IR: New representation for CFI and virtual call optimization pass metadata.
The bitset metadata currently used in LLVM has a few problems:
1. It has the wrong name. The name "bitset" refers to an implementation
detail of one use of the metadata (i.e. its original use case, CFI).
This makes it harder to understand, as the name makes no sense in the
context of virtual call optimization.
2. It is represented using a global named metadata node, rather than
being directly associated with a global. This makes it harder to
manipulate the metadata when rebuilding global variables, summarise it
as part of ThinLTO and drop unused metadata when associated globals are
dropped. For this reason, CFI does not currently work correctly when
both CFI and vcall opt are enabled, as vcall opt needs to rebuild vtable
globals, and fails to associate metadata with the rebuilt globals. As I
understand it, the same problem could also affect ASan, which rebuilds
globals with a red zone.
This patch solves both of those problems in the following way:
1. Rename the metadata to "type metadata". This new name reflects how
the metadata is currently being used (i.e. to represent type information
for CFI and vtable opt). The new name is reflected in the name for the
associated intrinsic (llvm.type.test) and pass (LowerTypeTests).
2. Attach metadata directly to the globals that it pertains to, rather
than using the "llvm.bitsets" global metadata node as we are doing now.
This is done using the newly introduced capability to attach
metadata to global variables (r271348 and r271358).
See also: http://lists.llvm.org/pipermail/llvm-dev/2016-June/100462.html
Differential Revision: http://reviews.llvm.org/D21053
llvm-svn: 273729
2016-06-25 05:21:32 +08:00
|
|
|
=============
|
|
|
|
Type Metadata
|
|
|
|
=============
|
|
|
|
|
|
|
|
Type metadata is a mechanism that allows IR modules to co-operatively build
|
|
|
|
pointer sets corresponding to addresses within a given set of globals. LLVM's
|
|
|
|
`control flow integrity`_ implementation uses this metadata to efficiently
|
|
|
|
check (at each call site) that a given address corresponds to either a
|
|
|
|
valid vtable or function pointer for a given class or function type, and its
|
|
|
|
whole-program devirtualization pass uses the metadata to identify potential
|
|
|
|
callees for a given virtual call.
|
|
|
|
|
|
|
|
To use the mechanism, a client creates metadata nodes with two elements:
|
|
|
|
|
|
|
|
1. a byte offset into the global (generally zero for functions)
|
|
|
|
2. a metadata object representing an identifier for the type
|
|
|
|
|
|
|
|
These metadata nodes are associated with globals by using global object
|
|
|
|
metadata attachments with the ``!type`` metadata kind.
|
|
|
|
|
|
|
|
Each type identifier must exclusively identify either global variables
|
|
|
|
or functions.
|
|
|
|
|
|
|
|
.. admonition:: Limitation
|
|
|
|
|
|
|
|
The current implementation only supports attaching metadata to functions on
|
|
|
|
the x86-32 and x86-64 architectures.
|
|
|
|
|
|
|
|
An intrinsic, :ref:`llvm.type.test <type.test>`, is used to test whether a
|
|
|
|
given pointer is associated with a type identifier.
|
|
|
|
|
|
|
|
.. _control flow integrity: http://clang.llvm.org/docs/ControlFlowIntegrity.html
|
|
|
|
|
|
|
|
Representing Type Information using Type Metadata
|
|
|
|
=================================================
|
|
|
|
|
|
|
|
This section describes how Clang represents C++ type information associated with
|
|
|
|
virtual tables using type metadata.
|
|
|
|
|
|
|
|
Consider the following inheritance hierarchy:
|
|
|
|
|
|
|
|
.. code-block:: c++
|
|
|
|
|
|
|
|
struct A {
|
|
|
|
virtual void f();
|
|
|
|
};
|
|
|
|
|
|
|
|
struct B : A {
|
|
|
|
virtual void f();
|
|
|
|
virtual void g();
|
|
|
|
};
|
|
|
|
|
|
|
|
struct C {
|
|
|
|
virtual void h();
|
|
|
|
};
|
|
|
|
|
|
|
|
struct D : A, C {
|
|
|
|
virtual void f();
|
|
|
|
virtual void h();
|
|
|
|
};
|
|
|
|
|
|
|
|
The virtual table objects for A, B, C and D look like this (under the Itanium ABI):
|
|
|
|
|
|
|
|
.. csv-table:: Virtual Table Layout for A, B, C, D
|
|
|
|
:header: Class, 0, 1, 2, 3, 4, 5, 6
|
|
|
|
|
|
|
|
A, A::offset-to-top, &A::rtti, &A::f
|
|
|
|
B, B::offset-to-top, &B::rtti, &B::f, &B::g
|
|
|
|
C, C::offset-to-top, &C::rtti, &C::h
|
|
|
|
D, D::offset-to-top, &D::rtti, &D::f, &D::h, D::offset-to-top, &D::rtti, thunk for &D::h
|
|
|
|
|
|
|
|
When an object of type A is constructed, the address of ``&A::f`` in A's
|
|
|
|
virtual table object is stored in the object's vtable pointer. In ABI parlance
|
|
|
|
this address is known as an `address point`_. Similarly, when an object of type
|
|
|
|
B is constructed, the address of ``&B::f`` is stored in the vtable pointer. In
|
|
|
|
this way, the vtable in B's virtual table object is compatible with A's vtable.
