| blob | 72ccb3c8c6b5f4b3bf2a8dcd7182f655538b7afa |
2 /*--------------------------------------------------------------------*/
3 /*--- Instrument IR to perform memory checking operations. ---*/
4 /*--- mc_translate.c ---*/
5 /*--------------------------------------------------------------------*/
7 /*
8 This file is part of MemCheck, a heavyweight Valgrind tool for
9 detecting memory errors.
11 Copyright (C) 2000-2017 Julian Seward
12 jseward@acm.org
14 This program is free software; you can redistribute it and/or
15 modify it under the terms of the GNU General Public License as
16 published by the Free Software Foundation; either version 2 of the
17 License, or (at your option) any later version.
19 This program is distributed in the hope that it will be useful, but
20 WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, see <http://www.gnu.org/licenses/>.
27 The GNU General Public License is contained in the file COPYING.
28 */
44 /* FIXMEs JRS 2011-June-16.
46 Check the interpretation for vector narrowing and widening ops,
47 particularly the saturating ones. I suspect they are either overly
48 pessimistic and/or wrong.
50 Iop_QandSQsh64x2 and friends (vector-by-vector bidirectional
51 saturating shifts): the interpretation is overly pessimistic.
52 See comments on the relevant cases below for details.
54 Iop_Sh64Sx2 and friends (vector-by-vector bidirectional shifts,
55 both rounding and non-rounding variants): ditto
56 */
58 /* This file implements the Memcheck instrumentation, and in
59 particular contains the core of its undefined value detection
60 machinery. For a comprehensive background of the terminology,
61 algorithms and rationale used herein, read:
63 Using Valgrind to detect undefined value errors with
64 bit-precision
66 Julian Seward and Nicholas Nethercote
68 2005 USENIX Annual Technical Conference (General Track),
69 Anaheim, CA, USA, April 10-15, 2005.
71 ----
73 Here is as good a place as any to record exactly when V bits are and
74 should be checked, why, and what function is responsible.
77 Memcheck complains when an undefined value is used:
79 1. In the condition of a conditional branch. Because it could cause
80 incorrect control flow, and thus cause incorrect externally-visible
81 behaviour. [mc_translate.c:complainIfUndefined]
83 2. As an argument to a system call, or as the value that specifies
84 the system call number. Because it could cause an incorrect
85 externally-visible side effect. [mc_translate.c:mc_pre_reg_read]
87 3. As the address in a load or store. Because it could cause an
88 incorrect value to be used later, which could cause externally-visible
89 behaviour (eg. via incorrect control flow or an incorrect system call
90 argument) [complainIfUndefined]
92 4. As the target address of a branch. Because it could cause incorrect
93 control flow. [complainIfUndefined]
95 5. As an argument to setenv, unsetenv, or putenv. Because it could put
96 an incorrect value into the external environment.
97 [mc_replace_strmem.c:VG_WRAP_FUNCTION_ZU(*, *env)]
99 6. As the index in a GETI or PUTI operation. I'm not sure why... (njn).
100 [complainIfUndefined]
102 7. As an argument to the VALGRIND_CHECK_MEM_IS_DEFINED and
103 VALGRIND_CHECK_VALUE_IS_DEFINED client requests. Because the user
104 requested it. [in memcheck.h]
107 Memcheck also complains, but should not, when an undefined value is used:
109 8. As the shift value in certain SIMD shift operations (but not in the
110 standard integer shift operations). This inconsistency is due to
111 historical reasons.) [complainIfUndefined]
114 Memcheck does not complain, but should, when an undefined value is used:
116 9. As an input to a client request. Because the client request may
117 affect the visible behaviour -- see bug #144362 for an example
118 involving the malloc replacements in vg_replace_malloc.c and
119 VALGRIND_NON_SIMD_CALL* requests, where an uninitialised argument
120 isn't identified. That bug report also has some info on how to solve
121 the problem. [valgrind.h:VALGRIND_DO_CLIENT_REQUEST]
124 In practice, 1 and 2 account for the vast majority of cases.
125 */
127 /* Generation of addr-definedness, addr-validity and
128 guard-definedness checks pertaining to loads and stores (Iex_Load,
129 Ist_Store, IRLoadG, IRStoreG, LLSC, CAS and Dirty memory
130 loads/stores) was re-checked 11 May 2013. */
133 /*------------------------------------------------------------*/
134 /*--- Forward decls ---*/
135 /*------------------------------------------------------------*/
139 // See below for comments explaining what this is for.
140 typedef
142 HowUsed;
152 /*------------------------------------------------------------*/
153 /*--- Memcheck running state, and tmp management. ---*/
154 /*------------------------------------------------------------*/
156 /* For a few (maybe 1%) IROps, we have both a cheaper, less exact vbit
157 propagation scheme, and a more expensive, more precise vbit propagation
158 scheme. This enum describes, for such an IROp, which scheme to use. */
159 typedef
161 // Use the cheaper, less-exact variant.
163 // Choose between cheap and expensive based on analysis of the block
164 // to be instrumented. Note that the choice may be done on a
165 // per-instance basis of the IROp that this DetailLevel describes.
166 DLauto,
167 // Use the more expensive, more-exact variant.
168 DLexpensive
169 }
170 DetailLevel;
173 /* A readonly part of the running state. For IROps that have both a
174 less-exact and more-exact interpretation, records which interpretation is
175 to be used. */
176 typedef
178 // For Add32/64 and Sub32/64, all 3 settings are allowed. For the
179 // DLauto case, a per-instance decision is to be made by inspecting
180 // the associated tmp's entry in MCEnv.tmpHowUsed.
181 DetailLevel dl_Add32;
182 DetailLevel dl_Add64;
183 DetailLevel dl_Sub32;
184 DetailLevel dl_Sub64;
185 // For Cmp{EQ,NE}{64,32,16,8}, only DLcheap and DLexpensive are
186 // allowed.
187 DetailLevel dl_CmpEQ64_CmpNE64;
188 DetailLevel dl_CmpEQ32_CmpNE32;
189 DetailLevel dl_CmpEQ16_CmpNE16;
190 DetailLevel dl_CmpEQ8_CmpNE8;
191 }
192 DetailLevelByOp;
195 DetailLevel dl )
196 {
205 }
208 {
221 }
224 DetailLevel dl )
225 {
236 }
239 /* Carries info about a particular tmp. The tmp's number is not
240 recorded, as this is implied by (equal to) its index in the tmpMap
241 in MCEnv. The tmp's type is also not recorded, as this is present
242 in MCEnv.sb->tyenv.
244 When .kind is Orig, .shadowV and .shadowB may give the identities
245 of the temps currently holding the associated definedness (shadowV)
246 and origin (shadowB) values, or these may be IRTemp_INVALID if code
247 to compute such values has not yet been emitted.
249 When .kind is VSh or BSh then the tmp is holds a V- or B- value,
250 and so .shadowV and .shadowB must be IRTemp_INVALID, since it is
251 illogical for a shadow tmp itself to be shadowed.
252 */
253 typedef
255 TempKind;
257 typedef
259 TempKind kind;
260 IRTemp shadowV;
261 IRTemp shadowB;
262 }
263 TempMapEnt;
266 /* A |HowUsed| value carries analysis results about how values are used,
267 pertaining to whether we need to instrument integer adds expensively or
268 not. The running state carries a (readonly) mapping from original tmp to
269 a HowUsed value for it. A usage value can be one of three values,
270 forming a 3-point chain lattice.
272 HuOth ("Other") used in some arbitrary way
273 |
274 HuPCa ("PCast") used *only* in effectively a PCast, in which all
275 | we care about is the all-defined vs not-all-defined distinction
276 |
277 HuUnU ("Unused") not used at all.
279 The "safe" (don't-know) end of the lattice is "HuOth". See comments
280 below in |preInstrumentationAnalysis| for further details.
281 */
282 /* DECLARED ABOVE:
283 typedef
284 enum __attribute__((packed)) { HuUnU=0, HuPCa=1, HuOth=2 }
285 HowUsed;
286 */
288 // Not actually necessary, but we don't want to waste D1 space.
292 /* Carries around state during memcheck instrumentation. */
293 typedef
295 /* MODIFIED: the superblock being constructed. IRStmts are
296 added. */
298 Bool trace;
300 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
301 current kind and possibly shadow temps for each temp in the
302 IRSB being constructed. Note that it does not contain the
303 type of each tmp. If you want to know the type, look at the
304 relevant entry in sb->tyenv. It follows that at all times
305 during the instrumentation process, the valid indices for
306 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
307 total number of Orig, V- and B- temps allocated so far.
309 The reason for this strange split (types in one place, all
310 other info in another) is that we need the types to be
311 attached to sb so as to make it possible to do
312 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
313 instrumentation process. */
316 /* READONLY: contains details of which ops should be expensively
317 instrumented. */
318 DetailLevelByOp dlbo;
320 /* READONLY: for each original tmp, how the tmp is used. This is
321 computed by |preInstrumentationAnalysis|. Valid indices are
322 0 .. #temps_in_sb-1 (same as for tmpMap). */
325 /* READONLY: the guest layout. This indicates which parts of
326 the guest state should be regarded as 'always defined'. */
329 /* READONLY: the host word type. Needed for constructing
330 arguments of type 'HWord' to be passed to helper functions.
331 Ity_I32 or Ity_I64 only. */
332 IRType hWordTy;
333 }
334 MCEnv;
337 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
338 demand), as they are encountered. This is for two reasons.
340 (1) (less important reason): Many original tmps are unused due to
341 initial IR optimisation, and we do not want to spaces in tables
342 tracking them.
344 Shadow IRTemps are therefore allocated on demand. mce.tmpMap is a
345 table indexed [0 .. n_types-1], which gives the current shadow for
346 each original tmp, or INVALID_IRTEMP if none is so far assigned.
347 It is necessary to support making multiple assignments to a shadow
348 -- specifically, after testing a shadow for definedness, it needs
349 to be made defined. But IR's SSA property disallows this.
351 (2) (more important reason): Therefore, when a shadow needs to get
352 a new value, a new temporary is created, the value is assigned to
353 that, and the tmpMap is updated to reflect the new binding.
355 A corollary is that if the tmpMap maps a given tmp to
356 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
357 there's a read-before-write error in the original tmps. The IR
358 sanity checker should catch all such anomalies, however.
359 */
361 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
362 both the table in mce->sb and to our auxiliary mapping. Note that
363 newTemp may cause mce->tmpMap to resize, hence previous results
364 from VG_(indexXA)(mce->tmpMap) are invalidated. */
366 {
367 Word newIx;
368 TempMapEnt ent;
376 }
379 /* Find the tmp currently shadowing the given original tmp. If none
380 so far exists, allocate one. */
382 {
384 /* VG_(indexXA) range-checks 'orig', hence no need to check
385 here. */
389 IRTemp tmpV
391 /* newTemp may cause mce->tmpMap to resize, hence previous results
392 from VG_(indexXA) are invalid. */
397 }
399 }
401 /* Allocate a new shadow for the given original tmp. This means any
402 previous shadow is abandoned. This is needed because it is
403 necessary to give a new value to a shadow once it has been tested
404 for undefinedness, but unfortunately IR's SSA property disallows
405 this. Instead we must abandon the old shadow, allocate a new one
406 and use that instead.
408 This is the same as findShadowTmpV, except we don't bother to see
409 if a shadow temp already existed -- we simply allocate a new one
410 regardless. */
412 {
414 /* VG_(indexXA) range-checks 'orig', hence no need to check
415 here. */
419 IRTemp tmpV
421 /* newTemp may cause mce->tmpMap to resize, hence previous results
422 from VG_(indexXA) are invalid. */
426 }
427 }
430 /*------------------------------------------------------------*/
431 /*--- IRAtoms -- a subset of IRExprs ---*/
432 /*------------------------------------------------------------*/
434 /* An atom is either an IRExpr_Const or an IRExpr_Tmp, as defined by
435 isIRAtom() in libvex_ir.h. Because this instrumenter expects flat
436 input, most of this code deals in atoms. Usefully, a value atom
437 always has a V-value which is also an atom: constants are shadowed
438 by constants, and temps are shadowed by the corresponding shadow
439 temporary. */
443 /* (used for sanity checks only): is this an atom which looks
444 like it's from original code? */
446 {
452 }
454 }
456 /* (used for sanity checks only): is this an atom which looks
457 like it's from shadow code? */
459 {
465 }
467 }
469 /* (used for sanity checks only): check that both args are atoms and
470 are identically-kinded. */
472 {
478 }
481 /*------------------------------------------------------------*/
482 /*--- Type management ---*/
483 /*------------------------------------------------------------*/
485 /* Shadow state is always accessed using integer types. This returns
486 an integer type with the same size (as per sizeofIRType) as the
487 given type. The only valid shadow types are Bit, I8, I16, I32,
488 I64, I128, V128, V256. */
491 {
510 }
511 }
513 /* Produce a 'defined' value of the given shadow type. Should only be
514 supplied shadow types (Bit/I8/I16/I32/UI64). */
526 }
527 }
530 /*------------------------------------------------------------*/
531 /*--- Constructing IR fragments ---*/
532 /*------------------------------------------------------------*/
534 /* add stmt to a bb */
540 }
542 }
544 /* assign value to tmp */
548 }
550 /* build various kinds of expressions */
551 #define triop(_op, _arg1, _arg2, _arg3) \
552 IRExpr_Triop((_op),(_arg1),(_arg2),(_arg3))
553 #define binop(_op, _arg1, _arg2) IRExpr_Binop((_op),(_arg1),(_arg2))
554 #define unop(_op, _arg) IRExpr_Unop((_op),(_arg))
555 #define mkU1(_n) IRExpr_Const(IRConst_U1(_n))
556 #define mkU8(_n) IRExpr_Const(IRConst_U8(_n))
557 #define mkU16(_n) IRExpr_Const(IRConst_U16(_n))
558 #define mkU32(_n) IRExpr_Const(IRConst_U32(_n))
559 #define mkU64(_n) IRExpr_Const(IRConst_U64(_n))
560 #define mkV128(_n) IRExpr_Const(IRConst_V128(_n))
561 #define mkexpr(_tmp) IRExpr_RdTmp((_tmp))
563 /* Bind the given expression to a new temporary, and return the
564 temporary. This effectively converts an arbitrary expression into
565 an atom.
