1 //===-- Lint.cpp - Check for common errors in LLVM IR ---------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This pass statically checks for common and easily-identified constructs 11 // which produce undefined or likely unintended behavior in LLVM IR. 12 // 13 // It is not a guarantee of correctness, in two ways. First, it isn't 14 // comprehensive. There are checks which could be done statically which are 15 // not yet implemented. Some of these are indicated by TODO comments, but 16 // those aren't comprehensive either. Second, many conditions cannot be 17 // checked statically. This pass does no dynamic instrumentation, so it 18 // can't check for all possible problems. 19 // 20 // Another limitation is that it assumes all code will be executed. A store 21 // through a null pointer in a basic block which is never reached is harmless, 22 // but this pass will warn about it anyway. This is the main reason why most 23 // of these checks live here instead of in the Verifier pass. 24 // 25 // Optimization passes may make conditions that this pass checks for more or 26 // less obvious. If an optimization pass appears to be introducing a warning, 27 // it may be that the optimization pass is merely exposing an existing 28 // condition in the code. 29 // 30 // This code may be run before instcombine. In many cases, instcombine checks 31 // for the same kinds of things and turns instructions with undefined behavior 32 // into unreachable (or equivalent). Because of this, this pass makes some 33 // effort to look through bitcasts and so on. 34 // 35 //===----------------------------------------------------------------------===// 36 37 #include "llvm/Analysis/Lint.h" 38 #include "llvm/ADT/APInt.h" 39 #include "llvm/ADT/ArrayRef.h" 40 #include "llvm/ADT/SmallPtrSet.h" 41 #include "llvm/ADT/Twine.h" 42 #include "llvm/Analysis/AliasAnalysis.h" 43 #include "llvm/Analysis/AssumptionCache.h" 44 #include "llvm/Analysis/ConstantFolding.h" 45 #include "llvm/Analysis/InstructionSimplify.h" 46 #include "llvm/Analysis/Loads.h" 47 #include "llvm/Analysis/MemoryLocation.h" 48 #include "llvm/Analysis/Passes.h" 49 #include "llvm/Analysis/TargetLibraryInfo.h" 50 #include "llvm/Analysis/ValueTracking.h" 51 #include "llvm/IR/Argument.h" 52 #include "llvm/IR/BasicBlock.h" 53 #include "llvm/IR/CallSite.h" 54 #include "llvm/IR/Constant.h" 55 #include "llvm/IR/Constants.h" 56 #include "llvm/IR/DataLayout.h" 57 #include "llvm/IR/DerivedTypes.h" 58 #include "llvm/IR/Dominators.h" 59 #include "llvm/IR/Function.h" 60 #include "llvm/IR/GlobalVariable.h" 61 #include "llvm/IR/Module.h" 62 #include "llvm/IR/InstVisitor.h" 63 #include "llvm/IR/InstrTypes.h" 64 #include "llvm/IR/Instruction.h" 65 #include "llvm/IR/Instructions.h" 66 #include "llvm/IR/IntrinsicInst.h" 67 #include "llvm/IR/LegacyPassManager.h" 68 #include "llvm/IR/Type.h" 69 #include "llvm/IR/Value.h" 70 #include "llvm/Pass.h" 71 #include "llvm/Support/Casting.h" 72 #include "llvm/Support/Debug.h" 73 #include "llvm/Support/MathExtras.h" 74 #include "llvm/Support/raw_ostream.h" 75 #include <cassert> 76 #include <cstdint> 77 #include <iterator> 78 #include <string> 79 80 using namespace llvm; 81 82 namespace { 83 namespace MemRef { 84 static const unsigned Read = 1; 85 static const unsigned Write = 2; 86 static const unsigned Callee = 4; 87 static const unsigned Branchee = 8; 88 } // end namespace MemRef 89 90 class Lint : public FunctionPass, public