|
|
|
|
|
|
|
|
D is a little more complicated, due to the use of multiple inheritance. Its
|
|
|
|
virtual table object contains two vtables, one compatible with A's vtable and
|
|
|
|
the other compatible with C's vtable. Objects of type D contain two virtual
|
|
|
|
pointers, one belonging to the A subobject and containing the address of
|
|
|
|
the vtable compatible with A's vtable, and the other belonging to the C
|
|
|
|
subobject and containing the address of the vtable compatible with C's vtable.
|
|
|
|
|
|
|
|
The full set of compatibility information for the above class hierarchy is
|
|
|
|
shown below. The following table shows the name of a class, the offset of an
|
|
|
|
address point within that class's vtable and the name of one of the classes
|
|
|
|
with which that address point is compatible.
|
|
|
|
|
|
|
|
.. csv-table:: Type Offsets for A, B, C, D
|
|
|
|
:header: VTable for, Offset, Compatible Class
|
|
|
|
|
|
|
|
A, 16, A
|
|
|
|
B, 16, A
|
|
|
|
, , B
|
|
|
|
C, 16, C
|
|
|
|
D, 16, A
|
|
|
|
, , D
|
|
|
|
, 48, C
|
|
|
|
|
|
|
|
The next step is to encode this compatibility information into the IR. The way
|
|
|
|
this is done is to create type metadata named after each of the compatible
|
|
|
|
classes, with which we associate each of the compatible address points in
|
|
|
|
each vtable. For example, these type metadata entries encode the compatibility
|
|
|
|
information for the above hierarchy:
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
@_ZTV1A = constant [...], !type !0
|
|
|
|
@_ZTV1B = constant [...], !type !0, !type !1
|
|
|
|
@_ZTV1C = constant [...], !type !2
|
|
|
|
@_ZTV1D = constant [...], !type !0, !type !3, !type !4
|
|
|
|
|
|
|
|
!0 = !{i64 16, !"_ZTS1A"}
|
|
|
|
!1 = !{i64 16, !"_ZTS1B"}
|
|
|
|
!2 = !{i64 16, !"_ZTS1C"}
|
|
|
|
!3 = !{i64 16, !"_ZTS1D"}
|
|
|
|
!4 = !{i64 48, !"_ZTS1C"}
|
|
|
|
|
|
|
|
With this type metadata, we can now use the ``llvm.type.test`` intrinsic to
|
|
|
|
test whether a given pointer is compatible with a type identifier. Working
|
|
|
|
backwards, if ``llvm.type.test`` returns true for a particular pointer,
|
|
|
|
we can also statically determine the identities of the virtual functions
|
|
|
|
that a particular virtual call may call. For example, if a program assumes
|
|
|
|
a pointer to be a member of ``!"_ZST1A"``, we know that the address can
|
|
|
|
be only be one of ``_ZTV1A+16``, ``_ZTV1B+16`` or ``_ZTV1D+16`` (i.e. the
|
|
|
|
address points of the vtables of A, B and D respectively). If we then load
|
|
|
|
an address from that pointer, we know that the address can only be one of
|
|
|
|
``&A::f``, ``&B::f`` or ``&D::f``.
|
|
|
|
|
2017-09-12 08:19:11 +08:00
|
|
|
.. _address point: https://itanium-cxx-abi.github.io/cxx-abi/abi.html#vtable-general
|
IR: New representation for CFI and virtual call optimization pass metadata.
The bitset metadata currently used in LLVM has a few problems:
1. It has the wrong name. The name "bitset" refers to an implementation
detail of one use of the metadata (i.e. its original use case, CFI).
This makes it harder to understand, as the name makes no sense in the
context of virtual call optimization.
