169fad079SSanjoy Das //===-- ImplicitNullChecks.cpp - Fold null checks into memory accesses ----===// 269fad079SSanjoy Das // 369fad079SSanjoy Das // The LLVM Compiler Infrastructure 469fad079SSanjoy Das // 569fad079SSanjoy Das // This file is distributed under the University of Illinois Open Source 669fad079SSanjoy Das // License. See LICENSE.TXT for details. 769fad079SSanjoy Das // 869fad079SSanjoy Das //===----------------------------------------------------------------------===// 969fad079SSanjoy Das // 1069fad079SSanjoy Das // This pass turns explicit null checks of the form 1169fad079SSanjoy Das // 1269fad079SSanjoy Das // test %r10, %r10 1369fad079SSanjoy Das // je throw_npe 1469fad079SSanjoy Das // movl (%r10), %esi 1569fad079SSanjoy Das // ... 1669fad079SSanjoy Das // 1769fad079SSanjoy Das // to 1869fad079SSanjoy Das // 1969fad079SSanjoy Das // faulting_load_op("movl (%r10), %esi", throw_npe) 2069fad079SSanjoy Das // ... 2169fad079SSanjoy Das // 2269fad079SSanjoy Das // With the help of a runtime that understands the .fault_maps section, 2369fad079SSanjoy Das // faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs 2469fad079SSanjoy Das // a page fault. 25*2f63cbccSSanjoy Das // Store is also supported. 2669fad079SSanjoy Das // 2769fad079SSanjoy Das //===----------------------------------------------------------------------===// 2869fad079SSanjoy Das 29b7718454SSanjoy Das #include "llvm/ADT/DenseSet.h" 3069fad079SSanjoy Das #include "llvm/ADT/SmallVector.h" 318ee6a30bSSanjoy Das #include "llvm/ADT/Statistic.h" 32e57bf680SSanjoy Das #include "llvm/Analysis/AliasAnalysis.h" 33*2f63cbccSSanjoy Das #include "llvm/CodeGen/FaultMaps.h" 3469fad079SSanjoy Das #include "llvm/CodeGen/Passes.h" 3569fad079SSanjoy Das #include "llvm/CodeGen/MachineFunction.h" 36b7718454SSanjoy Das #include "llvm/CodeGen/MachineMemOperand.h" 3769fad079SSanjoy Das #include "llvm/CodeGen/MachineOperand.h" 3869fad079SSanjoy Das #include "llvm/CodeGen/MachineFunctionPass.h" 3969fad079SSanjoy Das #include "llvm/CodeGen/MachineInstrBuilder.h" 4069fad079SSanjoy Das #include "llvm/CodeGen/MachineRegisterInfo.h" 4169fad079SSanjoy Das #include "llvm/CodeGen/MachineModuleInfo.h" 4269fad079SSanjoy Das #include "llvm/IR/BasicBlock.h" 4369fad079SSanjoy Das #include "llvm/IR/Instruction.h" 4400038784SChen Li #include "llvm/IR/LLVMContext.h" 4569fad079SSanjoy Das #include "llvm/Support/CommandLine.h" 4669fad079SSanjoy Das #include "llvm/Support/Debug.h" 4769fad079SSanjoy Das #include "llvm/Target/TargetSubtargetInfo.h" 4869fad079SSanjoy Das #include "llvm/Target/TargetInstrInfo.h" 4969fad079SSanjoy Das 5069fad079SSanjoy Das using namespace llvm; 5169fad079SSanjoy Das 52c27a18f3SChad Rosier static cl::opt<int> PageSize("imp-null-check-page-size", 53c27a18f3SChad Rosier cl::desc("The page size of the target in bytes"), 5469fad079SSanjoy Das cl::init(4096)); 5569fad079SSanjoy Das 569a129807SSanjoy Das static cl::opt<unsigned> MaxInstsToConsider( 579a129807SSanjoy Das "imp-null-max-insts-to-consider", 589a129807SSanjoy Das cl::desc("The max number of instructions to consider hoisting loads over " 599a129807SSanjoy Das "(the algorithm is quadratic over this number)"), 609a129807SSanjoy Das cl::init(8)); 619a129807SSanjoy Das 628ee6a30bSSanjoy Das #define DEBUG_TYPE "implicit-null-checks" 638ee6a30bSSanjoy Das 648ee6a30bSSanjoy Das STATISTIC(NumImplicitNullChecks, 658ee6a30bSSanjoy Das "Number of explicit null checks made implicit"); 668ee6a30bSSanjoy Das 6769fad079SSanjoy Das namespace { 6869fad079SSanjoy Das 6969fad079SSanjoy Das class ImplicitNullChecks : public MachineFunctionPass { 709a129807SSanjoy Das /// Return true if \c computeDependence can process \p MI. 719a129807SSanjoy Das static bool canHandle(const MachineInstr *MI); 729a129807SSanjoy Das 739a129807SSanjoy Das /// Helper function for \c computeDependence. Return true if \p A 749a129807SSanjoy Das /// and \p B do not have any dependences between them, and can be 759a129807SSanjoy Das /// re-ordered without changing program semantics. 769a129807SSanjoy Das bool canReorder(const MachineInstr *A, const MachineInstr *B); 779a129807SSanjoy Das 789a129807SSanjoy Das /// A data type for representing the result computed by \c 799a129807SSanjoy Das /// computeDependence. States whether it is okay to reorder the 809a129807SSanjoy Das /// instruction passed to \c computeDependence with at most one 819a129807SSanjoy Das /// depednency. 