567 'ty' is the type of 'e' and hence the type that the new temporary
568 needs to be. But passing it in is redundant, since we can deduce
569 the type merely by inspecting 'e'. So at least use that fact to
570 assert that the two types agree. */
572 {
573 TempKind k;
574 IRTemp t;
582 /* happens when we are making up new "orig"
583 expressions, for IRCAS handling */
585 }
589 }
592 /*------------------------------------------------------------*/
593 /*--- Helper functions for 128-bit ops ---*/
594 /*------------------------------------------------------------*/
597 {
600 }
602 /* There are no I128-bit loads and/or stores [as generated by any
603 current front ends]. So we do not need to worry about that in
604 expr2vbits_Load */
607 /*------------------------------------------------------------*/
608 /*--- Constructing definedness primitive ops ---*/
609 /*------------------------------------------------------------*/
611 /* --------- Defined-if-either-defined --------- */
617 }
623 }
629 }
635 }
641 }
647 }
653 }
655 /* --------- Undefined-if-either-undefined --------- */
661 }
667 }
673 }
679 }
685 }
699 }
705 }
711 }
725 }
726 }
728 /* --------- The Left-family of operations. --------- */
733 }
738 }
743 }
748 }
750 /* --------- The Right-family of operations. --------- */
752 /* Unfortunately these are a lot more expensive then their Left
753 counterparts. Fortunately they are only very rarely used -- only for
754 count-leading-zeroes instrumentation. */
757 {
759 // a1 |= (a1 >>u i)
760 IRAtom* tmp
763 }
765 }
768 {
770 // a1 |= (a1 >>u i)
771 IRAtom* tmp
774 }
776 }
778 /* --------- 'Improvement' functions for AND/OR. --------- */
780 /* ImproveAND(data, vbits) = data OR vbits. Defined (0) data 0s give
781 defined (0); all other -> undefined (1).
782 */
784 {
789 }
792 {
797 }
800 {
805 }
808 {
813 }
816 {
821 }
824 {
829 }
832 {
837 }
839 /* ImproveOR(data, vbits) = ~data OR vbits. Defined (0) data 1s give
840 defined (0); all other -> undefined (1).
841 */
843 {
851 vbits) );
852 }
855 {
863 vbits) );
864 }
867 {
875 vbits) );
876 }
879 {
887 vbits) );
888 }
891 {
899 vbits) );
900 }
903 {
911 vbits) );
912 }
915 {
923 vbits) );
924 }
926 /* --------- Pessimising casts. --------- */
928 /* The function returns an expression of type DST_TY. If any of the VBITS
929 is undefined (value == 1) the resulting expression has all bits set to
930 1. Otherwise, all bits are 0. */
933 {
934 IRType src_ty;
937 /* Note, dst_ty is a shadow type, not an original type. */
941 /* Fast-track some common cases */
949 /* PCast the arg, then clone it. */
952 }
955 /* PCast the arg, then clone it 4 times. */
959 }
962 /* PCast the arg, then clone it 8 times. */
967 }
970 /* PCast the arg. This gives all 0s or all 1s. Then throw away
971 the top half. */
974 }
977 /* Use InterleaveHI64x2 to copy the top half of the vector into
978 the bottom half. Then we can UifU it with the original, throw
979 away the upper half of the result, and PCast-I64-to-I64
980 the lower half. */
981 // Generates vbits[127:64] : vbits[127:64]
982 IRAtom* hi64hi64
985 // Generates
986 // UifU(vbits[127:64],vbits[127:64]) : UifU(vbits[127:64],vbits[63:0])
987 // == vbits[127:64] : UifU(vbits[127:64],vbits[63:0])
988 IRAtom* lohi64
990 // Generates UifU(vbits[127:64],vbits[63:0])
991 IRAtom* lo64
993 // Generates
994 // PCast-to-I64( UifU(vbits[127:64], vbits[63:0] )
995 // == PCast-to-I64( vbits[127:0] )
996 IRAtom* res
999 }
1001 /* Else do it the slow way .. */
1002 /* First of all, collapse vbits down to a single bit. */
1021 /* Gah. Chop it in half, OR the halves together, and compare
1022 that with zero. */
1029 }
1031 /* Chop it in half, OR the halves together, and compare that
1032 * with zero.
1033 */
1040 }
1044 }
1046 /* Now widen up to the dst type. */
1076 }
1077 }
1079 /* This is a minor variant. It takes an arg of some type and returns
1080 a value of the same type. The result consists entirely of Defined
1081 (zero) bits except its least significant bit, which is a PCast of
1082 the entire argument down to a single bit. */
1084 {
1086 /* --- Case for V128 --- */
1088 // generates: PCast-to-I64(varg128)
1090 // Now introduce zeros (defined bits) in the top 63 places
1091 // generates: Def--(63)--Def PCast-to-I1(varg128)
1092 IRAtom* d63pc
1094 // generates: Def--(64)--Def
1095 IRAtom* d64
1097 // generates: Def--(127)--Def PCast-to-I1(varg128)
1098 IRAtom* res
1101 }
1103 /* --- Case for I64 --- */
1104 // PCast to 64
1106 // Zero (Def) out the top 63 bits
1107 IRAtom* res
1110 }
1111 /*NOTREACHED*/
1113 }
1115 /* --------- Optimistic casts. --------- */
1117 /* The function takes and returns an expression of type TY. If any of the
1118 VBITS indicate defined (value == 0) the resulting expression has all bits
1119 set to 0. Otherwise, all bits are 1. In words, if any bits are defined
1120 then all bits are made to be defined.
1122 In short we compute (vbits - (vbits >>u 1)) >>s (bitsize(vbits)-1).
1123 */
1125 {
1127 UInt sh;
1145 }
1152 }
1155 /* --------- Accurate interpretation of CmpEQ/CmpNE. --------- */
1156 /*
1157 Normally, we can do CmpEQ/CmpNE by doing UifU on the arguments, and
1158 PCasting to Ity_U1. However, sometimes it is necessary to be more
1159 accurate. The insight is that the result is defined if two
1160 corresponding bits can be found, one from each argument, so that
1161 both bits are defined but are different -- that makes EQ say "No"
1162 and NE say "Yes". Hence, we compute an improvement term and DifD
1163 it onto the "normal" (UifU) result.
1165 The result is:
1167 PCastTo<1> (
1168 -- naive version
1169 UifU<sz>(vxx, vyy)
1171 `DifD<sz>`
1173 -- improvement term
1174 OCast<sz>(vec)
1175 )
1177 where
1178 vec contains 0 (defined) bits where the corresponding arg bits
1179 are defined but different, and 1 bits otherwise.
1181 vec = Or<sz>( vxx, // 0 iff bit defined
1182 vyy, // 0 iff bit defined
1183 Not<sz>(Xor<sz>( xx, yy )) // 0 iff bits different
1184 )
1186 If any bit of vec is 0, the result is defined and so the
1187 improvement term should produce 0...0, else it should produce
1188 1...1.
1190 Hence require for the improvement term:
1192 OCast(vec) = if vec == 1...1 then 1...1 else 0...0
1194 which you can think of as an "optimistic cast" (OCast, the opposite of
1195 the normal "pessimistic cast" (PCast) family. An OCast says all bits
1196 are defined if any bit is defined.
1198 It is possible to show that
1200 if vec == 1...1 then 1...1 else 0...0
1202 can be implemented in straight-line code as
1204 (vec - (vec >>u 1)) >>s (word-size-in-bits - 1)
1206 We note that vec contains the sub-term Or<sz>(vxx, vyy). Since UifU is
1207 implemented with Or (since 1 signifies undefinedness), this is a
1208 duplicate of the UifU<sz>(vxx, vyy) term and so we can CSE it out, giving
1209 a final version of:
1211 let naive = UifU<sz>(vxx, vyy)
1212 vec = Or<sz>(naive, Not<sz>(Xor<sz)(xx, yy))
1213 in
1214 PCastTo<1>( DifD<sz>(naive, OCast<sz>(vec)) )
1216 This was extensively re-analysed and checked on 6 July 05 and again
1217 in July 2017.
1218 */
1220 IRType ty,
1223 {
1265 }
1267 naive
1270 vec
1274 naive,
1280 improved
1284 final_cast
1288 }
1291 /* --------- Semi-accurate interpretation of CmpORD. --------- */
1293 /* CmpORD32{S,U} does PowerPC-style 3-way comparisons:
1295 CmpORD32S(x,y) = 1<<3 if x <s y
1296 = 1<<2 if x >s y
1297 = 1<<1 if x == y
1299 and similarly the unsigned variant. The default interpretation is:
1301 CmpORD32{S,U}#(x,y,x#,y#) = PCast(x# `UifU` y#)
1302 & (7<<1)
1304 The "& (7<<1)" reflects the fact that all result bits except 3,2,1
1305 are zero and therefore defined (viz, zero).
1307 Also deal with a special case better:
1309 CmpORD32S(x,0)
1311 Here, bit 3 (LT) of the result is a copy of the top bit of x and
1312 will be defined even if the rest of x isn't. In which case we do:
1314 CmpORD32S#(x,x#,0,{impliedly 0}#)
1315 = PCast(x#) & (3<<1) -- standard interp for GT#,EQ#
1316 | (x# >>u 31) << 3 -- LT# = x#[31]
1318 Analogous handling for CmpORD64{S,U}.
1319 */
1321 {
1322 return
1326 }
1329 {
1330 return
1334 }
1337 IROp cmp_op,
1340 {
1365 }
1368 /* fancy interpretation */
1369 /* if yy is zero, then it must be fully defined (zero#). */
1371 // This is still inaccurate, but I don't think it matters, since
1372 // nobody writes code of the form
1373 // "is <partially-undefined-value> signedly greater than zero?".
1374 // We therefore simply declare "x >s 0" to be undefined if any bit in
1375 // x is undefined. That's clearly suboptimal in some cases. Eg, if
1376 // the highest order bit is a defined 1 then x is negative so it
1377 // doesn't matter whether the remaining bits are defined or not.
1378 IRAtom* t_0_gt_0_0
1382 opAND,
1385 ));
1386 // For "x <s 0", we can just copy the definedness of the top bit of x
1387 // and we have a precise result.
1388 IRAtom* t_lt_0_0_0
1392 opSHL,
1397 ));
1398 // For "x == 0" we can hand the problem off to expensiveCmpEQorNE.
1399 IRAtom* t_0_0_eq_0
1403 opSHL,
1406 op1UtoWS,
1408 ),
1410 ));
1411 return
1413 opOR,
1415 t_0_0_eq_0
1416 );
1418 /* standard interpretation */
1420 return
1422 opAND,
1425 sevenLeft1
1426 );
1427 }
1428 }
1431 /*------------------------------------------------------------*/
1432 /*--- Emit a test and complaint if something is undefined. ---*/
1433 /*------------------------------------------------------------*/
1438 /* Set the annotations on a dirty helper to indicate that the stack
1439 pointer and instruction pointers might be read. This is the
1440 behaviour of all 'emit-a-complaint' style functions we might
1441 call. */
1455 }
1458 /* Check the supplied *original* |atom| for undefinedness, and emit a
1459 complaint if so. Once that happens, mark it as defined. This is
1460 possible because the atom is either a tmp or literal. If it's a
1461 tmp, it will be shadowed by a tmp, and so we can set the shadow to
1462 be defined. In fact as mentioned above, we will have to allocate a
1463 new tmp to carry the new 'defined' shadow value, and update the
1464 original->tmp mapping accordingly; we cannot simply assign a new
1465 value to an existing shadow tmp as this breaks SSAness.
1467 The checks are performed, any resulting complaint emitted, and
1468 |atom|'s shadow temp set to 'defined', ONLY in the case that
1469 |guard| evaluates to True at run-time. If it evaluates to False
1470 then no action is performed. If |guard| is NULL (the usual case)
1471 then it is assumed to be always-true, and hence these actions are
1472 performed unconditionally.
1474 This routine does not generate code to check the definedness of
1475 |guard|. The caller is assumed to have taken care of that already.
1476 */
1478 {
1480 IRType ty;
1481 Int sz;
1488 Int nargs;
1490 // Don't do V bit tests if we're not reporting undefined value errors.
1497 /* Since the original expression is atomic, there's no duplicated
1498 work generated by making multiple V-expressions for it. So we
1499 don't really care about the possibility that someone else may
1500 also create a V-interpretion for it. */
1508 /* sz is only used for constructing the error message */
1512 /* cond will be 0 if all defined, and 1 if any not defined. */
1514 /* Get the origin info for the value we are about to check. At
1515 least, if we are doing origin tracking. If not, use a dummy
1516 zero origin. */
1521 }
1524 }
1543 }
1556 }
1569 }
1582 }
1596 }
1600 }
1613 /* If the complaint is to be issued under a guard condition, AND
1614 that into the guard condition for the helper call. */
1620 }
1625 /* If |atom| is shadowed by an IRTemp, set the shadow tmp to be
1626 defined -- but only in the case where the guard evaluates to
1627 True at run-time. Do the update by setting the orig->shadow
1628 mapping for tmp to reflect the fact that this shadow is getting
1629 a new value. */
1631 /* sameKindedAtoms ... */
1635 // guard is 'always True', hence update unconditionally
1640 // update the temp only conditionally. Do this by copying
1641 // its old value when the guard is False.
1642 // The old value ..
1645 IRAtom* new_tmpV
1650 }
1651 }
1652 }
1655 /*------------------------------------------------------------*/
1656 /*--- Shadowing PUTs/GETs, and indexed variants thereof ---*/
1657 /*------------------------------------------------------------*/
1659 /* Examine the always-defined sections declared in layout to see if
1660 the (offset,size) section is within one. Note, is is an error to
1661 partially fall into such a region: (offset,size) should either be
1662 completely in such a region or completely not-in such a region.
