1 //===------ MemoryBuiltins.cpp - Identify calls to memory builtins --------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This family of functions identifies calls to builtin functions that allocate 11 // or free memory. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "llvm/Analysis/MemoryBuiltins.h" 16 #include "llvm/ADT/STLExtras.h" 17 #include "llvm/ADT/Statistic.h" 18 #include "llvm/Analysis/TargetLibraryInfo.h" 19 #include "llvm/Analysis/ValueTracking.h" 20 #include "llvm/IR/DataLayout.h" 21 #include "llvm/IR/GlobalVariable.h" 22 #include "llvm/IR/Instructions.h" 23 #include "llvm/IR/Intrinsics.h" 24 #include "llvm/IR/Metadata.h" 25 #include "llvm/IR/Module.h" 26 #include "llvm/Support/Debug.h" 27 #include "llvm/Support/MathExtras.h" 28 #include "llvm/Support/raw_ostream.h" 29 #include "llvm/Transforms/Utils/Local.h" 30 using namespace llvm; 31 32 #define DEBUG_TYPE "memory-builtins" 33 34 enum AllocType : uint8_t { 35 OpNewLike = 1<<0, // allocates; never returns null 36 MallocLike = 1<<1 | OpNewLike, // allocates; may return null 37 CallocLike = 1<<2, // allocates + bzero 38 ReallocLike = 1<<3, // reallocates 39 StrDupLike = 1<<4, 40 AllocLike = MallocLike | CallocLike | StrDupLike, 41 AnyAlloc = AllocLike | ReallocLike 42 }; 43 44 struct AllocFnsTy { 45 AllocType AllocTy; 46 unsigned NumParams; 47 // First and Second size parameters (or -1 if unused) 48 int FstParam, SndParam; 49 }; 50 51 // FIXME: certain users need more information. E.g., SimplifyLibCalls needs to 52 // know which functions are nounwind, noalias, nocapture parameters, etc. 53 static const std::pair<LibFunc::Func, AllocFnsTy> AllocationFnData[] = { 54 {LibFunc::malloc, {MallocLike, 1, 0, -1}}, 55 {LibFunc::valloc, {MallocLike, 1, 0, -1}}, 56 {LibFunc::Znwj, {OpNewLike, 1, 0, -1}}, // new(unsigned int) 57 {LibFunc::ZnwjRKSt9nothrow_t, {MallocLike, 2, 0, -1}}, // new(unsigned int, nothrow) 58 {LibFunc::Znwm, {OpNewLike, 1, 0, -1}}, // new(unsigned long) 59 {LibFunc::ZnwmRKSt9nothrow_t, {MallocLike, 2, 0, -1}}, // new(unsigned long, nothrow) 60 {LibFunc::Znaj, {OpNewLike, 1, 0, -1}}, // new[](unsigned int) 61 {LibFunc::ZnajRKSt9nothrow_t, {MallocLike, 2, 0, -1}}, // new[](unsigned int, nothrow) 62 {LibFunc::Znam, {OpNewLike, 1, 0, -1}}, // new[](unsigned long) 63 {LibFunc::ZnamRKSt9nothrow_t, {MallocLike, 2, 0, -1}}, // new[](unsigned long, nothrow) 64 {LibFunc::msvc_new_int, {OpNewLike, 1, 0, -1}}, // new(unsigned int) 65 {LibFunc::msvc_new_int_nothrow, {MallocLike, 2, 0, -1}}, // new(unsigned int, nothrow) 66 {LibFunc::msvc_new_longlong, {OpNewLike, 1, 0, -1}}, // new(unsigned long long) 67 {LibFunc::msvc_new_longlong_nothrow, {MallocLike, 2, 0, -1}}, // new(unsigned long long, nothrow) 68 {LibFunc::msvc_new_array_int, {OpNewLike, 1, 0, -1}}, // new[](unsigned int) 69 {LibFunc::msvc_new_array_int_nothrow, {MallocLike, 2, 0, -1}}, // new[](unsigned int, nothrow) 70 {LibFunc::msvc_new_array_longlong, {OpNewLike, 1, 0, -1}}, // new[](unsigned long long) 71 {LibFunc::msvc_new_array_longlong_nothrow, {MallocLike, 2, 0, -1}}, // new[](unsigned long long, nothrow) 72 {LibFunc::calloc, {CallocLike, 2, 0, 1}}, 73 {LibFunc::realloc, {ReallocLike, 2, 1, -1}}, 74 {LibFunc::reallocf, {ReallocLike, 2, 1, -1}}, 75 {LibFunc::strdup, {StrDupLike, 1, -1, -1}}, 76 {LibFunc::strndup, {StrDupLike, 2, 1, -1}} 77 // TODO: Handle "int posix_memalign(void **, size_t, size_t)" 78 }; 79 80 81 static Function *getCalledFunction(const Value *V, bool LookThroughBitCast) { 82 if (LookThroughBitCast) 83 V = V->stripPointerCasts(); 84 85 CallSite CS(const_cast<Value*>(V)); 86 if (!CS.getInstruction()) 87 return nullptr; 88 89 if (CS.isNoBuiltin()) 90 return nullptr; 91 92 Function *Callee = CS.getCalledFunction(); 93 if (!Callee || !Callee->isDeclaration()) 94 return nullptr; 95 return Callee; 96 } 97 98 /// Returns the allocation data for the given value if it's either a call to a 99 /// known allocation function, or a call to a function with the allocsize 100 /// attribute. 