829a129807SSanjoy Das struct DependenceResult { 839a129807SSanjoy Das /// Can we actually re-order \p MI with \p Insts (see \c 849a129807SSanjoy Das /// computeDependence). 859a129807SSanjoy Das bool CanReorder; 869a129807SSanjoy Das 879a129807SSanjoy Das /// If non-None, then an instruction in \p Insts that also must be 889a129807SSanjoy Das /// hoisted. 899a129807SSanjoy Das Optional<ArrayRef<MachineInstr *>::iterator> PotentialDependence; 909a129807SSanjoy Das 919a129807SSanjoy Das /*implicit*/ DependenceResult( 929a129807SSanjoy Das bool CanReorder, 939a129807SSanjoy Das Optional<ArrayRef<MachineInstr *>::iterator> PotentialDependence) 949a129807SSanjoy Das : CanReorder(CanReorder), PotentialDependence(PotentialDependence) { 959a129807SSanjoy Das assert((!PotentialDependence || CanReorder) && 969a129807SSanjoy Das "!CanReorder && PotentialDependence.hasValue() not allowed!"); 979a129807SSanjoy Das } 989a129807SSanjoy Das }; 999a129807SSanjoy Das 1009a129807SSanjoy Das /// Compute a result for the following question: can \p MI be 1019a129807SSanjoy Das /// re-ordered from after \p Insts to before it. 1029a129807SSanjoy Das /// 1039a129807SSanjoy Das /// \c canHandle should return true for all instructions in \p 1049a129807SSanjoy Das /// Insts. 1059a129807SSanjoy Das DependenceResult computeDependence(const MachineInstr *MI, 1069a129807SSanjoy Das ArrayRef<MachineInstr *> Insts); 1079a129807SSanjoy Das 10869fad079SSanjoy Das /// Represents one null check that can be made implicit. 109e173b9aeSSanjoy Das class NullCheck { 11069fad079SSanjoy Das // The memory operation the null check can be folded into. 11169fad079SSanjoy Das MachineInstr *MemOperation; 11269fad079SSanjoy Das 11369fad079SSanjoy Das // The instruction actually doing the null check (Ptr != 0). 11469fad079SSanjoy Das MachineInstr *CheckOperation; 11569fad079SSanjoy Das 11669fad079SSanjoy Das // The block the check resides in. 11769fad079SSanjoy Das MachineBasicBlock *CheckBlock; 11869fad079SSanjoy Das 119572e03a3SEric Christopher // The block branched to if the pointer is non-null. 12069fad079SSanjoy Das MachineBasicBlock *NotNullSucc; 12169fad079SSanjoy Das 122572e03a3SEric Christopher // The block branched to if the pointer is null. 12369fad079SSanjoy Das MachineBasicBlock *NullSucc; 12469fad079SSanjoy Das 125e57bf680SSanjoy Das // If this is non-null, then MemOperation has a dependency on on this 126e57bf680SSanjoy Das // instruction; and it needs to be hoisted to execute before MemOperation. 127e57bf680SSanjoy Das MachineInstr *OnlyDependency; 128e57bf680SSanjoy Das 129e173b9aeSSanjoy Das public: 13069fad079SSanjoy Das explicit NullCheck(MachineInstr *memOperation, MachineInstr *checkOperation, 13169fad079SSanjoy Das MachineBasicBlock *checkBlock, 13269fad079SSanjoy Das MachineBasicBlock *notNullSucc, 133e57bf680SSanjoy Das MachineBasicBlock *nullSucc, 134e57bf680SSanjoy Das MachineInstr *onlyDependency) 13569fad079SSanjoy Das : MemOperation(memOperation), CheckOperation(checkOperation), 136e57bf680SSanjoy Das CheckBlock(checkBlock), NotNullSucc(notNullSucc), NullSucc(nullSucc), 137e57bf680SSanjoy Das OnlyDependency(onlyDependency) {} 138e173b9aeSSanjoy Das 139e173b9aeSSanjoy Das MachineInstr *getMemOperation() const { return MemOperation; } 140e173b9aeSSanjoy Das 141e173b9aeSSanjoy Das MachineInstr *getCheckOperation() const { return CheckOperation; } 142e173b9aeSSanjoy Das 143e173b9aeSSanjoy Das MachineBasicBlock *getCheckBlock() const { return CheckBlock; } 144e173b9aeSSanjoy Das 145e173b9aeSSanjoy Das MachineBasicBlock *getNotNullSucc() const { return NotNullSucc; } 146e173b9aeSSanjoy Das 147e173b9aeSSanjoy Das MachineBasicBlock *getNullSucc() const { return NullSucc; } 148e57bf680SSanjoy Das 149e57bf680SSanjoy Das MachineInstr *getOnlyDependency() const { return OnlyDependency; } 15069fad079SSanjoy Das }; 15169fad079SSanjoy Das 15269fad079SSanjoy Das const TargetInstrInfo *TII = nullptr; 15369fad079SSanjoy Das const TargetRegisterInfo *TRI = nullptr; 154e57bf680SSanjoy Das AliasAnalysis *AA = nullptr; 15569fad079SSanjoy Das MachineModuleInfo *MMI = nullptr; 15669fad079SSanjoy Das 15769fad079SSanjoy Das bool analyzeBlockForNullChecks(MachineBasicBlock &MBB, 15869fad079SSanjoy Das