lib/CodeGen/ImplicitNullChecks.cpp

69fad079SSanjoy Das//===-- ImplicitNullChecks.cpp - Fold null checks into memory accesses ----===//
69fad079SSanjoy Das//
69fad079SSanjoy Das//                     The LLVM Compiler Infrastructure
69fad079SSanjoy Das//
69fad079SSanjoy Das// This file is distributed under the University of Illinois Open Source
69fad079SSanjoy Das// License. See LICENSE.TXT for details.
69fad079SSanjoy Das//
69fad079SSanjoy Das//===----------------------------------------------------------------------===//
69fad079SSanjoy Das//
69fad079SSanjoy Das// This pass turns explicit null checks of the form
69fad079SSanjoy Das//
69fad079SSanjoy Das//   test %r10, %r10
69fad079SSanjoy Das//   je throw_npe
69fad079SSanjoy Das//   movl (%r10), %esi
69fad079SSanjoy Das//   ...
69fad079SSanjoy Das//
69fad079SSanjoy Das// to
69fad079SSanjoy Das//
69fad079SSanjoy Das//   faulting_load_op("movl (%r10), %esi", throw_npe)
69fad079SSanjoy Das//   ...
69fad079SSanjoy Das//
69fad079SSanjoy Das// With the help of a runtime that understands the .fault_maps section,
69fad079SSanjoy Das// faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
69fad079SSanjoy Das// a page fault.
69fad079SSanjoy Das//
69fad079SSanjoy Das//===----------------------------------------------------------------------===//
69fad079SSanjoy Das
b7718454SSanjoy Das#include "llvm/ADT/DenseSet.h"
69fad079SSanjoy Das#include "llvm/ADT/SmallVector.h"
8ee6a30bSSanjoy Das#include "llvm/ADT/Statistic.h"
*e57bf680SSanjoy Das#include "llvm/Analysis/AliasAnalysis.h"
69fad079SSanjoy Das#include "llvm/CodeGen/Passes.h"
69fad079SSanjoy Das#include "llvm/CodeGen/MachineFunction.h"
b7718454SSanjoy Das#include "llvm/CodeGen/MachineMemOperand.h"
69fad079SSanjoy Das#include "llvm/CodeGen/MachineOperand.h"
69fad079SSanjoy Das#include "llvm/CodeGen/MachineFunctionPass.h"
69fad079SSanjoy Das#include "llvm/CodeGen/MachineInstrBuilder.h"
69fad079SSanjoy Das#include "llvm/CodeGen/MachineRegisterInfo.h"
69fad079SSanjoy Das#include "llvm/CodeGen/MachineModuleInfo.h"
69fad079SSanjoy Das#include "llvm/IR/BasicBlock.h"
69fad079SSanjoy Das#include "llvm/IR/Instruction.h"
00038784SChen Li#include "llvm/IR/LLVMContext.h"
69fad079SSanjoy Das#include "llvm/Support/CommandLine.h"
69fad079SSanjoy Das#include "llvm/Support/Debug.h"
69fad079SSanjoy Das#include "llvm/Target/TargetSubtargetInfo.h"
69fad079SSanjoy Das#include "llvm/Target/TargetInstrInfo.h"
69fad079SSanjoy Das
69fad079SSanjoy Dasusing namespace llvm;
69fad079SSanjoy Das
c27a18f3SChad Rosierstatic cl::opt<int> PageSize("imp-null-check-page-size",
c27a18f3SChad Rosier                             cl::desc("The page size of the target in bytes"),
69fad079SSanjoy Das                             cl::init(4096));
69fad079SSanjoy Das
8ee6a30bSSanjoy Das#define DEBUG_TYPE "implicit-null-checks"
8ee6a30bSSanjoy Das
8ee6a30bSSanjoy DasSTATISTIC(NumImplicitNullChecks,
8ee6a30bSSanjoy Das          "Number of explicit null checks made implicit");
8ee6a30bSSanjoy Das
69fad079SSanjoy Dasnamespace {
69fad079SSanjoy Das
69fad079SSanjoy Dasclass ImplicitNullChecks : public MachineFunctionPass {
69fad079SSanjoy Das  /// Represents one null check that can be made implicit.
e173b9aeSSanjoy Das  class NullCheck {
69fad079SSanjoy Das    // The memory operation the null check can be folded into.
69fad079SSanjoy Das    MachineInstr *MemOperation;
69fad079SSanjoy Das
69fad079SSanjoy Das    // The instruction actually doing the null check (Ptr != 0).
69fad079SSanjoy Das    MachineInstr *CheckOperation;
69fad079SSanjoy Das
69fad079SSanjoy Das    // The block the check resides in.
69fad079SSanjoy Das    MachineBasicBlock *CheckBlock;
69fad079SSanjoy Das
572e03a3SEric Christopher    // The block branched to if the pointer is non-null.