InstVisitor<Lint> { 91 friend class InstVisitor<Lint>; 92 93 void visitFunction(Function &F); 94 95 void visitCallSite(CallSite CS); 96 void visitMemoryReference(Instruction &I, Value *Ptr, 97 uint64_t Size, unsigned Align, 98 Type *Ty, unsigned Flags); 99 void visitEHBeginCatch(IntrinsicInst *II); 100 void visitEHEndCatch(IntrinsicInst *II); 101 102 void visitCallInst(CallInst &I); 103 void visitInvokeInst(InvokeInst &I); 104 void visitReturnInst(ReturnInst &I); 105 void visitLoadInst(LoadInst &I); 106 void visitStoreInst(StoreInst &I); 107 void visitXor(BinaryOperator &I); 108 void visitSub(BinaryOperator &I); 109 void visitLShr(BinaryOperator &I); 110 void visitAShr(BinaryOperator &I); 111 void visitShl(BinaryOperator &I); 112 void visitSDiv(BinaryOperator &I); 113 void visitUDiv(BinaryOperator &I); 114 void visitSRem(BinaryOperator &I); 115 void visitURem(BinaryOperator &I); 116 void visitAllocaInst(AllocaInst &I); 117 void visitVAArgInst(VAArgInst &I); 118 void visitIndirectBrInst(IndirectBrInst &I); 119 void visitExtractElementInst(ExtractElementInst &I); 120 void visitInsertElementInst(InsertElementInst &I); 121 void visitUnreachableInst(UnreachableInst &I); 122 123 Value *findValue(Value *V, bool OffsetOk) const; 124 Value *findValueImpl(Value *V, bool OffsetOk, 125 SmallPtrSetImpl<Value *> &Visited) const; 126 127 public: 128 Module *Mod; 129 const DataLayout *DL; 130 AliasAnalysis *AA; 131 AssumptionCache *AC; 132 DominatorTree *DT; 133 TargetLibraryInfo *TLI; 134 135 std::string Messages; 136 raw_string_ostream MessagesStr; 137 138 static char ID; // Pass identification, replacement for typeid 139 Lint() : FunctionPass(ID), MessagesStr(Messages) { 140 initializeLintPass(*PassRegistry::getPassRegistry()); 141 } 142 143 bool runOnFunction(Function &F) override; 144 145 void getAnalysisUsage(AnalysisUsage &AU) const override { 146 AU.setPreservesAll(); 147 AU.addRequired<AAResultsWrapperPass>(); 148 AU.addRequired<AssumptionCacheTracker>(); 149 AU.addRequired<TargetLibraryInfoWrapperPass>(); 150 AU.addRequired<DominatorTreeWrapperPass>(); 151 } 152 void print(raw_ostream &O, const Module *M) const override {} 153 154 void WriteValues(ArrayRef<const Value *> Vs) { 155 for (const Value *V : Vs) { 156 if (!V) 157 continue; 158 if (isa<Instruction>(V)) { 159 MessagesStr << *V << '\n'; 160 } else { 161 V->printAsOperand(MessagesStr, true, Mod); 162 MessagesStr << '\n'; 163 } 164 } 165 } 166 167 /// \brief A check failed, so printout out the condition and the message. 168 /// 169 /// This provides a nice place to put a breakpoint if you want to see why 170 /// something is not correct. 171 void CheckFailed(const Twine &Message) { MessagesStr << Message << '\n'; } 172 173 /// \brief A check failed (with values to print). 174 /// 175 /// This calls the Message-only version so that the above is easier to set 176 /// a breakpoint on. 177 template <typename T1, typename... Ts> 178 void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) { 179 CheckFailed(Message); 180 WriteValues({V1, Vs...}); 181 } 182 }; 183 } // end anonymous namespace 184 185 char Lint::ID = 0; 186 INITIALIZE_PASS_BEGIN(Lint, "lint", "Statically lint-checks LLVM IR", 187 false, true) 188 INITIALIZE_PASS_DEPENDENCY(AssumptionCacheTracker) 189 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass) 190 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) 191 INITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass) 192 INITIALIZE_PASS_END(Lint, "lint", "Statically lint-checks LLVM IR", 193 false, true) 194 195 // Assert - We know that cond should be true, if not print an error message. 