| blob | 87b8ac6886cec5b4902128c3d01d3f8104bddf40 |
2 /*--------------------------------------------------------------------*/
3 /*--- Instrument IR to perform memory checking operations. ---*/
4 /*--- mc_translate.c ---*/
5 /*--------------------------------------------------------------------*/
7 /*
8 This file is part of MemCheck, a heavyweight Valgrind tool for
9 detecting memory errors.
11 Copyright (C) 2000-2017 Julian Seward
12 jseward@acm.org
14 This program is free software; you can redistribute it and/or
15 modify it under the terms of the GNU General Public License as
16 published by the Free Software Foundation; either version 2 of the
17 License, or (at your option) any later version.
19 This program is distributed in the hope that it will be useful, but
20 WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, see <http://www.gnu.org/licenses/>.
27 The GNU General Public License is contained in the file COPYING.
28 */
44 /* FIXMEs JRS 2011-June-16.
46 Check the interpretation for vector narrowing and widening ops,
47 particularly the saturating ones. I suspect they are either overly
48 pessimistic and/or wrong.
50 Iop_QandSQsh64x2 and friends (vector-by-vector bidirectional
51 saturating shifts): the interpretation is overly pessimistic.
52 See comments on the relevant cases below for details.
54 Iop_Sh64Sx2 and friends (vector-by-vector bidirectional shifts,
55 both rounding and non-rounding variants): ditto
56 */
58 /* This file implements the Memcheck instrumentation, and in
59 particular contains the core of its undefined value detection
60 machinery. For a comprehensive background of the terminology,
61 algorithms and rationale used herein, read:
63 Using Valgrind to detect undefined value errors with
64 bit-precision
66 Julian Seward and Nicholas Nethercote
68 2005 USENIX Annual Technical Conference (General Track),
69 Anaheim, CA, USA, April 10-15, 2005.
71 ----
73 Here is as good a place as any to record exactly when V bits are and
74 should be checked, why, and what function is responsible.
77 Memcheck complains when an undefined value is used:
79 1. In the condition of a conditional branch. Because it could cause
80 incorrect control flow, and thus cause incorrect externally-visible
81 behaviour. [mc_translate.c:complainIfUndefined]
83 2. As an argument to a system call, or as the value that specifies
84 the system call number. Because it could cause an incorrect
85 externally-visible side effect. [mc_translate.c:mc_pre_reg_read]
87 3. As the address in a load or store. Because it could cause an
88 incorrect value to be used later, which could cause externally-visible
89 behaviour (eg. via incorrect control flow or an incorrect system call
90 argument) [complainIfUndefined]
92 4. As the target address of a branch. Because it could cause incorrect
93 control flow. [complainIfUndefined]
95 5. As an argument to setenv, unsetenv, or putenv. Because it could put
96 an incorrect value into the external environment.
97 [mc_replace_strmem.c:VG_WRAP_FUNCTION_ZU(*, *env)]
99 6. As the index in a GETI or PUTI operation. I'm not sure why... (njn).
100 [complainIfUndefined]
102 7. As an argument to the VALGRIND_CHECK_MEM_IS_DEFINED and
103 VALGRIND_CHECK_VALUE_IS_DEFINED client requests. Because the user
104 requested it. [in memcheck.h]
107 Memcheck also complains, but should not, when an undefined value is used:
109 8. As the shift value in certain SIMD shift operations (but not in the
110 standard integer shift operations). This inconsistency is due to
111 historical reasons.) [complainIfUndefined]
114 Memcheck does not complain, but should, when an undefined value is used:
116 9. As an input to a client request. Because the client request may
117 affect the visible behaviour -- see bug #144362 for an example
118 involving the malloc replacements in vg_replace_malloc.c and
119 VALGRIND_NON_SIMD_CALL* requests, where an uninitialised argument
120 isn't identified. That bug report also has some info on how to solve
121 the problem. [valgrind.h:VALGRIND_DO_CLIENT_REQUEST]
124 In practice, 1 and 2 account for the vast majority of cases.
125 */
127 /* Generation of addr-definedness, addr-validity and
128 guard-definedness checks pertaining to loads and stores (Iex_Load,
129 Ist_Store, IRLoadG, IRStoreG, LLSC, CAS and Dirty memory
130 loads/stores) was re-checked 11 May 2013. */
133 /*------------------------------------------------------------*/
134 /*--- Forward decls ---*/
135 /*------------------------------------------------------------*/
139 // See below for comments explaining what this is for.
140 typedef
142 HowUsed;
152 /*------------------------------------------------------------*/
153 /*--- Memcheck running state, and tmp management. ---*/
154 /*------------------------------------------------------------*/
156 /* For a few (maybe 1%) IROps, we have both a cheaper, less exact vbit
157 propagation scheme, and a more expensive, more precise vbit propagation
158 scheme. This enum describes, for such an IROp, which scheme to use. */
159 typedef
161 // Use the cheaper, less-exact variant.
163 // Choose between cheap and expensive based on analysis of the block
164 // to be instrumented. Note that the choice may be done on a
165 // per-instance basis of the IROp that this DetailLevel describes.
166 DLauto,
167 // Use the more expensive, more-exact variant.
168 DLexpensive
169 }
170 DetailLevel;
173 /* A readonly part of the running state. For IROps that have both a
174 less-exact and more-exact interpretation, records which interpretation is
175 to be used. */
176 typedef
178 // For Add32/64 and Sub32/64, all 3 settings are allowed. For the
179 // DLauto case, a per-instance decision is to be made by inspecting
180 // the associated tmp's entry in MCEnv.tmpHowUsed.
181 DetailLevel dl_Add32;
182 DetailLevel dl_Add64;
183 DetailLevel dl_Sub32;
184 DetailLevel dl_Sub64;
185 // For Cmp{EQ,NE}{64,32,16,8}, only DLcheap and DLexpensive are
186 // allowed.
187 DetailLevel dl_CmpEQ64_CmpNE64;
188 DetailLevel dl_CmpEQ32_CmpNE32;
189 DetailLevel dl_CmpEQ16_CmpNE16;
190 DetailLevel dl_CmpEQ8_CmpNE8;
191 }
192 DetailLevelByOp;
195 DetailLevel dl )
196 {
205 }
208 {
221 }
224 DetailLevel dl )
225 {
236 }
239 /* Carries info about a particular tmp. The tmp's number is not
240 recorded, as this is implied by (equal to) its index in the tmpMap
241 in MCEnv. The tmp's type is also not recorded, as this is present
242 in MCEnv.sb->tyenv.
244 When .kind is Orig, .shadowV and .shadowB may give the identities
245 of the temps currently holding the associated definedness (shadowV)
246 and origin (shadowB) values, or these may be IRTemp_INVALID if code
247 to compute such values has not yet been emitted.
249 When .kind is VSh or BSh then the tmp is holds a V- or B- value,
250 and so .shadowV and .shadowB must be IRTemp_INVALID, since it is
251 illogical for a shadow tmp itself to be shadowed.
252 */
253 typedef
255 TempKind;
257 typedef
259 TempKind kind;
260 IRTemp shadowV;
261 IRTemp shadowB;
262 }
263 TempMapEnt;
266 /* A |HowUsed| value carries analysis results about how values are used,
267 pertaining to whether we need to instrument integer adds expensively or
268 not. The running state carries a (readonly) mapping from original tmp to
269 a HowUsed value for it. A usage value can be one of three values,
270 forming a 3-point chain lattice.
272 HuOth ("Other") used in some arbitrary way
273 |
274 HuPCa ("PCast") used *only* in effectively a PCast, in which all
275 | we care about is the all-defined vs not-all-defined distinction
276 |
277 HuUnU ("Unused") not used at all.
279 The "safe" (don't-know) end of the lattice is "HuOth". See comments
280 below in |preInstrumentationAnalysis| for further details.
281 */
282 /* DECLARED ABOVE:
283 typedef
284 enum __attribute__((packed)) { HuUnU=0, HuPCa=1, HuOth=2 }
285 HowUsed;
286 */
288 // Not actually necessary, but we don't want to waste D1 space.
292 /* Carries around state during memcheck instrumentation. */
293 typedef
295 /* MODIFIED: the superblock being constructed. IRStmts are
296 added. */
298 Bool trace;
300 /* MODIFIED: a table [0 .. #temps_in_sb-1] which gives the
301 current kind and possibly shadow temps for each temp in the
302 IRSB being constructed. Note that it does not contain the
303 type of each tmp. If you want to know the type, look at the
304 relevant entry in sb->tyenv. It follows that at all times
305 during the instrumentation process, the valid indices for
306 tmpMap and sb->tyenv are identical, being 0 .. N-1 where N is
307 total number of Orig, V- and B- temps allocated so far.
309 The reason for this strange split (types in one place, all
310 other info in another) is that we need the types to be
311 attached to sb so as to make it possible to do
312 "typeOfIRExpr(mce->bb->tyenv, ...)" at various places in the
313 instrumentation process. */
316 /* READONLY: contains details of which ops should be expensively
317 instrumented. */
318 DetailLevelByOp dlbo;
320 /* READONLY: for each original tmp, how the tmp is used. This is
321 computed by |preInstrumentationAnalysis|. Valid indices are
322 0 .. #temps_in_sb-1 (same as for tmpMap). */
325 /* READONLY: the guest layout. This indicates which parts of
326 the guest state should be regarded as 'always defined'. */
329 /* READONLY: the host word type. Needed for constructing
330 arguments of type 'HWord' to be passed to helper functions.
331 Ity_I32 or Ity_I64 only. */
332 IRType hWordTy;
333 }
334 MCEnv;
337 /* SHADOW TMP MANAGEMENT. Shadow tmps are allocated lazily (on
338 demand), as they are encountered. This is for two reasons.
340 (1) (less important reason): Many original tmps are unused due to
341 initial IR optimisation, and we do not want to spaces in tables
342 tracking them.
344 Shadow IRTemps are therefore allocated on demand. mce.tmpMap is a
345 table indexed [0 .. n_types-1], which gives the current shadow for
346 each original tmp, or INVALID_IRTEMP if none is so far assigned.
347 It is necessary to support making multiple assignments to a shadow
348 -- specifically, after testing a shadow for definedness, it needs
349 to be made defined. But IR's SSA property disallows this.
351 (2) (more important reason): Therefore, when a shadow needs to get
352 a new value, a new temporary is created, the value is assigned to
353 that, and the tmpMap is updated to reflect the new binding.
355 A corollary is that if the tmpMap maps a given tmp to
356 IRTemp_INVALID and we are hoping to read that shadow tmp, it means
357 there's a read-before-write error in the original tmps. The IR
358 sanity checker should catch all such anomalies, however.
359 */
361 /* Create a new IRTemp of type 'ty' and kind 'kind', and add it to
362 both the table in mce->sb and to our auxiliary mapping. Note that
363 newTemp may cause mce->tmpMap to resize, hence previous results
364 from VG_(indexXA)(mce->tmpMap) are invalidated. */
366 {
367 Word newIx;
368 TempMapEnt ent;
376 }
379 /* Find the tmp currently shadowing the given original tmp. If none
380 so far exists, allocate one. */
382 {
384 /* VG_(indexXA) range-checks 'orig', hence no need to check
385 here. */
389 IRTemp tmpV
391 /* newTemp may cause mce->tmpMap to resize, hence previous results
392 from VG_(indexXA) are invalid. */
397 }
399 }
401 /* Allocate a new shadow for the given original tmp. This means any
402 previous shadow is abandoned. This is needed because it is
403 necessary to give a new value to a shadow once it has been tested
404 for undefinedness, but unfortunately IR's SSA property disallows
405 this. Instead we must abandon the old shadow, allocate a new one
406 and use that instead.
408 This is the same as findShadowTmpV, except we don't bother to see
409 if a shadow temp already existed -- we simply allocate a new one
410 regardless. */
412 {
414 /* VG_(indexXA) range-checks 'orig', hence no need to check
415 here. */
419 IRTemp tmpV
421 /* newTemp may cause mce->tmpMap to resize, hence previous results
422 from VG_(indexXA) are invalid. */
426 }
427 }
430 /*------------------------------------------------------------*/
431 /*--- IRAtoms -- a subset of IRExprs ---*/
432 /*------------------------------------------------------------*/
434 /* An atom is either an IRExpr_Const or an IRExpr_Tmp, as defined by
435 isIRAtom() in libvex_ir.h. Because this instrumenter expects flat
436 input, most of this code deals in atoms. Usefully, a value atom
437 always has a V-value which is also an atom: constants are shadowed
438 by constants, and temps are shadowed by the corresponding shadow
439 temporary. */
443 /* (used for sanity checks only): is this an atom which looks
444 like it's from original code? */
446 {
452 }
454 }
456 /* (used for sanity checks only): is this an atom which looks
457 like it's from shadow code? */
459 {
465 }
467 }
469 /* (used for sanity checks only): check that both args are atoms and
470 are identically-kinded. */
472 {
478 }
481 /*------------------------------------------------------------*/
482 /*--- Type management ---*/
483 /*------------------------------------------------------------*/
485 /* Shadow state is always accessed using integer types. This returns
486 an integer type with the same size (as per sizeofIRType) as the
487 given type. The only valid shadow types are Bit, I8, I16, I32,
488 I64, I128, V128, V256. */
491 {
510 }
511 }
513 /* Produce a 'defined' value of the given shadow type. Should only be
514 supplied shadow types (Bit/I8/I16/I32/UI64). */
526 }
527 }
530 /*------------------------------------------------------------*/
531 /*--- Constructing IR fragments ---*/
532 /*------------------------------------------------------------*/
534 /* add stmt to a bb */
540 }
542 }
544 /* assign value to tmp */
548 }
550 /* build various kinds of expressions */
551 #define triop(_op, _arg1, _arg2, _arg3) \
552 IRExpr_Triop((_op),(_arg1),(_arg2),(_arg3))
553 #define binop(_op, _arg1, _arg2) IRExpr_Binop((_op),(_arg1),(_arg2))
554 #define unop(_op, _arg) IRExpr_Unop((_op),(_arg))
555 #define mkU1(_n) IRExpr_Const(IRConst_U1(_n))
556 #define mkU8(_n) IRExpr_Const(IRConst_U8(_n))
557 #define mkU16(_n) IRExpr_Const(IRConst_U16(_n))
558 #define mkU32(_n) IRExpr_Const(IRConst_U32(_n))
559 #define mkU64(_n) IRExpr_Const(IRConst_U64(_n))
560 #define mkV128(_n) IRExpr_Const(IRConst_V128(_n))
561 #define mkexpr(_tmp) IRExpr_RdTmp((_tmp))
563 /* Bind the given expression to a new temporary, and return the
564 temporary. This effectively converts an arbitrary expression into
565 an atom.
