Safely implement strict TBAA rules.

atrick · atrick · commit 3d5c4969a0b2 · 2015-11-20T09:59:56.000-08:00
This fixes type punning issues with unsafeBitCast.

The optimizer is still too aggressive with UnsafePointer. To fix that,
we first need an explicit API for circumventing type safety
(rdar://23406272).

I should be able to fix the following regressions by migrating the
stdlib away from unsafeBitCast to unsafeReferenceCast (~2 weeks).

Slowdowns:
|.Benchmark.................|..Before.|...After.|.Speedup|
|.ArrayInClass..............|...49.00.|...78.00.|.-37.2%.|
|.Sim2DArray................|..471.00.|..549.00.|.-14.2%.|
|.PrimeNum..................|.1876.00.|.1980.00.|..-5.3%.|

Speedups:
|.Benchmark.................|..Before.|...After.|.Speedup|
|.HeapSort..................|.2962.00.|.2663.00.|..11.2%.|
|.StdlibSort................|.2672.00.|.2537.00.|...5.3%.|
diff --git a/include/swift/SILAnalysis/AliasAnalysis.h b/include/swift/SILAnalysis/AliasAnalysis.h
@@ -157,10 +157,9 @@ class AliasAnalysis : public SILAnalysis {
 llvm::raw_ostream &operator<<(llvm::raw_ostream &OS,
                               AliasAnalysis::AliasResult R);
 
-/// Look at the origin/user ValueBase of V to see if any of them are
-/// TypedAccessOracle which enable one to ascertain via undefined behavior the
-/// "true" type of the instruction.
-SILType findTypedAccessType(SILValue V);
+/// If this value is an address that obeys strict TBAA, return the address type.
+/// Otherwise, return an empty type.
+SILType computeTBAAType(SILValue V);
 
 /// Check if V points to a let-variable.
 bool isLetPointer(SILValue V);
diff --git a/lib/SIL/SILValue.cpp b/lib/SIL/SILValue.cpp
@@ -98,8 +98,9 @@ SILValue SILValue::stripCasts() {
     V = stripSinglePredecessorArgs(V);
 
     auto K = V->getKind();
-    if (isRCIdentityPreservingCast(K) ||
-        K == ValueKind::UncheckedTrivialBitCastInst) {
+    if (isRCIdentityPreservingCast(K)
+        || K == ValueKind::UncheckedTrivialBitCastInst
+        || K == ValueKind::MarkDependenceInst) {
       V = cast<SILInstruction>(V.getDef())->getOperand(0);
       continue;
     }
diff --git a/lib/SIL/Verifier.cpp b/lib/SIL/Verifier.cpp
@@ -2759,6 +2759,26 @@ class SILVerifier : public SILVerifierBase<SILVerifier> {
                         return true;
                       }),
             "entry point argument types do not match function type");
+
+
+    // TBAA requirement for all address arguments.
+    require(std::equal(entry->bbarg_begin(), entry->bbarg_end(),
+                       ti->getParameters().begin(),
+                       [&](SILArgument *bbarg, SILParameterInfo paramInfo) {
+                         if (!bbarg->getType().isAddress())
+                           return true;
+                         switch (paramInfo.getConvention()) {
+                         default:
+                           return false;
+                         case ParameterConvention::Indirect_In:
+                         case ParameterConvention::Indirect_Inout:
+                         case ParameterConvention::Indirect_Out:
+                         case ParameterConvention::Indirect_In_Guaranteed:
+                           return true;
+                         }
+                       }),
+            "entry point address argument must have a nonaliasing calling "
+            "convention");
   }
 
   void verifyEpilogBlocks(SILFunction *F) {
diff --git a/lib/SILAnalysis/AliasAnalysis.cpp b/lib/SILAnalysis/AliasAnalysis.cpp
@@ -344,6 +344,83 @@ AliasAnalysis::aliasAddressProjection(SILValue V1, SILValue V2,
 //                                TBAA
 //===----------------------------------------------------------------------===//
 
