Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/lib/Analysis/Lint.cpp
Line
Count
Source (jump to first uncovered line)
1
//===-- Lint.cpp - Check for common errors in LLVM IR ---------------------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This pass statically checks for common and easily-identified constructs
10
// which produce undefined or likely unintended behavior in LLVM IR.
11
//
12
// It is not a guarantee of correctness, in two ways. First, it isn't
13
// comprehensive. There are checks which could be done statically which are
14
// not yet implemented. Some of these are indicated by TODO comments, but
15
// those aren't comprehensive either. Second, many conditions cannot be
16
// checked statically. This pass does no dynamic instrumentation, so it
17
// can't check for all possible problems.
18
//
19
// Another limitation is that it assumes all code will be executed. A store
20
// through a null pointer in a basic block which is never reached is harmless,
21
// but this pass will warn about it anyway. This is the main reason why most
22
// of these checks live here instead of in the Verifier pass.
23
//
24
// Optimization passes may make conditions that this pass checks for more or
25
// less obvious. If an optimization pass appears to be introducing a warning,
26
// it may be that the optimization pass is merely exposing an existing
27
// condition in the code.
28
//
29
// This code may be run before instcombine. In many cases, instcombine checks
30
// for the same kinds of things and turns instructions with undefined behavior
31
// into unreachable (or equivalent). Because of this, this pass makes some
32
// effort to look through bitcasts and so on.
33
//
34
//===----------------------------------------------------------------------===//
35
36
#include "llvm/Analysis/Lint.h"
37
#include "llvm/ADT/APInt.h"
38
#include "llvm/ADT/ArrayRef.h"
39
#include "llvm/ADT/SmallPtrSet.h"
40
#include "llvm/ADT/Twine.h"
41
#include "llvm/Analysis/AliasAnalysis.h"
42
#include "llvm/Analysis/AssumptionCache.h"
43
#include "llvm/Analysis/ConstantFolding.h"
44
#include "llvm/Analysis/InstructionSimplify.h"
45
#include "llvm/Analysis/Loads.h"
46
#include "llvm/Analysis/MemoryLocation.h"
47
#include "llvm/Analysis/Passes.h"
48
#include "llvm/Analysis/TargetLibraryInfo.h"
49
#include "llvm/Analysis/ValueTracking.h"
50
#include "llvm/IR/Argument.h"
51
#include "llvm/IR/BasicBlock.h"
52
#include "llvm/IR/CallSite.h"
53
#include "llvm/IR/Constant.h"
54
#include "llvm/IR/Constants.h"
55
#include "llvm/IR/DataLayout.h"
56
#include "llvm/IR/DerivedTypes.h"
57
#include "llvm/IR/Dominators.h"
58
#include "llvm/IR/Function.h"
59
#include "llvm/IR/GlobalVariable.h"
60
#include "llvm/IR/InstVisitor.h"
61
#include "llvm/IR/InstrTypes.h"
62
#include "llvm/IR/Instruction.h"
63
#include "llvm/IR/Instructions.h"
64
#include "llvm/IR/IntrinsicInst.h"
65
#include "llvm/IR/LegacyPassManager.h"
66
#include "llvm/IR/Module.h"
67
#include "llvm/IR/Type.h"
68
#include "llvm/IR/Value.h"
69
#include "llvm/Pass.h"
70
#include "llvm/Support/Casting.h"
71
#include "llvm/Support/Debug.h"
72
#include "llvm/Support/KnownBits.h"
73
#include "llvm/Support/MathExtras.h"
74
#include "llvm/Support/raw_ostream.h"
75
#include <cassert>
76
#include <cstdint>
77
#include <iterator>
78
#include <string>
79
80
using namespace llvm;
81
82
namespace {
83
  namespace MemRef {
84
    static const unsigned Read     = 1;
85
    static const unsigned Write    = 2;
86
    static const unsigned Callee   = 4;
87
    static const unsigned Branchee = 8;
88
  } // end namespace MemRef
89
90
  class Lint : public FunctionPass, public InstVisitor<Lint> {
91
    friend class InstVisitor<Lint>;
92
93
    void visitFunction(Function &F);
94
95
    void visitCallSite(CallSite CS);
96
    void visitMemoryReference(Instruction &I, Value *Ptr,
97
                              uint64_t Size, unsigned Align,
98
                              Type *Ty, unsigned Flags);
99
    void visitEHBeginCatch(IntrinsicInst *II);
100
    void visitEHEndCatch(IntrinsicInst *II);
101
102
    void visitCallInst(CallInst &I);
103
    void visitInvokeInst(InvokeInst &I);
104
    void visitReturnInst(ReturnInst &I);
105
    void visitLoadInst(LoadInst &I);
106
    void visitStoreInst(StoreInst &I);
107
    void visitXor(BinaryOperator &I);
108
    void visitSub(BinaryOperator &I);
109
    void visitLShr(BinaryOperator &I);
110
    void visitAShr(BinaryOperator &I);
111
    void visitShl(BinaryOperator &I);
112
    void visitSDiv(BinaryOperator &I);
113
    void visitUDiv(BinaryOperator &I);
114
    void visitSRem(BinaryOperator &I);
115
    void visitURem(BinaryOperator &I);
116
    void visitAllocaInst(AllocaInst &I);
117
    void visitVAArgInst(VAArgInst &I);
118
    void visitIndirectBrInst(IndirectBrInst &I);
119
    void visitExtractElementInst(ExtractElementInst &I);
120
    void visitInsertElementInst(InsertElementInst &I);
121
    void visitUnreachableInst(UnreachableInst &I);
122
123
    Value *findValue(Value *V, bool OffsetOk) const;
124
    Value *findValueImpl(Value *V, bool OffsetOk,
125
                         SmallPtrSetImpl<Value *> &Visited) const;
126
127
  public:
128
    Module *Mod;
129
    const DataLayout *DL;
130
    AliasAnalysis *AA;
131
    AssumptionCache *AC;
132
    DominatorTree *DT;
133
    TargetLibraryInfo *TLI;
134
135
    std::string Messages;
136
    raw_string_ostream MessagesStr;
137
138
    static char ID; // Pass identification, replacement for typeid
139
10
    Lint() : FunctionPass(ID), MessagesStr(Messages) {
140
10
      initializeLintPass(*PassRegistry::getPassRegistry());
141
10
    }
142
143
    bool runOnFunction(Function &F) override;
144
145
10
    void getAnalysisUsage(AnalysisUsage &AU) const override {
146
10
      AU.setPreservesAll();
147
10
      AU.addRequired<AAResultsWrapperPass>();
148
10
      AU.addRequired<AssumptionCacheTracker>();
149
10
      AU.addRequired<TargetLibraryInfoWrapperPass>();
150
10
      AU.addRequired<DominatorTreeWrapperPass>();
151
10
    }
152
0
    void print(raw_ostream &O, const Module *M) const override {}
153
154
65
    void WriteValues(ArrayRef<const Value *> Vs) {
155
65
      for (const Value *V : Vs) {
156
65
