LLVM  10.0.0svn
BoundsChecking.cpp
Go to the documentation of this file.
1 //===- BoundsChecking.cpp - Instrumentation for run-time bounds checking --===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
9 #include "llvm/Transforms/Instrumentation/BoundsChecking.h"
10 #include "llvm/ADT/Statistic.h"
11 #include "llvm/ADT/Twine.h"
12 #include "llvm/Analysis/MemoryBuiltins.h"
13 #include "llvm/Analysis/ScalarEvolution.h"
14 #include "llvm/Analysis/TargetFolder.h"
15 #include "llvm/Analysis/TargetLibraryInfo.h"
16 #include "llvm/IR/BasicBlock.h"
17 #include "llvm/IR/Constants.h"
18 #include "llvm/IR/DataLayout.h"
19 #include "llvm/IR/Function.h"
20 #include "llvm/IR/IRBuilder.h"
21 #include "llvm/IR/InstIterator.h"
22 #include "llvm/IR/InstrTypes.h"
23 #include "llvm/IR/Instruction.h"
24 #include "llvm/IR/Instructions.h"
25 #include "llvm/IR/Intrinsics.h"
26 #include "llvm/IR/Value.h"
27 #include "llvm/Pass.h"
28 #include "llvm/Support/Casting.h"
29 #include "llvm/Support/CommandLine.h"
30 #include "llvm/Support/Debug.h"
31 #include "llvm/Support/ErrorHandling.h"
32 #include "llvm/Support/raw_ostream.h"
33 #include <cstdint>
34 #include <vector>
35 
36 using namespace llvm;
37 
38 #define DEBUG_TYPE "bounds-checking"
39 
40 static cl::opt<bool> SingleTrapBB("bounds-checking-single-trap",
41  cl::desc("Use one trap block per function"));
42 
43 STATISTIC(ChecksAdded, "Bounds checks added");
44 STATISTIC(ChecksSkipped, "Bounds checks skipped");
45 STATISTIC(ChecksUnable, "Bounds checks unable to add");
46 
47 using BuilderTy = IRBuilder<TargetFolder>;
48 
49 /// Gets the conditions under which memory accessing instructions will overflow.
50 ///
51 /// \p Ptr is the pointer that will be read/written, and \p InstVal is either
52 /// the result from the load or the value being stored. It is used to determine
53 /// the size of memory block that is touched.
54 ///
55 /// Returns the condition under which the access will overflow.
56 static Value *getBoundsCheckCond(Value *Ptr, Value *InstVal,
57  const DataLayout &DL, TargetLibraryInfo &TLI,
58  ObjectSizeOffsetEvaluator &ObjSizeEval,
59  BuilderTy &IRB, ScalarEvolution &SE) {
60  uint64_t NeededSize = DL.getTypeStoreSize(InstVal->getType());
61  LLVM_DEBUG(dbgs() << "Instrument " << *Ptr << " for " << Twine(NeededSize)
62  << " bytes\n");
63 
64  SizeOffsetEvalType SizeOffset = ObjSizeEval.compute(Ptr);
65 
66  if (!ObjSizeEval.bothKnown(SizeOffset)) {
67  ++ChecksUnable;
68  return nullptr;
69  }
70 
71  Value *Size = SizeOffset.first;
72  Value *Offset = SizeOffset.second;
73  ConstantInt *SizeCI = dyn_cast<ConstantInt>(Size);
74 
75  Type *IntTy = DL.getIntPtrType(Ptr->getType());
76  Value *NeededSizeVal = ConstantInt::get(IntTy, NeededSize);
77 
78  auto SizeRange = SE.getUnsignedRange(SE.getSCEV(Size));
79  auto OffsetRange = SE.getUnsignedRange(SE.getSCEV(Offset));
80  auto NeededSizeRange = SE.getUnsignedRange(SE.getSCEV(NeededSizeVal));
81 
82  // three checks are required to ensure safety:
83  // . Offset >= 0 (since the offset is given from the base ptr)
84  // . Size >= Offset (unsigned)
85  // . Size - Offset >= NeededSize (unsigned)
86  //
87  // optimization: if Size >= 0 (signed), skip 1st check
88  // FIXME: add NSW/NUW here? -- we dont care if the subtraction overflows
89  Value *ObjSize = IRB.CreateSub(Size, Offset);
