lib/CodeGen/ImplicitNullChecks.cpp

327952Sdim//===- ImplicitNullChecks.cpp - Fold null checks into memory accesses -----===//
284677Sdim//
353358Sdim// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
353358Sdim// See https://llvm.org/LICENSE.txt for license information.
353358Sdim// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
284677Sdim//
284677Sdim//===----------------------------------------------------------------------===//
284677Sdim//
284677Sdim// This pass turns explicit null checks of the form
284677Sdim//
284677Sdim//   test %r10, %r10
284677Sdim//   je throw_npe
284677Sdim//   movl (%r10), %esi
284677Sdim//   ...
284677Sdim//
284677Sdim// to
284677Sdim//
284677Sdim//   faulting_load_op("movl (%r10), %esi", throw_npe)
284677Sdim//   ...
284677Sdim//
284677Sdim// With the help of a runtime that understands the .fault_maps section,
284677Sdim// faulting_load_op branches to throw_npe if executing movl (%r10), %esi incurs
284677Sdim// a page fault.
321369Sdim// Store and LoadStore are also supported.
284677Sdim//
284677Sdim//===----------------------------------------------------------------------===//
284677Sdim
327952Sdim#include "llvm/ADT/ArrayRef.h"
327952Sdim#include "llvm/ADT/None.h"
327952Sdim#include "llvm/ADT/Optional.h"
327952Sdim#include "llvm/ADT/STLExtras.h"
284677Sdim#include "llvm/ADT/SmallVector.h"
286684Sdim#include "llvm/ADT/Statistic.h"
309124Sdim#include "llvm/Analysis/AliasAnalysis.h"
327952Sdim#include "llvm/Analysis/MemoryLocation.h"
321369Sdim#include "llvm/CodeGen/FaultMaps.h"
327952Sdim#include "llvm/CodeGen/MachineBasicBlock.h"
284677Sdim#include "llvm/CodeGen/MachineFunction.h"
321369Sdim#include "llvm/CodeGen/MachineFunctionPass.h"
327952Sdim#include "llvm/CodeGen/MachineInstr.h"
321369Sdim#include "llvm/CodeGen/MachineInstrBuilder.h"
286684Sdim#include "llvm/CodeGen/MachineMemOperand.h"
284677Sdim#include "llvm/CodeGen/MachineOperand.h"
284677Sdim#include "llvm/CodeGen/MachineRegisterInfo.h"
327952Sdim#include "llvm/CodeGen/PseudoSourceValue.h"
327952Sdim#include "llvm/CodeGen/TargetInstrInfo.h"
327952Sdim#include "llvm/CodeGen/TargetOpcodes.h"
327952Sdim#include "llvm/CodeGen/TargetRegisterInfo.h"
327952Sdim#include "llvm/CodeGen/TargetSubtargetInfo.h"
284677Sdim#include "llvm/IR/BasicBlock.h"
327952Sdim#include "llvm/IR/DebugLoc.h"
296417Sdim#include "llvm/IR/LLVMContext.h"
360784Sdim#include "llvm/InitializePasses.h"
327952Sdim#include "llvm/MC/MCInstrDesc.h"
327952Sdim#include "llvm/MC/MCRegisterInfo.h"
327952Sdim#include "llvm/Pass.h"
284677Sdim#include "llvm/Support/CommandLine.h"
327952Sdim#include <cassert>
327952Sdim#include <cstdint>
327952Sdim#include <iterator>
284677Sdim
284677Sdimusing namespace llvm;
284677Sdim
309124Sdimstatic cl::opt<int> PageSize("imp-null-check-page-size",
309124Sdim                             cl::desc("The page size of the target in bytes"),
327952Sdim                             cl::init(4096), cl::Hidden);
284677Sdim
314564Sdimstatic cl::opt<unsigned> MaxInstsToConsider(
314564Sdim    "imp-null-max-insts-to-consider",
314564Sdim    cl::desc("The max number of instructions to consider hoisting loads over "
314564Sdim             "(the algorithm is quadratic over this number)"),
327952Sdim    cl::Hidden, cl::init(8));
314564Sdim
286684Sdim#define DEBUG_TYPE "implicit-null-checks"
286684Sdim
286684SdimSTATISTIC(NumImplicitNullChecks,
286684Sdim          "Number of explicit null checks made implicit");
286684Sdim
284677Sdimnamespace {
284677Sdim
284677Sdimclass ImplicitNullChecks : public MachineFunctionPass {
314564Sdim  /// Return true if \c computeDependence can process \p MI.
314564Sdim  static bool canHandle(const MachineInstr *MI);
314564Sdim
314564Sdim  /// Helper function for \c computeDependence.  Return true if \p A
314564Sdim  /// and \p B do not have any dependences between them, and can be
314564Sdim  /// re-ordered without changing program semantics.
