1 //===-- Lint.cpp - Check for common errors in LLVM IR ---------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This pass statically checks for common and easily-identified constructs 11 // which produce undefined or likely unintended behavior in LLVM IR. 12 // 13 // It is not a guarantee of correctness, in two ways. First, it isn't 14 // comprehensive. There are checks which could be done statically which are 15 // not yet implemented. Some of these are indicated by TODO comments, but 16 // those aren't comprehensive either. Second, many conditions cannot be 17 // checked statically. This pass does no dynamic instrumentation, so it 18 // can't check for all possible problems. 19 // 20 // Another limitation is that it assumes all code will be executed. A store 21 // through a null pointer in a basic block which is never reached is harmless, 22 // but this pass will warn about it anyway. This is the main reason why most 23 // of these checks live here instead of in the Verifier pass. 24 // 25 // Optimization passes may make conditions that this pass checks for more or 26 // less obvious. If an optimization pass appears to be introducing a warning, 27 // it may be that the optimization pass is merely exposing an existing 28 // condition in the code. 29 // 30 // This code may be run before instcombine. In many cases, instcombine checks 31 // for the same kinds of things and turns instructions with undefined behavior 32 // into unreachable (or equivalent). Because of this, this pass makes some 33 // effort to look through bitcasts and so on. 34 // 35 //===----------------------------------------------------------------------===// 36 37 #include "llvm/Analysis/Lint.h" 38 #include "llvm/ADT/STLExtras.h" 39 #include "llvm/Analysis/AliasAnalysis.h" 40 #include "llvm/Analysis/ConstantFolding.h" 41 #include "llvm/Analysis/InstructionSimplify.h" 42 #include "llvm/Analysis/Loads.h" 43 #include "llvm/Analysis/Passes.h" 44 #include "llvm/Analysis/ValueTracking.h" 45 #include "llvm/IR/CallSite.h" 46 #include "llvm/IR/DataLayout.h" 47 #include "llvm/IR/Dominators.h" 48 #include "llvm/IR/Function.h" 49 #include "llvm/IR/InstVisitor.h" 50 #include "llvm/IR/IntrinsicInst.h" 51 #include "llvm/Pass.h" 52 #include "llvm/PassManager.h" 53 #include "llvm/Support/Debug.h" 54 #include "llvm/Support/raw_ostream.h" 55 #include "llvm/Target/TargetLibraryInfo.h" 56 using namespace llvm; 57 58 namespace { 59 namespace MemRef { 60 static unsigned Read = 1; 61 static unsigned Write = 2; 62 static unsigned Callee = 4; 63 static unsigned Branchee = 8; 64 } 65 66 class Lint : public FunctionPass, public InstVisitor<Lint> { 67 friend class InstVisitor<Lint>; 68 69 void visitFunction(Function &F); 70 71 void visitCallSite(CallSite CS); 72 void visitMemoryReference(Instruction &I, Value *Ptr, 73 uint64_t Size, unsigned Align, 74 Type *Ty, unsigned Flags); 75 76 void visitCallInst(CallInst &I); 77 void visitInvokeInst(InvokeInst &I); 78 void visitReturnInst(ReturnInst &I); 79 void visitLoadInst(LoadInst &I); 80 void visitStoreInst(StoreInst &I); 81 void visitXor(BinaryOperator &I); 82 void visitSub(BinaryOperator &I); 83 void visitLShr(BinaryOperator &I); 84 void visitAShr(BinaryOperator &I); 85 void visitShl(BinaryOperator &I); 86 void visitSDiv(BinaryOperator &I); 87 void visitUDiv(BinaryOperator &I); 