1 //===- CFLAndersAliasAnalysis.cpp - Unification-based Alias Analysis ------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file implements a CFL-based, summary-based alias analysis algorithm. It
11 // differs from CFLSteensAliasAnalysis in its inclusion-based nature while
12 // CFLSteensAliasAnalysis is unification-based. This pass has worse performance
13 // than CFLSteensAliasAnalysis (the worst case complexity of
14 // CFLAndersAliasAnalysis is cubic, while the worst case complexity of
15 // CFLSteensAliasAnalysis is almost linear), but it is able to yield more
16 // precise analysis result. The precision of this analysis is roughly the same
17 // as that of an one level context-sensitive Andersen's algorithm.
18 //
19 // The algorithm used here is based on recursive state machine matching scheme
20 // proposed in "Demand-driven alias analysis for C" by Xin Zheng and Radu
21 // Rugina. The general idea is to extend the traditional transitive closure
22 // algorithm to perform CFL matching along the way: instead of recording
23 // "whether X is reachable from Y", we keep track of "whether X is reachable
24 // from Y at state Z", where the "state" field indicates where we are in the CFL
25 // matching process. To understand the matching better, it is advisable to have
26 // the state machine shown in Figure 3 of the paper available when reading the
27 // codes: all we do here is to selectively expand the transitive closure by
28 // discarding edges that are not recognized by the state machine.
29 //
30 // There are two differences between our current implementation and the one
31 // described in the paper:
32 // - Our algorithm eagerly computes all alias pairs after the CFLGraph is built,
33 // while in the paper the authors did the computation in a demand-driven
34 // fashion. We did not implement the demand-driven algorithm due to the
35 // additional coding complexity and higher memory profile, but if we found it
36 // necessary we may switch to it eventually.
37 // - In the paper the authors use a state machine that does not distinguish
38 // value reads from value writes. For example, if Y is reachable from X at state
39 // S3, it may be the case that X is written into Y, or it may be the case that
40 // there's a third value Z that writes into both X and Y. To make that
41 // distinction (which is crucial in building function summary as well as
42 // retrieving mod-ref info), we choose to duplicate some of the states in the
43 // paper's proposed state machine. The duplication does not change the set the
44 // machine accepts. Given a pair of reachable values, it only provides more
45 // detailed information on which value is being written into and which is being
46 // read from.
47 //
48 //===----------------------------------------------------------------------===//
49
50 // N.B. AliasAnalysis as a whole is phrased as a FunctionPass at the moment, and
51 // CFLAndersAA is interprocedural. This is *technically* A Bad Thing, because
52 // FunctionPasses are only allowed to inspect the Function that they're being
53 // run on. Realistically, this likely isn't a problem until we allow
54 // FunctionPasses to run concurrently.
55
56 #include "llvm/Analysis/CFLAndersAliasAnalysis.h"
57 #include "AliasAnalysisSummary.h"
58 #include "CFLGraph.h"
59 #include "llvm/ADT/DenseMap.h"
60 #include "llvm/ADT/DenseMapInfo.h"
61 #include "llvm/ADT/DenseSet.h"
62 #include "llvm/ADT/None.h"
63 #include "llvm/ADT/Optional.h"
64 #include "llvm/ADT/STLExtras.h"
65 #include "llvm/ADT/SmallVector.h"
66 #include "llvm/ADT/iterator_range.h"
67 #include "llvm/Analysis/AliasAnalysis.h"
68 #include "llvm/Analysis/MemoryLocation.h"
69 #include "llvm/IR/Argument.h"
70 #include "llvm/IR/Function.h"
71 #include "llvm/IR/PassManager.h"
72 #include "llvm/IR/Type.h"
73 #include "llvm/Pass.h"
74 #include "llvm/Support/Casting.h"
75 #include "llvm/Support/Compiler.h"
76 #include "llvm/Support/Debug.h"
77 #include "llvm/Support/raw_ostream.h"
78 #include <algorithm>
79 #include <bitset>
80 #include <cassert>
81 #include <cstddef>
82 #include <cstdint>
83 #include <functional>
84 #include <utility>
85 #include <vector>
86
87 using namespace llvm;
88 using namespace llvm::cflaa;
89
90 #define DEBUG_TYPE "cfl-anders-aa"
91
CFLAndersAAResult(const TargetLibraryInfo & TLI)92 CFLAndersAAResult::CFLAndersAAResult(const TargetLibraryInfo &TLI) : TLI(TLI) {}
CFLAndersAAResult(CFLAndersAAResult && RHS)93 CFLAndersAAResult::CFLAndersAAResult(CFLAndersAAResult &&RHS)
94 : AAResultBase(std::move(RHS)), TLI(RHS.TLI) {}
95 CFLAndersAAResult::~CFLAndersAAResult() = default;
96
97 namespace {
98
99 enum class MatchState : uint8_t {
100 // The following state represents S1 in the paper.
101 FlowFromReadOnly = 0,
102 // The following two states together represent S2 in the paper.
103 // The 'NoReadWrite' suffix indicates that there exists an alias path that
104 // does not contain assignment and reverse assignment edges.
105 // The 'ReadOnly' suffix indicates that there exists an alias path that
106 // contains reverse assignment edges only.
107 FlowFromMemAliasNoReadWrite,
108 FlowFromMemAliasReadOnly,
109 // The following two states together represent S3 in the paper.
110 // The 'WriteOnly' suffix indicates that there exists an alias path that
111 // contains assignment edges only.