314564Sdim  bool canReorder(const MachineInstr *A, const MachineInstr *B);
314564Sdim
314564Sdim  /// A data type for representing the result computed by \c
314564Sdim  /// computeDependence.  States whether it is okay to reorder the
314564Sdim  /// instruction passed to \c computeDependence with at most one
344779Sdim  /// dependency.
314564Sdim  struct DependenceResult {
314564Sdim    /// Can we actually re-order \p MI with \p Insts (see \c
314564Sdim    /// computeDependence).
314564Sdim    bool CanReorder;
314564Sdim
314564Sdim    /// If non-None, then an instruction in \p Insts that also must be
314564Sdim    /// hoisted.
314564Sdim    Optional<ArrayRef<MachineInstr *>::iterator> PotentialDependence;
314564Sdim
314564Sdim    /*implicit*/ DependenceResult(
314564Sdim        bool CanReorder,
314564Sdim        Optional<ArrayRef<MachineInstr *>::iterator> PotentialDependence)
314564Sdim        : CanReorder(CanReorder), PotentialDependence(PotentialDependence) {
314564Sdim      assert((!PotentialDependence || CanReorder) &&
314564Sdim             "!CanReorder && PotentialDependence.hasValue() not allowed!");
314564Sdim    }
314564Sdim  };
314564Sdim
314564Sdim  /// Compute a result for the following question: can \p MI be
314564Sdim  /// re-ordered from after \p Insts to before it.
314564Sdim  ///
314564Sdim  /// \c canHandle should return true for all instructions in \p
314564Sdim  /// Insts.
314564Sdim  DependenceResult computeDependence(const MachineInstr *MI,
341825Sdim                                     ArrayRef<MachineInstr *> Block);
314564Sdim
284677Sdim  /// Represents one null check that can be made implicit.
309124Sdim  class NullCheck {
284677Sdim    // The memory operation the null check can be folded into.
284677Sdim    MachineInstr *MemOperation;
284677Sdim
284677Sdim    // The instruction actually doing the null check (Ptr != 0).
284677Sdim    MachineInstr *CheckOperation;
284677Sdim
284677Sdim    // The block the check resides in.
284677Sdim    MachineBasicBlock *CheckBlock;
284677Sdim
284677Sdim    // The block branched to if the pointer is non-null.
284677Sdim    MachineBasicBlock *NotNullSucc;
284677Sdim
284677Sdim    // The block branched to if the pointer is null.
284677Sdim    MachineBasicBlock *NullSucc;
284677Sdim
341825Sdim    // If this is non-null, then MemOperation has a dependency on this
309124Sdim    // instruction; and it needs to be hoisted to execute before MemOperation.
309124Sdim    MachineInstr *OnlyDependency;
284677Sdim
309124Sdim  public:
284677Sdim    explicit NullCheck(MachineInstr *memOperation, MachineInstr *checkOperation,
284677Sdim                       MachineBasicBlock *checkBlock,
284677Sdim                       MachineBasicBlock *notNullSucc,
309124Sdim                       MachineBasicBlock *nullSucc,
309124Sdim                       MachineInstr *onlyDependency)
284677Sdim        : MemOperation(memOperation), CheckOperation(checkOperation),
309124Sdim          CheckBlock(checkBlock), NotNullSucc(notNullSucc), NullSucc(nullSucc),
309124Sdim          OnlyDependency(onlyDependency) {}
309124Sdim
309124Sdim    MachineInstr *getMemOperation() const { return MemOperation; }
309124Sdim
309124Sdim    MachineInstr *getCheckOperation() const { return CheckOperation; }
309124Sdim
309124Sdim    MachineBasicBlock *getCheckBlock() const { return CheckBlock; }
309124Sdim
309124Sdim    MachineBasicBlock *getNotNullSucc() const { return NotNullSucc; }
309124Sdim
309124Sdim    MachineBasicBlock *getNullSucc() const { return NullSucc; }
309124Sdim
309124Sdim    MachineInstr *getOnlyDependency() const { return OnlyDependency; }
284677Sdim  };
284677Sdim
284677Sdim  const TargetInstrInfo *TII = nullptr;
284677Sdim  const TargetRegisterInfo *TRI = nullptr;
309124Sdim  AliasAnalysis *AA = nullptr;
321369Sdim  MachineFrameInfo *MFI = nullptr;
284677Sdim
284677Sdim  bool analyzeBlockForNullChecks(MachineBasicBlock &MBB,
284677Sdim                                 SmallVectorImpl<NullCheck> &NullCheckList);
321369Sdim  MachineInstr *insertFaultingInstr(MachineInstr *MI, MachineBasicBlock *MBB,
321369Sdim                                    MachineBasicBlock *HandlerMBB);
284677Sdim  void rewriteNullChecks(ArrayRef<NullCheck> NullCheckList);
284677Sdim
321369Sdim  enum AliasResult {
321369Sdim    AR_NoAlias,
321369Sdim    AR_MayAlias,
321369Sdim    AR_WillAliasEverything
321369Sdim  };
327952Sdim
321369Sdim  /// Returns AR_NoAlias if \p MI memory operation does not alias with
321369Sdim  /// \p PrevMI, AR_MayAlias if they may alias and AR_WillAliasEverything if
321369Sdim  /// they may alias and any further memory operation may alias with \p PrevMI.