SmallVectorImpl<NullCheck> &NullCheckList); 159*2f63cbccSSanjoy Das MachineInstr *insertFaultingInstr(MachineInstr *MI, MachineBasicBlock *MBB, 1604e1d389aSQuentin Colombet MachineBasicBlock *HandlerMBB); 16169fad079SSanjoy Das void rewriteNullChecks(ArrayRef<NullCheck> NullCheckList); 16269fad079SSanjoy Das 16315e50b51SSanjoy Das enum SuitabilityResult { SR_Suitable, SR_Unsuitable, SR_Impossible }; 16415e50b51SSanjoy Das 16515e50b51SSanjoy Das /// Return SR_Suitable if \p MI a memory operation that can be used to 16615e50b51SSanjoy Das /// implicitly null check the value in \p PointerReg, SR_Unsuitable if 16715e50b51SSanjoy Das /// \p MI cannot be used to null check and SR_Impossible if there is 16815e50b51SSanjoy Das /// no sense to continue lookup due to any other instruction will not be able 16915e50b51SSanjoy Das /// to be used. \p PrevInsts is the set of instruction seen since 170*2f63cbccSSanjoy Das /// the explicit null check on \p PointerReg. \p SeenLoad means that load 171*2f63cbccSSanjoy Das /// instruction has been observed in \PrevInsts set. 17215e50b51SSanjoy Das SuitabilityResult isSuitableMemoryOp(MachineInstr &MI, unsigned PointerReg, 173*2f63cbccSSanjoy Das ArrayRef<MachineInstr *> PrevInsts, 174*2f63cbccSSanjoy Das bool &SeenLoad); 17550fef432SSanjoy Das 17650fef432SSanjoy Das /// Return true if \p FaultingMI can be hoisted from after the the 17750fef432SSanjoy Das /// instructions in \p InstsSeenSoFar to before them. Set \p Dependence to a 17850fef432SSanjoy Das /// non-null value if we also need to (and legally can) hoist a depedency. 179*2f63cbccSSanjoy Das bool canHoistInst(MachineInstr *FaultingMI, unsigned PointerReg, 18050fef432SSanjoy Das ArrayRef<MachineInstr *> InstsSeenSoFar, 18150fef432SSanjoy Das MachineBasicBlock *NullSucc, MachineInstr *&Dependence); 18250fef432SSanjoy Das 18369fad079SSanjoy Das public: 18469fad079SSanjoy Das static char ID; 18569fad079SSanjoy Das 18669fad079SSanjoy Das ImplicitNullChecks() : MachineFunctionPass(ID) { 18769fad079SSanjoy Das initializeImplicitNullChecksPass(*PassRegistry::getPassRegistry()); 18869fad079SSanjoy Das } 18969fad079SSanjoy Das 19069fad079SSanjoy Das bool runOnMachineFunction(MachineFunction &MF) override; 191e57bf680SSanjoy Das void getAnalysisUsage(AnalysisUsage &AU) const override { 192e57bf680SSanjoy Das AU.addRequired<AAResultsWrapperPass>(); 193e57bf680SSanjoy Das MachineFunctionPass::getAnalysisUsage(AU); 194e57bf680SSanjoy Das } 195ad154c83SDerek Schuff 196ad154c83SDerek Schuff MachineFunctionProperties getRequiredProperties() const override { 197ad154c83SDerek Schuff return MachineFunctionProperties().set( 1981eb47368SMatthias Braun MachineFunctionProperties::Property::NoVRegs); 199ad154c83SDerek Schuff } 20069fad079SSanjoy Das }; 201edc394f1SSanjoy Das 202e57bf680SSanjoy Das } 203e57bf680SSanjoy Das 2049a129807SSanjoy Das bool ImplicitNullChecks::canHandle(const MachineInstr *MI) { 205*2f63cbccSSanjoy Das if (MI->isCall() || MI->hasUnmodeledSideEffects()) 2069a129807SSanjoy Das return false; 2079a129807SSanjoy Das auto IsRegMask = [](const MachineOperand &MO) { return MO.isRegMask(); }; 2089a129807SSanjoy Das (void)IsRegMask; 209edc394f1SSanjoy Das 2109a129807SSanjoy Das assert(!llvm::any_of(MI->operands(), IsRegMask) && 2119a129807SSanjoy Das "Calls were filtered out above!"); 212edc394f1SSanjoy Das 2139a129807SSanjoy Das auto IsUnordered = [](MachineMemOperand *MMO) { return MMO->isUnordered(); }; 2149a129807SSanjoy Das return llvm::all_of(MI->memoperands(), IsUnordered); 215edc394f1SSanjoy Das } 216edc394f1SSanjoy Das 2179a129807SSanjoy Das ImplicitNullChecks::DependenceResult 2189a129807SSanjoy Das ImplicitNullChecks::computeDependence(const MachineInstr *MI, 2199a129807SSanjoy Das ArrayRef<MachineInstr *> Block) { 2209a129807SSanjoy Das assert(llvm::all_of(Block, canHandle) && "Check this first!"); 2219a129807SSanjoy Das assert(!llvm::is_contained(Block, MI) && "Block must be exclusive of MI!"); 222edc394f1SSanjoy Das 2239a129807SSanjoy Das Optional<ArrayRef<MachineInstr *>::iterator> Dep; 224edc394f1SSanjoy Das 2259a129807SSanjoy Das for (auto I = Block.begin(), E = Block.end(); I != E; ++I) { 2269a129807SSanjoy Das if (canReorder(*I, MI)) 227edc394f1SSanjoy Das continue; 228edc394f1SSanjoy Das 2299a129807SSanjoy Das if (Dep == None) { 2309a129807SSanjoy Das // Found one possible dependency, keep