//===- StackSafetyAnalysis.cpp - Stack memory safety analysis -------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
//===----------------------------------------------------------------------===//
10
11#include "llvm/Analysis/StackSafetyAnalysis.h"
12#include "llvm/ADT/APInt.h"
13#include "llvm/ADT/SmallPtrSet.h"
14#include "llvm/ADT/SmallVector.h"
15#include "llvm/ADT/Statistic.h"
16#include "llvm/Analysis/ModuleSummaryAnalysis.h"
17#include "llvm/Analysis/ScalarEvolution.h"
18#include "llvm/Analysis/StackLifetime.h"
19#include "llvm/IR/ConstantRange.h"
20#include "llvm/IR/DerivedTypes.h"
21#include "llvm/IR/GlobalValue.h"
22#include "llvm/IR/InstIterator.h"
23#include "llvm/IR/Instruction.h"
24#include "llvm/IR/Instructions.h"
25#include "llvm/IR/IntrinsicInst.h"
26#include "llvm/IR/ModuleSummaryIndex.h"
27#include "llvm/InitializePasses.h"
28#include "llvm/Support/Casting.h"
29#include "llvm/Support/CommandLine.h"
30#include "llvm/Support/FormatVariadic.h"
31#include "llvm/Support/raw_ostream.h"
32#include <algorithm>
33#include <memory>
34#include <tuple>
35
36using namespace llvm;
37
38#define DEBUG_TYPE "stack-safety"
39
// Per-alloca verdict counters.
STATISTIC(NumAllocaStackSafe, "Number of safe allocas");
STATISTIC(NumAllocaTotal, "Number of total allocas");

// Callee lookup counters, split by the index that was consulted.
STATISTIC(NumCombinedCalleeLookupTotal,
          "Number of total callee lookups on combined index.");
STATISTIC(NumCombinedCalleeLookupFailed,
          "Number of failed callee lookups on combined index.");
STATISTIC(NumModuleCalleeLookupTotal,
          "Number of total callee lookups on module index.");
STATISTIC(NumModuleCalleeLookupFailed,
          "Number of failed callee lookups on module index.");

// Parameter-access summary counters.
STATISTIC(NumCombinedParamAccessesBefore,
          "Number of total param accesses before generateParamAccessSummary.");
STATISTIC(NumCombinedParamAccessesAfter,
          "Number of total param accesses after generateParamAccessSummary.");
STATISTIC(NumCombinedDataFlowNodes,
          "Number of total nodes in combined index for dataflow processing.");

// Reasons a callee could not be resolved to a single summary.
STATISTIC(NumIndexCalleeUnhandled,
          "Number of index callee which are unhandled.");
STATISTIC(NumIndexCalleeMultipleWeak,
          "Number of index callee non-unique weak.");
STATISTIC(NumIndexCalleeMultipleExternal,
          "Number of index callee non-unique external.");
60
61
// Upper bound on per-function updates in the data-flow fixed point. Once a
// function's update count exceeds it, further changes widen the affected
// parameter ranges straight to the full set.
static cl::opt<int> StackSafetyMaxIterations("stack-safety-max-iterations",
                                             cl::Hidden, cl::init(20));

// When set, the global info is printed to errs() as soon as it is computed.
static cl::opt<bool> StackSafetyPrint("stack-safety-print", cl::Hidden,
                                      cl::init(false));

// When set, constructing StackSafetyGlobalInfo computes the info eagerly
// instead of on first query.
static cl::opt<bool> StackSafetyRun("stack-safety-run", cl::Hidden,
                                    cl::init(false));
70
71namespace {
72
/// Returns true for ranges the analysis bails out on: the empty set, the full
/// set, and upper-sign-wrapped ranges.
bool isUnsafe(const ConstantRange &R) {
  if (R.isEmptySet() || R.isFullSet())
    return true;
  return R.isUpperSignWrapped();
}
77
/// Adds two ranges that must not be sign-wrapped. Unless the signed addition
/// is known to never overflow, the result is widened to the full set of L's
/// bit width rather than risk a wrapped (and therefore misleading) range.
ConstantRange addOverflowNever(const ConstantRange &L, const ConstantRange &R) {
  assert(!L.isSignWrappedSet());
  assert(!R.isSignWrappedSet());
  const bool NeverOverflows =
      L.signedAddMayOverflow(R) ==
      ConstantRange::OverflowResult::NeverOverflows;
  if (!NeverOverflows)
    return ConstantRange::getFull(L.getBitWidth());
  ConstantRange Sum = L.add(R);
  assert(!Sum.isSignWrappedSet());
  return Sum;
}
88
/// Unions two ranges that must not be sign-wrapped. The union of two
/// non-wrapped ranges can itself be sign-wrapped; in that case the full set of
/// the same bit width is returned instead.
ConstantRange unionNoWrap(const ConstantRange &L, const ConstantRange &R) {
  assert(!L.isSignWrappedSet());
  assert(!R.isSignWrappedSet());
  ConstantRange Joined = L.unionWith(R);
  if (!Joined.isSignWrappedSet())
    return Joined;
  return ConstantRange::getFull(Joined.getBitWidth());
}
98
/// Describes one use of an address as an argument of a function call.
template <typename CalleeTy> struct CallInfo {
  /// Function being called.
  const CalleeTy *Callee = nullptr;
  /// Index of the argument through which the address is passed.
  size_t ParamNo = 0;

  CallInfo(const CalleeTy *Callee, size_t ParamNo)
      : Callee(Callee), ParamNo(ParamNo) {}

  /// Ordering used for map keys: parameter index first, then callee pointer.
  struct Less {
    bool operator()(const CallInfo &L, const CallInfo &R) const {
      if (L.ParamNo != R.ParamNo)
        return L.ParamNo < R.ParamNo;
      return L.Callee < R.Callee;
    }
  };
};
115
/// Describes how an address (alloca or parameter) is used inside a function.
template <typename CalleeTy> struct UseInfo {
  // Access range of the address (alloca or parameter).
  // It may be the empty set when there are no known accesses.
  ConstantRange Range;
  // Instructions that were recorded through addRange() with IsSafe == false.
  std::set<const Instruction *> UnsafeAccesses;

  // Calls that receive the address as an argument.
  // The mapped value is the offset range of the passed address from the base
  // address (alloca or argument of the calling function). It must never be the
  // empty set: that is an invalid access range, and ConstantRange::add would
  // propagate the empty set further.
  using CallsTy = std::map<CallInfo<CalleeTy>, ConstantRange,
                           typename CallInfo<CalleeTy>::Less>;
  CallsTy Calls;

  // Starts with an empty range of PointerSize bits.
  UseInfo(unsigned PointerSize) : Range(PointerSize, /*isFullSet=*/false) {}

  // Widens Range to also cover R; a sign-wrapped union becomes the full set.
  void updateRange(const ConstantRange &R) { Range = unionNoWrap(Range, R); }

  // Records an access by I covering R, remembering I when it is not safe.
  void addRange(const Instruction *I, const ConstantRange &R, bool IsSafe) {
    if (!IsSafe)
      UnsafeAccesses.insert(I);
    Range = unionNoWrap(Range, R);
  }
};
141
/// Prints the access range followed by one ", @callee(argN, offsets)" entry
/// per recorded call.
template <typename CalleeTy>
raw_ostream &operator<<(raw_ostream &OS, const UseInfo<CalleeTy> &U) {
  OS << U.Range;
  for (const auto &[Call, Offsets] : U.Calls) {
    OS << ", "
       << "@" << Call.Callee->getName();
    OS << "(arg" << Call.ParamNo << ", " << Offsets << ")";
  }
  return OS;
}
151
/// Calculates the allocation size of a given alloca as the range [0, size).
/// Returns the empty range whenever the size cannot be established: a
/// scalable type, a non-positive size, a non-constant or non-positive array
/// count, or an overflowing multiplication.
ConstantRange getStaticAllocaSizeRange(const AllocaInst &AI) {
  const DataLayout &DL = AI.getDataLayout();
  TypeSize TS = DL.getTypeAllocSize(AI.getAllocatedType());
  unsigned PointerSize = DL.getPointerTypeSizeInBits(AI.getType());
  // The empty range is the fallback answer for every bail-out below.
  const ConstantRange Unknown = ConstantRange::getEmpty(PointerSize);
  if (TS.isScalable())
    return Unknown;

