| blob | ec8ac53217aaae22dc723c4eec5bddf84d277a47 |
2 /*--------------------------------------------------------------------*/
3 /*--- Instrument IR to perform memory checking operations. ---*/
4 /*--- mc_translate.c ---*/
5 /*--------------------------------------------------------------------*/
7 /*
8 This file is part of MemCheck, a heavyweight Valgrind tool for
9 detecting memory errors.
11 Copyright (C) 2000-2017 Julian Seward
12 jseward@acm.org
14 This program is free software; you can redistribute it and/or
15 modify it under the terms of the GNU General Public License as
16 published by the Free Software Foundation; either version 2 of the
17 License, or (at your option) any later version.
19 This program is distributed in the hope that it will be useful, but
20 WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, see <http://www.gnu.org/licenses/>.
27 The GNU General Public License is contained in the file COPYING.
28 */
44 /* FIXMEs JRS 2011-June-16.
46 Check the interpretation for vector narrowing and widening ops,
47 particularly the saturating ones. I suspect they are either overly
48 pessimistic and/or wrong.
50 Iop_QandSQsh64x2 and friends (vector-by-vector bidirectional
51 saturating shifts): the interpretation is overly pessimistic.
52 See comments on the relevant cases below for details.
54 Iop_Sh64Sx2 and friends (vector-by-vector bidirectional shifts,
55 both rounding and non-rounding variants): ditto
56 */
58 /* This file implements the Memcheck instrumentation, and in
59 particular contains the core of its undefined value detection
60 machinery. For a comprehensive background of the terminology,
61 algorithms and rationale used herein, read:
63 Using Valgrind to detect undefined value errors with
64 bit-precision
66 Julian Seward and Nicholas Nethercote
68 2005 USENIX Annual Technical Conference (General Track),
69 Anaheim, CA, USA, April 10-15, 2005.
71 ----
73 Here is as good a place as any to record exactly when V bits are and
74 should be checked, why, and what function is responsible.
77 Memcheck complains when an undefined value is used:
79 1. In the condition of a conditional branch. Because it could cause
80 incorrect control flow, and thus cause incorrect externally-visible
81 behaviour. [mc_translate.c:complainIfUndefined]
83 2. As an argument to a system call, or as the value that specifies
84 the system call number. Because it could cause an incorrect
85 externally-visible side effect. [mc_translate.c:mc_pre_reg_read]
87 3. As the address in a load or store. Because it could cause an
88 incorrect value to be used later, which could cause externally-visible
89 behaviour (eg. via incorrect control flow or an incorrect system call
90 argument) [complainIfUndefined]
92 4. As the target address of a branch. Because it could cause incorrect
93 control flow. [complainIfUndefined]
95 5. As an argument to setenv, unsetenv, or putenv. Because it could put
96 an incorrect value into the external environment.
97 [mc_replace_strmem.c:VG_WRAP_FUNCTION_ZU(*, *env)]
99 6. As the index in a GETI or PUTI operation. I'm not sure why... (njn).
100 [complainIfUndefined]
102 7. As an argument to the VALGRIND_CHECK_MEM_IS_DEFINED and
103 VALGRIND_CHECK_VALUE_IS_DEFINED client requests. Because the user
104 requested it. [in memcheck.h]
107 Memcheck also complains, but should not, when an undefined value is used:
109 8. As the shift value in certain SIMD shift operations (but not in the
110 standard integer shift operations). This inconsistency is due to
111 historical reasons.) [complainIfUndefined]
114 Memcheck does not complain, but should, when an undefined value is used:
116 9. As an input to a client request. Because the client request may
117 affect the visible behaviour -- see bug #144362 for an example
118 involving the malloc replacements in vg_replace_malloc.c and
119 VALGRIND_NON_SIMD_CALL* requests, where an uninitialised argument
120 isn't identified. That bug report also has some info on how to solve
121 the problem. [valgrind.h:VALGRIND_DO_CLIENT_REQUEST]
124 In practice, 1 and 2 account for the vast majority of cases.
125 */
127 /* Generation of addr-definedness, addr-validity and
128 guard-definedness checks pertaining to loads and stores (Iex_Load,
129 Ist_Store, IRLoadG, IRStoreG, LLSC, CAS and Dirty memory
130 loads/stores) was re-checked 11 May 2013. */
133 /*------------------------------------------------------------*/
134 /*--- Forward decls ---*/
135 /*------------------------------------------------------------*/
139 // See below for comments explaining what this is for.
140 typedef
142 HowUsed;
152 /*------------------------------------------------------------*/
153 /*--- Memcheck running state, and tmp management. ---*/
154 /*------------------------------------------------------------*/
156 /* For a few (maybe 1%) IROps, we have both a cheaper, less exact vbit
157 propagation scheme, and a more expensive, more precise vbit propagation
158 scheme. This enum describes, for such an IROp, which scheme to use. */
159 typedef
161 // Use the cheaper, less-exact variant.
163 // Choose between cheap and expensive based on analysis of the block
164 // to be instrumented. Note that the choice may be done on a
165 // per-instance basis of the IROp that this DetailLevel describes.
166 DLauto,
167 // Use the more expensive, more-exact variant.
168 DLexpensive
169 }
170 DetailLevel;
173 /* A readonly part of the running state. For IROps that have both a
174 less-exact and more-exact interpretation, records which interpretation is
175 to be used. */
176 typedef
178 // For Add32/64 and Sub32/64, all 3 settings are allowed. For the
179 // DLauto case, a per-instance decision is to be made by inspecting
180 // the associated tmp's entry in MCEnv.tmpHowUsed.
181 DetailLevel dl_Add32;
182 DetailLevel dl_Add64;
183 DetailLevel dl_Sub32;
184 DetailLevel dl_Sub64;
185 // For Cmp{EQ,NE}{64,32,16,8}, only DLcheap and DLexpensive are
186 // allowed.
187 DetailLevel dl_CmpEQ64_CmpNE64;
188 DetailLevel dl_CmpEQ32_CmpNE32;
189 DetailLevel dl_CmpEQ16_CmpNE16;
190 DetailLevel dl_CmpEQ8_CmpNE8;
191 }
192 DetailLevelByOp;
195 DetailLevel dl )
196 {
205 }
208 {
221 }
224 DetailLevel dl )
225 {
236 }
239 /* Carries info about a particular tmp. The tmp's number is not
240 recorded, as this is implied by (equal to) its index in the tmpMap
241 in MCEnv. The tmp's type is also not recorded, as this is present
242 in MCEnv.sb->tyenv.
244 When .kind is Orig, .shadowV and .shadowB may give the identities
245 of the temps currently holding the associated definedness (shadowV)
246 and origin (shadowB) values, or these may be IRTemp_INVALID if code
247 to compute such values has not yet been emitted.
249 When .kind is VSh or BSh then the tmp is holds a V- or B- value,
250 and so .shadowV and .shadowB must be IRTemp_INVALID, since it is
251 illogical for a shadow tmp itself to be shadowed.
252 */
253 typedef
255 TempKind;
257 typedef
259 TempKind kind;
260 IRTemp shadowV;
261 IRTemp shadowB;
262 }
263 TempMapEnt;
266 /* A |HowUsed| value carries analysis results about how values are used,
267 pertaining to whether we need to instrument integer adds expensively or
268 not. The running state carries a (readonly) mapping from original tmp to
269 a HowUsed value for it. A usage value can be one of three values,
270 forming a 3-point chain lattice.
272 HuOth ("Other") used in some arbitrary way
273 |
274 HuPCa ("PCast") used *only* in effectively a PCast, in which all
275 | we care about is the all-defined vs not-all-defined distinction
276 |
277 HuUnU ("Unused") not used at all.
279 The "safe" (don't-know) end of the lattice is "HuOth". See comments
280 below in |preInstrumentationAnalysis| for further details.
281 */
282 /* DECLARED ABOVE:
283 typedef
284 enum __attribute__((packed)) { HuUnU=0, HuPCa=1, HuOth=2 }
285 HowUsed;
286 */
288 // Not actually necessary, but we don't want to waste D1 space.
292 /* Carries around state during memcheck instrumentation. */
293 typedef
295 /* MODIFIED: the superblock being constructed. IRStmts are
296 added. */
298 Bool trace;
300 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
301 current kind and possibly shadow temps for each temp in the
302 IRSB being constructed. Note that it does not contain the
303 type of each tmp. If you want to know the type, look at the
304 relevant entry in sb->tyenv. It follows that at all times
305 during the instrumentation process, the valid indices for
306 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
307 total number of Orig, V- and B- temps allocated so far.
309 The reason for this strange split (types in one place, all
310 other info in another) is that we need the types to be
311 attached to sb so as to make it possible to do
312 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
313 instrumentation process. */
316 /* READONLY: contains details of which ops should be expensively
317 instrumented. */
318 DetailLevelByOp dlbo;
320 /* READONLY: for each original tmp, how the tmp is used. This is
321 computed by |preInstrumentationAnalysis|. Valid indices are
322 0 .. #temps_in_sb-1 (same as for tmpMap). */
325 /* READONLY: the guest layout. This indicates which parts of
326 the guest state should be regarded as 'always defined'. */
329 /* READONLY: the host word type. Needed for constructing
330 arguments of type 'HWord' to be passed to helper functions.
331 Ity_I32 or Ity_I64 only. */
332 IRType hWordTy;
333 }
334 MCEnv;
337 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
338 demand), as they are encountered. This is for two reasons.
340 (1) (less important reason): Many original tmps are unused due to
341 initial IR optimisation, and we do not want to spaces in tables
342 tracking them.
344 Shadow IRTemps are therefore allocated on demand. mce.tmpMap is a
345 table indexed [0 .. n_types-1], which gives the current shadow for
346 each original tmp, or INVALID_IRTEMP if none is so far assigned.
347 It is necessary to support making multiple assignments to a shadow
348 -- specifically, after testing a shadow for definedness, it needs
349 to be made defined. But IR's SSA property disallows this.
351 (2) (more important reason): Therefore, when a shadow needs to get
352 a new value, a new temporary is created, the value is assigned to
353 that, and the tmpMap is updated to reflect the new binding.
355 A corollary is that if the tmpMap maps a given tmp to
356 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
357 there's a read-before-write error in the original tmps. The IR
358 sanity checker should catch all such anomalies, however.
359 */
361 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
362 both the table in mce->sb and to our auxiliary mapping. Note that
363 newTemp may cause mce->tmpMap to resize, hence previous results
364 from VG_(indexXA)(mce->tmpMap) are invalidated. */
366 {
367 Word newIx;
368 TempMapEnt ent;
376 }
379 /* Find the tmp currently shadowing the given original tmp. If none
380 so far exists, allocate one. */
382 {
384 /* VG_(indexXA) range-checks 'orig', hence no need to check
385 here. */
389 IRTemp tmpV
391 /* newTemp may cause mce->tmpMap to resize, hence previous results
392 from VG_(indexXA) are invalid. */
397 }
399 }
401 /* Allocate a new shadow for the given original tmp. This means any
402 previous shadow is abandoned. This is needed because it is
403 necessary to give a new value to a shadow once it has been tested
404 for undefinedness, but unfortunately IR's SSA property disallows
405 this. Instead we must abandon the old shadow, allocate a new one
406 and use that instead.
408 This is the same as findShadowTmpV, except we don't bother to see
409 if a shadow temp already existed -- we simply allocate a new one
410 regardless. */
412 {
414 /* VG_(indexXA) range-checks 'orig', hence no need to check
415 here. */
419 IRTemp tmpV
421 /* newTemp may cause mce->tmpMap to resize, hence previous results
422 from VG_(indexXA) are invalid. */
426 }
427 }
430 /*------------------------------------------------------------*/
431 /*--- IRAtoms -- a subset of IRExprs ---*/
432 /*------------------------------------------------------------*/
434 /* An atom is either an IRExpr_Const or an IRExpr_Tmp, as defined by
435 isIRAtom() in libvex_ir.h. Because this instrumenter expects flat
436 input, most of this code deals in atoms. Usefully, a value atom
437 always has a V-value which is also an atom: constants are shadowed
438 by constants, and temps are shadowed by the corresponding shadow
439 temporary. */
443 /* (used for sanity checks only): is this an atom which looks
444 like it's from original code? */
446 {
452 }
454 }
456 /* (used for sanity checks only): is this an atom which looks
457 like it's from shadow code? */
459 {
465 }
467 }
469 /* (used for sanity checks only): check that both args are atoms and
470 are identically-kinded. */
472 {
478 }
481 /*------------------------------------------------------------*/
482 /*--- Type management ---*/
483 /*------------------------------------------------------------*/
485 /* Shadow state is always accessed using integer types. This returns
486 an integer type with the same size (as per sizeofIRType) as the
487 given type. The only valid shadow types are Bit, I8, I16, I32,
488 I64, I128, V128, V256. */
491 {
510 }
511 }
513 /* Produce a 'defined' value of the given shadow type. Should only be
514 supplied shadow types (Bit/I8/I16/I32/UI64). */
526 }
527 }
530 /*------------------------------------------------------------*/
531 /*--- Constructing IR fragments ---*/
532 /*------------------------------------------------------------*/
534 /* add stmt to a bb */
540 }
542 }
544 /* assign value to tmp */
548 }
550 /* build various kinds of expressions */
551 #define triop(_op, _arg1, _arg2, _arg3) \
552 IRExpr_Triop((_op),(_arg1),(_arg2),(_arg3))
553 #define binop(_op, _arg1, _arg2) IRExpr_Binop((_op),(_arg1),(_arg2))
554 #define unop(_op, _arg) IRExpr_Unop((_op),(_arg))
555 #define mkU1(_n) IRExpr_Const(IRConst_U1(_n))
556 #define mkU8(_n) IRExpr_Const(IRConst_U8(_n))
557 #define mkU16(_n) IRExpr_Const(IRConst_U16(_n))
558 #define mkU32(_n) IRExpr_Const(IRConst_U32(_n))
559 #define mkU64(_n) IRExpr_Const(IRConst_U64(_n))
560 #define mkV128(_n) IRExpr_Const(IRConst_V128(_n))
561 #define mkexpr(_tmp) IRExpr_RdTmp((_tmp))
563 /* Bind the given expression to a new temporary, and return the
564 temporary. This effectively converts an arbitrary expression into
565 an atom.