+/// Is this an instruction that can act as a type "oracle" allowing typed access
+/// TBAA to know what the real types associated with the SILInstruction are.
+static bool isTypedAccessOracle(SILInstruction *I) {
+  switch (I->getKind()) {
+  case ValueKind::RefElementAddrInst:
+  case ValueKind::StructElementAddrInst:
+  case ValueKind::TupleElementAddrInst:
+  case ValueKind::UncheckedTakeEnumDataAddrInst:
+  case ValueKind::LoadInst:
+  case ValueKind::StoreInst:
+  case ValueKind::AllocStackInst:
+  case ValueKind::AllocBoxInst:
+  case ValueKind::DeallocStackInst:
+  case ValueKind::DeallocBoxInst:
+    return true;
+  default:
+    return false;
+  }
+}
+
+/// Return true if the given value is an instruction or block argument that is
+/// known to produce a nonaliasing address with respect to TBAA rules (i.e. the
+/// pointer is not type punned). The only way to produce an aliasing typed
+/// address is with pointer_to_address (via UnsafePointer) or
+/// unchecked_addr_cast (via Builtin.reinterpretCast). Consequently, if the
+/// given value is directly derived from a memory location, it cannot
+/// alias. Call arguments also cannot alias because they must follow @in, @out,
+/// @inout, or @in_guaranteed conventions.
+///
+/// FIXME: pointer_to_address should contain a flag that indicates whether the
+/// address is aliasing. Currently, we aggressively assume that
+/// pointer-to-address is never used for type punning, which is not yet
+/// clearly specified by our UnsafePointer API.
+static bool isAddressRootTBAASafe(SILValue V) {
+  if (auto *Arg = dyn_cast<SILArgument>(V))
+    return Arg->isFunctionArg();
+
+  switch (V->getKind()) {
+  default:
+    return false;
+  case ValueKind::AllocStackInst:
+  case ValueKind::AllocBoxInst:
+  case ValueKind::PointerToAddressInst:
+    return true;
+  }
+}
+
+/// Look at the origin/user ValueBase of V to see if any of them are
+/// TypedAccessOracle which enable one to ascertain via undefined behavior the
+/// "true" type of the instruction.
+static SILType findTypedAccessType(SILValue V) {
+  // First look at the origin of V and see if we have any instruction that is a
+  // typed oracle.
+  if (auto *I = dyn_cast<SILInstruction>(V))
+    if (isTypedAccessOracle(I))
+      return V.getType();
+
+  // Then look at any uses of V that potentially could act as a typed access
+  // oracle.
+  for (auto Use : V.getUses())
+    if (isTypedAccessOracle(Use->getUser()))
+      return V.getType();
+
+  // Otherwise return an empty SILType
+  return SILType();
+}
+
+SILType swift::computeTBAAType(SILValue V) {
+  if (isAddressRootTBAASafe(getUnderlyingObject(V)))
+    return findTypedAccessType(V);
+
+  // FIXME: add ref_element_addr check here. TBAA says that objects cannot be
+  // type punned.
+
+  return SILType();
+}
+
 static bool typedAccessTBAABuiltinTypesMayAlias(SILType LTy, SILType RTy,
                                                 SILModule &Mod) {
   assert(LTy != RTy && "LTy should have already been shown to not equal RTy to "
diff --git a/lib/SILAnalysis/MemoryBehavior.cpp b/lib/SILAnalysis/MemoryBehavior.cpp
@@ -20,50 +20,6 @@
 
 using namespace swift;
 