196 #define Assert(C, ...) \ 197 do { if (!(C)) { CheckFailed(__VA_ARGS__); return; } } while (false) 198 199 // Lint::run - This is the main Analysis entry point for a 200 // function. 201 // 202 bool Lint::runOnFunction(Function &F) { 203 Mod = F.getParent(); 204 DL = &F.getParent()->getDataLayout(); 205 AA = &getAnalysis<AAResultsWrapperPass>().getAAResults(); 206 AC = &getAnalysis<AssumptionCacheTracker>().getAssumptionCache(F); 207 DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 208 TLI = &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(); 209 visit(F); 210 dbgs() << MessagesStr.str(); 211 Messages.clear(); 212 return false; 213 } 214 215 void Lint::visitFunction(Function &F) { 216 // This isn't undefined behavior, it's just a little unusual, and it's a 217 // fairly common mistake to neglect to name a function. 218 Assert(F.hasName() || F.hasLocalLinkage(), 219 "Unusual: Unnamed function with non-local linkage", &F); 220 221 // TODO: Check for irreducible control flow. 222 } 223 224 void Lint::visitCallSite(CallSite CS) { 225 Instruction &I = *CS.getInstruction(); 226 Value *Callee = CS.getCalledValue(); 227 228 visitMemoryReference(I, Callee, MemoryLocation::UnknownSize, 0, nullptr, 229 MemRef::Callee); 230 231 if (Function *F = dyn_cast<Function>(findValue(Callee, 232 /*OffsetOk=*/false))) { 233 Assert(CS.getCallingConv() == F->getCallingConv(), 234 "Undefined behavior: Caller and callee calling convention differ", 235 &I); 236 237 FunctionType *FT = F->getFunctionType(); 238 unsigned NumActualArgs = CS.arg_size(); 239 240 Assert(FT->isVarArg() ? FT->getNumParams() <= NumActualArgs 241 : FT->getNumParams() == NumActualArgs, 242 "Undefined behavior: Call argument count mismatches callee " 243 "argument count", 244 &I); 245 246 Assert(FT->getReturnType() == I.getType(), 247 "Undefined behavior: Call return type mismatches " 248 "callee return type", 249 &I); 250 251 // Check argument types (in case the callee was casted) and attributes. 252 // TODO: Verify that caller and callee attributes are compatible. 253 Function::arg_iterator PI = F->arg_begin(), PE = F->arg_end(); 254 CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end(); 255 for (; AI != AE; ++AI) { 256 Value *Actual = *AI; 257 if (PI != PE) { 258 Argument *Formal = &*PI++; 259 Assert(Formal->getType() == Actual->getType(), 260 "Undefined behavior: Call argument type mismatches " 261 "callee parameter type", 262 &I); 263 264 // Check that noalias arguments don't alias other arguments. This is 265 // not fully precise because we don't know the sizes of the dereferenced 266 // memory regions. 267 if (Formal->hasNoAliasAttr() && Actual->getType()->isPointerTy()) 268 for (CallSite::arg_iterator BI = CS.arg_begin(); BI != AE; ++BI) 269 if (AI != BI && (*BI)->getType()->isPointerTy()) { 270 AliasResult Result = AA->alias(*AI, *BI); 271 Assert(Result != MustAlias && Result != PartialAlias, 272 "Unusual: noalias argument aliases another argument", &I); 273 } 274 275 // Check that an sret argument points to valid memory. 