        if (!V)
157
0
          continue;
158
65
        if (isa<Instruction>(V)) {
159
64
          MessagesStr << *V << '\n';
160
64
        } else {
161
1
          V->printAsOperand(MessagesStr, true, Mod);
162
1
          MessagesStr << '\n';
163
1
        }
164
65
      }
165
65
    }
166
167
    /// A check failed, so printout out the condition and the message.
168
    ///
169
    /// This provides a nice place to put a breakpoint if you want to see why
170
    /// something is not correct.
171
65
    void CheckFailed(const Twine &Message) { MessagesStr << Message << '\n'; }
172
173
    /// A check failed (with values to print).
174
    ///
175
    /// This calls the Message-only version so that the above is easier to set
176
    /// a breakpoint on.
177
    template <typename T1, typename... Ts>
178
65
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
65
      CheckFailed(Message);
180
65
      WriteValues({V1, Vs...});
181
65
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::Function*>(llvm::Twine const&, llvm::Function* const&)
Line
Count
Source
178
1
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
1
      CheckFailed(Message);
180
1
      WriteValues({V1, Vs...});
181
1
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::ReturnInst*>(llvm::Twine const&, llvm::ReturnInst* const&)
Line
Count
Source
178
3
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
3
      CheckFailed(Message);
180
3
      WriteValues({V1, Vs...});
181
3
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::Instruction*>(llvm::Twine const&, llvm::Instruction* const&)
Line
Count
Source
178
39
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
39
      CheckFailed(Message);
180
39
      WriteValues({V1, Vs...});
181
39
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::IndirectBrInst*>(llvm::Twine const&, llvm::IndirectBrInst* const&)
Line
Count
Source
178
1
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
1
      CheckFailed(Message);
180
1
      WriteValues({V1, Vs...});
181
1
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::UnreachableInst*>(llvm::Twine const&, llvm::UnreachableInst* const&)
Line
Count
Source
178
1
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
1
      CheckFailed(Message);
180
1
      WriteValues({V1, Vs...});
181
1
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::BinaryOperator*>(llvm::Twine const&, llvm::BinaryOperator* const&)
Line
Count
Source
178
17
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
17
      CheckFailed(Message);
180
17
      WriteValues({V1, Vs...});
181
17
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::AllocaInst*>(llvm::Twine const&, llvm::AllocaInst* const&)
Line
Count
Source
178
1
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
1
      CheckFailed(Message);
180
1
      WriteValues({V1, Vs...});
181
1
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::ExtractElementInst*>(llvm::Twine const&, llvm::ExtractElementInst* const&)
Line
Count
Source
178
1
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
1
      CheckFailed(Message);
180
1
      WriteValues({V1, Vs...});
181
1
    }
Lint.cpp:void (anonymous namespace)::Lint::CheckFailed<llvm::InsertElementInst*>(llvm::Twine const&, llvm::InsertElementInst* const&)
Line
Count
Source
178
1
    void CheckFailed(const Twine &Message, const T1 &V1, const Ts &...Vs) {
179
1
      CheckFailed(Message);
180
1
      WriteValues({V1, Vs...});
181
1
    }
182
  };
183
} // end anonymous namespace
184
185
char Lint::ID = 0;
186
11.0k
INITIALIZE_PASS_BEGIN(Lint, "lint", "Statically lint-checks LLVM IR",
187
11.0k
                      false, true)
188
11.0k
INITIALIZE_PASS_DEPENDENCY(AssumptionCacheTracker)
189
11.0k
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
190
11.0k
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
191
11.0k
INITIALIZE_PASS_DEPENDENCY(AAResultsWrapperPass)
192
11.0k
INITIALIZE_PASS_END(Lint, "lint", "Statically lint-checks LLVM IR",
193
                    false, true)
194
195
// Assert - We know that cond should be true, if not print an error message.
196
#define Assert(C, ...) \
197
1.09k
    do { if (!(
C684
))
{ CheckFailed(__VA_ARGS__); return; }65
} while (
false1.02k
)
198
199
// Lint::run - This is the main Analysis entry point for a
200
// function.
201
//
202
41
bool Lint::runOnFunction(Function &F) {
203
41
  Mod = F.getParent();
204
41
  DL = &F.getParent()->getDataLayout();
205
41
  AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();
206
41
  AC = &getAnalysis<AssumptionCacheTracker>().getAssumptionCache(F);
207
41
  DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();
208
41
  TLI = &getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
209
41
  visit(F);
210
41
  dbgs() << MessagesStr.str();
211
41
  Messages.clear();
212
41
  return false;
213
41
}
214
215
41
void Lint::visitFunction(Function &F) {
216
41
  // This isn't undefined behavior, it's just a little unusual, and it's a
217
41
  // fairly common mistake to neglect to name a function.
218
41
  Assert(F.hasName() || F.hasLocalLinkage(),
219
41
         "Unusual: Unnamed function with non-local linkage", &F);
220
41
221
41
  // TODO: Check for irreducible control flow.
222
41
}
223
224
56
void Lint::visitCallSite(CallSite CS) {
225
56
  Instruction &I = *CS.getInstruction();
226
56
  Value *Callee = CS.getCalledValue();
227
56
228
56
  visitMemoryReference(I, Callee, MemoryLocation::UnknownSize, 0, nullptr,
229
56
                       MemRef::Callee);
230
56
231
56
  if (Function *F = dyn_cast<Function>(findValue(Callee,
232
54
                                                 /*OffsetOk=*/false))) {
233
54
    Assert(CS.getCallingConv() == F->getCallingConv(),
234
54
           "Undefined behavior: Caller and callee calling convention differ",
235
54
           &I);
236
54
237
54
    FunctionType *FT = F->getFunctionType();
238
53
    unsigned NumActualArgs = CS.arg_size();
239
53
240
53
    Assert(FT->isVarArg() ? FT->getNumParams() <= NumActualArgs
241
53
                          : FT->getNumParams() == NumActualArgs,
242
53
           "Undefined behavior: Call argument count mismatches callee "
243
53
           "argument count",
244
53
           &I);
245
53
246
53
    
