diff --git a/include/llvm/Analysis/PointerTracking.h b/include/llvm/Analysis/PointerTracking.h deleted file mode 100644 index 6b49e18c1b6..00000000000 --- a/include/llvm/Analysis/PointerTracking.h +++ /dev/null @@ -1,132 +0,0 @@ -//===- PointerTracking.h - Pointer Bounds Tracking --------------*- C++ -*-===// -// -// The LLVM Compiler Infrastructure -// -// This file is distributed under the University of Illinois Open Source -// License. See LICENSE.TXT for details. -// -//===----------------------------------------------------------------------===// -// -// This file implements tracking of pointer bounds. -// It knows that the libc functions "calloc" and "realloc" allocate memory, thus -// you should avoid using this pass if they mean something else for your -// language. -// -// All methods assume that the pointer is not NULL, if it is then the returned -// allocation size is wrong, and the result from checkLimits is wrong too. -// It also assumes that pointers are valid, and that it is not analyzing a -// use-after-free scenario. -// Due to these limitations the "size" returned by these methods should be -// considered as either 0 or the returned size. -// -// Another analysis pass should be used to find use-after-free/NULL dereference -// bugs. -// -//===----------------------------------------------------------------------===// - -#ifndef LLVM_ANALYSIS_POINTERTRACKING_H -#define LLVM_ANALYSIS_POINTERTRACKING_H - -#include "llvm/ADT/SmallPtrSet.h" -#include "llvm/Analysis/Dominators.h" -#include "llvm/Instructions.h" -#include "llvm/Pass.h" -#include "llvm/Support/PredIteratorCache.h" - -namespace llvm { - class DominatorTree; - class ScalarEvolution; - class SCEV; - class Loop; - class LoopInfo; - class TargetData; - - // Result from solver, assuming pointer is not NULL, - // and it is not a use-after-free situation. - enum SolverResult { - AlwaysFalse,// always false with above constraints - AlwaysTrue,// always true with above constraints - Unknown // it can sometimes be true, sometimes false, or it is undecided - }; - - class PointerTracking : public FunctionPass { - public: - typedef ICmpInst::Predicate Predicate; - static char ID; - PointerTracking(); - - virtual bool doInitialization(Module &M); - - // If this pointer directly points to an allocation, return - // the number of elements of type Ty allocated. - // Otherwise return CouldNotCompute. - // Since allocations can fail by returning NULL, the real element count - // for every allocation is either 0 or the value returned by this function. - const SCEV *getAllocationElementCount(Value *P) const; - - // Same as getAllocationSize() but returns size in bytes. - // We consider one byte as 8 bits. - const SCEV *getAllocationSizeInBytes(Value *V) const; - - // Given a Pointer, determine a base pointer of known size, and an offset - // therefrom. - // When unable to determine, sets Base to NULL, and Limit/Offset to - // CouldNotCompute. - // BaseSize, and Offset are in bytes: Pointer == Base + Offset - void getPointerOffset(Value *Pointer, Value *&Base, const SCEV *& BaseSize, - const SCEV *&Offset) const; - - // Compares the 2 scalar evolution expressions according to predicate, - // and if it can prove that the result is always true or always false - // return AlwaysTrue/AlwaysFalse. Otherwise it returns Unknown. - enum SolverResult compareSCEV(const SCEV *A, Predicate Pred, const SCEV *B, - const Loop *L); - - // Determines whether the condition LHS RHS is sufficient - // for the condition A B to hold. - // Currently only ULT/ULE is supported. - // This errs on the side of returning false. - bool conditionSufficient(const SCEV *LHS, Predicate Pred1, const SCEV *RHS, - const SCEV *A, Predicate Pred2, const SCEV *B, - const Loop *L); - - // Determines whether Offset is known to be always in [0, Limit) bounds. - // This errs on the side of returning Unknown. - enum