2. It is represented using a global named metadata node, rather than
being directly associated with a global. This makes it harder to
manipulate the metadata when rebuilding global variables, summarise it
as part of ThinLTO and drop unused metadata when associated globals are
dropped. For this reason, CFI does not currently work correctly when
both CFI and vcall opt are enabled, as vcall opt needs to rebuild vtable
globals, and fails to associate metadata with the rebuilt globals. As I
understand it, the same problem could also affect ASan, which rebuilds
globals with a red zone.
This patch solves both of those problems in the following way:
1. Rename the metadata to "type metadata". This new name reflects how
the metadata is currently being used (i.e. to represent type information
for CFI and vtable opt). The new name is reflected in the name for the
associated intrinsic (llvm.type.test) and pass (LowerTypeTests).
2. Attach metadata directly to the globals that it pertains to, rather
than using the "llvm.bitsets" global metadata node as we are doing now.
This is done using the newly introduced capability to attach
metadata to global variables (r271348 and r271358).
See also: http://lists.llvm.org/pipermail/llvm-dev/2016-June/100462.html
Differential Revision: http://reviews.llvm.org/D21053
llvm-svn: 273729
2016-06-25 05:21:32 +08:00
|
|
|
|
|
|
|
Testing Addresses For Type Membership
|
|
|
|
=====================================
|
|
|
|
|
|
|
|
If a program tests an address using ``llvm.type.test``, this will cause
|
|
|
|
a link-time optimization pass, ``LowerTypeTests``, to replace calls to this
|
|
|
|
intrinsic with efficient code to perform type member tests. At a high level,
|
|
|
|
the pass will lay out referenced globals in a consecutive memory region in
|
|
|
|
the object file, construct bit vectors that map onto that memory region,
|
|
|
|
and generate code at each of the ``llvm.type.test`` call sites to test
|
|
|
|
pointers against those bit vectors. Because of the layout manipulation, the
|
|
|
|
globals' definitions must be available at LTO time. For more information,
|
|
|
|
see the `control flow integrity design document`_.
|
|
|
|
|
|
|
|
A type identifier that identifies functions is transformed into a jump table,
|
|
|
|
which is a block of code consisting of one branch instruction for each
|
|
|
|
of the functions associated with the type identifier that branches to the
|
|
|
|
target function. The pass will redirect any taken function addresses to the
|
|
|
|
corresponding jump table entry. In the object file's symbol table, the jump
|
|
|
|
table entries take the identities of the original functions, so that addresses
|
|
|
|
taken outside the module will pass any verification done inside the module.
|
|
|
|
|
|
|
|
Jump tables may call external functions, so their definitions need not
|
|
|
|
be available at LTO time. Note that if an externally defined function is
|
|
|
|
associated with a type identifier, there is no guarantee that its identity
|
|
|
|
within the module will be the same as its identity outside of the module,
|
|
|
|
as the former will be the jump table entry if a jump table is necessary.
|
|
|
|
|
|
|
|
The `GlobalLayoutBuilder`_ class is responsible for laying out the globals
|
|
|
|
efficiently to minimize the sizes of the underlying bitsets.
|
|
|
|
|
|
|
|
.. _control flow integrity design document: http://clang.llvm.org/docs/ControlFlowIntegrityDesign.html
|
|
|
|
|
|
|
|
:Example:
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
target datalayout = "e-p:32:32"
|
|
|
|
|
|
|
|
@a = internal global i32 0, !type !0
|
|
|
|
@b = internal global i32 0, !type !0, !type !1
|
|
|
|
@c = internal global i32 0, !type !1
|
|
|
|
@d = internal global [2 x i32] [i32 0, i32 0], !type !2
|
|
|
|
|
|
|
|
define void @e() !type !3 {
|
|
|
|
ret void
|
|
|
|
}
|
|
|
|
|
|
|
|
define void @f() {
|
|
|
|
ret void
|
|
|
|
}
|
|
|
|
|
|
|
|
declare void @g() !type !3
|
|
|
|
|
|
|
|
!0 = !{i32 0, !"typeid1"}
|
|
|
|
!1 = !{i32 0, !"typeid2"}
|
|
|
|
!2 = !{i32 4, !"typeid2"}
|
|