276 if (Formal->hasStructRetAttr() && Actual->getType()->isPointerTy()) { 277 Type *Ty = 278 cast<PointerType>(Formal->getType())->getElementType(); 279 visitMemoryReference(I, Actual, DL->getTypeStoreSize(Ty), 280 DL->getABITypeAlignment(Ty), Ty, 281 MemRef::Read | MemRef::Write); 282 } 283 } 284 } 285 } 286 287 if (CS.isCall() && cast<CallInst>(CS.getInstruction())->isTailCall()) 288 for (CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end(); 289 AI != AE; ++AI) { 290 Value *Obj = findValue(*AI, /*OffsetOk=*/true); 291 Assert(!isa<AllocaInst>(Obj), 292 "Undefined behavior: Call with \"tail\" keyword references " 293 "alloca", 294 &I); 295 } 296 297 298 if (IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I)) 299 switch (II->getIntrinsicID()) { 300 default: break; 301 302 // TODO: Check more intrinsics 303 304 case Intrinsic::memcpy: { 305 MemCpyInst *MCI = cast<MemCpyInst>(&I); 306 // TODO: If the size is known, use it. 307 visitMemoryReference(I, MCI->getDest(), MemoryLocation::UnknownSize, 308 MCI->getAlignment(), nullptr, MemRef::Write); 309 visitMemoryReference(I, MCI->getSource(), MemoryLocation::UnknownSize, 310 MCI->getAlignment(), nullptr, MemRef::Read); 311 312 // Check that the memcpy arguments don't overlap. The AliasAnalysis API 313 // isn't expressive enough for what we really want to do. Known partial 314 // overlap is not distinguished from the case where nothing is known. 315 uint64_t Size = 0; 316 if (const ConstantInt *Len = 317 dyn_cast<ConstantInt>(findValue(MCI->getLength(), 318 /*OffsetOk=*/false))) 319 if (Len->getValue().isIntN(32)) 320 Size = Len->getValue().getZExtValue(); 321 Assert(AA->alias(MCI->getSource(), Size, MCI->getDest(), Size) != 322 MustAlias, 323 "Undefined behavior: memcpy source and destination overlap", &I); 324 break; 325 } 326 case Intrinsic::memmove: { 327 MemMoveInst *MMI = cast<MemMoveInst>(&I); 328 // TODO: If the size is known, use it. 329 visitMemoryReference(I, MMI->getDest(), MemoryLocation::UnknownSize, 330 MMI->getAlignment(), nullptr, MemRef::Write); 331 visitMemoryReference(I, MMI->getSource(), MemoryLocation::UnknownSize, 332 MMI->getAlignment(), nullptr, MemRef::Read); 333 break; 334 } 335 case Intrinsic::memset: { 336 MemSetInst *MSI = cast<MemSetInst>(&I); 337 // TODO: If the size is known, use it. 338 visitMemoryReference(I, MSI->getDest(), MemoryLocation::UnknownSize, 339 MSI->getAlignment(), nullptr, MemRef::Write); 340 break; 341 } 342 343 case Intrinsic::vastart: 344 Assert(I.getParent()->getParent()->isVarArg(), 345 "Undefined behavior: va_start called in a non-varargs function", 346 &I); 347 348 visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0, 349 nullptr, MemRef::Read | MemRef::Write); 350 break; 351 case Intrinsic::vacopy: 352 visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0, 353 nullptr, MemRef::Write); 354 visitMemoryReference(I, CS.getArgument(1), MemoryLocation::UnknownSize, 0, 355 nullptr, MemRef::Read); 356 break; 357 case Intrinsic::vaend: 358 visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0, 359 nullptr, MemRef::Read | MemRef::Write); 360 break; 361 362 case Intrinsic::stackrestore: 363 // Stackrestore doesn't read or write memory, but it sets the 364 // stack pointer, which the compiler may read from or write to 365 // at any time, so check it for both readability and writeability. 