69fad079SSanjoy Das    MachineBasicBlock *NotNullSucc;
69fad079SSanjoy Das
572e03a3SEric Christopher    // The block branched to if the pointer is null.
69fad079SSanjoy Das    MachineBasicBlock *NullSucc;
69fad079SSanjoy Das
*e57bf680SSanjoy Das    // If this is non-null, then MemOperation has a dependency on on this
*e57bf680SSanjoy Das    // instruction; and it needs to be hoisted to execute before MemOperation.
*e57bf680SSanjoy Das    MachineInstr *OnlyDependency;
*e57bf680SSanjoy Das
e173b9aeSSanjoy Das  public:
69fad079SSanjoy Das    explicit NullCheck(MachineInstr *memOperation, MachineInstr *checkOperation,
69fad079SSanjoy Das                       MachineBasicBlock *checkBlock,
69fad079SSanjoy Das                       MachineBasicBlock *notNullSucc,
*e57bf680SSanjoy Das                       MachineBasicBlock *nullSucc,
*e57bf680SSanjoy Das                       MachineInstr *onlyDependency)
69fad079SSanjoy Das        : MemOperation(memOperation), CheckOperation(checkOperation),
*e57bf680SSanjoy Das          CheckBlock(checkBlock), NotNullSucc(notNullSucc), NullSucc(nullSucc),
*e57bf680SSanjoy Das          OnlyDependency(onlyDependency) {}
e173b9aeSSanjoy Das
e173b9aeSSanjoy Das    MachineInstr *getMemOperation() const { return MemOperation; }
e173b9aeSSanjoy Das
e173b9aeSSanjoy Das    MachineInstr *getCheckOperation() const { return CheckOperation; }
e173b9aeSSanjoy Das
e173b9aeSSanjoy Das    MachineBasicBlock *getCheckBlock() const { return CheckBlock; }
e173b9aeSSanjoy Das
e173b9aeSSanjoy Das    MachineBasicBlock *getNotNullSucc() const { return NotNullSucc; }
e173b9aeSSanjoy Das
e173b9aeSSanjoy Das    MachineBasicBlock *getNullSucc() const { return NullSucc; }
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das    MachineInstr *getOnlyDependency() const { return OnlyDependency; }
69fad079SSanjoy Das  };
69fad079SSanjoy Das
69fad079SSanjoy Das  const TargetInstrInfo *TII = nullptr;
69fad079SSanjoy Das  const TargetRegisterInfo *TRI = nullptr;
*e57bf680SSanjoy Das  AliasAnalysis *AA = nullptr;
69fad079SSanjoy Das  MachineModuleInfo *MMI = nullptr;
69fad079SSanjoy Das
69fad079SSanjoy Das  bool analyzeBlockForNullChecks(MachineBasicBlock &MBB,
69fad079SSanjoy Das                                 SmallVectorImpl<NullCheck> &NullCheckList);
69fad079SSanjoy Das  MachineInstr *insertFaultingLoad(MachineInstr *LoadMI, MachineBasicBlock *MBB,
4e1d389aSQuentin Colombet                                   MachineBasicBlock *HandlerMBB);
69fad079SSanjoy Das  void rewriteNullChecks(ArrayRef<NullCheck> NullCheckList);
69fad079SSanjoy Das
69fad079SSanjoy Daspublic:
69fad079SSanjoy Das  static char ID;
69fad079SSanjoy Das
69fad079SSanjoy Das  ImplicitNullChecks() : MachineFunctionPass(ID) {
69fad079SSanjoy Das    initializeImplicitNullChecksPass(*PassRegistry::getPassRegistry());
69fad079SSanjoy Das  }
69fad079SSanjoy Das
69fad079SSanjoy Das  bool runOnMachineFunction(MachineFunction &MF) override;
*e57bf680SSanjoy Das  void getAnalysisUsage(AnalysisUsage &AU) const override {
*e57bf680SSanjoy Das    AU.addRequired<AAResultsWrapperPass>();
*e57bf680SSanjoy Das    MachineFunctionPass::getAnalysisUsage(AU);
*e57bf680SSanjoy Das  }
ad154c83SDerek Schuff
ad154c83SDerek Schuff  MachineFunctionProperties getRequiredProperties() const override {
ad154c83SDerek Schuff    return MachineFunctionProperties().set(
ad154c83SDerek Schuff        MachineFunctionProperties::Property::AllVRegsAllocated);
ad154c83SDerek Schuff  }
69fad079SSanjoy Das};
edc394f1SSanjoy Das
edc394f1SSanjoy Das/// \brief Detect re-ordering hazards and dependencies.
edc394f1SSanjoy Das///
edc394f1SSanjoy Das/// This class keeps track of defs and uses, and can be queried if a given
edc394f1SSanjoy Das/// machine instruction can be re-ordered from after the machine instructions
edc394f1SSanjoy Das/// seen so far to before them.
edc394f1SSanjoy Dasclass HazardDetector {
*e57bf680SSanjoy Das  static MachineInstr *getUnknownMI() {
*e57bf680SSanjoy Das    return DenseMapInfo<MachineInstr *>::getTombstoneKey();
*e57bf680SSanjoy Das  }
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das  // Maps physical registers to the instruction defining them.  If there has
*e57bf680SSanjoy Das  // been more than one def of an specific register, that register is mapped to
*e57bf680SSanjoy Das  // getUnknownMI().