Assert51
(FT->getReturnType() == I.getType(),
247
51
           "Undefined behavior: Call return type mismatches "
248
51
           "callee return type",
249
51
           &I);
250
51
251
51
    // Check argument types (in case the callee was casted) and attributes.
252
51
    // TODO: Verify that caller and callee attributes are compatible.
253
51
    Function::arg_iterator PI = F->arg_begin(), PE = F->arg_end();
254
50
    CallSite::arg_iterator AI = CS.arg_begin(), AE = CS.arg_end();
255
138
    for (; AI != AE; 
++AI88
) {
256
93
      Value *Actual = *AI;
257
93
      if (PI != PE) {
258
89
        Argument *Formal = &*PI++;
259
89
        Assert(Formal->getType() == Actual->getType(),
260
89
               "Undefined behavior: Call argument type mismatches "
261
89
               "callee parameter type",
262
89
               &I);
263
89
264
89
        // Check that noalias arguments don't alias other arguments. This is
265
89
        // not fully precise because we don't know the sizes of the dereferenced
266
89
        // memory regions.
267
89
        
if (88
Formal->hasNoAliasAttr()88
&&
Actual->getType()->isPointerTy()6
) {
268
6
          AttributeList PAL = CS.getAttributes();
269
6
          unsigned ArgNo = 0;
270
14
          for (CallSite::arg_iterator BI = CS.arg_begin(); BI != AE;
271
12
               