353358Sdim  AliasResult areMemoryOpsAliased(const MachineInstr &MI,
353358Sdim                                  const MachineInstr *PrevMI) const;
321369Sdim
321369Sdim  enum SuitabilityResult {
321369Sdim    SR_Suitable,
321369Sdim    SR_Unsuitable,
321369Sdim    SR_Impossible
321369Sdim  };
327952Sdim
321369Sdim  /// Return SR_Suitable if \p MI a memory operation that can be used to
321369Sdim  /// implicitly null check the value in \p PointerReg, SR_Unsuitable if
321369Sdim  /// \p MI cannot be used to null check and SR_Impossible if there is
321369Sdim  /// no sense to continue lookup due to any other instruction will not be able
321369Sdim  /// to be used. \p PrevInsts is the set of instruction seen since
314564Sdim  /// the explicit null check on \p PointerReg.
353358Sdim  SuitabilityResult isSuitableMemoryOp(const MachineInstr &MI,
353358Sdim                                       unsigned PointerReg,
321369Sdim                                       ArrayRef<MachineInstr *> PrevInsts);
314564Sdim
341825Sdim  /// Return true if \p FaultingMI can be hoisted from after the
314564Sdim  /// instructions in \p InstsSeenSoFar to before them.  Set \p Dependence to a
314564Sdim  /// non-null value if we also need to (and legally can) hoist a depedency.
321369Sdim  bool canHoistInst(MachineInstr *FaultingMI, unsigned PointerReg,
321369Sdim                    ArrayRef<MachineInstr *> InstsSeenSoFar,
321369Sdim                    MachineBasicBlock *NullSucc, MachineInstr *&Dependence);
314564Sdim
284677Sdimpublic:
284677Sdim  static char ID;
284677Sdim
284677Sdim  ImplicitNullChecks() : MachineFunctionPass(ID) {
284677Sdim    initializeImplicitNullChecksPass(*PassRegistry::getPassRegistry());
284677Sdim  }
284677Sdim
284677Sdim  bool runOnMachineFunction(MachineFunction &MF) override;
327952Sdim
309124Sdim  void getAnalysisUsage(AnalysisUsage &AU) const override {
309124Sdim    AU.addRequired<AAResultsWrapperPass>();
309124Sdim    MachineFunctionPass::getAnalysisUsage(AU);
309124Sdim  }
309124Sdim
309124Sdim  MachineFunctionProperties getRequiredProperties() const override {
309124Sdim    return MachineFunctionProperties().set(
314564Sdim        MachineFunctionProperties::Property::NoVRegs);
309124Sdim  }
284677Sdim};
296417Sdim
327952Sdim} // end anonymous namespace
309124Sdim
314564Sdimbool ImplicitNullChecks::canHandle(const MachineInstr *MI) {
353358Sdim  if (MI->isCall() || MI->mayRaiseFPException() ||
353358Sdim      MI->hasUnmodeledSideEffects())
314564Sdim    return false;
314564Sdim  auto IsRegMask = [](const MachineOperand &MO) { return MO.isRegMask(); };
314564Sdim  (void)IsRegMask;
296417Sdim
314564Sdim  assert(!llvm::any_of(MI->operands(), IsRegMask) &&
314564Sdim         "Calls were filtered out above!");
296417Sdim
314564Sdim  auto IsUnordered = [](MachineMemOperand *MMO) { return MMO->isUnordered(); };
314564Sdim  return llvm::all_of(MI->memoperands(), IsUnordered);
285181Sdim}
284677Sdim
314564SdimImplicitNullChecks::DependenceResult
314564SdimImplicitNullChecks::computeDependence(const MachineInstr *MI,
314564Sdim                                      ArrayRef<MachineInstr *> Block) {
314564Sdim  assert(llvm::all_of(Block, canHandle) && "Check this first!");
327952Sdim  assert(!is_contained(Block, MI) && "Block must be exclusive of MI!");
296417Sdim
314564Sdim  Optional<ArrayRef<MachineInstr *>::iterator> Dep;
296417Sdim
314564Sdim  for (auto I = Block.begin(), E = Block.end(); I != E; ++I) {
314564Sdim    if (canReorder(*I, MI))
314564Sdim      continue;
296417Sdim
314564Sdim    if (Dep == None) {
314564Sdim      // Found one possible dependency, keep track of it.
314564Sdim      Dep = I;
314564Sdim    } else {
314564Sdim      // We found two dependencies, so bail out.