112 // The 'ReadWrite' suffix indicates that there exists an alias path that
113 // contains both assignment and reverse assignment edges. Note that if X and Y
114 // are reachable at 'ReadWrite' state, it does NOT mean X is both read from
115 // and written to Y. Instead, it means that a third value Z is written to both
116 // X and Y.
117 FlowToWriteOnly,
118 FlowToReadWrite,
119 // The following two states together represent S4 in the paper.
120 FlowToMemAliasWriteOnly,
121 FlowToMemAliasReadWrite,
122 };
123
124 using StateSet = std::bitset<7>;
125
126 const unsigned ReadOnlyStateMask =
127 (1U << static_cast<uint8_t>(MatchState::FlowFromReadOnly)) |
128 (1U << static_cast<uint8_t>(MatchState::FlowFromMemAliasReadOnly));
129 const unsigned WriteOnlyStateMask =
130 (1U << static_cast<uint8_t>(MatchState::FlowToWriteOnly)) |
131 (1U << static_cast<uint8_t>(MatchState::FlowToMemAliasWriteOnly));
132
133 // A pair that consists of a value and an offset
134 struct OffsetValue {
135 const Value *Val;
136 int64_t Offset;
137 };
138
operator ==(OffsetValue LHS,OffsetValue RHS)139 bool operator==(OffsetValue LHS, OffsetValue RHS) {
140 return LHS.Val == RHS.Val && LHS.Offset == RHS.Offset;
141 }
operator <(OffsetValue LHS,OffsetValue RHS)142 bool operator<(OffsetValue LHS, OffsetValue RHS) {
143 return std::less<const Value *>()(LHS.Val, RHS.Val) ||
144 (LHS.Val == RHS.Val && LHS.Offset < RHS.Offset);
145 }
146
147 // A pair that consists of an InstantiatedValue and an offset
148 struct OffsetInstantiatedValue {
149 InstantiatedValue IVal;
150 int64_t Offset;
151 };
152
operator ==(OffsetInstantiatedValue LHS,OffsetInstantiatedValue RHS)153 bool operator==(OffsetInstantiatedValue LHS, OffsetInstantiatedValue RHS) {
154 return LHS.IVal == RHS.IVal && LHS.Offset == RHS.Offset;
155 }
156
157 // We use ReachabilitySet to keep track of value aliases (The nonterminal "V" in
158 // the paper) during the analysis.
159 class ReachabilitySet {
160 using ValueStateMap = DenseMap<InstantiatedValue, StateSet>;
161 using ValueReachMap = DenseMap<InstantiatedValue, ValueStateMap>;
162
163 ValueReachMap ReachMap;
164
165 public:
166 using const_valuestate_iterator = ValueStateMap::const_iterator;
167 using const_value_iterator = ValueReachMap::const_iterator;
168
169 // Insert edge 'From->To' at state 'State'
insert(InstantiatedValue From,InstantiatedValue To,MatchState State)170 bool insert(InstantiatedValue From, InstantiatedValue To, MatchState State) {
171 assert(From != To);
172 auto &States = ReachMap[To][From];
173 auto Idx = static_cast<size_t>(State);
174 if (!States.test(Idx)) {
175 States.set(Idx);
176 return true;
177 }
178 return false;
179 }
180
181 // Return the set of all ('From', 'State') pair for a given node 'To'
182 iterator_range<const_valuestate_iterator>
reachableValueAliases(InstantiatedValue V) const183 reachableValueAliases(InstantiatedValue V) const {
184 auto Itr = ReachMap.find(V);
185 if (Itr == ReachMap.end())
186 return make_range<const_valuestate_iterator>(const_valuestate_iterator(),
187 const_valuestate_iterator());
188 return make_range<const_valuestate_iterator>(Itr->second.begin(),
189 Itr->second.end());
190 }
191
value_mappings() const192 iterator_range<const_value_iterator> value_mappings() const {
193 return make_range<const_value_iterator>(ReachMap.begin(), ReachMap.end());
194 }
195 };
196
197 // We use AliasMemSet to keep track of all memory aliases (the nonterminal "M"
198 // in the paper) during the analysis.
199 class AliasMemSet {
200 using MemSet = DenseSet<InstantiatedValue>;
201 using MemMapType = DenseMap<InstantiatedValue, MemSet>;
202
203 MemMapType MemMap;
204
205 public:
206 using const_mem_iterator = MemSet::const_iterator;
207
insert(InstantiatedValue LHS,InstantiatedValue RHS)208 bool insert(InstantiatedValue LHS, InstantiatedValue RHS) {
209 // Top-level values can never be memory aliases because one cannot take the
210 // addresses of them
211 assert(LHS.DerefLevel > 0 && RHS.DerefLevel > 0);
212 return MemMap[LHS].insert(RHS).second;
213 }
214
getMemoryAliases(InstantiatedValue V) const215 const MemSet *getMemoryAliases(InstantiatedValue V) const {
216 auto Itr = MemMap.find(V);
217 if (Itr == MemMap.end())
218 return nullptr;
219 return &Itr->second;
220 }
221 };
222
223 // We use AliasAttrMap to keep track of the AliasAttr of each node.