567 'ty' is the type of 'e' and hence the type that the new temporary
568 needs to be. But passing it in is redundant, since we can deduce
569 the type merely by inspecting 'e'. So at least use that fact to
570 assert that the two types agree. */
572 {
573 TempKind k;
574 IRTemp t;
582 /* happens when we are making up new "orig"
583 expressions, for IRCAS handling */
585 }
589 }
592 /*------------------------------------------------------------*/
593 /*--- Helper functions for 128-bit ops ---*/
594 /*------------------------------------------------------------*/
597 {
600 }
602 /* There are no I128-bit loads and/or stores [as generated by any
603 current front ends]. So we do not need to worry about that in
604 expr2vbits_Load */
607 /*------------------------------------------------------------*/
608 /*--- Constructing definedness primitive ops ---*/
609 /*------------------------------------------------------------*/
611 /* --------- Defined-if-either-defined --------- */
617 }
623 }
629 }
635 }
641 }
647 }
653 }
655 /* --------- Undefined-if-either-undefined --------- */
661 }
667 }
673 }
679 }
685 }
699 }
705 }
711 }
725 }
726 }
728 /* --------- The Left-family of operations. --------- */
733 }
738 }
743 }
748 }
750 /* --------- The Right-family of operations. --------- */
752 /* Unfortunately these are a lot more expensive then their Left
753 counterparts. Fortunately they are only very rarely used -- only for
754 count-leading-zeroes instrumentation. */
757 {
759 // a1 |= (a1 >>u i)
760 IRAtom* tmp
763 }
765 }
768 {
770 // a1 |= (a1 >>u i)
771 IRAtom* tmp
774 }
776 }
778 /* --------- 'Improvement' functions for AND/OR. --------- */
780 /* ImproveAND(data, vbits) = data OR vbits. Defined (0) data 0s give
781 defined (0); all other -> undefined (1).
782 */
784 {
789 }
792 {
797 }
800 {
805 }
808 {
813 }
816 {
821 }
824 {
829 }
832 {
837 }
839 /* ImproveOR(data, vbits) = ~data OR vbits. Defined (0) data 1s give
840 defined (0); all other -> undefined (1).
841 */
843 {
851 vbits) );
852 }
855 {
863 vbits) );
864 }
867 {
875 vbits) );
876 }
879 {
887 vbits) );
888 }
891 {
899 vbits) );
900 }
903 {
911 vbits) );
912 }
915 {
923 vbits) );
924 }
926 /* --------- Pessimising casts. --------- */
928 /* The function returns an expression of type DST_TY. If any of the VBITS
929 is undefined (value == 1) the resulting expression has all bits set to
930 1. Otherwise, all bits are 0. */
933 {
934 IRType src_ty;
937 /* Note, dst_ty is a shadow type, not an original type. */
941 /* Fast-track some common cases */
949 /* PCast the arg, then clone it. */
952 }
955 /* PCast the arg, then clone it 4 times. */
959 }
962 /* PCast the arg, then clone it 8 times. */
967 }
970 /* PCast the arg. This gives all 0s or all 1s. Then throw away
971 the top half. */
974 }
977 /* Use InterleaveHI64x2 to copy the top half of the vector into
978 the bottom half. Then we can UifU it with the original, throw
979 away the upper half of the result, and PCast-I64-to-I64
980 the lower half. */
981 // Generates vbits[127:64] : vbits[127:64]
982 IRAtom* hi64hi64
985 // Generates
986 // UifU(vbits[127:64],vbits[127:64]) : UifU(vbits[127:64],vbits[63:0])
987 // == vbits[127:64] : UifU(vbits[127:64],vbits[63:0])
988 IRAtom* lohi64
990 // Generates UifU(vbits[127:64],vbits[63:0])
991 IRAtom* lo64
993 // Generates
994 // PCast-to-I64( UifU(vbits[127:64], vbits[63:0] )
995 // == PCast-to-I64( vbits[127:0] )
996 IRAtom* res
999 }
1001 /* Else do it the slow way .. */
1002 /* First of all, collapse vbits down to a single bit. */
1021 /* Gah. Chop it in half, OR the halves together, and compare
1022 that with zero. */
1029 }
1031 /* Chop it in half, OR the halves together, and compare that
1032 * with zero.
1033 */
1040 }
1044 }
1046 /* Now widen up to the dst type. */
1076 }
1077 }
1079 /* This is a minor variant. It takes an arg of some type and returns
1080 a value of the same type. The result consists entirely of Defined
1081 (zero) bits except its least significant bit, which is a PCast of
1082 the entire argument down to a single bit. */
1084 {
1086 /* --- Case for V128 --- */
1088 // generates: PCast-to-I64(varg128)
1090 // Now introduce zeros (defined bits) in the top 63 places
1091 // generates: Def--(63)--Def PCast-to-I1(varg128)
1092 IRAtom* d63pc
1094 // generates: Def--(64)--Def
1095 IRAtom* d64
1097 // generates: Def--(127)--Def PCast-to-I1(varg128)
1098 IRAtom* res
1101 }
1103 /* --- Case for I64 --- */
1104 // PCast to 64
1106 // Zero (Def) out the top 63 bits
1107 IRAtom* res
1110 }
1111 /*NOTREACHED*/
1113 }
1115 /* --------- Optimistic casts. --------- */
1117 /* The function takes and returns an expression of type TY. If any of the
1118 VBITS indicate defined (value == 0) the resulting expression has all bits
1119 set to 0. Otherwise, all bits are 1. In words, if any bits are defined
1120 then all bits are made to be defined.
1122 In short we compute (vbits - (vbits >>u 1)) >>s (bitsize(vbits)-1).
1123 */
1125 {
1127 UInt sh;
1145 }
1152 }
1155 /* --------- Accurate interpretation of CmpEQ/CmpNE. --------- */
1156 /*
1157 Normally, we can do CmpEQ/CmpNE by doing UifU on the arguments, and
1158 PCasting to Ity_U1. However, sometimes it is necessary to be more
1159 accurate. The insight is that the result is defined if two
1160 corresponding bits can be found, one from each argument, so that
1161 both bits are defined but are different -- that makes EQ say "No"
1162 and NE say "Yes". Hence, we compute an improvement term and DifD
1163 it onto the "normal" (UifU) result.
1165 The result is:
1167 PCastTo<1> (
1168 -- naive version
1169 UifU<sz>(vxx, vyy)
1171 `DifD<sz>`
1173 -- improvement term
1174 OCast<sz>(vec)
1175 )
1177 where
1178 vec contains 0 (defined) bits where the corresponding arg bits
1179 are defined but different, and 1 bits otherwise.
1181 vec = Or<sz>( vxx, // 0 iff bit defined
1182 vyy, // 0 iff bit defined
1183 Not<sz>(Xor<sz>( xx, yy )) // 0 iff bits different
1184 )
1186 If any bit of vec is 0, the result is defined and so the
1187 improvement term should produce 0...0, else it should produce
1188 1...1.
1190 Hence require for the improvement term:
1192 OCast(vec) = if vec == 1...1 then 1...1 else 0...0
1194 which you can think of as an "optimistic cast" (OCast, the opposite of
1195 the normal "pessimistic cast" (PCast) family. An OCast says all bits
1196 are defined if any bit is defined.
1198 It is possible to show that
1200 if vec == 1...1 then 1...1 else 0...0
1202 can be implemented in straight-line code as
1204 (vec - (vec >>u 1)) >>s (word-size-in-bits - 1)
1206 We note that vec contains the sub-term Or<sz>(vxx, vyy). Since UifU is
1207 implemented with Or (since 1 signifies undefinedness), this is a
1208 duplicate of the UifU<sz>(vxx, vyy) term and so we can CSE it out, giving
1209 a final version of:
1211 let naive = UifU<sz>(vxx, vyy)
1212 vec = Or<sz>(naive, Not<sz>(Xor<sz)(xx, yy))
1213 in
1214 PCastTo<1>( DifD<sz>(naive, OCast<sz>(vec)) )
1216 This was extensively re-analysed and checked on 6 July 05 and again
1217 in July 2017.
1218 */
1220 IRType ty,
1223 {
1265 }
1267 naive
1270 vec
1274 naive,
1280 improved
1284 final_cast
1288 }
1290 /* Check if we can know, despite the uncertain bits, that xx is greater than yy.
1291 Notice that it's xx > yy and not the other way around. This is Intel syntax
1292 with destination first. It will appear reversed in gdb disassembly (AT&T
1293 syntax).
1294 */
1296 IROp opGT,
1299 {
1301 IRType ty;
1303 Bool is_signed;
1335 }
1352 }
1362 // For unsigned it's easy to make the min and max: Just set the unknown
1363 // bits all to 0s or 1s. For signed it's harder because having a 1 in the
1364 // MSB makes a number smaller, not larger! We can work around this by
1365 // flipping the MSB before and after computing the min and max values.
1370 // From here on out, we're dealing with MSB-flipped integers.
1371 }
1372 // We can combine xx and vxx to create two values: the largest that xx could
1373 // possibly be and the smallest that xx could possibly be. Likewise, we can
1374 // do the same for yy. We'll call those max_xx and min_xx and max_yy and
1375 // min_yy.
1383 // Unflip the MSBs.
1388 }
1391 // If min_xx is greater than max_yy then xx is surely greater than yy so we know
1392 // our answer for sure. If max_xx is not greater than min_yy then xx can't
1393 // possible be greater than yy so again we know the answer for sure. For all
1394 // other cases, we can't know.
1395 //
1396 // So the result is defined if:
1397 //
1398 // min_xx_gt_max_yy | ~max_xx_gt_min_yy
1399 //
1400 // Because defined in vbits is 0s and not 1s, we need to invert that:
1401 //
1402 // ~(min_xx_gt_max_yy | ~max_xx_gt_min_yy)
1403 //
1404 // We can use DeMorgan's Law to simplify the above:
1405 //
1406 // ~min_xx_gt_max_yy & max_xx_gt_min_yy
1409 }
1411 /* --------- Semi-accurate interpretation of CmpORD. --------- */
1413 /* CmpORD32{S,U} does PowerPC-style 3-way comparisons:
1415 CmpORD32S(x,y) = 1<<3 if x <s y
1416 = 1<<2 if x >s y
1417 = 1<<1 if x == y
1419 and similarly the unsigned variant. The default interpretation is:
1421 CmpORD32{S,U}#(x,y,x#,y#) = PCast(x# `UifU` y#)
1422 & (7<<1)
1424 The "& (7<<1)" reflects the fact that all result bits except 3,2,1
1425 are zero and therefore defined (viz, zero).
1427 Also deal with a special case better:
1429 CmpORD32S(x,0)
1431 Here, bit 3 (LT) of the result is a copy of the top bit of x and
1432 will be defined even if the rest of x isn't. In which case we do:
1434 CmpORD32S#(x,x#,0,{impliedly 0}#)
1435 = PCast(x#) & (3<<1) -- standard interp for GT#,EQ#
1436 | (x# >>u 31) << 3 -- LT# = x#[31]
1438 Analogous handling for CmpORD64{S,U}.
1439 */
1441 {
1442 return
1446 }
1449 {
1450 return
1454 }
1457 IROp cmp_op,
1460 {
1485 }
1488 /* fancy interpretation */
1489 /* if yy is zero, then it must be fully defined (zero#). */
1491 // This is still inaccurate, but I don't think it matters, since
1492 // nobody writes code of the form
1493 // "is <partially-undefined-value> signedly greater than zero?".
1494 // We therefore simply declare "x >s 0" to be undefined if any bit in
1495 // x is undefined. That's clearly suboptimal in some cases. Eg, if
1496 // the highest order bit is a defined 1 then x is negative so it
1497 // doesn't matter whether the remaining bits are defined or not.
1498 IRAtom* t_0_gt_0_0
1502 opAND,
1505 ));
1506 // For "x <s 0", we can just copy the definedness of the top bit of x
1507 // and we have a precise result.
1508 IRAtom* t_lt_0_0_0
1512 opSHL,
1517 ));
1518 // For "x == 0" we can hand the problem off to expensiveCmpEQorNE.
1519 IRAtom* t_0_0_eq_0
1523 opSHL,
1526 op1UtoWS,
1528 ),
1530 ));
1531 return
1533 opOR,
1535 t_0_0_eq_0
1536 );
1538 /* standard interpretation */
1540 return
1542 opAND,
1545 sevenLeft1
1546 );
1547 }
1548 }
1551 /*------------------------------------------------------------*/
1552 /*--- Emit a test and complaint if something is undefined. ---*/
1553 /*------------------------------------------------------------*/
1558 /* Set the annotations on a dirty helper to indicate that the stack
1559 pointer and instruction pointers might be read. This is the
1560 behaviour of all 'emit-a-complaint' style functions we might
1561 call. */
1575 }
1578 /* Check the supplied *original* |atom| for undefinedness, and emit a
1579 complaint if so. Once that happens, mark it as defined. This is
1580 possible because the atom is either a tmp or literal. If it's a
1581 tmp, it will be shadowed by a tmp, and so we can set the shadow to
1582 be defined. In fact as mentioned above, we will have to allocate a
1583 new tmp to carry the new 'defined' shadow value, and update the
1584 original->tmp mapping accordingly; we cannot simply assign a new
1585 value to an existing shadow tmp as this breaks SSAness.
1587 The checks are performed, any resulting complaint emitted, and
1588 |atom|'s shadow temp set to 'defined', ONLY in the case that
1589 |guard| evaluates to True at run-time. If it evaluates to False
1590 then no action is performed. If |guard| is NULL (the usual case)
1591 then it is assumed to be always-true, and hence these actions are
1592 performed unconditionally.
1594 This routine does not generate code to check the definedness of
1595 |guard|. The caller is assumed to have taken care of that already.
1596 */
1598 {
1600 IRType ty;
1601 Int sz;
1608 Int nargs;
1610 // Don't do V bit tests if we're not reporting undefined value errors.