567 'ty' is the type of 'e' and hence the type that the new temporary
568 needs to be. But passing it in is redundant, since we can deduce
569 the type merely by inspecting 'e'. So at least use that fact to
570 assert that the two types agree. */
572 {
573 TempKind k;
574 IRTemp t;
582 /* happens when we are making up new "orig"
583 expressions, for IRCAS handling */
585 }
589 }
592 /*------------------------------------------------------------*/
593 /*--- Helper functions for 128-bit ops ---*/
594 /*------------------------------------------------------------*/
597 {
600 }
602 /* There are no I128-bit loads and/or stores [as generated by any
603 current front ends]. So we do not need to worry about that in
604 expr2vbits_Load */
607 /*------------------------------------------------------------*/
608 /*--- Constructing definedness primitive ops ---*/
609 /*------------------------------------------------------------*/
611 /* --------- Defined-if-either-defined --------- */
617 }
623 }
629 }
635 }
641 }
647 }
653 }
655 /* --------- Undefined-if-either-undefined --------- */
661 }
667 }
673 }
679 }
685 }
699 }
705 }
711 }
725 }
726 }
728 /* --------- The Left-family of operations. --------- */
733 }
738 }
743 }
748 }
750 /* --------- The Right-family of operations. --------- */
752 /* Unfortunately these are a lot more expensive then their Left
753 counterparts. Fortunately they are only very rarely used -- only for
754 count-leading-zeroes instrumentation. */
757 {
759 // a1 |= (a1 >>u i)
760 IRAtom* tmp
763 }
765 }
768 {
770 // a1 |= (a1 >>u i)
771 IRAtom* tmp
774 }
776 }
778 /* --------- 'Improvement' functions for AND/OR. --------- */
780 /* ImproveAND(data, vbits) = data OR vbits. Defined (0) data 0s give
781 defined (0); all other -> undefined (1).
782 */
784 {
789 }
792 {
797 }
800 {
805 }
808 {
813 }
816 {
821 }
824 {
829 }
832 {
837 }
839 /* ImproveOR(data, vbits) = ~data OR vbits. Defined (0) data 1s give
840 defined (0); all other -> undefined (1).
841 */
843 {
851 vbits) );
852 }
855 {
863 vbits) );
864 }
867 {
875 vbits) );
876 }
879 {
887 vbits) );
888 }
891 {
899 vbits) );
900 }
903 {
911 vbits) );
912 }
915 {
923 vbits) );
924 }
926 /* --------- Pessimising casts. --------- */
928 /* The function returns an expression of type DST_TY. If any of the VBITS
929 is undefined (value == 1) the resulting expression has all bits set to
930 1. Otherwise, all bits are 0. */
933 {
934 IRType src_ty;
937 /* Note, dst_ty is a shadow type, not an original type. */
941 /* Fast-track some common cases */
949 /* PCast the arg, then clone it. */
952 }
955 /* PCast the arg, then clone it 4 times. */
959 }
962 /* PCast the arg, then clone it 8 times. */
967 }
970 /* PCast the arg. This gives all 0s or all 1s. Then throw away
971 the top half. */
974 }
977 /* Use InterleaveHI64x2 to copy the top half of the vector into
978 the bottom half. Then we can UifU it with the original, throw
979 away the upper half of the result, and PCast-I64-to-I64
980 the lower half. */
981 // Generates vbits[127:64] : vbits[127:64]
982 IRAtom* hi64hi64
985 // Generates
986 // UifU(vbits[127:64],vbits[127:64]) : UifU(vbits[127:64],vbits[63:0])
987 // == vbits[127:64] : UifU(vbits[127:64],vbits[63:0])
988 IRAtom* lohi64
990 // Generates UifU(vbits[127:64],vbits[63:0])
991 IRAtom* lo64
993 // Generates
994 // PCast-to-I64( UifU(vbits[127:64], vbits[63:0] )
995 // == PCast-to-I64( vbits[127:0] )
996 IRAtom* res
999 }
1001 /* Else do it the slow way .. */
1002 /* First of all, collapse vbits down to a single bit. */
1021 /* Gah. Chop it in half, OR the halves together, and compare
1022 that with zero. */
1029 }
1031 /* Chop it in half, OR the halves together, and compare that
1032 * with zero.
1033 */
1040 }
1044 }
1046 /* Now widen up to the dst type. */
1076 }
1077 }
1079 /* This is a minor variant. It takes an arg of some type and returns
1080 a value of the same type. The result consists entirely of Defined
1081 (zero) bits except its least significant bit, which is a PCast of
1082 the entire argument down to a single bit. */
1084 {
1086 /* --- Case for V128 --- */
1088 // generates: PCast-to-I64(varg128)
1090 // Now introduce zeros (defined bits) in the top 63 places
1091 // generates: Def--(63)--Def PCast-to-I1(varg128)
1092 IRAtom* d63pc
1094 // generates: Def--(64)--Def
1095 IRAtom* d64
1097 // generates: Def--(127)--Def PCast-to-I1(varg128)
1098 IRAtom* res
1101 }
1103 /* --- Case for I64 --- */
1104 // PCast to 64
1106 // Zero (Def) out the top 63 bits
1107 IRAtom* res
1110 }
1111 /*NOTREACHED*/
1113 }
1115 /* --------- Optimistic casts. --------- */
1117 /* The function takes and returns an expression of type TY. If any of the
1118 VBITS indicate defined (value == 0) the resulting expression has all bits
1119 set to 0. Otherwise, all bits are 1. In words, if any bits are defined
1120 then all bits are made to be defined.
1122 In short we compute (vbits - (vbits >>u 1)) >>s (bitsize(vbits)-1).
1123 */
1125 {
1127 UInt sh;
1145 }
1152 }
1155 /* --------- Accurate interpretation of CmpEQ/CmpNE. --------- */
1156 /*
1157 Normally, we can do CmpEQ/CmpNE by doing UifU on the arguments, and
1158 PCasting to Ity_U1. However, sometimes it is necessary to be more
1159 accurate. The insight is that the result is defined if two
1160 corresponding bits can be found, one from each argument, so that
1161 both bits are defined but are different -- that makes EQ say "No"
1162 and NE say "Yes". Hence, we compute an improvement term and DifD
1163 it onto the "normal" (UifU) result.
1165 The result is:
1167 PCastTo<1> (
1168 -- naive version
1169 UifU<sz>(vxx, vyy)
1171 `DifD<sz>`
1173 -- improvement term
1174 OCast<sz>(vec)
1175 )
1177 where
1178 vec contains 0 (defined) bits where the corresponding arg bits
1179 are defined but different, and 1 bits otherwise.
1181 vec = Or<sz>( vxx, // 0 iff bit defined
1182 vyy, // 0 iff bit defined
1183 Not<sz>(Xor<sz>( xx, yy )) // 0 iff bits different
1184 )
1186 If any bit of vec is 0, the result is defined and so the
1187 improvement term should produce 0...0, else it should produce
1188 1...1.
1190 Hence require for the improvement term:
1192 OCast(vec) = if vec == 1...1 then 1...1 else 0...0
1194 which you can think of as an "optimistic cast" (OCast, the opposite of
1195 the normal "pessimistic cast" (PCast) family. An OCast says all bits
1196 are defined if any bit is defined.
1198 It is possible to show that
1200 if vec == 1...1 then 1...1 else 0...0
1202 can be implemented in straight-line code as
1204 (vec - (vec >>u 1)) >>s (word-size-in-bits - 1)
1206 We note that vec contains the sub-term Or<sz>(vxx, vyy). Since UifU is
1207 implemented with Or (since 1 signifies undefinedness), this is a
1208 duplicate of the UifU<sz>(vxx, vyy) term and so we can CSE it out, giving
1209 a final version of:
1211 let naive = UifU<sz>(vxx, vyy)
1212 vec = Or<sz>(naive, Not<sz>(Xor<sz)(xx, yy))
1213 in
1214 PCastTo<1>( DifD<sz>(naive, OCast<sz>(vec)) )
1216 This was extensively re-analysed and checked on 6 July 05 and again
1217 in July 2017.
1218 */
1220 IRType ty,
1223 {
1265 }
1267 naive
1270 vec
1274 naive,
1280 improved
1284 final_cast
1288 }
1291 /* --------- Semi-accurate interpretation of CmpORD. --------- */
1293 /* CmpORD32{S,U} does PowerPC-style 3-way comparisons:
1295 CmpORD32S(x,y) = 1<<3 if x <s y
1296 = 1<<2 if x >s y
1297 = 1<<1 if x == y
1299 and similarly the unsigned variant. The default interpretation is:
1301 CmpORD32{S,U}#(x,y,x#,y#) = PCast(x# `UifU` y#)
1302 & (7<<1)
1304 The "& (7<<1)" reflects the fact that all result bits except 3,2,1
1305 are zero and therefore defined (viz, zero).
1307 Also deal with a special case better:
1309 CmpORD32S(x,0)
1311 Here, bit 3 (LT) of the result is a copy of the top bit of x and
1312 will be defined even if the rest of x isn't. In which case we do:
1314 CmpORD32S#(x,x#,0,{impliedly 0}#)
1315 = PCast(x#) & (3<<1) -- standard interp for GT#,EQ#
1316 | (x# >>u 31) << 3 -- LT# = x#[31]
1318 Analogous handling for CmpORD64{S,U}.
1319 */
1321 {
1322 return
1326 }
1329 {
1330 return
1334 }
1337 IROp cmp_op,
1340 {
1365 }
1368 /* fancy interpretation */
1369 /* if yy is zero, then it must be fully defined (zero#). */
1371 // This is still inaccurate, but I don't think it matters, since
1372 // nobody writes code of the form
1373 // "is <partially-undefined-value> signedly greater than zero?".
1374 // We therefore simply declare "x >s 0" to be undefined if any bit in
1375 // x is undefined. That's clearly suboptimal in some cases. Eg, if
1376 // the highest order bit is a defined 1 then x is negative so it
1377 // doesn't matter whether the remaining bits are defined or not.
1378 IRAtom* t_0_gt_0_0
1382 opAND,
1385 ));
1386 // For "x <s 0", we can just copy the definedness of the top bit of x
1387 // and we have a precise result.
1388 IRAtom* t_lt_0_0_0
1392 opSHL,
1397 ));
1398 // For "x == 0" we can hand the problem off to expensiveCmpEQorNE.
1399 IRAtom* t_0_0_eq_0
1403 opSHL,
1406 op1UtoWS,
1408 ),
1410 ));
1411 return
1413 opOR,
1415 t_0_0_eq_0
1416 );
1418 /* standard interpretation */
1420 return
1422 opAND,
1425 sevenLeft1
1426 );
1427 }
1428 }
1431 /*------------------------------------------------------------*/
1432 /*--- Emit a test and complaint if something is undefined. ---*/
1433 /*------------------------------------------------------------*/
1438 /* Set the annotations on a dirty helper to indicate that the stack
1439 pointer and instruction pointers might be read. This is the
1440 behaviour of all 'emit-a-complaint' style functions we might
1441 call. */
1455 }
1458 /* Check the supplied *original* |atom| for undefinedness, and emit a
1459 complaint if so. Once that happens, mark it as defined. This is
1460 possible because the atom is either a tmp or literal. If it's a
1461 tmp, it will be shadowed by a tmp, and so we can set the shadow to
1462 be defined. In fact as mentioned above, we will have to allocate a
1463 new tmp to carry the new 'defined' shadow value, and update the
1464 original->tmp mapping accordingly; we cannot simply assign a new
1465 value to an existing shadow tmp as this breaks SSAness.
1467 The checks are performed, any resulting complaint emitted, and
1468 |atom|'s shadow temp set to 'defined', ONLY in the case that
1469 |guard| evaluates to True at run-time. If it evaluates to False
1470 then no action is performed. If |guard| is NULL (the usual case)
1471 then it is assumed to be always-true, and hence these actions are
1472 performed unconditionally.
1474 This routine does not generate code to check the definedness of
1475 |guard|. The caller is assumed to have taken care of that already.
1476 */
1478 {
1480 IRType ty;
1481 Int sz;
1488 Int nargs;
1490 // Don't do V bit tests if we're not reporting undefined value errors.
1497 /* Since the original expression is atomic, there's no duplicated
1498 work generated by making multiple V-expressions for it. So we
1499 don't really care about the possibility that someone else may
1500 also create a V-interpretion for it. */
1508 /* sz is only used for constructing the error message */
1512 /* cond will be 0 if all defined, and 1 if any not defined. */
1514 /* Get the origin info for the value we are about to check. At
1515 least, if we are doing origin tracking. If not, use a dummy
1516 zero origin. */
1521 }
1524 }
1543 }
1556 }
1569 }
1582 }
1596 }
1600 }
1613 /* If the complaint is to be issued under a guard condition, AND
1614 that into the guard condition for the helper call. */
1620 }
1625 /* If |atom| is shadowed by an IRTemp, set the shadow tmp to be
1626 defined -- but only in the case where the guard evaluates to
1627 True at run-time. Do the update by setting the orig->shadow
1628 mapping for tmp to reflect the fact that this shadow is getting
1629 a new value. */
1631 /* sameKindedAtoms ... */
1635 // guard is 'always True', hence update unconditionally
1640 // update the temp only conditionally. Do this by copying
1641 // its old value when the guard is False.