  APInt APSize(PointerSize, TS.getFixedValue(), true);
  if (APSize.isNonPositive())
    return Unknown;

  if (AI.isArrayAllocation()) {
    const auto *Count = dyn_cast<ConstantInt>(AI.getArraySize());
    if (!Count)
      return Unknown;
    APInt Mul = Count->getValue();
    if (Mul.isNonPositive())
      return Unknown;
    // Element size times element count, rejected if the signed product
    // overflows the pointer width.
    bool Overflow = false;
    Mul = Mul.sextOrTrunc(PointerSize);
    APSize = APSize.smul_ov(Mul, Overflow);
    if (Overflow)
      return Unknown;
  }

  ConstantRange R(APInt::getZero(PointerSize), APSize);
  assert(!isUnsafe(R));
  return R;
}
182
/// Stack-safety facts collected for a single function: one UseInfo per alloca
/// and one per analyzed parameter.
template <typename CalleeTy> struct FunctionInfo {
  std::map<const AllocaInst *, UseInfo<CalleeTy>> Allocas;
  std::map<uint32_t, UseInfo<CalleeTy>> Params;
  // TODO: describe return value as depending on one or more of its arguments.

  // StackSafetyDataFlowAnalysis counter stored here for faster access.
  int UpdateCount = 0;

  /// Prints the function header, then the uses of each parameter and alloca.
  /// F may be null, in which case parameters are printed as "argN" and no
  /// allocas are expected.
  void print(raw_ostream &O, StringRef Name, const Function *F) const {
    // TODO: Consider different printout format after
    // StackSafetyDataFlowAnalysis. Calls and parameters are irrelevant then.
    const bool IsDSOLocal = F && F->isDSOLocal();
    const bool IsInterposable = F && F->isInterposable();
    O << " @" << Name << (IsDSOLocal ? "" : " dso_preemptable")
      << (IsInterposable ? " interposable" : "") << "\n";

    O << " args uses:\n";
    for (const auto &[ParamNo, Use] : Params) {
      O << " ";
      if (F)
        O << F->getArg(ParamNo)->getName();
      else
        O << formatv("arg{0}", ParamNo);
      O << "[]: " << Use << "\n";
    }

    O << " allocas uses:\n";
    if (!F) {
      assert(Allocas.empty());
      return;
    }
    for (const auto &I : instructions(F)) {
      const auto *AI = dyn_cast<AllocaInst>(&I);
      if (!AI)
        continue;
      // The lookup result is dereferenced unchecked: every alloca of F is
      // assumed to have an entry in Allocas.
      const auto &AS = Allocas.find(AI)->second;
      O << " " << AI->getName() << "["
        << getStaticAllocaSizeRange(*AI).getUpper() << "]: " << AS << "\n";
    }
  }
};
221
/// Per-function stack-safety information, keyed by the function's
/// GlobalValue.
using GVToSSI = std::map<const GlobalValue *, FunctionInfo<GlobalValue>>;
223
224} // namespace
225
/// Payload of StackSafetyInfo: the result of the local analysis of one
/// function.
struct StackSafetyInfo::InfoTy {
  FunctionInfo<GlobalValue> Info;
};
229
/// Payload of StackSafetyGlobalInfo.
struct StackSafetyGlobalInfo::InfoTy {
  // Per-function results after call resolution and data-flow propagation.
  GVToSSI Info;
  // Allocas whose static size range contains their whole computed access
  // range; isSafe() answers from this set.
  SmallPtrSet<const AllocaInst *, 8> SafeAllocas;
  // Union of the UnsafeAccesses of every alloca; stackAccessIsSafe() answers
  // from this set.
  std::set<const Instruction *> UnsafeAccesses;
};
235
236namespace {
237
/// Function-local part of the analysis: for every alloca and every pointer
/// argument it collects the accessed offset range and the calls the address
/// is passed to.
class StackSafetyLocalAnalysis {
  Function &F;
  const DataLayout &DL;
  ScalarEvolution &SE;
  unsigned PointerSize = 0;

  // Full set of PointerSize bits; the answer whenever an access cannot be
  // bounded.
  const ConstantRange UnknownRange;

  /// FIXME: This function is a bandaid, it's only needed
  /// because this pass doesn't handle address spaces of different pointer
  /// sizes.
  ///
  /// \returns \p Val's SCEV as a pointer of AS zero, or nullptr if it can't be
  /// converted to AS 0.
  const SCEV *getSCEVAsPointer(Value *Val);

  // Range of (Addr - Base), or UnknownRange when it cannot be computed.
  ConstantRange offsetFrom(Value *Addr, Value *Base);

  // Range of offsets from Base touched by an access of the given size at Addr.
  ConstantRange getAccessRange(Value *Addr, Value *Base, TypeSize Size);
  ConstantRange getAccessRange(Value *Addr, Value *Base,
                               const ConstantRange &SizeRange);
  ConstantRange getMemIntrinsicAccessRange(const MemIntrinsic *MI,
                                           const Use &U, Value *Base);

  // Whether the access through U provably stays inside the alloca AI.
  bool isSafeAccess(const Use &U, AllocaInst *AI, TypeSize AccessSize);
  bool isSafeAccess(const Use &U, AllocaInst *AI, Value *V);
  bool isSafeAccess(const Use &U, AllocaInst *AI, const SCEV *AccessSize);

  void analyzeAllUses(Value *Ptr, UseInfo<GlobalValue> &AS,
                      const StackLifetime &SL);

public:
  StackSafetyLocalAnalysis(Function &F, ScalarEvolution &SE)
      : F(F), DL(F.getDataLayout()), SE(SE),
        PointerSize(DL.getPointerSizeInBits()),
        UnknownRange(PointerSize, true) {}

  // Run the analysis on the associated function.
  FunctionInfo<GlobalValue> run();
};
278
/// Returns the SCEV of Val viewed as an address-space-0 pointer, or nullptr
/// for a pointer in any other address space.
const SCEV *StackSafetyLocalAnalysis::getSCEVAsPointer(Value *Val) {
  Type *ValTy = Val->getType();

  if (ValTy->isPointerTy()) {
    // We don't handle targets with multiple address spaces.
    if (ValTy->getPointerAddressSpace() != 0)
      return nullptr;
    return SE.getSCEV(Val);
  }

  // Non-pointer values are truncated or zero-extended to the unqualified
  // pointer type.
  auto *PtrTy = PointerType::getUnqual(SE.getContext());
  return SE.getTruncateOrZeroExtend(SE.getSCEV(Val), PtrTy);
}
292
/// Computes the signed range of (Addr - Base), sign-extended or truncated to
/// PointerSize bits. Every failure mode collapses to UnknownRange: a type
/// SCEV cannot model, a non-zero address space, an uncomputable difference,
/// or a range isUnsafe() rejects.
ConstantRange StackSafetyLocalAnalysis::offsetFrom(Value *Addr, Value *Base) {
  const bool BothSCEVable =
      SE.isSCEVable(Addr->getType()) && SE.isSCEVable(Base->getType());
  if (!BothSCEVable)
    return UnknownRange;

  const SCEV *AddrExp = getSCEVAsPointer(Addr);
  const SCEV *BaseExp = getSCEVAsPointer(Base);
  if (!AddrExp || !BaseExp)
    return UnknownRange;

  const SCEV *Diff = SE.getMinusSCEV(AddrExp, BaseExp);
  if (isa<SCEVCouldNotCompute>(Diff))
    return UnknownRange;