1617 /* Since the original expression is atomic, there's no duplicated
1618 work generated by making multiple V-expressions for it. So we
1619 don't really care about the possibility that someone else may
1620 also create a V-interpretion for it. */
1628 /* sz is only used for constructing the error message */
1632 /* cond will be 0 if all defined, and 1 if any not defined. */
1634 /* Get the origin info for the value we are about to check. At
1635 least, if we are doing origin tracking. If not, use a dummy
1636 zero origin. */
1641 }
1644 }
1663 }
1676 }
1689 }
1702 }
1716 }
1720 }
1733 /* If the complaint is to be issued under a guard condition, AND
1734 that into the guard condition for the helper call. */
1740 }
1745 /* If |atom| is shadowed by an IRTemp, set the shadow tmp to be
1746 defined -- but only in the case where the guard evaluates to
1747 True at run-time. Do the update by setting the orig->shadow
1748 mapping for tmp to reflect the fact that this shadow is getting
1749 a new value. */
1751 /* sameKindedAtoms ... */
1755 // guard is 'always True', hence update unconditionally
1760 // update the temp only conditionally. Do this by copying
1761 // its old value when the guard is False.
1762 // The old value ..
1765 IRAtom* new_tmpV
1770 }
1771 }
1772 }
1775 /*------------------------------------------------------------*/
1776 /*--- Shadowing PUTs/GETs, and indexed variants thereof ---*/
1777 /*------------------------------------------------------------*/
1779 /* Examine the always-defined sections declared in layout to see if
1780 the (offset,size) section is within one. Note, is is an error to
1781 partially fall into such a region: (offset,size) should either be
1782 completely in such a region or completely not-in such a region.
1783 */
1785 {
1804 }
1806 }
1809 /* Generate into bb suitable actions to shadow this Put. If the state
1810 slice is marked 'always defined', do nothing. Otherwise, write the
1811 supplied V bits to the shadow state. We can pass in either an
1812 original atom or a V-atom, but not both. In the former case the
1813 relevant V-bits are then generated from the original.
1814 We assume here, that the definedness of GUARD has already been checked.
1815 */
1816 static
1819 {
1820 IRType ty;
1822 // Don't do shadow PUTs if we're not doing undefined value checking.
1823 // Their absence lets Vex's optimiser remove all the shadow computation
1824 // that they depend on, which includes GETs of the shadow registers.
1835 }
1840 /* later: no ... */
1841 /* emit code to emit a complaint if any of the vbits are 1. */
1842 /* complainIfUndefined(mce, atom); */
1844 /* Do a plain shadow Put. */
1846 /* If the guard expression evaluates to false we simply Put the value
1847 that is already stored in the guest state slot */
1854 }
1856 }
1857 }
1860 /* Return an expression which contains the V bits corresponding to the
1861 given GETI (passed in in pieces).
1862 */
1863 static
1865 {
1868 Int arrSize;;
1874 // Don't do shadow PUTIs if we're not doing undefined value checking.
1875 // Their absence lets Vex's optimiser remove all the shadow computation
1876 // that they depend on, which includes GETIs of the shadow registers.
1890 /* later: no ... */
1891 /* emit code to emit a complaint if any of the vbits are 1. */
1892 /* complainIfUndefined(mce, atom); */
1894 /* Do a cloned version of the Put that refers to the shadow
1895 area. */
1896 IRRegArray* new_descr
1900 }
1901 }
1904 /* Return an expression which contains the V bits corresponding to the
1905 given GET (passed in in pieces).
1906 */
1907 static
1909 {
1914 /* Always defined, return all zeroes of the relevant type */
1917 /* return a cloned version of the Get that refers to the shadow
1918 area. */
1919 /* FIXME: this isn't an atom! */
1921 }
1922 }
1925 /* Return an expression which contains the V bits corresponding to the
1926 given GETI (passed in in pieces).
1927 */
1928 static
1931 {
1939 /* Always defined, return all zeroes of the relevant type */
1942 /* return a cloned version of the Get that refers to the shadow
1943 area. */
1944 IRRegArray* new_descr
1948 }
1949 }
1952 /*------------------------------------------------------------*/
1953 /*--- Generating approximations for unknown operations, ---*/
1954 /*--- using lazy-propagate semantics ---*/
1955 /*------------------------------------------------------------*/
1957 /* Lazy propagation of undefinedness from two values, resulting in the
1958 specified shadow type.
1959 */
1960 static
1962 {
1969 /* The general case is inefficient because PCast is an expensive
1970 operation. Here are some special cases which use PCast only
1971 once rather than twice. */
1973 /* I64 x I64 -> I64 */
1979 }
1981 /* I64 x I64 -> I32 */
1987 }
1989 /* I32 x I32 -> I32 */
1995 }
2005 }
2007 /* General case: force everything via 32-bit intermediaries. */
2012 }
2015 /* 3-arg version of the above. */
2016 static
2019 {
2028 /* The general case is inefficient because PCast is an expensive
2029 operation. Here are some special cases which use PCast only
2030 twice rather than three times. */
2032 /* I32 x I64 x I64 -> I64 */
2033 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2037 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
2038 mode indication which is fully defined, this should get
2039 folded out later. */
2041 /* Now fold in 2nd and 3rd args. */
2044 /* and PCast once again. */
2047 }
2049 /* I32 x I8 x I64 -> I64 */
2053 /* Widen 1st and 2nd args to I64. Since 1st arg is typically a
2054 * rounding mode indication which is fully defined, this should
2055 * get folded out later.
2056 */
2061 /* and PCast once again. */
2064 }
2066 /* I32 x I64 x I64 -> I32 */
2075 }
2077 /* I32 x I32 x I32 -> I32 */
2078 /* 32-bit FP idiom, as (eg) happens on ARM */
2087 }
2089 /* I32 x I16 x I16 -> I16 */
2090 /* 16-bit half-precision FP idiom, as (eg) happens on arm64 v8.2 onwards */
2099 }
2101 /* I32 x I128 x I128 -> I128 */
2102 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2106 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
2107 mode indication which is fully defined, this should get
2108 folded out later. */
2110 /* Now fold in 2nd and 3rd args. */
2113 /* and PCast once again. */
2116 }
2118 /* I32 x I8 x I128 -> I128 */
2119 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
2123 /* Use I64 as an intermediate type, which means PCasting all 3
2124 args to I64 to start with. 1st arg is typically a rounding
2125 mode indication which is fully defined, so we hope that it
2126 will get folded out later. */
2130 /* Now UifU all three together. */
2133 /* and PCast once again. */
2136 }
2147 }
2150 /* General case: force everything via 32-bit intermediaries. */
2151 /*
2152 at = mkPCastTo(mce, Ity_I32, va1);
2153 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va2));
2154 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va3));
2155 at = mkPCastTo(mce, finalVty, at);
2156 return at;
2157 */
2158 }
2161 /* 4-arg version of the above. */
2162 static
2165 {
2176 /* The general case is inefficient because PCast is an expensive
2177 operation. Here are some special cases which use PCast only
2178 twice rather than three times. */
2180 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2185 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
2186 mode indication which is fully defined, this should get
2187 folded out later. */
2189 /* Now fold in 2nd, 3rd, 4th args. */
2193 /* and PCast once again. */
2196 }
2198 /* I32 x I64 x I64 x I64 -> I64 */
2202 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
2203 mode indication which is fully defined, this should get
2204 folded out later. */
2206 /* Now fold in 2nd, 3rd, 4th args. */
2210 /* and PCast once again. */
2213 }
2214 /* I32 x I32 x I32 x I32 -> I32 */
2215 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2220 /* Now fold in 2nd, 3rd, 4th args. */
2226 }
2232 /* Now fold in 2nd, 3rd, 4th args. */
2238 }
2244 /* Now fold in 2nd, 3rd, 4th args. */
2250 }
2264 }
2267 }
2270 /* Do the lazy propagation game from a null-terminated vector of
2271 atoms. This is presumably the arguments to a helper call, so the
2272 IRCallee info is also supplied in order that we can know which
2273 arguments should be ignored (via the .mcx_mask field).
2274 */
2275 static
2278 {
2279 Int i;
2282 IRType mergeTy;
2285 /* Decide on the type of the merge intermediary. If all relevant
2286 args are I64, then it's I64. In all other circumstances, use
2287 I32. */
2295 }
2303 /* Only take notice of this arg if the callee's mc-exclusion
2304 mask does not say it is to be excluded. */
2306 /* the arg is to be excluded from definedness checking. Do
2307 nothing. */
2310 /* calculate the arg's definedness, and pessimistically merge
2311 it in. */
2313 curr = mergeTy64
2316 }
2317 }
2319 }
2322 /*------------------------------------------------------------*/
2323 /*--- Generating expensive sequences for exact carry-chain ---*/
2324 /*--- propagation in add/sub and related operations. ---*/
2325 /*------------------------------------------------------------*/
2327 static
2329 Bool add,
2330 IRType ty,
2333 {
2363 }
2365 // a_min = aa & ~qaa
2370 // b_min = bb & ~qbb
2375 // a_max = aa | qaa
2378 // b_max = bb | qbb
2382 // result = (qaa | qbb) | ((a_min + b_min) ^ (a_max + b_max))
2383 return
2391 )
2392 )
2393 )
2394 );
2396 // result = (qaa | qbb) | ((a_min - b_max) ^ (a_max - b_min))
2397 return
2405 )
2406 )
2407 )
2408 );
2409 }
2411 }
2414 static
2417 {
2418 IRType ty;
2444 }
2446 // improver = atom ^ (atom - 1)
2447 //
2448 // That is, improver has its low ctz(atom)+1 bits equal to one;
2449 // higher bits (if any) equal to zero. So it's exactly the right
2450 // mask to use to remove the irrelevant undefined input bits.
2451 /* Here are some examples:
2452 atom = U...U 1 0...0
2453 atom-1 = U...U 0 1...1
2454 ^ed = 0...0 1 11111, which correctly describes which bits of |atom|
2455 actually influence the result
2456 A boundary case
2457 atom = 0...0
2458 atom-1 = 1...1
2459 ^ed = 11111, also a correct mask for the input: all input bits
2460 are relevant
2461 Another boundary case
2462 atom = 1..1 1
2463 atom-1 = 1..1 0
2464 ^ed = 0..0 1, also a correct mask: only the rightmost input bit
2465 is relevant
2466 Now with misc U bits interspersed:
2467 atom = U...U 1 0 U...U 0 1 0...0
2468 atom-1 = U...U 1 0 U...U 0 0 1...1
2469 ^ed = 0...0 0 0 0...0 0 1 1...1, also correct
2470 (Per re-check/analysis of 14 Nov 2018)
2471 */
2474 atom,
2478 // improved = vatom & improver
2479 //
2480 // That is, treat any V bits to the left of the rightmost ctz(atom)+1
2481 // bits as "defined".
2485 // Return pessimizing cast of improved.
2487 }
2489 static
2492 {
2493 IRType ty;
2519 }
2521 // This is in principle very similar to how expensiveCountTrailingZeroes
2522 // works. That function computed an "improver", which it used to mask
2523 // off all but the rightmost 1-bit and the zeroes to the right of it,
2524 // hence removing irrelevant bits from the input. Here, we play the
2525 // exact same game but with the left-vs-right roles interchanged.
2526 // Unfortunately calculation of the improver in this case is
2527 // significantly more expensive.
2528 //
2529 // improver = ~(RIGHT(atom) >>u 1)
2530 //
2531 // That is, improver has its upper clz(atom)+1 bits equal to one;
2532 // lower bits (if any) equal to zero. So it's exactly the right
2533 // mask to use to remove the irrelevant undefined input bits.
2534 /* Here are some examples:
2535 atom = 0...0 1 U...U
2536 R(atom) = 0...0 1 1...1
2537 R(atom) >>u 1 = 0...0 0 1...1
2538 ~(R(atom) >>u 1) = 1...1 1 0...0
2539 which correctly describes which bits of |atom|
2540 actually influence the result
2541 A boundary case
2542 atom = 0...0
2543 R(atom) = 0...0
2544 R(atom) >>u 1 = 0...0
2545 ~(R(atom) >>u 1) = 1...1
2546 also a correct mask for the input: all input bits
2547 are relevant
2548 Another boundary case
2549 atom = 1 1..1
2550 R(atom) = 1 1..1
2551 R(atom) >>u 1 = 0 1..1
2552 ~(R(atom) >>u 1) = 1 0..0
2553 also a correct mask: only the leftmost input bit
2554 is relevant
2555 Now with misc U bits interspersed:
2556 atom = 0...0 1 U...U 0 1 U...U
2557 R(atom) = 0...0 1 1...1 1 1 1...1
2558 R(atom) >>u 1 = 0...0 0 1...1 1 1 1...1
2559 ~(R(atom) >>u 1) = 1...1 1 0...0 0 0 0...0, also correct
2560 (Per initial implementation of 15 Nov 2018)
2561 */
2566 // improved = vatom & improver
2567 //
2568 // That is, treat any V bits to the right of the leftmost clz(atom)+1
2569 // bits as "defined".
2573 // Return pessimizing cast of improved.
2575 }
2578 /*------------------------------------------------------------*/
2579 /*--- Scalar shifts. ---*/
2580 /*------------------------------------------------------------*/
2582 /* Produce an interpretation for (aa << bb) (or >>s, >>u). The basic
2583 idea is to shift the definedness bits by the original shift amount.
2584 This introduces 0s ("defined") in new positions for left shifts and
2585 unsigned right shifts, and copies the top definedness bit for
2586 signed right shifts. So, conveniently, applying the original shift
2587 operator to the definedness bits for the left arg is exactly the
2588 right thing to do:
2590 (qaa << bb)
2592 However if the shift amount is undefined then the whole result
2593 is undefined. Hence need:
2595 (qaa << bb) `UifU` PCast(qbb)
2597 If the shift amount bb is a literal than qbb will say 'all defined'
2598 and the UifU and PCast will get folded out by post-instrumentation
2599 optimisation.