*e57bf680SSanjoy Das  DenseMap<unsigned, MachineInstr *> RegDefs;
edc394f1SSanjoy Das  DenseSet<unsigned> RegUses;
edc394f1SSanjoy Das  const TargetRegisterInfo &TRI;
edc394f1SSanjoy Das  bool hasSeenClobber;
*e57bf680SSanjoy Das  AliasAnalysis &AA;
edc394f1SSanjoy Das
edc394f1SSanjoy Daspublic:
*e57bf680SSanjoy Das  explicit HazardDetector(const TargetRegisterInfo &TRI, AliasAnalysis &AA)
*e57bf680SSanjoy Das      : TRI(TRI), hasSeenClobber(false), AA(AA) {}
edc394f1SSanjoy Das
edc394f1SSanjoy Das  /// \brief Make a note of \p MI for later queries to isSafeToHoist.
edc394f1SSanjoy Das  ///
edc394f1SSanjoy Das  /// May clobber this HazardDetector instance.  \see isClobbered.
edc394f1SSanjoy Das  void rememberInstruction(MachineInstr *MI);
edc394f1SSanjoy Das
edc394f1SSanjoy Das  /// \brief Return true if it is safe to hoist \p MI from after all the
*e57bf680SSanjoy Das  /// instructions seen so far (via rememberInstruction) to before it.  If \p MI
*e57bf680SSanjoy Das  /// has one and only one transitive dependency, set \p Dependency to that
*e57bf680SSanjoy Das  /// instruction.  If there are more dependencies, return false.
*e57bf680SSanjoy Das  bool isSafeToHoist(MachineInstr *MI, MachineInstr *&Dependency);
edc394f1SSanjoy Das
edc394f1SSanjoy Das  /// \brief Return true if this instance of HazardDetector has been clobbered
edc394f1SSanjoy Das  /// (i.e. has no more useful information).
edc394f1SSanjoy Das  ///
edc394f1SSanjoy Das  /// A HazardDetecter is clobbered when it sees a construct it cannot
edc394f1SSanjoy Das  /// understand, and it would have to return a conservative answer for all
edc394f1SSanjoy Das  /// future queries.  Having a separate clobbered state lets the client code
edc394f1SSanjoy Das  /// bail early, without making queries about all of the future instructions
edc394f1SSanjoy Das  /// (which would have returned the most conservative answer anyway).
edc394f1SSanjoy Das  ///
edc394f1SSanjoy Das  /// Calling rememberInstruction or isSafeToHoist on a clobbered HazardDetector
edc394f1SSanjoy Das  /// is an error.
edc394f1SSanjoy Das  bool isClobbered() { return hasSeenClobber; }
edc394f1SSanjoy Das};
edc394f1SSanjoy Das}
edc394f1SSanjoy Das
edc394f1SSanjoy Das
edc394f1SSanjoy Dasvoid HazardDetector::rememberInstruction(MachineInstr *MI) {
edc394f1SSanjoy Das  assert(!isClobbered() &&
edc394f1SSanjoy Das         "Don't add instructions to a clobbered hazard detector");
edc394f1SSanjoy Das
edc394f1SSanjoy Das  if (MI->mayStore() || MI->hasUnmodeledSideEffects()) {
edc394f1SSanjoy Das    hasSeenClobber = true;
edc394f1SSanjoy Das    return;
edc394f1SSanjoy Das  }
edc394f1SSanjoy Das
edc394f1SSanjoy Das  for (auto *MMO : MI->memoperands()) {
edc394f1SSanjoy Das    // Right now we don't want to worry about LLVM's memory model.
edc394f1SSanjoy Das    if (!MMO->isUnordered()) {
edc394f1SSanjoy Das      hasSeenClobber = true;
edc394f1SSanjoy Das      return;
edc394f1SSanjoy Das    }
edc394f1SSanjoy Das  }
edc394f1SSanjoy Das
edc394f1SSanjoy Das  for (auto &MO : MI->operands()) {
edc394f1SSanjoy Das    if (!MO.isReg() || !MO.getReg())
edc394f1SSanjoy Das      continue;
edc394f1SSanjoy Das
*e57bf680SSanjoy Das    if (MO.isDef()) {
*e57bf680SSanjoy Das      auto It = RegDefs.find(MO.getReg());
*e57bf680SSanjoy Das      if (It == RegDefs.end())
*e57bf680SSanjoy Das        RegDefs.insert({MO.getReg(), MI});
*e57bf680SSanjoy Das      else {
*e57bf680SSanjoy Das        assert(It->second && "Found null MI?");
*e57bf680SSanjoy Das        It->second = getUnknownMI();
*e57bf680SSanjoy Das      }
*e57bf680SSanjoy Das    } else
edc394f1SSanjoy Das      RegUses.insert(MO.getReg());
edc394f1SSanjoy Das  }
edc394f1SSanjoy Das}
edc394f1SSanjoy Das
*e57bf680SSanjoy Dasbool HazardDetector::isSafeToHoist(MachineInstr *MI,
*e57bf680SSanjoy Das                                   MachineInstr *&Dependency) {
edc394f1SSanjoy Das  assert(!isClobbered() && "isSafeToHoist cannot do anything useful!");
*e57bf680SSanjoy Das  Dependency = nullptr;
edc394f1SSanjoy Das
edc394f1SSanjoy Das  // Right now we don't want to worry about LLVM's memory model.  This can be
edc394f1SSanjoy Das  // made more precise later.