  ConstantRange Offset = SE.getSignedRange(Diff);
  return isUnsafe(Offset) ? UnknownRange : Offset.sextOrTrunc(PointerSize);
}
311
/// Returns the range of offsets from Base touched by an access at Addr whose
/// size lies in SizeRange. An empty SizeRange yields the empty range; any
/// range that cannot be bounded yields UnknownRange.
ConstantRange
StackSafetyLocalAnalysis::getAccessRange(Value *Addr, Value *Base,
                                         const ConstantRange &SizeRange) {
  // Zero-size loads and stores do not access memory.
  if (SizeRange.isEmptySet())
    return ConstantRange::getEmpty(PointerSize);
  assert(!isUnsafe(SizeRange));

  const ConstantRange Start = offsetFrom(Addr, Base);
  if (isUnsafe(Start))
    return UnknownRange;

  // Start offsets plus access sizes; an overflowing sum comes back as the
  // full set and is rejected here.
  const ConstantRange Accessed = addOverflowNever(Start, SizeRange);
  if (isUnsafe(Accessed))
    return UnknownRange;
  return Accessed;
}
329
/// Overload for a fixed access size: the size range is [0, Size). Scalable
/// sizes and sizes that are negative at PointerSize bits give UnknownRange.
ConstantRange StackSafetyLocalAnalysis::getAccessRange(Value *Addr, Value *Base,
                                                       TypeSize Size) {
  if (Size.isScalable())
    return UnknownRange;

  APInt APSize(PointerSize, Size.getFixedValue(), true);
  if (APSize.isNegative())
    return UnknownRange;

  const ConstantRange SizeRange(APInt::getZero(PointerSize), APSize);
  return getAccessRange(Addr, Base, SizeRange);
}
340
/// Returns the range of offsets from Base touched by the memory intrinsic MI
/// through the use U. The range is empty when U is neither the destination
/// nor (for transfers) the source, and UnknownRange when the length cannot be
/// bounded.
ConstantRange StackSafetyLocalAnalysis::getMemIntrinsicAccessRange(
    const MemIntrinsic *MI, const Use &U, Value *Base) {
  bool AccessesU;
  if (const auto *MTI = dyn_cast<MemTransferInst>(MI))
    AccessesU = MTI->getRawSource() == U || MTI->getRawDest() == U;
  else
    AccessesU = MI->getRawDest() == U;
  if (!AccessesU)
    return ConstantRange::getEmpty(PointerSize);

  auto *CalculationTy = IntegerType::getIntNTy(SE.getContext(), PointerSize);
  if (!SE.isSCEVable(MI->getLength()->getType()))
    return UnknownRange;

  const SCEV *LengthExp =
      SE.getTruncateOrZeroExtend(SE.getSCEV(MI->getLength()), CalculationTy);
  ConstantRange Sizes = SE.getSignedRange(LengthExp);
  // A length whose upper bound is not strictly positive, or whose range is
  // rejected by isUnsafe(), cannot be bounded.
  if (!Sizes.getUpper().isStrictlyPositive() || isUnsafe(Sizes))
    return UnknownRange;

  Sizes = Sizes.sextOrTrunc(PointerSize);
  const ConstantRange SizeRange(APInt::getZero(PointerSize),
                                Sizes.getUpper() - 1);
  return getAccessRange(U, Base, SizeRange);
}
364
/// Overload for an access whose size is the IR value V; forwards V's SCEV.
bool StackSafetyLocalAnalysis::isSafeAccess(const Use &U, AllocaInst *AI,
                                            Value *V) {
  const SCEV *AccessSize = SE.getSCEV(V);
  return isSafeAccess(U, AI, AccessSize);
}
369
/// Overload for a fixed access size. A scalable size is never reported safe.
bool StackSafetyLocalAnalysis::isSafeAccess(const Use &U, AllocaInst *AI,
                                            TypeSize TS) {
  if (TS.isScalable())
    return false;

  // Express the size as a constant of PointerSize bits.
  auto *CalculationTy = IntegerType::getIntNTy(SE.getContext(), PointerSize);
  return isSafeAccess(U, AI,
                      SE.getConstant(CalculationTy, TS.getFixedValue()));
}
378
/// Returns true when the access of AccessSize bytes through U provably stays
/// within the static bounds of AI, evaluated at the using instruction.
/// With no alloca (AI == nullptr) the answer is true, because only stack
/// accesses are judged here. Anything that cannot be computed or proven is
/// reported as not safe.
bool StackSafetyLocalAnalysis::isSafeAccess(const Use &U, AllocaInst *AI,
                                            const SCEV *AccessSize) {
  if (!AI)
    return true; // This only judges whether it is a safe *stack* access.
  if (isa<SCEVCouldNotCompute>(AccessSize))
    return false;

  const auto *I = cast<Instruction>(U.getUser());

  const SCEV *AddrExp = getSCEVAsPointer(U.get());
  const SCEV *BaseExp = getSCEVAsPointer(AI);
  if (!AddrExp || !BaseExp)
    return false;

  const SCEV *Diff = SE.getMinusSCEV(AddrExp, BaseExp);
  if (isa<SCEVCouldNotCompute>(Diff))
    return false;

  const ConstantRange Size = getStaticAllocaSizeRange(*AI);

  auto *CalculationTy = IntegerType::getIntNTy(SE.getContext(), PointerSize);
  auto ToDiffTy = [&](const SCEV *V) {
    return SE.getTruncateOrZeroExtend(V, CalculationTy);
  };
  // The access is in bounds when Min <= Diff <= Max, with Max being the
  // alloca's upper bound minus the access size.
  const SCEV *Min = ToDiffTy(SE.getConstant(Size.getLower()));
  const SCEV *Max = SE.getMinusSCEV(ToDiffTy(SE.getConstant(Size.getUpper())),
                                    ToDiffTy(AccessSize));

  // An undecided predicate counts as "not proven", hence value_or(false).
  const bool AtOrAboveMin =
      SE.evaluatePredicateAt(ICmpInst::Predicate::ICMP_SGE, Diff, Min, I)
          .value_or(false);
  if (!AtOrAboveMin)
    return false;
  return SE.evaluatePredicateAt(ICmpInst::Predicate::ICMP_SLE, Diff, Max, I)
      .value_or(false);
}
412
/// Analyzes all local uses of Ptr (alloca or argument), accumulating in US
/// the local access range and every call the address is passed to.
/// Uses that cannot be bounded are recorded with UnknownRange and flagged as
/// not safe.
void StackSafetyLocalAnalysis::analyzeAllUses(Value *Ptr,
                                              UseInfo<GlobalValue> &US,
                                              const StackLifetime &SL) {
  SmallPtrSet<const Value *, 16> Visited;
  SmallVector<const Value *, 8> WorkList;
  WorkList.push_back(Ptr);
  AllocaInst *AI = dyn_cast<AllocaInst>(Ptr);

  // A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
  while (!WorkList.empty()) {
    const Value *V = WorkList.pop_back_val();
    for (const Use &UI : V->uses()) {
      const auto *I = cast<Instruction>(UI.getUser());
      if (!SL.isReachable(I))
        continue;

      assert(V == UI.get());