1663 */
1665 {
1684 }
1686 }
1689 /* Generate into bb suitable actions to shadow this Put. If the state
1690 slice is marked 'always defined', do nothing. Otherwise, write the
1691 supplied V bits to the shadow state. We can pass in either an
1692 original atom or a V-atom, but not both. In the former case the
1693 relevant V-bits are then generated from the original.
1694 We assume here, that the definedness of GUARD has already been checked.
1695 */
1696 static
1699 {
1700 IRType ty;
1702 // Don't do shadow PUTs if we're not doing undefined value checking.
1703 // Their absence lets Vex's optimiser remove all the shadow computation
1704 // that they depend on, which includes GETs of the shadow registers.
1715 }
1720 /* later: no ... */
1721 /* emit code to emit a complaint if any of the vbits are 1. */
1722 /* complainIfUndefined(mce, atom); */
1724 /* Do a plain shadow Put. */
1726 /* If the guard expression evaluates to false we simply Put the value
1727 that is already stored in the guest state slot */
1734 }
1736 }
1737 }
1740 /* Return an expression which contains the V bits corresponding to the
1741 given GETI (passed in in pieces).
1742 */
1743 static
1745 {
1748 Int arrSize;;
1754 // Don't do shadow PUTIs if we're not doing undefined value checking.
1755 // Their absence lets Vex's optimiser remove all the shadow computation
1756 // that they depend on, which includes GETIs of the shadow registers.
1770 /* later: no ... */
1771 /* emit code to emit a complaint if any of the vbits are 1. */
1772 /* complainIfUndefined(mce, atom); */
1774 /* Do a cloned version of the Put that refers to the shadow
1775 area. */
1776 IRRegArray* new_descr
1780 }
1781 }
1784 /* Return an expression which contains the V bits corresponding to the
1785 given GET (passed in in pieces).
1786 */
1787 static
1789 {
1794 /* Always defined, return all zeroes of the relevant type */
1797 /* return a cloned version of the Get that refers to the shadow
1798 area. */
1799 /* FIXME: this isn't an atom! */
1801 }
1802 }
1805 /* Return an expression which contains the V bits corresponding to the
1806 given GETI (passed in in pieces).
1807 */
1808 static
1811 {
1819 /* Always defined, return all zeroes of the relevant type */
1822 /* return a cloned version of the Get that refers to the shadow
1823 area. */
1824 IRRegArray* new_descr
1828 }
1829 }
1832 /*------------------------------------------------------------*/
1833 /*--- Generating approximations for unknown operations, ---*/
1834 /*--- using lazy-propagate semantics ---*/
1835 /*------------------------------------------------------------*/
1837 /* Lazy propagation of undefinedness from two values, resulting in the
1838 specified shadow type.
1839 */
1840 static
1842 {
1849 /* The general case is inefficient because PCast is an expensive
1850 operation. Here are some special cases which use PCast only
1851 once rather than twice. */
1853 /* I64 x I64 -> I64 */
1859 }
1861 /* I64 x I64 -> I32 */
1867 }
1869 /* I32 x I32 -> I32 */
1875 }
1885 }
1887 /* General case: force everything via 32-bit intermediaries. */
1892 }
1895 /* 3-arg version of the above. */
1896 static
1899 {
1908 /* The general case is inefficient because PCast is an expensive
1909 operation. Here are some special cases which use PCast only
1910 twice rather than three times. */
1912 /* I32 x I64 x I64 -> I64 */
1913 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1917 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
1918 mode indication which is fully defined, this should get
1919 folded out later. */
1921 /* Now fold in 2nd and 3rd args. */
1924 /* and PCast once again. */
1927 }
1929 /* I32 x I8 x I64 -> I64 */
1933 /* Widen 1st and 2nd args to I64. Since 1st arg is typically a
1934 * rounding mode indication which is fully defined, this should
1935 * get folded out later.
1936 */
1941 /* and PCast once again. */
1944 }
1946 /* I32 x I64 x I64 -> I32 */
1955 }
1957 /* I32 x I32 x I32 -> I32 */
1958 /* 32-bit FP idiom, as (eg) happens on ARM */
1967 }
1969 /* I32 x I16 x I16 -> I16 */
1970 /* 16-bit half-precision FP idiom, as (eg) happens on arm64 v8.2 onwards */
1979 }
1981 /* I32 x I128 x I128 -> I128 */
1982 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1986 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
1987 mode indication which is fully defined, this should get
1988 folded out later. */
1990 /* Now fold in 2nd and 3rd args. */
1993 /* and PCast once again. */
1996 }
1998 /* I32 x I8 x I128 -> I128 */
1999 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2003 /* Use I64 as an intermediate type, which means PCasting all 3
2004 args to I64 to start with. 1st arg is typically a rounding
2005 mode indication which is fully defined, so we hope that it
2006 will get folded out later. */
2010 /* Now UifU all three together. */
2013 /* and PCast once again. */
2016 }
2027 }
2030 /* General case: force everything via 32-bit intermediaries. */
2031 /*
2032 at = mkPCastTo(mce, Ity_I32, va1);
2033 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va2));
2034 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va3));
2035 at = mkPCastTo(mce, finalVty, at);
2036 return at;
2037 */
2038 }
2041 /* 4-arg version of the above. */
2042 static
2045 {
2056 /* The general case is inefficient because PCast is an expensive
2057 operation. Here are some special cases which use PCast only
2058 twice rather than three times. */
2060 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2065 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
2066 mode indication which is fully defined, this should get
2067 folded out later. */
2069 /* Now fold in 2nd, 3rd, 4th args. */
2073 /* and PCast once again. */
2076 }
2078 /* I32 x I64 x I64 x I64 -> I64 */
2082 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
2083 mode indication which is fully defined, this should get
2084 folded out later. */
2086 /* Now fold in 2nd, 3rd, 4th args. */
2090 /* and PCast once again. */
2093 }
2094 /* I32 x I32 x I32 x I32 -> I32 */
2095 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2100 /* Now fold in 2nd, 3rd, 4th args. */
2106 }
2112 /* Now fold in 2nd, 3rd, 4th args. */
2118 }
2124 /* Now fold in 2nd, 3rd, 4th args. */
2130 }
2144 }
2147 }
2150 /* Do the lazy propagation game from a null-terminated vector of
2151 atoms. This is presumably the arguments to a helper call, so the
2152 IRCallee info is also supplied in order that we can know which
2153 arguments should be ignored (via the .mcx_mask field).
2154 */
2155 static
2158 {
2159 Int i;
2162 IRType mergeTy;
2165 /* Decide on the type of the merge intermediary. If all relevant
2166 args are I64, then it's I64. In all other circumstances, use
2167 I32. */
2175 }
2183 /* Only take notice of this arg if the callee's mc-exclusion
2184 mask does not say it is to be excluded. */
2186 /* the arg is to be excluded from definedness checking. Do
2187 nothing. */
2190 /* calculate the arg's definedness, and pessimistically merge
2191 it in. */
2193 curr = mergeTy64
2196 }
2197 }
2199 }
2202 /*------------------------------------------------------------*/
2203 /*--- Generating expensive sequences for exact carry-chain ---*/
2204 /*--- propagation in add/sub and related operations. ---*/
2205 /*------------------------------------------------------------*/
2207 static
2209 Bool add,
2210 IRType ty,
2213 {
2243 }
2245 // a_min = aa & ~qaa
2250 // b_min = bb & ~qbb
2255 // a_max = aa | qaa
2258 // b_max = bb | qbb
2262 // result = (qaa | qbb) | ((a_min + b_min) ^ (a_max + b_max))
2263 return
2271 )
2272 )
2273 )
2274 );
2276 // result = (qaa | qbb) | ((a_min - b_max) ^ (a_max - b_min))
2277 return
2285 )
2286 )
2287 )
2288 );
2289 }
2291 }
2294 static
2297 {
2298 IRType ty;
2324 }
2326 // improver = atom ^ (atom - 1)
2327 //
2328 // That is, improver has its low ctz(atom)+1 bits equal to one;
2329 // higher bits (if any) equal to zero. So it's exactly the right
2330 // mask to use to remove the irrelevant undefined input bits.
2331 /* Here are some examples:
2332 atom = U...U 1 0...0
2333 atom-1 = U...U 0 1...1
2334 ^ed = 0...0 1 11111, which correctly describes which bits of |atom|
2335 actually influence the result
2336 A boundary case
2337 atom = 0...0
2338 atom-1 = 1...1
2339 ^ed = 11111, also a correct mask for the input: all input bits
2340 are relevant
2341 Another boundary case
2342 atom = 1..1 1
2343 atom-1 = 1..1 0
2344 ^ed = 0..0 1, also a correct mask: only the rightmost input bit
2345 is relevant
2346 Now with misc U bits interspersed:
2347 atom = U...U 1 0 U...U 0 1 0...0
2348 atom-1 = U...U 1 0 U...U 0 0 1...1
2349 ^ed = 0...0 0 0 0...0 0 1 1...1, also correct
2350 (Per re-check/analysis of 14 Nov 2018)
2351 */
2354 atom,
2358 // improved = vatom & improver
2359 //
2360 // That is, treat any V bits to the left of the rightmost ctz(atom)+1
2361 // bits as "defined".
2365 // Return pessimizing cast of improved.
2367 }
2369 static
2372 {
2373 IRType ty;
2399 }
2401 // This is in principle very similar to how expensiveCountTrailingZeroes
2402 // works. That function computed an "improver", which it used to mask
2403 // off all but the rightmost 1-bit and the zeroes to the right of it,
2404 // hence removing irrelevant bits from the input. Here, we play the
2405 // exact same game but with the left-vs-right roles interchanged.
2406 // Unfortunately calculation of the improver in this case is
2407 // significantly more expensive.
2408 //
2409 // improver = ~(RIGHT(atom) >>u 1)
2410 //
2411 // That is, improver has its upper clz(atom)+1 bits equal to one;
2412 // lower bits (if any) equal to zero. So it's exactly the right
2413 // mask to use to remove the irrelevant undefined input bits.
2414 /* Here are some examples:
2415 atom = 0...0 1 U...U
2416 R(atom) = 0...0 1 1...1
2417 R(atom) >>u 1 = 0...0 0 1...1
2418 ~(R(atom) >>u 1) = 1...1 1 0...0
2419 which correctly describes which bits of |atom|
2420 actually influence the result
2421 A boundary case
2422 atom = 0...0
2423 R(atom) = 0...0
2424 R(atom) >>u 1 = 0...0
2425 ~(R(atom) >>u 1) = 1...1
2426 also a correct mask for the input: all input bits
2427 are relevant
2428 Another boundary case
2429 atom = 1 1..1
2430 R(atom) = 1 1..1
2431 R(atom) >>u 1 = 0 1..1
2432 ~(R(atom) >>u 1) = 1 0..0
2433 also a correct mask: only the leftmost input bit
2434 is relevant
2435 Now with misc U bits interspersed:
2436 atom = 0...0 1 U...U 0 1 U...U
2437 R(atom) = 0...0 1 1...1 1 1 1...1
2438 R(atom) >>u 1 = 0...0 0 1...1 1 1 1...1
2439 ~(R(atom) >>u 1) = 1...1 1 0...0 0 0 0...0, also correct
2440 (Per initial implementation of 15 Nov 2018)
2441 */
2446 // improved = vatom & improver
2447 //
2448 // That is, treat any V bits to the right of the leftmost clz(atom)+1
2449 // bits as "defined".
2453 // Return pessimizing cast of improved.
2455 }
2458 /*------------------------------------------------------------*/
2459 /*--- Scalar shifts. ---*/
2460 /*------------------------------------------------------------*/
2462 /* Produce an interpretation for (aa << bb) (or >>s, >>u). The basic
2463 idea is to shift the definedness bits by the original shift amount.
2464 This introduces 0s ("defined") in new positions for left shifts and
2465 unsigned right shifts, and copies the top definedness bit for
2466 signed right shifts. So, conveniently, applying the original shift
2467 operator to the definedness bits for the left arg is exactly the
2468 right thing to do:
2470 (qaa << bb)
2472 However if the shift amount is undefined then the whole result
2473 is undefined. Hence need:
2475 (qaa << bb) `UifU` PCast(qbb)
2477 If the shift amount bb is a literal than qbb will say 'all defined'
2478 and the UifU and PCast will get folded out by post-instrumentation
2479 optimisation.
2480 */
2482 IRType ty,
2483 IROp original_op,
2486 {
2493 return
2499 )
2500 );
2501 }
2504 /*------------------------------------------------------------*/
2505 /*--- Helpers for dealing with vector primops. ---*/
2506 /*------------------------------------------------------------*/
2508 /* Vector pessimisation -- pessimise within each lane individually. */
2511 {
2513 }
2516 {
2518 }
2521 {
2523 }
2526 {
2528 }
2531 {
2533 }
2536 {
2538 }
2541 {
2543 }
2546 {
2548 }
2551 {
2553 }
2556 {
2558 }
2561 {
2563 }
2566 {
2568 }
2571 {
2573 }
2576 {
2578 }
2581 /* Here's a simple scheme capable of handling ops derived from SSE1
2582 code and while only generating ops that can be efficiently
2583 implemented in SSE1. */
2585 /* All-lanes versions are straightforward:
2587 binary32Fx4(x,y) ==> PCast32x4(UifUV128(x#,y#))
2589 unary32Fx4(x,y) ==> PCast32x4(x#)
2591 Lowest-lane-only versions are more complex:
2593 binary32F0x4(x,y) ==> SetV128lo32(
2594 x#,
2595 PCast32(V128to32(UifUV128(x#,y#)))
2596 )
2598 This is perhaps not so obvious. In particular, it's faster to
2599 do a V128-bit UifU and then take the bottom 32 bits than the more
2600 obvious scheme of taking the bottom 32 bits of each operand
2601 and doing a 32-bit UifU. Basically since UifU is fast and
2602 chopping lanes off vector values is slow.