++BI, ++ArgNo8
) {
272
12
            // Skip ByVal arguments since they will be memcpy'd to the callee's
273
12
            // stack so we're not really passing the pointer anyway.
274
12
            if (PAL.hasParamAttribute(ArgNo, Attribute::ByVal))
275
1
              continue;
276
11
            // If both arguments are readonly, they have no dependence.
277
11
            if (Formal->onlyReadsMemory() && 
CS.onlyReadsMemory(ArgNo)4
)
278
3
              continue;
279
8
            if (AI != BI && 
(*BI)->getType()->isPointerTy()4
) {
280
4
              AliasResult Result = AA->alias(*AI, *BI);
281
4
              Assert(Result != MustAlias && Result != PartialAlias,
282
4
                     "Unusual: noalias argument aliases another argument", &I);
283
4
            }
284
8
          }
285
6
        }
286
88
287
88
        // Check that an sret argument points to valid memory.
288
88
        
if (84
Formal->hasStructRetAttr()84
&&
Actual->getType()->isPointerTy()2
) {
289
2
          Type *Ty =
290
2
            cast<PointerType>(Formal->getType())->getElementType();
291
2
          visitMemoryReference(I, Actual, DL->getTypeStoreSize(Ty),
292
2
                               DL->getABITypeAlignment(Ty), Ty,
293
2
                               MemRef::Read | MemRef::Write);
294
2
        }
295
84
      }
296
93
    }
297
50
  }
298
56
299
56
  
if (47
CS.isCall()47
) {
300
41
    const CallInst *CI = cast<CallInst>(CS.getInstruction());
301
41
    if (CI->isTailCall()) {
302
5
      const AttributeList &PAL = CI->getAttributes();
303
5
      unsigned ArgNo = 0;
304
5
      for (Value *Arg : CS.args()) {
305
4
        // Skip ByVal arguments since they will be memcpy'd to the callee's
306
4
        // stack anyway.
307
4
        if (PAL.hasParamAttribute(ArgNo++, Attribute::ByVal))
308
1
          continue;
309
3
        Value *Obj = findValue(Arg, /*OffsetOk=*/true);
310
3
        Assert(!isa<AllocaInst>(Obj),
311
3
               "Undefined behavior: Call with \"tail\" keyword references "
312
3
               "alloca",
313
3
               &I);
314
3
      }
315
5
    }
316
41
  }
317
47
318
47
319
47
  
if (IntrinsicInst *45
II45
= dyn_cast<IntrinsicInst>(&I))
320
28
    switch (II->getIntrinsicID()) {
321
28
    
default: break10
;
322
28
323
28
    // TODO: Check more intrinsics
324
28
325
28
    case Intrinsic::memcpy: {
326
6
      MemCpyInst *MCI = cast<MemCpyInst>(&I);
327
6
      // TODO: If the size is known, use it.
328
6
      visitMemoryReference(I, MCI->getDest(), MemoryLocation::UnknownSize,
329
6
                           MCI->getDestAlignment(), nullptr, MemRef::Write);
330
6
      visitMemoryReference(I, MCI->getSource(), MemoryLocation::UnknownSize,
331
6
                           MCI->getSourceAlignment(), nullptr, MemRef::Read);
332
6
333
6
      // Check that the memcpy arguments don't overlap. The AliasAnalysis API
334
6
      // isn't expressive enough for what we really want to do. Known partial
335
6
      // overlap is not distinguished from the case where nothing is known.
336
6
      auto Size = LocationSize::unknown();
337
6
      if (const ConstantInt *Len =
338
6
              dyn_cast<ConstantInt>(findValue(MCI->getLength(),
339
6
                                              /*OffsetOk=*/false)))
340
6
        if (Len->getValue().isIntN(32))
341
6
          Size = LocationSize::precise(Len->getValue().getZExtValue());
342
6
      Assert(AA->alias(MCI->getSource(), Size, MCI->getDest(), Size) !=
343
6
                 MustAlias,
344
6
             "Undefined behavior: memcpy source and destination overlap", &I);
345
6
      