1642 // The old value ..
1645 IRAtom* new_tmpV
1650 }
1651 }
1652 }
1655 /*------------------------------------------------------------*/
1656 /*--- Shadowing PUTs/GETs, and indexed variants thereof ---*/
1657 /*------------------------------------------------------------*/
1659 /* Examine the always-defined sections declared in layout to see if
1660 the (offset,size) section is within one. Note, is is an error to
1661 partially fall into such a region: (offset,size) should either be
1662 completely in such a region or completely not-in such a region.
1663 */
1665 {
1684 }
1686 }
1689 /* Generate into bb suitable actions to shadow this Put. If the state
1690 slice is marked 'always defined', do nothing. Otherwise, write the
1691 supplied V bits to the shadow state. We can pass in either an
1692 original atom or a V-atom, but not both. In the former case the
1693 relevant V-bits are then generated from the original.
1694 We assume here, that the definedness of GUARD has already been checked.
1695 */
1696 static
1699 {
1700 IRType ty;
1702 // Don't do shadow PUTs if we're not doing undefined value checking.
1703 // Their absence lets Vex's optimiser remove all the shadow computation
1704 // that they depend on, which includes GETs of the shadow registers.
1715 }
1720 /* later: no ... */
1721 /* emit code to emit a complaint if any of the vbits are 1. */
1722 /* complainIfUndefined(mce, atom); */
1724 /* Do a plain shadow Put. */
1726 /* If the guard expression evaluates to false we simply Put the value
1727 that is already stored in the guest state slot */
1734 }
1736 }
1737 }
1740 /* Return an expression which contains the V bits corresponding to the
1741 given GETI (passed in in pieces).
1742 */
1743 static
1745 {
1748 Int arrSize;;
1754 // Don't do shadow PUTIs if we're not doing undefined value checking.
1755 // Their absence lets Vex's optimiser remove all the shadow computation
1756 // that they depend on, which includes GETIs of the shadow registers.
1770 /* later: no ... */
1771 /* emit code to emit a complaint if any of the vbits are 1. */
1772 /* complainIfUndefined(mce, atom); */
1774 /* Do a cloned version of the Put that refers to the shadow
1775 area. */
1776 IRRegArray* new_descr
1780 }
1781 }
1784 /* Return an expression which contains the V bits corresponding to the
1785 given GET (passed in in pieces).
1786 */
1787 static
1789 {
1794 /* Always defined, return all zeroes of the relevant type */
1797 /* return a cloned version of the Get that refers to the shadow
1798 area. */
1799 /* FIXME: this isn't an atom! */
1801 }
1802 }
1805 /* Return an expression which contains the V bits corresponding to the
1806 given GETI (passed in in pieces).
1807 */
1808 static
1811 {
1819 /* Always defined, return all zeroes of the relevant type */
1822 /* return a cloned version of the Get that refers to the shadow
1823 area. */
1824 IRRegArray* new_descr
1828 }
1829 }
1832 /*------------------------------------------------------------*/
1833 /*--- Generating approximations for unknown operations, ---*/
1834 /*--- using lazy-propagate semantics ---*/
1835 /*------------------------------------------------------------*/
1837 /* Lazy propagation of undefinedness from two values, resulting in the
1838 specified shadow type.
1839 */
1840 static
1842 {
1849 /* The general case is inefficient because PCast is an expensive
1850 operation. Here are some special cases which use PCast only
1851 once rather than twice. */
1853 /* I64 x I64 -> I64 */
1859 }
1861 /* I64 x I64 -> I32 */
1867 }
1869 /* I32 x I32 -> I32 */
1875 }
1885 }
1887 /* General case: force everything via 32-bit intermediaries. */
1892 }
1895 /* 3-arg version of the above. */
1896 static
1899 {
1908 /* The general case is inefficient because PCast is an expensive
1909 operation. Here are some special cases which use PCast only
1910 twice rather than three times. */
1912 /* I32 x I64 x I64 -> I64 */
1913 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1917 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
1918 mode indication which is fully defined, this should get
1919 folded out later. */
1921 /* Now fold in 2nd and 3rd args. */
1924 /* and PCast once again. */
1927 }
1929 /* I32 x I8 x I64 -> I64 */
1933 /* Widen 1st and 2nd args to I64. Since 1st arg is typically a
1934 * rounding mode indication which is fully defined, this should
1935 * get folded out later.
1936 */
1941 /* and PCast once again. */
1944 }
1946 /* I32 x I64 x I64 -> I32 */
1955 }
1957 /* I32 x I32 x I32 -> I32 */
1958 /* 32-bit FP idiom, as (eg) happens on ARM */
1967 }
1969 /* I32 x I128 x I128 -> I128 */
1970 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1974 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
1975 mode indication which is fully defined, this should get
1976 folded out later. */
1978 /* Now fold in 2nd and 3rd args. */
1981 /* and PCast once again. */
1984 }
1986 /* I32 x I8 x I128 -> I128 */
1987 /* Standard FP idiom: rm x FParg1 x FParg2 -> FPresult */
1991 /* Use I64 as an intermediate type, which means PCasting all 3
1992 args to I64 to start with. 1st arg is typically a rounding
1993 mode indication which is fully defined, so we hope that it
1994 will get folded out later. */
1998 /* Now UifU all three together. */
2001 /* and PCast once again. */
2004 }
2015 }
2018 /* General case: force everything via 32-bit intermediaries. */
2019 /*
2020 at = mkPCastTo(mce, Ity_I32, va1);
2021 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va2));
2022 at = mkUifU(mce, Ity_I32, at, mkPCastTo(mce, Ity_I32, va3));
2023 at = mkPCastTo(mce, finalVty, at);
2024 return at;
2025 */
2026 }
2029 /* 4-arg version of the above. */
2030 static
2033 {
2044 /* The general case is inefficient because PCast is an expensive
2045 operation. Here are some special cases which use PCast only
2046 twice rather than three times. */
2048 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2053 /* Widen 1st arg to I128. Since 1st arg is typically a rounding
2054 mode indication which is fully defined, this should get
2055 folded out later. */
2057 /* Now fold in 2nd, 3rd, 4th args. */
2061 /* and PCast once again. */
2064 }
2066 /* I32 x I64 x I64 x I64 -> I64 */
2070 /* Widen 1st arg to I64. Since 1st arg is typically a rounding
2071 mode indication which is fully defined, this should get
2072 folded out later. */
2074 /* Now fold in 2nd, 3rd, 4th args. */
2078 /* and PCast once again. */
2081 }
2082 /* I32 x I32 x I32 x I32 -> I32 */
2083 /* Standard FP idiom: rm x FParg1 x FParg2 x FParg3 -> FPresult */
2088 /* Now fold in 2nd, 3rd, 4th args. */
2094 }
2100 /* Now fold in 2nd, 3rd, 4th args. */
2106 }
2112 /* Now fold in 2nd, 3rd, 4th args. */
2118 }
2132 }
2135 }
2138 /* Do the lazy propagation game from a null-terminated vector of
2139 atoms. This is presumably the arguments to a helper call, so the
2140 IRCallee info is also supplied in order that we can know which
2141 arguments should be ignored (via the .mcx_mask field).
2142 */
2143 static
2146 {
2147 Int i;
2150 IRType mergeTy;
2153 /* Decide on the type of the merge intermediary. If all relevant
2154 args are I64, then it's I64. In all other circumstances, use
2155 I32. */
2163 }
2171 /* Only take notice of this arg if the callee's mc-exclusion
2172 mask does not say it is to be excluded. */
2174 /* the arg is to be excluded from definedness checking. Do
2175 nothing. */
2178 /* calculate the arg's definedness, and pessimistically merge
2179 it in. */
2181 curr = mergeTy64
2184 }
2185 }
2187 }
2190 /*------------------------------------------------------------*/
2191 /*--- Generating expensive sequences for exact carry-chain ---*/
2192 /*--- propagation in add/sub and related operations. ---*/
2193 /*------------------------------------------------------------*/
2195 static
2197 Bool add,
2198 IRType ty,
2201 {
2231 }
2233 // a_min = aa & ~qaa
2238 // b_min = bb & ~qbb
2243 // a_max = aa | qaa
2246 // b_max = bb | qbb
2250 // result = (qaa | qbb) | ((a_min + b_min) ^ (a_max + b_max))
2251 return
2259 )
2260 )
2261 )
2262 );
2264 // result = (qaa | qbb) | ((a_min - b_max) ^ (a_max - b_min))
2265 return
2273 )
2274 )
2275 )
2276 );
2277 }
2279 }
2282 static
2285 {
2286 IRType ty;
2312 }
2314 // improver = atom ^ (atom - 1)
2315 //
2316 // That is, improver has its low ctz(atom)+1 bits equal to one;
2317 // higher bits (if any) equal to zero. So it's exactly the right
2318 // mask to use to remove the irrelevant undefined input bits.
2319 /* Here are some examples:
2320 atom = U...U 1 0...0
2321 atom-1 = U...U 0 1...1
2322 ^ed = 0...0 1 11111, which correctly describes which bits of |atom|
2323 actually influence the result
2324 A boundary case
2325 atom = 0...0
2326 atom-1 = 1...1
2327 ^ed = 11111, also a correct mask for the input: all input bits
2328 are relevant
2329 Another boundary case
2330 atom = 1..1 1
2331 atom-1 = 1..1 0
2332 ^ed = 0..0 1, also a correct mask: only the rightmost input bit
2333 is relevant
2334 Now with misc U bits interspersed:
2335 atom = U...U 1 0 U...U 0 1 0...0
2336 atom-1 = U...U 1 0 U...U 0 0 1...1
2337 ^ed = 0...0 0 0 0...0 0 1 1...1, also correct
2338 (Per re-check/analysis of 14 Nov 2018)
2339 */
2342 atom,
2346 // improved = vatom & improver
2347 //
2348 // That is, treat any V bits to the left of the rightmost ctz(atom)+1
2349 // bits as "defined".
2353 // Return pessimizing cast of improved.
2355 }
2357 static
2360 {
2361 IRType ty;
2387 }
2389 // This is in principle very similar to how expensiveCountTrailingZeroes
2390 // works. That function computed an "improver", which it used to mask
2391 // off all but the rightmost 1-bit and the zeroes to the right of it,
2392 // hence removing irrelevant bits from the input. Here, we play the
2393 // exact same game but with the left-vs-right roles interchanged.
2394 // Unfortunately calculation of the improver in this case is
2395 // significantly more expensive.
2396 //
2397 // improver = ~(RIGHT(atom) >>u 1)
2398 //
2399 // That is, improver has its upper clz(atom)+1 bits equal to one;
2400 // lower bits (if any) equal to zero. So it's exactly the right
2401 // mask to use to remove the irrelevant undefined input bits.
2402 /* Here are some examples:
2403 atom = 0...0 1 U...U
2404 R(atom) = 0...0 1 1...1
2405 R(atom) >>u 1 = 0...0 0 1...1
2406 ~(R(atom) >>u 1) = 1...1 1 0...0
2407 which correctly describes which bits of |atom|
2408 actually influence the result
2409 A boundary case
2410 atom = 0...0
2411 R(atom) = 0...0
2412 R(atom) >>u 1 = 0...0
2413 ~(R(atom) >>u 1) = 1...1
2414 also a correct mask for the input: all input bits
2415 are relevant
2416 Another boundary case
2417 atom = 1 1..1
2418 R(atom) = 1 1..1
2419 R(atom) >>u 1 = 0 1..1
2420 ~(R(atom) >>u 1) = 1 0..0
2421 also a correct mask: only the leftmost input bit
2422 is relevant
2423 Now with misc U bits interspersed:
2424 atom = 0...0 1 U...U 0 1 U...U
2425 R(atom) = 0...0 1 1...1 1 1 1...1
2426 R(atom) >>u 1 = 0...0 0 1...1 1 1 1...1
2427 ~(R(atom) >>u 1) = 1...1 1 0...0 0 0 0...0, also correct
2428 (Per initial implementation of 15 Nov 2018)
2429 */
2434 // improved = vatom & improver
2435 //
2436 // That is, treat any V bits to the right of the leftmost clz(atom)+1
2437 // bits as "defined".
2441 // Return pessimizing cast of improved.
2443 }
2446 /*------------------------------------------------------------*/
2447 /*--- Scalar shifts. ---*/
2448 /*------------------------------------------------------------*/
2450 /* Produce an interpretation for (aa << bb) (or >>s, >>u). The basic
2451 idea is to shift the definedness bits by the original shift amount.
2452 This introduces 0s ("defined") in new positions for left shifts and
2453 unsigned right shifts, and copies the top definedness bit for
2454 signed right shifts. So, conveniently, applying the original shift
2455 operator to the definedness bits for the left arg is exactly the
2456 right thing to do:
2458 (qaa << bb)
2460 However if the shift amount is undefined then the whole result
2461 is undefined. Hence need:
2463 (qaa << bb) `UifU` PCast(qbb)
2465 If the shift amount bb is a literal than qbb will say 'all defined'
2466 and the UifU and PCast will get folded out by post-instrumentation
2467 optimisation.
2468 */
2470 IRType ty,
2471 IROp original_op,
2474 {
2481 return
2487 )
2488 );
2489 }
2492 /*------------------------------------------------------------*/
2493 /*--- Helpers for dealing with vector primops. ---*/
2494 /*------------------------------------------------------------*/
2496 /* Vector pessimisation -- pessimise within each lane individually. */
2499 {
2501 }
2504 {
2506 }
2509 {
2511 }
2514 {
2516 }
2519 {
2521 }
2524 {
2526 }
2529 {
2531 }
2534 {
2536 }
2539 {
2541 }
2544 {
2546 }
2549 {
2551 }
2554 {
2556 }
2559 {
2561 }
2564 {
2566 }
2569 /* Here's a simple scheme capable of handling ops derived from SSE1
2570 code and while only generating ops that can be efficiently
2571 implemented in SSE1. */
2573 /* All-lanes versions are straightforward:
2575 binary32Fx4(x,y) ==> PCast32x4(UifUV128(x#,y#))
2577 unary32Fx4(x,y) ==> PCast32x4(x#)
2579 Lowest-lane-only versions are more complex:
2581 binary32F0x4(x,y) ==> SetV128lo32(
2582 x#,
2583 PCast32(V128to32(UifUV128(x#,y#)))
2584 )
2586 This is perhaps not so obvious. In particular, it's faster to
2587 do a V128-bit UifU and then take the bottom 32 bits than the more
2588 obvious scheme of taking the bottom 32 bits of each operand
2589 and doing a 32-bit UifU. Basically since UifU is fast and
2590 chopping lanes off vector values is slow.
