1 //===-- Lint.cpp - Check for common errors in LLVM IR ---------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This pass statically checks for common and easily-identified constructs 11 // which produce undefined or likely unintended behavior in LLVM IR. 12 // 13 // It is not a guarantee of correctness, in two ways. First, it isn't 14 // comprehensive. There are checks which could be done statically which are 15 // not yet implemented. Some of these are indicated by TODO comments, but 16 // those aren't comprehensive either. Second, many conditions cannot be 17 // checked statically. This pass does no dynamic instrumentation, so it 18 // can't check for all possible problems. 19 // 20 // Another limitation is that it assumes all code will be executed. A store 21 // through a null pointer in a basic block which is never reached is harmless, 22 // but this pass will warn about it anyway. This is the main reason why most 23 // of these checks live here instead of in the Verifier pass. 24 // 25 // Optimization passes may make conditions that this pass checks for more or 26 // less obvious. If an optimization pass appears to be introducing a warning, 27 // it may be that the optimization pass is merely exposing an existing 28 // condition in the code. 29 // 30 // This code may be run before instcombine. In many cases, instcombine checks 31 // for the same kinds of things and turns instructions with undefined behavior 32 // into unreachable (or equivalent). Because of this, this pass makes some 33 // effort to look through bitcasts and so on. 34 // 35 //===----------------------------------------------------------------------===// 36 37 #include "llvm/Analysis/Lint.h" 38 #include "llvm/ADT/STLExtras.h" 39 #include "llvm/Analysis/AliasAnalysis.h" 40 #include "llvm/Analysis/AssumptionTracker.h" 41 #include "llvm/Analysis/ConstantFolding.h" 42 #include "llvm/Analysis/InstructionSimplify.h" 43 #include "llvm/Analysis/Loads.h" 44 #include "llvm/Analysis/Passes.h" 45 #include "llvm/Analysis/ValueTracking.h" 46 #include "llvm/IR/CallSite.h" 47 #include "llvm/IR/DataLayout.h" 48 #include "llvm/IR/Dominators.h" 49 #include "llvm/IR/Function.h" 50 #include "llvm/IR/InstVisitor.h" 51 #include "llvm/IR/IntrinsicInst.h" 52 #include "llvm/Pass.h" 53 #include "llvm/PassManager.h" 54 #include "llvm/Support/Debug.h" 55 #include "llvm/Support/raw_ostream.h" 56 #include "llvm/Target/TargetLibraryInfo.h" 57 using namespace llvm; 58 59 namespace { 60 namespace MemRef { 61 static unsigned Read = 1; 62 static unsigned Write = 2; 63 static unsigned Callee = 4; 64 static unsigned Branchee = 8; 65 } 66 67 class Lint : public FunctionPass, public InstVisitor<Lint> { 68 friend class InstVisitor<Lint>; 69 70 void visitFunction(Function &F); 71 72 void visitCallSite(CallSite CS); 73 void visitMemoryReference(Instruction &I, Value *Ptr, 74 uint64_t Size, unsigned Align, 75 Type *Ty, unsigned Flags); 76 77 void visitCallInst(CallInst &I); 78 void visitInvokeInst(InvokeInst &I); 79 void visitReturnInst(ReturnInst &I); 80 void visitLoadInst(LoadInst &I); 81 void visitStoreInst(StoreInst &I); 82 void visitXor(BinaryOperator &I); 83 void visitSub(BinaryOperator &I); 84 void visitLShr(BinaryOperator &I); 85 void visitAShr(BinaryOperator &I); 86 void visitShl(BinaryOperator &I); 87 void visitSDiv(BinaryOperator &I); 88 void visitUDiv(BinaryOperator &I); 89 void visitSRem(BinaryOperator &I); 90 void visitURem(BinaryOperator &I); 91 void visitAllocaInst(AllocaInst &I); 92 void visitVAArgInst(VAArgInst &I); 93 void visitIndirectBrInst(IndirectBrInst &I); 94 void visitExtractElementInst(ExtractElementInst &I); 95 void visitInsertElementInst(InsertElementInst &I); 96 void visitUnreachableInst(UnreachableInst &I); 97 98 Value *findValue(Value *V, bool OffsetOk) const; 99 Value *findValueImpl(Value *V, bool OffsetOk, 100 SmallPtrSetImpl<Value *> &Visited) const; 101 102 public: 103 Module *Mod; 104 AliasAnalysis *AA; 105 AssumptionTracker *AT; 106 DominatorTree *DT; 107 const DataLayout *DL; 108 TargetLibraryInfo *TLI; 109 110 std::string Messages; 111 raw_string_ostream MessagesStr; 112 113 static char ID; // Pass identification, replacement for typeid 114 Lint() : FunctionPass(ID), MessagesStr(Messages) { 115 initializeLintPass(*PassRegistry::getPassRegistry()); 116 } 117 118 bool runOnFunction(Function &F) override; 119 120 void getAnalysisUsage(AnalysisUsage &AU) const override { 121 AU.setPreservesAll(); 122 AU.addRequired<AliasAnalysis>(); 123 AU.addRequired<AssumptionTracker>(); 124 AU.addRequired<TargetLibraryInfo>(); 125 AU.addRequired<DominatorTreeWrapperPass>(); 126 } 127 void print(raw_ostream &O, const Module *M) const override {} 128 129 void WriteValue(const Value *V) { 130 if (!V) return; 131 if (isa<Instruction>(V)) { 132 MessagesStr << *V << '\n'; 133 } else { 134 V->printAsOperand(MessagesStr, true, Mod); 135 MessagesStr << '\n'; 136 } 137 } 138 139 // CheckFailed - A check failed, so print out the condition and the message 140 // that failed. This provides a nice place to put a breakpoint if you want 141 // to see why something is not correct. 142 void CheckFailed(const Twine &Message, 143 const Value *V1 = nullptr, const Value *V2 = nullptr, 144 const Value *V3 = nullptr, const Value *V4 = nullptr) { 145 MessagesStr << Message.str() << "\n"; 146 WriteValue(V1); 147 WriteValue(V2); 148 WriteValue(V3); 149 WriteValue(V4); 150 } 151 }; 152 } 153 154 char Lint::ID = 0; 155 INITIALIZE_PASS_BEGIN(Lint, "lint", "Statically lint-checks LLVM IR", 156 false, true) 157 INITIALIZE_PASS_DEPENDENCY(AssumptionTracker) 158 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfo) 159 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) 160 INITIALIZE_AG_DEPENDENCY(AliasAnalysis) 161 INITIALIZE_PASS_END(Lint, "lint", "Statically lint-checks LLVM IR", 162 false, true) 163 164 // Assert - We know that cond should be true, if not print an error message. 165 #define Assert(C, M) \ 166 do { if (!(C)) { CheckFailed(M); return; } } while (0) 167 #define Assert1(C, M, V1) \ 168 do { if (!(C)) { CheckFailed(M, V1); return; } } while (0) 169 #define Assert2(C, M, V1, V2) \ 170 do { if (!(C)) { CheckFailed(M, V1, V2); return; } } while (0) 171 #define Assert3(C, M, V1, V2, V3) \ 172 do { if (!(C)) { CheckFailed(M, V1, V2, V3); return; } } while (0) 173 #define Assert4(C, M, V1, V2, V3, V4) \ 174 do { if (!(C)) { CheckFailed(M, V1, V2, V3, V4); return; } } while (0) 175 176 // Lint::run - This is the main Analysis entry point for a 177 // function. 