      // Records a use that cannot be bounded.
      auto MarkUnknown = [&] {
        US.addRange(I, UnknownRange, /*IsSafe=*/false);
      };
      // True when Ptr is an alloca that is not alive after I.
      auto OutsideLifetime = [&] { return AI && !SL.isAliveAfter(AI, I); };
      // Records an access of a known size through this use.
      auto RecordAccess = [&](TypeSize Size) {
        ConstantRange AccessRange = getAccessRange(UI, Ptr, Size);
        bool Safe = isSafeAccess(UI, AI, Size);
        US.addRange(I, AccessRange, Safe);
      };

      auto RecordStore = [&](const Value *StoredVal) {
        // Stored the pointer - conservatively assume it may be unsafe.
        // The same applies to a store outside the alloca's lifetime.
        if (V == StoredVal || OutsideLifetime()) {
          MarkUnknown();
          return;
        }
        RecordAccess(DL.getTypeStoreSize(StoredVal->getType()));
      };

      switch (I->getOpcode()) {
      case Instruction::Load:
        if (OutsideLifetime())
          MarkUnknown();
        else
          RecordAccess(DL.getTypeStoreSize(I->getType()));
        break;

      case Instruction::VAArg:
        // "va-arg" from a pointer is safe.
        break;

      case Instruction::Store:
        RecordStore(cast<StoreInst>(I)->getValueOperand());
        break;
      case Instruction::AtomicCmpXchg:
        RecordStore(cast<AtomicCmpXchgInst>(I)->getNewValOperand());
        break;
      case Instruction::AtomicRMW:
        RecordStore(cast<AtomicRMWInst>(I)->getValOperand());
        break;

      case Instruction::Ret:
        // Information leak.
        // FIXME: Process parameters correctly. This is a leak only if we return
        // alloca.
        MarkUnknown();
        break;

      case Instruction::Call:
      case Instruction::Invoke: {
        if (I->isLifetimeStartOrEnd())
          break;

        if (OutsideLifetime()) {
          MarkUnknown();
          break;
        }

        if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {
          auto AccessRange = getMemIntrinsicAccessRange(MI, UI, Ptr);
          // The intrinsic does not touch memory through this use when the use
          // is neither its destination nor (for transfers) its source.
          bool NotAccessed;
          if (const auto *MTI = dyn_cast<MemTransferInst>(MI))
            NotAccessed =
                MTI->getRawSource() != UI && MTI->getRawDest() != UI;
          else
            NotAccessed = MI->getRawDest() != UI;
          const bool Safe =
              NotAccessed || isSafeAccess(UI, AI, MI->getLength());
          US.addRange(I, AccessRange, Safe);
          break;
        }

        // A call that returns this argument is followed like any other
        // pointer-propagating instruction.
        const auto &CB = cast<CallBase>(*I);
        if (CB.getReturnedArgOperand() == V && Visited.insert(I).second)
          WorkList.push_back(cast<const Instruction>(I));

        // The address is used by the call but not as an argument operand.
        if (!CB.isArgOperand(&UI)) {
          MarkUnknown();
          break;
        }

        unsigned ArgNo = CB.getArgOperandNo(&UI);
        if (CB.isByValArgument(ArgNo)) {
          RecordAccess(DL.getTypeStoreSize(CB.getParamByValType(ArgNo)));
          break;
        }

        // FIXME: consult devirt?
        // Do not follow aliases, otherwise we could inadvertently follow
        // dso_preemptable aliases or aliases with interposable linkage.
        const GlobalValue *Callee =
            dyn_cast<GlobalValue>(CB.getCalledOperand()->stripPointerCasts());
        if (!Callee) {
          MarkUnknown();
          break;
        }

        assert(isa<Function>(Callee) || isa<GlobalAlias>(Callee));
        // Remember the call; offsets of repeated (callee, argument) pairs are
        // merged.
        ConstantRange Offsets = offsetFrom(UI, Ptr);
        auto [Entry, Inserted] =
            US.Calls.emplace(CallInfo<GlobalValue>(Callee, ArgNo), Offsets);
        if (!Inserted)
          Entry->second = Entry->second.unionWith(Offsets);
        break;
      }

      default:
        // Any other instruction is treated as propagating the address: its
        // own uses are visited too.
        if (Visited.insert(I).second)
          WorkList.push_back(cast<const Instruction>(I));
      }
    }
  }
}
552
/// Runs the local analysis over F: every alloca, and every pointer argument
/// that is not byval, gets a UseInfo filled in by analyzeAllUses().
FunctionInfo<GlobalValue> StackSafetyLocalAnalysis::run() {
  FunctionInfo<GlobalValue> Info;
  assert(!F.isDeclaration() &&
         "Can't run StackSafety on a function declaration");

  LLVM_DEBUG(dbgs() << "[StackSafety] " << F.getName() << "\n");

  // Collect the allocas first: StackLifetime needs the complete list.
  SmallVector<AllocaInst *, 64> Allocas;
  for (auto &I : instructions(F)) {
    auto *AI = dyn_cast<AllocaInst>(&I);
    if (AI)
      Allocas.push_back(AI);
  }
  StackLifetime SL(F, Allocas, StackLifetime::LivenessType::Must);
  SL.run();

  for (auto *AI : Allocas) {
    auto Slot = Info.Allocas.emplace(AI, PointerSize);
    analyzeAllUses(AI, Slot.first->second, SL);
  }

  for (Argument &A : F.args()) {
    // Non pointers and bypass arguments are not going to be used in any global
    // processing.
    if (!A.getType()->isPointerTy() || A.hasByValAttr())
      continue;
    auto Slot = Info.Params.emplace(A.getArgNo(), PointerSize);
    analyzeAllUses(&A, Slot.first->second, SL);
  }

  LLVM_DEBUG(Info.print(dbgs(), F.getName(), &F));
  LLVM_DEBUG(dbgs() << "\n[StackSafety] done\n");
  return Info;
}
585
/// Inter-procedural fixed-point propagation of parameter access ranges from
/// callees to their callers.
template <typename CalleeTy> class StackSafetyDataFlowAnalysis {
  using FunctionMap = std::map<const CalleeTy *, FunctionInfo<CalleeTy>>;

  FunctionMap Functions;
  // Full set of the pointer bit width; the answer for anything unresolved.
  const ConstantRange UnknownRange;

  // Callee-to-Caller multimap.
  DenseMap<const CalleeTy *, SmallVector<const CalleeTy *, 4>> Callers;
  SetVector<const CalleeTy *> WorkList;

  bool updateOneUse(UseInfo<CalleeTy> &US, bool UpdateToFullSet);
  void updateOneNode(const CalleeTy *Callee, FunctionInfo<CalleeTy> &FS);
  // The lookup is dereferenced unchecked: Callee is assumed to be a key of
  // Functions.
  void updateOneNode(const CalleeTy *Callee) {
    auto It = Functions.find(Callee);
    updateOneNode(Callee, It->second);
  }
  void updateAllNodes() {
    for (auto &[Fn, FS] : Functions)
      updateOneNode(Fn, FS);
  }
  void runDataFlow();
#ifndef NDEBUG
  void verifyFixedPoint();
#endif

public:
  StackSafetyDataFlowAnalysis(uint32_t PointerBitWidth, FunctionMap Functions)
      : Functions(std::move(Functions)),
        UnknownRange(ConstantRange::getFull(PointerBitWidth)) {}

  const FunctionMap &run();

  ConstantRange getArgumentAccessRange(const CalleeTy *Callee, unsigned ParamNo,
                                       const ConstantRange &Offsets) const;
};
620
/// Returns the range accessed through parameter ParamNo of Callee, shifted by
/// the Offsets at which the caller passes the address. A callee or parameter
/// without recorded information yields UnknownRange.
template <typename CalleeTy>
ConstantRange StackSafetyDataFlowAnalysis<CalleeTy>::getArgumentAccessRange(
    const CalleeTy *Callee, unsigned ParamNo,
    const ConstantRange &Offsets) const {
  const auto FnIt = Functions.find(Callee);
  // Unknown callee (outside of LTO domain or an indirect call).
  if (FnIt == Functions.end())
    return UnknownRange;

  const auto &Params = FnIt->second.Params;
  const auto ParamIt = Params.find(ParamNo);
  if (ParamIt == Params.end())
    return UnknownRange;

  const ConstantRange &Access = ParamIt->second.Range;
  // No access stays no access; full set stays unknown. Only a bounded range
  // is shifted by the caller's offsets.
  if (Access.isEmptySet())
    return Access;
  if (Access.isFullSet())
    return UnknownRange;
  return addOverflowNever(Access, Offsets);
}
640
/// Folds the callee access ranges of every call in US into US.Range.
/// With UpdateToFullSet, any needed change widens the range to UnknownRange
/// instead of the union. Returns true if a change was needed.
template <typename CalleeTy>
bool StackSafetyDataFlowAnalysis<CalleeTy>::updateOneUse(UseInfo<CalleeTy> &US,
                                                         bool UpdateToFullSet) {
  bool Changed = false;
  for (auto &[Call, Offsets] : US.Calls) {
    assert(!Offsets.isEmptySet() &&
           "Param range can't be empty-set, invalid offset range");