366 visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0, 367 nullptr, MemRef::Read | MemRef::Write); 368 break; 369 } 370 } 371 372 void Lint::visitCallInst(CallInst &I) { 373 return visitCallSite(&I); 374 } 375 376 void Lint::visitInvokeInst(InvokeInst &I) { 377 return visitCallSite(&I); 378 } 379 380 void Lint::visitReturnInst(ReturnInst &I) { 381 Function *F = I.getParent()->getParent(); 382 Assert(!F->doesNotReturn(), 383 "Unusual: Return statement in function with noreturn attribute", &I); 384 385 if (Value *V = I.getReturnValue()) { 386 Value *Obj = findValue(V, /*OffsetOk=*/true); 387 Assert(!isa<AllocaInst>(Obj), "Unusual: Returning alloca value", &I); 388 } 389 } 390 391 // TODO: Check that the reference is in bounds. 392 // TODO: Check readnone/readonly function attributes. 393 void Lint::visitMemoryReference(Instruction &I, 394 Value *Ptr, uint64_t Size, unsigned Align, 395 Type *Ty, unsigned Flags) { 396 // If no memory is being referenced, it doesn't matter if the pointer 397 // is valid. 398 if (Size == 0) 399 return; 400 401 Value *UnderlyingObject = findValue(Ptr, /*OffsetOk=*/true); 402 Assert(!isa<ConstantPointerNull>(UnderlyingObject), 403 "Undefined behavior: Null pointer dereference", &I); 404 Assert(!isa<UndefValue>(UnderlyingObject), 405 "Undefined behavior: Undef pointer dereference", &I); 406 Assert(!isa<ConstantInt>(UnderlyingObject) || 407 !cast<ConstantInt>(UnderlyingObject)->isAllOnesValue(), 408 "Unusual: All-ones pointer dereference", &I); 409 Assert(!isa<ConstantInt>(UnderlyingObject) || 410 !cast<ConstantInt>(UnderlyingObject)->isOne(), 411 "Unusual: Address one pointer dereference", &I); 412 413 if (Flags & MemRef::Write) { 414 if (const GlobalVariable *GV = dyn_cast<GlobalVariable>(UnderlyingObject)) 415 Assert(!GV->isConstant(), "Undefined behavior: Write to read-only memory", 416 &I); 417 Assert(!isa<Function>(UnderlyingObject) && 418 !isa<BlockAddress>(UnderlyingObject), 419 "Undefined behavior: Write to text section", &I); 420 } 421 if (Flags & MemRef::Read) { 422 Assert(!isa<Function>(UnderlyingObject), "Unusual: Load from function body", 423 &I); 424 Assert(!isa<BlockAddress>(UnderlyingObject), 425 "Undefined behavior: Load from block address", &I); 426 } 427 if (Flags & MemRef::Callee) { 428 Assert(!isa<BlockAddress>(UnderlyingObject), 429 "Undefined behavior: Call to block address", &I); 430 } 431 if (Flags & MemRef::Branchee) { 432 Assert(!isa<Constant>(UnderlyingObject) || 433 isa<BlockAddress>(UnderlyingObject), 434 "Undefined behavior: Branch to non-blockaddress", &I); 435 } 436 437 // Check for buffer overflows and misalignment. 438 // Only handles memory references that read/write something simple like an 439 // alloca instruction or a global variable. 440 int64_t Offset = 0; 441 if (Value *Base = GetPointerBaseWithConstantOffset(Ptr, Offset, *DL)) { 442 // OK, so the access is to a constant offset from Ptr. Check that Ptr is 443 // something we can handle and if so extract the size of this base object 444 // along with its alignment. 445 uint64_t BaseSize = MemoryLocation::UnknownSize; 446 unsigned BaseAlign = 0; 447 448 if (AllocaInst *AI = dyn_cast<AllocaInst>(Base)) { 449 Type *ATy = AI->getAllocatedType(); 450 if (!AI->isArrayAllocation() && ATy->isSized()) 451 BaseSize = DL->getTypeAllocSize(ATy); 452 BaseAlign = AI->getAlignment(); 453 if (BaseAlign == 0 && ATy->isSized()) 454 BaseAlign = DL->getABITypeAlignment(ATy); 455 } else if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Base)) { 456 // If the global may be defined differently in another compilation unit 457 // then don't warn about funky memory accesses. 