224 class AliasAttrMap {
225 using MapType = DenseMap<InstantiatedValue, AliasAttrs>;
226
227 MapType AttrMap;
228
229 public:
230 using const_iterator = MapType::const_iterator;
231
add(InstantiatedValue V,AliasAttrs Attr)232 bool add(InstantiatedValue V, AliasAttrs Attr) {
233 auto &OldAttr = AttrMap[V];
234 auto NewAttr = OldAttr | Attr;
235 if (OldAttr == NewAttr)
236 return false;
237 OldAttr = NewAttr;
238 return true;
239 }
240
getAttrs(InstantiatedValue V) const241 AliasAttrs getAttrs(InstantiatedValue V) const {
242 AliasAttrs Attr;
243 auto Itr = AttrMap.find(V);
244 if (Itr != AttrMap.end())
245 Attr = Itr->second;
246 return Attr;
247 }
248
mappings() const249 iterator_range<const_iterator> mappings() const {
250 return make_range<const_iterator>(AttrMap.begin(), AttrMap.end());
251 }
252 };
253
254 struct WorkListItem {
255 InstantiatedValue From;
256 InstantiatedValue To;
257 MatchState State;
258 };
259
260 struct ValueSummary {
261 struct Record {
262 InterfaceValue IValue;
263 unsigned DerefLevel;
264 };
265 SmallVector<Record, 4> FromRecords, ToRecords;
266 };
267
268 } // end anonymous namespace
269
270 namespace llvm {
271
272 // Specialize DenseMapInfo for OffsetValue.
273 template <> struct DenseMapInfo<OffsetValue> {
getEmptyKeyllvm::DenseMapInfo274 static OffsetValue getEmptyKey() {
275 return OffsetValue{DenseMapInfo<const Value *>::getEmptyKey(),
276 DenseMapInfo<int64_t>::getEmptyKey()};
277 }
278
getTombstoneKeyllvm::DenseMapInfo279 static OffsetValue getTombstoneKey() {
280 return OffsetValue{DenseMapInfo<const Value *>::getTombstoneKey(),
281 DenseMapInfo<int64_t>::getEmptyKey()};
282 }
283
getHashValuellvm::DenseMapInfo284 static unsigned getHashValue(const OffsetValue &OVal) {
285 return DenseMapInfo<std::pair<const Value *, int64_t>>::getHashValue(
286 std::make_pair(OVal.Val, OVal.Offset));
287 }
288
isEqualllvm::DenseMapInfo289 static bool isEqual(const OffsetValue &LHS, const OffsetValue &RHS) {
290 return LHS == RHS;
291 }
292 };
293
294 // Specialize DenseMapInfo for OffsetInstantiatedValue.
295 template <> struct DenseMapInfo<OffsetInstantiatedValue> {
getEmptyKeyllvm::DenseMapInfo296 static OffsetInstantiatedValue getEmptyKey() {
297 return OffsetInstantiatedValue{
298 DenseMapInfo<InstantiatedValue>::getEmptyKey(),
299 DenseMapInfo<int64_t>::getEmptyKey()};
300 }
301
getTombstoneKeyllvm::DenseMapInfo302 static OffsetInstantiatedValue getTombstoneKey() {
303 return OffsetInstantiatedValue{
304 DenseMapInfo<InstantiatedValue>::getTombstoneKey(),
305 DenseMapInfo<int64_t>::getEmptyKey()};
306 }
307
getHashValuellvm::DenseMapInfo308 static unsigned getHashValue(const OffsetInstantiatedValue &OVal) {
309 return DenseMapInfo<std::pair<InstantiatedValue, int64_t>>::getHashValue(
310 std::make_pair(OVal.IVal, OVal.Offset));
311 }
312
isEqualllvm::DenseMapInfo313 static bool isEqual(const OffsetInstantiatedValue &LHS,
314 const OffsetInstantiatedValue &RHS) {
315 return LHS == RHS;
316 }
317 };
318
319 } // end namespace llvm
320
321 class CFLAndersAAResult::FunctionInfo {
322 /// Map a value to other values that may alias it
323 /// Since the alias relation is symmetric, to save some space we assume values
324 /// are properly ordered: if a and b alias each other, and a < b, then b is in
325 /// AliasMap[a] but not vice versa.
326 DenseMap<const Value *, std::vector<OffsetValue>> AliasMap;
327
328 /// Map a value to its corresponding AliasAttrs
329 DenseMap<const Value *, AliasAttrs> AttrMap;
330
331 /// Summary of externally visible effects.