88 void visitSRem(BinaryOperator &I); 89 void visitURem(BinaryOperator &I); 90 void visitAllocaInst(AllocaInst &I); 91 void visitVAArgInst(VAArgInst &I); 92 void visitIndirectBrInst(IndirectBrInst &I); 93 void visitExtractElementInst(ExtractElementInst &I); 94 void visitInsertElementInst(InsertElementInst &I); 95 void visitUnreachableInst(UnreachableInst &I); 96 97 Value *findValue(Value *V, bool OffsetOk) const; 98 Value *findValueImpl(Value *V, bool OffsetOk, 99 SmallPtrSet<Value *, 4> &Visited) const; 100 101 public: 102 Module *Mod; 103 AliasAnalysis *AA; 104 DominatorTree *DT; 105 const DataLayout *DL; 106 TargetLibraryInfo *TLI; 107 108 string_ostream MessagesStr; 109 110 static char ID; // Pass identification, replacement for typeid 111 Lint() : FunctionPass(ID) { 112 initializeLintPass(*PassRegistry::getPassRegistry()); 113 } 114 115 bool runOnFunction(Function &F) override; 116 117 void getAnalysisUsage(AnalysisUsage &AU) const override { 118 AU.setPreservesAll(); 119 AU.addRequired<AliasAnalysis>(); 120 AU.addRequired<TargetLibraryInfo>(); 121 AU.addRequired<DominatorTreeWrapperPass>(); 122 } 123 void print(raw_ostream &O, const Module *M) const override {} 124 125 void WriteValue(const Value *V) { 126 if (!V) return; 127 if (isa<Instruction>(V)) { 128 MessagesStr << *V << '\n'; 129 } else { 130 V->printAsOperand(MessagesStr, true, Mod); 131 MessagesStr << '\n'; 132 } 133 } 134 135 // CheckFailed - A check failed, so print out the condition and the message 136 // that failed. This provides a nice place to put a breakpoint if you want 137 // to see why something is not correct. 138 void CheckFailed(const Twine &Message, 139 const Value *V1 = nullptr, const Value *V2 = nullptr, 140 const Value *V3 = nullptr, const Value *V4 = nullptr) { 141 MessagesStr << Message.str() << "\n"; 142 WriteValue(V1); 143 WriteValue(V2); 144 WriteValue(V3); 145 WriteValue(V4); 146 } 147 }; 148 } 149 150 char Lint::ID = 0; 151 INITIALIZE_PASS_BEGIN(Lint, "lint", "Statically lint-checks LLVM IR", 152 false, true) 153 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfo) 154 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) 155 INITIALIZE_AG_DEPENDENCY(AliasAnalysis) 156 INITIALIZE_PASS_END(Lint, "lint", "Statically lint-checks LLVM IR", 157 false, true) 158 159 // Assert - We know that cond should be true, if not print an error message. 160 #define Assert(C, M) \ 161 do { if (!(C)) { CheckFailed(M); return; } } while (0) 162 #define Assert1(C, M, V1) \ 163 do { if (!(C)) { CheckFailed(M, V1); return; } } while (0) 164 #define Assert2(C, M, V1, V2) \ 165 do { if (!(C)) { CheckFailed(M, V1, V2); return; } } while (0) 166 #define Assert3(C, M, V1, V2, V3) \ 167 do { if (!(C)) { CheckFailed(M, V1, V2, V3); return; } } while (0) 168 #define Assert4(C, M, V1, V2, V3, V4) \ 169 do { if (!(C)) { CheckFailed(M, V1, V2, V3, V4); return; } } while (0) 170 171 // Lint::run - This is the main Analysis entry point for a 172 // function. 173 // 174 bool Lint::runOnFunction(Function &F) { 175 Mod = F.getParent(); 176 AA = &getAnalysis<AliasAnalysis>(); 177 DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree(); 178 DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>(); 179 DL = DLP ? &DLP->getDataLayout() : nullptr; 180 TLI = &getAnalysis<TargetLibraryInfo>(); 181 visit(F); 182 dbgs() << MessagesStr.str(); 183 MessagesStr.clear(); 184 return false; 185 } 186 187 void Lint::visitFunction(Function &F) { 188 // This isn't undefined behavior, it's just a little unusual, and it's a 189 // fairly common mistake to neglect to name a function. 