64_t> Input2) const {
llvm_unreachable("not implemented"); llvm_unreachable("not implemented");
return false; return false;
} }
virtual bool isRegToRegMove(const MCInst &Inst, MCPhysReg &From, virtual bool isRegToRegMove(const MCInst &Inst, MCPhysReg &From,
MCPhysReg &To) const { MCPhysReg &To) const {
llvm_unreachable("not implemented"); llvm_unreachable("not implemented");
return false; return false;
▲ Show 20 LinesShow All 1,005 LinesShow Last 20 Lines

bolt/include/bolt/Passes/StackPointerTracking.h

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines if (this->BC.MII->get(Point.getOpcode())
else else
SP = std::make_pair(0, 0); SP = std::make_pair(0, 0);
std::pair<MCPhysReg, int64_t> FP; std::pair<MCPhysReg, int64_t> FP;
if (FPVal != EMPTY && FPVal != SUPERPOSITION) if (FPVal != EMPTY && FPVal != SUPERPOSITION)
FP = std::make_pair(MIB->getFramePointer(), FPVal); FP = std::make_pair(MIB->getFramePointer(), FPVal);
else else
FP = std::make_pair(0, 0); FP = std::make_pair(0, 0);
int64_t Output; int64_t Output;
if (!MIB->evaluateSimple(Point, Output, SP, FP)) { if (!MIB->evaluateStackOffsetExpr(Point, Output, SP, FP)) {
if (SPVal == EMPTY && FPVal == EMPTY) if (SPVal == EMPTY && FPVal == EMPTY)
return SPVal; return SPVal;
return SUPERPOSITION; return SUPERPOSITION;
} }
return static_cast<int>(Output); return static_cast<int>(Output);
} }
Show All 18 Lines if (this->BC.MII->get(Point.getOpcode())
else else
FP = std::make_pair(0, 0); FP = std::make_pair(0, 0);
std::pair<MCPhysReg, int64_t> SP; std::pair<MCPhysReg, int64_t> SP;
if (SPVal != EMPTY && SPVal != SUPERPOSITION) if (SPVal != EMPTY && SPVal != SUPERPOSITION)
SP = std::make_pair(MIB->getStackPointer(), SPVal); SP = std::make_pair(MIB->getStackPointer(), SPVal);
else else
SP = std::make_pair(0, 0); SP = std::make_pair(0, 0);
int64_t Output; int64_t Output;
if (!MIB->evaluateSimple(Point, Output, SP, FP)) { if (!MIB->evaluateStackOffsetExpr(Point, Output, SP, FP)) {
if (SPVal == EMPTY && FPVal == EMPTY) if (SPVal == EMPTY && FPVal == EMPTY)
return FPVal; return FPVal;
return SUPERPOSITION; return SUPERPOSITION;
} }
if (!HasFramePointer && MIB->escapesVariable(Point, false)) if (!HasFramePointer && MIB->escapesVariable(Point, false))
HasFramePointer = true; HasFramePointer = true;
return static_cast<int>(Output); return static_cast<int>(Output);
▲ Show 20 LinesShow All 48 LinesShow Last 20 Lines

bolt/lib/Passes/AllocCombiner.cpp

Show All 23 Lines
namespace llvm { namespace llvm {
namespace bolt { namespace bolt {
namespace { namespace {
bool getStackAdjustmentSize(const BinaryContext &BC, const MCInst &Inst, bool getStackAdjustmentSize(const BinaryContext &BC, const MCInst &Inst,
int64_t &Adjustment) { int64_t &Adjustment) {
return BC.MIB->evaluateSimple(Inst, Adjustment, return BC.MIB->evaluateStackOffsetExpr(
std::make_pair(BC.MIB->getStackPointer(), 0LL), Inst, Adjustment, std::make_pair(BC.MIB->getStackPointer(), 0LL),
std::make_pair(0, 0LL)); std::make_pair(0, 0LL));
} }
bool isIndifferentToSP(const MCInst &Inst, const BinaryContext &BC) { bool isIndifferentToSP(const MCInst &Inst, const BinaryContext &BC) {
if (BC.MIB->isCFI(Inst)) if (BC.MIB->isCFI(Inst))
return true; return true;
const MCInstrDesc II = BC.MII->get(Inst.getOpcode()); const MCInstrDesc II = BC.MII->get(Inst.getOpcode());
if (BC.MIB->isTerminator(Inst) || if (BC.MIB->isTerminator(Inst) ||
▲ Show 20 LinesShow All 81 LinesShow Last 20 Lines