332 AliasSummary Summary;
333
334 Optional<AliasAttrs> getAttrs(const Value *) const;
335
336 public:
337 FunctionInfo(const Function &, const SmallVectorImpl<Value *> &,
338 const ReachabilitySet &, const AliasAttrMap &);
339
340 bool mayAlias(const Value *, LocationSize, const Value *, LocationSize) const;
getAliasSummary() const341 const AliasSummary &getAliasSummary() const { return Summary; }
342 };
343
hasReadOnlyState(StateSet Set)344 static bool hasReadOnlyState(StateSet Set) {
345 return (Set & StateSet(ReadOnlyStateMask)).any();
346 }
347
hasWriteOnlyState(StateSet Set)348 static bool hasWriteOnlyState(StateSet Set) {
349 return (Set & StateSet(WriteOnlyStateMask)).any();
350 }
351
352 static Optional<InterfaceValue>
getInterfaceValue(InstantiatedValue IValue,const SmallVectorImpl<Value * > & RetVals)353 getInterfaceValue(InstantiatedValue IValue,
354 const SmallVectorImpl<Value *> &RetVals) {
355 auto Val = IValue.Val;
356
357 Optional<unsigned> Index;
358 if (auto Arg = dyn_cast<Argument>(Val))
359 Index = Arg->getArgNo() + 1;
360 else if (is_contained(RetVals, Val))
361 Index = 0;
362
363 if (Index)
364 return InterfaceValue{*Index, IValue.DerefLevel};
365 return None;
366 }
367
populateAttrMap(DenseMap<const Value *,AliasAttrs> & AttrMap,const AliasAttrMap & AMap)368 static void populateAttrMap(DenseMap<const Value *, AliasAttrs> &AttrMap,
369 const AliasAttrMap &AMap) {
370 for (const auto &Mapping : AMap.mappings()) {
371 auto IVal = Mapping.first;
372
373 // Insert IVal into the map
374 auto &Attr = AttrMap[IVal.Val];
375 // AttrMap only cares about top-level values
376 if (IVal.DerefLevel == 0)
377 Attr |= Mapping.second;
378 }
379 }
380
381 static void
populateAliasMap(DenseMap<const Value *,std::vector<OffsetValue>> & AliasMap,const ReachabilitySet & ReachSet)382 populateAliasMap(DenseMap<const Value *, std::vector<OffsetValue>> &AliasMap,
383 const ReachabilitySet &ReachSet) {
384 for (const auto &OuterMapping : ReachSet.value_mappings()) {
385 // AliasMap only cares about top-level values
386 if (OuterMapping.first.DerefLevel > 0)
387 continue;
388
389 auto Val = OuterMapping.first.Val;
390 auto &AliasList = AliasMap[Val];
391 for (const auto &InnerMapping : OuterMapping.second) {
392 // Again, AliasMap only cares about top-level values
393 if (InnerMapping.first.DerefLevel == 0)
394 AliasList.push_back(OffsetValue{InnerMapping.first.Val, UnknownOffset});
395 }
396
397 // Sort AliasList for faster lookup
398 llvm::sort(AliasList);
399 }
400 }
401
populateExternalRelations(SmallVectorImpl<ExternalRelation> & ExtRelations,const Function & Fn,const SmallVectorImpl<Value * > & RetVals,const ReachabilitySet & ReachSet)402 static void populateExternalRelations(
403 SmallVectorImpl<ExternalRelation> &ExtRelations, const Function &Fn,
404 const SmallVectorImpl<Value *> &RetVals, const ReachabilitySet &ReachSet) {
405 // If a function only returns one of its argument X, then X will be both an
406 // argument and a return value at the same time. This is an edge case that
407 // needs special handling here.
408 for (const auto &Arg : Fn.args()) {
409 if (is_contained(RetVals, &Arg)) {
410 auto ArgVal = InterfaceValue{Arg.getArgNo() + 1, 0};
411 auto RetVal = InterfaceValue{0, 0};
412 ExtRelations.push_back(ExternalRelation{ArgVal, RetVal, 0});
413 }
414 }
415
416 // Below is the core summary construction logic.
417 // A naive solution of adding only the value aliases that are parameters or
418 // return values in ReachSet to the summary won't work: It is possible that a
419 // parameter P is written into an intermediate value I, and the function
420 // subsequently returns *I. In that case, *I is does not value alias anything
421 // in ReachSet, and the naive solution will miss a summary edge from (P, 1) to
422 // (I, 1).
423 // To account for the aforementioned case, we need to check each non-parameter
424 // and non-return value for the possibility of acting as an intermediate.
425 // 'ValueMap' here records, for each value, which InterfaceValues read from or
426 // write into it. If both the read list and the write list of a given value
427 // are non-empty, we know that a particular value is an intermidate and we
428 // need to add summary edges from the writes to the reads.
429 DenseMap<Value *, ValueSummary> ValueMap;
430 for (const auto &OuterMapping : ReachSet.value_mappings()) {
431 if (auto Dst = getInterfaceValue(OuterMapping.first, RetVals)) {
432 for (const auto &InnerMapping : OuterMapping.second) {
433 // If Src is a param/return value, we get a same-level assignment.