190 Assert1(F.hasName() || F.hasLocalLinkage(), 191 "Unusual: Unnamed function with non-local linkage", &F); 192 193 // TODO: Check for irreducible control flow. 194 } 195 196 void Lint::visitCallSite(CallSite CS) { 197 Instruction &I = *CS.getInstruction(); 198 Value *Callee = CS.getCalledValue(); 199 200 visitMemoryReference(I, Callee, AliasAnalysis::UnknownSize, 201 0, nullptr, MemRef::Callee); 202 203 if (Function *F = dyn_cast<Function>(findValue(Callee, /*OffsetOk=*/false))) { 204 Assert1(CS.getCallingConv() == F->getCallingConv(), 205 "Undefined behavior: Caller and callee calling convention differ", 206 &I); 207 208 FunctionType *FT = F->getFunctionType(); 209 unsigned NumActualArgs = CS.arg_size(); 210 211 Assert1(FT->isVarArg() ? 212 FT->getNumParams() <= NumActualArgs : 213 FT->getNumParams() == NumActualArgs, 214 "Undefined behavior: Call argument count mismatches callee " 215 "argument count", &I); 216 217 Assert1(FT->getReturnType() == I.getType(), 218 "Undefined behavior: Call return type mismatches " 219 "callee return type", &I); 220 221 // Check argument types (in case the callee was casted) and attributes. 222 // TODO: Verify that caller and callee attributes are compatible. 223 Function::arg_iterator PI = F->arg_begin(), PE = F->arg_end(); 224 CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end(); 225 for (; AI != AE; ++AI) { 226 Value *Actual = *AI; 227 if (PI != PE) { 228 Argument *Formal = PI++; 229 Assert1(Formal->getType() == Actual->getType(), 230 "Undefined behavior: Call argument type mismatches " 231 "callee parameter type", &I); 232 233 // Check that noalias arguments don't alias other arguments. This is 234 // not fully precise because we don't know the sizes of the dereferenced 235 // memory regions. 236 if (Formal->hasNoAliasAttr() && Actual->getType()->isPointerTy()) 237 for (CallSite::arg_iterator BI = CS.arg_begin(); BI != AE; ++BI) 238 if (AI != BI && (*BI)->getType()->isPointerTy()) { 239 AliasAnalysis::AliasResult Result = AA->alias(*AI, *BI); 240 Assert1(Result != AliasAnalysis::MustAlias && 241 Result != AliasAnalysis::PartialAlias, 242 "Unusual: noalias argument aliases another argument", &I); 243 } 244 245 // Check that an sret argument points to valid memory. 246 if (Formal->hasStructRetAttr() && Actual->getType()->isPointerTy()) { 247 Type *Ty = 248 cast<PointerType>(Formal->getType())->getElementType(); 249 visitMemoryReference(I, Actual, AA->getTypeStoreSize(Ty), 250 DL ? DL->getABITypeAlignment(Ty) : 0, 251 Ty, MemRef::Read | MemRef::Write); 252 } 253 } 254 } 255 } 256 257 if (CS.isCall() && cast<CallInst>(CS.getInstruction())->isTailCall()) 258 for (CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end(); 259 AI != AE; ++AI) { 260 Value *Obj = findValue(*AI, /*OffsetOk=*/true); 261 Assert1(!isa<AllocaInst>(Obj), 262 "Undefined behavior: Call with \"tail\" keyword references " 263 "alloca", &I); 264 } 265 266 267 if (IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I)) 268 switch (II->getIntrinsicID()) { 269 default: break; 270 271 // TODO: Check more intrinsics 