101 static Optional<AllocFnsTy> getAllocationData(const Value *V, AllocType AllocTy, 102 const TargetLibraryInfo *TLI, 103 bool LookThroughBitCast = false) { 104 // Skip intrinsics 105 if (isa<IntrinsicInst>(V)) 106 return None; 107 108 const Function *Callee = getCalledFunction(V, LookThroughBitCast); 109 if (!Callee) 110 return None; 111 112 // If it has allocsize, we can skip checking if it's a known function. 113 // 114 // MallocLike is chosen here because allocsize makes no guarantees about the 115 // nullness of the result of the function, nor does it deal with strings, nor 116 // does it require that the memory returned is zeroed out. 117 const AllocType AllocSizeAllocTy = MallocLike; 118 if ((AllocTy & AllocSizeAllocTy) == AllocSizeAllocTy && 119 Callee->hasFnAttribute(Attribute::AllocSize)) { 120 Attribute Attr = Callee->getFnAttribute(Attribute::AllocSize); 121 std::pair<unsigned, Optional<unsigned>> Args = Attr.getAllocSizeArgs(); 122 123 AllocFnsTy Result; 124 Result.AllocTy = AllocSizeAllocTy; 125 Result.NumParams = Callee->getNumOperands(); 126 Result.FstParam = Args.first; 127 Result.SndParam = Args.second.getValueOr(-1); 128 return Result; 129 } 130 131 // Make sure that the function is available. 132 StringRef FnName = Callee->getName(); 133 LibFunc::Func TLIFn; 134 if (!TLI || !TLI->getLibFunc(FnName, TLIFn) || !TLI->has(TLIFn)) 135 return None; 136 137 const auto *Iter = find_if( 138 AllocationFnData, [TLIFn](const std::pair<LibFunc::Func, AllocFnsTy> &P) { 139 return P.first == TLIFn; 140 }); 141 142 if (Iter == std::end(AllocationFnData)) 143 return None; 144 145 const AllocFnsTy *FnData = &Iter->second; 146 if ((FnData->AllocTy & AllocTy) != FnData->AllocTy) 147 return None; 148 149 // Check function prototype. 150 int FstParam = FnData->FstParam; 151 int SndParam = FnData->SndParam; 152 FunctionType *FTy = Callee->getFunctionType(); 153 154 if (FTy->getReturnType() == Type::getInt8PtrTy(FTy->getContext()) && 155 FTy->getNumParams() == FnData->NumParams && 156 (FstParam < 0 || 157 (FTy->getParamType(FstParam)->isIntegerTy(32) || 158 FTy->getParamType(FstParam)->isIntegerTy(64))) && 159 (SndParam < 0 || 160 FTy->getParamType(SndParam)->isIntegerTy(32) || 161 FTy->getParamType(SndParam)->isIntegerTy(64))) 162 return *FnData; 163 return None; 164 } 165 166 static bool hasNoAliasAttr(const Value *V, bool LookThroughBitCast) { 167 ImmutableCallSite CS(LookThroughBitCast ? V->stripPointerCasts() : V); 168 return CS && CS.paramHasAttr(AttributeSet::ReturnIndex, Attribute::NoAlias); 169 } 170 171 172 /// \brief Tests if a value is a call or invoke to a library function that 173 /// allocates or reallocates memory (either malloc, calloc, realloc, or strdup 174 /// like). 175 bool llvm::isAllocationFn(const Value *V, const TargetLibraryInfo *TLI, 176 bool LookThroughBitCast) { 177 return getAllocationData(V, AnyAlloc, TLI, LookThroughBitCast).hasValue(); 178 } 179 180 /// \brief Tests if a value is a call or invoke to a function that returns a 181 /// NoAlias pointer (including malloc/calloc/realloc/strdup-like functions). 182 bool llvm::isNoAliasFn(const Value *V, const TargetLibraryInfo *TLI, 183 bool LookThroughBitCast) { 184 // it's safe to consider realloc as noalias since accessing the original 185 // pointer is undefined behavior 186 return isAllocationFn(V, TLI, LookThroughBitCast) || 187 hasNoAliasAttr(V, LookThroughBitCast); 188 } 189 190 /// \brief Tests if a value is a call or invoke to a library function that 191 /// allocates uninitialized memory (such as malloc). 192 bool llvm::isMallocLikeFn(const Value *V, const TargetLibraryInfo *TLI, 193 bool LookThroughBitCast) { 194 return getAllocationData(V, MallocLike, TLI, LookThroughBitCast).hasValue(); 195 } 196 197 /// \brief Tests if a value is a call or invoke to a library function that 198 /// allocates zero-filled memory (such as calloc). 199 bool llvm::isCallocLikeFn(const Value *V, const TargetLibraryInfo *TLI, 200 bool LookThroughBitCast) { 201 return getAllocationData(V, CallocLike, TLI, LookThroughBitCast).hasValue(); 202 } 203 204 /// \brief Tests if a value is a call or invoke to a library function that 205 /// allocates memory (either malloc, calloc, or strdup like). 