178 // 179 bool Lint::runOnFunction(Function &F) { 180 Mod = F.getParent(); 181 AA = &getAnalysis<AliasAnalysis>(); 182 AT = &getAnalysis<AssumptionTracker>(); 183 DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 184 DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>(); 185 DL = DLP ? &DLP->getDataLayout() : nullptr; 186 TLI = &getAnalysis<TargetLibraryInfo>(); 187 visit(F); 188 dbgs() << MessagesStr.str(); 189 Messages.clear(); 190 return false; 191 } 192 193 void Lint::visitFunction(Function &F) { 194 // This isn't undefined behavior, it's just a little unusual, and it's a 195 // fairly common mistake to neglect to name a function. 196 Assert1(F.hasName() || F.hasLocalLinkage(), 197 "Unusual: Unnamed function with non-local linkage", &F); 198 199 // TODO: Check for irreducible control flow. 200 } 201 202 void Lint::visitCallSite(CallSite CS) { 203 Instruction &I = *CS.getInstruction(); 204 Value *Callee = CS.getCalledValue(); 205 206 visitMemoryReference(I, Callee, AliasAnalysis::UnknownSize, 207 0, nullptr, MemRef::Callee); 208 209 if (Function *F = dyn_cast<Function>(findValue(Callee, /*OffsetOk=*/false))) { 210 Assert1(CS.getCallingConv() == F->getCallingConv(), 211 "Undefined behavior: Caller and callee calling convention differ", 212 &I); 213 214 FunctionType *FT = F->getFunctionType(); 215 unsigned NumActualArgs = CS.arg_size(); 216 217 Assert1(FT->isVarArg() ? 218 FT->getNumParams() <= NumActualArgs : 219 FT->getNumParams() == NumActualArgs, 220 "Undefined behavior: Call argument count mismatches callee " 221 "argument count", &I); 222 223 Assert1(FT->getReturnType() == I.getType(), 224 "Undefined behavior: Call return type mismatches " 225 "callee return type", &I); 226 227 // Check argument types (in case the callee was casted) and attributes. 228 // TODO: Verify that caller and callee attributes are compatible. 229 Function::arg_iterator PI = F->arg_begin(), PE = F->arg_end(); 230 CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end(); 231 for (; AI != AE; ++AI) { 232 Value *Actual = *AI; 233 if (PI != PE) { 234 Argument *Formal = PI++; 235 Assert1(Formal->getType() == Actual->getType(), 236 "Undefined behavior: Call argument type mismatches " 237 "callee parameter type", &I); 238 239 // Check that noalias arguments don't alias other arguments. This is 240 // not fully precise because we don't know the sizes of the dereferenced 241 // memory regions. 242 if (Formal->hasNoAliasAttr() && Actual->getType()->isPointerTy()) 243 for (CallSite::arg_iterator BI = CS.arg_begin(); BI != AE; ++BI) 244 if (AI != BI && (*BI)->getType()->isPointerTy()) { 245 AliasAnalysis::AliasResult Result = AA->alias(*AI, *BI); 246 Assert1(Result != AliasAnalysis::MustAlias && 247 Result != AliasAnalysis::PartialAlias, 248 "Unusual: noalias argument aliases another argument", &I); 249 } 250 251 // Check that an sret argument points to valid memory. 252 if (Formal->hasStructRetAttr() && Actual->getType()->isPointerTy()) { 253 Type *Ty = 254 cast<PointerType>(Formal->getType())->getElementType(); 255 visitMemoryReference(I, Actual, AA->getTypeStoreSize(Ty), 256 DL ? DL->getABITypeAlignment(Ty) : 0, 257 Ty, MemRef::Read | MemRef::Write); 258 } 259 } 260 } 261 } 262 263 if (CS.isCall() && cast<CallInst>(CS.getInstruction())->isTailCall()) 264 for (CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end(); 265 AI != AE; ++AI) { 266 Value *Obj = findValue(*AI, /*OffsetOk=*/true); 267 Assert1(!isa<AllocaInst>(Obj), 268 "Undefined behavior: Call with \"tail\" keyword references " 269 "alloca", &I); 270 } 271 272 273 if (IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I)) 274 switch (II->getIntrinsicID()) { 275 default: break; 276 277 // TODO: Check more intrinsics 278 279 case Intrinsic::memcpy: { 280 MemCpyInst *MCI = cast<MemCpyInst>(&I); 281 // TODO: If the size is known, use it. 282 visitMemoryReference(I, MCI->getDest(), AliasAnalysis::UnknownSize, 283 MCI->getAlignment(), nullptr, 284 MemRef::Write); 285 visitMemoryReference(I, MCI->getSource(), AliasAnalysis::UnknownSize, 286 MCI->getAlignment(), nullptr, 287 MemRef::Read); 288 289 // Check that the memcpy arguments don't overlap. The AliasAnalysis API 290 // isn't expressive enough for what we really want to do. Known partial 291 // overlap is not distinguished from the case where nothing is known. 292 uint64_t Size = 0; 293 if (const ConstantInt *Len = 294 dyn_cast<ConstantInt>(findValue(MCI->getLength(), 295 /*OffsetOk=*/false))) 296 if (Len->getValue().isIntN(32)) 297 Size = Len->getValue().getZExtValue(); 298 Assert1(AA->alias(MCI->getSource(), Size, MCI->getDest(), Size) != 299 AliasAnalysis::MustAlias, 300 "Undefined behavior: memcpy source and destination overlap", &I); 301 break; 302 } 303 case Intrinsic::memmove: { 304 MemMoveInst *MMI = cast<MemMoveInst>(&I); 305 // TODO: If the size is known, use it. 306 visitMemoryReference(I, MMI->getDest(), AliasAnalysis::UnknownSize, 307 MMI->getAlignment(), nullptr, 308 MemRef::Write); 309 visitMemoryReference(I, MMI->getSource(), AliasAnalysis::UnknownSize, 310 MMI->getAlignment(), nullptr, 311 MemRef::Read); 312 break; 313 } 314 case Intrinsic::memset: { 315 MemSetInst *MSI = cast<MemSetInst>(&I); 316 // TODO: If the size is known, use it. 317 visitMemoryReference(I, MSI->getDest(), AliasAnalysis::UnknownSize, 318 MSI->getAlignment(), nullptr, 319 MemRef::Write); 320 break; 321 } 322 323 case Intrinsic::vastart: 324 Assert1(I.getParent()->getParent()->isVarArg(), 325 "Undefined behavior: va_start called in a non-varargs function", 326 &I); 327 328 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 329 0, nullptr, MemRef::Read | MemRef::Write); 330 break; 331 case Intrinsic::vacopy: 332 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 333 0, nullptr, MemRef::Write); 334 visitMemoryReference(I, CS.getArgument(1), AliasAnalysis::UnknownSize, 335 0, nullptr, MemRef::Read); 336 break; 337 case Intrinsic::vaend: 338 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 339 0, nullptr, MemRef::Read | MemRef::Write); 340 break; 341 342 case Intrinsic::stackrestore: 343 // Stackrestore doesn't read or write memory, but it sets the 344 // stack pointer, which the compiler may read from or write to 345 // at any time, so check it for both readability and writeability. 346 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 347 0, nullptr, MemRef::Read | MemRef::Write); 348 break; 349 } 350 } 351 352 void Lint::visitCallInst(CallInst &I) { 353 return visitCallSite(&I); 354 } 355 356 void Lint::visitInvokeInst(InvokeInst &I) { 357 return visitCallSite(&I); 358 } 359 360 void Lint::visitReturnInst(ReturnInst &I) { 361 Function *F = I.getParent()->getParent(); 362 Assert1(!F->doesNotReturn(), 363 "Unusual: Return statement in function with noreturn attribute", 364 &I); 365 366 if (Value *V = I.getReturnValue()) { 367 Value *Obj = findValue(V, /*OffsetOk=*/true); 368 Assert1(!isa<AllocaInst>(Obj), 369 "Unusual: Returning alloca value", &I); 370 } 371 } 372 373 // TODO: Check that the reference is in bounds. 