90  Value *Cmp2 = SizeRange.getUnsignedMin().uge(OffsetRange.getUnsignedMax())
91  ? ConstantInt::getFalse(Ptr->getContext())
92  : IRB.CreateICmpULT(Size, Offset);
93  Value *Cmp3 = SizeRange.sub(OffsetRange)
94  .getUnsignedMin()
95  .uge(NeededSizeRange.getUnsignedMax())
96  ? ConstantInt::getFalse(Ptr->getContext())
97  : IRB.CreateICmpULT(ObjSize, NeededSizeVal);
98  Value *Or = IRB.CreateOr(Cmp2, Cmp3);
99  if ((!SizeCI || SizeCI->getValue().slt(0)) &&
100  !SizeRange.getSignedMin().isNonNegative()) {
101  Value *Cmp1 = IRB.CreateICmpSLT(Offset, ConstantInt::get(IntTy, 0));
102  Or = IRB.CreateOr(Cmp1, Or);
103  }
104 
105  return Or;
106 }
107 
108 /// Adds run-time bounds checks to memory accessing instructions.
109 ///
110 /// \p Or is the condition that should guard the trap.
111 ///
112 /// \p GetTrapBB is a callable that returns the trap BB to use on failure.
113 template <typename GetTrapBBT>
114 static void insertBoundsCheck(Value *Or, BuilderTy IRB, GetTrapBBT GetTrapBB) {
115  // check if the comparison is always false
116  ConstantInt *C = dyn_cast_or_null<ConstantInt>(Or);
117  if (C) {
118  ++ChecksSkipped;
119  // If non-zero, nothing to do.
120  if (!C->getZExtValue())
121  return;
122  }
123  ++ChecksAdded;
124 
125  BasicBlock::iterator SplitI = IRB.GetInsertPoint();
126  BasicBlock *OldBB = SplitI->getParent();
127  BasicBlock *Cont = OldBB->splitBasicBlock(SplitI);
128  OldBB->getTerminator()->eraseFromParent();
129 
130  if (C) {
131  // If we have a constant zero, unconditionally branch.
132  // FIXME: We should really handle this differently to bypass the splitting
133  // the block.
134  BranchInst::Create(GetTrapBB(IRB), OldBB);
135  return;
136  }
137 
138  // Create the conditional branch.
139  BranchInst::Create(GetTrapBB(IRB), Cont, Or, OldBB);
140 }
141 
142 static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI,
143  ScalarEvolution &SE) {
144  const DataLayout &DL = F.getParent()->getDataLayout();
145  ObjectSizeOpts EvalOpts;
146  EvalOpts.RoundToAlign = true;
147  ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts);
148 
149  // check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory
150  // touching instructions
151  SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo;
152  for (Instruction &I : instructions(F)) {
153  Value *Or = nullptr;
154  BuilderTy IRB(I.getParent(), BasicBlock::iterator(&I), TargetFolder(DL));
155  if (LoadInst *LI = dyn_cast<LoadInst>(&I)) {
156  Or = getBoundsCheckCond(LI->getPointerOperand(), LI, DL, TLI,
157  ObjSizeEval, IRB, SE);
158  } else if (StoreInst *SI = dyn_cast<StoreInst>(&I)) {
159  Or = getBoundsCheckCond(SI->getPointerOperand(), SI->getValueOperand(),
160  DL, TLI, ObjSizeEval, IRB, SE);
161  } else if (AtomicCmpXchgInst *AI = dyn_cast<AtomicCmpXchgInst>(&I)) {
162  Or = getBoundsCheckCond(AI->getPointerOperand(), AI->getCompareOperand(),
163  DL, TLI, ObjSizeEval, IRB, SE);
164  } else if (AtomicRMWInst *AI = dyn_cast<AtomicRMWInst>(&I)) {
165  Or = getBoundsCheckCond(AI->getPointerOperand(), AI->getValOperand(), DL,
166  TLI, ObjSizeEval, IRB, SE);
167  }
168  if (Or)
169  TrapInfo.push_back(std::make_pair(&I, Or));
170  }
171 
172  // Create a trapping basic block on demand using a callback. Depending on
173  // flags, this will either create a single block for the entire function or
174  // will create a fresh block every time it is called.