314564Sdim      return {false, None};
296417Sdim    }
296417Sdim  }
296417Sdim
314564Sdim  return {true, Dep};
296417Sdim}
296417Sdim
314564Sdimbool ImplicitNullChecks::canReorder(const MachineInstr *A,
314564Sdim                                    const MachineInstr *B) {
314564Sdim  assert(canHandle(A) && canHandle(B) && "Precondition!");
296417Sdim
314564Sdim  // canHandle makes sure that we _can_ correctly analyze the dependencies
314564Sdim  // between A and B here -- for instance, we should not be dealing with heap
314564Sdim  // load-store dependencies here.
296417Sdim
314564Sdim  for (auto MOA : A->operands()) {
314564Sdim    if (!(MOA.isReg() && MOA.getReg()))
314564Sdim      continue;
296417Sdim
360784Sdim    Register RegA = MOA.getReg();
314564Sdim    for (auto MOB : B->operands()) {
314564Sdim      if (!(MOB.isReg() && MOB.getReg()))
314564Sdim        continue;
309124Sdim
360784Sdim      Register RegB = MOB.getReg();
309124Sdim
321369Sdim      if (TRI->regsOverlap(RegA, RegB) && (MOA.isDef() || MOB.isDef()))
314564Sdim        return false;
296417Sdim    }
296417Sdim  }
296417Sdim
296417Sdim  return true;
296417Sdim}
296417Sdim
284677Sdimbool ImplicitNullChecks::runOnMachineFunction(MachineFunction &MF) {
284677Sdim  TII = MF.getSubtarget().getInstrInfo();
284677Sdim  TRI = MF.getRegInfo().getTargetRegisterInfo();
321369Sdim  MFI = &MF.getFrameInfo();
309124Sdim  AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
284677Sdim
284677Sdim  SmallVector<NullCheck, 16> NullCheckList;
284677Sdim
284677Sdim  for (auto &MBB : MF)
284677Sdim    analyzeBlockForNullChecks(MBB, NullCheckList);
284677Sdim
284677Sdim  if (!NullCheckList.empty())
284677Sdim    rewriteNullChecks(NullCheckList);
284677Sdim
284677Sdim  return !NullCheckList.empty();
284677Sdim}
284677Sdim
309124Sdim// Return true if any register aliasing \p Reg is live-in into \p MBB.
309124Sdimstatic bool AnyAliasLiveIn(const TargetRegisterInfo *TRI,
309124Sdim                           MachineBasicBlock *MBB, unsigned Reg) {
309124Sdim  for (MCRegAliasIterator AR(Reg, TRI, /*IncludeSelf*/ true); AR.isValid();
309124Sdim       ++AR)
309124Sdim    if (MBB->isLiveIn(*AR))
309124Sdim      return true;
309124Sdim  return false;
309124Sdim}
309124Sdim
321369SdimImplicitNullChecks::AliasResult
353358SdimImplicitNullChecks::areMemoryOpsAliased(const MachineInstr &MI,
353358Sdim                                        const MachineInstr *PrevMI) const {
321369Sdim  // If it is not memory access, skip the check.
321369Sdim  if (!(PrevMI->mayStore() || PrevMI->mayLoad()))
321369Sdim    return AR_NoAlias;
321369Sdim  // Load-Load may alias
321369Sdim  if (!(MI.mayStore() || PrevMI->mayStore()))
321369Sdim    return AR_NoAlias;
321369Sdim  // We lost info, conservatively alias. If it was store then no sense to
321369Sdim  // continue because we won't be able to check against it further.
321369Sdim  if (MI.memoperands_empty())
321369Sdim    return MI.mayStore() ? AR_WillAliasEverything : AR_MayAlias;
321369Sdim  if (PrevMI->memoperands_empty())
321369Sdim    return PrevMI->mayStore() ? AR_WillAliasEverything : AR_MayAlias;
321369Sdim
321369Sdim  for (MachineMemOperand *MMO1 : MI.memoperands()) {
321369Sdim    // MMO1 should have a value due it comes from operation we'd like to use
321369Sdim    // as implicit null check.
321369Sdim    assert(MMO1->getValue() && "MMO1 should have a Value!");
321369Sdim    for (MachineMemOperand *MMO2 : PrevMI->memoperands()) {
321369Sdim      if (const PseudoSourceValue *PSV = MMO2->getPseudoValue()) {
321369Sdim        if (PSV->mayAlias(MFI))
321369Sdim          return AR_MayAlias;
321369Sdim        continue;
321369Sdim      }
344779Sdim      llvm::AliasResult AAResult =
344779Sdim          AA->alias(MemoryLocation(MMO1->getValue(), LocationSize::unknown(),
344779Sdim                                   MMO1->getAAInfo()),
344779Sdim                    MemoryLocation(MMO2->getValue(), LocationSize::unknown(),
344779Sdim                                   MMO2->getAAInfo()));
321369Sdim      if (AAResult != NoAlias)
321369Sdim        return AR_MayAlias;
321369Sdim    }
321369Sdim  }
321369Sdim  return AR_NoAlias;
321369Sdim}
321369Sdim
321369SdimImplicitNullChecks::SuitabilityResult
353358SdimImplicitNullChecks::isSuitableMemoryOp(const MachineInstr &MI,
353358Sdim                                       unsigned PointerReg,
321369Sdim                                       ArrayRef<MachineInstr *> PrevInsts) {
314564Sdim  int64_t Offset;
353358Sdim  const MachineOperand *BaseOp;
314564Sdim
344779Sdim  if (!TII->getMemOperandWithOffset(MI, BaseOp, Offset, TRI) ||
344779Sdim      !BaseOp->isReg() || BaseOp->getReg() != PointerReg)
321369Sdim    return SR_Unsuitable;
314564Sdim
321369Sdim  // We want the mem access to be issued at a sane offset from PointerReg,
321369Sdim  // so that if PointerReg is null then the access reliably page faults.
