1//===--- CaptureTracking.cpp - Determine whether a pointer is captured ----===// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 7//===----------------------------------------------------------------------===// 9// This file contains routines that help determine which pointers are captured. 10// A pointer value is captured if the function makes a copy of any part of the 11// pointer that outlives the call. Not being captured means, more or less, that 12// the pointer is only dereferenced and not stored in a global. Returning part 13// of the pointer as the function return value may or may not count as capturing 14// the pointer, depending on the context. 16//===----------------------------------------------------------------------===// 33#define DEBUG_TYPE "capture-tracking" 35STATISTIC(NumCaptured,
"Number of pointers maybe captured");
36STATISTIC(NumNotCaptured,
"Number of pointers not captured");
37STATISTIC(NumCapturedBefore,
"Number of pointers maybe captured before");
38STATISTIC(NumNotCapturedBefore,
"Number of pointers not captured before");
40/// The default value for MaxUsesToExplore argument. It's relatively small to 41/// keep the cost of analysis reasonable for clients like BasicAliasAnalysis, 42/// where the results can't be cached. 43/// TODO: we should probably introduce a caching CaptureTracking analysis and 44/// use it where possible. The caching version can use much higher limit or 45/// don't have this cap at all. 48cl::desc(
"Maximal number of uses to explore."),
60// We want comparisons to null pointers to not be considered capturing, 61// but need to guard against cases like gep(p, -ptrtoint(p2)) == null, 62// which are equivalent to p == p2 and would capture the pointer. 64// A dereferenceable pointer is a case where this is known to be safe, 65// because the pointer resulting from such a construction would not be 68// It is not sufficient to check for inbounds GEP here, because GEP with 69// zero offset is always inbounds. 70bool CanBeNull, CanBeFreed;
71return O->getPointerDereferenceableBytes(
DL, CanBeNull, CanBeFreed);
76explicit SimpleCaptureTracker(
bool ReturnCaptures)
77 : ReturnCaptures(ReturnCaptures) {}
79void tooManyUses()
override{
84bool captured(
constUse *U)
override{
85if (isa<ReturnInst>(
U->getUser()) && !ReturnCaptures)
99/// Only find pointer captures which happen before the given instruction. Uses 100/// the dominator tree to determine whether one instruction is before another. 101/// Only support the case where the Value is defined in the same basic block 102/// as the given instruction and the use. 107 : BeforeHere(
I), DT(DT), ReturnCaptures(ReturnCaptures),
108 IncludeI(IncludeI), LI(LI) {}
110void tooManyUses()
override{ Captured =
true; }
116// We explore this usage only if the usage can reach "BeforeHere". 117// If use is not reachable from entry, there is no need to explore. 121// Check whether there is a path from I to BeforeHere. 125bool captured(
constUse *U)
override{
127if (isa<ReturnInst>(
I) && !ReturnCaptures)
130// Check isSafeToPrune() here rather than in shouldExplore() to avoid 131// an expensive reachability query for every instruction we look at. 132// Instead we only do one for actual capturing candidates. 151/// Find the 'earliest' instruction before which the pointer is known not to 152/// be captured. Here an instruction A is considered earlier than instruction 153/// B, if A dominates B. If 2 escapes do not dominate each other, the 154/// terminator of the common dominator is chosen. If not all uses cannot be 155/// analyzed, the earliest escape is set to the first instruction in the 156/// function entry block. 157// NOTE: Users have to make sure instructions compared against the earliest 158// escape are not in a cycle. 162 : DT(DT), ReturnCaptures(ReturnCaptures),
F(
F) {}
164void tooManyUses()
override{
166 EarliestCapture = &*
F.getEntryBlock().begin();
169bool captured(
constUse *U)
override{
171if (isa<ReturnInst>(
I) && !ReturnCaptures)