458 if (GV->hasDefinitiveInitializer()) { 459 Type *GTy = GV->getValueType(); 460 if (GTy->isSized()) 461 BaseSize = DL->getTypeAllocSize(GTy); 462 BaseAlign = GV->getAlignment(); 463 if (BaseAlign == 0 && GTy->isSized()) 464 BaseAlign = DL->getABITypeAlignment(GTy); 465 } 466 } 467 468 // Accesses from before the start or after the end of the object are not 469 // defined. 470 Assert(Size == MemoryLocation::UnknownSize || 471 BaseSize == MemoryLocation::UnknownSize || 472 (Offset >= 0 && Offset + Size <= BaseSize), 473 "Undefined behavior: Buffer overflow", &I); 474 475 // Accesses that say that the memory is more aligned than it is are not 476 // defined. 477 if (Align == 0 && Ty && Ty->isSized()) 478 Align = DL->getABITypeAlignment(Ty); 479 Assert(!BaseAlign || Align <= MinAlign(BaseAlign, Offset), 480 "Undefined behavior: Memory reference address is misaligned", &I); 481 } 482 } 483 484 void Lint::visitLoadInst(LoadInst &I) { 485 visitMemoryReference(I, I.getPointerOperand(), 486 DL->getTypeStoreSize(I.getType()), I.getAlignment(), 487 I.getType(), MemRef::Read); 488 } 489 490 void Lint::visitStoreInst(StoreInst &I) { 491 visitMemoryReference(I, I.getPointerOperand(), 492 DL->getTypeStoreSize(I.getOperand(0)->getType()), 493 I.getAlignment(), 494 I.getOperand(0)->getType(), MemRef::Write); 495 } 496 497 void Lint::visitXor(BinaryOperator &I) { 498 Assert(!isa<UndefValue>(I.getOperand(0)) || !isa<UndefValue>(I.getOperand(1)), 499 "Undefined result: xor(undef, undef)", &I); 500 } 501 502 void Lint::visitSub(BinaryOperator &I) { 503 Assert(!isa<UndefValue>(I.getOperand(0)) || !isa<UndefValue>(I.getOperand(1)), 504 "Undefined result: sub(undef, undef)", &I); 505 } 506 507 void Lint::visitLShr(BinaryOperator &I) { 508 if (ConstantInt *CI = dyn_cast<ConstantInt>(findValue(I.getOperand(1), 509 /*OffsetOk=*/false))) 510 Assert(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 511 "Undefined result: Shift count out of range", &I); 512 } 513 514 void Lint::visitAShr(BinaryOperator &I) { 515 if (ConstantInt *CI = 516 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 517 Assert(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 518 "Undefined result: Shift count out of range", &I); 519 } 520 521 void Lint::visitShl(BinaryOperator &I) { 522 if (ConstantInt *CI = 523 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 524 Assert(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 525 "Undefined result: Shift count out of range", &I); 526 } 527 528 static bool isZero(Value *V, const DataLayout &DL, DominatorTree *DT, 529 AssumptionCache *AC) { 530 // Assume undef could be zero. 531 if (isa<UndefValue>(V)) 532 return true; 533 534 VectorType *VecTy = dyn_cast<VectorType>(V->getType()); 535 if (!VecTy) { 536 unsigned BitWidth = V->getType()->getIntegerBitWidth(); 537 APInt KnownZero(BitWidth, 0), KnownOne(BitWidth, 0); 538 computeKnownBits(V, KnownZero, KnownOne, DL, 0, AC, 539 dyn_cast<Instruction>(V), DT); 540 return KnownZero.isAllOnesValue(); 541 } 542 543 // Per-component check doesn't work with zeroinitializer 544 Constant *C = dyn_cast<Constant>(V); 545 if (!C) 546 return false; 547 548 if (C->isZeroValue()) 549 return true; 550 551 // For a vector, KnownZero will only be true if all values are zero, so check 552 // this per component 553 unsigned BitWidth = VecTy->getElementType()->getIntegerBitWidth(); 554 for (unsigned I = 0, N = VecTy->getNumElements(); I != N; ++I) { 555 Constant *Elem = C->getAggregateElement(I); 556 if (isa<UndefValue>(Elem)) 557 return true; 558 559 APInt KnownZero(BitWidth, 0), KnownOne(BitWidth, 