434 if (auto Src = getInterfaceValue(InnerMapping.first, RetVals)) {
435 // This may happen if both Dst and Src are return values
436 if (*Dst == *Src)
437 continue;
438
439 if (hasReadOnlyState(InnerMapping.second))
440 ExtRelations.push_back(ExternalRelation{*Dst, *Src, UnknownOffset});
441 // No need to check for WriteOnly state, since ReachSet is symmetric
442 } else {
443 // If Src is not a param/return, add it to ValueMap
444 auto SrcIVal = InnerMapping.first;
445 if (hasReadOnlyState(InnerMapping.second))
446 ValueMap[SrcIVal.Val].FromRecords.push_back(
447 ValueSummary::Record{*Dst, SrcIVal.DerefLevel});
448 if (hasWriteOnlyState(InnerMapping.second))
449 ValueMap[SrcIVal.Val].ToRecords.push_back(
450 ValueSummary::Record{*Dst, SrcIVal.DerefLevel});
451 }
452 }
453 }
454 }
455
456 for (const auto &Mapping : ValueMap) {
457 for (const auto &FromRecord : Mapping.second.FromRecords) {
458 for (const auto &ToRecord : Mapping.second.ToRecords) {
459 auto ToLevel = ToRecord.DerefLevel;
460 auto FromLevel = FromRecord.DerefLevel;
461 // Same-level assignments should have already been processed by now
462 if (ToLevel == FromLevel)
463 continue;
464
465 auto SrcIndex = FromRecord.IValue.Index;
466 auto SrcLevel = FromRecord.IValue.DerefLevel;
467 auto DstIndex = ToRecord.IValue.Index;
468 auto DstLevel = ToRecord.IValue.DerefLevel;
469 if (ToLevel > FromLevel)
470 SrcLevel += ToLevel - FromLevel;
471 else
472 DstLevel += FromLevel - ToLevel;
473
474 ExtRelations.push_back(ExternalRelation{
475 InterfaceValue{SrcIndex, SrcLevel},
476 InterfaceValue{DstIndex, DstLevel}, UnknownOffset});
477 }
478 }
479 }
480
481 // Remove duplicates in ExtRelations
482 llvm::sort(ExtRelations);
483 ExtRelations.erase(std::unique(ExtRelations.begin(), ExtRelations.end()),
484 ExtRelations.end());
485 }
486
populateExternalAttributes(SmallVectorImpl<ExternalAttribute> & ExtAttributes,const Function & Fn,const SmallVectorImpl<Value * > & RetVals,const AliasAttrMap & AMap)487 static void populateExternalAttributes(
488 SmallVectorImpl<ExternalAttribute> &ExtAttributes, const Function &Fn,
489 const SmallVectorImpl<Value *> &RetVals, const AliasAttrMap &AMap) {
490 for (const auto &Mapping : AMap.mappings()) {
491 if (auto IVal = getInterfaceValue(Mapping.first, RetVals)) {
492 auto Attr = getExternallyVisibleAttrs(Mapping.second);
493 if (Attr.any())
494 ExtAttributes.push_back(ExternalAttribute{*IVal, Attr});
495 }
496 }
497 }
498
FunctionInfo(const Function & Fn,const SmallVectorImpl<Value * > & RetVals,const ReachabilitySet & ReachSet,const AliasAttrMap & AMap)499 CFLAndersAAResult::FunctionInfo::FunctionInfo(
500 const Function &Fn, const SmallVectorImpl<Value *> &RetVals,
501 const ReachabilitySet &ReachSet, const AliasAttrMap &AMap) {
502 populateAttrMap(AttrMap, AMap);
503 populateExternalAttributes(Summary.RetParamAttributes, Fn, RetVals, AMap);
504 populateAliasMap(AliasMap, ReachSet);
505 populateExternalRelations(Summary.RetParamRelations, Fn, RetVals, ReachSet);
506 }
507
508 Optional<AliasAttrs>
getAttrs(const Value * V) const509 CFLAndersAAResult::FunctionInfo::getAttrs(const Value *V) const {
510 assert(V != nullptr);
511
512 auto Itr = AttrMap.find(V);
513 if (Itr != AttrMap.end())
514 return Itr->second;
515 return None;
516 }
517
mayAlias(const Value * LHS,LocationSize MaybeLHSSize,const Value * RHS,LocationSize MaybeRHSSize) const518 bool CFLAndersAAResult::FunctionInfo::mayAlias(
519 const Value *LHS, LocationSize MaybeLHSSize, const Value *RHS,
520 LocationSize MaybeRHSSize) const {
521 assert(LHS && RHS);
522
523 // Check if we've seen LHS and RHS before. Sometimes LHS or RHS can be created
524 // after the analysis gets executed, and we want to be conservative in those
525 // cases.
526 auto MaybeAttrsA = getAttrs(LHS);
527 auto MaybeAttrsB = getAttrs(RHS);
528 if (!MaybeAttrsA || !MaybeAttrsB)
529 return true;
530
531 // Check AliasAttrs before AliasMap lookup since it's cheaper
532 auto AttrsA = *MaybeAttrsA;
533 auto AttrsB = *MaybeAttrsB;
534 if (hasUnknownOrCallerAttr(AttrsA))
535 return AttrsB.any();
536 if (hasUnknownOrCallerAttr(AttrsB))
537 return AttrsA.any();
538 if (isGlobalOrArgAttr(AttrsA))
539 return isGlobalOrArgAttr(AttrsB);
540 if (isGlobalOrArgAttr(AttrsB))
541 return isGlobalOrArgAttr(AttrsA);
542
543 // At this point both LHS and RHS should point to locally allocated objects
544
545 auto Itr = AliasMap.find(LHS);
546 if (Itr != AliasMap.end()) {
547
548 // Find out all (X, Offset) where X == RHS
549 auto Comparator = [](OffsetValue LHS, OffsetValue RHS) {
550 return std::less<const Value *>()(LHS.Val, RHS.Val);
551 };
552 #ifdef EXPENSIVE_CHECKS
553 assert(std::is_sorted(Itr->second.begin(), Itr->second.end(), Comparator));
554 #endif
555 auto RangePair = std::equal_range(Itr->second.begin(), Itr->second.end(),
556 OffsetValue{RHS, 0}, Comparator);
557
558 if (RangePair.first != RangePair.second) {
559 // Be conservative about unknown sizes
560 if (MaybeLHSSize == LocationSize::unknown() ||
561 MaybeRHSSize == LocationSize::unknown())
562 return true;
563
564 const uint64_t LHSSize = MaybeLHSSize.getValue();
565 const uint64_t RHSSize = MaybeRHSSize.getValue();
566
567 for (const auto &OVal : make_range(RangePair)) {
568 // Be conservative about UnknownOffset
569 if (OVal.Offset == UnknownOffset)
570 return true;
571
572 // We know that LHS aliases (RHS + OVal.Offset) if the control flow
573 // reaches here. The may-alias query essentially becomes integer
574 // range-overlap queries over two ranges [OVal.Offset, OVal.Offset +
575 // LHSSize) and [0, RHSSize).