|
|
!3 = !{i32 0, !"typeid3"}
|
|
|
|
|
|
|
|
declare i1 @llvm.type.test(i8* %ptr, metadata %typeid) nounwind readnone
|
|
|
|
|
|
|
|
define i1 @foo(i32* %p) {
|
|
|
|
%pi8 = bitcast i32* %p to i8*
|
|
|
|
%x = call i1 @llvm.type.test(i8* %pi8, metadata !"typeid1")
|
|
|
|
ret i1 %x
|
|
|
|
}
|
|
|
|
|
|
|
|
define i1 @bar(i32* %p) {
|
|
|
|
%pi8 = bitcast i32* %p to i8*
|
|
|
|
%x = call i1 @llvm.type.test(i8* %pi8, metadata !"typeid2")
|
|
|
|
ret i1 %x
|
|
|
|
}
|
|
|
|
|
|
|
|
define i1 @baz(void ()* %p) {
|
|
|
|
%pi8 = bitcast void ()* %p to i8*
|
|
|
|
%x = call i1 @llvm.type.test(i8* %pi8, metadata !"typeid3")
|
|
|
|
ret i1 %x
|
|
|
|
}
|
|
|
|
|
|
|
|
define void @main() {
|
|
|
|
%a1 = call i1 @foo(i32* @a) ; returns 1
|
|
|
|
%b1 = call i1 @foo(i32* @b) ; returns 1
|
|
|
|
%c1 = call i1 @foo(i32* @c) ; returns 0
|
|
|
|
%a2 = call i1 @bar(i32* @a) ; returns 0
|
|
|
|
%b2 = call i1 @bar(i32* @b) ; returns 1
|
|
|
|
%c2 = call i1 @bar(i32* @c) ; returns 1
|
|
|
|
%d02 = call i1 @bar(i32* getelementptr ([2 x i32]* @d, i32 0, i32 0)) ; returns 0
|
|
|
|
%d12 = call i1 @bar(i32* getelementptr ([2 x i32]* @d, i32 0, i32 1)) ; returns 1
|
|
|
|
%e = call i1 @baz(void ()* @e) ; returns 1
|
|
|
|
%f = call i1 @baz(void ()* @f) ; returns 0
|
|
|
|
%g = call i1 @baz(void ()* @g) ; returns 1
|
|
|
|
ret void
|
|
|
|
}
|
|
|
|
|
2019-01-15 06:27:32 +08:00
|
|
|
.. _GlobalLayoutBuilder: https://github.com/llvm/llvm-project/blob/master/llvm/include/llvm/Transforms/IPO/LowerTypeTests.h
|
Reland: Dead Virtual Function Elimination
Remove dead virtual functions from vtables with
replaceNonMetadataUsesWith, so that CGProfile metadata gets cleaned up
correctly.
Original commit message:
Currently, it is hard for the compiler to remove unused C++ virtual
functions, because they are all referenced from vtables, which are referenced
by constructors. This means that if the constructor is called from any live
code, then we keep every virtual function in the final link, even if there
are no call sites which can use it.
This patch allows unused virtual functions to be removed during LTO (and
regular compilation in limited circumstances) by using type metadata to match
virtual function call sites to the vtable slots they might load from. This
information can then be used in the global dead code elimination pass instead
of the references from vtables to virtual functions, to more accurately
determine which functions are reachable.
To make this transformation safe, I have changed clang's code-generation to
always load virtual function pointers using the llvm.type.checked.load
intrinsic, instead of regular load instructions. I originally tried writing
this using clang's existing code-generation, which uses the llvm.type.test
and llvm.assume intrinsics after doing a normal load. However, it is possible
for optimisations to obscure the relationship between the GEP, load and
llvm.type.test, causing GlobalDCE to fail to find virtual function call
sites.
The existing linkage and visibility types don't accurately describe the scope
in which a virtual call could be made which uses a given vtable. This is
wider than the visibility of the type itself, because a virtual function call
could be made using a more-visible base class. I've added a new
!vcall_visibility metadata type to represent this, described in
TypeMetadata.rst. The internalization pass and libLTO have been updated to
change this metadata when linking is performed.
This doesn't currently work with ThinLTO, because it needs to see every call
to llvm.type.checked.load in the linkage unit. It might be possible to
extend this optimisation to be able to use the ThinLTO summary, as was done
for devirtualization, but until then that combination is rejected in the
clang driver.
To test this, I've written a fuzzer which generates random C++ programs with
complex class inheritance graphs, and virtual functions called through object
and function pointers of different types. The programs are spread across
multiple translation units and DSOs to test the different visibility
restrictions.