track of it. 2319a129807SSanjoy Das Dep = I; 2329a129807SSanjoy Das } else { 2339a129807SSanjoy Das // We found two dependencies, so bail out. 2349a129807SSanjoy Das return {false, None}; 235edc394f1SSanjoy Das } 236edc394f1SSanjoy Das } 237edc394f1SSanjoy Das 2389a129807SSanjoy Das return {true, Dep}; 2399a129807SSanjoy Das } 240edc394f1SSanjoy Das 2419a129807SSanjoy Das bool ImplicitNullChecks::canReorder(const MachineInstr *A, 2429a129807SSanjoy Das const MachineInstr *B) { 2439a129807SSanjoy Das assert(canHandle(A) && canHandle(B) && "Precondition!"); 244edc394f1SSanjoy Das 2459a129807SSanjoy Das // canHandle makes sure that we _can_ correctly analyze the dependencies 2469a129807SSanjoy Das // between A and B here -- for instance, we should not be dealing with heap 2479a129807SSanjoy Das // load-store dependencies here. 2489a129807SSanjoy Das 2499a129807SSanjoy Das for (auto MOA : A->operands()) { 2509a129807SSanjoy Das if (!(MOA.isReg() && MOA.getReg())) 251e57bf680SSanjoy Das continue; 252e57bf680SSanjoy Das 2539a129807SSanjoy Das unsigned RegA = MOA.getReg(); 2549a129807SSanjoy Das for (auto MOB : B->operands()) { 2559a129807SSanjoy Das if (!(MOB.isReg() && MOB.getReg())) 256e57bf680SSanjoy Das continue; 2579a129807SSanjoy Das 2589a129807SSanjoy Das unsigned RegB = MOB.getReg(); 2599a129807SSanjoy Das 26008da2e28SSanjoy Das if (TRI->regsOverlap(RegA, RegB) && (MOA.isDef() || MOB.isDef())) 261e57bf680SSanjoy Das return false; 262e57bf680SSanjoy Das } 263edc394f1SSanjoy Das } 264edc394f1SSanjoy Das 265edc394f1SSanjoy Das return true; 266f00654e3SAlexander Kornienko } 26769fad079SSanjoy Das 26869fad079SSanjoy Das bool ImplicitNullChecks::runOnMachineFunction(MachineFunction &MF) { 26969fad079SSanjoy Das TII = MF.getSubtarget().getInstrInfo(); 27069fad079SSanjoy Das TRI = MF.getRegInfo().getTargetRegisterInfo(); 27169fad079SSanjoy Das MMI = &MF.getMMI(); 272e57bf680SSanjoy Das AA = &getAnalysis<AAResultsWrapperPass>().getAAResults(); 27369fad079SSanjoy Das 27469fad079SSanjoy Das SmallVector<NullCheck, 16> NullCheckList; 27569fad079SSanjoy Das 27669fad079SSanjoy Das for (auto &MBB : MF) 27769fad079SSanjoy Das analyzeBlockForNullChecks(MBB, NullCheckList); 27869fad079SSanjoy Das 27969fad079SSanjoy Das if (!NullCheckList.empty()) 28069fad079SSanjoy Das rewriteNullChecks(NullCheckList); 28169fad079SSanjoy Das 28269fad079SSanjoy Das return !NullCheckList.empty(); 28369fad079SSanjoy Das } 28469fad079SSanjoy Das 285e57bf680SSanjoy Das // Return true if any register aliasing \p Reg is live-in into \p MBB. 286e57bf680SSanjoy Das static bool AnyAliasLiveIn(const TargetRegisterInfo *TRI, 287e57bf680SSanjoy Das MachineBasicBlock *MBB, unsigned Reg) { 288e57bf680SSanjoy Das for (MCRegAliasIterator AR(Reg, TRI, /*IncludeSelf*/ true); AR.isValid(); 289e57bf680SSanjoy Das ++AR) 290e57bf680SSanjoy Das if (MBB->isLiveIn(*AR)) 291e57bf680SSanjoy Das return true; 292e57bf680SSanjoy Das return false; 293e57bf680SSanjoy Das } 294e57bf680SSanjoy Das 29515e50b51SSanjoy Das ImplicitNullChecks::SuitabilityResult 29615e50b51SSanjoy Das ImplicitNullChecks::isSuitableMemoryOp(MachineInstr &MI, unsigned PointerReg, 297*2f63cbccSSanjoy Das ArrayRef<MachineInstr *> PrevInsts, 298*2f63cbccSSanjoy Das bool &SeenLoad) { 29950fef432SSanjoy Das int64_t Offset; 30050fef432SSanjoy Das unsigned BaseReg; 30150fef432SSanjoy Das 302*2f63cbccSSanjoy Das // First, if it is a store and we saw load before we bail out 303*2f63cbccSSanjoy Das // because we will not be able to re-order load-store without 304*2f63cbccSSanjoy Das // using alias analysis. 305*2f63cbccSSanjoy Das if (SeenLoad && MI.mayStore()) 306*2f63cbccSSanjoy Das return SR_Impossible; 307*2f63cbccSSanjoy Das 308*2f63cbccSSanjoy Das SeenLoad = SeenLoad || MI.mayLoad(); 309*2f63cbccSSanjoy Das 310*2f63cbccSSanjoy Das // Without alias analysis we cannot re-order store with anything. 311*2f63cbccSSanjoy Das // so if this instruction is not a candidate we should stop. 312*2f63cbccSSanjoy Das SuitabilityResult Unsuitable = MI.mayStore() ? SR_Impossible : SR_Unsuitable; 313*2f63cbccSSanjoy Das 31450fef432SSanjoy Das if (!TII->getMemOpBaseRegImmOfs(MI, BaseReg, Offset, TRI) || 31550fef432SSanjoy Das BaseReg != PointerReg) 316*2f63cbccSSanjoy Das return Unsuitable; 31750fef432SSanjoy Das 318*2f63cbccSSanjoy Das // We want the mem access to be issued at a sane offset from PointerReg, 319*2f63cbccSSanjoy Das // so that if PointerReg is null then the access reliably page faults. 