SolverResult checkLimits(const SCEV *Offset, const SCEV *Limit, - BasicBlock *BB); - - virtual bool runOnFunction(Function &F); - virtual void getAnalysisUsage(AnalysisUsage &AU) const; - void print(raw_ostream &OS, const Module* = 0) const; - Value *computeAllocationCountValue(Value *P, const Type *&Ty) const; - private: - Function *FF; - TargetData *TD; - ScalarEvolution *SE; - LoopInfo *LI; - DominatorTree *DT; - - Function *callocFunc; - Function *reallocFunc; - PredIteratorCache predCache; - - SmallPtrSet analyzing; - - enum SolverResult isLoopGuardedBy(const Loop *L, Predicate Pred, - const SCEV *A, const SCEV *B) const; - static bool isMonotonic(const SCEV *S); - bool scevPositive(const SCEV *A, const Loop *L, bool strict=true) const; - bool conditionSufficient(Value *Cond, bool negated, - const SCEV *A, Predicate Pred, const SCEV *B); - Value *getConditionToReach(BasicBlock *A, - DomTreeNodeBase *B, - bool &negated); - Value *getConditionToReach(BasicBlock *A, - BasicBlock *B, - bool &negated); - const SCEV *computeAllocationCount(Value *P, const Type *&Ty) const; - const SCEV *computeAllocationCountForType(Value *P, const Type *Ty) const; - }; -} -#endif - diff --git a/include/llvm/LinkAllPasses.h b/include/llvm/LinkAllPasses.h index 19c2df217e6..e0bde99097c 100644 --- a/include/llvm/LinkAllPasses.h +++ b/include/llvm/LinkAllPasses.h @@ -20,7 +20,6 @@ #include "llvm/Analysis/FindUsedTypes.h" #include "llvm/Analysis/IntervalPartition.h" #include "llvm/Analysis/Passes.h" -#include "llvm/Analysis/PointerTracking.h" #include "llvm/Analysis/PostDominators.h" #include "llvm/Analysis/RegionPrinter.h" #include "llvm/Analysis/ScalarEvolution.h" @@ -152,7 +151,6 @@ namespace { (void)new llvm::IntervalPartition(); (void)new llvm::FindUsedTypes(); (void)new llvm::ScalarEvolution(); - (void)new llvm::PointerTracking(); ((llvm::Function*)0)->viewCFGOnly(); llvm::AliasSetTracker X(*(llvm::AliasAnalysis*)0); X.add((llvm::Value*)0, 0); // for -print-alias-sets diff --git a/lib/Analysis/PointerTracking.cpp b/lib/Analysis/PointerTracking.cpp deleted file mode 100644 index 07f46824700..00000000000 --- a/lib/Analysis/PointerTracking.cpp +++ /dev/null @@ -1,316 +0,0 @@ -//===- PointerTracking.cpp - Pointer Bounds Tracking ------------*- C++ -*-===// -// -// The LLVM Compiler Infrastructure -// -// This file is distributed under the University of Illinois Open Source -// License. See LICENSE.TXT for details. -// -//===----------------------------------------------------------------------===// -// -// This file implements tracking of pointer bounds. -// -//===----------------------------------------------------------------------===// - -#include "llvm/Analysis/ConstantFolding.h" -#include "llvm/Analysis/Dominators.h" -#include "llvm/Analysis/LoopInfo.h" -#include "llvm/Analysis/MemoryBuiltins.h" -#include "llvm/Analysis/PointerTracking.h" -#include "llvm/Analysis/ScalarEvolution.h" -#include "llvm/Analysis/ScalarEvolutionExpressions.h" -#include "llvm/Constants.h" -#include "llvm/Module.h" -#include "llvm/Value.h" -#include "llvm/Support/CallSite.h" -#include "llvm/Support/InstIterator.h" -#include "llvm/Support/raw_ostream.h" -#include "llvm/Target/TargetData.h" -using namespace llvm; - -char PointerTracking::ID = 0; -PointerTracking::PointerTracking() : FunctionPass(ID) {} - -bool PointerTracking::runOnFunction(Function &F) { - predCache.clear(); - assert(analyzing.empty()); - FF = &F; - TD = getAnalysisIfAvailable(); - SE = &getAnalysis(); - LI = &getAnalysis(); - DT = &getAnalysis(); - return false; -} - -void PointerTracking::getAnalysisUsage(AnalysisUsage &AU) const { - AU.addRequiredTransitive(); - AU.addRequiredTransitive(); - AU.addRequiredTransitive(); - AU.setPreservesAll(); -} - -bool PointerTracking::doInitialization(Module &M) { - const Type *PTy = Type::getInt8PtrTy(M.getContext()); - - // Find calloc(i64, i64) or