272 273 case Intrinsic::memcpy: { 274 MemCpyInst *MCI = cast<MemCpyInst>(&I); 275 // TODO: If the size is known, use it. 276 visitMemoryReference(I, MCI->getDest(), AliasAnalysis::UnknownSize, 277 MCI->getAlignment(), nullptr, 278 MemRef::Write); 279 visitMemoryReference(I, MCI->getSource(), AliasAnalysis::UnknownSize, 280 MCI->getAlignment(), nullptr, 281 MemRef::Read); 282 283 // Check that the memcpy arguments don't overlap. The AliasAnalysis API 284 // isn't expressive enough for what we really want to do. Known partial 285 // overlap is not distinguished from the case where nothing is known. 286 uint64_t Size = 0; 287 if (const ConstantInt *Len = 288 dyn_cast<ConstantInt>(findValue(MCI->getLength(), 289 /*OffsetOk=*/false))) 290 if (Len->getValue().isIntN(32)) 291 Size = Len->getValue().getZExtValue(); 292 Assert1(AA->alias(MCI->getSource(), Size, MCI->getDest(), Size) != 293 AliasAnalysis::MustAlias, 294 "Undefined behavior: memcpy source and destination overlap", &I); 295 break; 296 } 297 case Intrinsic::memmove: { 298 MemMoveInst *MMI = cast<MemMoveInst>(&I); 299 // TODO: If the size is known, use it. 300 visitMemoryReference(I, MMI->getDest(), AliasAnalysis::UnknownSize, 301 MMI->getAlignment(), nullptr, 302 MemRef::Write); 303 visitMemoryReference(I, MMI->getSource(), AliasAnalysis::UnknownSize, 304 MMI->getAlignment(), nullptr, 305 MemRef::Read); 306 break; 307 } 308 case Intrinsic::memset: { 309 MemSetInst *MSI = cast<MemSetInst>(&I); 310 // TODO: If the size is known, use it. 311 visitMemoryReference(I, MSI->getDest(), AliasAnalysis::UnknownSize, 312 MSI->getAlignment(), nullptr, 313 MemRef::Write); 314 break; 315 } 316 317 case Intrinsic::vastart: 318 Assert1(I.getParent()->getParent()->isVarArg(), 319 "Undefined behavior: va_start called in a non-varargs function", 320 &I); 321 322 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 323 0, nullptr, MemRef::Read | MemRef::Write); 324 break; 325 case Intrinsic::vacopy: 326 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 327 0, nullptr, MemRef::Write); 328 visitMemoryReference(I, CS.getArgument(1), AliasAnalysis::UnknownSize, 329 0, nullptr, MemRef::Read); 330 break; 331 case Intrinsic::vaend: 332 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 333 0, nullptr, MemRef::Read | MemRef::Write); 334 break; 335 336 case Intrinsic::stackrestore: 337 // Stackrestore doesn't read or write memory, but it sets the 338 // stack pointer, which the compiler may read from or write to 339 // at any time, so check it for both readability and writeability. 340 visitMemoryReference(I, CS.getArgument(0), AliasAnalysis::UnknownSize, 341 0, nullptr, MemRef::Read | MemRef::Write); 342 break; 343 } 344 } 345 346 void Lint::visitCallInst(CallInst &I) { 347 return visitCallSite(&I); 348 } 349 350 void Lint::visitInvokeInst(InvokeInst &I) { 351 return visitCallSite(&I); 352 } 353 354 void Lint::visitReturnInst(ReturnInst &I) { 355 Function *F = I.getParent()->getParent(); 356 Assert1(!F->doesNotReturn(), 357 "Unusual: Return statement in function with noreturn attribute", 358 &I); 359 360 if (Value *V = I.getReturnValue()) { 361 Value *Obj = findValue(V, /*OffsetOk=*/true); 362 Assert1(!isa<AllocaInst>(Obj), 363 "Unusual: Returning alloca value", &I); 364 } 365 } 366 367 // TODO: Check that the reference is in bounds. 