206 bool llvm::isAllocLikeFn(const Value *V, const TargetLibraryInfo *TLI, 207 bool LookThroughBitCast) { 208 return getAllocationData(V, AllocLike, TLI, LookThroughBitCast).hasValue(); 209 } 210 211 /// extractMallocCall - Returns the corresponding CallInst if the instruction 212 /// is a malloc call. Since CallInst::CreateMalloc() only creates calls, we 213 /// ignore InvokeInst here. 214 const CallInst *llvm::extractMallocCall(const Value *I, 215 const TargetLibraryInfo *TLI) { 216 return isMallocLikeFn(I, TLI) ? dyn_cast<CallInst>(I) : nullptr; 217 } 218 219 static Value *computeArraySize(const CallInst *CI, const DataLayout &DL, 220 const TargetLibraryInfo *TLI, 221 bool LookThroughSExt = false) { 222 if (!CI) 223 return nullptr; 224 225 // The size of the malloc's result type must be known to determine array size. 226 Type *T = getMallocAllocatedType(CI, TLI); 227 if (!T || !T->isSized()) 228 return nullptr; 229 230 unsigned ElementSize = DL.getTypeAllocSize(T); 231 if (StructType *ST = dyn_cast<StructType>(T)) 232 ElementSize = DL.getStructLayout(ST)->getSizeInBytes(); 233 234 // If malloc call's arg can be determined to be a multiple of ElementSize, 235 // return the multiple. Otherwise, return NULL. 236 Value *MallocArg = CI->getArgOperand(0); 237 Value *Multiple = nullptr; 238 if (ComputeMultiple(MallocArg, ElementSize, Multiple, LookThroughSExt)) 239 return Multiple; 240 241 return nullptr; 242 } 243 244 /// getMallocType - Returns the PointerType resulting from the malloc call. 245 /// The PointerType depends on the number of bitcast uses of the malloc call: 246 /// 0: PointerType is the calls' return type. 247 /// 1: PointerType is the bitcast's result type. 248 /// >1: Unique PointerType cannot be determined, return NULL. 249 PointerType *llvm::getMallocType(const CallInst *CI, 250 const TargetLibraryInfo *TLI) { 251 assert(isMallocLikeFn(CI, TLI) && "getMallocType and not malloc call"); 252 253 PointerType *MallocType = nullptr; 254 unsigned NumOfBitCastUses = 0; 255 256 // Determine if CallInst has a bitcast use. 257 for (Value::const_user_iterator UI = CI->user_begin(), E = CI->user_end(); 258 UI != E;) 259 if (const BitCastInst *BCI = dyn_cast<BitCastInst>(*UI++)) { 260 MallocType = cast<PointerType>(BCI->getDestTy()); 261 NumOfBitCastUses++; 262 } 263 264 // Malloc call has 1 bitcast use, so type is the bitcast's destination type. 265 if (NumOfBitCastUses == 1) 266 return MallocType; 267 268 // Malloc call was not bitcast, so type is the malloc function's return type. 269 if (NumOfBitCastUses == 0) 270 return cast<PointerType>(CI->getType()); 271 272 // Type could not be determined. 273 return nullptr; 274 } 275 276 /// getMallocAllocatedType - Returns the Type allocated by malloc call. 277 /// The Type depends on the number of bitcast uses of the malloc call: 278 /// 0: PointerType is the malloc calls' return type. 279 /// 1: PointerType is the bitcast's result type. 280 /// >1: Unique PointerType cannot be determined, return NULL. 281 Type *llvm::getMallocAllocatedType(const CallInst *CI, 282 const TargetLibraryInfo *TLI) { 283 PointerType *PT = getMallocType(CI, TLI); 284 return PT ? PT->getElementType() : nullptr; 285 } 286 287 /// getMallocArraySize - Returns the array size of a malloc call. If the 288 /// argument passed to malloc is a multiple of the size of the malloced type, 289 /// then return that multiple. For non-array mallocs, the multiple is 290 /// constant 1. Otherwise, return NULL for mallocs whose array size cannot be 291 /// determined. 292 Value *llvm::getMallocArraySize(CallInst *CI, const DataLayout &DL, 293 const TargetLibraryInfo *TLI, 294 bool LookThroughSExt) { 295 assert(isMallocLikeFn(CI, TLI) && "getMallocArraySize and not malloc call"); 296 return computeArraySize(CI, DL, TLI, LookThroughSExt); 297 } 298 299 300 /// extractCallocCall - Returns the corresponding CallInst if the instruction 301 /// is a calloc call. 302 const CallInst *llvm::extractCallocCall(const Value *I, 303 const TargetLibraryInfo *TLI) { 304 return isCallocLikeFn(I, TLI) ? cast<CallInst>(I) : nullptr; 305 } 306 307 308 /// isFreeCall - Returns non-null if the value is a call to the builtin