576
577 // Try to be conservative on super large offsets
578 if (LLVM_UNLIKELY(LHSSize > INT64_MAX || RHSSize > INT64_MAX))
579 return true;
580
581 auto LHSStart = OVal.Offset;
582 // FIXME: Do we need to guard against integer overflow?
583 auto LHSEnd = OVal.Offset + static_cast<int64_t>(LHSSize);
584 auto RHSStart = 0;
585 auto RHSEnd = static_cast<int64_t>(RHSSize);
586 if (LHSEnd > RHSStart && LHSStart < RHSEnd)
587 return true;
588 }
589 }
590 }
591
592 return false;
593 }
594
propagate(InstantiatedValue From,InstantiatedValue To,MatchState State,ReachabilitySet & ReachSet,std::vector<WorkListItem> & WorkList)595 static void propagate(InstantiatedValue From, InstantiatedValue To,
596 MatchState State, ReachabilitySet &ReachSet,
597 std::vector<WorkListItem> &WorkList) {
598 if (From == To)
599 return;
600 if (ReachSet.insert(From, To, State))
601 WorkList.push_back(WorkListItem{From, To, State});
602 }
603
initializeWorkList(std::vector<WorkListItem> & WorkList,ReachabilitySet & ReachSet,const CFLGraph & Graph)604 static void initializeWorkList(std::vector<WorkListItem> &WorkList,
605 ReachabilitySet &ReachSet,
606 const CFLGraph &Graph) {
607 for (const auto &Mapping : Graph.value_mappings()) {
608 auto Val = Mapping.first;
609 auto &ValueInfo = Mapping.second;
610 assert(ValueInfo.getNumLevels() > 0);
611
612 // Insert all immediate assignment neighbors to the worklist
613 for (unsigned I = 0, E = ValueInfo.getNumLevels(); I < E; ++I) {
614 auto Src = InstantiatedValue{Val, I};
615 // If there's an assignment edge from X to Y, it means Y is reachable from
616 // X at S2 and X is reachable from Y at S1
617 for (auto &Edge : ValueInfo.getNodeInfoAtLevel(I).Edges) {
618 propagate(Edge.Other, Src, MatchState::FlowFromReadOnly, ReachSet,
619 WorkList);
620 propagate(Src, Edge.Other, MatchState::FlowToWriteOnly, ReachSet,
621 WorkList);
622 }
623 }
624 }
625 }
626
getNodeBelow(const CFLGraph & Graph,InstantiatedValue V)627 static Optional<InstantiatedValue> getNodeBelow(const CFLGraph &Graph,
628 InstantiatedValue V) {
629 auto NodeBelow = InstantiatedValue{V.Val, V.DerefLevel + 1};
630 if (Graph.getNode(NodeBelow))
631 return NodeBelow;
632 return None;
633 }
634
processWorkListItem(const WorkListItem & Item,const CFLGraph & Graph,ReachabilitySet & ReachSet,AliasMemSet & MemSet,std::vector<WorkListItem> & WorkList)635 static void processWorkListItem(const WorkListItem &Item, const CFLGraph &Graph,
636 ReachabilitySet &ReachSet, AliasMemSet &MemSet,
637 std::vector<WorkListItem> &WorkList) {
638 auto FromNode = Item.From;
639 auto ToNode = Item.To;
640
641 auto NodeInfo = Graph.getNode(ToNode);
642 assert(NodeInfo != nullptr);
643
644 // TODO: propagate field offsets
645
646 // FIXME: Here is a neat trick we can do: since both ReachSet and MemSet holds
647 // relations that are symmetric, we could actually cut the storage by half by
648 // sorting FromNode and ToNode before insertion happens.
649
650 // The newly added value alias pair may potentially generate more memory
651 // alias pairs. Check for them here.
652 auto FromNodeBelow = getNodeBelow(Graph, FromNode);
653 auto ToNodeBelow = getNodeBelow(Graph, ToNode);
654 if (FromNodeBelow && ToNodeBelow &&
655 MemSet.insert(*FromNodeBelow, *ToNodeBelow)) {
656 propagate(*FromNodeBelow, *ToNodeBelow,
657 MatchState::FlowFromMemAliasNoReadWrite, ReachSet, WorkList);
658 for (const auto &Mapping : ReachSet.reachableValueAliases(*FromNodeBelow)) {
659 auto Src = Mapping.first;
660 auto MemAliasPropagate = [&](MatchState FromState, MatchState ToState) {
661 if (Mapping.second.test(static_cast<size_t>(FromState)))
662 propagate(Src, *ToNodeBelow, ToState, ReachSet, WorkList);
663 };
664
665 MemAliasPropagate(MatchState::FlowFromReadOnly,
666 MatchState::FlowFromMemAliasReadOnly);
667 MemAliasPropagate(MatchState::FlowToWriteOnly,
668 MatchState::FlowToMemAliasWriteOnly);
669 MemAliasPropagate(MatchState::FlowToReadWrite,
670 MatchState::FlowToMemAliasReadWrite);
671 }
672 }
673
674 // This is the core of the state machine walking algorithm. We expand ReachSet
675 // based on which state we are at (which in turn dictates what edges we
676 // should examine)
677 // From a high-level point of view, the state machine here guarantees two
678 // properties:
679 // - If *X and *Y are memory aliases, then X and Y are value aliases
680 // - If Y is an alias of X, then reverse assignment edges (if there is any)
681 // should precede any assignment edges on the path from X to Y.