    ConstantRange CalleeRange =
        getArgumentAccessRange(Call.Callee, Call.ParamNo, Offsets);
    if (US.Range.contains(CalleeRange))
      continue;

    Changed = true;
    if (UpdateToFullSet)
      US.Range = UnknownRange;
    else
      US.updateRange(CalleeRange);
  }
  return Changed;
}
661
/// Re-evaluates every parameter of one function. If anything changed, the
/// function's callers are queued and its update count is bumped. Once the
/// count exceeds StackSafetyMaxIterations, changes widen to the full set.
template <typename CalleeTy>
void StackSafetyDataFlowAnalysis<CalleeTy>::updateOneNode(
    const CalleeTy *Callee, FunctionInfo<CalleeTy> &FS) {
  const bool UpdateToFullSet = FS.UpdateCount > StackSafetyMaxIterations;

  bool Changed = false;
  for (auto &KV : FS.Params) {
    // Every parameter is updated; no short-circuit on the first change.
    if (updateOneUse(KV.second, UpdateToFullSet))
      Changed = true;
  }
  if (!Changed)
    return;

  LLVM_DEBUG(dbgs() << "=== update [" << FS.UpdateCount
                    << (UpdateToFullSet ? ", full-set" : "") << "] " << &FS
                    << "\n");
  // Callers of this function may need updating.
  for (auto &CallerID : Callers[Callee])
    WorkList.insert(CallerID);

  ++FS.UpdateCount;
}
681
/// Builds the callee-to-caller map, updates every function once, then drains
/// the work list until no function changes any more.
template <typename CalleeTy>
void StackSafetyDataFlowAnalysis<CalleeTy>::runDataFlow() {
  SmallVector<const CalleeTy *, 16> Callees;
  for (auto &[Caller, FS] : Functions) {
    Callees.clear();
    for (auto &ParamKV : FS.Params)
      for (auto &CallKV : ParamKV.second.Calls)
        Callees.push_back(CallKV.first.Callee);

    // Register the caller once per distinct callee.
    llvm::sort(Callees);
    Callees.erase(llvm::unique(Callees), Callees.end());

    for (auto &Callee : Callees)
      Callers[Callee].push_back(Caller);
  }

  updateAllNodes();

  while (!WorkList.empty())
    updateOneNode(WorkList.pop_back_val());
}
706
#ifndef NDEBUG
/// Debug-only check: one more full update pass after the fixed point must not
/// queue any function.
template <typename CalleeTy>
void StackSafetyDataFlowAnalysis<CalleeTy>::verifyFixedPoint() {
  WorkList.clear();
  updateAllNodes();
  assert(WorkList.empty());
}
#endif
715
/// Runs the data flow to its fixed point and returns the updated function
/// map, which stays owned by this object.
template <typename CalleeTy>
const typename StackSafetyDataFlowAnalysis<CalleeTy>::FunctionMap &
StackSafetyDataFlowAnalysis<CalleeTy>::run() {
  runDataFlow();
  LLVM_DEBUG(verifyFixedPoint());
  return Functions;
}
723
/// Picks the function summary a call to VI resolves to, or nullptr when no
/// single trustworthy candidate exists. A local-linkage summary is accepted
/// only from the module ModuleId; two external or two weak candidates make
/// the lookup fail; the final answer must be live and DSO-local.
FunctionSummary *findCalleeFunctionSummary(ValueInfo VI, StringRef ModuleId) {
  if (!VI)
    return nullptr;
  auto SummaryList = VI.getSummaryList();
  GlobalValueSummary *S = nullptr;
  for (const auto &GVS : SummaryList) {
    if (!GVS->isLive())
      continue;
    if (const auto *Alias = dyn_cast<AliasSummary>(GVS.get());
        Alias && !Alias->hasAliasee())
      continue;
    if (!isa<FunctionSummary>(GVS->getBaseObject()))
      continue;

    const auto Linkage = GVS->linkage();
    if (GlobalValue::isLocalLinkage(Linkage)) {
      // A local symbol only matches within its own module, and then wins
      // outright.
      if (GVS->modulePath() != ModuleId)
        continue;
      S = GVS.get();
      break;
    }
    if (GlobalValue::isExternalLinkage(Linkage)) {
      if (S) {
        ++NumIndexCalleeMultipleExternal;
        return nullptr;
      }
      S = GVS.get();
      continue;
    }
    if (GlobalValue::isWeakLinkage(Linkage)) {
      if (S) {
        ++NumIndexCalleeMultipleWeak;
        return nullptr;
      }
      S = GVS.get();
      continue;
    }
    if (GlobalValue::isAvailableExternallyLinkage(Linkage) ||
        GlobalValue::isLinkOnceLinkage(Linkage)) {
      // According thinLTOResolvePrevailingGUID these are unlikely prevailing.
      if (SummaryList.size() == 1)
        S = GVS.get();
      continue;
    }
    ++NumIndexCalleeUnhandled;
  }

  // Follow the alias chain from the chosen summary down to a function,
  // rejecting any link that is not live or not DSO-local.
  while (S) {
    if (!S->isLive() || !S->isDSOLocal())
      return nullptr;
    if (FunctionSummary *FS = dyn_cast<FunctionSummary>(S))
      return FS;
    AliasSummary *AS = dyn_cast<AliasSummary>(S);
    if (!AS || !AS->hasAliasee())
      return nullptr;
    S = AS->getBaseObject();
    // An alias that resolves to itself would loop forever.
    if (S == AS)
      return nullptr;
  }
  return nullptr;
}
777
/// Resolves GV to a function defined in this module, following aliases.
/// Returns nullptr as soon as a link in the chain is a declaration, is
/// interposable, or is not DSO-local, because such a definition may be
/// replaced by a different one.
const Function *findCalleeInModule(const GlobalValue *GV) {
  for (const GlobalValue *Cur = GV; Cur;) {
    const bool MayBeReplaced =
        Cur->isDeclaration() || Cur->isInterposable() || !Cur->isDSOLocal();
    if (MayBeReplaced)
      return nullptr;
    if (const auto *Fn = dyn_cast<Function>(Cur))
      return Fn;
    const auto *Alias = dyn_cast<GlobalAlias>(Cur);
    if (!Alias)
      return nullptr;
    Cur = Alias->getAliaseeObject();
    // An alias that resolves to itself would loop forever.
    if (Cur == Alias)
      return nullptr;
  }
  return nullptr;
}
793
/// Returns the recorded access range of parameter ParamNo in the summary FS,
/// or nullptr when the summary has no entry for it. FS must be live and
/// DSO-local.
const ConstantRange *findParamAccess(const FunctionSummary &FS,
                                     uint32_t ParamNo) {
  assert(FS.isLive());
  assert(FS.isDSOLocal());
  for (const auto &PS : FS.paramAccesses()) {
    if (PS.ParamNo != ParamNo)
      continue;
    return &PS.Use;
  }
  return nullptr;
}
803
/// Resolves every recorded call of Use. Calls to functions found in this
/// module are kept, re-keyed by the resolved function. Calls resolved through
/// the summary Index are folded into Use.Range. The first call that cannot be
/// resolved widens Use.Range to the full set and stops processing.
void resolveAllCalls(UseInfo<GlobalValue> &Use,
                     const ModuleSummaryIndex *Index) {
  ConstantRange FullSet(Use.Range.getBitWidth(), true);
  // Move Use.Calls to a temp storage and repopulate - don't use std::move as it
  // leaves Use.Calls in an undefined state.
  UseInfo<GlobalValue>::CallsTy TmpCalls;
  std::swap(TmpCalls, Use.Calls);
  for (const auto &[Call, Offsets] : TmpCalls) {
    if (const Function *F = findCalleeInModule(Call.Callee)) {
      Use.Calls.emplace(CallInfo<GlobalValue>(F, Call.ParamNo), Offsets);
      continue;
    }