320*2f63cbccSSanjoy Das if (!((MI.mayLoad() || MI.mayStore()) && !MI.isPredicable() && 321*2f63cbccSSanjoy Das Offset < PageSize)) 322*2f63cbccSSanjoy Das return Unsuitable; 32350fef432SSanjoy Das 324*2f63cbccSSanjoy Das // Finally, we need to make sure that the access instruction actually is 325*2f63cbccSSanjoy Das // accessing from PointerReg, and there isn't some re-definition of PointerReg 326*2f63cbccSSanjoy Das // between the compare and the memory access. 32715e50b51SSanjoy Das // If PointerReg has been redefined before then there is no sense to continue 32815e50b51SSanjoy Das // lookup due to this condition will fail for any further instruction. 32950fef432SSanjoy Das for (auto *PrevMI : PrevInsts) 33050fef432SSanjoy Das for (auto &PrevMO : PrevMI->operands()) 33108da2e28SSanjoy Das if (PrevMO.isReg() && PrevMO.getReg() && PrevMO.isDef() && 33250fef432SSanjoy Das TRI->regsOverlap(PrevMO.getReg(), PointerReg)) 33315e50b51SSanjoy Das return SR_Impossible; 33450fef432SSanjoy Das 33515e50b51SSanjoy Das return SR_Suitable; 33650fef432SSanjoy Das } 33750fef432SSanjoy Das 338*2f63cbccSSanjoy Das bool ImplicitNullChecks::canHoistInst(MachineInstr *FaultingMI, 339*2f63cbccSSanjoy Das unsigned PointerReg, 340*2f63cbccSSanjoy Das ArrayRef<MachineInstr *> InstsSeenSoFar, 341*2f63cbccSSanjoy Das MachineBasicBlock *NullSucc, 34250fef432SSanjoy Das MachineInstr *&Dependence) { 34350fef432SSanjoy Das auto DepResult = computeDependence(FaultingMI, InstsSeenSoFar); 34450fef432SSanjoy Das if (!DepResult.CanReorder) 34550fef432SSanjoy Das return false; 34650fef432SSanjoy Das 34750fef432SSanjoy Das if (!DepResult.PotentialDependence) { 34850fef432SSanjoy Das Dependence = nullptr; 34950fef432SSanjoy Das return true; 35050fef432SSanjoy Das } 35150fef432SSanjoy Das 35250fef432SSanjoy Das auto DependenceItr = *DepResult.PotentialDependence; 35350fef432SSanjoy Das auto *DependenceMI = *DependenceItr; 35450fef432SSanjoy Das 35550fef432SSanjoy Das // We don't want to reason about speculating loads. Note -- at this point 35650fef432SSanjoy Das // we should have already filtered out all of the other non-speculatable 35750fef432SSanjoy Das // things, like calls and stores. 35850fef432SSanjoy Das assert(canHandle(DependenceMI) && "Should never have reached here!"); 35950fef432SSanjoy Das if (DependenceMI->mayLoad()) 36050fef432SSanjoy Das return false; 36150fef432SSanjoy Das 36250fef432SSanjoy Das for (auto &DependenceMO : DependenceMI->operands()) { 36350fef432SSanjoy Das if (!(DependenceMO.isReg() && DependenceMO.getReg())) 36450fef432SSanjoy Das continue; 36550fef432SSanjoy Das 36650fef432SSanjoy Das // Make sure that we won't clobber any live ins to the sibling block by 36750fef432SSanjoy Das // hoisting Dependency. For instance, we can't hoist INST to before the 36850fef432SSanjoy Das // null check (even if it safe, and does not violate any dependencies in 36950fef432SSanjoy Das // the non_null_block) if %rdx is live in to _null_block. 37050fef432SSanjoy Das // 37150fef432SSanjoy Das // test %rcx, %rcx 37250fef432SSanjoy Das // je _null_block 37350fef432SSanjoy Das // _non_null_block: 37450fef432SSanjoy Das // %rdx<def> = INST 37550fef432SSanjoy Das // ... 37650fef432SSanjoy Das // 37750fef432SSanjoy Das // This restriction does not apply to the faulting load inst because in 37850fef432SSanjoy Das // case the pointer loaded from is in the null page, the load will not 37950fef432SSanjoy Das // semantically execute, and affect machine state. That is, if the load 38050fef432SSanjoy Das // was loading into %rax and it faults, the value of %rax should stay the 38150fef432SSanjoy Das // same as it would have been had the load not have executed and we'd have 38250fef432SSanjoy Das // branched to NullSucc directly. 38350fef432SSanjoy Das if (AnyAliasLiveIn(TRI, NullSucc, DependenceMO.getReg())) 38450fef432SSanjoy Das return false; 38550fef432SSanjoy Das 38650fef432SSanjoy Das // The Dependency can't be re-defining the base register -- then we won't 38750fef432SSanjoy Das // get the memory operation on the address we want. This is already 38850fef432SSanjoy Das // checked in \c IsSuitableMemoryOp. 38908da2e28SSanjoy Das assert(!