edc394f1SSanjoy Das  for (auto *MMO : MI->memoperands())
edc394f1SSanjoy Das    if (!MMO->isUnordered())
edc394f1SSanjoy Das      return false;
edc394f1SSanjoy Das
edc394f1SSanjoy Das  for (auto &MO : MI->operands()) {
edc394f1SSanjoy Das    if (MO.isReg() && MO.getReg()) {
*e57bf680SSanjoy Das      for (auto &RegDef : RegDefs) {
*e57bf680SSanjoy Das        unsigned Reg = RegDef.first;
*e57bf680SSanjoy Das        MachineInstr *MI = RegDef.second;
*e57bf680SSanjoy Das        if (!TRI.regsOverlap(Reg, MO.getReg()))
*e57bf680SSanjoy Das          continue;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        // We found a write-after-write or read-after-write, see if the
*e57bf680SSanjoy Das        // instruction causing this dependency can be hoisted too.
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        if (MI == getUnknownMI())
*e57bf680SSanjoy Das          // We don't have precise dependency information.
*e57bf680SSanjoy Das          return false;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        if (Dependency) {
*e57bf680SSanjoy Das          if (Dependency == MI)
*e57bf680SSanjoy Das            continue;
*e57bf680SSanjoy Das          // We already have one dependency, and we can track only one.
*e57bf680SSanjoy Das          return false;
*e57bf680SSanjoy Das        }
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        // Now check if MI is actually a dependency that can be hoisted.
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        // We don't want to track transitive dependencies.  We already know that
*e57bf680SSanjoy Das        // MI is the only instruction that defines Reg, but we need to be sure
*e57bf680SSanjoy Das        // that it does not use any registers that have been defined (trivially
*e57bf680SSanjoy Das        // checked below by ensuring that there are no register uses), and that
*e57bf680SSanjoy Das        // it is the only def for every register it defines (otherwise we could
*e57bf680SSanjoy Das        // violate a write after write hazard).
*e57bf680SSanjoy Das        auto IsMIOperandSafe = [&](MachineOperand &MO) {
*e57bf680SSanjoy Das          if (!MO.isReg() || !MO.getReg())
*e57bf680SSanjoy Das            return true;
*e57bf680SSanjoy Das          if (MO.isUse())
*e57bf680SSanjoy Das            return false;
*e57bf680SSanjoy Das          assert((!MO.isDef() || RegDefs.count(MO.getReg())) &&
*e57bf680SSanjoy Das                 "All defs must be tracked in RegDefs by now!");
*e57bf680SSanjoy Das          return !MO.isDef() || RegDefs.find(MO.getReg())->second == MI;
*e57bf680SSanjoy Das        };
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        if (!all_of(MI->operands(), IsMIOperandSafe))
*e57bf680SSanjoy Das          return false;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        // Now check for speculation safety:
*e57bf680SSanjoy Das        bool SawStore = true;
*e57bf680SSanjoy Das        if (!MI->isSafeToMove(&AA, SawStore) || MI->mayLoad())
*e57bf680SSanjoy Das          return false;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        Dependency = MI;
*e57bf680SSanjoy Das      }
edc394f1SSanjoy Das
edc394f1SSanjoy Das      if (MO.isDef())
edc394f1SSanjoy Das        for (unsigned Reg : RegUses)
edc394f1SSanjoy Das          if (TRI.regsOverlap(Reg, MO.getReg()))
edc394f1SSanjoy Das            return false;  // We found a write-after-read
edc394f1SSanjoy Das    }
edc394f1SSanjoy Das  }
edc394f1SSanjoy Das
edc394f1SSanjoy Das  return true;
f00654e3SAlexander Kornienko}
69fad079SSanjoy Das
69fad079SSanjoy Dasbool ImplicitNullChecks::runOnMachineFunction(MachineFunction &MF) {
69fad079SSanjoy Das  TII = MF.getSubtarget().getInstrInfo();
69fad079SSanjoy Das  TRI = MF.getRegInfo().getTargetRegisterInfo();
69fad079SSanjoy Das  MMI = &MF.getMMI();
*e57bf680SSanjoy Das  AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
69fad079SSanjoy Das
69fad079SSanjoy Das  SmallVector<NullCheck, 16> NullCheckList;
69fad079SSanjoy Das
69fad079SSanjoy Das  for (auto &MBB : MF)
69fad079SSanjoy Das    analyzeBlockForNullChecks(MBB, NullCheckList);
69fad079SSanjoy Das
69fad079SSanjoy Das  if (!NullCheckList.empty())
69fad079SSanjoy Das    rewriteNullChecks(NullCheckList);
69fad079SSanjoy Das
69fad079SSanjoy Das  return !NullCheckList.empty();
69fad079SSanjoy Das}
69fad079SSanjoy Das
*e57bf680SSanjoy Das// Return true if any register aliasing \p Reg is live-in into \p MBB.