free() 309 const CallInst *llvm::isFreeCall(const Value *I, const TargetLibraryInfo *TLI) { 310 const CallInst *CI = dyn_cast<CallInst>(I); 311 if (!CI || isa<IntrinsicInst>(CI)) 312 return nullptr; 313 Function *Callee = CI->getCalledFunction(); 314 if (Callee == nullptr) 315 return nullptr; 316 317 StringRef FnName = Callee->getName(); 318 LibFunc::Func TLIFn; 319 if (!TLI || !TLI->getLibFunc(FnName, TLIFn) || !TLI->has(TLIFn)) 320 return nullptr; 321 322 unsigned ExpectedNumParams; 323 if (TLIFn == LibFunc::free || 324 TLIFn == LibFunc::ZdlPv || // operator delete(void*) 325 TLIFn == LibFunc::ZdaPv || // operator delete[](void*) 326 TLIFn == LibFunc::msvc_delete_ptr32 || // operator delete(void*) 327 TLIFn == LibFunc::msvc_delete_ptr64 || // operator delete(void*) 328 TLIFn == LibFunc::msvc_delete_array_ptr32 || // operator delete[](void*) 329 TLIFn == LibFunc::msvc_delete_array_ptr64) // operator delete[](void*) 330 ExpectedNumParams = 1; 331 else if (TLIFn == LibFunc::ZdlPvj || // delete(void*, uint) 332 TLIFn == LibFunc::ZdlPvm || // delete(void*, ulong) 333 TLIFn == LibFunc::ZdlPvRKSt9nothrow_t || // delete(void*, nothrow) 334 TLIFn == LibFunc::ZdaPvj || // delete[](void*, uint) 335 TLIFn == LibFunc::ZdaPvm || // delete[](void*, ulong) 336 TLIFn == LibFunc::ZdaPvRKSt9nothrow_t || // delete[](void*, nothrow) 337 TLIFn == LibFunc::msvc_delete_ptr32_int || // delete(void*, uint) 338 TLIFn == LibFunc::msvc_delete_ptr64_longlong || // delete(void*, ulonglong) 339 TLIFn == LibFunc::msvc_delete_ptr32_nothrow || // delete(void*, nothrow) 340 TLIFn == LibFunc::msvc_delete_ptr64_nothrow || // delete(void*, nothrow) 341 TLIFn == LibFunc::msvc_delete_array_ptr32_int || // delete[](void*, uint) 342 TLIFn == LibFunc::msvc_delete_array_ptr64_longlong || // delete[](void*, ulonglong) 343 TLIFn == LibFunc::msvc_delete_array_ptr32_nothrow || // delete[](void*, nothrow) 344 TLIFn == LibFunc::msvc_delete_array_ptr64_nothrow) // delete[](void*, nothrow) 345 ExpectedNumParams = 2; 346 else 347 return nullptr; 348 349 // Check free prototype. 350 // FIXME: workaround for PR5130, this will be obsolete when a nobuiltin 351 // attribute will exist. 352 FunctionType *FTy = Callee->getFunctionType(); 353 if (!FTy->getReturnType()->isVoidTy()) 354 return nullptr; 355 if (FTy->getNumParams() != ExpectedNumParams) 356 return nullptr; 357 if (FTy->getParamType(0) != Type::getInt8PtrTy(Callee->getContext())) 358 return nullptr; 359 360 return CI; 361 } 362 363 364 365 //===----------------------------------------------------------------------===// 366 // Utility functions to compute size of objects. 367 // 368 static APInt getSizeWithOverflow(const SizeOffsetType &Data) { 369 if (Data.second.isNegative() || Data.first.ult(Data.second)) 370 return APInt(Data.first.getBitWidth(), 0); 371 return Data.first - Data.second; 372 } 373 374 /// \brief Compute the size of the object pointed by Ptr. Returns true and the 375 /// object size in Size if successful, and false otherwise. 376 /// If RoundToAlign is true, then Size is rounded up to the aligment of allocas, 377 /// byval arguments, and global variables. 378 bool llvm::getObjectSize(const Value *Ptr, uint64_t &Size, const DataLayout &DL, 379 const TargetLibraryInfo *TLI, bool RoundToAlign, 380 llvm::ObjSizeMode Mode) { 381 ObjectSizeOffsetVisitor Visitor(DL, TLI, Ptr->getContext(), 382 RoundToAlign, Mode); 383 SizeOffsetType Data = Visitor.compute(const_cast<Value*>(Ptr)); 384 if (!Visitor.bothKnown(Data)) 385 return false; 386 387 Size = getSizeWithOverflow(Data).getZExtValue(); 388 return true; 389 } 390 391 ConstantInt *llvm::lowerObjectSizeCall(IntrinsicInst *ObjectSize, 392 const DataLayout &DL, 393 const TargetLibraryInfo *TLI, 394 bool MustSucceed) { 395 assert(ObjectSize->getIntrinsicID() == Intrinsic::objectsize && 396 "ObjectSize must be a call to llvm.objectsize!"); 397 398 bool MaxVal = cast<ConstantInt>(ObjectSize->getArgOperand(1))->isZero(); 399 ObjSizeMode Mode; 400 // Unless we have to fold this to something, try to be as accurate as 401 // possible. 