(DependenceMO.isDef() && 39008da2e28SSanjoy Das TRI->regsOverlap(DependenceMO.getReg(), PointerReg)) && 39150fef432SSanjoy Das "Should have been checked before!"); 39250fef432SSanjoy Das } 39350fef432SSanjoy Das 39450fef432SSanjoy Das auto DepDepResult = 39550fef432SSanjoy Das computeDependence(DependenceMI, {InstsSeenSoFar.begin(), DependenceItr}); 39650fef432SSanjoy Das 39750fef432SSanjoy Das if (!DepDepResult.CanReorder || DepDepResult.PotentialDependence) 39850fef432SSanjoy Das return false; 39950fef432SSanjoy Das 40050fef432SSanjoy Das Dependence = DependenceMI; 40150fef432SSanjoy Das return true; 40250fef432SSanjoy Das } 40350fef432SSanjoy Das 40469fad079SSanjoy Das /// Analyze MBB to check if its terminating branch can be turned into an 40569fad079SSanjoy Das /// implicit null check. If yes, append a description of the said null check to 40669fad079SSanjoy Das /// NullCheckList and return true, else return false. 40769fad079SSanjoy Das bool ImplicitNullChecks::analyzeBlockForNullChecks( 40869fad079SSanjoy Das MachineBasicBlock &MBB, SmallVectorImpl<NullCheck> &NullCheckList) { 40969fad079SSanjoy Das typedef TargetInstrInfo::MachineBranchPredicate MachineBranchPredicate; 41069fad079SSanjoy Das 411e8b81649SSanjoy Das MDNode *BranchMD = nullptr; 412e8b81649SSanjoy Das if (auto *BB = MBB.getBasicBlock()) 413e8b81649SSanjoy Das BranchMD = BB->getTerminator()->getMetadata(LLVMContext::MD_make_implicit); 414e8b81649SSanjoy Das 4159c41a93eSSanjoy Das if (!BranchMD) 4169c41a93eSSanjoy Das return false; 4179c41a93eSSanjoy Das 41869fad079SSanjoy Das MachineBranchPredicate MBP; 41969fad079SSanjoy Das 42071c30a14SJacques Pienaar if (TII->analyzeBranchPredicate(MBB, MBP, true)) 42169fad079SSanjoy Das return false; 42269fad079SSanjoy Das 42369fad079SSanjoy Das // Is the predicate comparing an integer to zero? 42469fad079SSanjoy Das if (!(MBP.LHS.isReg() && MBP.RHS.isImm() && MBP.RHS.getImm() == 0 && 42569fad079SSanjoy Das (MBP.Predicate == MachineBranchPredicate::PRED_NE || 42669fad079SSanjoy Das MBP.Predicate == MachineBranchPredicate::PRED_EQ))) 42769fad079SSanjoy Das return false; 42869fad079SSanjoy Das 42969fad079SSanjoy Das // If we cannot erase the test instruction itself, then making the null check 43069fad079SSanjoy Das // implicit does not buy us much. 43169fad079SSanjoy Das if (!MBP.SingleUseCondition) 43269fad079SSanjoy Das return false; 43369fad079SSanjoy Das 43469fad079SSanjoy Das MachineBasicBlock *NotNullSucc, *NullSucc; 43569fad079SSanjoy Das 43669fad079SSanjoy Das if (MBP.Predicate == MachineBranchPredicate::PRED_NE) { 43769fad079SSanjoy Das NotNullSucc = MBP.TrueDest; 43869fad079SSanjoy Das NullSucc = MBP.FalseDest; 43969fad079SSanjoy Das } else { 44069fad079SSanjoy Das NotNullSucc = MBP.FalseDest; 44169fad079SSanjoy Das NullSucc = MBP.TrueDest; 44269fad079SSanjoy Das } 44369fad079SSanjoy Das 44469fad079SSanjoy Das // We handle the simplest case for now. We can potentially do better by using 44569fad079SSanjoy Das // the machine dominator tree. 44669fad079SSanjoy Das if (NotNullSucc->pred_size() != 1) 44769fad079SSanjoy Das return false; 44869fad079SSanjoy Das 44969fad079SSanjoy Das // Starting with a code fragment like: 45069fad079SSanjoy Das // 45169fad079SSanjoy Das // test %RAX, %RAX 45269fad079SSanjoy Das // jne LblNotNull 45369fad079SSanjoy Das // 45469fad079SSanjoy Das // LblNull: 45569fad079SSanjoy Das // callq throw_NullPointerException 45669fad079SSanjoy Das // 45769fad079SSanjoy Das // LblNotNull: 458b7718454SSanjoy Das // Inst0 459b7718454SSanjoy Das // Inst1 460b7718454SSanjoy Das // ... 46169fad079SSanjoy Das // Def = Load (%RAX + <offset>) 46269fad079SSanjoy Das // ... 46369fad079SSanjoy Das // 46469fad079SSanjoy Das // 46569fad079SSanjoy Das // we want to end up with 46669fad079SSanjoy Das // 467ac9c5b19SSanjoy Das // Def = FaultingLoad (%RAX + <offset>), LblNull 46869fad079SSanjoy Das // jmp LblNotNull ;; explicit or fallthrough 46969fad079SSanjoy Das // 47069fad079SSanjoy Das // LblNotNull: 471b7718454SSanjoy Das // Inst0 472b7718454SSanjoy Das // Inst1 47369fad079SSanjoy Das // ... 47469fad079SSanjoy Das // 47569fad079SSanjoy Das // LblNull: 47669fad079SSanjoy Das // callq throw_NullPointerException 47769fad079SSanjoy Das // 478ac9c5b19SSanjoy Das // 479ac9c5b19SSanjoy Das // To see why this is legal, consider the two possibilities: 480ac9c5b19SSanjoy Das // 481ac9c5b19SSanjoy Das // 1. %RAX is null: since we constrain <offset> to be less than PageSize, the 482ac9c5b19SSanjoy Das // load instruction dereferences the null page, causing a segmentation 483ac9c5b19SSanjoy Das // fault. 