2600 */
2602 IRType ty,
2603 IROp original_op,
2606 {
2613 return
2619 )
2620 );
2621 }
2624 /*------------------------------------------------------------*/
2625 /*--- Helpers for dealing with vector primops. ---*/
2626 /*------------------------------------------------------------*/
2628 /* Vector pessimisation -- pessimise within each lane individually. */
2631 {
2633 }
2636 {
2638 }
2641 {
2643 }
2646 {
2648 }
2651 {
2653 }
2656 {
2658 }
2661 {
2663 }
2666 {
2668 }
2671 {
2673 }
2676 {
2678 }
2681 {
2683 }
2686 {
2688 }
2691 {
2693 }
2696 {
2698 }
2701 /* Here's a simple scheme capable of handling ops derived from SSE1
2702 code and while only generating ops that can be efficiently
2703 implemented in SSE1. */
2705 /* All-lanes versions are straightforward:
2707 binary32Fx4(x,y) ==> PCast32x4(UifUV128(x#,y#))
2709 unary32Fx4(x,y) ==> PCast32x4(x#)
2711 Lowest-lane-only versions are more complex:
2713 binary32F0x4(x,y) ==> SetV128lo32(
2714 x#,
2715 PCast32(V128to32(UifUV128(x#,y#)))
2716 )
2718 This is perhaps not so obvious. In particular, it's faster to
2719 do a V128-bit UifU and then take the bottom 32 bits than the more
2720 obvious scheme of taking the bottom 32 bits of each operand
2721 and doing a 32-bit UifU. Basically since UifU is fast and
2722 chopping lanes off vector values is slow.
2724 Finally:
2726 unary32F0x4(x) ==> SetV128lo32(
2727 x#,
2728 PCast32(V128to32(x#))
2729 )
2731 Where:
2733 PCast32(v#) = 1Sto32(CmpNE32(v#,0))
2734 PCast32x4(v#) = CmpNEZ32x4(v#)
2735 */
2737 static
2739 {
2746 }
2748 static
2750 {
2755 }
2757 static
2759 {
2768 }
2770 static
2772 {
2779 }
2781 /* --- ... and ... 64Fx2 versions of the same ... --- */
2783 static
2785 {
2792 }
2794 static
2796 {
2801 }
2803 static
2805 {
2814 }
2816 static
2818 {
2825 }
2827 /* --- --- ... and ... 16Fx8 versions of the same --- --- */
2829 static
2831 {
2838 }
2840 static
2842 {
2847 }
2849 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision IR is
2850 implemented.
2851 */
2853 /* --- --- ... and ... 32Fx2 versions of the same --- --- */
2855 static
2857 {
2864 }
2866 static
2868 {
2873 }
2875 /* --- ... and ... 64Fx4 versions of the same ... --- */
2877 static
2879 {
2886 }
2888 static
2890 {
2895 }
2897 /* --- ... and ... 32Fx8 versions of the same ... --- */
2899 static
2901 {
2908 }
2910 static
2912 {
2917 }
2919 /* --- 64Fx2 binary FP ops, with rounding mode --- */
2921 static
2924 {
2925 /* This is the same as binary64Fx2, except that we subsequently
2926 pessimise vRM (definedness of the rounding mode), widen to 128
2927 bits and UifU it into the result. As with the scalar cases, if
2928 the RM is a constant then it is defined and so this extra bit
2929 will get constant-folded out later. */
2930 // "do" the vector args
2932 // PCast the RM, and widen it to 128 bits
2934 // Roll it into the result
2937 }
2939 /* --- ... and ... 32Fx4 versions of the same --- */
2941 static
2944 {
2946 // PCast the RM, and widen it to 128 bits
2948 // Roll it into the result
2951 }
2953 /* --- ... and ... 64Fx4 versions of the same --- */
2955 static
2958 {
2960 // PCast the RM, and widen it to 256 bits
2962 // Roll it into the result
2965 }
2967 /* --- ... and ... 16Fx8 versions of the same --- */
2969 static
2972 {
2974 // PCast the RM, and widen it to 128 bits
2976 // Roll it into the result
2979 }
2981 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision IR is
2982 implemented.
2983 */
2985 /* --- ... and ... 32Fx8 versions of the same --- */
2987 static
2990 {
2992 // PCast the RM, and widen it to 256 bits
2994 // Roll it into the result
2997 }
2999 /* --- 64Fx2 unary FP ops, with rounding mode --- */
3001 static
3003 {
3004 /* Same scheme as binary64Fx2_w_rm. */
3005 // "do" the vector arg
3007 // PCast the RM, and widen it to 128 bits
3009 // Roll it into the result
3012 }
3014 /* --- ... and ... 32Fx4 versions of the same --- */
3016 static
3018 {
3019 /* Same scheme as binaryFx4_w_rm. */
3021 // PCast the RM, and widen it to 128 bits
3023 // Roll it into the result
3026 }
3028 /* --- ... and ... 16Fx8 versions of the same --- */
3030 static
3032 {
3033 /* Same scheme as binaryFx4_w_rm. */
3035 // PCast the RM, and widen it to 128 bits
3037 // Roll it into the result
3040 }
3042 /* --- ... and ... 32Fx8 versions of the same --- */
3044 static
3046 {
3047 /* Same scheme as unary32Fx8_w_rm. */
3049 // PCast the RM, and widen it to 256 bits
3051 // Roll it into the result
3054 }
3057 /* --- --- Vector saturated narrowing --- --- */
3059 /* We used to do something very clever here, but on closer inspection
3060 (2011-Jun-15), and in particular bug #279698, it turns out to be
3061 wrong. Part of the problem came from the fact that for a long
3062 time, the IR primops to do with saturated narrowing were
3063 underspecified and managed to confuse multiple cases which needed
3064 to be separate: the op names had a signedness qualifier, but in
3065 fact the source and destination signednesses needed to be specified
3066 independently, so the op names really need two independent
3067 signedness specifiers.
3069 As of 2011-Jun-15 (ish) the underspecification was sorted out
3070 properly. The incorrect instrumentation remained, though. That
3071 has now (2011-Oct-22) been fixed.
3073 What we now do is simple:
3075 Let the original narrowing op be QNarrowBinXtoYxZ, where Z is a
3076 number of lanes, X is the source lane width and signedness, and Y
3077 is the destination lane width and signedness. In all cases the
3078 destination lane width is half the source lane width, so the names
3079 have a bit of redundancy, but are at least easy to read.
3081 For example, Iop_QNarrowBin32Sto16Ux8 narrows 8 lanes of signed 32s
3082 to unsigned 16s.
3084 Let Vanilla(OP) be a function that takes OP, one of these
3085 saturating narrowing ops, and produces the same "shaped" narrowing
3086 op which is not saturating, but merely dumps the most significant
3087 bits. "same shape" means that the lane numbers and widths are the
3088 same as with OP.
3090 For example, Vanilla(Iop_QNarrowBin32Sto16Ux8)
3091 = Iop_NarrowBin32to16x8,
3092 that is, narrow 8 lanes of 32 bits to 8 lanes of 16 bits, by
3093 dumping the top half of each lane.
3095 So, with that in place, the scheme is simple, and it is simple to
3096 pessimise each lane individually and then apply Vanilla(OP) so as
3097 to get the result in the right "shape". If the original OP is
3098 QNarrowBinXtoYxZ then we produce
3100 Vanilla(OP)( PCast-X-to-X-x-Z(vatom1), PCast-X-to-X-x-Z(vatom2) )
3102 or for the case when OP is unary (Iop_QNarrowUn*)
3104 Vanilla(OP)( PCast-X-to-X-x-Z(vatom) )
3105 */
3106 static
3108 {
3110 /* Binary: (128, 128) -> 128 */
3121 /* Binary: (64, 64) -> 64 */
3127 /* Unary: 128 -> 64 */
3144 }
3145 }
3147 static
3150 {
3163 }
3171 }
3173 static
3176 {
3184 }
3192 }
3194 static
3197 {
3201 /* For vanilla narrowing (non-saturating), we can just apply
3202 the op directly to the V bits. */
3212 }
3213 /* Plan B: for ops that involve a saturation operation on the args,
3214 we must PCast before the vanilla narrow. */
3226 }
3231 }
3233 static
3236 {
3248 }
3253 }
3256 /* --- --- Vector integer arithmetic --- --- */
3258 /* Simple ... UifU the args and per-lane pessimise the results. */
3260 /* --- V256-bit versions --- */
3262 static
3264 {
3269 }
3271 static
3273 {
3278 }
3280 static
3282 {
3287 }
3289 static
3291 {
3296 }
3298 /* --- V128-bit versions --- */
3300 static
3302 {
3307 }
3309 static
3311 {
3316 }
3318 static
3320 {
3325 }
3327 static
3329 {
3334 }
3336 static
3338 {
3343 }
3345 /* --- 64-bit versions --- */
3347 static
3349 {
3354 }
3356 static
3358 {
3363 }
3365 static
3367 {
3372 }
3374 static
3376 {
3381 }
3383 /* --- 32-bit versions --- */
3385 static
3387 {
3392 }
3394 static
3396 {
3401 }
3404 /*------------------------------------------------------------*/
3405 /*--- Generate shadow values from all kinds of IRExprs. ---*/
3406 /*------------------------------------------------------------*/
3408 static
3410 IROp op,
3413 {
3436 /* I32(rm) x F64 x F64 x F64 -> F64 */
3441 /* I32(rm) x F32 x F32 x F32 -> F32 */
3448 /* I32(rm) x F128 x F128 x F128 -> F128 */
3451 /* V256-bit data-steering */
3456 /* I32/I64 x I8 x I8 x I8 -> I32/I64 */
3464 }
3465 }
3468 static
3470 IROp op,
3472 {
3496 /* I32(rm) x F128/D128 x F128/D128 -> F128/D128 */
3517 /* I32(rm) x F64/D64 x F64/D64 -> F64/D64 */
3521 /* I32(rm) x F64 x F64 -> I32 */
3527 /* I32(rm) x F32 x F32 -> I32 */
3531 /* I32(rm) x F16 x F16 -> I16 */
3534 /* IRRoundingMode(I32) x I8 x D64 -> D64 */
3537 /* IRRoundingMode(I32) x I8 x D128 -> D128 */
3540 /* (V128, V128, I8) -> V128 */
3544 /* (I64, I64, I8) -> I64 */
3560 /* Int 128-bit Integer three arg */
3563 /* (V128, V128, V128) -> V128 */
3566 mce,
3569 );
3571 /* Vector FP with rounding mode as the first arg */
3592 /* TODO: remaining versions of 16x4 FP ops when more of the half-precision
3593 IR is implemented.
3594 */
3619 }
3620 }
3623 static
3625 IROp op,
3628 {
3645 /* 32-bit SIMD */
3671 /* 64-bit SIMD */
3682 /* Same scheme as with all other shifts. */
3843 );
3852 );
3861 );
3863 /* 64-bit data-steering */
3890 /* Perm8x8: rearrange values in left arg using steering values from
3891 right arg. So rearrange the vbits in the same way but pessimise wrt
3892 steering values. We assume that unused bits in the steering value
3893 are defined zeros, so we can safely PCast within each lane of the the
3894 steering value without having to take precautions to avoid a
3895 dependency on those unused bits.
3897 This is also correct for PermOrZero8x8, but it is a bit subtle. For
3898 each lane, if bit 7 of the steering value is zero, then we'll steer
3899 the shadow value exactly as per Perm8x8. If that bit is one, then
3900 the operation will set the resulting (concrete) value to zero. That
3901 means it is defined, and should have a shadow value of zero. Hence
3902 in both cases (bit 7 is 0 or 1) we can self-shadow (in the same way
3903 as Perm8x8) and then pessimise against the steering values. */
3907 mce,
3910 );
3912 /* V128-bit SIMD */
3935 /* Same scheme as with all other shifts. Note: 22 Oct 05:
3936 this is wrong now, scalar shifts are done properly lazily.
3937 Vector shifts should be fixed too. */
3941 /* V x V shifts/rotates are done using the standard lazy scheme. */
3942 /* For the non-rounding variants of bi-di vector x vector
3943 shifts (the Iop_Sh.. ops, that is) we use the lazy scheme.
3944 But note that this is overly pessimistic, because in fact only
3945 the bottom 8 bits of each lane of the second argument are taken
3946 into account when shifting. So really we ought to ignore
3947 undefinedness in bits 8 and above of each lane in the
3948 second argument. */
3959 );
3971 );
3983 );
3995 );
3997 /* For the rounding variants of bi-di vector x vector shifts, the
3998 rounding adjustment can cause undefinedness to propagate through
3999 the entire lane, in the worst case. Too complex to handle
4000 properly .. just UifU the arguments and then PCast them.
4001 Suboptimal but safe. */
4076 /* PwExtUSMulQAdd8x16 is a bit subtle. The effect of it is that each
4077 16-bit chunk of the output is formed from corresponding 16-bit chunks
4078 of the input args, so we can treat it like an other binary 16x8
4079 operation. That's despite it having '8x16' in its name. */
4155 /* I128 x I128 -> I128 */
4255 /* Q-and-Qshift-by-imm-and-narrow of the form (V128, I8) -> V128.
4256 To make this simpler, do the following:
4257 * complain if the shift amount (the I8) is undefined
4258 * pcast each lane at the wide width
4259 * truncate each lane to half width
4260 * pcast the resulting 64-bit value to a single bit and use
4261 that as the least significant bit of the upper half of the
4262 result. */
4281 {
4314 }
4316 // Pessimised shift result
4317 IRAtom* shV
4319 // Narrowed, pessimised shift result
4320 IRAtom* shVnarrowed
4322 // Generates: Def--(63)--Def PCast-to-I1(narrowed)
4324 // and assemble the result
4327 }
4362 /* V128-bit data-steering */
4407 /* Perm8x16: rearrange values in left arg using steering values
4408 from right arg. So rearrange the vbits in the same way but
4409 pessimise wrt steering values. Perm32x4 ditto. */
4410 /* PermOrZero8x16: see comments above for PermOrZero8x8. */
4414 mce,
4417 );
4420 mce,
4423 );
4425 /* These two take the lower half of each 16-bit lane, sign/zero
4426 extend it to 32, and multiply together, producing a 32x4
4427 result (and implicitly ignoring half the operand bits). So
4428 treat it as a bunch of independent 16x8 operations, but then
4429 do 32-bit shifts left-right to copy the lower half results
4430 (which are all 0s or all 1s due to PCasting in binary16Ix8)
4431 into the upper half of each result lane. */
4439 }
4441 /* Same deal as Iop_MullEven16{S,U}x8 */
4449 }
4451 /* Same deal as Iop_MullEven16{S,U}x8 */
4459 }
4461 /* narrow 2xV128 into 1xV128, hi half from left arg, in a 2 x
4462 32x4 -> 16x8 laneage, discarding the upper half of each lane.