2604 Finally:
2606 unary32F0x4(x) ==> SetV128lo32(
2607 x#,
2608 PCast32(V128to32(x#))
2609 )
2611 Where:
2613 PCast32(v#) = 1Sto32(CmpNE32(v#,0))
2614 PCast32x4(v#) = CmpNEZ32x4(v#)
2615 */
2617 static
2619 {
2626 }
2628 static
2630 {
2635 }
2637 static
2639 {
2648 }
2650 static
2652 {
2659 }
2661 /* --- ... and ... 64Fx2 versions of the same ... --- */
2663 static
2665 {
2672 }
2674 static
2676 {
2681 }
2683 static
2685 {
2694 }
2696 static
2698 {
2705 }
2707 /* --- --- ... and ... 16Fx8 versions of the same --- --- */
2709 static
2711 {
2718 }
2720 static
2722 {
2727 }
2729 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision IR is
2730 implemented.
2731 */
2733 /* --- --- ... and ... 32Fx2 versions of the same --- --- */
2735 static
2737 {
2744 }
2746 static
2748 {
2753 }
2755 /* --- ... and ... 64Fx4 versions of the same ... --- */
2757 static
2759 {
2766 }
2768 static
2770 {
2775 }
2777 /* --- ... and ... 32Fx8 versions of the same ... --- */
2779 static
2781 {
2788 }
2790 static
2792 {
2797 }
2799 /* --- 64Fx2 binary FP ops, with rounding mode --- */
2801 static
2804 {
2805 /* This is the same as binary64Fx2, except that we subsequently
2806 pessimise vRM (definedness of the rounding mode), widen to 128
2807 bits and UifU it into the result. As with the scalar cases, if
2808 the RM is a constant then it is defined and so this extra bit
2809 will get constant-folded out later. */
2810 // "do" the vector args
2812 // PCast the RM, and widen it to 128 bits
2814 // Roll it into the result
2817 }
2819 /* --- ... and ... 32Fx4 versions of the same --- */
2821 static
2824 {
2826 // PCast the RM, and widen it to 128 bits
2828 // Roll it into the result
2831 }
2833 /* --- ... and ... 64Fx4 versions of the same --- */
2835 static
2838 {
2840 // PCast the RM, and widen it to 256 bits
2842 // Roll it into the result
2845 }
2847 /* --- ... and ... 16Fx8 versions of the same --- */
2849 static
2852 {
2854 // PCast the RM, and widen it to 128 bits
2856 // Roll it into the result
2859 }
2861 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision IR is
2862 implemented.
2863 */
2865 /* --- ... and ... 32Fx8 versions of the same --- */
2867 static
2870 {
2872 // PCast the RM, and widen it to 256 bits
2874 // Roll it into the result
2877 }
2879 /* --- 64Fx2 unary FP ops, with rounding mode --- */
2881 static
2883 {
2884 /* Same scheme as binary64Fx2_w_rm. */
2885 // "do" the vector arg
2887 // PCast the RM, and widen it to 128 bits
2889 // Roll it into the result
2892 }
2894 /* --- ... and ... 32Fx4 versions of the same --- */
2896 static
2898 {
2899 /* Same scheme as binaryFx4_w_rm. */
2901 // PCast the RM, and widen it to 128 bits
2903 // Roll it into the result
2906 }
2908 /* --- ... and ... 16Fx8 versions of the same --- */
2910 static
2912 {
2913 /* Same scheme as binaryFx4_w_rm. */
2915 // PCast the RM, and widen it to 128 bits
2917 // Roll it into the result
2920 }
2922 /* --- ... and ... 32Fx8 versions of the same --- */
2924 static
2926 {
2927 /* Same scheme as unary32Fx8_w_rm. */
2929 // PCast the RM, and widen it to 256 bits
2931 // Roll it into the result
2934 }
2937 /* --- --- Vector saturated narrowing --- --- */
2939 /* We used to do something very clever here, but on closer inspection
2940 (2011-Jun-15), and in particular bug #279698, it turns out to be
2941 wrong. Part of the problem came from the fact that for a long
2942 time, the IR primops to do with saturated narrowing were
2943 underspecified and managed to confuse multiple cases which needed
2944 to be separate: the op names had a signedness qualifier, but in
2945 fact the source and destination signednesses needed to be specified
2946 independently, so the op names really need two independent
2947 signedness specifiers.
2949 As of 2011-Jun-15 (ish) the underspecification was sorted out
2950 properly. The incorrect instrumentation remained, though. That
2951 has now (2011-Oct-22) been fixed.
2953 What we now do is simple:
2955 Let the original narrowing op be QNarrowBinXtoYxZ, where Z is a
2956 number of lanes, X is the source lane width and signedness, and Y
2957 is the destination lane width and signedness. In all cases the
2958 destination lane width is half the source lane width, so the names
2959 have a bit of redundancy, but are at least easy to read.
2961 For example, Iop_QNarrowBin32Sto16Ux8 narrows 8 lanes of signed 32s
2962 to unsigned 16s.
2964 Let Vanilla(OP) be a function that takes OP, one of these
2965 saturating narrowing ops, and produces the same "shaped" narrowing
2966 op which is not saturating, but merely dumps the most significant
2967 bits. "same shape" means that the lane numbers and widths are the
2968 same as with OP.
2970 For example, Vanilla(Iop_QNarrowBin32Sto16Ux8)
2971 = Iop_NarrowBin32to16x8,
2972 that is, narrow 8 lanes of 32 bits to 8 lanes of 16 bits, by
2973 dumping the top half of each lane.
2975 So, with that in place, the scheme is simple, and it is simple to
2976 pessimise each lane individually and then apply Vanilla(OP) so as
2977 to get the result in the right "shape". If the original OP is
2978 QNarrowBinXtoYxZ then we produce
2980 Vanilla(OP)( PCast-X-to-X-x-Z(vatom1), PCast-X-to-X-x-Z(vatom2) )
2982 or for the case when OP is unary (Iop_QNarrowUn*)
2984 Vanilla(OP)( PCast-X-to-X-x-Z(vatom) )
2985 */
2986 static
2988 {
2990 /* Binary: (128, 128) -> 128 */
3001 /* Binary: (64, 64) -> 64 */
3007 /* Unary: 128 -> 64 */
3024 }
3025 }
3027 static
3030 {
3043 }
3051 }
3053 static
3056 {
3064 }
3072 }
3074 static
3077 {
3081 /* For vanilla narrowing (non-saturating), we can just apply
3082 the op directly to the V bits. */
3092 }
3093 /* Plan B: for ops that involve a saturation operation on the args,
3094 we must PCast before the vanilla narrow. */
3106 }
3111 }
3113 static
3116 {
3128 }
3133 }
3136 /* --- --- Vector integer arithmetic --- --- */
3138 /* Simple ... UifU the args and per-lane pessimise the results. */
3140 /* --- V256-bit versions --- */
3142 static
3144 {
3149 }
3151 static
3153 {
3158 }
3160 static
3162 {
3167 }
3169 static
3171 {
3176 }
3178 /* --- V128-bit versions --- */
3180 static
3182 {
3187 }
3189 static
3191 {
3196 }
3198 static
3200 {
3205 }
3207 static
3209 {
3214 }
3216 static
3218 {
3223 }
3225 /* --- 64-bit versions --- */
3227 static
3229 {
3234 }
3236 static
3238 {
3243 }
3245 static
3247 {
3252 }
3254 static
3256 {
3261 }
3263 /* --- 32-bit versions --- */
3265 static
3267 {
3272 }
3274 static
3276 {
3281 }
3284 /*------------------------------------------------------------*/
3285 /*--- Generate shadow values from all kinds of IRExprs. ---*/
3286 /*------------------------------------------------------------*/
3288 static
3290 IROp op,
3293 {
3316 /* I32(rm) x F64 x F64 x F64 -> F64 */
3321 /* I32(rm) x F32 x F32 x F32 -> F32 */
3328 /* I32(rm) x F128 x F128 x F128 -> F128 */
3331 /* V256-bit data-steering */
3336 /* I32/I64 x I8 x I8 x I8 -> I32/I64 */
3344 }
3345 }
3348 static
3350 IROp op,
3352 {
3376 /* I32(rm) x F128/D128 x F128/D128 -> F128/D128 */
3397 /* I32(rm) x F64/D64 x F64/D64 -> F64/D64 */
3401 /* I32(rm) x F64 x F64 -> I32 */
3407 /* I32(rm) x F32 x F32 -> I32 */
3411 /* I32(rm) x F16 x F16 -> I16 */
3414 /* IRRoundingMode(I32) x I8 x D64 -> D64 */
3417 /* IRRoundingMode(I32) x I8 x D128 -> D128 */
3420 /* (V128, V128, I8) -> V128 */
3424 /* (I64, I64, I8) -> I64 */
3440 /* Int 128-bit Integer three arg */
3443 /* (V128, V128, V128) -> V128 */
3446 mce,
3449 );
3451 /* Vector FP with rounding mode as the first arg */
3472 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision
3473 IR is implemented.
3474 */
3499 }
3500 }
3503 static
3505 IROp op,
3508 {
3525 /* 32-bit SIMD */
3551 /* 64-bit SIMD */
3562 /* Same scheme as with all other shifts. */
3723 );
3732 );
3741 );
3743 /* 64-bit data-steering */
3770 /* Perm8x8: rearrange values in left arg using steering values from
3771 right arg. So rearrange the vbits in the same way but pessimise wrt
3772 steering values. We assume that unused bits in the steering value
3773 are defined zeros, so we can safely PCast within each lane of the the
3774 steering value without having to take precautions to avoid a
3775 dependency on those unused bits.
3777 This is also correct for PermOrZero8x8, but it is a bit subtle. For
3778 each lane, if bit 7 of the steering value is zero, then we'll steer
3779 the shadow value exactly as per Perm8x8. If that bit is one, then
3780 the operation will set the resulting (concrete) value to zero. That
3781 means it is defined, and should have a shadow value of zero. Hence
3782 in both cases (bit 7 is 0 or 1) we can self-shadow (in the same way
3783 as Perm8x8) and then pessimise against the steering values. */
3787 mce,
3790 );
3792 /* V128-bit SIMD */
3815 /* Same scheme as with all other shifts. Note: 22 Oct 05:
3816 this is wrong now, scalar shifts are done properly lazily.
3817 Vector shifts should be fixed too. */
3821 /* V x V shifts/rotates are done using the standard lazy scheme. */
3822 /* For the non-rounding variants of bi-di vector x vector
3823 shifts (the Iop_Sh.. ops, that is) we use the lazy scheme.
3824 But note that this is overly pessimistic, because in fact only
3825 the bottom 8 bits of each lane of the second argument are taken
3826 into account when shifting. So really we ought to ignore
3827 undefinedness in bits 8 and above of each lane in the
3828 second argument. */
3839 );
3851 );
3863 );
3875 );
3877 /* For the rounding variants of bi-di vector x vector shifts, the
3878 rounding adjustment can cause undefinedness to propagate through
3879 the entire lane, in the worst case. Too complex to handle
3880 properly .. just UifU the arguments and then PCast them.
3881 Suboptimal but safe. */
3960 /* PwExtUSMulQAdd8x16 is a bit subtle. The effect of it is that each
3961 16-bit chunk of the output is formed from corresponding 16-bit chunks
3962 of the input args, so we can treat it like an other binary 16x8
3963 operation. That's despite it having '8x16' in its name. */
4033 /* I128 x I128 -> I128 */
4133 /* Q-and-Qshift-by-imm-and-narrow of the form (V128, I8) -> V128.
4134 To make this simpler, do the following:
4135 * complain if the shift amount (the I8) is undefined
4136 * pcast each lane at the wide width
4137 * truncate each lane to half width
4138 * pcast the resulting 64-bit value to a single bit and use
4139 that as the least significant bit of the upper half of the
4140 result. */
4159 {
4192 }
4194 // Pessimised shift result
4195 IRAtom* shV
4197 // Narrowed, pessimised shift result
4198 IRAtom* shVnarrowed
4200 // Generates: Def--(63)--Def PCast-to-I1(narrowed)
4202 // and assemble the result
4205 }
4240 /* V128-bit data-steering */
4285 /* Perm8x16: rearrange values in left arg using steering values
4286 from right arg. So rearrange the vbits in the same way but
4287 pessimise wrt steering values. Perm32x4 ditto. */
4288 /* PermOrZero8x16: see comments above for PermOrZero8x8. */
4292 mce,
4295 );
4298 mce,
4301 );
4303 /* These two take the lower half of each 16-bit lane, sign/zero
4304 extend it to 32, and multiply together, producing a 32x4
4305 result (and implicitly ignoring half the operand bits). So
4306 treat it as a bunch of independent 16x8 operations, but then
4307 do 32-bit shifts left-right to copy the lower half results
4308 (which are all 0s or all 1s due to PCasting in binary16Ix8)
4309 into the upper half of each result lane. */
4317 }
4319 /* Same deal as Iop_MullEven16{S,U}x8 */
4327 }
4329 /* Same deal as Iop_MullEven16{S,U}x8 */
4337 }
4339 /* narrow 2xV128 into 1xV128, hi half from left arg, in a 2 x
4340 32x4 -> 16x8 laneage, discarding the upper half of each lane.
4341 Simply apply same op to the V bits, since this really no more
4342 than a data steering operation. */
4353 /* Same scheme as with all other shifts. Note: 10 Nov 05:
4354 this is wrong now, scalar shifts are done properly lazily.