374 // TODO: Check readnone/readonly function attributes. 375 void Lint::visitMemoryReference(Instruction &I, 376 Value *Ptr, uint64_t Size, unsigned Align, 377 Type *Ty, unsigned Flags) { 378 // If no memory is being referenced, it doesn't matter if the pointer 379 // is valid. 380 if (Size == 0) 381 return; 382 383 Value *UnderlyingObject = findValue(Ptr, /*OffsetOk=*/true); 384 Assert1(!isa<ConstantPointerNull>(UnderlyingObject), 385 "Undefined behavior: Null pointer dereference", &I); 386 Assert1(!isa<UndefValue>(UnderlyingObject), 387 "Undefined behavior: Undef pointer dereference", &I); 388 Assert1(!isa<ConstantInt>(UnderlyingObject) || 389 !cast<ConstantInt>(UnderlyingObject)->isAllOnesValue(), 390 "Unusual: All-ones pointer dereference", &I); 391 Assert1(!isa<ConstantInt>(UnderlyingObject) || 392 !cast<ConstantInt>(UnderlyingObject)->isOne(), 393 "Unusual: Address one pointer dereference", &I); 394 395 if (Flags & MemRef::Write) { 396 if (const GlobalVariable *GV = dyn_cast<GlobalVariable>(UnderlyingObject)) 397 Assert1(!GV->isConstant(), 398 "Undefined behavior: Write to read-only memory", &I); 399 Assert1(!isa<Function>(UnderlyingObject) && 400 !isa<BlockAddress>(UnderlyingObject), 401 "Undefined behavior: Write to text section", &I); 402 } 403 if (Flags & MemRef::Read) { 404 Assert1(!isa<Function>(UnderlyingObject), 405 "Unusual: Load from function body", &I); 406 Assert1(!isa<BlockAddress>(UnderlyingObject), 407 "Undefined behavior: Load from block address", &I); 408 } 409 if (Flags & MemRef::Callee) { 410 Assert1(!isa<BlockAddress>(UnderlyingObject), 411 "Undefined behavior: Call to block address", &I); 412 } 413 if (Flags & MemRef::Branchee) { 414 Assert1(!isa<Constant>(UnderlyingObject) || 415 isa<BlockAddress>(UnderlyingObject), 416 "Undefined behavior: Branch to non-blockaddress", &I); 417 } 418 419 // Check for buffer overflows and misalignment. 420 // Only handles memory references that read/write something simple like an 421 // alloca instruction or a global variable. 422 int64_t Offset = 0; 423 if (Value *Base = GetPointerBaseWithConstantOffset(Ptr, Offset, DL)) { 424 // OK, so the access is to a constant offset from Ptr. Check that Ptr is 425 // something we can handle and if so extract the size of this base object 426 // along with its alignment. 427 uint64_t BaseSize = AliasAnalysis::UnknownSize; 428 unsigned BaseAlign = 0; 429 430 if (AllocaInst *AI = dyn_cast<AllocaInst>(Base)) { 431 Type *ATy = AI->getAllocatedType(); 432 if (DL && !AI->isArrayAllocation() && ATy->isSized()) 433 BaseSize = DL->getTypeAllocSize(ATy); 434 BaseAlign = AI->getAlignment(); 435 if (DL && BaseAlign == 0 && ATy->isSized()) 436 BaseAlign = DL->getABITypeAlignment(ATy); 437 } else if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Base)) { 438 // If the global may be defined differently in another compilation unit 439 // then don't warn about funky memory accesses. 440 if (GV->hasDefinitiveInitializer()) { 441 Type *GTy = GV->getType()->getElementType(); 442 if (DL && GTy->isSized()) 443 BaseSize = DL->getTypeAllocSize(GTy); 444 BaseAlign = GV->getAlignment(); 445 if (DL && BaseAlign == 0 && GTy->isSized()) 446 BaseAlign = DL->getABITypeAlignment(GTy); 447 } 448 } 449 450 // Accesses from before the start or after the end of the object are not 451 // defined. 