402 if (MustSucceed) 403 Mode = MaxVal ? ObjSizeMode::Max : ObjSizeMode::Min; 404 else 405 Mode = ObjSizeMode::Exact; 406 407 // FIXME: Does it make sense to just return a failure value if the size won't 408 // fit in the output and `!MustSucceed`? 409 uint64_t Size; 410 auto *ResultType = cast<IntegerType>(ObjectSize->getType()); 411 if (getObjectSize(ObjectSize->getArgOperand(0), Size, DL, TLI, false, Mode) && 412 isUIntN(ResultType->getBitWidth(), Size)) 413 return ConstantInt::get(ResultType, Size); 414 415 if (!MustSucceed) 416 return nullptr; 417 418 return ConstantInt::get(ResultType, MaxVal ? -1ULL : 0); 419 } 420 421 STATISTIC(ObjectVisitorArgument, 422 "Number of arguments with unsolved size and offset"); 423 STATISTIC(ObjectVisitorLoad, 424 "Number of load instructions with unsolved size and offset"); 425 426 427 APInt ObjectSizeOffsetVisitor::align(APInt Size, uint64_t Align) { 428 if (RoundToAlign && Align) 429 return APInt(IntTyBits, alignTo(Size.getZExtValue(), Align)); 430 return Size; 431 } 432 433 ObjectSizeOffsetVisitor::ObjectSizeOffsetVisitor(const DataLayout &DL, 434 const TargetLibraryInfo *TLI, 435 LLVMContext &Context, 436 bool RoundToAlign, 437 ObjSizeMode Mode) 438 : DL(DL), TLI(TLI), RoundToAlign(RoundToAlign), Mode(Mode) { 439 // Pointer size must be rechecked for each object visited since it could have 440 // a different address space. 441 } 442 443 SizeOffsetType ObjectSizeOffsetVisitor::compute(Value *V) { 444 IntTyBits = DL.getPointerTypeSizeInBits(V->getType()); 445 Zero = APInt::getNullValue(IntTyBits); 446 447 V = V->stripPointerCasts(); 448 if (Instruction *I = dyn_cast<Instruction>(V)) { 449 // If we have already seen this instruction, bail out. Cycles can happen in 450 // unreachable code after constant propagation. 451 if (!SeenInsts.insert(I).second) 452 return unknown(); 453 454 if (GEPOperator *GEP = dyn_cast<GEPOperator>(V)) 455 return visitGEPOperator(*GEP); 456 return visit(*I); 457 } 458 if (Argument *A = dyn_cast<Argument>(V)) 459 return visitArgument(*A); 460 if (ConstantPointerNull *P = dyn_cast<ConstantPointerNull>(V)) 461 return visitConstantPointerNull(*P); 462 if (GlobalAlias *GA = dyn_cast<GlobalAlias>(V)) 463 return visitGlobalAlias(*GA); 464 if (GlobalVariable *GV = dyn_cast<GlobalVariable>(V)) 465 return visitGlobalVariable(*GV); 466 if (UndefValue *UV = dyn_cast<UndefValue>(V)) 467 return visitUndefValue(*UV); 468 if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) { 469 if (CE->getOpcode() == Instruction::IntToPtr) 470 return unknown(); // clueless 471 if (CE->getOpcode() == Instruction::GetElementPtr) 472 return visitGEPOperator(cast<GEPOperator>(*CE)); 473 } 474 475 DEBUG(dbgs() << "ObjectSizeOffsetVisitor::compute() unhandled value: " << *V 476 << '\n'); 477 return unknown(); 478 } 479 480 SizeOffsetType ObjectSizeOffsetVisitor::visitAllocaInst(AllocaInst &I) { 481 if (!I.getAllocatedType()->isSized()) 482 return unknown(); 483 484 APInt Size(IntTyBits, DL.getTypeAllocSize(I.getAllocatedType())); 485 if (!I.isArrayAllocation()) 486 return std::make_pair(align(Size, I.getAlignment()), Zero); 487 488 Value *ArraySize = I.getArraySize(); 489 if (const ConstantInt *C = dyn_cast<ConstantInt>(ArraySize)) { 490 Size *= C->getValue().zextOrSelf(IntTyBits); 491 return std::make_pair(align(Size, I.getAlignment()), Zero); 492 } 493 return unknown(); 494 } 495 496 SizeOffsetType ObjectSizeOffsetVisitor::visitArgument(Argument &A) { 497 // No interprocedural analysis is done at the moment. 498 if (!A.hasByValOrInAllocaAttr()) { 499 ++ObjectVisitorArgument; 500 return unknown(); 501 } 502 PointerType *PT = cast<PointerType>(A.getType()); 503 APInt Size(IntTyBits, DL.getTypeAllocSize(PT->getElementType())); 504 return std::make_pair(align(Size, A.getParamAlignment()), Zero); 505 } 506 507 SizeOffsetType ObjectSizeOffsetVisitor::visitCallSite(CallSite CS) { 508 Optional<AllocFnsTy> FnData = 509 getAllocationData(CS.getInstruction(), AnyAlloc, TLI); 510 if (!FnData) 511 return unknown(); 512 513 // Handle strdup-like functions separately. 514 if (FnData->AllocTy == StrDupLike) { 515 APInt Size(IntTyBits, GetStringLength(CS.getArgument(0))); 516 if (!Size) 517 return unknown(); 518 519 // Strndup limits strlen. 