4463 Simply apply same op to the V bits, since this really no more
4464 than a data steering operation. */
4475 /* Same scheme as with all other shifts. Note: 10 Nov 05:
4476 this is wrong now, scalar shifts are done properly lazily.
4477 Vector shifts should be fixed too. */
4489 /* SHA Iops */
4495 /* I128-bit data-steering */
4499 /* V256-bit SIMD */
4509 /* V256-bit data-steering */
4513 /* Scalar floating point */
4517 /* I32(rm) x F32 -> I64 */
4521 /* I32(rm) x I64 -> F32 */
4536 /* I32(rm) x I64/F64 -> I64/F64 */
4542 /* I32(rm) x D64 -> D64 */
4548 /* I32(rm) x D128 -> D128 */
4552 /* I32(rm) x F128 -> F128 */
4559 /* I32(rm) x I64/D64 -> D64/I64 */
4568 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D32/F32 */
4577 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D64/F64 */
4587 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D128/F128 */
4591 /* I32(rm) x F16 -> F16 */
4597 /* I32(rm) x I32/F32 -> I32/F32 */
4601 /* I32(rm) x F128 -> F128 */
4608 /* First arg is I32 (rounding mode), second is F32/I32 (data). */
4613 /* First arg is I32 (rounding mode), second is F64/F32 (data). */
4647 /* First arg is I32 (rounding mode), second is F64/D64 (data). */
4651 /* First arg is I32 (rounding mode), second is D64 (data). */
4655 /* First arg is I32 (rounding mode), second is F64 (data). */
4659 /* I64 x I64 -> D64 */
4663 /* I64 x I128 -> D128 */
4678 /* F32 x F32 -> F32 */
4683 /* F64 x F64 -> F64 */
4686 /* non-FP after here */
4708 }
4716 }
4723 }
4731 }
4739 }
4746 }
4770 }
4778 }
4780 cheap_AddSub32:
4797 }
4805 }
4807 cheap_AddSub64:
4821 ////---- CmpXX64
4825 else
4828 expensive_cmp64:
4832 cheap_cmp64:
4837 ////---- CmpXX32
4841 else
4844 expensive_cmp32:
4848 cheap_cmp32:
4853 ////---- CmpXX16
4857 else
4860 expensive_cmp16:
4864 cheap_cmp16:
4867 ////---- CmpXX8
4871 else
4874 expensive_cmp8:
4877 cheap_cmp8:
4880 ////---- end CmpXX{64,32,16,8}
4886 /* Just say these all produce a defined result, regardless
4887 of their arguments. See COMMENT_ON_CasCmpEQ in this file. */
4946 do_And_Or:
4965 /* V256-bit SIMD */
4975 /* Same scheme as with all other shifts. Note: 22 Oct 05:
4976 this is wrong now, scalar shifts are done properly lazily.
4977 Vector shifts should be fixed too. */
5035 /* Perm32x8: rearrange values in left arg using steering values
5036 from right arg. So rearrange the vbits in the same way but
5037 pessimise wrt steering values. */
5040 mce,
5043 );
5045 /* Q-and-Qshift-by-vector of the form (V128, V128) -> V256.
5046 Handle the shifted results in the same way that other
5047 binary Q ops are handled, eg QSub: UifU the two args,
5048 then pessimise -- which is binaryNIxM. But for the upper
5049 V128, we require to generate just 1 bit which is the
5050 pessimised shift result, with 127 defined zeroes above it.
5052 Note that this overly pessimistic in that in fact only the
5053 bottom 8 bits of each lane of the second arg determine the shift
5054 amount. Really we ought to ignore any undefinedness in the
5055 rest of the lanes of the second arg. */
5064 {
5065 // The function to generate the pessimised shift result
5094 }
5096 // Pessimised shift result, shV[127:0]
5098 // Generates: Def--(127)--Def PCast-to-I1(shV)
5100 // and assemble the result
5103 }
5106 // First, PCast the input vector, retaining the 32x4 format.
5108 // Now truncate each 32 bit lane to 16 bits. Since we already PCasted
5109 // the input, we're not going to lose any information.
5110 IRAtom* pcHI64
5112 IRAtom* pcLO64
5114 IRAtom* narrowed
5117 // Finally, roll in any badness from the rounding mode.
5120 }
5123 // Same scheme as for Iop_F32toF16x4.
5125 IRAtom* pcHI128
5128 IRAtom* pcLO128
5131 IRAtom* narrowed
5134 // Finally, roll in any badness from the rounding mode.
5137 }
5142 }
5143 }
5146 static
5148 {
5149 /* For the widening operations {8,16,32}{U,S}to{16,32,64}, the
5150 selection of shadow operation implicitly duplicates the logic in
5151 do_shadow_LoadG and should be kept in sync (in the very unlikely
5152 event that the interpretation of such widening ops changes in
5153 future). See comment in do_shadow_LoadG. */
5211 // These are self-shadowing.
5255 // FIXME JRS 2018-Nov-15. This is surely not correct!
5323 // PopCount32: this is slightly pessimistic. It is true that the
5324 // result depends on all input bits, so that aspect of the PCast is
5325 // correct. However, regardless of the input, only the lowest 5 bits
5326 // out of the output can ever be undefined. So we could actually
5327 // "improve" the results here by marking the top 27 bits of output as
5328 // defined. A similar comment applies for PopCount64.
5334 // These are self-shadowing.
5360 // These are self-shadowing.
5373 // These are self-shadowing.
5383 // These are self-shadowing.
5406 // FIXME JRS 2018-Nov-15. This is surely not correct!
5472 // This is self-shadowing.
5490 // JRS FIXME 2019 Mar 17: per comments on F16toF32x4, this is probably not
5491 // right.
5504 // JRS 2019 Mar 17: this definitely isn't right, but it probably works
5505 // OK by accident if -- as seems likely -- the F16 to F32 conversion
5506 // preserves will generate an output 32 bits with at least one 1 bit
5507 // set if there's one or more 1 bits set in the input 16 bits. More
5508 // correct code for this is just below, but commented out, so as to
5509 // avoid short-term backend failures on targets that can't do
5510 // Iop_Interleave{LO,HI}16x4.
5514 // PCast the input at 16x8. This makes each lane hold either all
5515 // zeroes or all ones.
5517 // Now double the width of each lane to 32 bits. Because the lanes are
5518 // all zeroes or all ones, we can just copy the each lane twice into
5519 // the result. Here's the low half:
5523 // And the high half:
5527 // Glue them back together:
5530 }
5532 // See comment just above, for Iop_F16toF32x4
5533 //case Iop_F16toF32x4: {
5534 // // Same scheme as F16toF32x4
5535 // IRAtom* pcasted = mkPCast16x4(mce, vatom); // :: I16x4
5536 // IRAtom* widenedLO // :: I32x2
5537 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveLO16x4,
5538 // pcasted, pcasted));
5539 // IRAtom* widenedHI // :: I32x4
5540 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveHI16x4,
5541 // pcasted, pcasted));
5542 // // Glue them back together:
5543 // return assignNew('V', mce, Ity_V128, binop(Iop_64HLtoV128,
5544 // widenedHI, widenedLO));
5545 //}
5585 }
5586 }
5589 /* Worker function -- do not call directly. See comments on
5590 expr2vbits_Load for the meaning of |guard|.
5592 Generates IR to (1) perform a definedness test of |addr|, (2)
5593 perform a validity test of |addr|, and (3) return the Vbits for the
5594 location indicated by |addr|. All of this only happens when
5595 |guard| is NULL or |guard| evaluates to True at run time.
5597 If |guard| evaluates to False at run time, the returned value is
5598 the IR-mandated 0x55..55 value, and no checks nor shadow loads are
5599 performed.
5601 The definedness of |guard| itself is not checked. That is assumed
5602 to have been done before this point, by the caller. */
5603 static
5607 {
5611 /* First, emit a definedness test for the address. This also sets
5612 the address (shadow) to 'defined' following the test. */
5615 /* Now cook up a call to the relevant helper function, to read the data V
5616 bits from shadow memory. Note that I128 loads are done by pretending
5617 we're doing a V128 load, and then converting the resulting V128 vbits
5618 word to an I128, right at the end of this function -- see `castedToI128`
5619 below. (It's only a minor hack :-) This pertains to bug 444399. */
5651 }
5676 }
5677 }
5682 /* Generate the actual address into addrAct. */
5687 IROp mkAdd;
5694 }
5696 /* We need to have a place to park the V bits we're just about to
5697 read. */
5700 /* Here's the call. */
5712 }
5717 /* Ideally the didn't-happen return value here would be all-ones
5718 (all-undefined), so it'd be obvious if it got used
5719 inadvertently. We can get by with the IR-mandated default
5720 value (0b01 repeating, 0x55 etc) as that'll still look pretty
5721 undefined if it ever leaks out. */
5722 }
5726 IRAtom* castedToI128
5732 }
5733 }
5736 /* Generate IR to do a shadow load. The helper is expected to check
5737 the validity of the address and return the V bits for that address.
5738 This can optionally be controlled by a guard, which is assumed to
5739 be True if NULL. In the case where the guard is False at runtime,
5740 the helper will return the didn't-do-the-call value of 0x55..55.
5741 Since that means "completely undefined result", the caller of
5742 this function will need to fix up the result somehow in that
5743 case.
5745 Caller of this function is also expected to have checked the
5746 definedness of |guard| before this point.
5747 */
5748 static
5753 {
5766 }
5767 }
5770 /* The most general handler for guarded loads. Assumes the
5771 definedness of GUARD has already been checked by the caller. A
5772 GUARD of NULL is assumed to mean "always True". Generates code to
5773 check the definedness and validity of ADDR.
5775 Generate IR to do a shadow load from ADDR and return the V bits.
5776 The loaded type is TY. The loaded data is then (shadow) widened by
5777 using VWIDEN, which can be Iop_INVALID to denote a no-op. If GUARD
5778 evaluates to False at run time then the returned Vbits are simply
5779 VALT instead. Note therefore that the argument type of VWIDEN must
5780 be TY and the result type of VWIDEN must equal the type of VALT.
5781 */
5782 static
5788 {
5789 /* Sanity check the conversion operation, and also set TYWIDE. */
5800 }
5802 /* If the guard evaluates to True, this will hold the loaded V bits
5803 at TY. If the guard evaluates to False, this will be all
5804 ones, meaning "all undefined", in which case we will have to
5805 replace it using an ITE below. */
5806 IRAtom* iftrue1
5809 /* Now (shadow-) widen the loaded V bits to the desired width. In
5810 the guard-is-False case, the allowable widening operators will
5811 in the worst case (unsigned widening) at least leave the
5812 pre-widened part as being marked all-undefined, and in the best
5813 case (signed widening) mark the whole widened result as
5814 undefined. Anyway, it doesn't matter really, since in this case
5815 we will replace said value with the default value |valt| using an
5816 ITE. */
5817 IRAtom* iftrue2
5819 ? iftrue1
5821 /* These are the V bits we will return if the load doesn't take
5822 place. */
5823 IRAtom* iffalse
5825 /* Prepare the cond for the ITE. Convert a NULL cond into
5826 something that iropt knows how to fold out later. */
5827 IRAtom* cond
5829 /* And assemble the final result. */
5831 }
5834 /* A simpler handler for guarded loads, in which there is no
5835 conversion operation, and the default V bit return (when the guard
5836 evaluates to False at runtime) is "all defined". If there is no
5837 guard expression or the guard is always TRUE this function behaves
5838 like expr2vbits_Load. It is assumed that definedness of GUARD has
5839 already been checked at the call site. */
5840 static
5845 {
5848 );
5849 }
5852 static
5855 {
5857 IRType ty;
5858 /* Given ITE(cond, iftrue, iffalse), generate
5859 ITE(cond, iftrue#, iffalse#) `UifU` PCast(cond#)
5860 That is, steer the V bits like the originals, but trash the
5861 result if the steering value is undefined. This gives
5862 lazy propagation. */
5872 return
5876 }
5878 /* --------- This is the main expression-handling function. --------- */
5880 static
5883 {
5901 mce,
5905 );
5909 mce,
5913 );
5917 mce,
5920 hu
5921 );
5946 }
5947 }
5950 /*------------------------------------------------------------*/
5951 /*--- Generate shadow stmts from all kinds of IRStmts. ---*/
5952 /*------------------------------------------------------------*/
5954 /* Widen a value to the host word size. */
5956 static
5958 {
5961 /* vatom is vbits-value and as such can only have a shadow type. */
5977 }
5991 }
5994 }
5995 unhandled:
5998 }
6001 /* Generate a shadow store. |addr| is always the original address
6002 atom. You can pass in either originals or V-bits for the data
6003 atom, but obviously not both. This function generates a check for
6004 the definedness and (indirectly) the validity of |addr|, but only
6005 when |guard| evaluates to True at run time (or is NULL).
6007 |guard| :: Ity_I1 controls whether the store really happens; NULL
6008 means it unconditionally does. Note that |guard| itself is not
6009 checked for definedness; the caller of this function must do that
6010 if necessary.
6011 */
6012 static
6014 IREndness end,
6018 {
6019 IROp mkAdd;
6037 }
6045 }
6049 // If we're not doing undefined value checking, pretend that this value
6050 // is "all valid". That lets Vex's optimiser remove some of the V bit
6051 // shadow computation ops that precede it.