break5
;
346
6
    }
347
6
    case Intrinsic::memmove: {
348
5
      MemMoveInst *MMI = cast<MemMoveInst>(&I);
349
5
      // TODO: If the size is known, use it.
350
5
      visitMemoryReference(I, MMI->getDest(), MemoryLocation::UnknownSize,
351
5
                           MMI->getDestAlignment(), nullptr, MemRef::Write);
352
5
      visitMemoryReference(I, MMI->getSource(), MemoryLocation::UnknownSize,
353
5
                           MMI->getSourceAlignment(), nullptr, MemRef::Read);
354
5
      break;
355
6
    }
356
6
    case Intrinsic::memset: {
357
5
      MemSetInst *MSI = cast<MemSetInst>(&I);
358
5
      // TODO: If the size is known, use it.
359
5
      visitMemoryReference(I, MSI->getDest(), MemoryLocation::UnknownSize,
360
5
                           MSI->getDestAlignment(), nullptr, MemRef::Write);
361
5
      break;
362
6
    }
363
6
364
6
    case Intrinsic::vastart:
365
1
      Assert(I.getParent()->getParent()->isVarArg(),
366
1
             "Undefined behavior: va_start called in a non-varargs function",
367
1
             &I);
368
1
369
1
      visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0,
370
0
                           nullptr, MemRef::Read | MemRef::Write);
371
0
      break;
372
1
    case Intrinsic::vacopy:
373
0
      visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0,
374
0
                           nullptr, MemRef::Write);
375
0
      visitMemoryReference(I, CS.getArgument(1), MemoryLocation::UnknownSize, 0,
376
0
                           nullptr, MemRef::Read);
377
0
      break;
378
1
    case Intrinsic::vaend:
379
0
      visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0,
380
0
                           nullptr, MemRef::Read | MemRef::Write);
381
0
      break;
382
1
383
1
    case Intrinsic::stackrestore:
384
1
      // Stackrestore doesn't read or write memory, but it sets the
385
1
      // stack pointer, which the compiler may read from or write to
386
1
      // at any time, so check it for both readability and writeability.
387
1
      visitMemoryReference(I, CS.getArgument(0), MemoryLocation::UnknownSize, 0,
388
1
                           nullptr, MemRef::Read | MemRef::Write);
389
1
      break;
390
28
    }
391
45
}
392
393
50
void Lint::visitCallInst(CallInst &I) {
394
50
  return visitCallSite(&I);
395
50
}
396
397
6
void Lint::visitInvokeInst(InvokeInst &I) {
398
6
  return visitCallSite(&I);
399
6
}
400
401
38
void Lint::visitReturnInst(ReturnInst &I) {
402
38
  Function *F = I.getParent()->getParent();
403
38
  Assert(!F->doesNotReturn(),
404
38
         "Unusual: Return statement in function with noreturn attribute", &I);
405
38
406
38
  
if (Value *37
V37
= I.getReturnValue()) {
407
18
    Value *Obj = findValue(V, /*OffsetOk=*/true);
408
18
    Assert(!isa<AllocaInst>(Obj), "Unusual: Returning alloca value", &I);
409
18
  }
410
37
}
411
412
// TODO: Check that the reference is in bounds.
413
// TODO: Check readnone/readonly function attributes.
414
void Lint::visitMemoryReference(Instruction &I,
415
                                Value *Ptr, uint64_t Size, unsigned Align,
416
106
                                Type *Ty, unsigned Flags) {
417
106
  // If no memory is being referenced, it doesn't matter if the pointer
418
106
  // is valid.
419
106
  if (Size == 0)
420
0
    return;
421
106
422
106
  Value *UnderlyingObject = findValue(Ptr, /*OffsetOk=*/true);
423
106
  Assert(!isa<ConstantPointerNull>(UnderlyingObject),
424
106
         "Undefined behavior: Null pointer dereference", &I);
425
106
  
Assert101
(!isa<UndefValue>(UnderlyingObject),
426
101
         "Undefined behavior: Undef pointer dereference", &I);
427
101
  
Assert98
(!isa<ConstantInt>(UnderlyingObject) ||
428
98
             !cast<ConstantInt>(UnderlyingObject)->isMinusOne(),
429
98
         "Unusual: All-ones pointer dereference", &I);
430
98
  
Assert97
(!isa<ConstantInt>(UnderlyingObject) ||
431
97
             !cast<ConstantInt>(UnderlyingObject)->isOne(),
432
97
         "Unusual: Address one pointer dereference", &I);
433
97
434
97
  
if (96
Flags & MemRef::Write96
) {
435
26
    if (const GlobalVariable *GV = dyn_cast<GlobalVariable>(UnderlyingObject))
436
26
      
Assert3
(!GV->isConstant(), "Undefined behavior: Write to read-only memory",
437
26
             &I);
438
26
    
Assert24
(!isa<Function>(UnderlyingObject) &&
439
24
               !isa<BlockAddress>(UnderlyingObject),
440
24
           "Undefined behavior: Write to text section", &I);
441
24
  }
442
96
  
if (93
Flags & MemRef::Read93
) {
443
14
    Assert(!isa<Function>(UnderlyingObject), "Unusual: Load from function body",
444
14
           &I);
445
14
    Assert(!isa<BlockAddress>(UnderlyingObject),
446
14
           "Undefined behavior: Load from block address", &I);
447
14
  }
448
93
  
if (92
Flags & MemRef::Callee92
) {
449
56
    Assert(!isa<BlockAddress>(UnderlyingObject),
450
56
           "Undefined behavior: Call to block address", &I);
451
56
  }
452
92
  