4355 Vector shifts should be fixed too. */
4367 /* SHA Iops */
4373 /* I128-bit data-steering */
4377 /* V256-bit SIMD */
4387 /* V256-bit data-steering */
4391 /* Scalar floating point */
4395 /* I32(rm) x F32 -> I64 */
4399 /* I32(rm) x I64 -> F32 */
4414 /* I32(rm) x I64/F64 -> I64/F64 */
4420 /* I32(rm) x D64 -> D64 */
4426 /* I32(rm) x D128 -> D128 */
4430 /* I32(rm) x F128 -> F128 */
4437 /* I32(rm) x I64/D64 -> D64/I64 */
4446 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D32/F32 */
4455 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D64/F64 */
4465 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D128/F128 */
4469 /* I32(rm) x F16 -> F16 */
4475 /* I32(rm) x I32/F32 -> I32/F32 */
4479 /* I32(rm) x F128 -> F128 */
4486 /* First arg is I32 (rounding mode), second is F32/I32 (data). */
4491 /* First arg is I32 (rounding mode), second is F64/F32 (data). */
4525 /* First arg is I32 (rounding mode), second is F64/D64 (data). */
4529 /* First arg is I32 (rounding mode), second is D64 (data). */
4533 /* First arg is I32 (rounding mode), second is F64 (data). */
4537 /* I64 x I64 -> D64 */
4541 /* I64 x I128 -> D128 */
4556 /* F32 x F32 -> F32 */
4561 /* F64 x F64 -> F64 */
4564 /* non-FP after here */
4586 }
4594 }
4601 }
4609 }
4617 }
4624 }
4648 }
4656 }
4658 cheap_AddSub32:
4675 }
4683 }
4685 cheap_AddSub64:
4699 ////---- CmpXX64
4703 else
4706 expensive_cmp64:
4710 cheap_cmp64:
4715 ////---- CmpXX32
4719 else
4722 expensive_cmp32:
4726 cheap_cmp32:
4731 ////---- CmpXX16
4735 else
4738 expensive_cmp16:
4742 cheap_cmp16:
4745 ////---- CmpXX8
4749 else
4752 expensive_cmp8:
4755 cheap_cmp8:
4758 ////---- end CmpXX{64,32,16,8}
4764 /* Just say these all produce a defined result, regardless
4765 of their arguments. See COMMENT_ON_CasCmpEQ in this file. */
4824 do_And_Or:
4825 return
4828 and_or_ty,
4850 /* V256-bit SIMD */
4860 /* Same scheme as with all other shifts. Note: 22 Oct 05:
4861 this is wrong now, scalar shifts are done properly lazily.
4862 Vector shifts should be fixed too. */
4920 /* Perm32x8: rearrange values in left arg using steering values
4921 from right arg. So rearrange the vbits in the same way but
4922 pessimise wrt steering values. */
4925 mce,
4928 );
4930 /* Q-and-Qshift-by-vector of the form (V128, V128) -> V256.
4931 Handle the shifted results in the same way that other
4932 binary Q ops are handled, eg QSub: UifU the two args,
4933 then pessimise -- which is binaryNIxM. But for the upper
4934 V128, we require to generate just 1 bit which is the
4935 pessimised shift result, with 127 defined zeroes above it.
4937 Note that this overly pessimistic in that in fact only the
4938 bottom 8 bits of each lane of the second arg determine the shift
4939 amount. Really we ought to ignore any undefinedness in the
4940 rest of the lanes of the second arg. */
4949 {
4950 // The function to generate the pessimised shift result
4979 }
4981 // Pessimised shift result, shV[127:0]
4983 // Generates: Def--(127)--Def PCast-to-I1(shV)
4985 // and assemble the result
4988 }
4991 // First, PCast the input vector, retaining the 32x4 format.
4993 // Now truncate each 32 bit lane to 16 bits. Since we already PCasted
4994 // the input, we're not going to lose any information.
4995 IRAtom* pcHI64
4997 IRAtom* pcLO64
4999 IRAtom* narrowed
5002 // Finally, roll in any badness from the rounding mode.
5005 }
5008 // Same scheme as for Iop_F32toF16x4.
5010 IRAtom* pcHI128
5013 IRAtom* pcLO128
5016 IRAtom* narrowed
5019 // Finally, roll in any badness from the rounding mode.
5022 }
5027 }
5028 }
5031 static
5033 {
5034 /* For the widening operations {8,16,32}{U,S}to{16,32,64}, the
5035 selection of shadow operation implicitly duplicates the logic in
5036 do_shadow_LoadG and should be kept in sync (in the very unlikely
5037 event that the interpretation of such widening ops changes in
5038 future). See comment in do_shadow_LoadG. */
5096 // These are self-shadowing.
5140 // FIXME JRS 2018-Nov-15. This is surely not correct!
5208 // PopCount32: this is slightly pessimistic. It is true that the
5209 // result depends on all input bits, so that aspect of the PCast is
5210 // correct. However, regardless of the input, only the lowest 5 bits
5211 // out of the output can ever be undefined. So we could actually
5212 // "improve" the results here by marking the top 27 bits of output as
5213 // defined. A similar comment applies for PopCount64.
5219 // These are self-shadowing.
5245 // These are self-shadowing.
5258 // These are self-shadowing.
5268 // These are self-shadowing.
5291 // FIXME JRS 2018-Nov-15. This is surely not correct!
5357 // This is self-shadowing.
5375 // JRS FIXME 2019 Mar 17: per comments on F16toF32x4, this is probably not
5376 // right.
5389 // JRS 2019 Mar 17: this definitely isn't right, but it probably works
5390 // OK by accident if -- as seems likely -- the F16 to F32 conversion
5391 // preserves will generate an output 32 bits with at least one 1 bit
5392 // set if there's one or more 1 bits set in the input 16 bits. More
5393 // correct code for this is just below, but commented out, so as to
5394 // avoid short-term backend failures on targets that can't do
5395 // Iop_Interleave{LO,HI}16x4.
5399 // PCast the input at 16x8. This makes each lane hold either all
5400 // zeroes or all ones.
5402 // Now double the width of each lane to 32 bits. Because the lanes are
5403 // all zeroes or all ones, we can just copy the each lane twice into
5404 // the result. Here's the low half:
5408 // And the high half:
5412 // Glue them back together:
5415 }
5417 // See comment just above, for Iop_F16toF32x4
5418 //case Iop_F16toF32x4: {
5419 // // Same scheme as F16toF32x4
5420 // IRAtom* pcasted = mkPCast16x4(mce, vatom); // :: I16x4
5421 // IRAtom* widenedLO // :: I32x2
5422 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveLO16x4,
5423 // pcasted, pcasted));
5424 // IRAtom* widenedHI // :: I32x4
5425 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveHI16x4,
5426 // pcasted, pcasted));
5427 // // Glue them back together:
5428 // return assignNew('V', mce, Ity_V128, binop(Iop_64HLtoV128,
5429 // widenedHI, widenedLO));
5430 //}
5470 }
5471 }
5474 /* Worker function -- do not call directly. See comments on
5475 expr2vbits_Load for the meaning of |guard|.
5477 Generates IR to (1) perform a definedness test of |addr|, (2)
5478 perform a validity test of |addr|, and (3) return the Vbits for the
5479 location indicated by |addr|. All of this only happens when
5480 |guard| is NULL or |guard| evaluates to True at run time.
5482 If |guard| evaluates to False at run time, the returned value is
5483 the IR-mandated 0x55..55 value, and no checks nor shadow loads are
5484 performed.
5486 The definedness of |guard| itself is not checked. That is assumed
5487 to have been done before this point, by the caller. */
5488 static
5492 {
5496 /* First, emit a definedness test for the address. This also sets
5497 the address (shadow) to 'defined' following the test. */
5500 /* Now cook up a call to the relevant helper function, to read the data V
5501 bits from shadow memory. Note that I128 loads are done by pretending
5502 we're doing a V128 load, and then converting the resulting V128 vbits
5503 word to an I128, right at the end of this function -- see `castedToI128`
5504 below. (It's only a minor hack :-) This pertains to bug 444399. */
5536 }
5561 }
5562 }
5567 /* Generate the actual address into addrAct. */
5572 IROp mkAdd;
5579 }
5581 /* We need to have a place to park the V bits we're just about to
5582 read. */
5585 /* Here's the call. */
5597 }
5602 /* Ideally the didn't-happen return value here would be all-ones
5603 (all-undefined), so it'd be obvious if it got used
5604 inadvertently. We can get by with the IR-mandated default
5605 value (0b01 repeating, 0x55 etc) as that'll still look pretty
5606 undefined if it ever leaks out. */
5607 }
5611 IRAtom* castedToI128
5617 }
5618 }
5621 /* Generate IR to do a shadow load. The helper is expected to check
5622 the validity of the address and return the V bits for that address.
5623 This can optionally be controlled by a guard, which is assumed to
5624 be True if NULL. In the case where the guard is False at runtime,
5625 the helper will return the didn't-do-the-call value of 0x55..55.
5626 Since that means "completely undefined result", the caller of
5627 this function will need to fix up the result somehow in that
5628 case.
5630 Caller of this function is also expected to have checked the
5631 definedness of |guard| before this point.
5632 */
5633 static
5638 {
5651 }
5652 }
5655 /* The most general handler for guarded loads. Assumes the
5656 definedness of GUARD has already been checked by the caller. A
5657 GUARD of NULL is assumed to mean "always True". Generates code to
5658 check the definedness and validity of ADDR.
5660 Generate IR to do a shadow load from ADDR and return the V bits.
5661 The loaded type is TY. The loaded data is then (shadow) widened by
5662 using VWIDEN, which can be Iop_INVALID to denote a no-op. If GUARD
5663 evaluates to False at run time then the returned Vbits are simply
5664 VALT instead. Note therefore that the argument type of VWIDEN must
5665 be TY and the result type of VWIDEN must equal the type of VALT.
5666 */
5667 static
5673 {
5674 /* Sanity check the conversion operation, and also set TYWIDE. */
5685 }
5687 /* If the guard evaluates to True, this will hold the loaded V bits
5688 at TY. If the guard evaluates to False, this will be all
5689 ones, meaning "all undefined", in which case we will have to
5690 replace it using an ITE below. */
5691 IRAtom* iftrue1
5694 /* Now (shadow-) widen the loaded V bits to the desired width. In
5695 the guard-is-False case, the allowable widening operators will
5696 in the worst case (unsigned widening) at least leave the
5697 pre-widened part as being marked all-undefined, and in the best
5698 case (signed widening) mark the whole widened result as
5699 undefined. Anyway, it doesn't matter really, since in this case
5700 we will replace said value with the default value |valt| using an
5701 ITE. */
5702 IRAtom* iftrue2
5704 ? iftrue1
5706 /* These are the V bits we will return if the load doesn't take
5707 place. */
5708 IRAtom* iffalse
5710 /* Prepare the cond for the ITE. Convert a NULL cond into
5711 something that iropt knows how to fold out later. */
5712 IRAtom* cond
5714 /* And assemble the final result. */
5716 }
5719 /* A simpler handler for guarded loads, in which there is no
5720 conversion operation, and the default V bit return (when the guard
5721 evaluates to False at runtime) is "all defined". If there is no
5722 guard expression or the guard is always TRUE this function behaves
5723 like expr2vbits_Load. It is assumed that definedness of GUARD has
5724 already been checked at the call site. */
5725 static
5730 {
5733 );
5734 }
5737 static
5740 {
5742 IRType ty;
5743 /* Given ITE(cond, iftrue, iffalse), generate
5744 ITE(cond, iftrue#, iffalse#) `UifU` PCast(cond#)
5745 That is, steer the V bits like the originals, but trash the
5746 result if the steering value is undefined. This gives
5747 lazy propagation. */
5757 return
5761 }
5763 /* --------- This is the main expression-handling function. --------- */
5765 static
5768 {
5786 mce,
5790 );
5794 mce,
5798 );
5802 mce,
5805 hu
5806 );
5831 }
5832 }
5835 /*------------------------------------------------------------*/
5836 /*--- Generate shadow stmts from all kinds of IRStmts. ---*/
5837 /*------------------------------------------------------------*/
5839 /* Widen a value to the host word size. */
5841 static
5843 {
5846 /* vatom is vbits-value and as such can only have a shadow type. */
5862 }
5876 }
5879 }
5880 unhandled:
5883 }
5886 /* Generate a shadow store. |addr| is always the original address
5887 atom. You can pass in either originals or V-bits for the data
5888 atom, but obviously not both. This function generates a check for
5889 the definedness and (indirectly) the validity of |addr|, but only
5890 when |guard| evaluates to True at run time (or is NULL).
5892 |guard| :: Ity_I1 controls whether the store really happens; NULL
5893 means it unconditionally does. Note that |guard| itself is not
5894 checked for definedness; the caller of this function must do that
5895 if necessary.
5896 */
5897 static
5899 IREndness end,
5903 {
5904 IROp mkAdd;
5922 }
5930 }
5934 // If we're not doing undefined value checking, pretend that this value
5935 // is "all valid". That lets Vex's optimiser remove some of the V bit
5936 // shadow computation ops that precede it.