360784Sdim  if (!(MI.mayLoadOrStore() && !MI.isPredicable() &&
327952Sdim        -PageSize < Offset && Offset < PageSize))
321369Sdim    return SR_Unsuitable;
314564Sdim
321369Sdim  // Finally, check whether the current memory access aliases with previous one.
321369Sdim  for (auto *PrevMI : PrevInsts) {
321369Sdim    AliasResult AR = areMemoryOpsAliased(MI, PrevMI);
321369Sdim    if (AR == AR_WillAliasEverything)
321369Sdim      return SR_Impossible;
321369Sdim    if (AR == AR_MayAlias)
321369Sdim      return SR_Unsuitable;
321369Sdim  }
321369Sdim  return SR_Suitable;
314564Sdim}
314564Sdim
321369Sdimbool ImplicitNullChecks::canHoistInst(MachineInstr *FaultingMI,
321369Sdim                                      unsigned PointerReg,
321369Sdim                                      ArrayRef<MachineInstr *> InstsSeenSoFar,
321369Sdim                                      MachineBasicBlock *NullSucc,
321369Sdim                                      MachineInstr *&Dependence) {
314564Sdim  auto DepResult = computeDependence(FaultingMI, InstsSeenSoFar);
314564Sdim  if (!DepResult.CanReorder)
314564Sdim    return false;
314564Sdim
314564Sdim  if (!DepResult.PotentialDependence) {
314564Sdim    Dependence = nullptr;
314564Sdim    return true;
314564Sdim  }
314564Sdim
314564Sdim  auto DependenceItr = *DepResult.PotentialDependence;
314564Sdim  auto *DependenceMI = *DependenceItr;
314564Sdim
314564Sdim  // We don't want to reason about speculating loads.  Note -- at this point
314564Sdim  // we should have already filtered out all of the other non-speculatable
314564Sdim  // things, like calls and stores.
327952Sdim  // We also do not want to hoist stores because it might change the memory
327952Sdim  // while the FaultingMI may result in faulting.
314564Sdim  assert(canHandle(DependenceMI) && "Should never have reached here!");
327952Sdim  if (DependenceMI->mayLoadOrStore())
314564Sdim    return false;
314564Sdim
314564Sdim  for (auto &DependenceMO : DependenceMI->operands()) {
314564Sdim    if (!(DependenceMO.isReg() && DependenceMO.getReg()))
314564Sdim      continue;
314564Sdim
314564Sdim    // Make sure that we won't clobber any live ins to the sibling block by
314564Sdim    // hoisting Dependency.  For instance, we can't hoist INST to before the
314564Sdim    // null check (even if it safe, and does not violate any dependencies in
314564Sdim    // the non_null_block) if %rdx is live in to _null_block.
314564Sdim    //
314564Sdim    //    test %rcx, %rcx
314564Sdim    //    je _null_block
314564Sdim    //  _non_null_block:
327952Sdim    //    %rdx = INST
314564Sdim    //    ...
314564Sdim    //
314564Sdim    // This restriction does not apply to the faulting load inst because in
314564Sdim    // case the pointer loaded from is in the null page, the load will not
314564Sdim    // semantically execute, and affect machine state.  That is, if the load
314564Sdim    // was loading into %rax and it faults, the value of %rax should stay the
314564Sdim    // same as it would have been had the load not have executed and we'd have
314564Sdim    // branched to NullSucc directly.
314564Sdim    if (AnyAliasLiveIn(TRI, NullSucc, DependenceMO.getReg()))
314564Sdim      return false;
314564Sdim
314564Sdim    // The Dependency can't be re-defining the base register -- then we won't
314564Sdim    // get the memory operation on the address we want.  This is already
314564Sdim    // checked in \c IsSuitableMemoryOp.