6064 }
6066 }
6068 /* First, emit a definedness test for the address. This also sets
6069 the address (shadow) to 'defined' following the test. Both of
6070 those actions are gated on |guard|. */
6073 /* Now decide which helper function to call to write the data V
6074 bits into shadow memory. */
6093 }
6109 /* Note, no V256 case here, because no big-endian target that
6110 we support, has 256 vectors. */
6112 }
6113 }
6117 /* V256-bit case -- phrased in terms of 64 bit units (Qs), with
6118 Q3 being the most significant lane. */
6119 /* These are the offsets of the Qs in memory. */
6122 /* Various bits for constructing the 4 lane helper calls */
6132 }
6141 );
6150 );
6159 );
6168 );
6182 }
6185 /* V128/I128-bit case */
6186 /* See comment in next clause re 64-bit regparms */
6187 /* also, need to be careful about endianness */
6202 }
6210 }
6219 );
6227 );
6240 /* 8/16/32/64-bit cases */
6241 /* Generate the actual address into addrAct. */
6247 }
6250 /* We can't do this with regparm 2 on 32-bit platforms, since
6251 the back ends aren't clever enough to handle 64-bit
6252 regparm args. Therefore be different. */
6257 );
6264 );
6265 }
6269 }
6271 }
6274 /* Do lazy pessimistic propagation through a dirty helper call, by
6275 looking at the annotations on it. This is the most complex part of
6276 Memcheck. */
6279 {
6286 }
6287 }
6289 static
6291 {
6295 IRTemp dst;
6296 IREndness end;
6298 /* What's the native endianness? We need to know this. */
6299 # if defined(VG_BIGENDIAN)
6301 # elif defined(VG_LITTLEENDIAN)
6303 # else
6305 # endif
6307 /* First check the guard. */
6310 /* Now round up all inputs and PCast over them. */
6313 /* Inputs: unmasked args
6314 Note: arguments are evaluated REGARDLESS of the guard expression */
6319 /* ignore this arg */
6323 }
6324 }
6326 /* Inputs: guest state that we read. */
6332 /* Enumerate the described state segments */
6337 /* Ignore any sections marked as 'always defined'. */
6343 }
6345 /* This state element is read or modified. So we need to
6346 consider it. If larger than 8 bytes, deal with it in
6347 8-byte chunks. */
6352 /* update 'curr' with UifU of the state slice
6353 gOff .. gOff+n-1 */
6356 /* Observe the guard expression. If it is false use an
6357 all-bits-defined bit pattern */
6370 }
6371 }
6372 }
6374 /* Inputs: memory. First set up some info needed regardless of
6375 whether we're doing reads or writes. */
6378 /* Because we may do multiple shadow loads/stores from the same
6379 base address, it's best to do a single test of its
6380 definedness right now. Post-instrumentation optimisation
6381 should remove all but this test. */
6382 IRType tyAddr;
6389 }
6391 /* Deal with memory inputs (reads or modifies) */
6394 /* chew off 32-bit chunks. We don't care about the endianness
6395 since it's all going to be condensed down to a single bit,
6396 but nevertheless choose an endianness which is hopefully
6397 native to the platform. */
6403 );
6406 }
6407 /* chew off 16-bit chunks */
6413 );
6416 }
6417 /* chew off the remaining 8-bit chunk, if any */
6423 );
6426 }
6428 }
6430 /* Whew! So curr is a 32-bit V-value summarising pessimistically
6431 all the inputs to the helper. Now we need to re-distribute the
6432 results to all destinations. */
6434 /* Outputs: the destination temporary, if there is one. */
6439 }
6441 /* Outputs: guest state that we write or modify. */
6447 /* Enumerate the described state segments */
6452 /* Ignore any sections marked as 'always defined'. */
6456 /* This state element is written or modified. So we need to
6457 consider it. If larger than 8 bytes, deal with it in
6458 8-byte chunks. */
6463 /* Write suitably-casted 'curr' to the state slice
6464 gOff .. gOff+n-1 */
6471 }
6472 }
6473 }
6475 /* Outputs: memory that we write or modify. Same comments about
6476 endianness as above apply. */
6479 /* chew off 32-bit chunks */
6486 }
6487 /* chew off 16-bit chunks */
6494 }
6495 /* chew off the remaining 8-bit chunk, if any */
6502 }
6504 }
6506 }
6509 /* We have an ABI hint telling us that [base .. base+len-1] is to
6510 become undefined ("writable"). Generate code to call a helper to
6511 notify the A/V bit machinery of this fact.
6513 We call
6514 void MC_(helperc_MAKE_STACK_UNINIT) ( Addr base, UWord len,
6515 Addr nia );
6516 */
6517 static
6519 {
6528 );
6530 /* We ignore the supplied nia, since it is irrelevant. */
6532 /* Special-case the len==128 case, since that is for amd64-ELF,
6533 which is a very common target. */
6540 );
6547 );
6548 }
6549 }
6552 }
6555 /* ------ Dealing with IRCAS (big and complex) ------ */
6557 /* FWDS */
6569 /* Either ORIG and SHADOW are both IRExpr.RdTmps, or they are both
6570 IRExpr.Consts, else this asserts. If they are both Consts, it
6571 doesn't do anything. So that just leaves the RdTmp case.
6573 In which case: this assigns the shadow value SHADOW to the IR
6574 shadow temporary associated with ORIG. That is, ORIG, being an
6575 original temporary, will have a shadow temporary associated with
6576 it. However, in the case envisaged here, there will so far have
6577 been no IR emitted to actually write a shadow value into that
6578 temporary. What this routine does is to (emit IR to) copy the
6579 value in SHADOW into said temporary, so that after this call,
6580 IRExpr.RdTmps of ORIG's shadow temp will correctly pick up the
6581 value in SHADOW.
6583 Point is to allow callers to compute "by hand" a shadow value for
6584 ORIG, and force it to be associated with ORIG.
6586 How do we know that that shadow associated with ORIG has not so far
6587 been assigned to? Well, we don't per se know that, but supposing
6588 it had. Then this routine would create a second assignment to it,
6589 and later the IR sanity checker would barf. But that never
6590 happens. QED.
6591 */
6595 {
6606 shadow);
6610 shadow);
6611 }
6615 }
6616 }
6619 static
6621 {
6622 /* Scheme is (both single- and double- cases):
6624 1. fetch data#,dataB (the proposed new value)
6626 2. fetch expd#,expdB (what we expect to see at the address)
6628 3. check definedness of address
6630 4. load old#,oldB from shadow memory; this also checks
6631 addressibility of the address
6633 5. the CAS itself
6635 6. compute "expected == old". See COMMENT_ON_CasCmpEQ below.
6637 7. if "expected == old" (as computed by (6))
6638 store data#,dataB to shadow memory
6640 Note that 5 reads 'old' but 4 reads 'old#'. Similarly, 5 stores
6641 'data' but 7 stores 'data#'. Hence it is possible for the
6642 shadow data to be incorrectly checked and/or updated:
6644 * 7 is at least gated correctly, since the 'expected == old'
6645 condition is derived from outputs of 5. However, the shadow
6646 write could happen too late: imagine after 5 we are
6647 descheduled, a different thread runs, writes a different
6648 (shadow) value at the address, and then we resume, hence
6649 overwriting the shadow value written by the other thread.
6651 Because the original memory access is atomic, there's no way to
6652 make both the original and shadow accesses into a single atomic
6653 thing, hence this is unavoidable.
6655 At least as Valgrind stands, I don't think it's a problem, since
6656 we're single threaded *and* we guarantee that there are no
6657 context switches during the execution of any specific superblock
6658 -- context switches can only happen at superblock boundaries.
6660 If Valgrind ever becomes MT in the future, then it might be more
6661 of a problem. A possible kludge would be to artificially
6662 associate with the location, a lock, which we must acquire and
6663 release around the transaction as a whole. Hmm, that probably
6664 would't work properly since it only guards us against other
6665 threads doing CASs on the same location, not against other
6666 threads doing normal reads and writes.
6668 ------------------------------------------------------------
6670 COMMENT_ON_CasCmpEQ:
6672 Note two things. Firstly, in the sequence above, we compute
6673 "expected == old", but we don't check definedness of it. Why
6674 not? Also, the x86 and amd64 front ends use
6675 Iop_CasCmp{EQ,NE}{8,16,32,64} comparisons to make the equivalent
6676 determination (expected == old ?) for themselves, and we also
6677 don't check definedness for those primops; we just say that the
6678 result is defined. Why? Details follow.
6680 x86/amd64 contains various forms of locked insns:
6681 * lock prefix before all basic arithmetic insn;
6682 eg lock xorl %reg1,(%reg2)
6683 * atomic exchange reg-mem
6684 * compare-and-swaps
6686 Rather than attempt to represent them all, which would be a
6687 royal PITA, I used a result from Maurice Herlihy
6688 (http://en.wikipedia.org/wiki/Maurice_Herlihy), in which he
6689 demonstrates that compare-and-swap is a primitive more general
6690 than the other two, and so can be used to represent all of them.
6691 So the translation scheme for (eg) lock incl (%reg) is as
6692 follows:
6694 again:
6695 old = * %reg
6696 new = old + 1
6697 atomically { if (* %reg == old) { * %reg = new } else { goto again } }
6699 The "atomically" is the CAS bit. The scheme is always the same:
6700 get old value from memory, compute new value, atomically stuff
6701 new value back in memory iff the old value has not changed (iow,
6702 no other thread modified it in the meantime). If it has changed
6703 then we've been out-raced and we have to start over.
6705 Now that's all very neat, but it has the bad side effect of
6706 introducing an explicit equality test into the translation.
6707 Consider the behaviour of said code on a memory location which
6708 is uninitialised. We will wind up doing a comparison on
6709 uninitialised data, and mc duly complains.
6711 What's difficult about this is, the common case is that the
6712 location is uncontended, and so we're usually comparing the same
6713 value (* %reg) with itself. So we shouldn't complain even if it
6714 is undefined. But mc doesn't know that.
6716 My solution is to mark the == in the IR specially, so as to tell
6717 mc that it almost certainly compares a value with itself, and we
6718 should just regard the result as always defined. Rather than
6719 add a bit to all IROps, I just cloned Iop_CmpEQ{8,16,32,64} into
6720 Iop_CasCmpEQ{8,16,32,64} so as not to disturb anything else.
6722 So there's always the question of, can this give a false
6723 negative? eg, imagine that initially, * %reg is defined; and we
6724 read that; but then in the gap between the read and the CAS, a
6725 different thread writes an undefined (and different) value at
6726 the location. Then the CAS in this thread will fail and we will
6727 go back to "again:", but without knowing that the trip back
6728 there was based on an undefined comparison. No matter; at least
6729 the other thread won the race and the location is correctly
6730 marked as undefined. What if it wrote an uninitialised version
6731 of the same value that was there originally, though?
6733 etc etc. Seems like there's a small corner case in which we
6734 might lose the fact that something's defined -- we're out-raced
6735 in between the "old = * reg" and the "atomically {", _and_ the
6736 other thread is writing in an undefined version of what's
6737 already there. Well, that seems pretty unlikely.
6739 ---
6741 If we ever need to reinstate it .. code which generates a
6742 definedness test for "expected == old" was removed at r10432 of
6743 this file.
6744 */
6749 }
6750 }
6754 {
6759 IROp opCasCmpEQ;
6760 Int elemSzB;
6761 IRType elemTy;
6764 /* single CAS */
6776 }
6778 /* 1. fetch data# (the proposed new value) */
6780 vdataLo
6784 bdataLo
6787 }
6789 /* 2. fetch expected# (what we expect to see at the address) */
6791 vexpdLo
6795 bexpdLo
6798 }
6800 /* 3. check definedness of address */
6801 /* 4. fetch old# from shadow memory; this also checks
6802 addressibility of the address */
6803 voldLo
6807 mce,
6809 NULL/*always happens*/
6810 ));
6813 boldLo
6817 }
6819 /* 5. the CAS itself */
6822 /* 6. compute "expected == old" */
6823 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6824 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6825 tree, but it's not copied from the input block. */
6826 expd_eq_old
6830 /* 7. if "expected == old"
6831 store data# to shadow memory */
6839 }
6840 }
6844 {
6855 IRType elemTy;
6858 /* double CAS */
6883 }
6885 /* 1. fetch data# (the proposed new value) */
6888 vdataHi
6890 vdataLo
6895 bdataHi
6897 bdataLo
6901 }
6903 /* 2. fetch expected# (what we expect to see at the address) */
6906 vexpdHi
6908 vexpdLo
6913 bexpdHi
6915 bexpdLo
6919 }
6921 /* 3. check definedness of address */
6922 /* 4. fetch old# from shadow memory; this also checks
6923 addressibility of the address */
6931 }
6932 voldHi
6936 mce,
6938 NULL/*always happens*/
6939 ));
6940 voldLo
6944 mce,
6946 NULL/*always happens*/
6947 ));
6951 boldHi
6955 boldLo
6961 }
6963 /* 5. the CAS itself */
6966 /* 6. compute "expected == old" */
6967 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6968 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6969 tree, but it's not copied from the input block. */
6970 /*
6971 xHi = oldHi ^ expdHi;
6972 xLo = oldLo ^ expdLo;
6973 xHL = xHi | xLo;
6974 expd_eq_old = xHL == 0;
6975 */
6982 expd_eq_old
6986 /* 7. if "expected == old"
6987 store data# to shadow memory */
7001 }
7002 }
7005 /* ------ Dealing with LL/SC (not difficult) ------ */
7008 IREndness stEnd,
7009 IRTemp stResult,
7012 {
7013 /* In short: treat a load-linked like a normal load followed by an
7014 assignment of the loaded (shadow) data to the result temporary.
7015 Treat a store-conditional like a normal store, and mark the
7016 result temporary as defined. */
7025 /* Load Linked */
7026 /* Just treat this as a normal load, followed by an assignment of
7027 the value to .result. */
7028 /* Stay sane */
7036 /* Store Conditional */
7037 /* Stay sane */
7039 stStoredata);
7044 stStoredata,
7047 /* This is a store conditional, so it writes to .result a value
7048 indicating whether or not the store succeeded. Just claim
7049 this value is always defined. In the PowerPC interpretation
7050 of store-conditional, definedness of the success indication
7051 depends on whether the address of the store matches the
7052 reservation address. But we can't tell that here (and
7053 anyway, we're not being PowerPC-specific). At least we are
7054 guaranteed that the definedness of the store address, and its
7055 addressibility, will be checked as per normal. So it seems
7056 pretty safe to just say that the success indication is always
7057 defined.
7059 In schemeS, for origin tracking, we must correspondingly set
7060 a no-origin value for the origin shadow of .result.
7061 */
7064 }
7065 }
7068 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7071 {
7073 /* do_shadow_Store will generate code to check the definedness and
7074 validity of sg->addr, in the case where sg->guard evaluates to
7075 True at run-time. */
7081 }
7084 {
7086 /* expr2vbits_Load_guarded_General will generate code to check the
7087 definedness and validity of lg->addr, in the case where
7088 lg->guard evaluates to True at run-time. */
7090 /* Look at the LoadG's built-in conversion operation, to determine
7091 the source (actual loaded data) type, and the equivalent IROp.