-//===----------------------------------------------------------------------===//
-//                               TBAA Utilities
-//===----------------------------------------------------------------------===//
-
-/// Is this an instruction that can act as a type "oracle" allowing typed access
-/// TBAA to know what the real types associated with the SILInstruction are.
-static bool isTypedAccessOracle(SILInstruction *I) {
-  switch (I->getKind()) {
-  case ValueKind::RefElementAddrInst:
-  case ValueKind::StructElementAddrInst:
-  case ValueKind::TupleElementAddrInst:
-  case ValueKind::UncheckedTakeEnumDataAddrInst:
-  case ValueKind::LoadInst:
-  case ValueKind::StoreInst:
-  case ValueKind::AllocStackInst:
-  case ValueKind::AllocBoxInst:
-  case ValueKind::DeallocStackInst:
-  case ValueKind::DeallocBoxInst:
-    return true;
-  default:
-    return false;
-  }
-}
-
-/// Look at the origin/user ValueBase of V to see if any of them are
-/// TypedAccessOracle which enable one to ascertain via undefined behavior the
-/// "true" type of the instruction.
-SILType swift::findTypedAccessType(SILValue V) {
-  // First look at the origin of V and see if we have any instruction that is a
-  // typed oracle.
-  if (auto *I = dyn_cast<SILInstruction>(V))
-    if (isTypedAccessOracle(I))
-      return V.getType();
-
-  // Then look at any uses of V that potentially could act as a typed access
-  // oracle.
-  for (auto Use : V.getUses())
-    if (isTypedAccessOracle(Use->getUser()))
-      return V.getType();
-
-  // Otherwise return an empty SILType
-  return SILType();
-}
-
 //===----------------------------------------------------------------------===//
 //                       Memory Behavior Implementation
 //===----------------------------------------------------------------------===//
@@ -96,9 +52,9 @@ class MemoryBehaviorVisitor
                         RetainObserveKind IgnoreRefCountIncs)
       : AA(AA), V(V), IgnoreRefCountIncrements(IgnoreRefCountIncs) {}
 
-  SILType getTypedAccessType() {
+  SILType getValueTBAAType() {
     if (!TypedAccessTy)
-      TypedAccessTy = findTypedAccessType(V);
+      TypedAccessTy = computeTBAAType(V);
     return *TypedAccessTy;
   }
 
@@ -190,8 +146,8 @@ class MemoryBehaviorVisitor
 } // end anonymous namespace
 
 MemBehavior MemoryBehaviorVisitor::visitLoadInst(LoadInst *LI) {
-  if (AA.isNoAlias(LI->getOperand(), V, LI->getOperand().getType(),
-                   getTypedAccessType())) {
+  if (AA.isNoAlias(LI->getOperand(), V, computeTBAAType(LI->getOperand()),
+                   getValueTBAAType())) {
     DEBUG(llvm::dbgs() << "  Load Operand does not alias inst. Returning "
                           "None.\n");
     return MemBehavior::None;
@@ -210,8 +166,8 @@ MemBehavior MemoryBehaviorVisitor::visitStoreInst(StoreInst *SI) {
 
   // If the store dest cannot alias the pointer in question, then the
   // specified value can not be modified by the store.
-  if (AA.isNoAlias(SI->getDest(), V, SI->getDest().getType(),
-                   getTypedAccessType())) {
+  if (AA.isNoAlias(SI->getDest(), V, computeTBAAType(SI->getDest()),
+                   getValueTBAAType())) {
     DEBUG(llvm::dbgs() << "  Store Dst does not alias inst. Returning "
                           "None.\n");
     return MemBehavior::None;
@@ -292,7 +248,7 @@ MemBehavior MemoryBehaviorVisitor::visitApplyInst(ApplyInst *AI) {
         SILValue Arg = AI->getArgument(Idx);
         // We only consider the argument effects if the argument aliases V.
         if (!Arg.getType().isAddress() ||
-            !AA.isNoAlias(Arg, V, Arg.getType(), getTypedAccessType())) {
+            !AA.isNoAlias(Arg, V, computeTBAAType(Arg), getValueTBAAType())) {
           Behavior = ArgBehavior;
         }
       }
diff --git a/lib/SILAnalysis/ValueTracking.cpp b/lib/SILAnalysis/ValueTracking.cpp
@@ -25,6 +25,7 @@ using namespace swift::PatternMatch;
 /// Strip off casts/indexing insts/address projections from V until there is
 /// nothing left to strip.
 /// FIXME: Maybe put this on SILValue?
+/// FIXME: Why don't we strip projections after stripping indexes?
 SILValue swift::getUnderlyingObject(SILValue V) {
   while (true) {
     SILValue V2 = V.stripCasts().stripAddressProjections().stripIndexingInsts();
diff --git a/lib/SILPasses/UtilityPasses/AADumper.cpp b/lib/SILPasses/UtilityPasses/AADumper.cpp
@@ -76,7 +76,7 @@ class SILAADumper : public SILFunctionTransform {
         auto V2 = Values[i2];
 