321369Sdim    assert(!(DependenceMO.isDef() &&
321369Sdim             TRI->regsOverlap(DependenceMO.getReg(), PointerReg)) &&
314564Sdim           "Should have been checked before!");
314564Sdim  }
314564Sdim
314564Sdim  auto DepDepResult =
314564Sdim      computeDependence(DependenceMI, {InstsSeenSoFar.begin(), DependenceItr});
314564Sdim
314564Sdim  if (!DepDepResult.CanReorder || DepDepResult.PotentialDependence)
314564Sdim    return false;
314564Sdim
314564Sdim  Dependence = DependenceMI;
314564Sdim  return true;
314564Sdim}
314564Sdim
284677Sdim/// Analyze MBB to check if its terminating branch can be turned into an
284677Sdim/// implicit null check.  If yes, append a description of the said null check to
284677Sdim/// NullCheckList and return true, else return false.
284677Sdimbool ImplicitNullChecks::analyzeBlockForNullChecks(
284677Sdim    MachineBasicBlock &MBB, SmallVectorImpl<NullCheck> &NullCheckList) {
327952Sdim  using MachineBranchPredicate = TargetInstrInfo::MachineBranchPredicate;
284677Sdim
296417Sdim  MDNode *BranchMD = nullptr;
296417Sdim  if (auto *BB = MBB.getBasicBlock())
296417Sdim    BranchMD = BB->getTerminator()->getMetadata(LLVMContext::MD_make_implicit);
296417Sdim
285181Sdim  if (!BranchMD)
285181Sdim    return false;
285181Sdim
284677Sdim  MachineBranchPredicate MBP;
284677Sdim
309124Sdim  if (TII->analyzeBranchPredicate(MBB, MBP, true))
284677Sdim    return false;
284677Sdim
284677Sdim  // Is the predicate comparing an integer to zero?
284677Sdim  if (!(MBP.LHS.isReg() && MBP.RHS.isImm() && MBP.RHS.getImm() == 0 &&
284677Sdim        (MBP.Predicate == MachineBranchPredicate::PRED_NE ||
284677Sdim         MBP.Predicate == MachineBranchPredicate::PRED_EQ)))
284677Sdim    return false;
284677Sdim
284677Sdim  // If we cannot erase the test instruction itself, then making the null check
284677Sdim  // implicit does not buy us much.
284677Sdim  if (!MBP.SingleUseCondition)
284677Sdim    return false;
284677Sdim
284677Sdim  MachineBasicBlock *NotNullSucc, *NullSucc;
284677Sdim
284677Sdim  if (MBP.Predicate == MachineBranchPredicate::PRED_NE) {
284677Sdim    NotNullSucc = MBP.TrueDest;
284677Sdim    NullSucc = MBP.FalseDest;
284677Sdim  } else {
284677Sdim    NotNullSucc = MBP.FalseDest;
284677Sdim    NullSucc = MBP.TrueDest;
284677Sdim  }
284677Sdim
284677Sdim  // We handle the simplest case for now.  We can potentially do better by using
284677Sdim  // the machine dominator tree.
284677Sdim  if (NotNullSucc->pred_size() != 1)
284677Sdim    return false;
284677Sdim
341825Sdim  // To prevent the invalid transformation of the following code:
341825Sdim  //
341825Sdim  //   mov %rax, %rcx
341825Sdim  //   test %rax, %rax
341825Sdim  //   %rax = ...
341825Sdim  //   je throw_npe
341825Sdim  //   mov(%rcx), %r9
341825Sdim  //   mov(%rax), %r10
341825Sdim  //
341825Sdim  // into:
341825Sdim  //
341825Sdim  //   mov %rax, %rcx
341825Sdim  //   %rax = ....
341825Sdim  //   faulting_load_op("movl (%rax), %r10", throw_npe)
341825Sdim  //   mov(%rcx), %r9
341825Sdim  //
341825Sdim  // we must ensure that there are no instructions between the 'test' and
341825Sdim  // conditional jump that modify %rax.
360784Sdim  const Register PointerReg = MBP.LHS.getReg();
341825Sdim
341825Sdim  assert(MBP.ConditionDef->getParent() ==  &MBB && "Should be in basic block");
341825Sdim
341825Sdim  for (auto I = MBB.rbegin(); MBP.ConditionDef != &*I; ++I)
341825Sdim    if (I->modifiesRegister(PointerReg, TRI))
341825Sdim      return false;
341825Sdim
284677Sdim  // Starting with a code fragment like:
284677Sdim  //
327952Sdim  //   test %rax, %rax
284677Sdim  //   jne LblNotNull
284677Sdim  //
284677Sdim  //  LblNull:
284677Sdim  //   callq throw_NullPointerException
284677Sdim  //
284677Sdim  //  LblNotNull:
286684Sdim  //   Inst0
286684Sdim  //   Inst1
286684Sdim  //   ...
327952Sdim  //   Def = Load (%rax + <offset>)
284677Sdim  //   ...