2592 Finally:
2594 unary32F0x4(x) ==> SetV128lo32(
2595 x#,
2596 PCast32(V128to32(x#))
2597 )
2599 Where:
2601 PCast32(v#) = 1Sto32(CmpNE32(v#,0))
2602 PCast32x4(v#) = CmpNEZ32x4(v#)
2603 */
2605 static
2607 {
2614 }
2616 static
2618 {
2623 }
2625 static
2627 {
2636 }
2638 static
2640 {
2647 }
2649 /* --- ... and ... 64Fx2 versions of the same ... --- */
2651 static
2653 {
2660 }
2662 static
2664 {
2669 }
2671 static
2673 {
2682 }
2684 static
2686 {
2693 }
2695 /* --- --- ... and ... 32Fx2 versions of the same --- --- */
2697 static
2699 {
2706 }
2708 static
2710 {
2715 }
2717 /* --- ... and ... 64Fx4 versions of the same ... --- */
2719 static
2721 {
2728 }
2730 static
2732 {
2737 }
2739 /* --- ... and ... 32Fx8 versions of the same ... --- */
2741 static
2743 {
2750 }
2752 static
2754 {
2759 }
2761 /* --- 64Fx2 binary FP ops, with rounding mode --- */
2763 static
2766 {
2767 /* This is the same as binary64Fx2, except that we subsequently
2768 pessimise vRM (definedness of the rounding mode), widen to 128
2769 bits and UifU it into the result. As with the scalar cases, if
2770 the RM is a constant then it is defined and so this extra bit
2771 will get constant-folded out later. */
2772 // "do" the vector args
2774 // PCast the RM, and widen it to 128 bits
2776 // Roll it into the result
2779 }
2781 /* --- ... and ... 32Fx4 versions of the same --- */
2783 static
2786 {
2788 // PCast the RM, and widen it to 128 bits
2790 // Roll it into the result
2793 }
2795 /* --- ... and ... 64Fx4 versions of the same --- */
2797 static
2800 {
2802 // PCast the RM, and widen it to 256 bits
2804 // Roll it into the result
2807 }
2809 /* --- ... and ... 32Fx8 versions of the same --- */
2811 static
2814 {
2816 // PCast the RM, and widen it to 256 bits
2818 // Roll it into the result
2821 }
2823 /* --- 64Fx2 unary FP ops, with rounding mode --- */
2825 static
2827 {
2828 /* Same scheme as binary64Fx2_w_rm. */
2829 // "do" the vector arg
2831 // PCast the RM, and widen it to 128 bits
2833 // Roll it into the result
2836 }
2838 /* --- ... and ... 32Fx4 versions of the same --- */
2840 static
2842 {
2843 /* Same scheme as binaryFx4_w_rm. */
2845 // PCast the RM, and widen it to 128 bits
2847 // Roll it into the result
2850 }
2852 /* --- ... and ... 32Fx8 versions of the same --- */
2854 static
2856 {
2857 /* Same scheme as unary32Fx8_w_rm. */
2859 // PCast the RM, and widen it to 256 bits
2861 // Roll it into the result
2864 }
2867 /* --- --- Vector saturated narrowing --- --- */
2869 /* We used to do something very clever here, but on closer inspection
2870 (2011-Jun-15), and in particular bug #279698, it turns out to be
2871 wrong. Part of the problem came from the fact that for a long
2872 time, the IR primops to do with saturated narrowing were
2873 underspecified and managed to confuse multiple cases which needed
2874 to be separate: the op names had a signedness qualifier, but in
2875 fact the source and destination signednesses needed to be specified
2876 independently, so the op names really need two independent
2877 signedness specifiers.
2879 As of 2011-Jun-15 (ish) the underspecification was sorted out
2880 properly. The incorrect instrumentation remained, though. That
2881 has now (2011-Oct-22) been fixed.
2883 What we now do is simple:
2885 Let the original narrowing op be QNarrowBinXtoYxZ, where Z is a
2886 number of lanes, X is the source lane width and signedness, and Y
2887 is the destination lane width and signedness. In all cases the
2888 destination lane width is half the source lane width, so the names
2889 have a bit of redundancy, but are at least easy to read.
2891 For example, Iop_QNarrowBin32Sto16Ux8 narrows 8 lanes of signed 32s
2892 to unsigned 16s.
2894 Let Vanilla(OP) be a function that takes OP, one of these
2895 saturating narrowing ops, and produces the same "shaped" narrowing
2896 op which is not saturating, but merely dumps the most significant
2897 bits. "same shape" means that the lane numbers and widths are the
2898 same as with OP.
2900 For example, Vanilla(Iop_QNarrowBin32Sto16Ux8)
2901 = Iop_NarrowBin32to16x8,
2902 that is, narrow 8 lanes of 32 bits to 8 lanes of 16 bits, by
2903 dumping the top half of each lane.
2905 So, with that in place, the scheme is simple, and it is simple to
2906 pessimise each lane individually and then apply Vanilla(OP) so as
2907 to get the result in the right "shape". If the original OP is
2908 QNarrowBinXtoYxZ then we produce
2910 Vanilla(OP)( PCast-X-to-X-x-Z(vatom1), PCast-X-to-X-x-Z(vatom2) )
2912 or for the case when OP is unary (Iop_QNarrowUn*)
2914 Vanilla(OP)( PCast-X-to-X-x-Z(vatom) )
2915 */
2916 static
2918 {
2920 /* Binary: (128, 128) -> 128 */
2931 /* Binary: (64, 64) -> 64 */
2937 /* Unary: 128 -> 64 */
2954 }
2955 }
2957 static
2960 {
2973 }
2981 }
2983 static
2986 {
2994 }
3002 }
3004 static
3007 {
3011 /* For vanilla narrowing (non-saturating), we can just apply
3012 the op directly to the V bits. */
3022 }
3023 /* Plan B: for ops that involve a saturation operation on the args,
3024 we must PCast before the vanilla narrow. */
3036 }
3041 }
3043 static
3046 {
3058 }
3063 }
3066 /* --- --- Vector integer arithmetic --- --- */
3068 /* Simple ... UifU the args and per-lane pessimise the results. */
3070 /* --- V256-bit versions --- */
3072 static
3074 {
3079 }
3081 static
3083 {
3088 }
3090 static
3092 {
3097 }
3099 static
3101 {
3106 }
3108 /* --- V128-bit versions --- */
3110 static
3112 {
3117 }
3119 static
3121 {
3126 }
3128 static
3130 {
3135 }
3137 static
3139 {
3144 }
3146 static
3148 {
3153 }
3155 /* --- 64-bit versions --- */
3157 static
3159 {
3164 }
3166 static
3168 {
3173 }
3175 static
3177 {
3182 }
3184 static
3186 {
3191 }
3193 /* --- 32-bit versions --- */
3195 static
3197 {
3202 }
3204 static
3206 {
3211 }
3214 /*------------------------------------------------------------*/
3215 /*--- Generate shadow values from all kinds of IRExprs. ---*/
3216 /*------------------------------------------------------------*/
3218 static
3220 IROp op,
3223 {
3246 /* I32(rm) x F64 x F64 x F64 -> F64 */
3251 /* I32(rm) x F32 x F32 x F32 -> F32 */
3258 /* I32(rm) x F128 x F128 x F128 -> F128 */
3261 /* V256-bit data-steering */
3266 /* I32/I64 x I8 x I8 x I8 -> I32/I64 */
3274 }
3275 }
3278 static
3280 IROp op,
3282 {
3306 /* I32(rm) x F128/D128 x F128/D128 -> F128/D128 */
3327 /* I32(rm) x F64/D64 x F64/D64 -> F64/D64 */
3331 /* I32(rm) x F64 x F64 -> I32 */
3337 /* I32(rm) x F32 x F32 -> I32 */
3340 /* IRRoundingMode(I32) x I8 x D64 -> D64 */
3343 /* IRRoundingMode(I32) x I8 x D128 -> D128 */
3346 /* (V128, V128, I8) -> V128 */
3350 /* (I64, I64, I8) -> I64 */
3367 /* (V128, V128, V128) -> V128 */
3370 mce,
3373 );
3375 /* Vector FP with rounding mode as the first arg */
3417 }
3418 }
3421 static
3423 IROp op,
3426 {
3443 /* 32-bit SIMD */
3469 /* 64-bit SIMD */
3480 /* Same scheme as with all other shifts. */
3641 );
3650 );
3659 );
3661 /* 64-bit data-steering */
3688 /* Perm8x8: rearrange values in left arg using steering values from
3689 right arg. So rearrange the vbits in the same way but pessimise wrt
3690 steering values. We assume that unused bits in the steering value
3691 are defined zeros, so we can safely PCast within each lane of the the
3692 steering value without having to take precautions to avoid a
3693 dependency on those unused bits.
3695 This is also correct for PermOrZero8x8, but it is a bit subtle. For
3696 each lane, if bit 7 of the steering value is zero, then we'll steer
3697 the shadow value exactly as per Perm8x8. If that bit is one, then
3698 the operation will set the resulting (concrete) value to zero. That
3699 means it is defined, and should have a shadow value of zero. Hence
3700 in both cases (bit 7 is 0 or 1) we can self-shadow (in the same way
3701 as Perm8x8) and then pessimise against the steering values. */
3705 mce,
3708 );
3710 /* V128-bit SIMD */
3731 /* Same scheme as with all other shifts. Note: 22 Oct 05:
3732 this is wrong now, scalar shifts are done properly lazily.
3733 Vector shifts should be fixed too. */
3737 /* V x V shifts/rotates are done using the standard lazy scheme. */
3738 /* For the non-rounding variants of bi-di vector x vector
3739 shifts (the Iop_Sh.. ops, that is) we use the lazy scheme.
3740 But note that this is overly pessimistic, because in fact only
3741 the bottom 8 bits of each lane of the second argument are taken
3742 into account when shifting. So really we ought to ignore
3743 undefinedness in bits 8 and above of each lane in the
3744 second argument. */
3755 );
3767 );
3779 );
3791 );
3793 /* For the rounding variants of bi-di vector x vector shifts, the
3794 rounding adjustment can cause undefinedness to propagate through
3795 the entire lane, in the worst case. Too complex to handle
3796 properly .. just UifU the arguments and then PCast them.
3797 Suboptimal but safe. */
3876 /* PwExtUSMulQAdd8x16 is a bit subtle. The effect of it is that each
3877 16-bit chunk of the output is formed from corresponding 16-bit chunks
3878 of the input args, so we can treat it like an other binary 16x8
3879 operation. That's despite it having '8x16' in its name. */
4035 /* Q-and-Qshift-by-imm-and-narrow of the form (V128, I8) -> V128.
4036 To make this simpler, do the following:
4037 * complain if the shift amount (the I8) is undefined
4038 * pcast each lane at the wide width
4039 * truncate each lane to half width
4040 * pcast the resulting 64-bit value to a single bit and use
4041 that as the least significant bit of the upper half of the
4042 result. */
4061 {
4094 }
4096 // Pessimised shift result
4097 IRAtom* shV
4099 // Narrowed, pessimised shift result
4100 IRAtom* shVnarrowed
4102 // Generates: Def--(63)--Def PCast-to-I1(narrowed)
4104 // and assemble the result
4107 }
4142 /* V128-bit data-steering */
4187 /* Perm8x16: rearrange values in left arg using steering values
4188 from right arg. So rearrange the vbits in the same way but
4189 pessimise wrt steering values. Perm32x4 ditto. */
4190 /* PermOrZero8x16: see comments above for PermOrZero8x8. */
4194 mce,
4197 );
4200 mce,
4203 );
4205 /* These two take the lower half of each 16-bit lane, sign/zero
4206 extend it to 32, and multiply together, producing a 32x4
4207 result (and implicitly ignoring half the operand bits). So
4208 treat it as a bunch of independent 16x8 operations, but then
4209 do 32-bit shifts left-right to copy the lower half results
4210 (which are all 0s or all 1s due to PCasting in binary16Ix8)
4211 into the upper half of each result lane. */
4219 }
4221 /* Same deal as Iop_MullEven16{S,U}x8 */
4229 }
4231 /* Same deal as Iop_MullEven16{S,U}x8 */
4239 }
4241 /* narrow 2xV128 into 1xV128, hi half from left arg, in a 2 x
4242 32x4 -> 16x8 laneage, discarding the upper half of each lane.
4243 Simply apply same op to the V bits, since this really no more
4244 than a data steering operation. */
4255 /* Same scheme as with all other shifts. Note: 10 Nov 05:
4256 this is wrong now, scalar shifts are done properly lazily.