*e57bf680SSanjoy Dasstatic bool AnyAliasLiveIn(const TargetRegisterInfo *TRI,
*e57bf680SSanjoy Das                           MachineBasicBlock *MBB, unsigned Reg) {
*e57bf680SSanjoy Das  for (MCRegAliasIterator AR(Reg, TRI, /*IncludeSelf*/ true); AR.isValid();
*e57bf680SSanjoy Das       ++AR)
*e57bf680SSanjoy Das    if (MBB->isLiveIn(*AR))
*e57bf680SSanjoy Das      return true;
*e57bf680SSanjoy Das  return false;
*e57bf680SSanjoy Das}
*e57bf680SSanjoy Das
69fad079SSanjoy Das/// Analyze MBB to check if its terminating branch can be turned into an
69fad079SSanjoy Das/// implicit null check.  If yes, append a description of the said null check to
69fad079SSanjoy Das/// NullCheckList and return true, else return false.
69fad079SSanjoy Dasbool ImplicitNullChecks::analyzeBlockForNullChecks(
69fad079SSanjoy Das    MachineBasicBlock &MBB, SmallVectorImpl<NullCheck> &NullCheckList) {
69fad079SSanjoy Das  typedef TargetInstrInfo::MachineBranchPredicate MachineBranchPredicate;
69fad079SSanjoy Das
e8b81649SSanjoy Das  MDNode *BranchMD = nullptr;
e8b81649SSanjoy Das  if (auto *BB = MBB.getBasicBlock())
e8b81649SSanjoy Das    BranchMD = BB->getTerminator()->getMetadata(LLVMContext::MD_make_implicit);
e8b81649SSanjoy Das
9c41a93eSSanjoy Das  if (!BranchMD)
9c41a93eSSanjoy Das    return false;
9c41a93eSSanjoy Das
69fad079SSanjoy Das  MachineBranchPredicate MBP;
69fad079SSanjoy Das
69fad079SSanjoy Das  if (TII->AnalyzeBranchPredicate(MBB, MBP, true))
69fad079SSanjoy Das    return false;
69fad079SSanjoy Das
69fad079SSanjoy Das  // Is the predicate comparing an integer to zero?
69fad079SSanjoy Das  if (!(MBP.LHS.isReg() && MBP.RHS.isImm() && MBP.RHS.getImm() == 0 &&
69fad079SSanjoy Das        (MBP.Predicate == MachineBranchPredicate::PRED_NE ||
69fad079SSanjoy Das         MBP.Predicate == MachineBranchPredicate::PRED_EQ)))
69fad079SSanjoy Das    return false;
69fad079SSanjoy Das
69fad079SSanjoy Das  // If we cannot erase the test instruction itself, then making the null check
69fad079SSanjoy Das  // implicit does not buy us much.
69fad079SSanjoy Das  if (!MBP.SingleUseCondition)
69fad079SSanjoy Das    return false;
69fad079SSanjoy Das
69fad079SSanjoy Das  MachineBasicBlock *NotNullSucc, *NullSucc;
69fad079SSanjoy Das
69fad079SSanjoy Das  if (MBP.Predicate == MachineBranchPredicate::PRED_NE) {
69fad079SSanjoy Das    NotNullSucc = MBP.TrueDest;
69fad079SSanjoy Das    NullSucc = MBP.FalseDest;
69fad079SSanjoy Das  } else {
69fad079SSanjoy Das    NotNullSucc = MBP.FalseDest;
69fad079SSanjoy Das    NullSucc = MBP.TrueDest;
69fad079SSanjoy Das  }
69fad079SSanjoy Das
69fad079SSanjoy Das  // We handle the simplest case for now.  We can potentially do better by using
69fad079SSanjoy Das  // the machine dominator tree.