284677Sdim  //
284677Sdim  //
284677Sdim  // we want to end up with
284677Sdim  //
327952Sdim  //   Def = FaultingLoad (%rax + <offset>), LblNull
284677Sdim  //   jmp LblNotNull ;; explicit or fallthrough
284677Sdim  //
284677Sdim  //  LblNotNull:
286684Sdim  //   Inst0
286684Sdim  //   Inst1
284677Sdim  //   ...
284677Sdim  //
284677Sdim  //  LblNull:
284677Sdim  //   callq throw_NullPointerException
284677Sdim  //
296417Sdim  //
296417Sdim  // To see why this is legal, consider the two possibilities:
296417Sdim  //
327952Sdim  //  1. %rax is null: since we constrain <offset> to be less than PageSize, the
296417Sdim  //     load instruction dereferences the null page, causing a segmentation
296417Sdim  //     fault.
296417Sdim  //
327952Sdim  //  2. %rax is not null: in this case we know that the load cannot fault, as
296417Sdim  //     otherwise the load would've faulted in the original program too and the
296417Sdim  //     original program would've been undefined.
296417Sdim  //
296417Sdim  // This reasoning cannot be extended to justify hoisting through arbitrary
296417Sdim  // control flow.  For instance, in the example below (in pseudo-C)
296417Sdim  //
296417Sdim  //    if (ptr == null) { throw_npe(); unreachable; }
296417Sdim  //    if (some_cond) { return 42; }
296417Sdim  //    v = ptr->field;  // LD
296417Sdim  //    ...
296417Sdim  //
296417Sdim  // we cannot (without code duplication) use the load marked "LD" to null check
296417Sdim  // ptr -- clause (2) above does not apply in this case.  In the above program
296417Sdim  // the safety of ptr->field can be dependent on some_cond; and, for instance,
296417Sdim  // ptr could be some non-null invalid reference that never gets loaded from
296417Sdim  // because some_cond is always true.
284677Sdim
314564Sdim  SmallVector<MachineInstr *, 8> InstsSeenSoFar;
286684Sdim
314564Sdim  for (auto &MI : *NotNullSucc) {
314564Sdim    if (!canHandle(&MI) || InstsSeenSoFar.size() >= MaxInstsToConsider)
314564Sdim      return false;
309124Sdim
314564Sdim    MachineInstr *Dependence;
321369Sdim    SuitabilityResult SR = isSuitableMemoryOp(MI, PointerReg, InstsSeenSoFar);
321369Sdim    if (SR == SR_Impossible)
321369Sdim      return false;
321369Sdim    if (SR == SR_Suitable &&
321369Sdim        canHoistInst(&MI, PointerReg, InstsSeenSoFar, NullSucc, Dependence)) {
314564Sdim      NullCheckList.emplace_back(&MI, MBP.ConditionDef, &MBB, NotNullSucc,
314564Sdim                                 NullSucc, Dependence);
314564Sdim      return true;
314564Sdim    }
309124Sdim
321369Sdim    // If MI re-defines the PointerReg then we cannot move further.
327952Sdim    if (llvm::any_of(MI.operands(), [&](MachineOperand &MO) {
321369Sdim          return MO.isReg() && MO.getReg() && MO.isDef() &&
321369Sdim                 TRI->regsOverlap(MO.getReg(), PointerReg);
321369Sdim        }))
321369Sdim      return false;
314564Sdim    InstsSeenSoFar.push_back(&MI);
286684Sdim  }
286684Sdim
284677Sdim  return false;
284677Sdim}
284677Sdim
321369Sdim/// Wrap a machine instruction, MI, into a FAULTING machine instruction.
321369Sdim/// The FAULTING instruction does the same load/store as MI
321369Sdim/// (defining the same register), and branches to HandlerMBB if the mem access
321369Sdim/// faults.  The FAULTING instruction is inserted at the end of MBB.
321369SdimMachineInstr *ImplicitNullChecks::insertFaultingInstr(
321369Sdim    MachineInstr *MI, MachineBasicBlock *MBB, MachineBasicBlock *HandlerMBB) {
296417Sdim  const unsigned NoRegister = 0; // Guaranteed to be the NoRegister value for
296417Sdim                                 // all targets.