    // Without an index there is nothing else to consult.
    if (!Index) {
      Use.updateRange(FullSet);
      return;
    }
    FunctionSummary *FS = findCalleeFunctionSummary(
        Index->getValueInfo(Call.Callee->getGUID()),
        Call.Callee->getParent()->getModuleIdentifier());
    ++NumModuleCalleeLookupTotal;
    if (!FS) {
      ++NumModuleCalleeLookupFailed;
      Use.updateRange(FullSet);
      return;
    }

    // A missing or full-set entry means nothing is known about the parameter.
    const ConstantRange *Found = findParamAccess(*FS, Call.ParamNo);
    if (!Found || Found->isFullSet()) {
      Use.updateRange(FullSet);
      return;
    }
    ConstantRange Access = Found->sextOrTrunc(Use.Range.getBitWidth());
    if (!Access.isEmptySet())
      Use.updateRange(addOverflowNever(Access, Offsets));
  }
}
836
/// Combines the per-function local results into the module-wide result:
/// resolves the calls of every parameter, runs the data-flow analysis on a
/// copy, then folds callee access ranges into every alloca.
GVToSSI createGlobalStackSafetyInfo(
    std::map<const GlobalValue *, FunctionInfo<GlobalValue>> Functions,
    const ModuleSummaryIndex *Index) {
  GVToSSI SSI;
  if (Functions.empty())
    return SSI;

  // FIXME: Simplify printing and remove copying here.
  auto Copy = Functions;

  for (auto &FnKV : Copy) {
    for (auto &ParamKV : FnKV.second.Params) {
      UseInfo<GlobalValue> &Param = ParamKV.second;
      resolveAllCalls(Param, Index);
      // A full-set range cannot grow, so its calls carry no information.
      if (Param.Range.isFullSet())
        Param.Calls.clear();
    }
  }

  uint32_t PointerSize =
      Copy.begin()->first->getDataLayout().getPointerSizeInBits();
  StackSafetyDataFlowAnalysis<GlobalValue> SSDFA(PointerSize, std::move(Copy));

  for (const auto &[Fn, Propagated] : SSDFA.run()) {
    auto FI = Propagated;
    auto &SrcF = Functions[Fn];
    for (auto &[AI, A] : FI.Allocas) {
      resolveAllCalls(A, Index);
      for (auto &C : A.Calls) {
        A.updateRange(SSDFA.getArgumentAccessRange(C.first.Callee,
                                                   C.first.ParamNo, C.second));
      }
      // FIXME: This is needed only to preserve calls in print() results.
      A.Calls = SrcF.Allocas.find(AI)->second.Calls;
    }
    // Parameters get their original call lists back as well.
    for (auto &[ParamNo, P] : FI.Params)
      P.Calls = SrcF.Params.find(ParamNo)->second.Calls;
    SSI[Fn] = std::move(FI);
  }

  return SSI;
}
880
881} // end anonymous namespace
882
// Special members of StackSafetyInfo, defined in this file
// (presumably because InfoTy is only complete here - confirm against the
// header).
StackSafetyInfo::StackSafetyInfo() = default;

// Stores the function and a callback that supplies its ScalarEvolution; the
// analysis itself runs lazily in getInfo().
StackSafetyInfo::StackSafetyInfo(Function *F,
                                 std::function<ScalarEvolution &()> GetSE)
    : F(F), GetSE(GetSE) {}

StackSafetyInfo::StackSafetyInfo(StackSafetyInfo &&) = default;

StackSafetyInfo &StackSafetyInfo::operator=(StackSafetyInfo &&) = default;

StackSafetyInfo::~StackSafetyInfo() = default;
894
/// Returns the local analysis result, computing and caching it on first use.
const StackSafetyInfo::InfoTy &StackSafetyInfo::getInfo() const {
  if (Info)
    return *Info;

  StackSafetyLocalAnalysis SSLA(*F, GetSE());
  Info.reset(new InfoTy{SSLA.run()});
  return *Info;
}
902
/// Prints the local analysis result of the function, followed by a blank
/// line.
void StackSafetyInfo::print(raw_ostream &O) const {
  const auto &Local = getInfo().Info;
  Local.print(O, F->getName(), dyn_cast<Function>(F));
  O << "\n";
}
907
/// Returns the module-wide result, computing and caching it on first use.
/// An alloca is classified as safe only when its static size range contains
/// the whole access range computed for it.
const StackSafetyGlobalInfo::InfoTy &StackSafetyGlobalInfo::getInfo() const {
  if (Info)
    return *Info;

  // Gather the local results of every function that has a body.
  std::map<const GlobalValue *, FunctionInfo<GlobalValue>> Functions;
  for (auto &F : M->functions()) {
    if (F.isDeclaration())
      continue;
    auto FI = GetSSI(F).getInfo().Info;
    Functions.emplace(&F, std::move(FI));
  }
  Info.reset(new InfoTy{
      createGlobalStackSafetyInfo(std::move(Functions), Index), {}, {}});

  for (auto &FnKV : Info->Info) {
    for (auto &[AI, Use] : FnKV.second.Allocas) {
      ++NumAllocaTotal;
      const ConstantRange AIRange = getStaticAllocaSizeRange(*AI);
      if (AIRange.contains(Use.Range)) {
        Info->SafeAllocas.insert(AI);
        ++NumAllocaStackSafe;
      }
      // Unsafe accesses are collected whether or not the alloca is safe.
      Info->UnsafeAccesses.insert(Use.UnsafeAccesses.begin(),
                                  Use.UnsafeAccesses.end());
    }
  }

  if (StackSafetyPrint)
    print(errs());
  return *Info;
}
939
/// Transforms the internal representation of parameter information into the
/// FunctionSummary format. Parameters whose range, or whose forwarded offset
/// range in any call, is the full set are left out.
std::vector<FunctionSummary::ParamAccess>
StackSafetyInfo::getParamAccesses(ModuleSummaryIndex &Index) const {
  std::vector<FunctionSummary::ParamAccess> ParamAccesses;
  for (const auto &[ParamNo, PS] : getInfo().Info.Params) {
    // Parameter accessed by any or unknown offset, represented as FullSet by
    // StackSafety, is handled as the parameter for which we have no
    // StackSafety info at all. So drop it to reduce summary size.
    if (PS.Range.isFullSet())
      continue;

    ParamAccesses.emplace_back(ParamNo, PS.Range);
    FunctionSummary::ParamAccess &Param = ParamAccesses.back();

    Param.Calls.reserve(PS.Calls.size());
    for (const auto &C : PS.Calls) {
      // Parameter forwarded into another function by any or unknown offset
      // will make ParamAccess::Range as FullSet anyway. So we can drop the
      // entire parameter like we did above.
      // TODO(vitalybuka): Return already filtered parameters from getInfo().
      if (C.second.isFullSet()) {
        // Param dangles after this pop; it is not touched again.
        ParamAccesses.pop_back();
        break;
      }
      Param.Calls.emplace_back(C.first.ParamNo,
                               Index.getOrInsertValueInfo(C.first.Callee),
                               C.second);
    }
  }