         auto Result =
-            AA->alias(V1, V2, findTypedAccessType(V1), findTypedAccessType(V2));
+            AA->alias(V1, V2, computeTBAAType(V1), computeTBAAType(V2));
 
         // Results should always be the same. But if they are different print it
         // out so we find the error. This should make our test results less
diff --git a/test/SILAnalysis/typed-access-tb-aa.sil b/test/SILAnalysis/typed-access-tb-aa.sil
@@ -33,10 +33,9 @@ sil @baz_init : $@convention(thin) (@thick baz.Type) -> @owned baz
 sil @goo_init : $@convention(thin) (@thick goo.Type) -> @owned goo 
 
 // CHECK-LABEL: no_parent_child_relation_reftype_tests
-
-// CHECK: PAIR #54.
-// CHECK: (0):   %4 = apply %2(%3) : $@convention(thin) (@thick boo.Type) -> @owned boo
-// CHECK: (0):   %8 = apply %6(%7) : $@convention(thin) (@thick baz.Type) -> @owned baz
+// CHECK: PAIR #13.
+// CHECK: (1):   %0 = alloc_stack $boo
+// CHECK: (1):   %1 = alloc_stack $baz
 // CHECK: NoAlias
 sil hidden @no_parent_child_relation_reftype_tests : $@convention(thin) () -> () {
 bb0:
@@ -900,3 +899,30 @@ sil @tuple_tests : $@convention(thin) () -> () {
   return %9999 : $()
 }
 
+// Check that TBAA fails when the root is unchecked_addr_cast or
+// pointer_to_address.
+//
+// CHECK-LABEL: @tbaa_dump
+// CHECK:      PAIR #2.
+// CHECK-NEXT: (0):   %0 = argument of bb0 : $*Builtin.Int64
+// CHECK-NEXT: (0):   %3 = unchecked_addr_cast %0 : $*Builtin.Int64 to $*Builtin.Int32
+// CHECK-NEXT: MayAlias
+// CHECK:      PAIR #5.
+// CHECK-NEXT: (0):   %0 = argument of bb0 : $*Builtin.Int64
+// CHECK-NEXT: (0):   %7 = pointer_to_address %6 : $Builtin.RawPointer to $*Builtin.Int32
+// FIXME: This should be MayAlias unless the pointer_to_address instruction
+//        comes with a "must not alias" flag.
+// CHECK-NEXT: NoAlias
+sil @tbaa_dump : $@convention(thin) (@in Builtin.Int64) -> Builtin.Int64 {
+bb0(%0 : $*Builtin.Int64):
+  %1 = integer_literal $Builtin.Int64, 42
+  store %1 to %0 : $*Builtin.Int64
+  %3 = unchecked_addr_cast %0 : $*Builtin.Int64 to $*Builtin.Int32
+  %4 = integer_literal $Builtin.Int32, 0
+  store %4 to %3 : $*Builtin.Int32
+  %6 = address_to_pointer %0 : $*Builtin.Int64 to $Builtin.RawPointer
+  %7 = pointer_to_address %6 : $Builtin.RawPointer to $*Builtin.Int32
+  store %4 to %7 : $*Builtin.Int32
+  %8 = load %0 : $*Builtin.Int64
+  return %8 : $Builtin.Int64
+}