7092 NOTE that implicitly we are taking a widening operation to be
7093 applied to original atoms and producing one that applies to V
7094 bits. Since signed and unsigned widening are self-shadowing,
7095 this is a straight copy of the op (modulo swapping from the
7096 IRLoadGOp form to the IROp form). Note also therefore that this
7097 implicitly duplicates the logic to do with said widening ops in
7098 expr2vbits_Unop. See comment at the start of expr2vbits_Unop. */
7110 }
7112 IRAtom* vbits_alt
7114 IRAtom* vbits_final
7118 /* And finally, bind the V bits to the destination temporary. */
7120 }
7123 /*------------------------------------------------------------*/
7124 /*--- Origin tracking stuff ---*/
7125 /*------------------------------------------------------------*/
7127 /* Almost identical to findShadowTmpV. */
7129 {
7131 /* VG_(indexXA) range-checks 'orig', hence no need to check
7132 here. */
7136 IRTemp tmpB
7138 /* newTemp may cause mce->tmpMap to resize, hence previous results
7139 from VG_(indexXA) are invalid. */
7144 }
7146 }
7149 {
7151 }
7154 /* Make a guarded origin load, with no special handling in the
7155 didn't-happen case. A GUARD of NULL is assumed to mean "always
7156 True".
7158 Generate IR to do a shadow origins load from BASEADDR+OFFSET and
7159 return the otag. The loaded size is SZB. If GUARD evaluates to
7160 False at run time then the returned otag is zero.
7161 */
7165 {
7168 IRTemp bTmp;
7177 }
7202 }
7206 );
7209 /* Ideally the didn't-happen return value here would be
7210 all-zeroes (unknown-origin), so it'd be harmless if it got
7211 used inadvertently. We slum it out with the IR-mandated
7212 default value (0b01 repeating, 0x55 etc) as that'll probably
7213 trump all legitimate otags via Max32, and it's pretty
7214 obviously bogus. */
7215 }
7216 /* no need to mess with any annotations. This call accesses
7217 neither guest state nor guest memory. */
7220 /* 64-bit host */
7225 /* 32-bit host */
7227 }
7228 }
7231 /* Generate IR to do a shadow origins load from BASEADDR+OFFSET. The
7232 loaded size is SZB. The load is regarded as unconditional (always
7233 happens).
7234 */
7236 Int offset )
7237 {
7239 }
7242 /* The most general handler for guarded origin loads. A GUARD of NULL
7243 is assumed to mean "always True".
7245 Generate IR to do a shadow origin load from ADDR+BIAS and return
7246 the B bits. The loaded type is TY. If GUARD evaluates to False at
7247 run time then the returned B bits are simply BALT instead.
7248 */
7249 static
7251 IRType ty,
7254 {
7255 /* If the guard evaluates to True, this will hold the loaded
7256 origin. If the guard evaluates to False, this will be zero,
7257 meaning "unknown origin", in which case we will have to replace
7258 it using an ITE below. */
7259 IRAtom* iftrue
7263 /* These are the bits we will return if the load doesn't take
7264 place. */
7265 IRAtom* iffalse
7267 /* Prepare the cond for the ITE. Convert a NULL cond into
7268 something that iropt knows how to fold out later. */
7269 IRAtom* cond
7271 /* And assemble the final result. */
7273 }
7276 /* Generate a shadow origins store. guard :: Ity_I1 controls whether
7277 the store really happens; NULL means it unconditionally does. */
7281 {
7291 }
7296 }
7321 }
7325 );
7326 /* no need to mess with any annotations. This call accesses
7327 neither guest state nor guest memory. */
7330 }
7339 }
7347 }
7351 {
7360 IRType equivIntTy
7362 /* If this array is unshadowable for whatever reason, use the
7363 usual approximation. */
7370 /* Do a shadow indexed get of the same size, giving t1. Take
7371 the bottom 32 bits of it, giving t2. Compute into t3 the
7372 origin for the index (almost certainly zero, but there's
7373 no harm in being completely general here, since iropt will
7374 remove any useless code), and fold it in, giving a final
7375 value t4. */
7383 }
7385 Int i;
7392 /* Only take notice of this arg if the callee's
7393 mc-exclusion mask does not say it is to be excluded. */
7395 /* the arg is to be excluded from definedness checking.
7396 Do nothing. */
7400 /* calculate the arg's definedness, and pessimistically
7401 merge it in. */
7404 }
7405 }
7407 }
7409 Int dszB;
7411 /* assert that the B value for the address is already
7412 available (somewhere) */
7416 }
7422 }
7430 }
7436 }
7443 /* Just say these all produce a defined result,
7444 regardless of their arguments. See
7445 COMMENT_ON_CasCmpEQ in this file. */
7451 }
7452 }
7454 /*NOTREACHED*/
7455 }
7459 }
7468 );
7472 /* FIXME: this isn't an atom! */
7474 Ity_I32 );
7475 }
7477 }
7482 }
7483 }
7487 {
7488 // This is a hacked version of do_shadow_Dirty
7491 IRTemp dst;
7493 /* First check the guard. */
7496 /* Now round up all inputs and maxU32 over them. */
7498 /* Inputs: unmasked args
7499 Note: arguments are evaluated REGARDLESS of the guard expression */
7504 /* ignore this arg */
7508 }
7509 }
7511 /* Inputs: guest state that we read. */
7517 /* Enumerate the described state segments */
7522 /* Ignore any sections marked as 'always defined'. */
7528 }
7530 /* This state element is read or modified. So we need to
7531 consider it. If larger than 4 bytes, deal with it in
7532 4-byte chunks. */
7534 Int b_offset;
7538 /* update 'curr' with maxU32 of the state slice
7539 gOff .. gOff+n-1 */
7542 /* Observe the guard expression. If it is false use 0, i.e.
7543 nothing is known about the origin */
7551 Ity_I32));
7555 }
7558 }
7559 }
7560 }
7562 /* Inputs: memory */
7565 /* Because we may do multiple shadow loads/stores from the same
7566 base address, it's best to do a single test of its
7567 definedness right now. Post-instrumentation optimisation
7568 should remove all but this test. */
7572 }
7574 /* Deal with memory inputs (reads or modifies) */
7577 /* chew off 32-bit chunks. We don't care about the endianness
7578 since it's all going to be condensed down to a single bit,
7579 but nevertheless choose an endianness which is hopefully
7580 native to the platform. */
7586 }
7587 /* handle possible 16-bit excess */
7593 }
7594 /* chew off the remaining 8-bit chunk, if any */
7600 }
7602 }
7604 /* Whew! So curr is a 32-bit B-value which should give an origin
7605 of some use if any of the inputs to the helper are undefined.
7606 Now we need to re-distribute the results to all destinations. */
7608 /* Outputs: the destination temporary, if there is one. */
7612 }
7614 /* Outputs: guest state that we write or modify. */
7620 /* Enumerate the described state segments */
7625 /* Ignore any sections marked as 'always defined'. */
7629 /* This state element is written or modified. So we need to
7630 consider it. If larger than 4 bytes, deal with it in
7631 4-byte chunks. */
7633 Int b_offset;
7637 /* Write 'curr' to the state slice gOff .. gOff+n-1 */
7641 /* If the guard expression evaluates to false we simply Put
7642 the value that is already stored in the guest state slot */
7650 Ity_I32));
7656 curr ));
7657 }
7660 }
7661 }
7662 }
7664 /* Outputs: memory that we write or modify. Same comments about
7665 endianness as above apply. */
7668 /* chew off 32-bit chunks */
7673 }
7674 /* handle possible 16-bit excess */
7679 }
7680 /* chew off the remaining 8-bit chunk, if any */
7685 }
7687 }
7688 }
7691 /* Generate IR for origin shadowing for a general guarded store. */
7693 IREndness stEnd,
7697 {
7698 Int dszB;
7700 /* assert that the B value for the address is already available
7701 (somewhere), since the call to schemeE will want to see it.
7702 XXXX how does this actually ensure that?? */
7708 }
7711 /* Generate IR for origin shadowing for a plain store. */
7713 IREndness stEnd,
7716 {
7719 }
7722 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7725 {
7728 }
7731 {
7742 }
7743 IRAtom* ori_alt
7745 IRAtom* ori_final
7749 /* And finally, bind the origin to the destination temporary. */
7751 }
7755 {
7761 /* The value-check instrumenter handles this - by arranging
7762 to pass the address of the next instruction to
7763 MC_(helperc_MAKE_STACK_UNINIT). This is all that needs to
7764 happen for origin tracking w.r.t. AbiHints. So there is
7765 nothing to do here. */
7773 IRType equivIntTy
7775 /* If this array is unshadowable for whatever reason,
7776 generate no code. */
7781 descr_b
7784 /* Compute a value to Put - the conjoinment of the origin for
7785 the data to be Put-ted (obviously) and of the index value
7786 (not so obviously). */
7794 }
7815 /* In short: treat a load-linked like a normal load followed
7816 by an assignment of the loaded (shadow) data the result
7817 temporary. Treat a store-conditional like a normal store,
7818 and mark the result temporary as defined. */
7820 /* Load Linked */
7821 IRType resTy
7823 IRExpr* vanillaLoad
7830 /* Store conditional */
7834 /* For the rationale behind this, see comments at the
7835 place where the V-shadow for .result is constructed, in
7836 do_shadow_LLSC. In short, we regard .result as
7837 always-defined. */
7840 }
7842 }
7845 Int b_offset
7849 );
7851 /* FIXME: this isn't an atom! */
7854 }
7856 }
7873 }
7874 }
7877 /*------------------------------------------------------------*/
7878 /*--- Post-tree-build final tidying ---*/
7879 /*------------------------------------------------------------*/
7881 /* This exploits the observation that Memcheck often produces
7882 repeated conditional calls of the form
7884 Dirty G MC_(helperc_value_check0/1/4/8_fail)(UInt otag)
7886 with the same guard expression G guarding the same helper call.
7887 The second and subsequent calls are redundant. This usually
7888 results from instrumentation of guest code containing multiple
7889 memory references at different constant offsets from the same base
7890 register. After optimisation of the instrumentation, you get a
7891 test for the definedness of the base register for each memory
7892 reference, which is kinda pointless. MC_(final_tidy) therefore
7893 looks for such repeated calls and removes all but the first. */
7896 /* With some testing on perf/bz2.c, on amd64 and x86, compiled with
7897 gcc-5.3.1 -O2, it appears that 16 entries in the array are enough to
7898 get almost all the benefits of this transformation whilst causing
7899 the slide-back case to just often enough to be verifiably
7900 correct. For posterity, the numbers are:
7902 bz2-32
7904 1 4,336 (112,212 -> 1,709,473; ratio 15.2)
7905 2 4,336 (112,194 -> 1,669,895; ratio 14.9)
7906 3 4,336 (112,194 -> 1,660,713; ratio 14.8)
7907 4 4,336 (112,194 -> 1,658,555; ratio 14.8)
7908 5 4,336 (112,194 -> 1,655,447; ratio 14.8)
7909 6 4,336 (112,194 -> 1,655,101; ratio 14.8)
7910 7 4,336 (112,194 -> 1,654,858; ratio 14.7)
7911 8 4,336 (112,194 -> 1,654,810; ratio 14.7)
7912 10 4,336 (112,194 -> 1,654,621; ratio 14.7)
7913 12 4,336 (112,194 -> 1,654,678; ratio 14.7)
7914 16 4,336 (112,194 -> 1,654,494; ratio 14.7)
7915 32 4,336 (112,194 -> 1,654,602; ratio 14.7)
7916 inf 4,336 (112,194 -> 1,654,602; ratio 14.7)
7918 bz2-64
7920 1 4,113 (107,329 -> 1,822,171; ratio 17.0)
7921 2 4,113 (107,329 -> 1,806,443; ratio 16.8)
7922 3 4,113 (107,329 -> 1,803,967; ratio 16.8)
7923 4 4,113 (107,329 -> 1,802,785; ratio 16.8)
7924 5 4,113 (107,329 -> 1,802,412; ratio 16.8)
7925 6 4,113 (107,329 -> 1,802,062; ratio 16.8)
7926 7 4,113 (107,329 -> 1,801,976; ratio 16.8)
7927 8 4,113 (107,329 -> 1,801,886; ratio 16.8)
7928 10 4,113 (107,329 -> 1,801,653; ratio 16.8)
7929 12 4,113 (107,329 -> 1,801,526; ratio 16.8)
7930 16 4,113 (107,329 -> 1,801,298; ratio 16.8)
7931 32 4,113 (107,329 -> 1,800,827; ratio 16.8)
7932 inf 4,113 (107,329 -> 1,800,827; ratio 16.8)
7933 */
7935 /* Structs for recording which (helper, guard) pairs we have already
7936 seen. */
7938 #define N_TIDYING_PAIRS 16
7940 typedef
7942 Pair;
7944 typedef
7947 UInt pairsUsed;
7948 }
7949 Pairs;
7952 /* Return True if e1 and e2 definitely denote the same value (used to
7953 compare guards). Return False if unknown; False is the safe
7954 answer. Since guest registers and guest memory do not have the
7955 SSA property we must return False if any Gets or Loads appear in
7956 the expression. This implicitly assumes that e1 and e2 have the
7957 same IR type, which is always true here -- the type is Ity_I1. */
7960 {
7982 /* be lazy. Could define equality for these, but they never
7983 appear to be used. */
7988 /* be conservative - these may not give the same value each
7989 time */
7992 /* should never see this */
7993 /* fallthrough */
7999 }
8000 }
8002 /* See if 'pairs' already has an entry for (entry, guard). Return
8003 True if so. If not, add an entry. */
8005 static
8007 {
8014 }
8015 /* (guard, entry) wasn't found in the array. Add it at the end.