180// Return false to continue analysis; we need to see all potential 197/// PointerMayBeCaptured - Return true if this pointer value may be captured 198/// by the enclosing function (which is required to exist). This routine can 199/// be expensive, so consider caching the results. The boolean ReturnCaptures 200/// specifies whether returning the value (or part of it) from the function 201/// counts as capturing it or not. The boolean StoreCaptures specified whether 202/// storing the value (or part of it) into memory anywhere automatically 203/// counts as capturing it or not. 205bool StoreCaptures,
unsigned MaxUsesToExplore) {
206assert(!isa<GlobalValue>(V) &&
207"It doesn't make sense to ask whether a global is captured.");
209// TODO: If StoreCaptures is not true, we could do Fancy analysis 210// to determine whether this store is not actually an escape point. 211// In that case, BasicAliasAnalysis should be updated as well to 212// take advantage of this. 217 SimpleCaptureTracker SCT(ReturnCaptures);
228/// PointerMayBeCapturedBefore - Return true if this pointer value may be 229/// captured by the enclosing function (which is required to exist). If a 230/// DominatorTree is provided, only captures which happen before the given 231/// instruction are considered. This routine can be expensive, so consider 232/// caching the results. The boolean ReturnCaptures specifies whether 233/// returning the value (or part of it) from the function counts as capturing 234/// it or not. The boolean StoreCaptures specified whether storing the value 235/// (or part of it) into memory anywhere automatically counts as capturing it 240unsigned MaxUsesToExplore,
242assert(!isa<GlobalValue>(V) &&
243"It doesn't make sense to ask whether a global is captured.");
249// TODO: See comment in PointerMayBeCaptured regarding what could be done 250// with StoreCaptures. 252 CapturesBefore CB(ReturnCaptures,
I, DT, IncludeI, LI);
257 ++NumNotCapturedBefore;
262bool ReturnCaptures,
bool StoreCaptures,
264unsigned MaxUsesToExplore) {
265assert(!isa<GlobalValue>(V) &&
266"It doesn't make sense to ask whether a global is captured.");
268 EarliestCaptures CB(ReturnCaptures,
F, DT);
273 ++NumNotCapturedBefore;
274return CB.EarliestCapture;
282// TODO: Investigate non-instruction uses. 286switch (
I->getOpcode()) {
287case Instruction::Call:
288case Instruction::Invoke: {
289auto *Call = cast<CallBase>(
I);
290// Not captured if the callee is readonly, doesn't return a copy through 291// its return value and doesn't unwind (a readonly function can leak bits 292// by throwing an exception or not depending on the input value). 293if (Call->onlyReadsMemory() && Call->doesNotThrow() &&
294 Call->getType()->isVoidTy())
297// The pointer is not captured if returned pointer is not captured. 298// NOTE: CaptureTracking users should not assume that only functions 299// marked with nocapture do not capture. This means that places like 300// getUnderlyingObject in ValueTracking or DecomposeGEPExpression 301// in BasicAA also need to know about this property. 305// Volatile operations effectively capture the memory location that they 307if (
auto *
MI = dyn_cast<MemIntrinsic>(Call))
311// Calling a function pointer does not in itself cause the pointer to 312// be captured. This is a subtle point considering that (for example) 313// the callee might return its own address. It is analogous to saying 314// that loading a value from a pointer does not cause the pointer to be 315// captured, even though the loaded value might be the pointer itself 316// (think of self-referential objects). 317if (Call->isCallee(&U))
320// Not captured if only passed via 'nocapture' arguments. 321if (Call->isDataOperand(&U) &&
322 !Call->doesNotCapture(Call->getDataOperandNo(&U))) {
323// The parameter is not marked 'nocapture' - captured. 328case Instruction::Load:
329// Volatile loads make the address observable. 330if (cast<LoadInst>(
I)->isVolatile())
333case Instruction::VAArg:
334// "va-arg" from a pointer does not cause it to be captured. 336case Instruction::Store:
337// Stored the pointer - conservatively assume it may be captured. 338// Volatile stores make the address observable. 339if (U.getOperandNo() == 0 || cast<StoreInst>(
I)->isVolatile())
342case Instruction::AtomicRMW: {
343// atomicrmw conceptually includes both a load and store from 345// As with a store, the location being accessed is not captured, 346// but the value being stored is. 347// Volatile stores make the address observable. 348auto *ARMWI = cast<AtomicRMWInst>(
I);
349if (U.getOperandNo() == 1 || ARMWI->isVolatile())
353case Instruction::AtomicCmpXchg: {
354// cmpxchg conceptually includes both a load and store from 356// As with a store, the location being accessed is not captured, 357// but the value being stored is. 358// Volatile stores make the address observable. 359auto *ACXI = cast<AtomicCmpXchgInst>(
I);
360if (U.getOperandNo() == 1 || U.getOperandNo() == 2 || ACXI->isVolatile())
364case Instruction::GetElementPtr:
365// AA does not support pointers of vectors, so GEP vector splats need to 366// be considered as captures. 367if (
I->getType()->isVectorTy())
370case Instruction::BitCast:
371case Instruction::PHI:
372case Instruction::Select:
373case Instruction::AddrSpaceCast:
374// The original value is not captured via this if the new value isn't. 376case Instruction::ICmp: {
377unsignedIdx = U.getOperandNo();
378unsigned OtherIdx = 1 -
Idx;
379if (
auto *CPN = dyn_cast<ConstantPointerNull>(
I->getOperand(OtherIdx))) {
380// Don't count comparisons of a no-alias return value against null as 381// captures. This allows us to ignore comparisons of malloc results 382// with null, for example. 383if (CPN->getType()->getAddressSpace() == 0)
386if (!
I->getFunction()->nullPointerIsDefined()) {
387auto *O =
I->getOperand(
Idx)->stripPointerCastsSameRepresentation();
388// Comparing a dereferenceable_or_null pointer against null cannot 389// lead to pointer escapes, because if it is not null it must be a 390// valid (in-bounds) pointer. 392if (IsDereferenceableOrNull && IsDereferenceableOrNull(O,
DL))
397// Otherwise, be conservative. There are crazy ways to capture pointers 402// Something else - be conservative and say it is captured. 408unsigned MaxUsesToExplore) {
409assert(V->getType()->isPointerTy() &&
"Capture is for pointers only!");
410if (MaxUsesToExplore == 0)
417auto AddUses = [&](
constValue *V) {
418for (
constUse &U : V->uses()) {
419// If there are lots of uses, conservatively say that the value 420// is captured to avoid taking too much compile time. 421if (Visited.
size() >= MaxUsesToExplore) {
425if (!Visited.
insert(&U).second)
439while (!Worklist.
empty()) {
449if (!AddUses(U->getUser()))
461if (IsCapturedCache) {
463 std::tie(CacheIt, Inserted) = IsCapturedCache->
insert({V,
false});
465// Found cached result, return it! 466return CacheIt->second;
469// If this is an identified function-local object, check to see if it escapes. 471// Set StoreCaptures to True so that we can assume in our callers that the 472// pointer is not the result of a load instruction. Currently 473// PointerMayBeCaptured doesn't have any special analysis for the 474// StoreCaptures=false case; if it did, our callers could be refined to be 478 CacheIt->second = Ret;
MachineBasicBlock MachineBasicBlock::iterator DebugLoc DL
static cl::opt< unsigned > DefaultMaxUsesToExplore("capture-tracking-max-uses-to-explore", cl::Hidden, cl::desc("Maximal number of uses to explore."), cl::init(100))
The default value for MaxUsesToExplore argument.
This file contains the declarations for the subclasses of Constant, which represent the different fla...
Returns the sub type a function will return at a given Idx Should correspond to the result type of an ExtractValue instruction executed with just that one unsigned Idx
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
This file defines the SmallSet class.
This file defines the SmallVector class.