4257 Vector shifts should be fixed too. */
4265 /* SHA Iops */
4271 /* I128-bit data-steering */
4275 /* V256-bit SIMD */
4285 /* V256-bit data-steering */
4289 /* Scalar floating point */
4293 /* I32(rm) x F32 -> I64 */
4297 /* I32(rm) x I64 -> F32 */
4312 /* I32(rm) x I64/F64 -> I64/F64 */
4318 /* I32(rm) x D64 -> D64 */
4324 /* I32(rm) x D128 -> D128 */
4328 /* I32(rm) x F128 -> F128 */
4335 /* I32(rm) x I64/D64 -> D64/I64 */
4344 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D32/F32 */
4353 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D64/F64 */
4362 /* I32(rm) x F32/F64/F128/D32/D64/D128 -> D128/F128 */
4368 /* I32(rm) x I32/F32 -> I32/F32 */
4372 /* I32(rm) x F128 -> F128 */
4379 /* First arg is I32 (rounding mode), second is F32/I32 (data). */
4384 /* First arg is I32 (rounding mode), second is F64/F32 (data). */
4417 /* First arg is I32 (rounding mode), second is F64/D64 (data). */
4421 /* First arg is I32 (rounding mode), second is D64 (data). */
4425 /* First arg is I32 (rounding mode), second is F64 (data). */
4429 /* I64 x I64 -> D64 */
4433 /* I64 x I128 -> D128 */
4447 /* F32 x F32 -> F32 */
4452 /* F64 x F64 -> F64 */
4455 /* non-FP after here */
4477 }
4485 }
4492 }
4500 }
4508 }
4515 }
4539 }
4547 }
4549 cheap_AddSub32:
4566 }
4574 }
4576 cheap_AddSub64:
4590 ////---- CmpXX64
4594 else
4597 expensive_cmp64:
4601 cheap_cmp64:
4606 ////---- CmpXX32
4610 else
4613 expensive_cmp32:
4617 cheap_cmp32:
4622 ////---- CmpXX16
4626 else
4629 expensive_cmp16:
4633 cheap_cmp16:
4636 ////---- CmpXX8
4640 else
4643 expensive_cmp8:
4646 cheap_cmp8:
4649 ////---- end CmpXX{64,32,16,8}
4655 /* Just say these all produce a defined result, regardless
4656 of their arguments. See COMMENT_ON_CasCmpEQ in this file. */
4715 do_And_Or:
4716 return
4719 and_or_ty,
4737 /* V256-bit SIMD */
4747 /* Same scheme as with all other shifts. Note: 22 Oct 05:
4748 this is wrong now, scalar shifts are done properly lazily.
4749 Vector shifts should be fixed too. */
4807 /* Perm32x8: rearrange values in left arg using steering values
4808 from right arg. So rearrange the vbits in the same way but
4809 pessimise wrt steering values. */
4812 mce,
4815 );
4817 /* Q-and-Qshift-by-vector of the form (V128, V128) -> V256.
4818 Handle the shifted results in the same way that other
4819 binary Q ops are handled, eg QSub: UifU the two args,
4820 then pessimise -- which is binaryNIxM. But for the upper
4821 V128, we require to generate just 1 bit which is the
4822 pessimised shift result, with 127 defined zeroes above it.
4824 Note that this overly pessimistic in that in fact only the
4825 bottom 8 bits of each lane of the second arg determine the shift
4826 amount. Really we ought to ignore any undefinedness in the
4827 rest of the lanes of the second arg. */
4836 {
4837 // The function to generate the pessimised shift result
4866 }
4868 // Pessimised shift result, shV[127:0]
4870 // Generates: Def--(127)--Def PCast-to-I1(shV)
4872 // and assemble the result
4875 }
4878 // First, PCast the input vector, retaining the 32x4 format.
4880 // Now truncate each 32 bit lane to 16 bits. Since we already PCasted
4881 // the input, we're not going to lose any information.
4882 IRAtom* pcHI64
4884 IRAtom* pcLO64
4886 IRAtom* narrowed
4889 // Finally, roll in any badness from the rounding mode.
4892 }
4895 // Same scheme as for Iop_F32toF16x4.
4897 IRAtom* pcHI128
4900 IRAtom* pcLO128
4903 IRAtom* narrowed
4906 // Finally, roll in any badness from the rounding mode.
4909 }
4914 }
4915 }
4918 static
4920 {
4921 /* For the widening operations {8,16,32}{U,S}to{16,32,64}, the
4922 selection of shadow operation implicitly duplicates the logic in
4923 do_shadow_LoadG and should be kept in sync (in the very unlikely
4924 event that the interpretation of such widening ops changes in
4925 future). See comment in do_shadow_LoadG. */
4979 // These are self-shadowing.
5020 // FIXME JRS 2018-Nov-15. This is surely not correct!
5074 // PopCount32: this is slightly pessimistic. It is true that the
5075 // result depends on all input bits, so that aspect of the PCast is
5076 // correct. However, regardless of the input, only the lowest 5 bits
5077 // out of the output can ever be undefined. So we could actually
5078 // "improve" the results here by marking the top 27 bits of output as
5079 // defined. A similar comment applies for PopCount64.
5085 // These are self-shadowing.
5111 // These are self-shadowing.
5124 // These are self-shadowing.
5133 // These are self-shadowing.
5162 // FIXME JRS 2018-Nov-15. This is surely not correct!
5224 // This is self-shadowing.
5242 // JRS FIXME 2019 Mar 17: per comments on F16toF32x4, this is probably not
5243 // right.
5256 // JRS 2019 Mar 17: this definitely isn't right, but it probably works
5257 // OK by accident if -- as seems likely -- the F16 to F32 conversion
5258 // preserves will generate an output 32 bits with at least one 1 bit
5259 // set if there's one or more 1 bits set in the input 16 bits. More
5260 // correct code for this is just below, but commented out, so as to
5261 // avoid short-term backend failures on targets that can't do
5262 // Iop_Interleave{LO,HI}16x4.
5266 // PCast the input at 16x8. This makes each lane hold either all
5267 // zeroes or all ones.
5269 // Now double the width of each lane to 32 bits. Because the lanes are
5270 // all zeroes or all ones, we can just copy the each lane twice into
5271 // the result. Here's the low half:
5275 // And the high half:
5279 // Glue them back together:
5282 }
5284 // See comment just above, for Iop_F16toF32x4
5285 //case Iop_F16toF32x4: {
5286 // // Same scheme as F16toF32x4
5287 // IRAtom* pcasted = mkPCast16x4(mce, vatom); // :: I16x4
5288 // IRAtom* widenedLO // :: I32x2
5289 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveLO16x4,
5290 // pcasted, pcasted));
5291 // IRAtom* widenedHI // :: I32x4
5292 // = assignNew('V', mce, Ity_I64, binop(Iop_InterleaveHI16x4,
5293 // pcasted, pcasted));
5294 // // Glue them back together:
5295 // return assignNew('V', mce, Ity_V128, binop(Iop_64HLtoV128,
5296 // widenedHI, widenedLO));
5297 //}
5337 }
5338 }
5341 /* Worker function -- do not call directly. See comments on
5342 expr2vbits_Load for the meaning of |guard|.
5344 Generates IR to (1) perform a definedness test of |addr|, (2)
5345 perform a validity test of |addr|, and (3) return the Vbits for the
5346 location indicated by |addr|. All of this only happens when
5347 |guard| is NULL or |guard| evaluates to True at run time.
5349 If |guard| evaluates to False at run time, the returned value is
5350 the IR-mandated 0x55..55 value, and no checks nor shadow loads are
5351 performed.
5353 The definedness of |guard| itself is not checked. That is assumed
5354 to have been done before this point, by the caller. */
5355 static
5359 {
5363 /* First, emit a definedness test for the address. This also sets
5364 the address (shadow) to 'defined' following the test. */
5367 /* Now cook up a call to the relevant helper function, to read the
5368 data V bits from shadow memory. */
5399 }
5424 }
5425 }
5430 /* Generate the actual address into addrAct. */
5435 IROp mkAdd;
5442 }
5444 /* We need to have a place to park the V bits we're just about to
5445 read. */
5448 /* Here's the call. */
5460 }
5465 /* Ideally the didn't-happen return value here would be all-ones
5466 (all-undefined), so it'd be obvious if it got used
5467 inadvertently. We can get by with the IR-mandated default
5468 value (0b01 repeating, 0x55 etc) as that'll still look pretty
5469 undefined if it ever leaks out. */
5470 }
5474 }
5477 /* Generate IR to do a shadow load. The helper is expected to check
5478 the validity of the address and return the V bits for that address.
5479 This can optionally be controlled by a guard, which is assumed to
5480 be True if NULL. In the case where the guard is False at runtime,
5481 the helper will return the didn't-do-the-call value of 0x55..55.
5482 Since that means "completely undefined result", the caller of
5483 this function will need to fix up the result somehow in that
5484 case.
5486 Caller of this function is also expected to have checked the
5487 definedness of |guard| before this point.
5488 */
5489 static
5494 {
5506 }
5507 }
5510 /* The most general handler for guarded loads. Assumes the
5511 definedness of GUARD has already been checked by the caller. A
5512 GUARD of NULL is assumed to mean "always True". Generates code to
5513 check the definedness and validity of ADDR.
5515 Generate IR to do a shadow load from ADDR and return the V bits.
5516 The loaded type is TY. The loaded data is then (shadow) widened by
5517 using VWIDEN, which can be Iop_INVALID to denote a no-op. If GUARD
5518 evaluates to False at run time then the returned Vbits are simply
5519 VALT instead. Note therefore that the argument type of VWIDEN must
5520 be TY and the result type of VWIDEN must equal the type of VALT.
5521 */
5522 static
5528 {
5529 /* Sanity check the conversion operation, and also set TYWIDE. */
5540 }
5542 /* If the guard evaluates to True, this will hold the loaded V bits
5543 at TY. If the guard evaluates to False, this will be all
5544 ones, meaning "all undefined", in which case we will have to
5545 replace it using an ITE below. */
5546 IRAtom* iftrue1
5549 /* Now (shadow-) widen the loaded V bits to the desired width. In
5550 the guard-is-False case, the allowable widening operators will
5551 in the worst case (unsigned widening) at least leave the
5552 pre-widened part as being marked all-undefined, and in the best
5553 case (signed widening) mark the whole widened result as
5554 undefined. Anyway, it doesn't matter really, since in this case
5555 we will replace said value with the default value |valt| using an
5556 ITE. */
5557 IRAtom* iftrue2
5559 ? iftrue1
5561 /* These are the V bits we will return if the load doesn't take
5562 place. */
5563 IRAtom* iffalse
5565 /* Prepare the cond for the ITE. Convert a NULL cond into
5566 something that iropt knows how to fold out later. */
5567 IRAtom* cond
5569 /* And assemble the final result. */
5571 }
5574 /* A simpler handler for guarded loads, in which there is no
5575 conversion operation, and the default V bit return (when the guard
5576 evaluates to False at runtime) is "all defined". If there is no
5577 guard expression or the guard is always TRUE this function behaves
5578 like expr2vbits_Load. It is assumed that definedness of GUARD has
5579 already been checked at the call site. */
5580 static
5585 {
5588 );
5589 }
5592 static
5595 {
5597 IRType ty;
5598 /* Given ITE(cond, iftrue, iffalse), generate
5599 ITE(cond, iftrue#, iffalse#) `UifU` PCast(cond#)
5600 That is, steer the V bits like the originals, but trash the
5601 result if the steering value is undefined. This gives
5602 lazy propagation. */
5612 return
5616 }
5618 /* --------- This is the main expression-handling function. --------- */
5620 static
5623 {
5641 mce,
5645 );
5649 mce,
5653 );
5657 mce,
5660 hu
5661 );
5686 }
5687 }
5690 /*------------------------------------------------------------*/
5691 /*--- Generate shadow stmts from all kinds of IRStmts. ---*/
5692 /*------------------------------------------------------------*/
5694 /* Widen a value to the host word size. */
5696 static
5698 {
5701 /* vatom is vbits-value and as such can only have a shadow type. */
5717 }
5731 }
5734 }
5735 unhandled:
5738 }
5741 /* Generate a shadow store. |addr| is always the original address
5742 atom. You can pass in either originals or V-bits for the data
5743 atom, but obviously not both. This function generates a check for
5744 the definedness and (indirectly) the validity of |addr|, but only
5745 when |guard| evaluates to True at run time (or is NULL).
5747 |guard| :: Ity_I1 controls whether the store really happens; NULL
5748 means it unconditionally does. Note that |guard| itself is not
5749 checked for definedness; the caller of this function must do that
5750 if necessary.
5751 */
5752 static
5754 IREndness end,
5758 {
5759 IROp mkAdd;
5777 }
5785 }
5789 // If we're not doing undefined value checking, pretend that this value
5790 // is "all valid". That lets Vex's optimiser remove some of the V bit
5791 // shadow computation ops that precede it.