368 // TODO: Check readnone/readonly function attributes. 369 void Lint::visitMemoryReference(Instruction &I, 370 Value *Ptr, uint64_t Size, unsigned Align, 371 Type *Ty, unsigned Flags) { 372 // If no memory is being referenced, it doesn't matter if the pointer 373 // is valid. 374 if (Size == 0) 375 return; 376 377 Value *UnderlyingObject = findValue(Ptr, /*OffsetOk=*/true); 378 Assert1(!isa<ConstantPointerNull>(UnderlyingObject), 379 "Undefined behavior: Null pointer dereference", &I); 380 Assert1(!isa<UndefValue>(UnderlyingObject), 381 "Undefined behavior: Undef pointer dereference", &I); 382 Assert1(!isa<ConstantInt>(UnderlyingObject) || 383 !cast<ConstantInt>(UnderlyingObject)->isAllOnesValue(), 384 "Unusual: All-ones pointer dereference", &I); 385 Assert1(!isa<ConstantInt>(UnderlyingObject) || 386 !cast<ConstantInt>(UnderlyingObject)->isOne(), 387 "Unusual: Address one pointer dereference", &I); 388 389 if (Flags & MemRef::Write) { 390 if (const GlobalVariable *GV = dyn_cast<GlobalVariable>(UnderlyingObject)) 391 Assert1(!GV->isConstant(), 392 "Undefined behavior: Write to read-only memory", &I); 393 Assert1(!isa<Function>(UnderlyingObject) && 394 !isa<BlockAddress>(UnderlyingObject), 395 "Undefined behavior: Write to text section", &I); 396 } 397 if (Flags & MemRef::Read) { 398 Assert1(!isa<Function>(UnderlyingObject), 399 "Unusual: Load from function body", &I); 400 Assert1(!isa<BlockAddress>(UnderlyingObject), 401 "Undefined behavior: Load from block address", &I); 402 } 403 if (Flags & MemRef::Callee) { 404 Assert1(!isa<BlockAddress>(UnderlyingObject), 405 "Undefined behavior: Call to block address", &I); 406 } 407 if (Flags & MemRef::Branchee) { 408 Assert1(!isa<Constant>(UnderlyingObject) || 409 isa<BlockAddress>(UnderlyingObject), 410 "Undefined behavior: Branch to non-blockaddress", &I); 411 } 412 413 // Check for buffer overflows and misalignment. 414 // Only handles memory references that read/write something simple like an 415 // alloca instruction or a global variable. 416 int64_t Offset = 0; 417 if (Value *Base = GetPointerBaseWithConstantOffset(Ptr, Offset, DL)) { 418 // OK, so the access is to a constant offset from Ptr. Check that Ptr is 419 // something we can handle and if so extract the size of this base object 420 // along with its alignment. 421 uint64_t BaseSize = AliasAnalysis::UnknownSize; 422 unsigned BaseAlign = 0; 423 424 if (AllocaInst *AI = dyn_cast<AllocaInst>(Base)) { 425 Type *ATy = AI->getAllocatedType(); 426 if (DL && !AI->isArrayAllocation() && ATy->isSized()) 427 BaseSize = DL->getTypeAllocSize(ATy); 428 BaseAlign = AI->getAlignment(); 429 if (DL && BaseAlign == 0 && ATy->isSized()) 430 BaseAlign = DL->getABITypeAlignment(ATy); 431 } else if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Base)) { 432 // If the global may be defined differently in another compilation unit 433 // then don't warn about funky memory accesses. 434 if (GV->hasDefinitiveInitializer()) { 435 Type *GTy = GV->getType()->getElementType(); 436 if (DL && GTy->isSized()) 437 BaseSize = DL->getTypeAllocSize(GTy); 438 BaseAlign = GV->getAlignment(); 439 if (DL && BaseAlign == 0 && GTy->isSized()) 440 BaseAlign = DL->getABITypeAlignment(GTy); 441 } 442 } 443 444 // Accesses from before the start or after the end of the object are not 445 // defined. 