8016 If the array is already full, slide the entries one slot
8017 backwards. This means we will lose to ability to detect
8018 duplicates from the pair in slot zero, but that happens so
8019 rarely that it's unlikely to have much effect on overall code
8020 quality. Also, this strategy loses the check for the oldest
8021 tracked exit (memory reference, basically) and so that is (I'd
8022 guess) least likely to be re-used after this point. */
8027 }
8034 n++;
8036 }
8038 }
8041 {
8042 /* This is expensive because it happens a lot. We are checking to
8043 see whether |name| is one of the following 8 strings:
8045 MC_(helperc_value_check8_fail_no_o)
8046 MC_(helperc_value_check4_fail_no_o)
8047 MC_(helperc_value_check0_fail_no_o)
8048 MC_(helperc_value_check1_fail_no_o)
8049 MC_(helperc_value_check8_fail_w_o)
8050 MC_(helperc_value_check0_fail_w_o)
8051 MC_(helperc_value_check1_fail_w_o)
8052 MC_(helperc_value_check4_fail_w_o)
8054 To speed it up, check the common prefix just once, rather than
8055 all 8 times.
8056 */
8064 /* We still have some prefix to use */
8067 name++;
8068 prefix++;
8069 }
8071 /* Check the part after the prefix. */
8081 }
8084 {
8085 Int i;
8090 Bool alreadyPresent;
8091 Pairs pairs;
8098 /* Scan forwards through the statements. Each time a call to one
8099 of the relevant helpers is seen, check if we have made a
8100 previous call to the same helper using the same guard
8101 expression, and if so, delete the call. */
8114 /* Ok, we have a call to helperc_value_check0/1/4/8_fail with
8115 guard 'guard'. Check if we have already seen a call to this
8116 function with the same guard. If so, delete it. If not,
8117 add it to the set of calls we do know about. */
8122 }
8123 }
8129 }
8131 #undef N_TIDYING_PAIRS
8134 /*------------------------------------------------------------*/
8135 /*--- Startup assertion checking ---*/
8136 /*------------------------------------------------------------*/
8139 {
8140 /* Make a best-effort check to see that is_helperc_value_checkN_fail
8141 is working as we expect. */
8143 # define CHECK(_expected, _string) \
8144 tl_assert((_expected) == is_helperc_value_checkN_fail(_string))
8146 /* It should identify these 8, and no others, as targets. */
8156 /* Ad-hoc selection of other strings gathered via a quick test. */
8186 # undef CHECK
8187 }
8190 /*------------------------------------------------------------*/
8191 /*--- Memcheck main ---*/
8192 /*------------------------------------------------------------*/
8195 {
8215 }
8216 /* VG_(printf)("%llx\n", n); */
8217 /* Shortcuts */
8220 /* The list of bogus atoms is: */
8231 );
8232 }
8235 /* Does 'st' mention any of the literals identified/listed in
8236 isBogusAtom()? */
8238 {
8239 Int i;
8282 }
8290 }
8291 }
8309 }
8314 }
8337 unhandled:
8340 }
8341 }
8344 /* This is the pre-instrumentation analysis. It does a backwards pass over
8345 the stmts in |sb_in| to determine a HowUsed value for each tmp defined in
8346 the block.
8348 Unrelatedly, it also checks all literals in the block with |isBogusAtom|,
8349 as a positive result from that is a strong indication that we need to
8350 expensively instrument add/sub in the block. We do both analyses in one
8351 pass, even though they are independent, so as to avoid the overhead of
8352 having to traverse the whole block twice.
8354 The usage pass proceeds as follows. Let max= be the max operation in the
8355 HowUsed lattice, hence
8357 X max= Y means X = max(X, Y)
8359 then
8361 for t in original tmps . useEnv[t] = HuUnU
8363 for t used in the block's . next field
8364 useEnv[t] max= HuPCa // because jmp targets are PCast-tested
8366 for st iterating *backwards* in the block
8368 match st
8370 case "t1 = load(t2)" // case 1
8371 useEnv[t2] max= HuPCa
8373 case "t1 = add(t2, t3)" // case 2
8374 useEnv[t2] max= useEnv[t1]
8375 useEnv[t3] max= useEnv[t1]
8377 other
8378 for t in st.usedTmps // case 3
8379 useEnv[t] max= HuOth
8380 // same as useEnv[t] = HuOth
8382 The general idea is that we accumulate, in useEnv[], information about
8383 how each tmp is used. That can be updated as we work further back
8384 through the block and find more uses of it, but its HowUsed value can
8385 only ascend the lattice, not descend.
8387 Initially we mark all tmps as unused. In case (1), if a tmp is seen to
8388 be used as a memory address, then its use is at least HuPCa. The point
8389 is that for a memory address we will add instrumentation to check if any
8390 bit of the address is undefined, which means that we won't need expensive
8391 V-bit propagation through an add expression that computed the address --
8392 cheap add instrumentation will be equivalent.
8394 Note in case (1) that if we have previously seen a non-memory-address use
8395 of the tmp, then its use will already be HuOth and will be unchanged by
8396 the max= operation. And if it turns out that the source of the tmp was
8397 an add, then we'll have to expensively instrument the add, because we
8398 can't prove that, for the previous non-memory-address use of the tmp,
8399 cheap and expensive instrumentation will be equivalent.
8401 In case 2, we propagate the usage-mode of the result of an add back
8402 through to its operands. Again, we use max= so as to take account of the
8403 fact that t2 or t3 might later in the block (viz, earlier in the
8404 iteration) have been used in a way that requires expensive add
8405 instrumentation.
8407 In case 3, we deal with all other tmp uses. We assume that we'll need a
8408 result that is as accurate as possible, so we max= HuOth into its use
8409 mode. Since HuOth is the top of the lattice, that's equivalent to just
8410 setting its use to HuOth.
8412 The net result of all this is that:
8414 tmps that are used either
8415 - only as a memory address, or
8416 - only as part of a tree of adds that computes a memory address,
8417 and has no other use
8418 are marked as HuPCa, and so we can instrument their generating Add
8419 nodes cheaply, which is the whole point of this analysis
8421 tmps that are used any other way at all are marked as HuOth
8423 tmps that are unused are marked as HuUnU. We don't expect to see any
8424 since we expect that the incoming IR has had all dead assignments
8425 removed by previous optimisation passes. Nevertheless the analysis is
8426 correct even in the presence of dead tmps.
8428 A final comment on dead tmps. In case 1 and case 2, we could actually
8429 conditionalise the updates thusly:
8431 if (useEnv[t1] > HuUnU) { useEnv[t2] max= HuPCa } // case 1
8433 if (useEnv[t1] > HuUnU) { useEnv[t2] max= useEnv[t1] } // case 2
8434 if (useEnv[t1] > HuUnU) { useEnv[t3] max= useEnv[t1] } // case 2
8436 In other words, if the assigned-to tmp |t1| is never used, then there's
8437 no point in propagating any use through to its operands. That won't
8438 change the final HuPCa-vs-HuOth results, which is what we care about.
8439 Given that we expect to get dead-code-free inputs, there's no point in
8440 adding this extra refinement.
8441 */
8443 /* Helper for |preInstrumentationAnalysis|. */
8445 UInt tyenvUsed,
8447 {
8448 /* For the atom |at|, declare that for any tmp |t| in |at|, we will have
8449 seen a use of |newUse|. So, merge that info into |t|'s accumulated
8450 use info. */
8459 // The "max" operation in the lattice
8462 }
8464 // We should never get here -- it implies non-flat IR
8467 }
8468 /*NOTREACHED*/
8470 }
8476 {
8479 // We've seen no bogus literals so far.
8482 // This is calloc'd, so implicitly all entries are initialised to HuUnU.
8486 // Firstly, roll in contributions from the final dst address.
8490 // Now work backwards through the stmts.
8494 // Deal with literals.
8497 }
8499 // Deal with tmp uses.
8504 // This is the one place where we have to consider all possible
8505 // tags for |rhs|, and can't just assume it is a tmp or a const.
8508 // just propagate demand for |dst| into this tmp use.
8517 // propagate demand for |dst| through to the operands.
8523 // just say that the operands are used in some unknown way.
8528 }
8531 // All operands are used in some unknown way.
8537 }
8539 // All operands are used in some unknown way.
8546 }
8548 // The address will be checked (== PCasted).
8552 // The condition is PCasted, the then- and else-values
8553 // aren't.
8559 // The args are used in unknown ways.
8562 }
8565 // The index will be checked/PCasted (see do_shadow_GETI)
8568 }
8576 }
8578 }
8580 // The address will be checked (== PCasted). The data will be
8581 // used in some unknown way.
8586 // The guard will be checked (== PCasted)
8594 // The index will be checked/PCasted (see do_shadow_PUTI). The
8595 // data will be used in an unknown way.
8599 }
8602 // The guard will be checked (== PCasted)
8604 // The args will be used in unknown ways.
8607 }
8609 }
8612 // Address will be pcasted, everything else used as unknown
8621 }
8623 // Both exprs are used in unknown ways. TODO: can we safely
8624 // just ignore AbiHints?
8629 // We might be able to do better, and use HuPCa for the addr.
8630 // It's not immediately obvious that we can, because the address
8631 // is regarded as "used" only when the guard is true.
8637 }
8639 // Per similar comments to Ist_StoreG .. not sure whether this
8640 // is really optimal.
8646 }
8652 }
8660 }
8661 }
8664 // Return the computed use env and the bogus-atom flag.
8670 }
8679 {
8683 MCEnv mce;
8687 /* We don't currently support this case. */
8689 }
8691 /* Check we're not completely nuts */
8702 /* Set up SB */
8705 /* Set up the running environment. Both .sb and .tmpMap are
8706 modified as we go along. Note that tmps are added to both
8707 .sb->tyenv and .tmpMap together, so the valid index-set for
8708 those two arrays should always be identical. */
8716 /* BEGIN decide on expense levels for instrumentation. */
8718 /* Initially, select the cheap version of everything for which we have an
8719 option. */
8722 /* Take account of the --expensive-definedness-checks= flag. */
8724 /* We just selected 'cheap for everything', so we don't need to do
8725 anything here. mce.tmpHowUsed remains NULL. */
8726 }
8728 /* Select 'expensive for everything'. mce.tmpHowUsed remains NULL. */
8730 }
8733 /* We'll make our own selection, based on known per-target constraints
8734 and also on analysis of the block to be instrumented. First, set
8735 up default values for detail levels.
8737 On x86 and amd64, we'll routinely encounter code optimised by LLVM
8738 5 and above. Enable accurate interpretation of the following.
8739 LLVM uses adds for some bitfield inserts, and we get a lot of false
8740 errors if the cheap interpretation is used, alas. Could solve this
8741 much better if we knew which of such adds came from x86/amd64 LEA
8742 instructions, since these are the only ones really needing the
8743 expensive interpretation, but that would require some way to tag
8744 them in the _toIR.c front ends, which is a lot of faffing around.
8745 So for now we use preInstrumentationAnalysis() to detect adds which
8746 are used only to construct memory addresses, which is an
8747 approximation to the above, and is self-contained.*/
8748 # if defined(VGA_x86)
8752 # elif defined(VGA_amd64)
8758 # elif defined(VGA_ppc64le)
8759 // Needed by (at least) set_AV_CR6() in the front end.
8761 # elif defined(VGA_arm64)
8764 # elif defined(VGA_arm)
8766 # endif
8768 /* preInstrumentationAnalysis() will allocate &mce.tmpHowUsed and then
8769 fill it in. */
8774 /* This happens very rarely. In this case just select expensive
8775 for everything, and throw away the tmp-use analysis results. */
8780 /* Nothing. mce.tmpHowUsed contains tmp-use analysis results,
8781 which will be used for some subset of Iop_{Add,Sub}{32,64},
8782 based on which ones are set to DLauto for this target. */
8783 }
8784 }
8789 // Debug printing: which tmps have been identified as PCast-only use
8795 }
8796 }
8798 }
8800 // Debug printing: number of ops by detail level
8807 }
8808 /* END decide on expense levels for instrumentation. */
8810 /* Initialise the running the tmp environment. */
8816 TempMapEnt ent;
8821 }
8824 /* Finally, begin instrumentation. */
8825 /* Copy verbatim any IR preamble preceding the first IMark */
8838 i++;
8839 }
8841 /* Nasty problem. IR optimisation of the pre-instrumented IR may
8842 cause the IR following the preamble to contain references to IR
8843 temporaries defined in the preamble. Because the preamble isn't
8844 instrumented, these temporaries don't have any shadows.
8845 Nevertheless uses of them following the preamble will cause
8846 memcheck to generate references to their shadows. End effect is
8847 to cause IR sanity check failures, due to references to
8848 non-existent shadows. This is only evident for the complex
8849 preambles used for function wrapping on TOC-afflicted platforms
8850 (ppc64-linux).
8852 The following loop therefore scans the preamble looking for
8853 assignments to temporaries. For each one found it creates an
8854 assignment to the corresponding (V) shadow temp, marking it as
8855 'defined'. This is the same resulting IR as if the main
8856 instrumentation loop before had been applied to the statement
8857 'tmp = CONSTANT'.
8859 Similarly, if origin tracking is enabled, we must generate an
8860 assignment for the corresponding origin (B) shadow, claiming
8861 no-origin, as appropriate for a defined value.
8862 */
8865 /* findShadowTmpV checks its arg is an original tmp;
8866 no need to assert that here. */
8875 }
8880 }
8881 }
8882 }
8884 /* Iterate over the remaining stmts to generate instrumentation. */
8900 }
8903 /* See comments on case Ist_CAS below. */
8906 }
8908 /* Generate instrumentation code for each stmt ... */
8920 }
8972 /* Note, do_shadow_CAS copies the CAS itself to the output
8973 block, because it needs to add instrumentation both
8974 before and after it. Hence skip the copy below. Also
8975 skip the origin-tracking stuff (call to schemeS) above,
8976 since that's all tangled up with it too; do_shadow_CAS
8977 does it all. */
9001 }
9003 }
9005 /* ... and finally copy the stmt itself to the output. Except,
9006 skip the copy of IRCASs; see comments on case Ist_CAS
9007 above. */
9010 }
9012 /* Now we need to complain if the jump target is undefined. */
9019 }
9028 }
9030 }
9032 /* If this fails, there's been some serious snafu with tmp management,
9033 that should be investigated. */
9039 }
9043 }
9046 /*--------------------------------------------------------------------*/
9047 /*--- end mc_translate.c ---*/
9048 /*--------------------------------------------------------------------*/