5803 }
5805 }
5807 /* First, emit a definedness test for the address. This also sets
5808 the address (shadow) to 'defined' following the test. Both of
5809 those actions are gated on |guard|. */
5812 /* Now decide which helper function to call to write the data V
5813 bits into shadow memory. */
5831 }
5847 /* Note, no V256 case here, because no big-endian target that
5848 we support, has 256 vectors. */
5850 }
5851 }
5855 /* V256-bit case -- phrased in terms of 64 bit units (Qs), with
5856 Q3 being the most significant lane. */
5857 /* These are the offsets of the Qs in memory. */
5860 /* Various bits for constructing the 4 lane helper calls */
5870 }
5879 );
5888 );
5897 );
5906 );
5920 }
5923 /* V128-bit case */
5924 /* See comment in next clause re 64-bit regparms */
5925 /* also, need to be careful about endianness */
5939 }
5948 );
5956 );
5969 /* 8/16/32/64-bit cases */
5970 /* Generate the actual address into addrAct. */
5976 }
5979 /* We can't do this with regparm 2 on 32-bit platforms, since
5980 the back ends aren't clever enough to handle 64-bit
5981 regparm args. Therefore be different. */
5986 );
5993 );
5994 }
5998 }
6000 }
6003 /* Do lazy pessimistic propagation through a dirty helper call, by
6004 looking at the annotations on it. This is the most complex part of
6005 Memcheck. */
6008 {
6015 }
6016 }
6018 static
6020 {
6024 IRTemp dst;
6025 IREndness end;
6027 /* What's the native endianness? We need to know this. */
6028 # if defined(VG_BIGENDIAN)
6030 # elif defined(VG_LITTLEENDIAN)
6032 # else
6034 # endif
6036 /* First check the guard. */
6039 /* Now round up all inputs and PCast over them. */
6042 /* Inputs: unmasked args
6043 Note: arguments are evaluated REGARDLESS of the guard expression */
6048 /* ignore this arg */
6052 }
6053 }
6055 /* Inputs: guest state that we read. */
6061 /* Enumerate the described state segments */
6066 /* Ignore any sections marked as 'always defined'. */
6072 }
6074 /* This state element is read or modified. So we need to
6075 consider it. If larger than 8 bytes, deal with it in
6076 8-byte chunks. */
6081 /* update 'curr' with UifU of the state slice
6082 gOff .. gOff+n-1 */
6085 /* Observe the guard expression. If it is false use an
6086 all-bits-defined bit pattern */
6099 }
6100 }
6101 }
6103 /* Inputs: memory. First set up some info needed regardless of
6104 whether we're doing reads or writes. */
6107 /* Because we may do multiple shadow loads/stores from the same
6108 base address, it's best to do a single test of its
6109 definedness right now. Post-instrumentation optimisation
6110 should remove all but this test. */
6111 IRType tyAddr;
6118 }
6120 /* Deal with memory inputs (reads or modifies) */
6123 /* chew off 32-bit chunks. We don't care about the endianness
6124 since it's all going to be condensed down to a single bit,
6125 but nevertheless choose an endianness which is hopefully
6126 native to the platform. */
6132 );
6135 }
6136 /* chew off 16-bit chunks */
6142 );
6145 }
6146 /* chew off the remaining 8-bit chunk, if any */
6152 );
6155 }
6157 }
6159 /* Whew! So curr is a 32-bit V-value summarising pessimistically
6160 all the inputs to the helper. Now we need to re-distribute the
6161 results to all destinations. */
6163 /* Outputs: the destination temporary, if there is one. */
6168 }
6170 /* Outputs: guest state that we write or modify. */
6176 /* Enumerate the described state segments */
6181 /* Ignore any sections marked as 'always defined'. */
6185 /* This state element is written or modified. So we need to
6186 consider it. If larger than 8 bytes, deal with it in
6187 8-byte chunks. */
6192 /* Write suitably-casted 'curr' to the state slice
6193 gOff .. gOff+n-1 */
6200 }
6201 }
6202 }
6204 /* Outputs: memory that we write or modify. Same comments about
6205 endianness as above apply. */
6208 /* chew off 32-bit chunks */
6215 }
6216 /* chew off 16-bit chunks */
6223 }
6224 /* chew off the remaining 8-bit chunk, if any */
6231 }
6233 }
6235 }
6238 /* We have an ABI hint telling us that [base .. base+len-1] is to
6239 become undefined ("writable"). Generate code to call a helper to
6240 notify the A/V bit machinery of this fact.
6242 We call
6243 void MC_(helperc_MAKE_STACK_UNINIT) ( Addr base, UWord len,
6244 Addr nia );
6245 */
6246 static
6248 {
6257 );
6259 /* We ignore the supplied nia, since it is irrelevant. */
6261 /* Special-case the len==128 case, since that is for amd64-ELF,
6262 which is a very common target. */
6269 );
6276 );
6277 }
6278 }
6281 }
6284 /* ------ Dealing with IRCAS (big and complex) ------ */
6286 /* FWDS */
6298 /* Either ORIG and SHADOW are both IRExpr.RdTmps, or they are both
6299 IRExpr.Consts, else this asserts. If they are both Consts, it
6300 doesn't do anything. So that just leaves the RdTmp case.
6302 In which case: this assigns the shadow value SHADOW to the IR
6303 shadow temporary associated with ORIG. That is, ORIG, being an
6304 original temporary, will have a shadow temporary associated with
6305 it. However, in the case envisaged here, there will so far have
6306 been no IR emitted to actually write a shadow value into that
6307 temporary. What this routine does is to (emit IR to) copy the
6308 value in SHADOW into said temporary, so that after this call,
6309 IRExpr.RdTmps of ORIG's shadow temp will correctly pick up the
6310 value in SHADOW.
6312 Point is to allow callers to compute "by hand" a shadow value for
6313 ORIG, and force it to be associated with ORIG.
6315 How do we know that that shadow associated with ORIG has not so far
6316 been assigned to? Well, we don't per se know that, but supposing
6317 it had. Then this routine would create a second assignment to it,
6318 and later the IR sanity checker would barf. But that never
6319 happens. QED.
6320 */
6324 {
6335 shadow);
6339 shadow);
6340 }
6344 }
6345 }
6348 static
6350 {
6351 /* Scheme is (both single- and double- cases):
6353 1. fetch data#,dataB (the proposed new value)
6355 2. fetch expd#,expdB (what we expect to see at the address)
6357 3. check definedness of address
6359 4. load old#,oldB from shadow memory; this also checks
6360 addressibility of the address
6362 5. the CAS itself
6364 6. compute "expected == old". See COMMENT_ON_CasCmpEQ below.
6366 7. if "expected == old" (as computed by (6))
6367 store data#,dataB to shadow memory
6369 Note that 5 reads 'old' but 4 reads 'old#'. Similarly, 5 stores
6370 'data' but 7 stores 'data#'. Hence it is possible for the
6371 shadow data to be incorrectly checked and/or updated:
6373 * 7 is at least gated correctly, since the 'expected == old'
6374 condition is derived from outputs of 5. However, the shadow
6375 write could happen too late: imagine after 5 we are
6376 descheduled, a different thread runs, writes a different
6377 (shadow) value at the address, and then we resume, hence
6378 overwriting the shadow value written by the other thread.
6380 Because the original memory access is atomic, there's no way to
6381 make both the original and shadow accesses into a single atomic
6382 thing, hence this is unavoidable.
6384 At least as Valgrind stands, I don't think it's a problem, since
6385 we're single threaded *and* we guarantee that there are no
6386 context switches during the execution of any specific superblock
6387 -- context switches can only happen at superblock boundaries.
6389 If Valgrind ever becomes MT in the future, then it might be more
6390 of a problem. A possible kludge would be to artificially
6391 associate with the location, a lock, which we must acquire and
6392 release around the transaction as a whole. Hmm, that probably
6393 would't work properly since it only guards us against other
6394 threads doing CASs on the same location, not against other
6395 threads doing normal reads and writes.
6397 ------------------------------------------------------------
6399 COMMENT_ON_CasCmpEQ:
6401 Note two things. Firstly, in the sequence above, we compute
6402 "expected == old", but we don't check definedness of it. Why
6403 not? Also, the x86 and amd64 front ends use
6404 Iop_CasCmp{EQ,NE}{8,16,32,64} comparisons to make the equivalent
6405 determination (expected == old ?) for themselves, and we also
6406 don't check definedness for those primops; we just say that the
6407 result is defined. Why? Details follow.
6409 x86/amd64 contains various forms of locked insns:
6410 * lock prefix before all basic arithmetic insn;
6411 eg lock xorl %reg1,(%reg2)
6412 * atomic exchange reg-mem
6413 * compare-and-swaps
6415 Rather than attempt to represent them all, which would be a
6416 royal PITA, I used a result from Maurice Herlihy
6417 (http://en.wikipedia.org/wiki/Maurice_Herlihy), in which he
6418 demonstrates that compare-and-swap is a primitive more general
6419 than the other two, and so can be used to represent all of them.
6420 So the translation scheme for (eg) lock incl (%reg) is as
6421 follows:
6423 again:
6424 old = * %reg
6425 new = old + 1
6426 atomically { if (* %reg == old) { * %reg = new } else { goto again } }
6428 The "atomically" is the CAS bit. The scheme is always the same:
6429 get old value from memory, compute new value, atomically stuff
6430 new value back in memory iff the old value has not changed (iow,
6431 no other thread modified it in the meantime). If it has changed
6432 then we've been out-raced and we have to start over.
6434 Now that's all very neat, but it has the bad side effect of
6435 introducing an explicit equality test into the translation.
6436 Consider the behaviour of said code on a memory location which
6437 is uninitialised. We will wind up doing a comparison on
6438 uninitialised data, and mc duly complains.
6440 What's difficult about this is, the common case is that the
6441 location is uncontended, and so we're usually comparing the same
6442 value (* %reg) with itself. So we shouldn't complain even if it
6443 is undefined. But mc doesn't know that.
6445 My solution is to mark the == in the IR specially, so as to tell
6446 mc that it almost certainly compares a value with itself, and we
6447 should just regard the result as always defined. Rather than
6448 add a bit to all IROps, I just cloned Iop_CmpEQ{8,16,32,64} into
6449 Iop_CasCmpEQ{8,16,32,64} so as not to disturb anything else.
6451 So there's always the question of, can this give a false
6452 negative? eg, imagine that initially, * %reg is defined; and we
6453 read that; but then in the gap between the read and the CAS, a
6454 different thread writes an undefined (and different) value at
6455 the location. Then the CAS in this thread will fail and we will
6456 go back to "again:", but without knowing that the trip back
6457 there was based on an undefined comparison. No matter; at least
6458 the other thread won the race and the location is correctly
6459 marked as undefined. What if it wrote an uninitialised version
6460 of the same value that was there originally, though?
6462 etc etc. Seems like there's a small corner case in which we
6463 might lose the fact that something's defined -- we're out-raced
6464 in between the "old = * reg" and the "atomically {", _and_ the
6465 other thread is writing in an undefined version of what's
6466 already there. Well, that seems pretty unlikely.
6468 ---
6470 If we ever need to reinstate it .. code which generates a
6471 definedness test for "expected == old" was removed at r10432 of
6472 this file.
6473 */
6478 }
6479 }
6483 {
6488 IROp opCasCmpEQ;
6489 Int elemSzB;
6490 IRType elemTy;
6493 /* single CAS */
6505 }
6507 /* 1. fetch data# (the proposed new value) */
6509 vdataLo
6513 bdataLo
6516 }
6518 /* 2. fetch expected# (what we expect to see at the address) */
6520 vexpdLo
6524 bexpdLo
6527 }
6529 /* 3. check definedness of address */
6530 /* 4. fetch old# from shadow memory; this also checks
6531 addressibility of the address */
6532 voldLo
6536 mce,
6538 NULL/*always happens*/
6539 ));
6542 boldLo
6546 }
6548 /* 5. the CAS itself */
6551 /* 6. compute "expected == old" */
6552 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6553 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6554 tree, but it's not copied from the input block. */
6555 expd_eq_old
6559 /* 7. if "expected == old"
6560 store data# to shadow memory */
6568 }
6569 }
6573 {
6584 IRType elemTy;
6587 /* double CAS */
6612 }
6614 /* 1. fetch data# (the proposed new value) */
6617 vdataHi
6619 vdataLo
6624 bdataHi
6626 bdataLo
6630 }
6632 /* 2. fetch expected# (what we expect to see at the address) */
6635 vexpdHi
6637 vexpdLo
6642 bexpdHi
6644 bexpdLo
6648 }
6650 /* 3. check definedness of address */
6651 /* 4. fetch old# from shadow memory; this also checks
6652 addressibility of the address */
6660 }
6661 voldHi
6665 mce,
6667 NULL/*always happens*/
6668 ));
6669 voldLo
6673 mce,
6675 NULL/*always happens*/
6676 ));
6680 boldHi
6684 boldLo
6690 }
6692 /* 5. the CAS itself */
6695 /* 6. compute "expected == old" */
6696 /* See COMMENT_ON_CasCmpEQ in this file background/rationale. */
6697 /* Note that 'C' is kinda faking it; it is indeed a non-shadow
6698 tree, but it's not copied from the input block. */
6699 /*
6700 xHi = oldHi ^ expdHi;
6701 xLo = oldLo ^ expdLo;
6702 xHL = xHi | xLo;
6703 expd_eq_old = xHL == 0;
6704 */
6711 expd_eq_old
6715 /* 7. if "expected == old"
6716 store data# to shadow memory */
6730 }
6731 }
6734 /* ------ Dealing with LL/SC (not difficult) ------ */
6737 IREndness stEnd,
6738 IRTemp stResult,
6741 {
6742 /* In short: treat a load-linked like a normal load followed by an
6743 assignment of the loaded (shadow) data to the result temporary.
6744 Treat a store-conditional like a normal store, and mark the
6745 result temporary as defined. */
6754 /* Load Linked */
6755 /* Just treat this as a normal load, followed by an assignment of
6756 the value to .result. */
6757 /* Stay sane */
6765 /* Store Conditional */
6766 /* Stay sane */
6768 stStoredata);
6773 stStoredata,
6776 /* This is a store conditional, so it writes to .result a value
6777 indicating whether or not the store succeeded. Just claim
6778 this value is always defined. In the PowerPC interpretation
6779 of store-conditional, definedness of the success indication
6780 depends on whether the address of the store matches the
6781 reservation address. But we can't tell that here (and
6782 anyway, we're not being PowerPC-specific). At least we are
6783 guaranteed that the definedness of the store address, and its
6784 addressibility, will be checked as per normal. So it seems
6785 pretty safe to just say that the success indication is always
6786 defined.
6788 In schemeS, for origin tracking, we must correspondingly set
6789 a no-origin value for the origin shadow of .result.
6790 */
6793 }
6794 }
6797 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
6800 {
6802 /* do_shadow_Store will generate code to check the definedness and
6803 validity of sg->addr, in the case where sg->guard evaluates to
6804 True at run-time. */
6810 }
6813 {
6815 /* expr2vbits_Load_guarded_General will generate code to check the
6816 definedness and validity of lg->addr, in the case where
6817 lg->guard evaluates to True at run-time. */
6819 /* Look at the LoadG's built-in conversion operation, to determine
6820 the source (actual loaded data) type, and the equivalent IROp.
