| Sanjoy Das | c63244d | 2015-06-15 18:44:08 +0000 | [diff] [blame] | 1 | ============================== |
| 2 | FaultMaps and implicit checks |
| 3 | ============================== |
| 4 | |
| 5 | .. contents:: |
| 6 | :local: |
| 7 | :depth: 2 |
| 8 | |
| 9 | Motivation |
| 10 | ========== |
| 11 | |
| 12 | Code generated by managed language runtimes tend to have checks that |
| 13 | are required for safety but never fail in practice. In such cases, it |
| 14 | is profitable to make the non-failing case cheaper even if it makes |
| 15 | the failing case significantly more expensive. This asymmetry can be |
| 16 | exploited by folding such safety checks into operations that can be |
| 17 | made to fault reliably if the check would have failed, and recovering |
| 18 | from such a fault by using a signal handler. |
| 19 | |
| 20 | For example, Java requires null checks on objects before they are read |
| 21 | from or written to. If the object is ``null`` then a |
| 22 | ``NullPointerException`` has to be thrown, interrupting normal |
| 23 | execution. In practice, however, dereferencing a ``null`` pointer is |
| 24 | extremely rare in well-behaved Java programs, and typically the null |
| 25 | check can be folded into a nearby memory operation that operates on |
| 26 | the same memory location. |
| 27 | |
| 28 | The Fault Map Section |
| 29 | ===================== |
| 30 | |
| 31 | Information about implicit checks generated by LLVM are put in a |
| 32 | special "fault map" section. On Darwin this section is named |
| 33 | ``__llvm_faultmaps``. |
| 34 | |
| 35 | The format of this section is |
| 36 | |
| 37 | .. code-block:: none |
| 38 | |
| 39 | Header { |
| 40 | uint8 : Fault Map Version (current version is 1) |
| 41 | uint8 : Reserved (expected to be 0) |
| 42 | uint16 : Reserved (expected to be 0) |
| 43 | } |
| 44 | uint32 : NumFunctions |
| 45 | FunctionInfo[NumFunctions] { |
| 46 | uint64 : FunctionAddress |
| 47 | uint32 : NumFaultingPCs |
| 48 | uint32 : Reserved (expected to be 0) |
| 49 | FunctionFaultInfo[NumFaultingPCs] { |
| Sanjoy Das | baeb678 | 2015-06-15 19:29:44 +0000 | [diff] [blame] | 50 | uint32 : FaultKind = FaultMaps::FaultingLoad (only legal value currently) |
| Sanjoy Das | c63244d | 2015-06-15 18:44:08 +0000 | [diff] [blame] | 51 | uint32 : FaultingPCOffset |
| Sanjoy Das | 7b136a2 | 2015-06-22 18:02:55 +0000 | [diff] [blame] | 52 | uint32 : HandlerPCOffset |
| Sanjoy Das | c63244d | 2015-06-15 18:44:08 +0000 | [diff] [blame] | 53 | } |
| 54 | } |
| Sanjoy Das | 3c7828e | 2015-06-29 22:00:30 +0000 | [diff] [blame^] | 55 | |
| 56 | |
| 57 | The ``ImplicitNullChecks`` pass |
| 58 | =============================== |
| 59 | |
| 60 | The ``ImplicitNullChecks`` pass transforms explicit control flow for |
| 61 | checking if a pointer is ``null``, like: |
| 62 | |
| 63 | .. code-block:: llvm |
| 64 | |
| 65 | %ptr = call i32* @get_ptr() |
| 66 | %ptr_is_null = icmp i32* %ptr, null |
| 67 | br i1 %ptr_is_null, label %is_null, label %not_null |
| 68 | |
| 69 | not_null: |
| 70 | %t = load i32, i32* %ptr |
| 71 | br label %do_something_with_t |
| 72 | |
| 73 | is_null: |
| 74 | call void @HFC() |
| 75 | unreachable |
| 76 | |
| 77 | to control flow implicit in the instruction loading or storing through |
| 78 | the pointer being null checked: |
| 79 | |
| 80 | .. code-block:: llvm |
| 81 | |
| 82 | %ptr = call i32* @get_ptr() |
| 83 | %t = load i32, i32* %ptr ;; handler-pc = label %is_null |
| 84 | br label %do_something_with_t |
| 85 | |
| 86 | is_null: |
| 87 | call void @HFC() |
| 88 | unreachable |
| 89 | |
| 90 | This transform happens at the ``MachineInstr`` level, not the LLVM IR |
| 91 | level (so the above example is only representative, not literal). The |
| 92 | ``ImplicitNullChecks`` pass runs during codegen, if |
| 93 | ``-enable-implicit-null-checks`` is passed to ``llc``. |
| 94 | |
| 95 | The ``ImplicitNullChecks`` pass adds entries to the |
| 96 | ``__llvm_faultmaps`` section described above as needed. |