682 auto NextAssignState = [&](MatchState State) {
683 for (const auto &AssignEdge : NodeInfo->Edges)
684 propagate(FromNode, AssignEdge.Other, State, ReachSet, WorkList);
685 };
686 auto NextRevAssignState = [&](MatchState State) {
687 for (const auto &RevAssignEdge : NodeInfo->ReverseEdges)
688 propagate(FromNode, RevAssignEdge.Other, State, ReachSet, WorkList);
689 };
690 auto NextMemState = [&](MatchState State) {
691 if (auto AliasSet = MemSet.getMemoryAliases(ToNode)) {
692 for (const auto &MemAlias : *AliasSet)
693 propagate(FromNode, MemAlias, State, ReachSet, WorkList);
694 }
695 };
696
697 switch (Item.State) {
698 case MatchState::FlowFromReadOnly:
699 NextRevAssignState(MatchState::FlowFromReadOnly);
700 NextAssignState(MatchState::FlowToReadWrite);
701 NextMemState(MatchState::FlowFromMemAliasReadOnly);
702 break;
703
704 case MatchState::FlowFromMemAliasNoReadWrite:
705 NextRevAssignState(MatchState::FlowFromReadOnly);
706 NextAssignState(MatchState::FlowToWriteOnly);
707 break;
708
709 case MatchState::FlowFromMemAliasReadOnly:
710 NextRevAssignState(MatchState::FlowFromReadOnly);
711 NextAssignState(MatchState::FlowToReadWrite);
712 break;
713
714 case MatchState::FlowToWriteOnly:
715 NextAssignState(MatchState::FlowToWriteOnly);
716 NextMemState(MatchState::FlowToMemAliasWriteOnly);
717 break;
718
719 case MatchState::FlowToReadWrite:
720 NextAssignState(MatchState::FlowToReadWrite);
721 NextMemState(MatchState::FlowToMemAliasReadWrite);
722 break;
723
724 case MatchState::FlowToMemAliasWriteOnly:
725 NextAssignState(MatchState::FlowToWriteOnly);
726 break;
727
728 case MatchState::FlowToMemAliasReadWrite:
729 NextAssignState(MatchState::FlowToReadWrite);
730 break;
731 }
732 }
733
buildAttrMap(const CFLGraph & Graph,const ReachabilitySet & ReachSet)734 static AliasAttrMap buildAttrMap(const CFLGraph &Graph,
735 const ReachabilitySet &ReachSet) {
736 AliasAttrMap AttrMap;
737 std::vector<InstantiatedValue> WorkList, NextList;
738
739 // Initialize each node with its original AliasAttrs in CFLGraph
740 for (const auto &Mapping : Graph.value_mappings()) {
741 auto Val = Mapping.first;
742 auto &ValueInfo = Mapping.second;
743 for (unsigned I = 0, E = ValueInfo.getNumLevels(); I < E; ++I) {
744 auto Node = InstantiatedValue{Val, I};
745 AttrMap.add(Node, ValueInfo.getNodeInfoAtLevel(I).Attr);
746 WorkList.push_back(Node);
747 }
748 }
749
750 while (!WorkList.empty()) {
751 for (const auto &Dst : WorkList) {
752 auto DstAttr = AttrMap.getAttrs(Dst);
753 if (DstAttr.none())
754 continue;
755
756 // Propagate attr on the same level
757 for (const auto &Mapping : ReachSet.reachableValueAliases(Dst)) {
758 auto Src = Mapping.first;
759 if (AttrMap.add(Src, DstAttr))
760 NextList.push_back(Src);
761 }
762
763 // Propagate attr to the levels below
764 auto DstBelow = getNodeBelow(Graph, Dst);
765 while (DstBelow) {
766 if (AttrMap.add(*DstBelow, DstAttr)) {
767 NextList.push_back(*DstBelow);
768 break;
769 }
770 DstBelow = getNodeBelow(Graph, *DstBelow);
771 }
772 }
773 WorkList.swap(NextList);
774 NextList.clear();
775 }
776
777 return AttrMap;
778 }
779
780 CFLAndersAAResult::FunctionInfo
buildInfoFrom(const Function & Fn)781 CFLAndersAAResult::buildInfoFrom(const Function &Fn) {
782 CFLGraphBuilder<CFLAndersAAResult> GraphBuilder(
783 *this, TLI,
784 // Cast away the constness here due to GraphBuilder's API requirement
785 const_cast<Function &>(Fn));
786 auto &Graph = GraphBuilder.getCFLGraph();
787
788 ReachabilitySet ReachSet;
789 AliasMemSet MemSet;
790
791 std::vector<WorkListItem> WorkList, NextList;
792 initializeWorkList(WorkList, ReachSet, Graph);
793 // TODO: make sure we don't stop before the fix point is reached
794 while (!WorkList.empty()) {
795 for (const auto &Item : WorkList)
796 processWorkListItem(Item, Graph, ReachSet, MemSet, NextList);
797
798 NextList.swap(WorkList);
799 NextList.clear();
800 }
801
802 // Now that we have all the reachability info, propagate AliasAttrs according
803 // to it
804 auto IValueAttrMap = buildAttrMap(Graph, ReachSet);
805
806 return FunctionInfo(Fn, GraphBuilder.getReturnValues(), ReachSet,
807 std::move(IValueAttrMap));
808 }
809
scan(const Function & Fn)810 void CFLAndersAAResult::scan(const Function &Fn) {