  // Order the calls of each parameter by parameter index, then by callee.
  const auto ByParamThenCallee =
      [](const FunctionSummary::ParamAccess::Call &L,
         const FunctionSummary::ParamAccess::Call &R) {
        return std::tie(L.ParamNo, L.Callee) < std::tie(R.ParamNo, R.Callee);
      };
  for (FunctionSummary::ParamAccess &Param : ParamAccesses)
    sort(Param.Calls, ByParamThenCallee);
  return ParamAccesses;
}
979
980StackSafetyGlobalInfo::StackSafetyGlobalInfo() = default;
981
/// Stores the module, the per-function StackSafetyInfo getter and the optional
/// summary index for later use by getInfo().
///
/// \param M      module the results refer to.
/// \param GetSSI callback returning the local analysis result of a function.
/// \param Index  summary index, or null when none is available.
StackSafetyGlobalInfo::StackSafetyGlobalInfo(
    Module *M, std::function<const StackSafetyInfo &(Function &F)> GetSSI,
    const ModuleSummaryIndex *Index)
    : M(M), GetSSI(GetSSI), Index(Index) {
  // With StackSafetyRun set (declared outside this excerpt) the analysis is
  // computed right away; otherwise nothing is computed in the constructor.
  if (StackSafetyRun) {
    getInfo();
  }
}
989
// Move construction, move assignment and destruction are defaulted here, in
// the .cpp file.
// NOTE(review): presumably because a member type is only complete in this
// file - confirm against the header.
StackSafetyGlobalInfo::StackSafetyGlobalInfo(StackSafetyGlobalInfo &&) =
    default;

StackSafetyGlobalInfo &
StackSafetyGlobalInfo::operator=(StackSafetyGlobalInfo &&) = default;

StackSafetyGlobalInfo::~StackSafetyGlobalInfo() = default;
997
/// Returns true when \p AI is a member of the SafeAllocas set produced by
/// getInfo().
///
/// NOTE(review): a client that omits hardening for allocas reported safe
/// relies on that set never containing an alloca with an out-of-bounds or
/// escaping use - confirm how callers consume this result.
bool StackSafetyGlobalInfo::isSafe(const AllocaInst &AI) const {
  return getInfo().SafeAllocas.count(&AI);
}
1002
/// Returns true when \p I is NOT recorded in the UnsafeAccesses set produced
/// by getInfo().
///
/// The answer is "safe" for every instruction absent from that set, including
/// instructions the analysis may never have looked at, so the result is only
/// meaningful for instructions that belong to the analysed module.
bool StackSafetyGlobalInfo::stackAccessIsSafe(const Instruction &I) const {
  const auto &Unsafe = getInfo().UnsafeAccesses;
  const auto Pos = Unsafe.find(&I);
  return Pos == Unsafe.end();
}
1007
/// Prints, for every defined function of the analysed module, its parameter
/// and alloca information followed by the memory-accessing instructions that
/// stackAccessIsSafe() reports as safe.
///
/// \param O stream the report is written to.
void StackSafetyGlobalInfo::print(raw_ostream &O) const {
  auto &PerFunction = getInfo().Info;
  if (PerFunction.empty())
    return;

  // The module is recovered from the first function that has a result.
  const Module &M = *PerFunction.begin()->first->getParent();
  for (const auto &F : M.functions()) {
    if (F.isDeclaration())
      continue;

    // NOTE(review): find() is dereferenced unchecked, so this assumes every
    // defined function of M has an entry - confirm against getInfo().
    PerFunction.find(&F)->second.print(O, F.getName(), &F);
    O << " safe accesses:"
      << "\n";
    for (const auto &I : instructions(F)) {
      const CallInst *Call = dyn_cast<CallInst>(&I);
      // Only loads, stores, memory intrinsics, atomics and calls with a byval
      // argument are listed.
      const bool AccessesMemory =
          isa<StoreInst>(I) || isa<LoadInst>(I) || isa<MemIntrinsic>(I) ||
          isa<AtomicCmpXchgInst>(I) || isa<AtomicRMWInst>(I) ||
          (Call && Call->hasByValArgument());
      if (AccessesMemory && stackAccessIsSafe(I))
        O << " " << I << "\n";
    }
    O << "\n";
  }
}
1031
/// Debugger helper: writes the same report as print() to dbgs().
LLVM_DUMP_METHOD void StackSafetyGlobalInfo::dump() const {
  print(dbgs());
}
1033
// Definition of the static AnalysisKey member of StackSafetyAnalysis.
AnalysisKey StackSafetyAnalysis::Key;
1035
/// Builds the StackSafetyInfo for \p F. ScalarEvolution is not requested here;
/// the result only stores a getter that asks \p AM for it when invoked.
///
/// The getter captures \p AM and \p F by reference, so the returned object
/// must not be used after either of them is gone.
StackSafetyInfo StackSafetyAnalysis::run(Function &F,
                                         FunctionAnalysisManager &AM) {
  auto GetSE = [&AM, &F]() -> ScalarEvolution & {
    return AM.getResult<ScalarEvolutionAnalysis>(F);
  };
  return StackSafetyInfo(&F, GetSE);
}
1042
/// Prints the local stack-safety result of \p F to the pass's stream.
/// The IR is not modified, so all analyses are reported as preserved.
PreservedAnalyses StackSafetyPrinterPass::run(Function &F,
                                              FunctionAnalysisManager &AM) {
  // The header line goes out before the analysis result is requested.
  OS << "'Stack Safety Local Analysis' for function '" << F.getName() << "'\n";
  auto &LocalInfo = AM.getResult<StackSafetyAnalysis>(F);
  LocalInfo.print(OS);
  return PreservedAnalyses::all();
}
1049
// Definition of the pass's static ID member.
char StackSafetyInfoWrapperPass::ID = 0;
1051
/// Constructs the legacy function pass and registers it with the global
/// PassRegistry.
StackSafetyInfoWrapperPass::StackSafetyInfoWrapperPass() : FunctionPass(ID) {
  PassRegistry &Registry = *PassRegistry::getPassRegistry();
  initializeStackSafetyInfoWrapperPassPass(Registry);
}
1055
/// Declares that the pass preserves everything and requires ScalarEvolution
/// transitively.
void StackSafetyInfoWrapperPass::getAnalysisUsage(AnalysisUsage &AU) const {
  AU.setPreservesAll();
  // Transitive: runOnFunction() stores a getter that hands out the
  // ScalarEvolution result after the pass itself has finished.
  AU.addRequiredTransitive<ScalarEvolutionWrapperPass>();
}
1060
/// Prints the stored local result to \p O. \p M is not used.
void StackSafetyInfoWrapperPass::print(raw_ostream &O, const Module *M) const {
  SSI.print(O);
}
1064
/// Replaces the stored result with a StackSafetyInfo for \p F whose getter
/// returns the ScalarEvolution obtained from ScalarEvolutionWrapperPass.
///
/// \returns false, since the function is never modified.
bool StackSafetyInfoWrapperPass::runOnFunction(Function &F) {
  // The pointer is captured by value, so the getter does not refer to any
  // local of this function once it returns.
  ScalarEvolution *const SE =
      &getAnalysis<ScalarEvolutionWrapperPass>().getSE();
  SSI = StackSafetyInfo(&F, [SE]() -> ScalarEvolution & { return *SE; });
  return false;
}
1070
// Definition of the static AnalysisKey member of StackSafetyGlobalAnalysis.
AnalysisKey StackSafetyGlobalAnalysis::Key;
1072
/// Builds the module-level result for \p M. Per-function results are fetched
/// through the function analysis manager proxied by \p AM; no summary index is
/// supplied (null).
StackSafetyGlobalInfo
StackSafetyGlobalAnalysis::run(Module &M, ModuleAnalysisManager &AM) {
  // FIXME: Lookup Module Summary.
  FunctionAnalysisManager &FAM =
      AM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
  // The getter refers to FAM, so the returned object depends on the function
  // analysis manager staying alive.
  auto GetLocalInfo = [&FAM](Function &F) -> const StackSafetyInfo & {
    return FAM.getResult<StackSafetyAnalysis>(F);
  };
  return StackSafetyGlobalInfo(&M, GetLocalInfo, nullptr);
}
1084
/// Prints the module-level stack-safety result of \p M to the pass's stream.
/// The IR is not modified, so all analyses are reported as preserved.
PreservedAnalyses StackSafetyGlobalPrinterPass::run(Module &M,
                                                    ModuleAnalysisManager &AM) {
  // The header line goes out before the analysis result is requested.
  OS << "'Stack Safety Analysis' for module '" << M.getName() << "'\n";
  auto &GlobalInfo = AM.getResult<StackSafetyGlobalAnalysis>(M);
  GlobalInfo.print(OS);
  return PreservedAnalyses::all();
}
1091
// Definition of the pass's static ID member.
char StackSafetyGlobalInfoWrapperPass::ID = 0;
1093
/// Constructs the legacy module pass and registers it with the global
/// PassRegistry.
StackSafetyGlobalInfoWrapperPass::StackSafetyGlobalInfoWrapperPass()
    : ModulePass(ID) {
  PassRegistry &Registry = *PassRegistry::getPassRegistry();
  initializeStackSafetyGlobalInfoWrapperPassPass(Registry);
}
1099
// Destructor defaulted here, in the .cpp file.
StackSafetyGlobalInfoWrapperPass::~StackSafetyGlobalInfoWrapperPass() = default;
1101
/// Prints the stored module-level result to \p O. \p M is not used.
void StackSafetyGlobalInfoWrapperPass::print(raw_ostream &O,
                                             const Module *M) const {
  SSGI.print(O);
}
1106
/// Declares the dependency on the per-function wrapper pass and that this
/// pass preserves everything.
void StackSafetyGlobalInfoWrapperPass::getAnalysisUsage(
    AnalysisUsage &AU) const {
  AU.addRequired<StackSafetyInfoWrapperPass>();
  AU.setPreservesAll();
}
1112
/// Replaces the stored result with a StackSafetyGlobalInfo for \p M. The
/// summary index is taken from ImmutableModuleSummaryIndexWrapperPass when
/// that pass is available and is null otherwise.
///
/// \returns false, since the module is never modified.
bool StackSafetyGlobalInfoWrapperPass::runOnModule(Module &M) {
  auto *IndexPass =
      getAnalysisIfAvailable<ImmutableModuleSummaryIndexWrapperPass>();
  const ModuleSummaryIndex *ImportSummary =
      IndexPass ? IndexPass->getIndex() : nullptr;