0); 560 computeKnownBits(Elem, KnownZero, KnownOne, DL); 561 if (KnownZero.isAllOnesValue()) 562 return true; 563 } 564 565 return false; 566 } 567 568 void Lint::visitSDiv(BinaryOperator &I) { 569 Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC), 570 "Undefined behavior: Division by zero", &I); 571 } 572 573 void Lint::visitUDiv(BinaryOperator &I) { 574 Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC), 575 "Undefined behavior: Division by zero", &I); 576 } 577 578 void Lint::visitSRem(BinaryOperator &I) { 579 Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC), 580 "Undefined behavior: Division by zero", &I); 581 } 582 583 void Lint::visitURem(BinaryOperator &I) { 584 Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC), 585 "Undefined behavior: Division by zero", &I); 586 } 587 588 void Lint::visitAllocaInst(AllocaInst &I) { 589 if (isa<ConstantInt>(I.getArraySize())) 590 // This isn't undefined behavior, it's just an obvious pessimization. 591 Assert(&I.getParent()->getParent()->getEntryBlock() == I.getParent(), 592 "Pessimization: Static alloca outside of entry block", &I); 593 594 // TODO: Check for an unusual size (MSB set?) 595 } 596 597 void Lint::visitVAArgInst(VAArgInst &I) { 598 visitMemoryReference(I, I.getOperand(0), MemoryLocation::UnknownSize, 0, 599 nullptr, MemRef::Read | MemRef::Write); 600 } 601 602 void Lint::visitIndirectBrInst(IndirectBrInst &I) { 603 visitMemoryReference(I, I.getAddress(), MemoryLocation::UnknownSize, 0, 604 nullptr, MemRef::Branchee); 605 606 Assert(I.getNumDestinations() != 0, 607 "Undefined behavior: indirectbr with no destinations", &I); 608 } 609 610 void Lint::visitExtractElementInst(ExtractElementInst &I) { 611 if (ConstantInt *CI = dyn_cast<ConstantInt>(findValue(I.getIndexOperand(), 612 /*OffsetOk=*/false))) 613 Assert(CI->getValue().ult(I.getVectorOperandType()->getNumElements()), 614 "Undefined result: extractelement index out of range", &I); 615 } 616 617 void Lint::visitInsertElementInst(InsertElementInst &I) { 618 if (ConstantInt *CI = dyn_cast<ConstantInt>(findValue(I.getOperand(2), 619 /*OffsetOk=*/false))) 620 Assert(CI->getValue().ult(I.getType()->getNumElements()), 621 "Undefined result: insertelement index out of range", &I); 622 } 623 624 void Lint::visitUnreachableInst(UnreachableInst &I) { 625 // This isn't undefined behavior, it's merely suspicious. 626 Assert(&I == &I.getParent()->front() || 627 std::prev(I.getIterator())->mayHaveSideEffects(), 628 "Unusual: unreachable immediately preceded by instruction without " 629 "side effects", 630 &I); 631 } 632 633 /// findValue - Look through bitcasts and simple memory reference patterns 634 /// to identify an equivalent, but more informative, value. If OffsetOk 635 /// is true, look through getelementptrs with non-zero offsets too. 636 /// 637 /// Most analysis passes don't require this logic, because instcombine 638 /// will simplify most of these kinds of things away. But it's a goal of 639 /// this Lint pass to be useful even on non-optimized IR. 640 Value *Lint::findValue(Value *V, bool OffsetOk) const { 641 SmallPtrSet<Value *, 4> Visited; 642 return findValueImpl(V, OffsetOk, Visited); 643 } 644 645 /// findValueImpl - Implementation helper for findValue. 646 Value *Lint::findValueImpl(Value *V, bool OffsetOk, 647 SmallPtrSetImpl<Value *> &Visited) const { 648 // Detect self-referential values. 