69fad079SSanjoy Das  if (NotNullSucc->pred_size() != 1)
69fad079SSanjoy Das    return false;
69fad079SSanjoy Das
69fad079SSanjoy Das  // Starting with a code fragment like:
69fad079SSanjoy Das  //
69fad079SSanjoy Das  //   test %RAX, %RAX
69fad079SSanjoy Das  //   jne LblNotNull
69fad079SSanjoy Das  //
69fad079SSanjoy Das  //  LblNull:
69fad079SSanjoy Das  //   callq throw_NullPointerException
69fad079SSanjoy Das  //
69fad079SSanjoy Das  //  LblNotNull:
b7718454SSanjoy Das  //   Inst0
b7718454SSanjoy Das  //   Inst1
b7718454SSanjoy Das  //   ...
69fad079SSanjoy Das  //   Def = Load (%RAX + <offset>)
69fad079SSanjoy Das  //   ...
69fad079SSanjoy Das  //
69fad079SSanjoy Das  //
69fad079SSanjoy Das  // we want to end up with
69fad079SSanjoy Das  //
ac9c5b19SSanjoy Das  //   Def = FaultingLoad (%RAX + <offset>), LblNull
69fad079SSanjoy Das  //   jmp LblNotNull ;; explicit or fallthrough
69fad079SSanjoy Das  //
69fad079SSanjoy Das  //  LblNotNull:
b7718454SSanjoy Das  //   Inst0
b7718454SSanjoy Das  //   Inst1
69fad079SSanjoy Das  //   ...
69fad079SSanjoy Das  //
69fad079SSanjoy Das  //  LblNull:
69fad079SSanjoy Das  //   callq throw_NullPointerException
69fad079SSanjoy Das  //
ac9c5b19SSanjoy Das  //
ac9c5b19SSanjoy Das  // To see why this is legal, consider the two possibilities:
ac9c5b19SSanjoy Das  //
ac9c5b19SSanjoy Das  //  1. %RAX is null: since we constrain <offset> to be less than PageSize, the
ac9c5b19SSanjoy Das  //     load instruction dereferences the null page, causing a segmentation
ac9c5b19SSanjoy Das  //     fault.
ac9c5b19SSanjoy Das  //
ac9c5b19SSanjoy Das  //  2. %RAX is not null: in this case we know that the load cannot fault, as
ac9c5b19SSanjoy Das  //     otherwise the load would've faulted in the original program too and the
ac9c5b19SSanjoy Das  //     original program would've been undefined.
ac9c5b19SSanjoy Das  //
ac9c5b19SSanjoy Das  // This reasoning cannot be extended to justify hoisting through arbitrary
ac9c5b19SSanjoy Das  // control flow.  For instance, in the example below (in pseudo-C)
ac9c5b19SSanjoy Das  //
ac9c5b19SSanjoy Das  //    if (ptr == null) { throw_npe(); unreachable; }
ac9c5b19SSanjoy Das  //    if (some_cond) { return 42; }
ac9c5b19SSanjoy Das  //    v = ptr->field;  // LD
ac9c5b19SSanjoy Das  //    ...
ac9c5b19SSanjoy Das  //
ac9c5b19SSanjoy Das  // we cannot (without code duplication) use the load marked "LD" to null check
ac9c5b19SSanjoy Das  // ptr -- clause (2) above does not apply in this case.  In the above program
ac9c5b19SSanjoy Das  // the safety of ptr->field can be dependent on some_cond; and, for instance,
ac9c5b19SSanjoy Das  // ptr could be some non-null invalid reference that never gets loaded from
ac9c5b19SSanjoy Das  // because some_cond is always true.
69fad079SSanjoy Das
69fad079SSanjoy Das  unsigned PointerReg = MBP.LHS.getReg();
b7718454SSanjoy Das
*e57bf680SSanjoy Das  HazardDetector HD(*TRI, *AA);
b7718454SSanjoy Das
b7718454SSanjoy Das  for (auto MII = NotNullSucc->begin(), MIE = NotNullSucc->end(); MII != MIE;
b7718454SSanjoy Das       ++MII) {
b7718454SSanjoy Das    MachineInstr *MI = &*MII;
c27a18f3SChad Rosier    unsigned BaseReg;
c27a18f3SChad Rosier    int64_t Offset;
*e57bf680SSanjoy Das    MachineInstr *Dependency = nullptr;
b7718454SSanjoy Das    if (TII->getMemOpBaseRegImmOfs(MI, BaseReg, Offset, TRI))
b7718454SSanjoy Das      if (MI->mayLoad() && !MI->isPredicable() && BaseReg == PointerReg &&
93d608c3SSanjoy Das          Offset < PageSize && MI->getDesc().getNumDefs() <= 1 &&
*e57bf680SSanjoy Das          HD.isSafeToHoist(MI, Dependency)) {
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        auto DependencyOperandIsOk = [&](MachineOperand &MO) {
*e57bf680SSanjoy Das          assert(!(MO.isReg() && MO.isUse()) &&
*e57bf680SSanjoy Das                 "No transitive dependendencies please!");
*e57bf680SSanjoy Das          if (!MO.isReg() || !MO.getReg() || !MO.isDef())
69fad079SSanjoy Das            return true;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das          // Make sure that we won't clobber any live ins to the sibling block
*e57bf680SSanjoy Das          // by hoisting Dependency.  For instance, we can't hoist INST to
*e57bf680SSanjoy Das          // before the null check (even if it safe, and does not violate any
*e57bf680SSanjoy Das          // dependencies in the non_null_block) if %rdx is live in to
*e57bf680SSanjoy Das          // _null_block.