520 if (FnData->FstParam > 0) { 521 ConstantInt *Arg = 522 dyn_cast<ConstantInt>(CS.getArgument(FnData->FstParam)); 523 if (!Arg) 524 return unknown(); 525 526 APInt MaxSize = Arg->getValue().zextOrSelf(IntTyBits); 527 if (Size.ugt(MaxSize)) 528 Size = MaxSize + 1; 529 } 530 return std::make_pair(Size, Zero); 531 } 532 533 ConstantInt *Arg = dyn_cast<ConstantInt>(CS.getArgument(FnData->FstParam)); 534 if (!Arg) 535 return unknown(); 536 537 // When we're compiling N-bit code, and the user uses parameters that are 538 // greater than N bits (e.g. uint64_t on a 32-bit build), we can run into 539 // trouble with APInt size issues. This function handles resizing + overflow 540 // checks for us. 541 auto CheckedZextOrTrunc = [&](APInt &I) { 542 // More bits than we can handle. Checking the bit width isn't necessary, but 543 // it's faster than checking active bits, and should give `false` in the 544 // vast majority of cases. 545 if (I.getBitWidth() > IntTyBits && I.getActiveBits() > IntTyBits) 546 return false; 547 if (I.getBitWidth() != IntTyBits) 548 I = I.zextOrTrunc(IntTyBits); 549 return true; 550 }; 551 552 APInt Size = Arg->getValue(); 553 if (!CheckedZextOrTrunc(Size)) 554 return unknown(); 555 556 // Size is determined by just 1 parameter. 557 if (FnData->SndParam < 0) 558 return std::make_pair(Size, Zero); 559 560 Arg = dyn_cast<ConstantInt>(CS.getArgument(FnData->SndParam)); 561 if (!Arg) 562 return unknown(); 563 564 APInt NumElems = Arg->getValue(); 565 if (!CheckedZextOrTrunc(NumElems)) 566 return unknown(); 567 568 bool Overflow; 569 Size = Size.umul_ov(NumElems, Overflow); 570 return Overflow ? unknown() : std::make_pair(Size, Zero); 571 572 // TODO: handle more standard functions (+ wchar cousins): 573 // - strdup / strndup 574 // - strcpy / strncpy 575 // - strcat / strncat 576 // - memcpy / memmove 577 // - strcat / strncat 578 // - memset 579 } 580 581 SizeOffsetType 582 ObjectSizeOffsetVisitor::visitConstantPointerNull(ConstantPointerNull&) { 583 return std::make_pair(Zero, Zero); 584 } 585 586 SizeOffsetType 587 ObjectSizeOffsetVisitor::visitExtractElementInst(ExtractElementInst&) { 588 return unknown(); 589 } 590 591 SizeOffsetType 592 ObjectSizeOffsetVisitor::visitExtractValueInst(ExtractValueInst&) { 593 // Easy cases were already folded by previous passes. 594 return unknown(); 595 } 596 597 SizeOffsetType ObjectSizeOffsetVisitor::visitGEPOperator(GEPOperator &GEP) { 598 SizeOffsetType PtrData = compute(GEP.getPointerOperand()); 599 APInt Offset(IntTyBits, 0); 600 if (!bothKnown(PtrData) || !GEP.accumulateConstantOffset(DL, Offset)) 601 return unknown(); 602 603 return std::make_pair(PtrData.first, PtrData.second + Offset); 604 } 605 606 SizeOffsetType ObjectSizeOffsetVisitor::visitGlobalAlias(GlobalAlias &GA) { 607 if (GA.isInterposable()) 608 return unknown(); 609 return compute(GA.getAliasee()); 610 } 611 612 SizeOffsetType ObjectSizeOffsetVisitor::visitGlobalVariable(GlobalVariable &GV){ 613 if (!GV.hasDefinitiveInitializer()) 614 return unknown(); 615 616 APInt Size(IntTyBits, DL.getTypeAllocSize(GV.getType()->getElementType())); 617 return std::make_pair(align(Size, GV.getAlignment()), Zero); 618 } 619 620 SizeOffsetType ObjectSizeOffsetVisitor::visitIntToPtrInst(IntToPtrInst&) { 621 // clueless 622 return unknown(); 623 } 624 625 SizeOffsetType ObjectSizeOffsetVisitor::visitLoadInst(LoadInst&) { 626 ++ObjectVisitorLoad; 627 return unknown(); 628 } 629 630 SizeOffsetType ObjectSizeOffsetVisitor::visitPHINode(PHINode&) { 631 // too complex to analyze statically. 