bolt/lib/Passes/ShrinkWrapping.cpp

Show First 20 LinesShow All 240 Lines▼ Show 20 Linesvoid StackLayoutModifier::checkFramePointerInitialization(MCInst &Point) {
std::pair<MCPhysReg, int64_t> SP; std::pair<MCPhysReg, int64_t> SP;
if (SPVal != SPT.EMPTY && SPVal != SPT.SUPERPOSITION) if (SPVal != SPT.EMPTY && SPVal != SPT.SUPERPOSITION)
SP = std::make_pair(BC.MIB->getStackPointer(), SPVal); SP = std::make_pair(BC.MIB->getStackPointer(), SPVal);
else else
SP = std::make_pair(0, 0); SP = std::make_pair(0, 0);
int64_t Output; int64_t Output;
if (!BC.MIB->evaluateSimple(Point, Output, SP, FP)) if (!BC.MIB->evaluateStackOffsetExpr(Point, Output, SP, FP))
return; return;
// Not your regular frame pointer initialization... bail // Not your regular frame pointer initialization... bail
if (Output != SPVal) if (Output != SPVal)
blacklistRegion(0, 0); blacklistRegion(0, 0);
} }
void StackLayoutModifier::checkStackPointerRestore(MCInst &Point) { void StackLayoutModifier::checkStackPointerRestore(MCInst &Point) {
Show All 31 Linesvoid StackLayoutModifier::checkStackPointerRestore(MCInst &Point) {
std::pair<MCPhysReg, int64_t> SP; std::pair<MCPhysReg, int64_t> SP;
if (SPVal != SPT.EMPTY && SPVal != SPT.SUPERPOSITION) if (SPVal != SPT.EMPTY && SPVal != SPT.SUPERPOSITION)
SP = std::make_pair(BC.MIB->getStackPointer(), SPVal); SP = std::make_pair(BC.MIB->getStackPointer(), SPVal);
else else
SP = std::make_pair(0, 0); SP = std::make_pair(0, 0);
int64_t Output; int64_t Output;
if (!BC.MIB->evaluateSimple(Point, Output, SP, FP)) if (!BC.MIB->evaluateStackOffsetExpr(Point, Output, SP, FP))
return; return;
// If the value is the same of FP, no need to adjust it // If the value is the same of FP, no need to adjust it
if (Output == FPVal) if (Output == FPVal)
return; return;
// If an allocation happened through FP, bail // If an allocation happened through FP, bail
if (Output <= SPVal) { if (Output <= SPVal) {
▲ Show 20 LinesShow All 1,769 LinesShow Last 20 Lines