calloc(i32, i32). - callocFunc = M.getFunction("calloc"); - if (callocFunc) { - const FunctionType *Ty = callocFunc->getFunctionType(); - - std::vector args, args2; - args.push_back(Type::getInt64Ty(M.getContext())); - args.push_back(Type::getInt64Ty(M.getContext())); - args2.push_back(Type::getInt32Ty(M.getContext())); - args2.push_back(Type::getInt32Ty(M.getContext())); - const FunctionType *Calloc1Type = - FunctionType::get(PTy, args, false); - const FunctionType *Calloc2Type = - FunctionType::get(PTy, args2, false); - if (Ty != Calloc1Type && Ty != Calloc2Type) - callocFunc = 0; // Give up - } - - // Find realloc(i8*, i64) or realloc(i8*, i32). - reallocFunc = M.getFunction("realloc"); - if (reallocFunc) { - const FunctionType *Ty = reallocFunc->getFunctionType(); - std::vector args, args2; - args.push_back(PTy); - args.push_back(Type::getInt64Ty(M.getContext())); - args2.push_back(PTy); - args2.push_back(Type::getInt32Ty(M.getContext())); - - const FunctionType *Realloc1Type = - FunctionType::get(PTy, args, false); - const FunctionType *Realloc2Type = - FunctionType::get(PTy, args2, false); - if (Ty != Realloc1Type && Ty != Realloc2Type) - reallocFunc = 0; // Give up - } - return false; -} - -// Calculates the number of elements allocated for pointer P, -// the type of the element is stored in Ty. -const SCEV *PointerTracking::computeAllocationCount(Value *P, - const Type *&Ty) const { - Value *V = P->stripPointerCasts(); - if (AllocaInst *AI = dyn_cast(V)) { - Value *arraySize = AI->getArraySize(); - Ty = AI->getAllocatedType(); - // arraySize elements of type Ty. - return SE->getSCEV(arraySize); - } - - if (CallInst *CI = extractMallocCall(V)) { - Value *arraySize = getMallocArraySize(CI, TD); - const Type* AllocTy = getMallocAllocatedType(CI); - if (!AllocTy || !arraySize) return SE->getCouldNotCompute(); - Ty = AllocTy; - // arraySize elements of type Ty. - return SE->getSCEV(arraySize); - } - - if (GlobalVariable *GV = dyn_cast(V)) { - if (GV->hasDefinitiveInitializer()) { - Constant *C = GV->getInitializer(); - if (const ArrayType *ATy = dyn_cast(C->getType())) { - Ty = ATy->getElementType(); - return SE->getConstant(Type::getInt32Ty(P->getContext()), - ATy->getNumElements()); - } - } - Ty = GV->getType(); - return SE->getConstant(Type::getInt32Ty(P->getContext()), 1); - //TODO: implement more tracking for globals - } - - if (CallInst *CI = dyn_cast(V)) { - CallSite CS(CI); - Function *F = dyn_cast(CS.getCalledValue()->stripPointerCasts()); - const Loop *L = LI->getLoopFor(CI->getParent()); - if (F == callocFunc) { - Ty = Type::getInt8Ty(P->getContext()); - // calloc allocates arg0*arg1 bytes. - return SE->getSCEVAtScope(SE->getMulExpr(SE->getSCEV(CS.getArgument(0)), - SE->getSCEV(CS.getArgument(1))), - L); - } else if (F == reallocFunc) { - Ty = Type::getInt8Ty(P->getContext()); - // realloc allocates arg1 bytes. - return SE->getSCEVAtScope(CS.getArgument(1), L); - } - } - - return SE->getCouldNotCompute(); -} - -Value *PointerTracking::computeAllocationCountValue(Value *P, const Type *&Ty) const -{ - Value *V = P->stripPointerCasts(); - if (AllocaInst *AI = dyn_cast(V)) { - Ty = AI->getAllocatedType(); - // arraySize elements of type Ty. - return AI->getArraySize(); - } - - if (CallInst *CI = extractMallocCall(V)) { - Ty = getMallocAllocatedType(CI); - if (!Ty) - return 0; - Value *arraySize = getMallocArraySize(CI, TD); - if (!arraySize) { - Ty = Type::getInt8Ty(P->getContext()); - return CI->getArgOperand(0); - } - // arraySize elements of type Ty. - return arraySize; - } - - if (GlobalVariable *GV = dyn_cast(V)) { - if (GV->hasDefinitiveInitializer()) { - Constant *C = GV->getInitializer(); - if (const ArrayType *ATy = dyn_cast(C->getType())) { - Ty = ATy->getElementType(); - return ConstantInt::get(Type::getInt32Ty(P->getContext()), - ATy->getNumElements()); - } - } - Ty = cast(GV->getType())->getElementType(); - return