5949 }
5951 }
5953 /* First, emit a definedness test for the address. This also sets
5954 the address (shadow) to 'defined' following the test. Both of
5955 those actions are gated on |guard|. */
5958 /* Now decide which helper function to call to write the data V
5959 bits into shadow memory. */
5978 }
5994 /* Note, no V256 case here, because no big-endian target that
5995 we support, has 256 vectors. */
5997 }
5998 }
6002 /* V256-bit case -- phrased in terms of 64 bit units (Qs), with
6003 Q3 being the most significant lane. */
6004 /* These are the offsets of the Qs in memory. */
6007 /* Various bits for constructing the 4 lane helper calls */
6017 }
6026 );
6035 );
6044 );
6053 );
6067 }
6070 /* V128/I128-bit case */
6071 /* See comment in next clause re 64-bit regparms */
6072 /* also, need to be careful about endianness */
6087 }
6095 }
6104 );
6112 );
6125 /* 8/16/32/64-bit cases */
6126 /* Generate the actual address into addrAct. */
6132 }
6135 /* We can't do this with regparm 2 on 32-bit platforms, since
6136 the back ends aren't clever enough to handle 64-bit
6137 regparm args. Therefore be different. */
6142 );
6149 );
6150 }
6154 }
6156 }
6159 /* Do lazy pessimistic propagation through a dirty helper call, by
6160 looking at the annotations on it. This is the most complex part of
6161 Memcheck. */
6164 {
6171 }
6172 }
6174 static
6176 {
6180 IRTemp dst;
6181 IREndness end;
6183 /* What's the native endianness? We need to know this. */
6184 # if defined(VG_BIGENDIAN)
6186 # elif defined(VG_LITTLEENDIAN)
6188 # else
6190 # endif
6192 /* First check the guard. */
6195 /* Now round up all inputs and PCast over them. */
6198 /* Inputs: unmasked args
6199 Note: arguments are evaluated REGARDLESS of the guard expression */
6204 /* ignore this arg */
6208 }
6209 }
6211 /* Inputs: guest state that we read. */
6217 /* Enumerate the described state segments */
6222 /* Ignore any sections marked as 'always defined'. */
6228 }
6230 /* This state element is read or modified. So we need to
6231 consider it. If larger than 8 bytes, deal with it in
6232 8-byte chunks. */
6237 /* update 'curr' with UifU of the state slice
6238 gOff .. gOff+n-1 */
6241 /* Observe the guard expression. If it is false use an
6242 all-bits-defined bit pattern */
6255 }
6256 }
6257 }
6259 /* Inputs: memory. First set up some info needed regardless of
6260 whether we're doing reads or writes. */
6263 /* Because we may do multiple shadow loads/stores from the same
6264 base address, it's best to do a single test of its
6265 definedness right now. Post-instrumentation optimisation
6266 should remove all but this test. */
6267 IRType tyAddr;
6274 }
6276 /* Deal with memory inputs (reads or modifies) */
6279 /* chew off 32-bit chunks. We don't care about the endianness
6280 since it's all going to be condensed down to a single bit,
6281 but nevertheless choose an endianness which is hopefully
6282 native to the platform. */
6288 );
6291 }
6292 /* chew off 16-bit chunks */
6298 );
6301 }
6302 /* chew off the remaining 8-bit chunk, if any */
6308 );
6311 }
6313 }
6315 /* Whew! So curr is a 32-bit V-value summarising pessimistically
6316 all the inputs to the helper. Now we need to re-distribute the
6317 results to all destinations. */
6319 /* Outputs: the destination temporary, if there is one. */
6324 }
6326 /* Outputs: guest state that we write or modify. */
6332 /* Enumerate the described state segments */
6337 /* Ignore any sections marked as 'always defined'. */
6341 /* This state element is written or modified. So we need to
6342 consider it. If larger than 8 bytes, deal with it in
6343 8-byte chunks. */
6348 /* Write suitably-casted 'curr' to the state slice
6349 gOff .. gOff+n-1 */
6356 }
6357 }
6358 }
6360 /* Outputs: memory that we write or modify. Same comments about
6361 endianness as above apply. */
6364 /* chew off 32-bit chunks */
6371 }
6372 /* chew off 16-bit chunks */
6379 }
6380 /* chew off the remaining 8-bit chunk, if any */
6387 }
6389 }
6391 }
6394 /* We have an ABI hint telling us that [base .. base+len-1] is to
6395 become undefined ("writable"). Generate code to call a helper to
6396 notify the A/V bit machinery of this fact.
6398 We call
6399 void MC_(helperc_MAKE_STACK_UNINIT) ( Addr base, UWord len,
6400 Addr nia );
6401 */
6402 static
6404 {
6413 );
6415 /* We ignore the supplied nia, since it is irrelevant. */
6417 /* Special-case the len==128 case, since that is for amd64-ELF,
6418 which is a very common target. */
6425 );
6432 );
6433 }
6434 }
6437 }
6440 /* ------ Dealing with IRCAS (big and complex) ------ */
6442 /* FWDS */
6454 /* Either ORIG and SHADOW are both IRExpr.RdTmps, or they are both
6455 IRExpr.Consts, else this asserts. If they are both Consts, it
6456 doesn't do anything. So that just leaves the RdTmp case.
6458 In which case: this assigns the shadow value SHADOW to the IR
6459 shadow temporary associated with ORIG. That is, ORIG, being an
6460 original temporary, will have a shadow temporary associated with
6461 it. However, in the case envisaged here, there will so far have
6462 been no IR emitted to actually write a shadow value into that
6463 temporary. What this routine does is to (emit IR to) copy the
6464 value in SHADOW into said temporary, so that after this call,
6465 IRExpr.RdTmps of ORIG's shadow temp will correctly pick up the
6466 value in SHADOW.
6468 Point is to allow callers to compute "by hand" a shadow value for
6469 ORIG, and force it to be associated with ORIG.
6471 How do we know that that shadow associated with ORIG has not so far
6472 been assigned to? Well, we don't per se know that, but supposing
6473 it had. Then this routine would create a second assignment to it,
6474 and later the IR sanity checker would barf. But that never
6475 happens. QED.
6476 */
6480 {
6491 shadow);
6495 shadow);
6496 }
6500 }
6501 }
6504 static
6506 {
6507 /* Scheme is (both single- and double- cases):
6509 1. fetch data#,dataB (the proposed new value)
6511 2. fetch expd#,expdB (what we expect to see at the address)
6513 3. check definedness of address
6515 4. load old#,oldB from shadow memory; this also checks
6516 addressibility of the address
6518 5. the CAS itself
6520 6. compute "expected == old". See COMMENT_ON_CasCmpEQ below.
6522 7. if "expected == old" (as computed by (6))
6523 store data#,dataB to shadow memory
6525 Note that 5 reads 'old' but 4 reads 'old#'. Similarly, 5 stores
6526 'data' but 7 stores 'data#'. Hence it is possible for the
6527 shadow data to be incorrectly checked and/or updated:
6529 * 7 is at least gated correctly, since the 'expected == old'
6530 condition is derived from outputs of 5. However, the shadow
6531 write could happen too late: imagine after 5 we are
6532 descheduled, a different thread runs, writes a different
6533 (shadow) value at the address, and then we resume, hence
6534 overwriting the shadow value written by the other thread.
6536 Because the original memory access is atomic, there's no way to
6537 make both the original and shadow accesses into a single atomic
6538 thing, hence this is unavoidable.
6540 At least as Valgrind stands, I don't think it's a problem, since
6541 we're single threaded *and* we guarantee that there are no
6542 context switches during the execution of any specific superblock
6543 -- context switches can only happen at superblock boundaries.
6545 If Valgrind ever becomes MT in the future, then it might be more
6546 of a problem. A possible kludge would be to artificially
6547 associate with the location, a lock, which we must acquire and
6548 release around the transaction as a whole. Hmm, that probably
6549 would't work properly since it only guards us against other
6550 threads doing CASs on the same location, not against other
6551 threads doing normal reads and writes.
6553 ------------------------------------------------------------
6555 COMMENT_ON_CasCmpEQ:
6557 Note two things. Firstly, in the sequence above, we compute
6558 "expected == old", but we don't check definedness of it. Why
6559 not? Also, the x86 and amd64 front ends use
6560 Iop_CasCmp{EQ,NE}{8,16,32,64} comparisons to make the equivalent
6561 determination (expected == old ?) for themselves, and we also
6562 don't check definedness for those primops; we just say that the
6563 result is defined. Why? Details follow.
6565 x86/amd64 contains various forms of locked insns:
6566 * lock prefix before all basic arithmetic insn;
6567 eg lock xorl %reg1,(%reg2)
6568 * atomic exchange reg-mem
6569 * compare-and-swaps
6571 Rather than attempt to represent them all, which would be a
6572 royal PITA, I used a result from Maurice Herlihy
6573 (http://en.wikipedia.org/wiki/Maurice_Herlihy), in which he
6574 demonstrates that compare-and-swap is a primitive more general
6575 than the other two, and so can be used to represent all of them.
6576 So the translation scheme for (eg) lock incl (%reg) is as
6577 follows:
6579 again:
6580 old = * %reg
6581 new = old + 1
6582 atomically { if (* %reg == old) { * %reg = new } else { goto again } }
6584 The "atomically" is the CAS bit. The scheme is always the same:
6585 get old value from memory, compute new value, atomically stuff
6586 new value back in memory iff the old value has not changed (iow,
6587 no other thread modified it in the meantime). If it has changed
6588 then we've been out-raced and we have to start over.
6590 Now that's all very neat, but it has the bad side effect of
6591 introducing an explicit equality test into the translation.
6592 Consider the behaviour of said code on a memory location which
6593 is uninitialised. We will wind up doing a comparison on
6594 uninitialised data, and mc duly complains.
6596 What's difficult about this is, the common case is that the
6597 location is uncontended, and so we're usually comparing the same
6598 value (* %reg) with itself. So we shouldn't complain even if it
6599 is undefined. But mc doesn't know that.
6601 My solution is to mark the == in the IR specially, so as to tell
6602 mc that it almost certainly compares a value with itself, and we
6603 should just regard the result as always defined. Rather than
6604 add a bit to all IROps, I just cloned Iop_CmpEQ{8,16,32,64} into
6605 Iop_CasCmpEQ{8,16,32,64} so as not to disturb anything else.
6607 So there's always the question of, can this give a false
6608 negative? eg, imagine that initially, * %reg is defined; and we
6609 read that; but then in the gap between the read and the CAS, a
6610 different thread writes an undefined (and different) value at
6611 the location. Then the CAS in this thread will fail and we will
6612 go back to "again:", but without knowing that the trip back
6613 there was based on an undefined comparison. No matter; at least
6614 the other thread won the race and the location is correctly
6615 marked as undefined. What if it wrote an uninitialised version
6616 of the same value that was there originally, though?
6618 etc etc. Seems like there's a small corner case in which we
6619 might lose the fact that something's defined -- we're out-raced
6620 in between the "old = * reg" and the "atomically {", _and_ the
6621 other thread is writing in an undefined version of what's
6622 already there. Well, that seems pretty unlikely.
6624 ---
6626 If we ever need to reinstate it .. code which generates a
6627 definedness test for "expected == old" was removed at r10432 of
6628 this file.
6629 */
6634 }
6635 }
6639 {
6644 IROp opCasCmpEQ;
6645 Int elemSzB;
6646 IRType elemTy;
6649 /* single CAS */
6661 }
6663 /* 1. fetch data# (the proposed new value) */
6665 vdataLo
6669 bdataLo
6672 }
6674 /* 2. fetch expected# (what we expect to see at the address) */
6676 vexpdLo
6680 bexpdLo
6683 }
6685 /* 3. check definedness of address */
6686 /* 4. fetch old# from shadow memory; this also checks
6687 addressibility of the address */
6688 voldLo
6692 mce,
6694 NULL/*always happens*/
6695 ));
6698 boldLo
6702 }
6704 /* 5. the CAS itself */
6707 /* 6. compute "expected == old" */
6708 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6709 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6710 tree, but it's not copied from the input block. */
6711 expd_eq_old
6715 /* 7. if "expected == old"
6716 store data# to shadow memory */
6724 }
6725 }
6729 {
6740 IRType elemTy;
6743 /* double CAS */
6768 }
6770 /* 1. fetch data# (the proposed new value) */
6773 vdataHi
6775 vdataLo
6780 bdataHi
6782 bdataLo
6786 }
6788 /* 2. fetch expected# (what we expect to see at the address) */
6791 vexpdHi
6793 vexpdLo
6798 bexpdHi
6800 bexpdLo
6804 }
6806 /* 3. check definedness of address */
6807 /* 4. fetch old# from shadow memory; this also checks
6808 addressibility of the address */
6816 }
6817 voldHi
6821 mce,
6823 NULL/*always happens*/
6824 ));
6825 voldLo
6829 mce,
6831 NULL/*always happens*/
6832 ));
6836 boldHi
6840 boldLo
6846 }
6848 /* 5. the CAS itself */
6851 /* 6. compute "expected == old" */
6852 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6853 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6854 tree, but it's not copied from the input block. */
6855 /*
6856 xHi = oldHi ^ expdHi;
6857 xLo = oldLo ^ expdLo;
6858 xHL = xHi | xLo;
6859 expd_eq_old = xHL == 0;
6860 */
6867 expd_eq_old
6871 /* 7. if "expected == old"
6872 store data# to shadow memory */
6886 }
6887 }
6890 /* ------ Dealing with LL/SC (not difficult) ------ */
6893 IREndness stEnd,
6894 IRTemp stResult,
6897 {
6898 /* In short: treat a load-linked like a normal load followed by an
6899 assignment of the loaded (shadow) data to the result temporary.
6900 Treat a store-conditional like a normal store, and mark the
6901 result temporary as defined. */
6910 /* Load Linked */
6911 /* Just treat this as a normal load, followed by an assignment of
6912 the value to .result. */
6913 /* Stay sane */
6921 /* Store Conditional */
6922 /* Stay sane */
6924 stStoredata);
6929 stStoredata,
6932 /* This is a store conditional, so it writes to .result a value
6933 indicating whether or not the store succeeded. Just claim
6934 this value is always defined. In the PowerPC interpretation
6935 of store-conditional, definedness of the success indication
6936 depends on whether the address of the store matches the
6937 reservation address. But we can't tell that here (and
6938 anyway, we're not being PowerPC-specific). At least we are
6939 guaranteed that the definedness of the store address, and its
6940 addressibility, will be checked as per normal. So it seems
6941 pretty safe to just say that the success indication is always
6942 defined.
6944 In schemeS, for origin tracking, we must correspondingly set
6945 a no-origin value for the origin shadow of .result.
6946 */
6949 }
6950 }
6953 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
6956 {
6958 /* do_shadow_Store will generate code to check the definedness and
6959 validity of sg->addr, in the case where sg->guard evaluates to
6960 True at run-time. */
6966 }
6969 {
6971 /* expr2vbits_Load_guarded_General will generate code to check the
6972 definedness and validity of lg->addr, in the case where
6973 lg->guard evaluates to True at run-time. */
6975 /* Look at the LoadG's built-in conversion operation, to determine
6976 the source (actual loaded data) type, and the equivalent IROp.