bolt/lib/Passes/StackAllocationAnalysis.cpp

Show First 20 LinesShow All 128 Lines▼ Show 20 Lines if (BC.MII->get(Point.getOpcode())
else else
SP = std::make_pair(0, 0); SP = std::make_pair(0, 0);
std::pair<MCPhysReg, int64_t> FP; std::pair<MCPhysReg, int64_t> FP;
if (FPOffset != SPT.EMPTY && FPOffset != SPT.SUPERPOSITION) if (FPOffset != SPT.EMPTY && FPOffset != SPT.SUPERPOSITION)
FP = std::make_pair(MIB->getFramePointer(), FPOffset); FP = std::make_pair(MIB->getFramePointer(), FPOffset);
else else
FP = std::make_pair(0, 0); FP = std::make_pair(0, 0);
int64_t Output; int64_t Output;
if (!MIB->evaluateSimple(Point, Output, SP, FP)) if (!MIB->evaluateStackOffsetExpr(Point, Output, SP, FP))
return Next; return Next;
if (SPOffset < Output) { if (SPOffset < Output) {
Next = doKill(Point, Next, Output - SPOffset); Next = doKill(Point, Next, Output - SPOffset);
return Next; return Next;
} }
if (SPOffset > Output) { if (SPOffset > Output) {
Next.set(this->ExprToIdx[&Point]); Next.set(this->ExprToIdx[&Point]);
return Next; return Next;
} }
} }
return Next; return Next;
} }
} // end namespace bolt } // end namespace bolt
} // end namespace llvm } // end namespace llvm

bolt/lib/Passes/ValidateInternalCalls.cpp

Show First 20 LinesShow All 255 Lines▼ Show 20 Lines for (MCInst &Inst : BB) {
BitVector UsedRegs = BitVector(BC.MRI->getNumRegs(), false); BitVector UsedRegs = BitVector(BC.MRI->getNumRegs(), false);
BC.MIB->getTouchedRegs(Use, UsedRegs); BC.MIB->getTouchedRegs(Use, UsedRegs);
if (!UsedRegs[Reg]) if (!UsedRegs[Reg])
continue; continue;
UseDetected = true; UseDetected = true;
int64_t Output; int64_t Output;
std::pair<MCPhysReg, int64_t> Input1 = std::make_pair(Reg, 0); std::pair<MCPhysReg, int64_t> Input1 = std::make_pair(Reg, 0);
std::pair<MCPhysReg, int64_t> Input2 = std::make_pair(0, 0); std::pair<MCPhysReg, int64_t> Input2 = std::make_pair(0, 0);
if (!BC.MIB->evaluateSimple(Use, Output, Input1, Input2)) { if (!BC.MIB->evaluateStackOffsetExpr(Use, Output, Input1, Input2)) {
LLVM_DEBUG(dbgs() << "Evaluate simple failed.\n"); LLVM_DEBUG(dbgs() << "Evaluate stack offset expr failed.\n");
return false; return false;
} }
if (Offset + Output < 0 || if (Offset + Output < 0 ||
Offset + Output > static_cast<int64_t>(Function.getSize())) { Offset + Output > static_cast<int64_t>(Function.getSize())) {
LLVM_DEBUG({ LLVM_DEBUG({
dbgs() << "Detected out-of-range PIC reference in " << Function dbgs() << "Detected out-of-range PIC reference in " << Function
<< "\nReturn address load: "; << "\nReturn address load: ";
BC.InstPrinter->printInst(TargetInst, 0, "", *BC.STI, dbgs()); BC.InstPrinter->printInst(TargetInst, 0, "", *BC.STI, dbgs());
▲ Show 20 LinesShow All 70 LinesShow Last 20 Lines