I've also tried doing bootstrap builds of LLVM to test this. This isn't
ideal, because only classes in anonymous namespaces can be optimised with
-fvisibility=default, and some parts of LLVM (plugins and bugpoint) do not
work correctly with -fvisibility=hidden. However, there are only 12 test
failures when building with -fvisibility=hidden (and an unmodified compiler),
and this change does not cause any new failures for either value of
-fvisibility.
On the 7 C++ sub-benchmarks of SPEC2006, this gives a geomean code-size
reduction of ~6%, over a baseline compiled with "-O2 -flto
-fvisibility=hidden -fwhole-program-vtables". The best cases are reductions
of ~14% in 450.soplex and 483.xalancbmk, and there are no code size
increases.
I've also run this on a set of 8 mbed-os examples compiled for Armv7M, which
show a geomean size reduction of ~3%, again with no size increases.
I had hoped that this would have no effect on performance, which would allow
it to awlays be enabled (when using -fwhole-program-vtables). However, the
changes in clang to use the llvm.type.checked.load intrinsic are causing ~1%
performance regression in the C++ parts of SPEC2006. It should be possible to
recover some of this perf loss by teaching optimisations about the
llvm.type.checked.load intrinsic, which would make it worth turning this on
by default (though it's still dependent on -fwhole-program-vtables).
Differential revision: https://reviews.llvm.org/D63932
llvm-svn: 375094
2019-10-17 17:58:57 +08:00
|
|
|
|
|
|
|
``!vcall_visibility`` Metadata
|
|
|
|
==============================
|
|
|
|
|
|
|
|
In order to allow removing unused function pointers from vtables, we need to
|
|
|
|
know whether every virtual call which could use it is known to the compiler, or
|
|
|
|
whether another translation unit could introduce more calls through the vtable.
|
|
|
|
This is not the same as the linkage of the vtable, because call sites could be
|
|
|
|
using a pointer of a more widely-visible base class. For example, consider this
|
|
|
|
code:
|
|
|
|
|
|
|
|
.. code-block:: c++
|
|
|
|
|
|
|
|
__attribute__((visibility("default")))
|
|
|
|
struct A {
|
|
|
|
virtual void f();
|
|
|
|
};
|
|
|
|
|
|
|
|
__attribute__((visibility("hidden")))
|
|
|
|
struct B : A {
|
|
|
|
virtual void f();
|
|
|
|
};
|
|
|
|
|
|
|
|
With LTO, we know that all code which can see the declaration of ``B`` is
|
|
|
|
visible to us. However, a pointer to a ``B`` could be cast to ``A*`` and passed
|
|
|
|
to another linkage unit, which could then call ``f`` on it. This call would
|
|
|
|
load from the vtable for ``B`` (using the object pointer), and then call
|
|
|
|
``B::f``. This means we can't remove the function pointer from ``B``'s vtable,
|
|
|
|
or the implementation of ``B::f``. However, if we can see all code which knows
|
|
|
|
about any dynamic base class (which would be the case if ``B`` only inherited
|
|
|
|
from classes with hidden visibility), then this optimisation would be valid.
|
|
|
|
|
|
|
|
This concept is represented in IR by the ``!vcall_visibility`` metadata
|
|
|
|
attached to vtable objects, with the following values:
|
|
|
|
|
|
|
|
.. list-table::
|
|
|
|
:header-rows: 1
|
|
|
|
:widths: 10 90
|
|
|
|
|
|
|
|
* - Value
|
|
|
|
- Behavior
|
|
|
|
|
|
|
|
* - 0 (or omitted)
|
|
|
|
- **Public**
|
|
|
|
Virtual function calls using this vtable could be made from external
|
|
|
|
code.
|
|
|
|
|
|
|
|
* - 1
|
|
|
|
- **Linkage Unit**
|
|
|
|
All virtual function calls which might use this vtable are in the
|
|
|
|
current LTO unit, meaning they will be in the current module once
|
|
|
|
LTO linking has been performed.
|
|
|
|
|
|
|
|
* - 2
|
|
|
|
- **Translation Unit**
|
|
|
|
All virtual function calls which might use this vtable are in the
|
|
|
|
current module.
|
|
|
|
|
|
|
|
In addition, all function pointer loads from a vtable marked with the
|
|
|
|
``!vcall_visibility`` metadata (with a non-zero value) must be done using the
|
|
|
|
:ref:`llvm.type.checked.load <type.checked.load>` intrinsic, so that virtual
|
|
|
|
calls sites can be correlated with the vtables which they might load from.
|
|
|
|
Other parts of the vtable (RTTI, offset-to-top, ...) can still be accessed with
|
|
|
|
normal loads.
|