6821 NOTE that implicitly we are taking a widening operation to be
6822 applied to original atoms and producing one that applies to V
6823 bits. Since signed and unsigned widening are self-shadowing,
6824 this is a straight copy of the op (modulo swapping from the
6825 IRLoadGOp form to the IROp form). Note also therefore that this
6826 implicitly duplicates the logic to do with said widening ops in
6827 expr2vbits_Unop. See comment at the start of expr2vbits_Unop. */
6839 }
6841 IRAtom* vbits_alt
6843 IRAtom* vbits_final
6847 /* And finally, bind the V bits to the destination temporary. */
6849 }
6852 /*------------------------------------------------------------*/
6853 /*--- Origin tracking stuff ---*/
6854 /*------------------------------------------------------------*/
6856 /* Almost identical to findShadowTmpV. */
6858 {
6860 /* VG_(indexXA) range-checks 'orig', hence no need to check
6861 here. */
6865 IRTemp tmpB
6867 /* newTemp may cause mce->tmpMap to resize, hence previous results
6868 from VG_(indexXA) are invalid. */
6873 }
6875 }
6878 {
6880 }
6883 /* Make a guarded origin load, with no special handling in the
6884 didn't-happen case. A GUARD of NULL is assumed to mean "always
6885 True".
6887 Generate IR to do a shadow origins load from BASEADDR+OFFSET and
6888 return the otag. The loaded size is SZB. If GUARD evaluates to
6889 False at run time then the returned otag is zero.
6890 */
6894 {
6897 IRTemp bTmp;
6906 }
6931 }
6935 );
6938 /* Ideally the didn't-happen return value here would be
6939 all-zeroes (unknown-origin), so it'd be harmless if it got
6940 used inadvertently. We slum it out with the IR-mandated
6941 default value (0b01 repeating, 0x55 etc) as that'll probably
6942 trump all legitimate otags via Max32, and it's pretty
6943 obviously bogus. */
6944 }
6945 /* no need to mess with any annotations. This call accesses
6946 neither guest state nor guest memory. */
6949 /* 64-bit host */
6954 /* 32-bit host */
6956 }
6957 }
6960 /* Generate IR to do a shadow origins load from BASEADDR+OFFSET. The
6961 loaded size is SZB. The load is regarded as unconditional (always
6962 happens).
6963 */
6965 Int offset )
6966 {
6968 }
6971 /* The most general handler for guarded origin loads. A GUARD of NULL
6972 is assumed to mean "always True".
6974 Generate IR to do a shadow origin load from ADDR+BIAS and return
6975 the B bits. The loaded type is TY. If GUARD evaluates to False at
6976 run time then the returned B bits are simply BALT instead.
6977 */
6978 static
6980 IRType ty,
6983 {
6984 /* If the guard evaluates to True, this will hold the loaded
6985 origin. If the guard evaluates to False, this will be zero,
6986 meaning "unknown origin", in which case we will have to replace
6987 it using an ITE below. */
6988 IRAtom* iftrue
6992 /* These are the bits we will return if the load doesn't take
6993 place. */
6994 IRAtom* iffalse
6996 /* Prepare the cond for the ITE. Convert a NULL cond into
6997 something that iropt knows how to fold out later. */
6998 IRAtom* cond
7000 /* And assemble the final result. */
7002 }
7005 /* Generate a shadow origins store. guard :: Ity_I1 controls whether
7006 the store really happens; NULL means it unconditionally does. */
7010 {
7020 }
7025 }
7050 }
7054 );
7055 /* no need to mess with any annotations. This call accesses
7056 neither guest state nor guest memory. */
7059 }
7068 }
7076 }
7080 {
7089 IRType equivIntTy
7091 /* If this array is unshadowable for whatever reason, use the
7092 usual approximation. */
7099 /* Do a shadow indexed get of the same size, giving t1. Take
7100 the bottom 32 bits of it, giving t2. Compute into t3 the
7101 origin for the index (almost certainly zero, but there's
7102 no harm in being completely general here, since iropt will
7103 remove any useless code), and fold it in, giving a final
7104 value t4. */
7112 }
7114 Int i;
7121 /* Only take notice of this arg if the callee's
7122 mc-exclusion mask does not say it is to be excluded. */
7124 /* the arg is to be excluded from definedness checking.
7125 Do nothing. */
7129 /* calculate the arg's definedness, and pessimistically
7130 merge it in. */
7133 }
7134 }
7136 }
7138 Int dszB;
7140 /* assert that the B value for the address is already
7141 available (somewhere) */
7145 }
7151 }
7159 }
7165 }
7172 /* Just say these all produce a defined result,
7173 regardless of their arguments. See
7174 COMMENT_ON_CasCmpEQ in this file. */
7180 }
7181 }
7183 /*NOTREACHED*/
7184 }
7188 }
7197 );
7201 /* FIXME: this isn't an atom! */
7203 Ity_I32 );
7204 }
7206 }
7211 }
7212 }
7216 {
7217 // This is a hacked version of do_shadow_Dirty
7220 IRTemp dst;
7222 /* First check the guard. */
7225 /* Now round up all inputs and maxU32 over them. */
7227 /* Inputs: unmasked args
7228 Note: arguments are evaluated REGARDLESS of the guard expression */
7233 /* ignore this arg */
7237 }
7238 }
7240 /* Inputs: guest state that we read. */
7246 /* Enumerate the described state segments */
7251 /* Ignore any sections marked as 'always defined'. */
7257 }
7259 /* This state element is read or modified. So we need to
7260 consider it. If larger than 4 bytes, deal with it in
7261 4-byte chunks. */
7263 Int b_offset;
7267 /* update 'curr' with maxU32 of the state slice
7268 gOff .. gOff+n-1 */
7271 /* Observe the guard expression. If it is false use 0, i.e.
7272 nothing is known about the origin */
7280 Ity_I32));
7284 }
7287 }
7288 }
7289 }
7291 /* Inputs: memory */
7294 /* Because we may do multiple shadow loads/stores from the same
7295 base address, it's best to do a single test of its
7296 definedness right now. Post-instrumentation optimisation
7297 should remove all but this test. */
7301 }
7303 /* Deal with memory inputs (reads or modifies) */
7306 /* chew off 32-bit chunks. We don't care about the endianness
7307 since it's all going to be condensed down to a single bit,
7308 but nevertheless choose an endianness which is hopefully
7309 native to the platform. */
7315 }
7316 /* handle possible 16-bit excess */
7322 }
7323 /* chew off the remaining 8-bit chunk, if any */
7329 }
7331 }
7333 /* Whew! So curr is a 32-bit B-value which should give an origin
7334 of some use if any of the inputs to the helper are undefined.
7335 Now we need to re-distribute the results to all destinations. */
7337 /* Outputs: the destination temporary, if there is one. */
7341 }
7343 /* Outputs: guest state that we write or modify. */
7349 /* Enumerate the described state segments */
7354 /* Ignore any sections marked as 'always defined'. */
7358 /* This state element is written or modified. So we need to
7359 consider it. If larger than 4 bytes, deal with it in
7360 4-byte chunks. */
7362 Int b_offset;
7366 /* Write 'curr' to the state slice gOff .. gOff+n-1 */
7370 /* If the guard expression evaluates to false we simply Put
7371 the value that is already stored in the guest state slot */
7379 Ity_I32));
7385 curr ));
7386 }
7389 }
7390 }
7391 }
7393 /* Outputs: memory that we write or modify. Same comments about
7394 endianness as above apply. */
7397 /* chew off 32-bit chunks */
7402 }
7403 /* handle possible 16-bit excess */
7408 }
7409 /* chew off the remaining 8-bit chunk, if any */
7414 }
7416 }
7417 }
7420 /* Generate IR for origin shadowing for a general guarded store. */
7422 IREndness stEnd,
7426 {
7427 Int dszB;
7429 /* assert that the B value for the address is already available
7430 (somewhere), since the call to schemeE will want to see it.
7431 XXXX how does this actually ensure that?? */
7437 }
7440 /* Generate IR for origin shadowing for a plain store. */
7442 IREndness stEnd,
7445 {
7448 }
7451 /* ---- Dealing with LoadG/StoreG (not entirely simple) ---- */
7454 {
7457 }
7460 {
7471 }
7472 IRAtom* ori_alt
7474 IRAtom* ori_final
7478 /* And finally, bind the origin to the destination temporary. */
7480 }
7484 {
7490 /* The value-check instrumenter handles this - by arranging
7491 to pass the address of the next instruction to
7492 MC_(helperc_MAKE_STACK_UNINIT). This is all that needs to
7493 happen for origin tracking w.r.t. AbiHints. So there is
7494 nothing to do here. */
7502 IRType equivIntTy
7504 /* If this array is unshadowable for whatever reason,
7505 generate no code. */
7510 descr_b
7513 /* Compute a value to Put - the conjoinment of the origin for
7514 the data to be Put-ted (obviously) and of the index value
7515 (not so obviously). */
7523 }
7544 /* In short: treat a load-linked like a normal load followed
7545 by an assignment of the loaded (shadow) data the result
7546 temporary. Treat a store-conditional like a normal store,
7547 and mark the result temporary as defined. */
7549 /* Load Linked */
7550 IRType resTy
7552 IRExpr* vanillaLoad
7559 /* Store conditional */
7563 /* For the rationale behind this, see comments at the
7564 place where the V-shadow for .result is constructed, in
7565 do_shadow_LLSC. In short, we regard .result as
7566 always-defined. */
7569 }
7571 }
7574 Int b_offset
7578 );
7580 /* FIXME: this isn't an atom! */
7583 }
7585 }
7602 }
7603 }
7606 /*------------------------------------------------------------*/
7607 /*--- Post-tree-build final tidying ---*/
7608 /*------------------------------------------------------------*/
7610 /* This exploits the observation that Memcheck often produces
7611 repeated conditional calls of the form
7613 Dirty G MC_(helperc_value_check0/1/4/8_fail)(UInt otag)
7615 with the same guard expression G guarding the same helper call.
7616 The second and subsequent calls are redundant. This usually
7617 results from instrumentation of guest code containing multiple
7618 memory references at different constant offsets from the same base
7619 register. After optimisation of the instrumentation, you get a
7620 test for the definedness of the base register for each memory
7621 reference, which is kinda pointless. MC_(final_tidy) therefore
7622 looks for such repeated calls and removes all but the first. */
7625 /* With some testing on perf/bz2.c, on amd64 and x86, compiled with
7626 gcc-5.3.1 -O2, it appears that 16 entries in the array are enough to
7627 get almost all the benefits of this transformation whilst causing
7628 the slide-back case to just often enough to be verifiably
7629 correct. For posterity, the numbers are:
7631 bz2-32
7633 1 4,336 (112,212 -> 1,709,473; ratio 15.2)
7634 2 4,336 (112,194 -> 1,669,895; ratio 14.9)
7635 3 4,336 (112,194 -> 1,660,713; ratio 14.8)
7636 4 4,336 (112,194 -> 1,658,555; ratio 14.8)
7637 5 4,336 (112,194 -> 1,655,447; ratio 14.8)
7638 6 4,336 (112,194 -> 1,655,101; ratio 14.8)
7639 7 4,336 (112,194 -> 1,654,858; ratio 14.7)
7640 8 4,336 (112,194 -> 1,654,810; ratio 14.7)
7641 10 4,336 (112,194 -> 1,654,621; ratio 14.7)
7642 12 4,336 (112,194 -> 1,654,678; ratio 14.7)
7643 16 4,336 (112,194 -> 1,654,494; ratio 14.7)
7644 32 4,336 (112,194 -> 1,654,602; ratio 14.7)
7645 inf 4,336 (112,194 -> 1,654,602; ratio 14.7)
7647 bz2-64
7649 1 4,113 (107,329 -> 1,822,171; ratio 17.0)
7650 2 4,113 (107,329 -> 1,806,443; ratio 16.8)
7651 3 4,113 (107,329 -> 1,803,967; ratio 16.8)
7652 4 4,113 (107,329 -> 1,802,785; ratio 16.8)
7653 5 4,113 (107,329 -> 1,802,412; ratio 16.8)
7654 6 4,113 (107,329 -> 1,802,062; ratio 16.8)
7655 7 4,113 (107,329 -> 1,801,976; ratio 16.8)
7656 8 4,113 (107,329 -> 1,801,886; ratio 16.8)
7657 10 4,113 (107,329 -> 1,801,653; ratio 16.8)
7658 12 4,113 (107,329 -> 1,801,526; ratio 16.8)
7659 16 4,113 (107,329 -> 1,801,298; ratio 16.8)
7660 32 4,113 (107,329 -> 1,800,827; ratio 16.8)
7661 inf 4,113 (107,329 -> 1,800,827; ratio 16.8)
7662 */
7664 /* Structs for recording which (helper, guard) pairs we have already
7665 seen. */
7667 #define N_TIDYING_PAIRS 16
7669 typedef
7671 Pair;
7673 typedef
7676 UInt pairsUsed;
7677 }
7678 Pairs;
7681 /* Return True if e1 and e2 definitely denote the same value (used to
7682 compare guards). Return False if unknown; False is the safe
7683 answer. Since guest registers and guest memory do not have the
7684 SSA property we must return False if any Gets or Loads appear in
7685 the expression. This implicitly assumes that e1 and e2 have the
7686 same IR type, which is always true here -- the type is Ity_I1. */
7689 {
7711 /* be lazy. Could define equality for these, but they never
7712 appear to be used. */
7717 /* be conservative - these may not give the same value each
7718 time */
7721 /* should never see this */
7722 /* fallthrough */
7728 }
7729 }
7731 /* See if 'pairs' already has an entry for (entry, guard). Return
7732 True if so. If not, add an entry. */
7734 static
7736 {
7743 }
7744 /* (guard, entry) wasn't found in the array. Add it at the end.