if (91
Flags & MemRef::Branchee91
) {
453
1
    Assert(!isa<Constant>(UnderlyingObject) ||
454
1
               isa<BlockAddress>(UnderlyingObject),
455
1
           "Undefined behavior: Branch to non-blockaddress", &I);
456
1
  }
457
91
458
91
  // Check for buffer overflows and misalignment.
459
91
  // Only handles memory references that read/write something simple like an
460
91
  // alloca instruction or a global variable.
461
91
  int64_t Offset = 0;
462
90
  if (Value *Base = GetPointerBaseWithConstantOffset(Ptr, Offset, *DL)) {
463
90
    // OK, so the access is to a constant offset from Ptr.  Check that Ptr is
464
90
    // something we can handle and if so extract the size of this base object
465
90
    // along with its alignment.
466
90
    uint64_t BaseSize = MemoryLocation::UnknownSize;
467
90
    unsigned BaseAlign = 0;
468
90
469
90
    if (AllocaInst *AI = dyn_cast<AllocaInst>(Base)) {
470
33
      Type *ATy = AI->getAllocatedType();
471
33
      if (!AI->isArrayAllocation() && ATy->isSized())
472
33
        BaseSize = DL->getTypeAllocSize(ATy);
473
33
      BaseAlign = AI->getAlignment();
474
33
      if (BaseAlign == 0 && 
ATy->isSized()8
)
475
8
        BaseAlign = DL->getABITypeAlignment(ATy);
476
57
    } else if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Base)) {
477
2
      // If the global may be defined differently in another compilation unit
478
2
      // then don't warn about funky memory accesses.
479
2
      if (GV->hasDefinitiveInitializer()) {
480
1
        Type *GTy = GV->getValueType();
481
1
        if (GTy->isSized())
482
1
          BaseSize = DL->getTypeAllocSize(GTy);
483
1
        BaseAlign = GV->getAlignment();
484
1
        if (BaseAlign == 0 && GTy->isSized())
485
1
          BaseAlign = DL->getABITypeAlignment(GTy);
486
1
      }
487
2
    }
488
90
489
90
    // Accesses from before the start or after the end of the object are not
490
90
    // defined.
491
90
    Assert(Size == MemoryLocation::UnknownSize ||
492
90
               BaseSize == MemoryLocation::UnknownSize ||
493
90
               (Offset >= 0 && Offset + Size <= BaseSize),
494
90
           "Undefined behavior: Buffer overflow", &I);
495
90
496
90
    // Accesses that say that the memory is more aligned than it is are not
497
90
    // defined.
498
90
    
if (87
Align == 087
&&
Ty61
&&
Ty->isSized()3
)
499
3
      Align = DL->getABITypeAlignment(Ty);
500
87
    Assert(!BaseAlign || Align <= MinAlign(BaseAlign, Offset),
501
87
           "Undefined behavior: Memory reference address is misaligned", &I);
502
87
  }
503
90
}
504
505
5
void Lint::visitLoadInst(LoadInst &I) {
506
5
  visitMemoryReference(I, I.getPointerOperand(),
507
5
                       DL->getTypeStoreSize(I.getType()), I.getAlignment(),
508
5
                       I.getType(), MemRef::Read);
509
5
}
510
511
13
void Lint::visitStoreInst(StoreInst &I) {
512
13
  visitMemoryReference(I, I.getPointerOperand(),
513
13
                       DL->getTypeStoreSize(I.getOperand(0)->getType()),
514
13
                       I.getAlignment(),
515
13
                       I.getOperand(0)->getType(), MemRef::Write);
516
13
}
517
518
1
void Lint::visitXor(BinaryOperator &I) {
519
1
  Assert(!isa<UndefValue>(I.getOperand(0)) || !isa<UndefValue>(I.getOperand(1)),
520
1
         "Undefined result: xor(undef, undef)", &I);
521
1
}
522
523
1
void Lint::visitSub(BinaryOperator &I) {
524
1
  Assert(!isa<UndefValue>(I.getOperand(0)) || !isa<UndefValue>(I.getOperand(1)),
525
1
         "Undefined result: sub(undef, undef)", &I);
526
1
}
527
528
1
void Lint::visitLShr(BinaryOperator &I) {
529
1
  if (ConstantInt *CI = dyn_cast<ConstantInt>(findValue(I.getOperand(1),
530
1
                                                        /*OffsetOk=*/false)))
531
1
    Assert(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()),
532
1
           "Undefined result: Shift count out of range", &I);
533
1
}
534
535
1
void Lint::visitAShr(BinaryOperator &I) {
536
1
  if (ConstantInt *CI =
537
1
          dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false)))
538
1
    Assert(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()),
539
1
           "Undefined result: Shift count out of range", &I);
540
1
}
541
542
1
void Lint::visitShl(BinaryOperator &I) {
543
1
  if (ConstantInt *CI =
544
1
          dyn_cast<ConstantInt>(findValue(I.getOperand(1), /*OffsetOk=*/false)))
545
1
    Assert(CI->getValue().ult(cast<IntegerType>(I.getType())->getBitWidth()),
546
1
           "Undefined result: Shift count out of range", &I);
547
1
}
548
549
static bool isZero(Value *V, const DataLayout &DL, DominatorTree *DT,
550
16
                   AssumptionCache *AC) {
551
16
  // Assume undef could be zero.
552
16
  if (isa<UndefValue>(V))
553
1
    return true;
554
15
555
15
  VectorType *VecTy = dyn_cast<VectorType>(V->getType());
556
15
  if (!VecTy) {
557
6
    KnownBits Known = computeKnownBits(V, DL, 0, AC, dyn_cast<Instruction>(V), DT);
558
6
    return Known.isZero();
559
6
  }
560
9
561
9
  // Per-component check doesn't work with zeroinitializer
562
9
  Constant *C = dyn_cast<Constant>(V);
563
9
  if (!C)
564
0
    return false;
565
9
566
9
  if (C->isZeroValue())
567
1
    return true;
568
8
569
8
  // For a vector, KnownZero will only be true if all values are zero, so check
570
8
  // this per component
571
18
  