649 if (!Visited.insert(V).second) 650 return UndefValue::get(V->getType()); 651 652 // TODO: Look through sext or zext cast, when the result is known to 653 // be interpreted as signed or unsigned, respectively. 654 // TODO: Look through eliminable cast pairs. 655 // TODO: Look through calls with unique return values. 656 // TODO: Look through vector insert/extract/shuffle. 657 V = OffsetOk ? GetUnderlyingObject(V, *DL) : V->stripPointerCasts(); 658 if (LoadInst *L = dyn_cast<LoadInst>(V)) { 659 BasicBlock::iterator BBI = L->getIterator(); 660 BasicBlock *BB = L->getParent(); 661 SmallPtrSet<BasicBlock *, 4> VisitedBlocks; 662 for (;;) { 663 if (!VisitedBlocks.insert(BB).second) 664 break; 665 if (Value *U = 666 FindAvailableLoadedValue(L, BB, BBI, DefMaxInstsToScan, AA)) 667 return findValueImpl(U, OffsetOk, Visited); 668 if (BBI != BB->begin()) break; 669 BB = BB->getUniquePredecessor(); 670 if (!BB) break; 671 BBI = BB->end(); 672 } 673 } else if (PHINode *PN = dyn_cast<PHINode>(V)) { 674 if (Value *W = PN->hasConstantValue()) 675 if (W != V) 676 return findValueImpl(W, OffsetOk, Visited); 677 } else if (CastInst *CI = dyn_cast<CastInst>(V)) { 678 if (CI->isNoopCast(*DL)) 679 return findValueImpl(CI->getOperand(0), OffsetOk, Visited); 680 } else if (ExtractValueInst *Ex = dyn_cast<ExtractValueInst>(V)) { 681 if (Value *W = FindInsertedValue(Ex->getAggregateOperand(), 682 Ex->getIndices())) 683 if (W != V) 684 return findValueImpl(W, OffsetOk, Visited); 685 } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) { 686 // Same as above, but for ConstantExpr instead of Instruction. 687 if (Instruction::isCast(CE->getOpcode())) { 688 if (CastInst::isNoopCast(Instruction::CastOps(CE->getOpcode()), 689 CE->getOperand(0)->getType(), CE->getType(), 690 DL->getIntPtrType(V->getType()))) 691 return findValueImpl(CE->getOperand(0), OffsetOk, Visited); 692 } else if (CE->getOpcode() == Instruction::ExtractValue) { 693 ArrayRef<unsigned> Indices = CE->getIndices(); 694 if (Value *W = FindInsertedValue(CE->getOperand(0), Indices)) 695 if (W != V) 696 return findValueImpl(W, OffsetOk, Visited); 697 } 698 } 699 700 // As a last resort, try SimplifyInstruction or constant folding. 701 if (Instruction *Inst = dyn_cast<Instruction>(V)) { 702 if (Value *W = SimplifyInstruction(Inst, *DL, TLI, DT, AC)) 703 return findValueImpl(W, OffsetOk, Visited); 704 } else if (auto *C = dyn_cast<Constant>(V)) { 705 if (Value *W = ConstantFoldConstant(C, *DL, TLI)) 706 if (W && W != V) 707 return findValueImpl(W, OffsetOk, Visited); 708 } 709 710 return V; 711 } 712 713 //===----------------------------------------------------------------------===// 714 // Implement the public interfaces to this file... 715 //===----------------------------------------------------------------------===// 716 717 FunctionPass *llvm::createLintPass() { 718 return new Lint(); 719 } 720 721 /// lintFunction - Check a function for errors, printing messages on stderr. 722 /// 723 void llvm::lintFunction(const Function &f) { 724 Function &F = const_cast<Function&>(f); 725 assert(!F.isDeclaration() && "Cannot lint external functions"); 726 727 legacy::FunctionPassManager FPM(F.getParent()); 728 Lint *V = new Lint(); 729 FPM.add(V); 730 FPM.run(F); 731 } 732 733 /// lintModule - Check a module for errors, printing messages on stderr. 734 /// 735 void llvm::lintModule(const Module &M) { 736 legacy::PassManager PM; 737 Lint *V = new Lint(); 738 PM.add(V); 739 PM.run(const_cast<Module&>(M)); 740 } 741