  // The getter captures `this`; SSGI is a member of this pass, so it is used
  // through the pass object the getter points back to.
  auto GetLocalInfo = [this](Function &F) -> const StackSafetyInfo & {
    return getAnalysis<StackSafetyInfoWrapperPass>(F).getResult();
  };
  SSGI = StackSafetyGlobalInfo(&M, GetLocalInfo, ImportSummary);
  return false;
}
1126
/// Returns true when parameter-access summaries should be produced for \p M:
/// either StackSafetyRun is set, or at least one function in the module
/// carries the SanitizeMemTag attribute.
bool llvm::needsParamAccessSummary(const Module &M) {
  if (StackSafetyRun)
    return true;
  return any_of(M.functions(), [](const Function &F) {
    return F.hasFnAttribute(Attribute::SanitizeMemTag);
  });
}
1135
/// Runs the parameter data-flow over the function summaries of \p Index and
/// rewrites their parameter accesses with the outcome.
///
/// Every summary that had parameter accesses is cleared first. Live,
/// DSO-local summaries are then given the propagated ranges; only each
/// parameter's range is written back, the forwarded calls are not. Does
/// nothing when the index has no parameter accesses.
void llvm::generateParamAccessSummary(ModuleSummaryIndex &Index) {
  if (!Index.hasParamAccess())
    return;
  const ConstantRange FullSet(FunctionSummary::ParamAccess::RangeWidth, true);

  // Adds the number of parameter accesses currently in the index to Stat;
  // skipped entirely when statistics are disabled.
  auto CountParamAccesses = [&](auto &Stat) {
    if (AreStatisticsEnabled()) {
      for (auto &Entry : Index)
        for (auto &Summary : Entry.second.SummaryList)
          if (FunctionSummary *Fn = dyn_cast<FunctionSummary>(Summary.get()))
            Stat += Fn->paramAccesses().size();
    }
  };

  CountParamAccesses(NumCombinedParamAccessesBefore);

  std::map<const FunctionSummary *, FunctionInfo<FunctionSummary>> Functions;

  // Convert the ModuleSummaryIndex to a FunctionMap
  for (auto &Entry : Index) {
    for (auto &Summary : Entry.second.SummaryList) {
      FunctionSummary *Fn = dyn_cast<FunctionSummary>(Summary.get());
      if (!Fn || Fn->paramAccesses().empty())
        continue;

      if (Fn->isLive() && Fn->isDSOLocal()) {
        FunctionInfo<FunctionSummary> Node;
        for (const auto &Access : Fn->paramAccesses()) {
          auto &Use =
              Node.Params
                  .emplace(Access.ParamNo,
                           FunctionSummary::ParamAccess::RangeWidth)
                  .first->second;
          Use.Range = Access.Use;
          for (const auto &Call : Access.Calls) {
            assert(!Call.Offsets.isFullSet());
            FunctionSummary *Callee =
                findCalleeFunctionSummary(Call.Callee, Fn->modulePath());
            ++NumCombinedCalleeLookupTotal;
            if (!Callee) {
              // Unresolvable callee: nothing is known about what it does with
              // the pointer, so the parameter is widened to FullSet and its
              // forwarded calls are discarded.
              ++NumCombinedCalleeLookupFailed;
              Use.Range = FullSet;
              Use.Calls.clear();
              break;
            }
            Use.Calls.emplace(CallInfo<FunctionSummary>(Callee, Call.ParamNo),
                              Call.Offsets);
          }
        }
        Functions.emplace(Fn, std::move(Node));
      }
      // Reset the data of every summary. Live, DSO-local summaries get theirs
      // back from the data-flow results below. Anything else will not be
      // accessed by the ThinLTO backend, so we can save on bitcode size.
      Fn->setParamAccesses({});
    }
  }

  NumCombinedDataFlowNodes += Functions.size();
  StackSafetyDataFlowAnalysis<FunctionSummary> SSDFA(
      FunctionSummary::ParamAccess::RangeWidth, std::move(Functions));
  for (const auto &Solved : SSDFA.run()) {
    std::vector<FunctionSummary::ParamAccess> Propagated;
    Propagated.reserve(Solved.second.Params.size());
    for (const auto &Param : Solved.second.Params) {
      // A FullSet entry is not needed: it is processed the same as a missing
      // value.
      if (Param.second.Range.isFullSet())
        continue;
      // Only the range is needed; Calls stay empty.
      Propagated.emplace_back(Param.first, Param.second.Range);
    }
    // The map key is a pointer-to-const, but the summary it points to was
    // obtained as a non-const FunctionSummary * from Index above.
    const_cast<FunctionSummary *>(Solved.first)
        ->setParamAccesses(std::move(Propagated));
  }

  CountParamAccesses(NumCombinedParamAccessesAfter);
}
1212
// Legacy pass-manager registration of the per-function wrapper pass. The two
// trailing macro arguments are the CFG-only flag (false) and the is-analysis
// flag (true).
static const char LocalPassArg[] = "stack-safety-local";
static const char LocalPassName[] = "Stack Safety Local Analysis";
INITIALIZE_PASS_BEGIN(StackSafetyInfoWrapperPass, LocalPassArg, LocalPassName,
                      false, true)
INITIALIZE_PASS_DEPENDENCY(ScalarEvolutionWrapperPass)
INITIALIZE_PASS_END(StackSafetyInfoWrapperPass, LocalPassArg, LocalPassName,
                    false, true)

// Registration of the module-level wrapper pass under the DEBUG_TYPE name. It
// depends on the per-function pass and on the immutable summary-index pass.
static const char GlobalPassName[] = "Stack Safety Analysis";
INITIALIZE_PASS_BEGIN(StackSafetyGlobalInfoWrapperPass, DEBUG_TYPE,
                      GlobalPassName, false, true)
INITIALIZE_PASS_DEPENDENCY(StackSafetyInfoWrapperPass)
INITIALIZE_PASS_DEPENDENCY(ImmutableModuleSummaryIndexWrapperPass)
INITIALIZE_PASS_END(StackSafetyGlobalInfoWrapperPass, DEBUG_TYPE,
                    GlobalPassName, false, true)
1228