7745 If the array is already full, slide the entries one slot
7746 backwards. This means we will lose to ability to detect
7747 duplicates from the pair in slot zero, but that happens so
7748 rarely that it's unlikely to have much effect on overall code
7749 quality. Also, this strategy loses the check for the oldest
7750 tracked exit (memory reference, basically) and so that is (I'd
7751 guess) least likely to be re-used after this point. */
7756 }
7763 n++;
7765 }
7767 }
7770 {
7771 /* This is expensive because it happens a lot. We are checking to
7772 see whether |name| is one of the following 8 strings:
7774 MC_(helperc_value_check8_fail_no_o)
7775 MC_(helperc_value_check4_fail_no_o)
7776 MC_(helperc_value_check0_fail_no_o)
7777 MC_(helperc_value_check1_fail_no_o)
7778 MC_(helperc_value_check8_fail_w_o)
7779 MC_(helperc_value_check0_fail_w_o)
7780 MC_(helperc_value_check1_fail_w_o)
7781 MC_(helperc_value_check4_fail_w_o)
7783 To speed it up, check the common prefix just once, rather than
7784 all 8 times.
7785 */
7793 /* We still have some prefix to use */
7796 name++;
7797 prefix++;
7798 }
7800 /* Check the part after the prefix. */
7810 }
7813 {
7814 Int i;
7819 Bool alreadyPresent;
7820 Pairs pairs;
7827 /* Scan forwards through the statements. Each time a call to one
7828 of the relevant helpers is seen, check if we have made a
7829 previous call to the same helper using the same guard
7830 expression, and if so, delete the call. */
7843 /* Ok, we have a call to helperc_value_check0/1/4/8_fail with
7844 guard 'guard'. Check if we have already seen a call to this
7845 function with the same guard. If so, delete it. If not,
7846 add it to the set of calls we do know about. */
7851 }
7852 }
7858 }
7860 #undef N_TIDYING_PAIRS
7863 /*------------------------------------------------------------*/
7864 /*--- Startup assertion checking ---*/
7865 /*------------------------------------------------------------*/
7868 {
7869 /* Make a best-effort check to see that is_helperc_value_checkN_fail
7870 is working as we expect. */
7872 # define CHECK(_expected, _string) \
7873 tl_assert((_expected) == is_helperc_value_checkN_fail(_string))
7875 /* It should identify these 8, and no others, as targets. */
7885 /* Ad-hoc selection of other strings gathered via a quick test. */
7915 # undef CHECK
7916 }
7919 /*------------------------------------------------------------*/
7920 /*--- Memcheck main ---*/
7921 /*------------------------------------------------------------*/
7924 {
7944 }
7945 /* VG_(printf)("%llx\n", n); */
7946 /* Shortcuts */
7949 /* The list of bogus atoms is: */
7960 );
7961 }
7964 /* Does 'st' mention any of the literals identified/listed in
7965 isBogusAtom()? */
7967 {
7968 Int i;
8011 }
8019 }
8020 }
8038 }
8043 }
8066 unhandled:
8069 }
8070 }
8073 /* This is the pre-instrumentation analysis. It does a backwards pass over
8074 the stmts in |sb_in| to determine a HowUsed value for each tmp defined in
8075 the block.
8077 Unrelatedly, it also checks all literals in the block with |isBogusAtom|,
8078 as a positive result from that is a strong indication that we need to
8079 expensively instrument add/sub in the block. We do both analyses in one
8080 pass, even though they are independent, so as to avoid the overhead of
8081 having to traverse the whole block twice.
8083 The usage pass proceeds as follows. Let max= be the max operation in the
8084 HowUsed lattice, hence
8086 X max= Y means X = max(X, Y)
8088 then
8090 for t in original tmps . useEnv[t] = HuUnU
8092 for t used in the block's . next field
8093 useEnv[t] max= HuPCa // because jmp targets are PCast-tested
8095 for st iterating *backwards* in the block
8097 match st
8099 case "t1 = load(t2)" // case 1
8100 useEnv[t2] max= HuPCa
8102 case "t1 = add(t2, t3)" // case 2
8103 useEnv[t2] max= useEnv[t1]
8104 useEnv[t3] max= useEnv[t1]
8106 other
8107 for t in st.usedTmps // case 3
8108 useEnv[t] max= HuOth
8109 // same as useEnv[t] = HuOth
8111 The general idea is that we accumulate, in useEnv[], information about
8112 how each tmp is used. That can be updated as we work further back
8113 through the block and find more uses of it, but its HowUsed value can
8114 only ascend the lattice, not descend.
8116 Initially we mark all tmps as unused. In case (1), if a tmp is seen to
8117 be used as a memory address, then its use is at least HuPCa. The point
8118 is that for a memory address we will add instrumentation to check if any
8119 bit of the address is undefined, which means that we won't need expensive
8120 V-bit propagation through an add expression that computed the address --
8121 cheap add instrumentation will be equivalent.
8123 Note in case (1) that if we have previously seen a non-memory-address use
8124 of the tmp, then its use will already be HuOth and will be unchanged by
8125 the max= operation. And if it turns out that the source of the tmp was
8126 an add, then we'll have to expensively instrument the add, because we
8127 can't prove that, for the previous non-memory-address use of the tmp,
8128 cheap and expensive instrumentation will be equivalent.
8130 In case 2, we propagate the usage-mode of the result of an add back
8131 through to its operands. Again, we use max= so as to take account of the
8132 fact that t2 or t3 might later in the block (viz, earlier in the
8133 iteration) have been used in a way that requires expensive add
8134 instrumentation.
8136 In case 3, we deal with all other tmp uses. We assume that we'll need a
8137 result that is as accurate as possible, so we max= HuOth into its use
8138 mode. Since HuOth is the top of the lattice, that's equivalent to just
8139 setting its use to HuOth.
8141 The net result of all this is that:
8143 tmps that are used either
8144 - only as a memory address, or
8145 - only as part of a tree of adds that computes a memory address,
8146 and has no other use
8147 are marked as HuPCa, and so we can instrument their generating Add
8148 nodes cheaply, which is the whole point of this analysis
8150 tmps that are used any other way at all are marked as HuOth
8152 tmps that are unused are marked as HuUnU. We don't expect to see any
8153 since we expect that the incoming IR has had all dead assignments
8154 removed by previous optimisation passes. Nevertheless the analysis is
8155 correct even in the presence of dead tmps.
8157 A final comment on dead tmps. In case 1 and case 2, we could actually
8158 conditionalise the updates thusly:
8160 if (useEnv[t1] > HuUnU) { useEnv[t2] max= HuPCa } // case 1
8162 if (useEnv[t1] > HuUnU) { useEnv[t2] max= useEnv[t1] } // case 2
8163 if (useEnv[t1] > HuUnU) { useEnv[t3] max= useEnv[t1] } // case 2
8165 In other words, if the assigned-to tmp |t1| is never used, then there's
8166 no point in propagating any use through to its operands. That won't
8167 change the final HuPCa-vs-HuOth results, which is what we care about.
8168 Given that we expect to get dead-code-free inputs, there's no point in
8169 adding this extra refinement.
8170 */
8172 /* Helper for |preInstrumentationAnalysis|. */
8174 UInt tyenvUsed,
8176 {
8177 /* For the atom |at|, declare that for any tmp |t| in |at|, we will have
8178 seen a use of |newUse|. So, merge that info into |t|'s accumulated
8179 use info. */
8188 // The "max" operation in the lattice
8191 }
8193 // We should never get here -- it implies non-flat IR
8196 }
8197 /*NOTREACHED*/
8199 }
8205 {
8208 // We've seen no bogus literals so far.
8211 // This is calloc'd, so implicitly all entries are initialised to HuUnU.
8215 // Firstly, roll in contributions from the final dst address.
8219 // Now work backwards through the stmts.
8223 // Deal with literals.
8226 }
8228 // Deal with tmp uses.
8233 // This is the one place where we have to consider all possible
8234 // tags for |rhs|, and can't just assume it is a tmp or a const.
8237 // just propagate demand for |dst| into this tmp use.
8246 // propagate demand for |dst| through to the operands.
8252 // just say that the operands are used in some unknown way.
8257 }
8260 // All operands are used in some unknown way.
8266 }
8268 // All operands are used in some unknown way.
8275 }
8277 // The address will be checked (== PCasted).
8281 // The condition is PCasted, the then- and else-values
8282 // aren't.
8288 // The args are used in unknown ways.
8291 }
8294 // The index will be checked/PCasted (see do_shadow_GETI)
8297 }
8305 }
8307 }
8309 // The address will be checked (== PCasted). The data will be
8310 // used in some unknown way.
8315 // The guard will be checked (== PCasted)
8323 // The index will be checked/PCasted (see do_shadow_PUTI). The
8324 // data will be used in an unknown way.
8328 }
8331 // The guard will be checked (== PCasted)
8333 // The args will be used in unknown ways.
8336 }
8338 }
8341 // Address will be pcasted, everything else used as unknown
8350 }
8352 // Both exprs are used in unknown ways. TODO: can we safely
8353 // just ignore AbiHints?
8358 // We might be able to do better, and use HuPCa for the addr.
8359 // It's not immediately obvious that we can, because the address
8360 // is regarded as "used" only when the guard is true.
8366 }
8368 // Per similar comments to Ist_StoreG .. not sure whether this
8369 // is really optimal.
8375 }
8381 }
8389 }
8390 }
8393 // Return the computed use env and the bogus-atom flag.
8399 }
8408 {
8412 MCEnv mce;
8416 /* We don't currently support this case. */
8418 }
8420 /* Check we're not completely nuts */
8431 /* Set up SB */
8434 /* Set up the running environment. Both .sb and .tmpMap are
8435 modified as we go along. Note that tmps are added to both
8436 .sb->tyenv and .tmpMap together, so the valid index-set for
8437 those two arrays should always be identical. */
8445 /* BEGIN decide on expense levels for instrumentation. */
8447 /* Initially, select the cheap version of everything for which we have an
8448 option. */
8451 /* Take account of the --expensive-definedness-checks= flag. */
8453 /* We just selected 'cheap for everything', so we don't need to do
8454 anything here. mce.tmpHowUsed remains NULL. */
8455 }
8457 /* Select 'expensive for everything'. mce.tmpHowUsed remains NULL. */
8459 }
8462 /* We'll make our own selection, based on known per-target constraints
8463 and also on analysis of the block to be instrumented. First, set
8464 up default values for detail levels.
8466 On x86 and amd64, we'll routinely encounter code optimised by LLVM
8467 5 and above. Enable accurate interpretation of the following.
8468 LLVM uses adds for some bitfield inserts, and we get a lot of false
8469 errors if the cheap interpretation is used, alas. Could solve this
8470 much better if we knew which of such adds came from x86/amd64 LEA
8471 instructions, since these are the only ones really needing the
8472 expensive interpretation, but that would require some way to tag
8473 them in the _toIR.c front ends, which is a lot of faffing around.
8474 So for now we use preInstrumentationAnalysis() to detect adds which
8475 are used only to construct memory addresses, which is an
8476 approximation to the above, and is self-contained.*/
8477 # if defined(VGA_x86)
8480 # elif defined(VGA_amd64)
8484 # elif defined(VGA_ppc64le)
8485 // Needed by (at least) set_AV_CR6() in the front end.
8487 # endif
8489 /* preInstrumentationAnalysis() will allocate &mce.tmpHowUsed and then
8490 fill it in. */
8495 /* This happens very rarely. In this case just select expensive
8496 for everything, and throw away the tmp-use analysis results. */
8501 /* Nothing. mce.tmpHowUsed contains tmp-use analysis results,
8502 which will be used for some subset of Iop_{Add,Sub}{32,64},
8503 based on which ones are set to DLauto for this target. */
8504 }
8505 }
8510 // Debug printing: which tmps have been identified as PCast-only use
8516 }
8517 }
8519 }
8521 // Debug printing: number of ops by detail level
8528 }
8529 /* END decide on expense levels for instrumentation. */
8531 /* Initialise the running the tmp environment. */
8537 TempMapEnt ent;
8542 }
8545 /* Finally, begin instrumentation. */
8546 /* Copy verbatim any IR preamble preceding the first IMark */
8559 i++;
8560 }
8562 /* Nasty problem. IR optimisation of the pre-instrumented IR may
8563 cause the IR following the preamble to contain references to IR
8564 temporaries defined in the preamble. Because the preamble isn't
8565 instrumented, these temporaries don't have any shadows.
8566 Nevertheless uses of them following the preamble will cause
8567 memcheck to generate references to their shadows. End effect is
8568 to cause IR sanity check failures, due to references to
8569 non-existent shadows. This is only evident for the complex
8570 preambles used for function wrapping on TOC-afflicted platforms
8571 (ppc64-linux).
8573 The following loop therefore scans the preamble looking for
8574 assignments to temporaries. For each one found it creates an
8575 assignment to the corresponding (V) shadow temp, marking it as
8576 'defined'. This is the same resulting IR as if the main
8577 instrumentation loop before had been applied to the statement
8578 'tmp = CONSTANT'.
8580 Similarly, if origin tracking is enabled, we must generate an
8581 assignment for the corresponding origin (B) shadow, claiming
8582 no-origin, as appropriate for a defined value.
8583 */
8586 /* findShadowTmpV checks its arg is an original tmp;
8587 no need to assert that here. */
8596 }
8601 }
8602 }
8603 }
8605 /* Iterate over the remaining stmts to generate instrumentation. */
8621 }
8624 /* See comments on case Ist_CAS below. */
8627 }
8629 /* Generate instrumentation code for each stmt ... */
8641 }
8693 /* Note, do_shadow_CAS copies the CAS itself to the output
8694 block, because it needs to add instrumentation both
8695 before and after it. Hence skip the copy below. Also
8696 skip the origin-tracking stuff (call to schemeS) above,
8697 since that's all tangled up with it too; do_shadow_CAS
8698 does it all. */
8722 }
8724 }
8726 /* ... and finally copy the stmt itself to the output. Except,
8727 skip the copy of IRCASs; see comments on case Ist_CAS
8728 above. */
8731 }
8733 /* Now we need to complain if the jump target is undefined. */
8740 }
8749 }
8751 }
8753 /* If this fails, there's been some serious snafu with tmp management,
8754 that should be investigated. */
8760 }
8764 }
8767 /*--------------------------------------------------------------------*/
8768 /*--- end mc_translate.c ---*/
8769 /*--------------------------------------------------------------------*/