175  BasicBlock *TrapBB = nullptr;
176  auto GetTrapBB = [&TrapBB](BuilderTy &IRB) {
177  if (TrapBB && SingleTrapBB)
178  return TrapBB;
179 
180  Function *Fn = IRB.GetInsertBlock()->getParent();
181  // FIXME: This debug location doesn't make a lot of sense in the
182  // `SingleTrapBB` case.
183  auto DebugLoc = IRB.getCurrentDebugLocation();
184  IRBuilder<>::InsertPointGuard Guard(IRB);
185  TrapBB = BasicBlock::Create(Fn->getContext(), "trap", Fn);
186  IRB.SetInsertPoint(TrapBB);
187 
188  auto *F = Intrinsic::getDeclaration(Fn->getParent(), Intrinsic::trap);
189  CallInst *TrapCall = IRB.CreateCall(F, {});
190  TrapCall->setDoesNotReturn();
191  TrapCall->setDoesNotThrow();
192  TrapCall->setDebugLoc(DebugLoc);
193  IRB.CreateUnreachable();
194 
195  return TrapBB;
196  };
197 
198  // Add the checks.
199  for (const auto &Entry : TrapInfo) {
200  Instruction *Inst = Entry.first;
201  BuilderTy IRB(Inst->getParent(), BasicBlock::iterator(Inst), TargetFolder(DL));
202  insertBoundsCheck(Entry.second, IRB, GetTrapBB);
203  }
204 
205  return !TrapInfo.empty();
206 }
207 
208 PreservedAnalyses BoundsCheckingPass::run(Function &F, FunctionAnalysisManager &AM) {
209  auto &TLI = AM.getResult<TargetLibraryAnalysis>(F);
210  auto &SE = AM.getResult<ScalarEvolutionAnalysis>(F);
211 
212  if (!addBoundsChecking(F, TLI, SE))
213  return PreservedAnalyses::all();
214 
215  return PreservedAnalyses::none();
216 }
217 
218 namespace {
219 struct BoundsCheckingLegacyPass : public FunctionPass {
220  static char ID;
221 
222  BoundsCheckingLegacyPass() : FunctionPass(ID) {
223  initializeBoundsCheckingLegacyPassPass(*PassRegistry::getPassRegistry());
224  }
225 
226  bool runOnFunction(Function &F) override {
227  auto &TLI = getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(F);
228  auto &SE = getAnalysis<ScalarEvolutionWrapperPass>().getSE();
229  return addBoundsChecking(F, TLI, SE);
230  }
231 
232  void getAnalysisUsage(AnalysisUsage &AU) const override {
233  AU.addRequired<TargetLibraryInfoWrapperPass>();
234  AU.addRequired<ScalarEvolutionWrapperPass>();
235  }
236 };
237 } // namespace
238 
239 char BoundsCheckingLegacyPass::ID = 0;
240 INITIALIZE_PASS_BEGIN(BoundsCheckingLegacyPass, "bounds-checking",
241  "Run-time bounds checking", false, false)
242 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
243 INITIALIZE_PASS_END(BoundsCheckingLegacyPass, "bounds-checking",
244  "Run-time bounds checking", false, false)
245 
246 FunctionPass *llvm::createBoundsCheckingLegacyPass() {
247  return new BoundsCheckingLegacyPass();
248 }
C
uint64_t CallInst * C
Definition: NVVMIntrRange.cpp:66
llvm::Instruction::eraseFromParent
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks &#39;this&#39; from the containing basic block and deletes it.