811 auto InsertPair = Cache.insert(std::make_pair(&Fn, Optional<FunctionInfo>()));
812 (void)InsertPair;
813 assert(InsertPair.second &&
814 "Trying to scan a function that has already been cached");
815
816 // Note that we can't do Cache[Fn] = buildSetsFrom(Fn) here: the function call
817 // may get evaluated after operator[], potentially triggering a DenseMap
818 // resize and invalidating the reference returned by operator[]
819 auto FunInfo = buildInfoFrom(Fn);
820 Cache[&Fn] = std::move(FunInfo);
821 Handles.emplace_front(const_cast<Function *>(&Fn), this);
822 }
823
evict(const Function * Fn)824 void CFLAndersAAResult::evict(const Function *Fn) { Cache.erase(Fn); }
825
826 const Optional<CFLAndersAAResult::FunctionInfo> &
ensureCached(const Function & Fn)827 CFLAndersAAResult::ensureCached(const Function &Fn) {
828 auto Iter = Cache.find(&Fn);
829 if (Iter == Cache.end()) {
830 scan(Fn);
831 Iter = Cache.find(&Fn);
832 assert(Iter != Cache.end());
833 assert(Iter->second.hasValue());
834 }
835 return Iter->second;
836 }
837
getAliasSummary(const Function & Fn)838 const AliasSummary *CFLAndersAAResult::getAliasSummary(const Function &Fn) {
839 auto &FunInfo = ensureCached(Fn);
840 if (FunInfo.hasValue())
841 return &FunInfo->getAliasSummary();
842 else
843 return nullptr;
844 }
845
query(const MemoryLocation & LocA,const MemoryLocation & LocB)846 AliasResult CFLAndersAAResult::query(const MemoryLocation &LocA,
847 const MemoryLocation &LocB) {
848 auto *ValA = LocA.Ptr;
849 auto *ValB = LocB.Ptr;
850
851 if (!ValA->getType()->isPointerTy() || !ValB->getType()->isPointerTy())
852 return NoAlias;
853
854 auto *Fn = parentFunctionOfValue(ValA);
855 if (!Fn) {
856 Fn = parentFunctionOfValue(ValB);
857 if (!Fn) {
858 // The only times this is known to happen are when globals + InlineAsm are
859 // involved
860 LLVM_DEBUG(
861 dbgs()
862 << "CFLAndersAA: could not extract parent function information.\n");
863 return MayAlias;
864 }
865 } else {
866 assert(!parentFunctionOfValue(ValB) || parentFunctionOfValue(ValB) == Fn);
867 }
868
869 assert(Fn != nullptr);
870 auto &FunInfo = ensureCached(*Fn);
871
872 // AliasMap lookup
873 if (FunInfo->mayAlias(ValA, LocA.Size, ValB, LocB.Size))
874 return MayAlias;
875 return NoAlias;
876 }
877
alias(const MemoryLocation & LocA,const MemoryLocation & LocB)878 AliasResult CFLAndersAAResult::alias(const MemoryLocation &LocA,
879 const MemoryLocation &LocB) {
880 if (LocA.Ptr == LocB.Ptr)
881 return MustAlias;
882
883 // Comparisons between global variables and other constants should be
884 // handled by BasicAA.
885 // CFLAndersAA may report NoAlias when comparing a GlobalValue and
886 // ConstantExpr, but every query needs to have at least one Value tied to a
887 // Function, and neither GlobalValues nor ConstantExprs are.
888 if (isa<Constant>(LocA.Ptr) && isa<Constant>(LocB.Ptr))
889 return AAResultBase::alias(LocA, LocB);
890
891 AliasResult QueryResult = query(LocA, LocB);
892 if (QueryResult == MayAlias)
893 return AAResultBase::alias(LocA, LocB);
894
895 return QueryResult;
896 }
897
898 AnalysisKey CFLAndersAA::Key;
899
run(Function & F,FunctionAnalysisManager & AM)900 CFLAndersAAResult CFLAndersAA::run(Function &F, FunctionAnalysisManager &AM) {
901 return CFLAndersAAResult(AM.getResult<TargetLibraryAnalysis>(F));
902 }
903
904 char CFLAndersAAWrapperPass::ID = 0;
905 INITIALIZE_PASS(CFLAndersAAWrapperPass, "cfl-anders-aa",
906 "Inclusion-Based CFL Alias Analysis", false, true)
907
createCFLAndersAAWrapperPass()908 ImmutablePass *llvm::createCFLAndersAAWrapperPass() {
909 return new CFLAndersAAWrapperPass();
910 }
911
CFLAndersAAWrapperPass()912 CFLAndersAAWrapperPass::CFLAndersAAWrapperPass() : ImmutablePass(ID) {
913 initializeCFLAndersAAWrapperPassPass(*PassRegistry::getPassRegistry());
914 }
915
initializePass()916 void CFLAndersAAWrapperPass::initializePass() {
917 auto &TLIWP = getAnalysis<TargetLibraryInfoWrapperPass>();
918 Result.reset(new CFLAndersAAResult(TLIWP.getTLI()));
919 }
920
getAnalysisUsage(AnalysisUsage & AU) const921 void CFLAndersAAWrapperPass::getAnalysisUsage(AnalysisUsage &AU) const {
922 AU.setPreservesAll();
923 AU.addRequired<TargetLibraryInfoWrapperPass>();
924 }
925