*e57bf680SSanjoy Das          //
*e57bf680SSanjoy Das          //    test %rcx, %rcx
*e57bf680SSanjoy Das          //    je _null_block
*e57bf680SSanjoy Das          //  _non_null_block:
*e57bf680SSanjoy Das          //    %rdx<def> = INST
*e57bf680SSanjoy Das          //    ...
*e57bf680SSanjoy Das          if (AnyAliasLiveIn(TRI, NullSucc, MO.getReg()))
*e57bf680SSanjoy Das            return false;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das          // Make sure Dependency isn't re-defining the base register.  Then we
*e57bf680SSanjoy Das          // won't get the memory operation on the address we want.
*e57bf680SSanjoy Das          if (TRI->regsOverlap(MO.getReg(), BaseReg))
*e57bf680SSanjoy Das            return false;
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das          return true;
*e57bf680SSanjoy Das        };
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        bool DependencyOperandsAreOk =
*e57bf680SSanjoy Das            !Dependency ||
*e57bf680SSanjoy Das            all_of(Dependency->operands(), DependencyOperandIsOk);
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das        if (DependencyOperandsAreOk) {
*e57bf680SSanjoy Das          NullCheckList.emplace_back(MI, MBP.ConditionDef, &MBB, NotNullSucc,
*e57bf680SSanjoy Das                                     NullSucc, Dependency);
*e57bf680SSanjoy Das          return true;
*e57bf680SSanjoy Das        }
69fad079SSanjoy Das      }
69fad079SSanjoy Das
edc394f1SSanjoy Das    HD.rememberInstruction(MI);
edc394f1SSanjoy Das    if (HD.isClobbered())
b7718454SSanjoy Das      return false;
b7718454SSanjoy Das  }
b7718454SSanjoy Das
69fad079SSanjoy Das  return false;
69fad079SSanjoy Das}
69fad079SSanjoy Das
69fad079SSanjoy Das/// Wrap a machine load instruction, LoadMI, into a FAULTING_LOAD_OP machine
69fad079SSanjoy Das/// instruction.  The FAULTING_LOAD_OP instruction does the same load as LoadMI
4e1d389aSQuentin Colombet/// (defining the same register), and branches to HandlerMBB if the load
69fad079SSanjoy Das/// faults.  The FAULTING_LOAD_OP instruction is inserted at the end of MBB.
4e1d389aSQuentin ColombetMachineInstr *
4e1d389aSQuentin ColombetImplicitNullChecks::insertFaultingLoad(MachineInstr *LoadMI,
69fad079SSanjoy Das                                       MachineBasicBlock *MBB,
4e1d389aSQuentin Colombet                                       MachineBasicBlock *HandlerMBB) {
93d608c3SSanjoy Das  const unsigned NoRegister = 0; // Guaranteed to be the NoRegister value for
93d608c3SSanjoy Das                                 // all targets.
93d608c3SSanjoy Das
69fad079SSanjoy Das  DebugLoc DL;
69fad079SSanjoy Das  unsigned NumDefs = LoadMI->getDesc().getNumDefs();
93d608c3SSanjoy Das  assert(NumDefs <= 1 && "other cases unhandled!");
69fad079SSanjoy Das
93d608c3SSanjoy Das  unsigned DefReg = NoRegister;
93d608c3SSanjoy Das  if (NumDefs != 0) {
93d608c3SSanjoy Das    DefReg = LoadMI->defs().begin()->getReg();
69fad079SSanjoy Das    assert(std::distance(LoadMI->defs().begin(), LoadMI->defs().end()) == 1 &&
69fad079SSanjoy Das           "expected exactly one def!");
93d608c3SSanjoy Das  }
69fad079SSanjoy Das
69fad079SSanjoy Das  auto MIB = BuildMI(MBB, DL, TII->get(TargetOpcode::FAULTING_LOAD_OP), DefReg)
4e1d389aSQuentin Colombet                 .addMBB(HandlerMBB)
69fad079SSanjoy Das                 .addImm(LoadMI->getOpcode());
69fad079SSanjoy Das
69fad079SSanjoy Das  for (auto &MO : LoadMI->uses())
69fad079SSanjoy Das    MIB.addOperand(MO);
69fad079SSanjoy Das
69fad079SSanjoy Das  MIB.setMemRefs(LoadMI->memoperands_begin(), LoadMI->memoperands_end());
69fad079SSanjoy Das
69fad079SSanjoy Das  return MIB;
69fad079SSanjoy Das}
69fad079SSanjoy Das
69fad079SSanjoy Das/// Rewrite the null checks in NullCheckList into implicit null checks.