Definition: Instruction.cpp:67
llvm::DataLayout
A parsed version of the target data layout string in and methods for querying it. ...
Definition: DataLayout.h:111
llvm::ConstantInt::getFalse
static ConstantInt * getFalse(LLVMContext &Context)
Definition: Constants.cpp:616
llvm::PassRegistry::getPassRegistry
static PassRegistry * getPassRegistry()
getPassRegistry - Access the global registry object, which is automatically initialized at applicatio...
Definition: PassRegistry.cpp:31
INITIALIZE_PASS_BEGIN
INITIALIZE_PASS_BEGIN(BoundsCheckingLegacyPass, "bounds-checking", "Run-time bounds checking", false, false) INITIALIZE_PASS_END(BoundsCheckingLegacyPass
llvm::AnalysisManager::getResult
PassT::Result & getResult(IRUnitT &IR, ExtraArgTs... ExtraArgs)
Get the result of an analysis pass for a given IR unit.
Definition: PassManager.h:776
llvm
This class represents lattice values for constants.
Definition: AllocatorList.h:23
llvm::IRBuilder::CreateICmpULT
Value * CreateICmpULT(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2118
llvm::AtomicCmpXchgInst
An instruction that atomically checks whether a specified value is in a memory location, and, if it is, stores a new value there.
Definition: Instructions.h:530
llvm::SizeOffsetEvalType
std::pair< Value *, Value * > SizeOffsetEvalType
Definition: MemoryBuiltins.h:280
llvm::ScalarEvolution
The main scalar evolution driver.
Definition: ScalarEvolution.h:470
llvm::IRBuilder::CreateICmpSLT
Value * CreateICmpSLT(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2134
llvm::APInt::slt
bool slt(const APInt &RHS) const
Signed less than comparison.
Definition: APInt.h:1203
llvm::CallInst
This class represents a function call, abstracting a target machine&#39;s calling convention.
Definition: Instructions.h:1394
llvm::ObjectSizeOpts::RoundToAlign
bool RoundToAlign
Whether to round the result up to the alignment of allocas, byval arguments, and global variables...
Definition: MemoryBuiltins.h:198
llvm::Value::getContext
LLVMContext & getContext() const
All values hold a context through their type.
Definition: Value.cpp:733
llvm::STATISTIC
STATISTIC(NumFunctions, "Total number of functions")
llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33
F
F(f)
llvm::LoadInst
An instruction for reading from memory.
Definition: Instructions.h:167
llvm::AtomicRMWInst
an instruction that atomically reads a memory location, combines it with another value, and then stores the result back.
Definition: Instructions.h:693
llvm::BasicBlock::getTerminator
const Instruction * getTerminator() const LLVM_READONLY
Returns the terminator instruction if the block is well formed or null if the block is not well forme...
Definition: BasicBlock.cpp:144
llvm::createBoundsCheckingLegacyPass
FunctionPass * createBoundsCheckingLegacyPass()
Legacy pass creation function for the above pass.
Definition: BoundsChecking.cpp:246
llvm::AnalysisUsage::addRequired
AnalysisUsage & addRequired()
Definition: PassAnalysisSupport.h:65
INITIALIZE_PASS_DEPENDENCY
#define INITIALIZE_PASS_DEPENDENCY(depName)
Definition: PassSupport.h:50
llvm::Module::getDataLayout
const DataLayout & getDataLayout() const
Get the data layout for the module&#39;s target platform.
Definition: Module.cpp:369
llvm::Twine
Twine - A lightweight data structure for efficiently representing the concatenation of temporary valu...
Definition: Twine.h:80
SingleTrapBB
static cl::opt< bool > SingleTrapBB("bounds-checking-single-trap", cl::desc("Use one trap block per function"))
insertBoundsCheck
static void insertBoundsCheck(Value *Or, BuilderTy IRB, GetTrapBBT GetTrapBB)
Adds run-time bounds checks to memory accessing instructions.