484ac9c5b19SSanjoy Das // 485ac9c5b19SSanjoy Das // 2. %RAX is not null: in this case we know that the load cannot fault, as 486ac9c5b19SSanjoy Das // otherwise the load would've faulted in the original program too and the 487ac9c5b19SSanjoy Das // original program would've been undefined. 488ac9c5b19SSanjoy Das // 489ac9c5b19SSanjoy Das // This reasoning cannot be extended to justify hoisting through arbitrary 490ac9c5b19SSanjoy Das // control flow. For instance, in the example below (in pseudo-C) 491ac9c5b19SSanjoy Das // 492ac9c5b19SSanjoy Das // if (ptr == null) { throw_npe(); unreachable; } 493ac9c5b19SSanjoy Das // if (some_cond) { return 42; } 494ac9c5b19SSanjoy Das // v = ptr->field; // LD 495ac9c5b19SSanjoy Das // ... 496ac9c5b19SSanjoy Das // 497ac9c5b19SSanjoy Das // we cannot (without code duplication) use the load marked "LD" to null check 498ac9c5b19SSanjoy Das // ptr -- clause (2) above does not apply in this case. In the above program 499ac9c5b19SSanjoy Das // the safety of ptr->field can be dependent on some_cond; and, for instance, 500ac9c5b19SSanjoy Das // ptr could be some non-null invalid reference that never gets loaded from 501ac9c5b19SSanjoy Das // because some_cond is always true. 50269fad079SSanjoy Das 5039a129807SSanjoy Das const unsigned PointerReg = MBP.LHS.getReg(); 504b7718454SSanjoy Das 5059a129807SSanjoy Das SmallVector<MachineInstr *, 8> InstsSeenSoFar; 506*2f63cbccSSanjoy Das bool SeenLoad = false; 507b7718454SSanjoy Das 5089a129807SSanjoy Das for (auto &MI : *NotNullSucc) { 5099a129807SSanjoy Das if (!canHandle(&MI) || InstsSeenSoFar.size() >= MaxInstsToConsider) 5109a129807SSanjoy Das return false; 511e57bf680SSanjoy Das 5129a129807SSanjoy Das MachineInstr *Dependence; 513*2f63cbccSSanjoy Das SuitabilityResult SR = 514*2f63cbccSSanjoy Das isSuitableMemoryOp(MI, PointerReg, InstsSeenSoFar, SeenLoad); 51515e50b51SSanjoy Das if (SR == SR_Impossible) 51615e50b51SSanjoy Das return false; 517*2f63cbccSSanjoy Das if (SR == SR_Suitable && 518*2f63cbccSSanjoy Das canHoistInst(&MI, PointerReg, InstsSeenSoFar, NullSucc, Dependence)) { 5199cfc75c2SDuncan P. N. Exon Smith NullCheckList.emplace_back(&MI, MBP.ConditionDef, &MBB, NotNullSucc, 5209a129807SSanjoy Das NullSucc, Dependence); 521e57bf680SSanjoy Das return true; 522e57bf680SSanjoy Das } 52369fad079SSanjoy Das 5249a129807SSanjoy Das InstsSeenSoFar.push_back(&MI); 525b7718454SSanjoy Das } 526b7718454SSanjoy Das 52769fad079SSanjoy Das return false; 52869fad079SSanjoy Das } 52969fad079SSanjoy Das 530*2f63cbccSSanjoy Das /// Wrap a machine instruction, MI, into a FAULTING machine instruction. 531*2f63cbccSSanjoy Das /// The FAULTING instruction does the same load/store as MI 532*2f63cbccSSanjoy Das /// (defining the same register), and branches to HandlerMBB if the mem access 533*2f63cbccSSanjoy Das /// faults. The FAULTING instruction is inserted at the end of MBB. 534*2f63cbccSSanjoy Das MachineInstr *ImplicitNullChecks::insertFaultingInstr( 535*2f63cbccSSanjoy Das MachineInstr *MI, MachineBasicBlock *MBB, MachineBasicBlock *HandlerMBB) { 53693d608c3SSanjoy Das const unsigned NoRegister = 0; // Guaranteed to be the NoRegister value for 53793d608c3SSanjoy Das // all targets. 53893d608c3SSanjoy Das 53969fad079SSanjoy Das DebugLoc DL; 540*2f63cbccSSanjoy Das unsigned NumDefs = MI->getDesc().getNumDefs(); 54193d608c3SSanjoy Das assert(NumDefs <= 1 && "other cases unhandled!"); 54269fad079SSanjoy Das 54393d608c3SSanjoy Das unsigned DefReg = NoRegister; 54493d608c3SSanjoy Das if (NumDefs != 0) { 545*2f63cbccSSanjoy Das DefReg = MI->defs().begin()->getReg(); 546*2f63cbccSSanjoy Das assert(std::distance(MI->defs().begin(), MI->defs().end()) == 1 && 54769fad079SSanjoy Das "expected exactly one def!"); 54893d608c3SSanjoy Das } 54969fad079SSanjoy Das 550*2f63cbccSSanjoy Das FaultMaps::FaultKind FK; 551*2f63cbccSSanjoy Das if (MI->mayLoad()) 552*2f63cbccSSanjoy Das FK = 553*2f63cbccSSanjoy Das MI->mayStore() ? FaultMaps::FaultingLoadStore : FaultMaps::FaultingLoad; 554*2f63cbccSSanjoy Das else 555*2f63cbccSSanjoy Das FK = FaultMaps::FaultingStore; 55669fad079SSanjoy Das 557*2f63cbccSSanjoy Das auto MIB = BuildMI(MBB, DL, TII->get(TargetOpcode::FAULTING_OP), DefReg) 558*2f63cbccSSanjoy Das .addImm(FK) 559*2f63cbccSSanjoy Das .addMBB(HandlerMBB) 560*2f63cbccSSanjoy Das .addImm(MI->getOpcode()); 561*2f63cbccSSanjoy Das 562*2f63cbccSSanjoy Das for (auto &MO : MI->uses()) 563116bbab4SDiana Picus MIB.add(MO); 56469fad079SSanjoy Das 565*2f63cbccSSanjoy Das MIB.setMemRefs(MI->memoperands_begin(), MI->memoperands_end()); 56669fad079SSanjoy Das 56769fad079SSanjoy Das return MIB; 56869fad079SSanjoy Das } 56969fad079SSanjoy Das 57069fad079SSanjoy Das /// Rewrite the null checks in NullCheckList into implicit null checks. 