for (unsigned I = 0, N = VecTy->getNumElements(); 8
I != N;
++I10
) {
572
14
    Constant *Elem = C->getAggregateElement(I);
573
14
    if (isa<UndefValue>(Elem))
574
2
      return true;
575
12
576
12
    KnownBits Known = computeKnownBits(Elem, DL);
577
12
    if (Known.isZero())
578
2
      return true;
579
12
  }
580
8
581
8
  
return false4
;
582
8
}
583
584
10
void Lint::visitSDiv(BinaryOperator &I) {
585
10
  Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC),
586
10
         "Undefined behavior: Division by zero", &I);
587
10
}
588
589
2
void Lint::visitUDiv(BinaryOperator &I) {
590
2
  Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC),
591
2
         "Undefined behavior: Division by zero", &I);
592
2
}
593
594
2
void Lint::visitSRem(BinaryOperator &I) {
595
2
  Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC),
596
2
         "Undefined behavior: Division by zero", &I);
597
2
}
598
599
2
void Lint::visitURem(BinaryOperator &I) {
600
2
  Assert(!isZero(I.getOperand(1), I.getModule()->getDataLayout(), DT, AC),
601
2
         "Undefined behavior: Division by zero", &I);
602
2
}
603
604
18
void Lint::visitAllocaInst(AllocaInst &I) {
605
18
  if (isa<ConstantInt>(I.getArraySize()))
606
18
    // This isn't undefined behavior, it's just an obvious pessimization.
607
18
    