452 Assert1(Size == AliasAnalysis::UnknownSize || 453 BaseSize == AliasAnalysis::UnknownSize || 454 (Offset >= 0 && Offset + Size <= BaseSize), 455 "Undefined behavior: Buffer overflow", &I); 456 457 // Accesses that say that the memory is more aligned than it is are not 458 // defined. 459 if (DL && Align == 0 && Ty && Ty->isSized()) 460 Align = DL->getABITypeAlignment(Ty); 461 Assert1(!BaseAlign || Align <= MinAlign(BaseAlign, Offset), 462 "Undefined behavior: Memory reference address is misaligned", &I); 463 } 464 } 465 466 void Lint::visitLoadInst(LoadInst &I) { 467 visitMemoryReference(I, I.getPointerOperand(), 468 AA->getTypeStoreSize(I.getType()), I.getAlignment(), 469 I.getType(), MemRef::Read); 470 } 471 472 void Lint::visitStoreInst(StoreInst &I) { 473 visitMemoryReference(I, I.getPointerOperand(), 474 AA->getTypeStoreSize(I.getOperand(0)->getType()), 475 I.getAlignment(), 476 I.getOperand(0)->getType(), MemRef::Write); 477 } 478 479 void Lint::visitXor(BinaryOperator &I) { 480 Assert1(!isa<UndefValue>(I.getOperand(0)) || 481 !isa<UndefValue>(I.getOperand(1)), 482 "Undefined result: xor(undef, undef)", &I); 483 } 484 485 void Lint::visitSub(BinaryOperator &I) { 486 Assert1(!isa<UndefValue>(I.getOperand(0)) || 487 !isa<UndefValue>(I.getOperand(1)), 488 "Undefined result: sub(undef, undef)", &I); 489 } 490 491 void Lint::visitLShr(BinaryOperator &I) { 492 if (ConstantInt *CI = 493 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 494 Assert1(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 495 "Undefined result: Shift count out of range", &I); 496 } 497 498 void Lint::visitAShr(BinaryOperator &I) { 499 if (ConstantInt *CI = 500 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 501 Assert1(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 502 "Undefined result: Shift count out of range", &I); 503 } 504 505 void Lint::visitShl(BinaryOperator &I) { 506 if (ConstantInt *CI = 507 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 508 Assert1(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 509 "Undefined result: Shift count out of range", &I); 510 } 511 512 static bool isZero(Value *V, const DataLayout *DL, DominatorTree *DT, 513 AssumptionTracker *AT) { 514 // Assume undef could be zero. 515 if (isa<UndefValue>(V)) 516 return true; 517 518 VectorType *VecTy = dyn_cast<VectorType>(V->getType()); 519 if (!VecTy) { 520 unsigned BitWidth = V->getType()->getIntegerBitWidth(); 521 APInt KnownZero(BitWidth, 0), KnownOne(BitWidth, 0); 522 computeKnownBits(V, KnownZero, KnownOne, DL, 523 0, AT, dyn_cast<Instruction>(V), DT); 524 return KnownZero.isAllOnesValue(); 525 } 526 527 // Per-component check doesn't work with zeroinitializer 528 Constant *C = dyn_cast<Constant>(V); 529 if (!C) 530 return false; 531 532 if (C->isZeroValue()) 533 return true; 534 535 // For a vector, KnownZero will only be true if all values are zero, so check 536 // this per component 537 unsigned BitWidth = VecTy->getElementType()->getIntegerBitWidth(); 538 for (unsigned I = 0, N = VecTy->getNumElements(); I != N; ++I) { 539 Constant *Elem = C->getAggregateElement(I); 540 if (isa<UndefValue>(Elem)) 541 return true; 542 543 APInt KnownZero(BitWidth, 0), KnownOne(BitWidth, 0); 544 computeKnownBits(Elem, KnownZero, KnownOne, DL); 545 if (KnownZero.isAllOnesValue()) 546 return true; 547 } 548 549 return false; 