6977 NOTE that implicitly we are taking a widening operation to be
6978 applied to original atoms and producing one that applies to V
6979 bits. Since signed and unsigned widening are self-shadowing,
6980 this is a straight copy of the op (modulo swapping from the
6981 IRLoadGOp form to the IROp form). Note also therefore that this
6982 implicitly duplicates the logic to do with said widening ops in
6983 expr2vbits_Unop. See comment at the start of expr2vbits_Unop. */
6995 }
6997 IRAtom* vbits_alt
6999 IRAtom* vbits_final
7003 /* And finally, bind the V bits to the destination temporary. */
7005 }
7008 /*------------------------------------------------------------*/
7009 /*--- Origin tracking stuff ---*/
7010 /*------------------------------------------------------------*/
7012 /* Almost identical to findShadowTmpV. */
7014 {
7016 /* VG_(indexXA) range-checks 'orig', hence no need to check
7017 here. */
7021 IRTemp tmpB
7023 /* newTemp may cause mce->tmpMap to resize, hence previous results
7024 from VG_(indexXA) are invalid. */
7029 }
7031 }
7034 {
7036 }
7039 /* Make a guarded origin load, with no special handling in the
7040 didn't-happen case. A GUARD of NULL is assumed to mean "always
7041 True".
7043 Generate IR to do a shadow origins load from BASEADDR+OFFSET and
7044 return the otag. The loaded size is SZB. If GUARD evaluates to
7045 False at run time then the returned otag is zero.
7046 */
7050 {
7053 IRTemp bTmp;
7062 }
7087 }
7091 );
7094 /* Ideally the didn't-happen return value here would be
7095 all-zeroes (unknown-origin), so it'd be harmless if it got
7096 used inadvertently. We slum it out with the IR-mandated
7097 default value (0b01 repeating, 0x55 etc) as that'll probably
7098 trump all legitimate otags via Max32, and it's pretty
7099 obviously bogus. */
7100 }
7101 /* no need to mess with any annotations. This call accesses
7102 neither guest state nor guest memory. */
7105 /* 64-bit host */
7110 /* 32-bit host */
7112 }
7113 }
7116 /* Generate IR to do a shadow origins load from BASEADDR+OFFSET. The
7117 loaded size is SZB. The load is regarded as unconditional (always
7118 happens).
7119 */
7121 Int offset )
7122 {
7124 }
7127 /* The most general handler for guarded origin loads. A GUARD of NULL
7128 is assumed to mean "always True".
7130 Generate IR to do a shadow origin load from ADDR+BIAS and return
7131 the B bits. The loaded type is TY. If GUARD evaluates to False at
7132 run time then the returned B bits are simply BALT instead.
7133 */
7134 static
7136 IRType ty,
7139 {
7140 /* If the guard evaluates to True, this will hold the loaded
7141 origin. If the guard evaluates to False, this will be zero,
7142 meaning "unknown origin", in which case we will have to replace
7143 it using an ITE below. */
7144 IRAtom* iftrue
7148 /* These are the bits we will return if the load doesn't take
7149 place. */
7150 IRAtom* iffalse
7152 /* Prepare the cond for the ITE. Convert a NULL cond into
7153 something that iropt knows how to fold out later. */
7154 IRAtom* cond
7156 /* And assemble the final result. */
7158 }
7161 /* Generate a shadow origins store. guard :: Ity_I1 controls whether
7162 the store really happens; NULL means it unconditionally does. */
7166 {
7176 }
7181 }
7206 }
7210 );
7211 /* no need to mess with any annotations. This call accesses
7212 neither guest state nor guest memory. */
7215 }
7224 }
7232 }
7236 {
7245 IRType equivIntTy
7247 /* If this array is unshadowable for whatever reason, use the
7248 usual approximation. */
7255 /* Do a shadow indexed get of the same size, giving t1. Take
7256 the bottom 32 bits of it, giving t2. Compute into t3 the
7257 origin for the index (almost certainly zero, but there's
7258 no harm in being completely general here, since iropt will
7259 remove any useless code), and fold it in, giving a final
7260 value t4. */
7268 }
7270 Int i;
7277 /* Only take notice of this arg if the callee's
7278 mc-exclusion mask does not say it is to be excluded. */
7280 /* the arg is to be excluded from definedness checking.
7281 Do nothing. */
7285 /* calculate the arg's definedness, and pessimistically
7286 merge it in. */
7289 }
7290 }
7292 }
7294 Int dszB;
7296 /* assert that the B value for the address is already
7297 available (somewhere) */
7301 }
7307 }
7315 }
7321 }
7328 /* Just say these all produce a defined result,
7329 regardless of their arguments. See
7330 COMMENT_ON_CasCmpEQ in this file. */
7336 }
7337 }
7339 /*NOTREACHED*/
7340 }
7344 }
7353 );
7357 /* FIXME: this isn't an atom! */
7359 Ity_I32 );
7360 }
7362 }
7367 }
7368 }
7372 {
7373 // This is a hacked version of do_shadow_Dirty
7376 IRTemp dst;
7378 /* First check the guard. */
7381 /* Now round up all inputs and maxU32 over them. */
7383 /* Inputs: unmasked args
7384 Note: arguments are evaluated REGARDLESS of the guard expression */
7389 /* ignore this arg */
7393 }
7394 }
7396 /* Inputs: guest state that we read. */
7402 /* Enumerate the described state segments */
7407 /* Ignore any sections marked as 'always defined'. */
7413 }
7415 /* This state element is read or modified. So we need to
7416 consider it. If larger than 4 bytes, deal with it in
7417 4-byte chunks. */
7419 Int b_offset;
7423 /* update 'curr' with maxU32 of the state slice
7424 gOff .. gOff+n-1 */
7427 /* Observe the guard expression. If it is false use 0, i.e.
7428 nothing is known about the origin */
7436 Ity_I32));
7440 }
7443 }
7444 }
7445 }
7447 /* Inputs: memory */
7450 /* Because we may do multiple shadow loads/stores from the same
7451 base address, it's best to do a single test of its
7452 definedness right now. Post-instrumentation optimisation
7453 should remove all but this test. */
7457 }
7459 /* Deal with memory inputs (reads or modifies) */
7462 /* chew off 32-bit chunks. We don't care about the endianness
7463 since it's all going to be condensed down to a single bit,
7464 but nevertheless choose an endianness which is hopefully
7465 native to the platform. */
7471 }
7472 /* handle possible 16-bit excess */
7478 }
7479 /* chew off the remaining 8-bit chunk, if any */
7485 }
7487 }
7489 /* Whew! So curr is a 32-bit B-value which should give an origin
7490 of some use if any of the inputs to the helper are undefined.
7491 Now we need to re-distribute the results to all destinations. */
7493 /* Outputs: the destination temporary, if there is one. */
7497 }
7499 /* Outputs: guest state that we write or modify. */
7505 /* Enumerate the described state segments */
7510 /* Ignore any sections marked as 'always defined'. */
7514 /* This state element is written or modified. So we need to
7515 consider it. If larger than 4 bytes, deal with it in
7516 4-byte chunks. */
7518 Int b_offset;
7522 /* Write 'curr' to the state slice gOff .. gOff+n-1 */
7526 /* If the guard expression evaluates to false we simply Put
7527 the value that is already stored in the guest state slot */
7535 Ity_I32));
7541 curr ));
7542 }
7545 }
7546 }
7547 }
7549 /* Outputs: memory that we write or modify. Same comments about
7550 endianness as above apply. */
7553 /* chew off 32-bit chunks */
7558 }
7559 /* handle possible 16-bit excess */
7564 }
7565 /* chew off the remaining 8-bit chunk, if any */
7570 }
7572 }
7573 }
7576 /* Generate IR for origin shadowing for a general guarded store. */
7578 IREndness stEnd,
7582 {
7583 Int dszB;
7585 /* assert that the B value for the address is already available
7586 (somewhere), since the call to schemeE will want to see it.
7587 XXXX how does this actually ensure that?? */
7593 }
7596 /* Generate IR for origin shadowing for a plain store. */
7598 IREndness stEnd,
7601 {
7604 }
7607 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7610 {
7613 }
7616 {
7627 }
7628 IRAtom* ori_alt
7630 IRAtom* ori_final
7634 /* And finally, bind the origin to the destination temporary. */
7636 }
7640 {
7646 /* The value-check instrumenter handles this - by arranging
7647 to pass the address of the next instruction to
7648 MC_(helperc_MAKE_STACK_UNINIT). This is all that needs to
7649 happen for origin tracking w.r.t. AbiHints. So there is
7650 nothing to do here. */
7658 IRType equivIntTy
7660 /* If this array is unshadowable for whatever reason,
7661 generate no code. */
7666 descr_b
7669 /* Compute a value to Put - the conjoinment of the origin for
7670 the data to be Put-ted (obviously) and of the index value
7671 (not so obviously). */
7679 }
7700 /* In short: treat a load-linked like a normal load followed
7701 by an assignment of the loaded (shadow) data the result
7702 temporary. Treat a store-conditional like a normal store,
7703 and mark the result temporary as defined. */
7705 /* Load Linked */
7706 IRType resTy
7708 IRExpr* vanillaLoad
7715 /* Store conditional */
7719 /* For the rationale behind this, see comments at the
7720 place where the V-shadow for .result is constructed, in
7721 do_shadow_LLSC. In short, we regard .result as
7722 always-defined. */
7725 }
7727 }
7730 Int b_offset
7734 );
7736 /* FIXME: this isn't an atom! */
7739 }
7741 }
7758 }
7759 }
7762 /*------------------------------------------------------------*/
7763 /*--- Post-tree-build final tidying ---*/
7764 /*------------------------------------------------------------*/
7766 /* This exploits the observation that Memcheck often produces
7767 repeated conditional calls of the form
7769 Dirty G MC_(helperc_value_check0/1/4/8_fail)(UInt otag)
7771 with the same guard expression G guarding the same helper call.
7772 The second and subsequent calls are redundant. This usually
7773 results from instrumentation of guest code containing multiple
7774 memory references at different constant offsets from the same base
7775 register. After optimisation of the instrumentation, you get a
7776 test for the definedness of the base register for each memory
7777 reference, which is kinda pointless. MC_(final_tidy) therefore
7778 looks for such repeated calls and removes all but the first. */
7781 /* With some testing on perf/bz2.c, on amd64 and x86, compiled with
7782 gcc-5.3.1 -O2, it appears that 16 entries in the array are enough to
7783 get almost all the benefits of this transformation whilst causing
7784 the slide-back case to just often enough to be verifiably
7785 correct. For posterity, the numbers are:
7787 bz2-32
7789 1 4,336 (112,212 -> 1,709,473; ratio 15.2)
7790 2 4,336 (112,194 -> 1,669,895; ratio 14.9)
7791 3 4,336 (112,194 -> 1,660,713; ratio 14.8)
7792 4 4,336 (112,194 -> 1,658,555; ratio 14.8)
7793 5 4,336 (112,194 -> 1,655,447; ratio 14.8)
7794 6 4,336 (112,194 -> 1,655,101; ratio 14.8)
7795 7 4,336 (112,194 -> 1,654,858; ratio 14.7)
7796 8 4,336 (112,194 -> 1,654,810; ratio 14.7)
7797 10 4,336 (112,194 -> 1,654,621; ratio 14.7)
7798 12 4,336 (112,194 -> 1,654,678; ratio 14.7)
7799 16 4,336 (112,194 -> 1,654,494; ratio 14.7)
7800 32 4,336 (112,194 -> 1,654,602; ratio 14.7)
7801 inf 4,336 (112,194 -> 1,654,602; ratio 14.7)
7803 bz2-64
7805 1 4,113 (107,329 -> 1,822,171; ratio 17.0)
7806 2 4,113 (107,329 -> 1,806,443; ratio 16.8)
7807 3 4,113 (107,329 -> 1,803,967; ratio 16.8)
7808 4 4,113 (107,329 -> 1,802,785; ratio 16.8)
7809 5 4,113 (107,329 -> 1,802,412; ratio 16.8)
7810 6 4,113 (107,329 -> 1,802,062; ratio 16.8)
7811 7 4,113 (107,329 -> 1,801,976; ratio 16.8)
7812 8 4,113 (107,329 -> 1,801,886; ratio 16.8)
7813 10 4,113 (107,329 -> 1,801,653; ratio 16.8)
7814 12 4,113 (107,329 -> 1,801,526; ratio 16.8)
7815 16 4,113 (107,329 -> 1,801,298; ratio 16.8)
7816 32 4,113 (107,329 -> 1,800,827; ratio 16.8)
7817 inf 4,113 (107,329 -> 1,800,827; ratio 16.8)
7818 */
7820 /* Structs for recording which (helper, guard) pairs we have already
7821 seen. */
7823 #define N_TIDYING_PAIRS 16
7825 typedef
7827 Pair;
7829 typedef
7832 UInt pairsUsed;
7833 }
7834 Pairs;
7837 /* Return True if e1 and e2 definitely denote the same value (used to
7838 compare guards). Return False if unknown; False is the safe
7839 answer. Since guest registers and guest memory do not have the
7840 SSA property we must return False if any Gets or Loads appear in
7841 the expression. This implicitly assumes that e1 and e2 have the
7842 same IR type, which is always true here -- the type is Ity_I1. */
7845 {
7867 /* be lazy. Could define equality for these, but they never
7868 appear to be used. */
7873 /* be conservative - these may not give the same value each
7874 time */
7877 /* should never see this */
7878 /* fallthrough */
7884 }
7885 }
7887 /* See if 'pairs' already has an entry for (entry, guard). Return
7888 True if so. If not, add an entry. */
7890 static
7892 {
7899 }
7900 /* (guard, entry) wasn't found in the array. Add it at the end.