Assert17
(&I.getParent()->getParent()->getEntryBlock() == I.getParent(),
608
18
           "Pessimization: Static alloca outside of entry block", &I);
609
18
610
18
  // TODO: Check for an unusual size (MSB set?)
611
18
}
612
613
0
void Lint::visitVAArgInst(VAArgInst &I) {
614
0
  visitMemoryReference(I, I.getOperand(0), MemoryLocation::UnknownSize, 0,
615
0
                       nullptr, MemRef::Read | MemRef::Write);
616
0
}
617
618
2
void Lint::visitIndirectBrInst(IndirectBrInst &I) {
619
2
  visitMemoryReference(I, I.getAddress(), MemoryLocation::UnknownSize, 0,
620
2
                       nullptr, MemRef::Branchee);
621
2
622
2
  Assert(I.getNumDestinations() != 0,
623
2
         "Undefined behavior: indirectbr with no destinations", &I);
624
2
}
625
626
1
void Lint::visitExtractElementInst(ExtractElementInst &I) {
627
1
  if (ConstantInt *CI = dyn_cast<ConstantInt>(findValue(I.getIndexOperand(),
628
1
                                                        /*OffsetOk=*/false)))
629
1
    Assert(CI->getValue().ult(I.getVectorOperandType()->getNumElements()),
630
1
           "Undefined result: extractelement index out of range", &I);
631
1
}
632
633
1
void Lint::visitInsertElementInst(InsertElementInst &I) {
634
1
  if (ConstantInt *CI = dyn_cast<ConstantInt>(findValue(I.getOperand(2),
635
1
                                                        /*OffsetOk=*/false)))
636
1
    Assert(CI->getValue().ult(I.getType()->getNumElements()),
637
1
           "Undefined result: insertelement index out of range", &I);
638
1
}
639
640
3
void Lint::visitUnreachableInst(UnreachableInst &I) {
641
3
  // This isn't undefined behavior, it's merely suspicious.
642
3
  Assert(&I == &I.getParent()->front() ||
643
3
             std::prev(I.getIterator())->mayHaveSideEffects(),
644
3
         "Unusual: unreachable immediately preceded by instruction without "
645
3
         "side effects",
646
3
         &I);
647
3
}
648
649
/// findValue - Look through bitcasts and simple memory reference patterns
650
/// to identify an equivalent, but more informative, value.  If OffsetOk
651
/// is true, look through getelementptrs with non-zero offsets too.
652
///
653
/// Most analysis passes don't require this logic, because instcombine
654
/// will simplify most of these kinds of things away. But it's a goal of
655
/// this Lint pass to be useful even on non-optimized IR.
656
194
Value *Lint::findValue(Value *V, bool OffsetOk) const {
657
194
  SmallPtrSet<Value *, 4> Visited;
658
194
  return findValueImpl(V, OffsetOk, Visited);
659
194
}
660
661
/// findValueImpl - Implementation helper for findValue.
662
Value *Lint::findValueImpl(Value *V, bool OffsetOk,
663
212
                           SmallPtrSetImpl<Value *> &Visited) const {
664
212
  // Detect self-referential values.
665
212
  if (!Visited.insert(V).second)
666
1
    return UndefValue::get(V->getType());
667
211
668
211
  // TODO: Look through sext or zext cast, when the result is known to
669
211
  // be interpreted as signed or unsigned, respectively.
670
211
  // TODO: Look through eliminable cast pairs.
671
211
  // TODO: Look through calls with unique return values.
672
211
  // TODO: Look through vector insert/extract/shuffle.
673
211
  V = OffsetOk ? 
GetUnderlyingObject(V, *DL)143
:
V->stripPointerCasts()68
;
674
211
  if (LoadInst *L = dyn_cast<LoadInst>(V)) {
675
1
    BasicBlock::iterator BBI = L->getIterator();
676
1
    BasicBlock *BB = L->getParent();
677
1
    SmallPtrSet<BasicBlock *, 4> VisitedBlocks;
678
2
    for (;;) {
679
2
      if (!VisitedBlocks.insert(BB).second)
680
0
        break;
681
2
      if (Value *U =
682
1
          FindAvailableLoadedValue(L, BB, BBI, DefMaxInstsToScan, AA))
683
1
        return findValueImpl(U, OffsetOk, Visited);
684
1
      if (BBI != BB->begin()) 
break0
;
685
1
      BB = BB->getUniquePredecessor();
686
1
      if (!BB) 
break0
;
687
1
      BBI = BB->end();
688
1
    }
689
210
  } else if (PHINode *PN = dyn_cast<PHINode>(V)) {
690
1
    if (Value *W = PN->hasConstantValue())
691
1
      if (W != V)
692
1
        return findValueImpl(W, OffsetOk, Visited);
693
209
  } else if (CastInst *CI = dyn_cast<CastInst>(V)) {
694
7
    if (CI->isNoopCast(*DL))
695
3
      return findValueImpl(CI->getOperand(0), OffsetOk, Visited);
696
202
  } else if (ExtractValueInst *Ex = dyn_cast<ExtractValueInst>(V)) {
697
0
    if (Value *W = FindInsertedValue(Ex->getAggregateOperand(),
698
0
                                     Ex->getIndices()))
699
0
      if (W != V)
700
0
        return findValueImpl(W, OffsetOk, Visited);
701
202
  } else if (ConstantExpr *CE = dyn_cast<ConstantExpr>(V)) {
702
7
    // Same as above, but for ConstantExpr instead of Instruction.
703
7
    if (Instruction::isCast(CE->getOpcode())) {
704
7
      if (CastInst::isNoopCast(Instruction::CastOps(CE->getOpcode()),
705
7
                               CE->getOperand(0)->getType(), CE->getType(),
706
7
                               *DL))
707
4
        return findValueImpl(CE->getOperand(0), OffsetOk, Visited);
708
0
    } else if (CE->getOpcode() == Instruction::ExtractValue) {
709
0
      ArrayRef<unsigned> Indices = CE->getIndices();
710
0
      if (Value *W = FindInsertedValue(CE->getOperand(0), Indices))
711
0
        if (W != V)
712
0
          return findValueImpl(W, OffsetOk, Visited);
713
202
    }
714
7
  }
715
202
716
202
  // As a last resort, try SimplifyInstruction or constant folding.
717
202
  if (Instruction *Inst = dyn_cast<Instruction>(V)) {
718
54
    if (Value *W = SimplifyInstruction(Inst, {*DL, TLI, DT, AC}))
719
9
      return findValueImpl(W, OffsetOk, Visited);
720
148
  } else if (auto *C = dyn_cast<Constant>(V)) {
721
148
    if (Value *W = ConstantFoldConstant(C, *DL, TLI))
722
3
      if (W && W != V)
723
0
        return findValueImpl(W, OffsetOk, Visited);
724
193
  }
725
193
726
193
  return V;
727
193
}
728
729
//===----------------------------------------------------------------------===//
730
//  Implement the public interfaces to this file...
731
//===----------------------------------------------------------------------===//
732
733
0
FunctionPass *llvm::createLintPass() {
734
0
  return new Lint();
735
0
}
736
737
/// lintFunction - Check a function for errors, printing messages on stderr.
738
///
739
0
void llvm::lintFunction(const Function &f) {
740
0
  Function &F = const_cast<Function&>(f);
741
0
  assert(!F.isDeclaration() && "Cannot lint external functions");
742
0
743
0
  legacy::FunctionPassManager FPM(F.getParent());
744
0
  Lint *V = new Lint();
745
0
  FPM.add(V);
746
0
  FPM.run(F);
747
0
}
748
749
/// lintModule - Check a module for errors, printing messages on stderr.
750
///
751
0
void llvm::lintModule(const Module &M) {
752
0
  legacy::PassManager PM;
753
0
  Lint *V = new Lint();
754
0
  PM.add(V);
755
0
  PM.run(const_cast<Module&>(M));
756
0
}