550 } 551 552 void Lint::visitSDiv(BinaryOperator &I) { 553 Assert1(!isZero(I.getOperand(1), DL, DT, AT), 554 "Undefined behavior: Division by zero", &I); 555 } 556 557 void Lint::visitUDiv(BinaryOperator &I) { 558 Assert1(!isZero(I.getOperand(1), DL, DT, AT), 559 "Undefined behavior: Division by zero", &I); 560 } 561 562 void Lint::visitSRem(BinaryOperator &I) { 563 Assert1(!isZero(I.getOperand(1), DL, DT, AT), 564 "Undefined behavior: Division by zero", &I); 565 } 566 567 void Lint::visitURem(BinaryOperator &I) { 568 Assert1(!isZero(I.getOperand(1), DL, DT, AT), 569 "Undefined behavior: Division by zero", &I); 570 } 571 572 void Lint::visitAllocaInst(AllocaInst &I) { 573 if (isa<ConstantInt>(I.getArraySize())) 574 // This isn't undefined behavior, it's just an obvious pessimization. 575 Assert1(&I.getParent()->getParent()->getEntryBlock() == I.getParent(), 576 "Pessimization: Static alloca outside of entry block", &I); 577 578 // TODO: Check for an unusual size (MSB set?) 579 } 580 581 void Lint::visitVAArgInst(VAArgInst &I) { 582 visitMemoryReference(I, I.getOperand(0), AliasAnalysis::UnknownSize, 0, 583 nullptr, MemRef::Read | MemRef::Write); 584 } 585 586 void Lint::visitIndirectBrInst(IndirectBrInst &I) { 587 visitMemoryReference(I, I.getAddress(), AliasAnalysis::UnknownSize, 0, 588 nullptr, MemRef::Branchee); 589 590 Assert1(I.getNumDestinations() != 0, 591 "Undefined behavior: indirectbr with no destinations", &I); 592 } 593 594 void Lint::visitExtractElementInst(ExtractElementInst &I) { 595 if (ConstantInt *CI = 596 dyn_cast<ConstantInt>(findValue(I.getIndexOperand(), 597 /*OffsetOk=*/false))) 598 Assert1(CI->getValue().ult(I.getVectorOperandType()->getNumElements()), 599 "Undefined result: extractelement index out of range", &I); 600 } 601 602 void Lint::visitInsertElementInst(InsertElementInst &I) { 603 if (ConstantInt *CI = 604 dyn_cast<ConstantInt>(findValue(I.getOperand(2), 605 /*OffsetOk=*/false))) 606 Assert1(CI->getValue().ult(I.getType()->getNumElements()), 607 "Undefined result: insertelement index out of range", &I); 608 } 609 610 void Lint::visitUnreachableInst(UnreachableInst &I) { 611 // This isn't undefined behavior, it's merely suspicious. 612 Assert1(&I == I.getParent()->begin() || 613 std::prev(BasicBlock::iterator(&I))->mayHaveSideEffects(), 614 "Unusual: unreachable immediately preceded by instruction without " 615 "side effects", &I); 616 } 617 618 /// findValue - Look through bitcasts and simple memory reference patterns 619 /// to identify an equivalent, but more informative, value. If OffsetOk 620 /// is true, look through getelementptrs with non-zero offsets too. 621 /// 622 /// Most analysis passes don't require this logic, because instcombine 623 /// will simplify most of these kinds of things away. But it's a goal of 624 /// this Lint pass to be useful even on non-optimized IR. 625 Value *Lint::findValue(Value *V, bool OffsetOk) const { 626 SmallPtrSet<Value *, 4> Visited; 627 return findValueImpl(V, OffsetOk, Visited); 628 } 629 630 /// findValueImpl - Implementation helper for findValue. 631 Value *Lint::findValueImpl(Value *V, bool OffsetOk, 632 SmallPtrSetImpl<Value *> &Visited) const { 633 // Detect self-referential values. 634 if (!Visited.insert(V)) 635 return UndefValue::get(V->getType()); 636 637 // TODO: Look through sext or zext cast, when the result is known to 638 // be interpreted as signed or unsigned, respectively. 