bolt/lib/Target/X86/X86MCPlusBuilder.cpp

Show First 20 LinesShow All 1,238 Lines▼ Show 20 Lines bool isStackAdjustment(const MCInst &Inst) const override {
for (int I = 0, E = MCII.getNumDefs(); I != E; ++I) { for (int I = 0, E = MCII.getNumDefs(); I != E; ++I) {
const MCOperand &Operand = Inst.getOperand(I); const MCOperand &Operand = Inst.getOperand(I);
if (Operand.isReg() && Operand.getReg() == X86::RSP) if (Operand.isReg() && Operand.getReg() == X86::RSP)
return true; return true;
} }
return false; return false;
} }
bool evaluateSimple(const MCInst &Inst, int64_t &Output, bool
evaluateStackOffsetExpr(const MCInst &Inst, int64_t &Output,
std::pair<MCPhysReg, int64_t> Input1, std::pair<MCPhysReg, int64_t> Input1,
std::pair<MCPhysReg, int64_t> Input2) const override { std::pair<MCPhysReg, int64_t> Input2) const override {
auto getOperandVal = [&](MCPhysReg Reg) -> ErrorOr<int64_t> { auto getOperandVal = [&](MCPhysReg Reg) -> ErrorOr<int64_t> {
if (Reg == Input1.first) if (Reg == Input1.first)
return Input1.second; return Input1.second;
if (Reg == Input2.first) if (Reg == Input2.first)
return Input2.second; return Input2.second;
return make_error_code(errc::result_out_of_range); return make_error_code(errc::result_out_of_range);
}; };
switch (Inst.getOpcode()) { switch (Inst.getOpcode()) {
default: default:
return false; return false;
case X86::AND64ri32:
case X86::AND64ri8:
if (!Inst.getOperand(2).isImm())
return false;
if (ErrorOr<int64_t> InputVal =
getOperandVal(Inst.getOperand(1).getReg()))
Output = *InputVal & Inst.getOperand(2).getImm();
else
return false;
break;
case X86::SUB64ri32: case X86::SUB64ri32:
case X86::SUB64ri8: case X86::SUB64ri8:
if (!Inst.getOperand(2).isImm()) if (!Inst.getOperand(2).isImm())
return false; return false;
if (ErrorOr<int64_t> InputVal = if (ErrorOr<int64_t> InputVal =
getOperandVal(Inst.getOperand(1).getReg())) getOperandVal(Inst.getOperand(1).getReg()))
Output = *InputVal - Inst.getOperand(2).getImm(); Output = *InputVal - Inst.getOperand(2).getImm();
else else
▲ Show 20 LinesShow All 2,444 LinesShow Last 20 Lines

bolt/test/X86/shrinkwrapping-and-rsp.s

  • This file was added.
# This checks that shrink wrapping does attempt at accessing stack elements
# using RSP when the function is aligning RSP and changing offsets.
# REQUIRES: system-linux
# RUN: llvm-mc -filetype=obj -triple x86_64-unknown-unknown \
# RUN: %s -o %t.o
# RUN: link_fdata %s %t.o %t.fdata
# RUN: llvm-strip --strip-unneeded %t.o
# RUN: %clang %cflags %t.o -o %t.exe -Wl,-q -nostdlib
# RUN: llvm-bolt %t.exe -o %t.out -data %t.fdata \
# RUN: -frame-opt=all -simplify-conditional-tail-calls=false \
# RUN: -eliminate-unreachable=false | FileCheck %s
# Here we have a function that aligns the stack at prologue. Stack pointer
# analysis can't try to infer offset positions after AND because that depends
# on the runtime value of the stack pointer of callee (whether it is misaligned
# or not).
.globl _start
.type _start, %function
_start:
.cfi_startproc
# FDATA: 0 [unknown] 0 1 _start 0 0 1
push %rbp
mov %rsp, %rbp
push %rbx
push %r14
and $0xffffffffffffffe0,%rsp
subq $0x20, %rsp
b: je hot_path
# FDATA: 1 _start #b# 1 _start #hot_path# 0 1
cold_path:
mov %r14, %rdi
mov %rbx, %rdi
# Block push-pop mode by using an instruction that requires the
# stack to be aligned to 128B. This will force the pass
# to try to index stack elements by using RSP +offset directly, but
# we do not know how to access individual elements of the stack thanks
# to the alignment.
movdqa %xmm8, (%rsp)
addq $0x20, %rsp
pop %r14
pop %rbx
pop %rbp
ret
hot_path:
addq $0x20, %rsp
pop %r14
pop %rbx
pop %rbp
ret
.cfi_endproc
.size _start, .-_start
# CHECK: BOLT-INFO: Shrink wrapping moved 0 spills inserting load/stores and 0 spills inserting push/pops