ConstantInt::get(Type::getInt32Ty(P->getContext()), 1); - //TODO: implement more tracking for globals - } - - if (CallInst *CI = dyn_cast(V)) { - CallSite CS(CI); - Function *F = dyn_cast(CS.getCalledValue()->stripPointerCasts()); - if (F == reallocFunc) { - Ty = Type::getInt8Ty(P->getContext()); - // realloc allocates arg1 bytes. - return CS.getArgument(1); - } - } - - return 0; -} - -// Calculates the number of elements of type Ty allocated for P. -const SCEV *PointerTracking::computeAllocationCountForType(Value *P, - const Type *Ty) - const { - const Type *elementTy; - const SCEV *Count = computeAllocationCount(P, elementTy); - if (isa(Count)) - return Count; - if (elementTy == Ty) - return Count; - - if (!TD) // need TargetData from this point forward - return SE->getCouldNotCompute(); - - uint64_t elementSize = TD->getTypeAllocSize(elementTy); - uint64_t wantSize = TD->getTypeAllocSize(Ty); - if (elementSize == wantSize) - return Count; - if (elementSize % wantSize) //fractional counts not possible - return SE->getCouldNotCompute(); - return SE->getMulExpr(Count, SE->getConstant(Count->getType(), - elementSize/wantSize)); -} - -const SCEV *PointerTracking::getAllocationElementCount(Value *V) const { - // We only deal with pointers. - const PointerType *PTy = cast(V->getType()); - return computeAllocationCountForType(V, PTy->getElementType()); -} - -const SCEV *PointerTracking::getAllocationSizeInBytes(Value *V) const { - return computeAllocationCountForType(V, Type::getInt8Ty(V->getContext())); -} - -// Helper for isLoopGuardedBy that checks the swapped and inverted predicate too -enum SolverResult PointerTracking::isLoopGuardedBy(const Loop *L, - Predicate Pred, - const SCEV *A, - const SCEV *B) const { - if (SE->isLoopEntryGuardedByCond(L, Pred, A, B)) - return AlwaysTrue; - Pred = ICmpInst::getSwappedPredicate(Pred); - if (SE->isLoopEntryGuardedByCond(L, Pred, B, A)) - return AlwaysTrue; - - Pred = ICmpInst::getInversePredicate(Pred); - if (SE->isLoopEntryGuardedByCond(L, Pred, B, A)) - return AlwaysFalse; - Pred = ICmpInst::getSwappedPredicate(Pred); - if (SE->isLoopEntryGuardedByCond(L, Pred, A, B)) - return AlwaysTrue; - return Unknown; -} - -enum SolverResult PointerTracking::checkLimits(const SCEV *Offset, - const SCEV *Limit, - BasicBlock *BB) -{ - //FIXME: merge implementation - return Unknown; -} - -void PointerTracking::getPointerOffset(Value *Pointer, Value *&Base, - const SCEV *&Limit, - const SCEV *&Offset) const -{ - Pointer = Pointer->stripPointerCasts(); - Base = Pointer->getUnderlyingObject(); - Limit = getAllocationSizeInBytes(Base); - if (isa(Limit)) { - Base = 0; - Offset = Limit; - return; - } - - Offset = SE->getMinusSCEV(SE->getSCEV(Pointer), SE->getSCEV(Base)); - if (isa(Offset)) { - Base = 0; - Limit = Offset; - } -} - -void PointerTracking::print(raw_ostream &OS, const Module* M) const { - // Calling some PT methods may cause caches to be updated, however - // this should be safe for the same reason its safe for SCEV. - PointerTracking &PT = *const_cast(this); - for (inst_iterator I=inst_begin(*FF), E=inst_end(*FF); I != E; ++I) { - if (!I->getType()->isPointerTy()) - continue; - Value *Base; - const SCEV *Limit, *Offset; - getPointerOffset(&*I, Base, Limit, Offset); - if (!Base) - continue; - - if (Base == &*I) { - const SCEV *S = getAllocationElementCount(Base); - OS << *Base << " ==> " << *S << " elements, "; - OS << *Limit << " bytes allocated\n"; - continue; - } - OS << &*I << " -- base: " << *Base; - OS << " offset: " << *Offset; - - enum SolverResult res = PT.checkLimits(Offset, Limit, I->getParent()); - switch (res) { - case AlwaysTrue: - OS << " always safe\n"; - break; - case AlwaysFalse: - OS << " always unsafe\n"; - break; - case Unknown: - OS << " <>\n"; - break; - } - } -} - -INITIALIZE_PASS(PointerTracking, "pointertracking", - "Track pointer bounds", false, true);