57169fad079SSanjoy Das void ImplicitNullChecks::rewriteNullChecks( 57269fad079SSanjoy Das ArrayRef<ImplicitNullChecks::NullCheck> NullCheckList) { 57369fad079SSanjoy Das DebugLoc DL; 57469fad079SSanjoy Das 57569fad079SSanjoy Das for (auto &NC : NullCheckList) { 57669fad079SSanjoy Das // Remove the conditional branch dependent on the null check. 5771b9fc8edSMatt Arsenault unsigned BranchesRemoved = TII->removeBranch(*NC.getCheckBlock()); 57869fad079SSanjoy Das (void)BranchesRemoved; 57969fad079SSanjoy Das assert(BranchesRemoved > 0 && "expected at least one branch!"); 58069fad079SSanjoy Das 581e57bf680SSanjoy Das if (auto *DepMI = NC.getOnlyDependency()) { 582e57bf680SSanjoy Das DepMI->removeFromParent(); 583e57bf680SSanjoy Das NC.getCheckBlock()->insert(NC.getCheckBlock()->end(), DepMI); 584e57bf680SSanjoy Das } 585e57bf680SSanjoy Das 586*2f63cbccSSanjoy Das // Insert a faulting instruction where the conditional branch was 587*2f63cbccSSanjoy Das // originally. We check earlier ensures that this bit of code motion 588*2f63cbccSSanjoy Das // is legal. We do not touch the successors list for any basic block 589*2f63cbccSSanjoy Das // since we haven't changed control flow, we've just made it implicit. 590*2f63cbccSSanjoy Das MachineInstr *FaultingInstr = insertFaultingInstr( 591e173b9aeSSanjoy Das NC.getMemOperation(), NC.getCheckBlock(), NC.getNullSucc()); 59226dab3a4SQuentin Colombet // Now the values defined by MemOperation, if any, are live-in of 59326dab3a4SQuentin Colombet // the block of MemOperation. 594*2f63cbccSSanjoy Das // The original operation may define implicit-defs alongside 595*2f63cbccSSanjoy Das // the value. 596e173b9aeSSanjoy Das MachineBasicBlock *MBB = NC.getMemOperation()->getParent(); 597*2f63cbccSSanjoy Das for (const MachineOperand &MO : FaultingInstr->operands()) { 59826dab3a4SQuentin Colombet if (!MO.isReg() || !MO.isDef()) 59926dab3a4SQuentin Colombet continue; 60026dab3a4SQuentin Colombet unsigned Reg = MO.getReg(); 60126dab3a4SQuentin Colombet if (!Reg || MBB->isLiveIn(Reg)) 60226dab3a4SQuentin Colombet continue; 60312b69919SQuentin Colombet MBB->addLiveIn(Reg); 60412b69919SQuentin Colombet } 605e57bf680SSanjoy Das 606e57bf680SSanjoy Das if (auto *DepMI = NC.getOnlyDependency()) { 607e57bf680SSanjoy Das for (auto &MO : DepMI->operands()) { 608e57bf680SSanjoy Das if (!MO.isReg() || !MO.getReg() || !MO.isDef()) 609e57bf680SSanjoy Das continue; 610e57bf680SSanjoy Das if (!NC.getNotNullSucc()->isLiveIn(MO.getReg())) 611e57bf680SSanjoy Das NC.getNotNullSucc()->addLiveIn(MO.getReg()); 612e57bf680SSanjoy Das } 613e57bf680SSanjoy Das } 614e57bf680SSanjoy Das 615e173b9aeSSanjoy Das NC.getMemOperation()->eraseFromParent(); 616e173b9aeSSanjoy Das NC.getCheckOperation()->eraseFromParent(); 61769fad079SSanjoy Das 61869fad079SSanjoy Das // Insert an *unconditional* branch to not-null successor. 619e8e0f5caSMatt Arsenault TII->insertBranch(*NC.getCheckBlock(), NC.getNotNullSucc(), nullptr, 620e173b9aeSSanjoy Das /*Cond=*/None, DL); 62169fad079SSanjoy Das 6228ee6a30bSSanjoy Das NumImplicitNullChecks++; 62369fad079SSanjoy Das } 62469fad079SSanjoy Das } 62569fad079SSanjoy Das 6269a129807SSanjoy Das 62769fad079SSanjoy Das char ImplicitNullChecks::ID = 0; 62869fad079SSanjoy Das char &llvm::ImplicitNullChecksID = ImplicitNullChecks::ID; 62969fad079SSanjoy Das INITIALIZE_PASS_BEGIN(ImplicitNullChecks, "implicit-null-checks", 63069fad079SSanjoy Das "Implicit null checks", false, false) 631e57bf680SSanjoy Das INITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass) 63269fad079SSanjoy Das INITIALIZE_PASS_END(ImplicitNullChecks, "implicit-null-checks", 63369fad079SSanjoy Das "Implicit null checks", false, false) 634