This file defines the 'Statistic' class, which is designed to be an easy way to expose various metric...
#define STATISTIC(VARNAME, DESC)
A parsed version of the target data layout string in and methods for querying it.
std::pair< iterator, bool > insert(const std::pair< KeyT, ValueT > &KV)
Concrete subclass of DominatorTreeBase that is used to compute a normal dominator tree.
bool isReachableFromEntry(const Use &U) const
Provide an overload for a Use.
Instruction * findNearestCommonDominator(Instruction *I1, Instruction *I2) const
Find the nearest instruction I that dominates both I1 and I2, in the sense that a result produced bef...
SmallSet - This maintains a set of unique values, optimizing for the case when the set is small (less...
std::pair< const_iterator, bool > insert(const T &V)
insert - Insert an element into the set if it isn't already there.
void reserve(size_type N)
void push_back(const T &Elt)
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
A Use represents the edge between a Value definition and its users.
LLVM Value Representation.
An efficient, type-erasing, non-owning reference to a callable.
initializer< Ty > init(const Ty &Val)
This is an optimization pass for GlobalISel generic memory operations.
UseCaptureKind DetermineUseCaptureKind(const Use &U, llvm::function_ref< bool(Value *, const DataLayout &)> IsDereferenceableOrNull)
Determine what kind of capture behaviour U may exhibit.
bool PointerMayBeCapturedBefore(const Value *V, bool ReturnCaptures, bool StoreCaptures, const Instruction *I, const DominatorTree *DT, bool IncludeI=false, unsigned MaxUsesToExplore=0, const LoopInfo *LI=nullptr)
PointerMayBeCapturedBefore - Return true if this pointer value may be captured by the enclosing funct...
bool isNoAliasCall(const Value *V)
Return true if this pointer is returned by a noalias function.
bool isNonEscapingLocalObject(const Value *V, SmallDenseMap< const Value *, bool, 8 > *IsCapturedCache=nullptr)
Returns true if the pointer is to a function-local object that never escapes from the function.
unsigned getDefaultMaxUsesToExploreForCaptureTracking()
getDefaultMaxUsesToExploreForCaptureTracking - Return default value of the maximal number of uses to ...
bool isIntrinsicReturningPointerAliasingArgumentWithoutCapturing(const CallBase *Call, bool MustPreserveNullness)
{launder,strip}.invariant.group returns pointer that aliases its argument, and it only captures point...
bool PointerMayBeCaptured(const Value *V, bool ReturnCaptures, bool StoreCaptures, unsigned MaxUsesToExplore=0)
PointerMayBeCaptured - Return true if this pointer value may be captured by the enclosing function (w...
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Instruction * FindEarliestCapture(const Value *V, Function &F, bool ReturnCaptures, bool StoreCaptures, const DominatorTree &DT, unsigned MaxUsesToExplore=0)
bool isIdentifiedFunctionLocal(const Value *V)
Return true if V is umabigously identified at the function-level.
UseCaptureKind
Types of use capture kinds, see DetermineUseCaptureKind.
bool isPotentiallyReachable(const Instruction *From, const Instruction *To, const SmallPtrSetImpl< BasicBlock * > *ExclusionSet=nullptr, const DominatorTree *DT=nullptr, const LoopInfo *LI=nullptr)
Determine whether instruction 'To' is reachable from 'From', without passing through any blocks in Ex...
This callback is used in conjunction with PointerMayBeCaptured.
virtual bool shouldExplore(const Use *U)
shouldExplore - This is the use of a value derived from the pointer.
virtual bool isDereferenceableOrNull(Value *O, const DataLayout &DL)
isDereferenceableOrNull - Overload to allow clients with additional knowledge about pointer dereferen...
virtual void tooManyUses()=0
tooManyUses - The depth of traversal has breached a limit.
virtual ~CaptureTracker()
virtual bool captured(const Use *U)=0
captured - Information about the pointer was captured by the user of use U.