Definition: BoundsChecking.cpp:114
llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:245
llvm::ObjectSizeOffsetEvaluator
Evaluate the size and offset of an object pointed to by a Value*.
Definition: MemoryBuiltins.h:284
llvm::ConstantInt::getValue
const APInt & getValue() const
Return the constant as an APInt value reference.
Definition: Constants.h:137
llvm::TargetFolder
TargetFolder - Create constants with target dependent folding.
Definition: TargetFolder.h:31
llvm::IRBuilder::CreateSub
Value * CreateSub(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1135
llvm::StoreInst
An instruction for storing to memory.
Definition: Instructions.h:320
llvm::Intrinsic::getDeclaration
Function * getDeclaration(Module *M, ID id, ArrayRef< Type *> Tys=None)
Create or insert an LLVM Function declaration for an intrinsic, and return it.
Definition: Function.cpp:1079
llvm::PreservedAnalyses::none
static PreservedAnalyses none()
Convenience factory function for the empty preserved set.
Definition: PassManager.h:156
llvm::IRBuilder::CreateOr
Value * CreateOr(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1294
llvm::DataLayout::getIntPtrType
IntegerType * getIntPtrType(LLVMContext &C, unsigned AddressSpace=0) const
Returns an integer type with size at least as big as that of a pointer in the given address space...
Definition: DataLayout.cpp:774
runOnFunction
static bool runOnFunction(Function &F, bool PostInlining)
Definition: EntryExitInstrumenter.cpp:65
llvm::ConstantInt::getZExtValue
uint64_t getZExtValue() const
Return the constant as a 64-bit unsigned integer value after it has been zero extended as appropriate...
Definition: Constants.h:148
llvm::PreservedAnalyses
A set of analyses that are preserved following a run of a transformation pass.
Definition: PassManager.h:153
llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:57
llvm::Type
The instances of the Type class are immutable: once they are created, they are never changed...
Definition: Type.h:45
Constants.h
This file contains the declarations for the subclasses of Constant, which represent the different fla...
addBoundsChecking
static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI, ScalarEvolution &SE)
Definition: BoundsChecking.cpp:142
llvm::AnalysisUsage
Represent the analysis usage information of a pass.
Definition: PassAnalysisSupport.h:42
getBoundsCheckCond
static Value * getBoundsCheckCond(Value *Ptr, Value *InstVal, const DataLayout &DL, TargetLibraryInfo &TLI, ObjectSizeOffsetEvaluator &ObjSizeEval, BuilderTy &IRB, ScalarEvolution &SE)
Gets the conditions under which memory accessing instructions will overflow.
Definition: BoundsChecking.cpp:56
llvm::FunctionPass
FunctionPass class - This class is used to implement most global optimizations.
Definition: Pass.h:284
checking
bounds checking
Definition: BoundsChecking.cpp:243
llvm::BasicBlock::Create
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:99
llvm::Function::getContext
LLVMContext & getContext() const
getContext - Return a reference to the LLVMContext associated with this function. ...
Definition: Function.cpp:205
llvm::PreservedAnalyses::all
static PreservedAnalyses all()
Construct a special preserved set that preserves all passes.
Definition: PassManager.h:159
INITIALIZE_PASS_END
INITIALIZE_PASS_END(RegBankSelect, DEBUG_TYPE, "Assign register bank of generic virtual registers", false, false) RegBankSelect
Definition: RegBankSelect.cpp:68
llvm::ilist_iterator
Iterator for intrusive lists based on ilist_node.
Definition: ilist_iterator.h:57
llvm::ConstantInt
This is the shared class of boolean and integer constants.
Definition: Constants.h:83
llvm::SmallVector
This is a &#39;vector&#39; (really, a variable-sized array), optimized for the case when the array is small...