7901 If the array is already full, slide the entries one slot
7902 backwards. This means we will lose to ability to detect
7903 duplicates from the pair in slot zero, but that happens so
7904 rarely that it's unlikely to have much effect on overall code
7905 quality. Also, this strategy loses the check for the oldest
7906 tracked exit (memory reference, basically) and so that is (I'd
7907 guess) least likely to be re-used after this point. */
7912 }
7919 n++;
7921 }
7923 }
7926 {
7927 /* This is expensive because it happens a lot. We are checking to
7928 see whether |name| is one of the following 8 strings:
7930 MC_(helperc_value_check8_fail_no_o)
7931 MC_(helperc_value_check4_fail_no_o)
7932 MC_(helperc_value_check0_fail_no_o)
7933 MC_(helperc_value_check1_fail_no_o)
7934 MC_(helperc_value_check8_fail_w_o)
7935 MC_(helperc_value_check0_fail_w_o)
7936 MC_(helperc_value_check1_fail_w_o)
7937 MC_(helperc_value_check4_fail_w_o)
7939 To speed it up, check the common prefix just once, rather than
7940 all 8 times.
7941 */
7949 /* We still have some prefix to use */
7952 name++;
7953 prefix++;
7954 }
7956 /* Check the part after the prefix. */
7966 }
7969 {
7970 Int i;
7975 Bool alreadyPresent;
7976 Pairs pairs;
7983 /* Scan forwards through the statements. Each time a call to one
7984 of the relevant helpers is seen, check if we have made a
7985 previous call to the same helper using the same guard
7986 expression, and if so, delete the call. */
7999 /* Ok, we have a call to helperc_value_check0/1/4/8_fail with
8000 guard 'guard'. Check if we have already seen a call to this
8001 function with the same guard. If so, delete it. If not,
8002 add it to the set of calls we do know about. */
8007 }
8008 }
8014 }
8016 #undef N_TIDYING_PAIRS
8019 /*------------------------------------------------------------*/
8020 /*--- Startup assertion checking ---*/
8021 /*------------------------------------------------------------*/
8024 {
8025 /* Make a best-effort check to see that is_helperc_value_checkN_fail
8026 is working as we expect. */
8028 # define CHECK(_expected, _string) \
8029 tl_assert((_expected) == is_helperc_value_checkN_fail(_string))
8031 /* It should identify these 8, and no others, as targets. */
8041 /* Ad-hoc selection of other strings gathered via a quick test. */
8071 # undef CHECK
8072 }
8075 /*------------------------------------------------------------*/
8076 /*--- Memcheck main ---*/
8077 /*------------------------------------------------------------*/
8080 {
8100 }
8101 /* VG_(printf)("%llx\n", n); */
8102 /* Shortcuts */
8105 /* The list of bogus atoms is: */
8116 );
8117 }
8120 /* Does 'st' mention any of the literals identified/listed in
8121 isBogusAtom()? */
8123 {
8124 Int i;
8167 }
8175 }
8176 }
8194 }
8199 }
8222 unhandled:
8225 }
8226 }
8229 /* This is the pre-instrumentation analysis. It does a backwards pass over
8230 the stmts in |sb_in| to determine a HowUsed value for each tmp defined in
8231 the block.
8233 Unrelatedly, it also checks all literals in the block with |isBogusAtom|,
8234 as a positive result from that is a strong indication that we need to
8235 expensively instrument add/sub in the block. We do both analyses in one
8236 pass, even though they are independent, so as to avoid the overhead of
8237 having to traverse the whole block twice.
8239 The usage pass proceeds as follows. Let max= be the max operation in the
8240 HowUsed lattice, hence
8242 X max= Y means X = max(X, Y)
8244 then
8246 for t in original tmps . useEnv[t] = HuUnU
8248 for t used in the block's . next field
8249 useEnv[t] max= HuPCa // because jmp targets are PCast-tested
8251 for st iterating *backwards* in the block
8253 match st
8255 case "t1 = load(t2)" // case 1
8256 useEnv[t2] max= HuPCa
8258 case "t1 = add(t2, t3)" // case 2
8259 useEnv[t2] max= useEnv[t1]
8260 useEnv[t3] max= useEnv[t1]
8262 other
8263 for t in st.usedTmps // case 3
8264 useEnv[t] max= HuOth
8265 // same as useEnv[t] = HuOth
8267 The general idea is that we accumulate, in useEnv[], information about
8268 how each tmp is used. That can be updated as we work further back
8269 through the block and find more uses of it, but its HowUsed value can
8270 only ascend the lattice, not descend.
8272 Initially we mark all tmps as unused. In case (1), if a tmp is seen to
8273 be used as a memory address, then its use is at least HuPCa. The point
8274 is that for a memory address we will add instrumentation to check if any
8275 bit of the address is undefined, which means that we won't need expensive
8276 V-bit propagation through an add expression that computed the address --
8277 cheap add instrumentation will be equivalent.
8279 Note in case (1) that if we have previously seen a non-memory-address use
8280 of the tmp, then its use will already be HuOth and will be unchanged by
8281 the max= operation. And if it turns out that the source of the tmp was
8282 an add, then we'll have to expensively instrument the add, because we
8283 can't prove that, for the previous non-memory-address use of the tmp,
8284 cheap and expensive instrumentation will be equivalent.
8286 In case 2, we propagate the usage-mode of the result of an add back
8287 through to its operands. Again, we use max= so as to take account of the
8288 fact that t2 or t3 might later in the block (viz, earlier in the
8289 iteration) have been used in a way that requires expensive add
8290 instrumentation.
8292 In case 3, we deal with all other tmp uses. We assume that we'll need a
8293 result that is as accurate as possible, so we max= HuOth into its use
8294 mode. Since HuOth is the top of the lattice, that's equivalent to just
8295 setting its use to HuOth.
8297 The net result of all this is that:
8299 tmps that are used either
8300 - only as a memory address, or
8301 - only as part of a tree of adds that computes a memory address,
8302 and has no other use
8303 are marked as HuPCa, and so we can instrument their generating Add
8304 nodes cheaply, which is the whole point of this analysis
8306 tmps that are used any other way at all are marked as HuOth
8308 tmps that are unused are marked as HuUnU. We don't expect to see any
8309 since we expect that the incoming IR has had all dead assignments
8310 removed by previous optimisation passes. Nevertheless the analysis is
8311 correct even in the presence of dead tmps.
8313 A final comment on dead tmps. In case 1 and case 2, we could actually
8314 conditionalise the updates thusly:
8316 if (useEnv[t1] > HuUnU) { useEnv[t2] max= HuPCa } // case 1
8318 if (useEnv[t1] > HuUnU) { useEnv[t2] max= useEnv[t1] } // case 2
8319 if (useEnv[t1] > HuUnU) { useEnv[t3] max= useEnv[t1] } // case 2
8321 In other words, if the assigned-to tmp |t1| is never used, then there's
8322 no point in propagating any use through to its operands. That won't
8323 change the final HuPCa-vs-HuOth results, which is what we care about.
8324 Given that we expect to get dead-code-free inputs, there's no point in
8325 adding this extra refinement.
8326 */
8328 /* Helper for |preInstrumentationAnalysis|. */
8330 UInt tyenvUsed,
8332 {
8333 /* For the atom |at|, declare that for any tmp |t| in |at|, we will have
8334 seen a use of |newUse|. So, merge that info into |t|'s accumulated
8335 use info. */
8344 // The "max" operation in the lattice
8347 }
8349 // We should never get here -- it implies non-flat IR
8352 }
8353 /*NOTREACHED*/
8355 }
8361 {
8364 // We've seen no bogus literals so far.
8367 // This is calloc'd, so implicitly all entries are initialised to HuUnU.
8371 // Firstly, roll in contributions from the final dst address.
8375 // Now work backwards through the stmts.
8379 // Deal with literals.
8382 }
8384 // Deal with tmp uses.
8389 // This is the one place where we have to consider all possible
8390 // tags for |rhs|, and can't just assume it is a tmp or a const.
8393 // just propagate demand for |dst| into this tmp use.
8402 // propagate demand for |dst| through to the operands.
8408 // just say that the operands are used in some unknown way.
8413 }
8416 // All operands are used in some unknown way.
8422 }
8424 // All operands are used in some unknown way.
8431 }
8433 // The address will be checked (== PCasted).
8437 // The condition is PCasted, the then- and else-values
8438 // aren't.
8444 // The args are used in unknown ways.
8447 }
8450 // The index will be checked/PCasted (see do_shadow_GETI)
8453 }
8461 }
8463 }
8465 // The address will be checked (== PCasted). The data will be
8466 // used in some unknown way.
8471 // The guard will be checked (== PCasted)
8479 // The index will be checked/PCasted (see do_shadow_PUTI). The
8480 // data will be used in an unknown way.
8484 }
8487 // The guard will be checked (== PCasted)
8489 // The args will be used in unknown ways.
8492 }
8494 }
8497 // Address will be pcasted, everything else used as unknown
8506 }
8508 // Both exprs are used in unknown ways. TODO: can we safely
8509 // just ignore AbiHints?
8514 // We might be able to do better, and use HuPCa for the addr.
8515 // It's not immediately obvious that we can, because the address
8516 // is regarded as "used" only when the guard is true.
8522 }
8524 // Per similar comments to Ist_StoreG .. not sure whether this
8525 // is really optimal.
8531 }
8537 }
8545 }
8546 }
8549 // Return the computed use env and the bogus-atom flag.
8555 }
8564 {
8568 MCEnv mce;
8572 /* We don't currently support this case. */
8574 }
8576 /* Check we're not completely nuts */
8587 /* Set up SB */
8590 /* Set up the running environment. Both .sb and .tmpMap are
8591 modified as we go along. Note that tmps are added to both
8592 .sb->tyenv and .tmpMap together, so the valid index-set for
8593 those two arrays should always be identical. */
8601 /* BEGIN decide on expense levels for instrumentation. */
8603 /* Initially, select the cheap version of everything for which we have an
8604 option. */
8607 /* Take account of the --expensive-definedness-checks= flag. */
8609 /* We just selected 'cheap for everything', so we don't need to do
8610 anything here. mce.tmpHowUsed remains NULL. */
8611 }
8613 /* Select 'expensive for everything'. mce.tmpHowUsed remains NULL. */
8615 }
8618 /* We'll make our own selection, based on known per-target constraints
8619 and also on analysis of the block to be instrumented. First, set
8620 up default values for detail levels.
8622 On x86 and amd64, we'll routinely encounter code optimised by LLVM
8623 5 and above. Enable accurate interpretation of the following.
8624 LLVM uses adds for some bitfield inserts, and we get a lot of false
8625 errors if the cheap interpretation is used, alas. Could solve this
8626 much better if we knew which of such adds came from x86/amd64 LEA
8627 instructions, since these are the only ones really needing the
8628 expensive interpretation, but that would require some way to tag
8629 them in the _toIR.c front ends, which is a lot of faffing around.
8630 So for now we use preInstrumentationAnalysis() to detect adds which
8631 are used only to construct memory addresses, which is an
8632 approximation to the above, and is self-contained.*/
8633 # if defined(VGA_x86)
8637 # elif defined(VGA_amd64)
8643 # elif defined(VGA_ppc64le)
8644 // Needed by (at least) set_AV_CR6() in the front end.
8646 # elif defined(VGA_arm64)
8649 # elif defined(VGA_arm)
8651 # endif
8653 /* preInstrumentationAnalysis() will allocate &mce.tmpHowUsed and then
8654 fill it in. */
8659 /* This happens very rarely. In this case just select expensive
8660 for everything, and throw away the tmp-use analysis results. */
8665 /* Nothing. mce.tmpHowUsed contains tmp-use analysis results,
8666 which will be used for some subset of Iop_{Add,Sub}{32,64},
8667 based on which ones are set to DLauto for this target. */
8668 }
8669 }
8674 // Debug printing: which tmps have been identified as PCast-only use
8680 }
8681 }
8683 }
8685 // Debug printing: number of ops by detail level
8692 }
8693 /* END decide on expense levels for instrumentation. */
8695 /* Initialise the running the tmp environment. */
8701 TempMapEnt ent;
8706 }
8709 /* Finally, begin instrumentation. */
8710 /* Copy verbatim any IR preamble preceding the first IMark */
8723 i++;
8724 }
8726 /* Nasty problem. IR optimisation of the pre-instrumented IR may
8727 cause the IR following the preamble to contain references to IR
8728 temporaries defined in the preamble. Because the preamble isn't
8729 instrumented, these temporaries don't have any shadows.
8730 Nevertheless uses of them following the preamble will cause
8731 memcheck to generate references to their shadows. End effect is
8732 to cause IR sanity check failures, due to references to
8733 non-existent shadows. This is only evident for the complex
8734 preambles used for function wrapping on TOC-afflicted platforms
8735 (ppc64-linux).
8737 The following loop therefore scans the preamble looking for
8738 assignments to temporaries. For each one found it creates an
8739 assignment to the corresponding (V) shadow temp, marking it as
8740 'defined'. This is the same resulting IR as if the main
8741 instrumentation loop before had been applied to the statement
8742 'tmp = CONSTANT'.
8744 Similarly, if origin tracking is enabled, we must generate an
8745 assignment for the corresponding origin (B) shadow, claiming
8746 no-origin, as appropriate for a defined value.
8747 */
8750 /* findShadowTmpV checks its arg is an original tmp;
8751 no need to assert that here. */
8760 }
8765 }
8766 }
8767 }
8769 /* Iterate over the remaining stmts to generate instrumentation. */
8785 }
8788 /* See comments on case Ist_CAS below. */
8791 }
8793 /* Generate instrumentation code for each stmt ... */
8805 }
8857 /* Note, do_shadow_CAS copies the CAS itself to the output
8858 block, because it needs to add instrumentation both
8859 before and after it. Hence skip the copy below. Also
8860 skip the origin-tracking stuff (call to schemeS) above,
8861 since that's all tangled up with it too; do_shadow_CAS
8862 does it all. */
8886 }
8888 }
8890 /* ... and finally copy the stmt itself to the output. Except,
8891 skip the copy of IRCASs; see comments on case Ist_CAS
8892 above. */
8895 }
8897 /* Now we need to complain if the jump target is undefined. */
8904 }
8913 }
8915 }
8917 /* If this fails, there's been some serious snafu with tmp management,
8918 that should be investigated. */
8924 }
8928 }
8931 /*--------------------------------------------------------------------*/
8932 /*--- end mc_translate.c ---*/
8933 /*--------------------------------------------------------------------*/