446 Assert1(Size == AliasAnalysis::UnknownSize || 447 BaseSize == AliasAnalysis::UnknownSize || 448 (Offset >= 0 && Offset + Size <= BaseSize), 449 "Undefined behavior: Buffer overflow", &I); 450 451 // Accesses that say that the memory is more aligned than it is are not 452 // defined. 453 if (DL && Align == 0 && Ty && Ty->isSized()) 454 Align = DL->getABITypeAlignment(Ty); 455 Assert1(!BaseAlign || Align <= MinAlign(BaseAlign, Offset), 456 "Undefined behavior: Memory reference address is misaligned", &I); 457 } 458 } 459 460 void Lint::visitLoadInst(LoadInst &I) { 461 visitMemoryReference(I, I.getPointerOperand(), 462 AA->getTypeStoreSize(I.getType()), I.getAlignment(), 463 I.getType(), MemRef::Read); 464 } 465 466 void Lint::visitStoreInst(StoreInst &I) { 467 visitMemoryReference(I, I.getPointerOperand(), 468 AA->getTypeStoreSize(I.getOperand(0)->getType()), 469 I.getAlignment(), 470 I.getOperand(0)->getType(), MemRef::Write); 471 } 472 473 void Lint::visitXor(BinaryOperator &I) { 474 Assert1(!isa<UndefValue>(I.getOperand(0)) || 475 !isa<UndefValue>(I.getOperand(1)), 476 "Undefined result: xor(undef, undef)", &I); 477 } 478 479 void Lint::visitSub(BinaryOperator &I) { 480 Assert1(!isa<UndefValue>(I.getOperand(0)) || 481 !isa<UndefValue>(I.getOperand(1)), 482 "Undefined result: sub(undef, undef)", &I); 483 } 484 485 void Lint::visitLShr(BinaryOperator &I) { 486 if (ConstantInt *CI = 487 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 488 Assert1(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 489 "Undefined result: Shift count out of range", &I); 490 } 491 492 void Lint::visitAShr(BinaryOperator &I) { 493 if (ConstantInt *CI = 494 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 495 Assert1(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 496 "Undefined result: Shift count out of range", &I); 497 } 498 499 void Lint::visitShl(BinaryOperator &I) { 500 if (ConstantInt *CI = 501 dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false))) 502 Assert1(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()), 503 "Undefined result: Shift count out of range", &I); 504 } 505 506 static bool isZero(Value *V, const DataLayout *DL) { 507 // Assume undef could be zero. 508 if (isa<UndefValue>(V)) 509 return true; 510 511 VectorType *VecTy = dyn_cast<VectorType>(V->getType()); 512 if (!VecTy) { 513 unsigned BitWidth = V->getType()->getIntegerBitWidth(); 514 APInt KnownZero(BitWidth, 0), KnownOne(BitWidth, 0); 515 computeKnownBits(V, KnownZero, KnownOne, DL); 516 return KnownZero.isAllOnesValue(); 517 } 518 519 // Per-component check doesn't work with zeroinitializer 520 Constant *C = dyn_cast<Constant>(V); 521 if (!C) 522 return false; 523 524 if (C->isZeroValue()) 525 return true; 526 527 // For a vector, KnownZero will only be true if all values are zero, so check 528 // this per component 529 unsigned BitWidth = VecTy->getElementType()->getIntegerBitWidth(); 530 for (unsigned I = 0, N = VecTy->getNumElements(); I != N; ++I) { 531 Constant *Elem = C->getAggregateElement(I); 532 if (isa<UndefValue>(Elem)) 533 return true; 534 535 APInt KnownZero(BitWidth, 0), KnownOne(BitWidth, 0); 536 computeKnownBits(Elem, KnownZero, KnownOne, DL); 537 if (KnownZero.isAllOnesValue()) 538 return true; 539 } 540 541 return false; 542 } 543 544 void Lint::visitSDiv(BinaryOperator &I) { 545 Assert1(!isZero(I.getOperand(1), DL), 546 "Undefined behavior: Division by zero", &I); 547 } 548 549 void Lint::visitUDiv(BinaryOperator &I) { 550 Assert1(!isZero(I.getOperand(1), DL), 551 "Undefined behavior: Division by zero", &I); 552 } 553 554 void Lint::visitSRem(BinaryOperator &I) { 555 Assert1(!isZero(I.getOperand(1), DL), 556 "Undefined behavior: Division by zero", &I); 557 } 558 559 void Lint::visitURem(BinaryOperator &I) { 560 Assert1(!isZero(I.getOperand(1), DL), 561 "Undefined behavior: Division by zero", &I); 562 } 563 564 void Lint::visitAllocaInst(AllocaInst &I) { 565 if (isa<ConstantInt>(I.getArraySize())) 566 // This isn't undefined behavior, it's just an obvious pessimization. 567 Assert1(&I.getParent()->getParent()->getEntryBlock() == I.getParent(), 568 "Pessimization: Static alloca outside of entry block", &I); 569 570 // TODO: Check for an unusual size (MSB set?) 571 } 572 573 void Lint::visitVAArgInst(VAArgInst &I) { 574 visitMemoryReference(I, I.getOperand(0), AliasAnalysis::UnknownSize, 0, 575 nullptr, MemRef::Read | MemRef::Write); 576 } 577 578 void Lint::visitIndirectBrInst(IndirectBrInst &I) { 579 visitMemoryReference(I, I.getAddress(), AliasAnalysis::UnknownSize, 0, 580 nullptr, MemRef::Branchee); 581 582 Assert1(I.getNumDestinations() != 0, 583 "Undefined behavior: indirectbr with no destinations", &I); 584 } 585 586 void Lint::visitExtractElementInst(ExtractElementInst &I) { 587 if (ConstantInt *CI = 588 dyn_cast<ConstantInt>(findValue(I.getIndexOperand(), 589 /*OffsetOk=*/false))) 590 Assert1(CI->getValue().ult(I.getVectorOperandType()->getNumElements()), 591 "Undefined result: extractelement index out of range", &I); 592 } 593 594 void Lint::visitInsertElementInst(InsertElementInst &I) { 595 if (ConstantInt *CI = 596 dyn_cast<ConstantInt>(findValue(I.getOperand(2), 597 /*OffsetOk=*/false))) 598 Assert1(CI->getValue().ult(I.getType()->getNumElements()), 599 "Undefined result: insertelement index out of range", &I); 600 } 601 602 void Lint::visitUnreachableInst(UnreachableInst &I) { 603 // This isn't undefined behavior, it's merely suspicious. 604 Assert1(&I == I.getParent()->begin() || 605 std::prev(BasicBlock::iterator(&I))->mayHaveSideEffects(), 606 "Unusual: unreachable immediately preceded by instruction without " 607 "side effects", &I); 608 } 609 610 /// findValue - Look through bitcasts and simple memory reference patterns 611 /// to identify an equivalent, but more informative, value. If OffsetOk 612 /// is true, look through getelementptrs with non-zero offsets too. 613 /// 614 /// Most analysis passes don't require this logic, because instcombine 615 /// will simplify most of these kinds of things away. But it's a goal of 616 /// this Lint pass to be useful even on non-optimized IR. 617 Value *Lint::findValue(Value *V, bool OffsetOk) const { 618 SmallPtrSet<Value *, 4> Visited; 619 return findValueImpl(V, OffsetOk, Visited); 620 } 621 622 /// findValueImpl - Implementation helper for findValue. 623 Value *Lint::findValueImpl(Value *V, bool OffsetOk, 624 SmallPtrSet<Value *, 4> &Visited) const { 625 // Detect self-referential values. 626 if (!Visited.insert(V)) 627 return UndefValue::get(V->getType()); 628 629 // TODO: Look through sext or zext cast, when the result is known to 630 // be interpreted as signed or unsigned, respectively. 