296417Sdim
284677Sdim  DebugLoc DL;
321369Sdim  unsigned NumDefs = MI->getDesc().getNumDefs();
296417Sdim  assert(NumDefs <= 1 && "other cases unhandled!");
284677Sdim
296417Sdim  unsigned DefReg = NoRegister;
296417Sdim  if (NumDefs != 0) {
341825Sdim    DefReg = MI->getOperand(0).getReg();
341825Sdim    assert(NumDefs == 1 && "expected exactly one def!");
296417Sdim  }
284677Sdim
321369Sdim  FaultMaps::FaultKind FK;
321369Sdim  if (MI->mayLoad())
321369Sdim    FK =
321369Sdim        MI->mayStore() ? FaultMaps::FaultingLoadStore : FaultMaps::FaultingLoad;
321369Sdim  else
321369Sdim    FK = FaultMaps::FaultingStore;
321369Sdim
321369Sdim  auto MIB = BuildMI(MBB, DL, TII->get(TargetOpcode::FAULTING_OP), DefReg)
321369Sdim                 .addImm(FK)
309124Sdim                 .addMBB(HandlerMBB)
321369Sdim                 .addImm(MI->getOpcode());
284677Sdim
321369Sdim  for (auto &MO : MI->uses()) {
321369Sdim    if (MO.isReg()) {
321369Sdim      MachineOperand NewMO = MO;
321369Sdim      if (MO.isUse()) {
321369Sdim        NewMO.setIsKill(false);
321369Sdim      } else {
321369Sdim        assert(MO.isDef() && "Expected def or use");
321369Sdim        NewMO.setIsDead(false);
321369Sdim      }
321369Sdim      MIB.add(NewMO);
321369Sdim    } else {
321369Sdim      MIB.add(MO);
321369Sdim    }
321369Sdim  }
284677Sdim
344779Sdim  MIB.setMemRefs(MI->memoperands());
284677Sdim
284677Sdim  return MIB;
284677Sdim}
284677Sdim
284677Sdim/// Rewrite the null checks in NullCheckList into implicit null checks.
284677Sdimvoid ImplicitNullChecks::rewriteNullChecks(
284677Sdim    ArrayRef<ImplicitNullChecks::NullCheck> NullCheckList) {
284677Sdim  DebugLoc DL;
284677Sdim
284677Sdim  for (auto &NC : NullCheckList) {
284677Sdim    // Remove the conditional branch dependent on the null check.
314564Sdim    unsigned BranchesRemoved = TII->removeBranch(*NC.getCheckBlock());
284677Sdim    (void)BranchesRemoved;
284677Sdim    assert(BranchesRemoved > 0 && "expected at least one branch!");
284677Sdim
309124Sdim    if (auto *DepMI = NC.getOnlyDependency()) {
309124Sdim      DepMI->removeFromParent();
309124Sdim      NC.getCheckBlock()->insert(NC.getCheckBlock()->end(), DepMI);
309124Sdim    }
309124Sdim
321369Sdim    // Insert a faulting instruction where the conditional branch was
321369Sdim    // originally. We check earlier ensures that this bit of code motion
321369Sdim    // is legal.  We do not touch the successors list for any basic block
321369Sdim    // since we haven't changed control flow, we've just made it implicit.
321369Sdim    MachineInstr *FaultingInstr = insertFaultingInstr(
309124Sdim        NC.getMemOperation(), NC.getCheckBlock(), NC.getNullSucc());
309124Sdim    // Now the values defined by MemOperation, if any, are live-in of
309124Sdim    // the block of MemOperation.
321369Sdim    // The original operation may define implicit-defs alongside
321369Sdim    // the value.
309124Sdim    MachineBasicBlock *MBB = NC.getMemOperation()->getParent();
321369Sdim    for (const MachineOperand &MO : FaultingInstr->operands()) {
309124Sdim      if (!MO.isReg() || !MO.isDef())
309124Sdim        continue;
360784Sdim      Register Reg = MO.getReg();
309124Sdim      if (!Reg || MBB->isLiveIn(Reg))
309124Sdim        continue;
309124Sdim      MBB->addLiveIn(Reg);
309124Sdim    }
284677Sdim
309124Sdim    if (auto *DepMI = NC.getOnlyDependency()) {
309124Sdim      for (auto &MO : DepMI->operands()) {
360784Sdim        if (!MO.isReg() || !MO.getReg() || !MO.isDef() || MO.isDead())
309124Sdim          continue;
309124Sdim        if (!NC.getNotNullSucc()->isLiveIn(MO.getReg()))
309124Sdim          NC.getNotNullSucc()->addLiveIn(MO.getReg());
309124Sdim      }
309124Sdim    }
309124Sdim
309124Sdim    NC.getMemOperation()->eraseFromParent();
309124Sdim    NC.getCheckOperation()->eraseFromParent();
309124Sdim
284677Sdim    // Insert an *unconditional* branch to not-null successor.
314564Sdim    TII->insertBranch(*NC.getCheckBlock(), NC.getNotNullSucc(), nullptr,
309124Sdim                      /*Cond=*/None, DL);
284677Sdim
286684Sdim    NumImplicitNullChecks++;
284677Sdim  }
284677Sdim}
284677Sdim
327952Sdimchar ImplicitNullChecks::ID = 0;
314564Sdim
284677Sdimchar &llvm::ImplicitNullChecksID = ImplicitNullChecks::ID;
327952Sdim
321369SdimINITIALIZE_PASS_BEGIN(ImplicitNullChecks, DEBUG_TYPE,
284677Sdim                      "Implicit null checks", false, false)
309124SdimINITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass)
321369SdimINITIALIZE_PASS_END(ImplicitNullChecks, DEBUG_TYPE,
284677Sdim                    "Implicit null checks", false, false)