Definition: SmallVector.h:837
llvm::TargetLibraryInfo
Provides information about what library functions are available for the current target.
Definition: TargetLibraryInfo.h:207
llvm::ConstantInt::get
static Constant * get(Type *Ty, uint64_t V, bool isSigned=false)
If Ty is a vector type, return a Constant with a splat of the given value.
Definition: Constants.cpp:653
llvm::BranchInst::Create
static BranchInst * Create(BasicBlock *IfTrue, Instruction *InsertBefore=nullptr)
Definition: Instructions.h:3025
llvm::dbgs
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Definition: Debug.cpp:132
llvm::BoundsCheckingPass::run
PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM)
Definition: BoundsChecking.cpp:208
llvm::BasicBlock::iterator
InstListType::iterator iterator
Instruction iterators...
Definition: BasicBlock.h:89
llvm::ScalarEvolutionAnalysis
Analysis pass that exposes the ScalarEvolution for a function.
Definition: ScalarEvolution.h:1919
llvm::ObjectSizeOffsetEvaluator::compute
SizeOffsetEvalType compute(Value *V)
Definition: MemoryBuiltins.cpp:835
I
#define I(x, y, z)
Definition: MD5.cpp:58
llvm::initializeBoundsCheckingLegacyPassPass
void initializeBoundsCheckingLegacyPassPass(PassRegistry &)
llvm::dyn_cast
LLVM_NODISCARD std::enable_if<!is_simple_type< Y >::value, typename cast_retty< X, const Y >::ret_type >::type dyn_cast(const Y &Val)
Definition: Casting.h:332
Size
uint32_t Size
Definition: Profile.cpp:46
llvm::BasicBlock::splitBasicBlock
BasicBlock * splitBasicBlock(iterator I, const Twine &BBName="")
Split the basic block into two basic blocks at the specified instruction.
Definition: BasicBlock.cpp:414
llvm::CallBase::setDoesNotReturn
void setDoesNotReturn()
Definition: InstrTypes.h:1675
llvm::TargetLibraryAnalysis
Analysis pass providing the TargetLibraryInfo.
Definition: TargetLibraryInfo.h:346
llvm::ScalarEvolution::getUnsignedRange
ConstantRange getUnsignedRange(const SCEV *S)
Determine the unsigned range for a particular SCEV.
Definition: ScalarEvolution.h:831
llvm::GlobalValue::getParent
Module * getParent()
Get the module that this global value is contained inside of...
Definition: GlobalValue.h:575
llvm::Value
LLVM Value Representation.
Definition: Value.h:73
llvm::ScalarEvolution::getSCEV
const SCEV * getSCEV(Value *V)
Return a SCEV expression for the full generality of the specified expression.
Definition: ScalarEvolution.cpp:3896
llvm::DataLayout::getTypeStoreSize
uint64_t getTypeStoreSize(Type *Ty) const
Returns the maximum number of bytes that may be overwritten by storing the specified type...
Definition: DataLayout.h:445
llvm::IRBuilderBase::GetInsertPoint
BasicBlock::iterator GetInsertPoint() const
Definition: IRBuilder.h:127
llvm::ObjectSizeOpts
Various options to control the behavior of getObjectSize.
Definition: MemoryBuiltins.h:182
llvm::instructions
inst_range instructions(Function *F)
Definition: InstIterator.h:133
llvm::AnalysisManager
A container for analyses that lazily runs them and caches their results.
Definition: InstructionSimplify.h:41
raw_ostream.h
LLVM_DEBUG
#define LLVM_DEBUG(X)
Definition: Debug.h:122
llvm::ObjectSizeOffsetEvaluator::bothKnown
bool bothKnown(SizeOffsetEvalType SizeOffset)
Definition: MemoryBuiltins.h:326
llvm::Instruction::getParent
const BasicBlock * getParent() const
Definition: Instruction.h:66
Generated on Mon Sep 23 2019 00:39:54 for LLVM by   doxygen 1.8.13