631 // TODO: Look through eliminable cast pairs. 632 // TODO: Look through calls with unique return values. 633 // TODO: Look through vector insert/extract/shuffle. 634 V = OffsetOk ? GetUnderlyingObject(V, DL) : V->stripPointerCasts(); 635 if (LoadInst *L = dyn_cast<LoadInst>(V)) { 636 BasicBlock::iterator BBI = L; 637 BasicBlock *BB = L->getParent(); 638 SmallPtrSet<BasicBlock *, 4> VisitedBlocks; 639 for (;;) { 640 if (!VisitedBlocks.insert(BB)) break; 641 if (Value *U = FindAvailableLoadedValue(L->getPointerOperand(), 642 BB, BBI, 6, AA)) 643 return findValueImpl(U, OffsetOk, Visited); 644 if (BBI != BB->begin()) break; 645 BB = BB->getUniquePredecessor(); 646 if (!BB) break; 647 BBI = BB->end(); 648 } 649 } else if (PHINode *PN = dyn_cast<PHINode>(V)) { 650 if (Value *W = PN->hasConstantValue()) 651 if (W != V) 652 return findValueImpl(W, OffsetOk, Visited); 653 } else if (CastInst *CI = dyn_cast<CastInst>(V)) { 654 if (CI->isNoopCast(DL)) 655 return findValueImpl(CI->getOperand(0), OffsetOk, Visited); 656 } else if (ExtractValueInst *Ex = dyn_cast<ExtractValueInst>(V)) { 657 if (Value *W = FindInsertedValue(Ex->getAggregateOperand(), 658 Ex->getIndices())) 659 if (W != V) 660 return findValueImpl(W, OffsetOk, Visited); 661 } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) { 662 // Same as above, but for ConstantExpr instead of Instruction. 663 if (Instruction::isCast(CE->getOpcode())) { 664 if (CastInst::isNoopCast(Instruction::CastOps(CE->getOpcode()), 665 CE->getOperand(0)->getType(), 666 CE->getType(), 667 DL ? DL->getIntPtrType(V->getType()) : 668 Type::getInt64Ty(V->getContext()))) 669 return findValueImpl(CE->getOperand(0), OffsetOk, Visited); 670 } else if (CE->getOpcode() == Instruction::ExtractValue) { 671 ArrayRef<unsigned> Indices = CE->getIndices(); 672 if (Value *W = FindInsertedValue(CE->getOperand(0), Indices)) 673 if (W != V) 674 return findValueImpl(W, OffsetOk, Visited); 675 } 676 } 677 678 // As a last resort, try SimplifyInstruction or constant folding. 679 if (Instruction *Inst = dyn_cast<Instruction>(V)) { 680 if (Value *W = SimplifyInstruction(Inst, DL, TLI, DT)) 681 return findValueImpl(W, OffsetOk, Visited); 682 } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) { 683 if (Value *W = ConstantFoldConstantExpression(CE, DL, TLI)) 684 if (W != V) 685 return findValueImpl(W, OffsetOk, Visited); 686 } 687 688 return V; 689 } 690 691 //===----------------------------------------------------------------------===// 692 // Implement the public interfaces to this file... 693 //===----------------------------------------------------------------------===// 694 695 FunctionPass *llvm::createLintPass() { 696 return new Lint(); 697 } 698 699 /// lintFunction - Check a function for errors, printing messages on stderr. 700 /// 701 void llvm::lintFunction(const Function &f) { 702 Function &F = const_cast<Function&>(f); 703 assert(!F.isDeclaration() && "Cannot lint external functions"); 704 705 FunctionPassManager FPM(F.getParent()); 706 Lint *V = new Lint(); 707 FPM.add(V); 708 FPM.run(F); 709 } 710 711 /// lintModule - Check a module for errors, printing messages on stderr. 712 /// 713 void llvm::lintModule(const Module &M) { 714 PassManager PM; 715 Lint *V = new Lint(); 716 PM.add(V); 717 PM.run(const_cast<Module&>(M)); 718 } 719