639 // TODO: Look through eliminable cast pairs. 640 // TODO: Look through calls with unique return values. 641 // TODO: Look through vector insert/extract/shuffle. 642 V = OffsetOk ? GetUnderlyingObject(V, DL) : V->stripPointerCasts(); 643 if (LoadInst *L = dyn_cast<LoadInst>(V)) { 644 BasicBlock::iterator BBI = L; 645 BasicBlock *BB = L->getParent(); 646 SmallPtrSet<BasicBlock *, 4> VisitedBlocks; 647 for (;;) { 648 if (!VisitedBlocks.insert(BB)) break; 649 if (Value *U = FindAvailableLoadedValue(L->getPointerOperand(), 650 BB, BBI, 6, AA)) 651 return findValueImpl(U, OffsetOk, Visited); 652 if (BBI != BB->begin()) break; 653 BB = BB->getUniquePredecessor(); 654 if (!BB) break; 655 BBI = BB->end(); 656 } 657 } else if (PHINode *PN = dyn_cast<PHINode>(V)) { 658 if (Value *W = PN->hasConstantValue()) 659 if (W != V) 660 return findValueImpl(W, OffsetOk, Visited); 661 } else if (CastInst *CI = dyn_cast<CastInst>(V)) { 662 if (CI->isNoopCast(DL)) 663 return findValueImpl(CI->getOperand(0), OffsetOk, Visited); 664 } else if (ExtractValueInst *Ex = dyn_cast<ExtractValueInst>(V)) { 665 if (Value *W = FindInsertedValue(Ex->getAggregateOperand(), 666 Ex->getIndices())) 667 if (W != V) 668 return findValueImpl(W, OffsetOk, Visited); 669 } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) { 670 // Same as above, but for ConstantExpr instead of Instruction. 671 if (Instruction::isCast(CE->getOpcode())) { 672 if (CastInst::isNoopCast(Instruction::CastOps(CE->getOpcode()), 673 CE->getOperand(0)->getType(), 674 CE->getType(), 675 DL ? DL->getIntPtrType(V->getType()) : 676 Type::getInt64Ty(V->getContext()))) 677 return findValueImpl(CE->getOperand(0), OffsetOk, Visited); 678 } else if (CE->getOpcode() == Instruction::ExtractValue) { 679 ArrayRef<unsigned> Indices = CE->getIndices(); 680 if (Value *W = FindInsertedValue(CE->getOperand(0), Indices)) 681 if (W != V) 682 return findValueImpl(W, OffsetOk, Visited); 683 } 684 } 685 686 // As a last resort, try SimplifyInstruction or constant folding. 687 if (Instruction *Inst = dyn_cast<Instruction>(V)) { 688 if (Value *W = SimplifyInstruction(Inst, DL, TLI, DT, AT)) 689 return findValueImpl(W, OffsetOk, Visited); 690 } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) { 691 if (Value *W = ConstantFoldConstantExpression(CE, DL, TLI)) 692 if (W != V) 693 return findValueImpl(W, OffsetOk, Visited); 694 } 695 696 return V; 697 } 698 699 //===----------------------------------------------------------------------===// 700 // Implement the public interfaces to this file... 701 //===----------------------------------------------------------------------===// 702 703 FunctionPass *llvm::createLintPass() { 704 return new Lint(); 705 } 706 707 /// lintFunction - Check a function for errors, printing messages on stderr. 708 /// 709 void llvm::lintFunction(const Function &f) { 710 Function &F = const_cast<Function&>(f); 711 assert(!F.isDeclaration() && "Cannot lint external functions"); 712 713 FunctionPassManager FPM(F.getParent()); 714 Lint *V = new Lint(); 715 FPM.add(V); 716 FPM.run(F); 717 } 718 719 /// lintModule - Check a module for errors, printing messages on stderr. 720 /// 721 void llvm::lintModule(const Module &M) { 722 PassManager PM; 723 Lint *V = new Lint(); 724 PM.add(V); 725 PM.run(const_cast<Module&>(M)); 726 } 727