69fad079SSanjoy Dasvoid ImplicitNullChecks::rewriteNullChecks(
69fad079SSanjoy Das    ArrayRef<ImplicitNullChecks::NullCheck> NullCheckList) {
69fad079SSanjoy Das  DebugLoc DL;
69fad079SSanjoy Das
69fad079SSanjoy Das  for (auto &NC : NullCheckList) {
69fad079SSanjoy Das    // Remove the conditional branch dependent on the null check.
e173b9aeSSanjoy Das    unsigned BranchesRemoved = TII->RemoveBranch(*NC.getCheckBlock());
69fad079SSanjoy Das    (void)BranchesRemoved;
69fad079SSanjoy Das    assert(BranchesRemoved > 0 && "expected at least one branch!");
69fad079SSanjoy Das
*e57bf680SSanjoy Das    if (auto *DepMI = NC.getOnlyDependency()) {
*e57bf680SSanjoy Das      DepMI->removeFromParent();
*e57bf680SSanjoy Das      NC.getCheckBlock()->insert(NC.getCheckBlock()->end(), DepMI);
*e57bf680SSanjoy Das    }
*e57bf680SSanjoy Das
69fad079SSanjoy Das    // Insert a faulting load where the conditional branch was originally.  We
69fad079SSanjoy Das    // check earlier ensures that this bit of code motion is legal.  We do not
69fad079SSanjoy Das    // touch the successors list for any basic block since we haven't changed
69fad079SSanjoy Das    // control flow, we've just made it implicit.
e173b9aeSSanjoy Das    MachineInstr *FaultingLoad = insertFaultingLoad(
e173b9aeSSanjoy Das        NC.getMemOperation(), NC.getCheckBlock(), NC.getNullSucc());
26dab3a4SQuentin Colombet    // Now the values defined by MemOperation, if any, are live-in of
26dab3a4SQuentin Colombet    // the block of MemOperation.
26dab3a4SQuentin Colombet    // The original load operation may define implicit-defs alongside
26dab3a4SQuentin Colombet    // the loaded value.
e173b9aeSSanjoy Das    MachineBasicBlock *MBB = NC.getMemOperation()->getParent();
26dab3a4SQuentin Colombet    for (const MachineOperand &MO : FaultingLoad->operands()) {
26dab3a4SQuentin Colombet      if (!MO.isReg() || !MO.isDef())
26dab3a4SQuentin Colombet        continue;
26dab3a4SQuentin Colombet      unsigned Reg = MO.getReg();
26dab3a4SQuentin Colombet      if (!Reg || MBB->isLiveIn(Reg))
26dab3a4SQuentin Colombet        continue;
12b69919SQuentin Colombet      MBB->addLiveIn(Reg);
12b69919SQuentin Colombet    }
*e57bf680SSanjoy Das
*e57bf680SSanjoy Das    if (auto *DepMI = NC.getOnlyDependency()) {
*e57bf680SSanjoy Das      for (auto &MO : DepMI->operands()) {
*e57bf680SSanjoy Das        if (!MO.isReg() || !MO.getReg() || !MO.isDef())
*e57bf680SSanjoy Das          continue;
*e57bf680SSanjoy Das        if (!NC.getNotNullSucc()->isLiveIn(MO.getReg()))
*e57bf680SSanjoy Das          NC.getNotNullSucc()->addLiveIn(MO.getReg());
*e57bf680SSanjoy Das      }
*e57bf680SSanjoy Das    }
*e57bf680SSanjoy Das
e173b9aeSSanjoy Das    NC.getMemOperation()->eraseFromParent();
e173b9aeSSanjoy Das    NC.getCheckOperation()->eraseFromParent();
69fad079SSanjoy Das
69fad079SSanjoy Das    // Insert an *unconditional* branch to not-null successor.
e173b9aeSSanjoy Das    TII->InsertBranch(*NC.getCheckBlock(), NC.getNotNullSucc(), nullptr,
e173b9aeSSanjoy Das                      /*Cond=*/None, DL);
69fad079SSanjoy Das
8ee6a30bSSanjoy Das    NumImplicitNullChecks++;
69fad079SSanjoy Das  }
69fad079SSanjoy Das}
69fad079SSanjoy Das
69fad079SSanjoy Daschar ImplicitNullChecks::ID = 0;
69fad079SSanjoy Daschar &llvm::ImplicitNullChecksID = ImplicitNullChecks::ID;
69fad079SSanjoy DasINITIALIZE_PASS_BEGIN(ImplicitNullChecks, "implicit-null-checks",
69fad079SSanjoy Das                      "Implicit null checks", false, false)
*e57bf680SSanjoy DasINITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass)
69fad079SSanjoy DasINITIALIZE_PASS_END(ImplicitNullChecks, "implicit-null-checks",
69fad079SSanjoy Das                    "Implicit null checks", false, false)