632 return unknown(); 633 } 634 635 SizeOffsetType ObjectSizeOffsetVisitor::visitSelectInst(SelectInst &I) { 636 SizeOffsetType TrueSide = compute(I.getTrueValue()); 637 SizeOffsetType FalseSide = compute(I.getFalseValue()); 638 if (bothKnown(TrueSide) && bothKnown(FalseSide)) { 639 if (TrueSide == FalseSide) { 640 return TrueSide; 641 } 642 643 APInt TrueResult = getSizeWithOverflow(TrueSide); 644 APInt FalseResult = getSizeWithOverflow(FalseSide); 645 646 if (TrueResult == FalseResult) { 647 return TrueSide; 648 } 649 if (Mode == ObjSizeMode::Min) { 650 if (TrueResult.slt(FalseResult)) 651 return TrueSide; 652 return FalseSide; 653 } 654 if (Mode == ObjSizeMode::Max) { 655 if (TrueResult.sgt(FalseResult)) 656 return TrueSide; 657 return FalseSide; 658 } 659 } 660 return unknown(); 661 } 662 663 SizeOffsetType ObjectSizeOffsetVisitor::visitUndefValue(UndefValue&) { 664 return std::make_pair(Zero, Zero); 665 } 666 667 SizeOffsetType ObjectSizeOffsetVisitor::visitInstruction(Instruction &I) { 668 DEBUG(dbgs() << "ObjectSizeOffsetVisitor unknown instruction:" << I << '\n'); 669 return unknown(); 670 } 671 672 ObjectSizeOffsetEvaluator::ObjectSizeOffsetEvaluator( 673 const DataLayout &DL, const TargetLibraryInfo *TLI, LLVMContext &Context, 674 bool RoundToAlign) 675 : DL(DL), TLI(TLI), Context(Context), Builder(Context, TargetFolder(DL)), 676 RoundToAlign(RoundToAlign) { 677 // IntTy and Zero must be set for each compute() since the address space may 678 // be different for later objects. 679 } 680 681 SizeOffsetEvalType ObjectSizeOffsetEvaluator::compute(Value *V) { 682 // XXX - Are vectors of pointers possible here? 683 IntTy = cast<IntegerType>(DL.getIntPtrType(V->getType())); 684 Zero = ConstantInt::get(IntTy, 0); 685 686 SizeOffsetEvalType Result = compute_(V); 687 688 if (!bothKnown(Result)) { 689 // Erase everything that was computed in this iteration from the cache, so 690 // that no dangling references are left behind. We could be a bit smarter if 691 // we kept a dependency graph. It's probably not worth the complexity. 692 for (const Value *SeenVal : SeenVals) { 693 CacheMapTy::iterator CacheIt = CacheMap.find(SeenVal); 694 // non-computable results can be safely cached 695 if (CacheIt != CacheMap.end() && anyKnown(CacheIt->second)) 696 CacheMap.erase(CacheIt); 697 } 698 } 699 700 SeenVals.clear(); 701 return Result; 702 } 703 704 SizeOffsetEvalType ObjectSizeOffsetEvaluator::compute_(Value *V) { 705 ObjectSizeOffsetVisitor Visitor(DL, TLI, Context, RoundToAlign); 706 SizeOffsetType Const = Visitor.compute(V); 707 if (Visitor.bothKnown(Const)) 708 return std::make_pair(ConstantInt::get(Context, Const.first), 709 ConstantInt::get(Context, Const.second)); 710 711 V = V->stripPointerCasts(); 712 713 // Check cache. 714 CacheMapTy::iterator CacheIt = CacheMap.find(V); 715 if (CacheIt != CacheMap.end()) 716 return CacheIt->second; 717 718 // Always generate code immediately before the instruction being 719 // processed, so that the generated code dominates the same BBs. 720 BuilderTy::InsertPointGuard Guard(Builder); 721 if (Instruction *I = dyn_cast<Instruction>(V)) 722 Builder.SetInsertPoint(I); 723 724 // Now compute the size and offset. 725 SizeOffsetEvalType Result; 726 727 // Record the pointers that were handled in this run, so that they can be 728 // cleaned later if something fails. We also use this set to break cycles that 729 // can occur in dead code. 730 if (!SeenVals.insert(V).second) { 731 Result = unknown(); 732 } else if (GEPOperator *GEP = dyn_cast<GEPOperator>(V)) { 733 Result = visitGEPOperator(*GEP); 734 } else if (Instruction *I = dyn_cast<Instruction>(V)) { 735 Result = visit(*I); 736 } else if (isa<Argument>(V) || 737 (isa<ConstantExpr>(V) && 738 cast<ConstantExpr>(V)->getOpcode() == Instruction::IntToPtr) || 739 isa<GlobalAlias>(V) || 740 isa<GlobalVariable>(V)) { 741 // Ignore values where we cannot do more than ObjectSizeVisitor. 742 Result = unknown(); 743 } else { 744 DEBUG(dbgs() << "ObjectSizeOffsetEvaluator::compute() unhandled value: " 745 << *V << '\n'); 746 Result = unknown(); 747 } 748 749 // Don't reuse CacheIt since it may be invalid at this point. 750 CacheMap[V] = Result; 751 return Result; 752 } 753 754 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitAllocaInst(AllocaInst &I) { 755 if (!I.getAllocatedType()->isSized()) 756 return unknown(); 757 758 // must be a VLA 759 assert(I.isArrayAllocation()); 760 Value *ArraySize = I.getArraySize(); 761 Value *Size = ConstantInt::get(ArraySize->getType(), 762 DL.getTypeAllocSize(I.getAllocatedType())); 763 Size = Builder.CreateMul(Size, ArraySize); 764 return std::make_pair(Size, Zero); 765 } 766 767 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitCallSite(CallSite CS) { 768 Optional<AllocFnsTy> FnData = 769 getAllocationData(CS.getInstruction(), AnyAlloc, TLI); 770 if (!FnData) 771 return unknown(); 772 773 // Handle strdup-like functions separately. 774 if (FnData->AllocTy == StrDupLike) { 775 // TODO 776 return unknown(); 777 } 778 779 Value *FirstArg = CS.getArgument(FnData->FstParam); 780 FirstArg = Builder.CreateZExt(FirstArg, IntTy); 781 if (FnData->SndParam < 0) 782 return std::make_pair(FirstArg, Zero); 783 784 Value *SecondArg = CS.getArgument(FnData->SndParam); 785 SecondArg = Builder.CreateZExt(SecondArg, IntTy); 786 Value *Size = Builder.CreateMul(FirstArg, SecondArg); 787 return std::make_pair(Size, Zero); 788 789 // TODO: handle more standard functions (+ wchar cousins): 790 // - strdup / strndup 791 // - strcpy / strncpy 792 // - strcat / strncat 793 // - memcpy / memmove 794 // - strcat / strncat 795 // - memset 796 } 797 798 SizeOffsetEvalType 799 ObjectSizeOffsetEvaluator::visitExtractElementInst(ExtractElementInst&) { 800 return unknown(); 801 } 802 803 SizeOffsetEvalType 804 ObjectSizeOffsetEvaluator::visitExtractValueInst(ExtractValueInst&) { 805 return unknown(); 806 } 807 808 SizeOffsetEvalType 809 ObjectSizeOffsetEvaluator::visitGEPOperator(GEPOperator &GEP) { 810 SizeOffsetEvalType PtrData = compute_(GEP.getPointerOperand()); 811 if (!bothKnown(PtrData)) 812 return unknown(); 813 814 Value *Offset = EmitGEPOffset(&Builder, DL, &GEP, /*NoAssumptions=*/true); 815 Offset = Builder.CreateAdd(PtrData.second, Offset); 816 return std::make_pair(PtrData.first, Offset); 817 } 818 819 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitIntToPtrInst(IntToPtrInst&) { 820 // clueless 821 return unknown(); 822 } 823 824 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitLoadInst(LoadInst&) { 825 return unknown(); 826 } 827 828 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitPHINode(PHINode &PHI) { 829 // Create 2 PHIs: one for size and another for offset. 830 PHINode *SizePHI = Builder.CreatePHI(IntTy, PHI.getNumIncomingValues()); 831 PHINode *OffsetPHI = Builder.CreatePHI(IntTy, PHI.getNumIncomingValues()); 832 833 // Insert right away in the cache to handle recursive PHIs. 834 CacheMap[&PHI] = std::make_pair(SizePHI, OffsetPHI); 835 836 // Compute offset/size for each PHI incoming pointer. 837 for (unsigned i = 0, e = PHI.getNumIncomingValues(); i != e; ++i) { 838 Builder.SetInsertPoint(&*PHI.getIncomingBlock(i)->getFirstInsertionPt()); 839 SizeOffsetEvalType EdgeData = compute_(PHI.getIncomingValue(i)); 840 841 if (!bothKnown(EdgeData)) { 842 OffsetPHI->replaceAllUsesWith(UndefValue::get(IntTy)); 843 OffsetPHI->eraseFromParent(); 844 SizePHI->replaceAllUsesWith(UndefValue::get(IntTy)); 845 SizePHI->eraseFromParent(); 846 return unknown(); 847 } 848 SizePHI->addIncoming(EdgeData.first, PHI.getIncomingBlock(i)); 849 OffsetPHI->addIncoming(EdgeData.second, PHI.getIncomingBlock(i)); 850 } 851 852 Value *Size = SizePHI, *Offset = OffsetPHI, *Tmp; 853 if ((Tmp = SizePHI->hasConstantValue())) { 854 Size = Tmp; 855 SizePHI->replaceAllUsesWith(Size); 856 SizePHI->eraseFromParent(); 857 } 858 if ((Tmp = OffsetPHI->hasConstantValue())) { 859 Offset = Tmp; 860 OffsetPHI->replaceAllUsesWith(Offset); 861 OffsetPHI->eraseFromParent(); 862 } 863 return std::make_pair(Size, Offset); 864 } 865 866 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitSelectInst(SelectInst &I) { 867 SizeOffsetEvalType TrueSide = compute_(I.getTrueValue()); 868 SizeOffsetEvalType FalseSide = compute_(I.getFalseValue()); 869 870 if (!bothKnown(TrueSide) || !bothKnown(FalseSide)) 871 return unknown(); 872 if (TrueSide == FalseSide) 873 return TrueSide; 874 875 Value *Size = Builder.CreateSelect(I.getCondition(), TrueSide.first, 876 FalseSide.first); 877 Value *Offset = Builder.CreateSelect(I.getCondition(), TrueSide.second, 878 FalseSide.second); 879 return std::make_pair(Size, Offset); 880 } 881 882 SizeOffsetEvalType ObjectSizeOffsetEvaluator::visitInstruction(Instruction &I) { 883 DEBUG(dbgs() << "ObjectSizeOffsetEvaluator unknown instruction:" << I <<'\n'); 884 return unknown(); 885 } 886