bool CallAnalyzer::visitGetElementPtr(GetElementPtrInst &I) {
Value *SROAArg;
DenseMap<Value *, int>::iterator CostIt;
bool SROACandidate = lookupSROAArgAndCost(I.getPointerOperand(),
SROAArg, CostIt);
// Try to fold GEPs of constant-offset call site argument pointers. This
// requires target data and inbounds GEPs.
if (TD && I.isInBounds()) {
// Check if we have a base + offset for the pointer.
Value *Ptr = I.getPointerOperand();
std::pair<Value *, APInt> BaseAndOffset = ConstantOffsetPtrs.lookup(Ptr);
if (BaseAndOffset.first) {
// Check if the offset of this GEP is constant, and if so accumulate it
// into Offset.
if (!accumulateGEPOffset(cast<GEPOperator>(I), BaseAndOffset.second)) {
// Non-constant GEPs aren't folded, and disable SROA.
if (SROACandidate)
disableSROA(CostIt);
return false;
}
// Add the result as a new mapping to Base + Offset.
ConstantOffsetPtrs[&I] = BaseAndOffset;
// Also handle SROA candidates here, we already know that the GEP is
// all-constant indexed.
if (SROACandidate)
SROAArgValues[&I] = SROAArg;
return true;
}
}
if (isGEPOffsetConstant(I)) {
if (SROACandidate)
SROAArgValues[&I] = SROAArg;
// Constant GEPs are modeled as free.
return true;
}
// Variable GEPs will require math and will disable SROA.
if (SROACandidate)
disableSROA(CostIt);
return false;
}
void visitGetElementPtrInst(GetElementPtrInst &GEP) {
Value *pointerOperand = GEP.getPointerOperand();
DSGraph * TDG = budsPass->getDSGraph(*(GEP.getParent()->getParent()));
DSNode *DSN = TDG->getNodeForValue(pointerOperand).getNode();
//FIXME DO we really need this ? markReachableAllocas(DSN);
if (DSN && DSN->isAllocaNode() && !DSN->isNodeCompletelyFolded()) {
unsafeAllocaNodes.push_back(DSN);
}
}
void Executor::executeGep(Instruction *i) {
if (DisabledSymbolicExeCurRun) {
return;
}
assert(i && "Expecting an instruction!");
GetElementPtrInst *gep = (GetElementPtrInst*) i;
assert(gep->getNumIndices()<=2 && "Unsupported gep instruction");
if(AllocaInst *a = dyn_cast<AllocaInst>(gep->getPointerOperand())) {
Type *ty = a->getAllocatedType();
if (ty->isIntegerTy()) {
// Incompleteness: pointer dereferencement on symbolic value
AllLocDefinite = false;
return;
}
}
unsigned idx = 0;
Type *subTy = NULL;
Type *ptrOpTy = gep->getPointerOperandType();
if (ptrOpTy && ptrOpTy->getNumContainedTypes()==1) {
subTy = ptrOpTy->getContainedType(0);
}
if (subTy && subTy->getNumContainedTypes()>0) {
idx = 1;
} else {
assert("Unsupported gep instruction!");
}
Value *ptr = (Value*) i;
if(gep->hasIndices()) {
Value *index = gep->getOperand(idx+1);
if (SMAP->contains(index)) {
// P[v->sv] // sv is a new symbolic value
// Value *a = gep->getPointerOperand();
// ptr = (a index)
//SymbolPtr Sindex = SMAP->get(index);
//PMAP->createGepOp(ptr, a, Sindex);
// Incompleteness: pointer dereferencement on symbolic value
AllLocDefinite = false;
} else {
// P = P - ptr
PMAP->remove(ptr);
}
}
// Global allocation
/*else if(isa<GlobalVariable>(ptr)) {
// ptr in domain(P)
if (PMAP->contains(ptr)) {
SymbolPtr Pptr = PMAP->get(ptr);
// P' = P[ptr->S(val)]
PMAP->update(ptr, Pptr);
} else {
// P = P - ptr
PMAP->remove(ptr);
}
}*/
}
//
// Method: visitGetElementPtrInst()
//
// Description:
// This method checks to see if the specified GEP is safe. If it cannot prove
// it safe, it then adds a run-time check for it.
//
void
InsertGEPChecks::visitGetElementPtrInst (GetElementPtrInst & GEP) {
//
// Don't insert a check if GEP only indexes into a structure and the
// user doesn't want to do structure index checking.
//
if (DisableStructChecks && indexesStructsOnly (&GEP)) {
return;
}
//
// Get the function in which the GEP instruction lives.
//
Value * PH = ConstantPointerNull::get (getVoidPtrType(GEP.getContext()));
BasicBlock::iterator InsertPt = &GEP;
++InsertPt;
Instruction * ResultPtr = castTo (&GEP,
getVoidPtrType(GEP.getContext()),
GEP.getName() + ".cast",
InsertPt);
//
// Make this an actual cast instruction; it will make it easier to update
// DSA.
//
Value * SrcPtr = castTo (GEP.getPointerOperand(),
getVoidPtrType(GEP.getContext()),
GEP.getName()+".cast",
InsertPt);
//
// Create the call to the run-time check.
//
std::vector<Value *> args(1, PH);
args.push_back (SrcPtr);
args.push_back (ResultPtr);
CallInst * CI = CallInst::Create (PoolCheckArrayUI, args, "", InsertPt);
//
// Add debugging info metadata to the run-time check.
//
if (MDNode * MD = GEP.getMetadata ("dbg"))
CI->setMetadata ("dbg", MD);
//
// Update the statistics.
//
++GEPChecks;
return;
}
// -- handle GetElementPtr instruction --
void UnsafeTypeCastingCheck::handleGetElementPtrInstruction (Instruction *inst) {
GetElementPtrInst * ginst = dyn_cast<GetElementPtrInst>(inst);
if (ginst == NULL)
utccAbort("handleGetElementPtrInstruction cannot process with a non-getelementptr instruction");
Value *pt = ginst->getPointerOperand();
UTCC_TYPE pt_ut_self = UH_UT;
UTCC_TYPE pt_ut_base = UH_UT;
UTCC_TYPE pt_ut_element = llvmT2utccT(ginst->getType()->getPointerElementType(), ginst);
if (isVisitedPointer(ginst)) pt_ut_self = queryPointedType(ginst);
if (isVisitedPointer(pt)) pt_ut_base = queryPointedType(pt);
setPointedType(ginst, utSaturate(pt_ut_element,
utSaturate(pt_ut_self, pt_ut_base)));
setExprType(ginst, llvmT2utccT(ginst->getType(), ginst));
}
void ArrayIndexChecker::visitGetElementPtrInst(GetElementPtrInst& I) {
DEBUG(dbgs() << "ArrayIndexChecker: visiting GEP " << I << "\n");
visitValue(*I.getPointerOperand());
for (auto Idx = I.idx_begin(), E = I.idx_end(); Idx != E; ++Idx) {
visitValue(**Idx);
}
auto pos = std::find(ptr_value_vec_.begin(), ptr_value_vec_.end(), &I);
assert(pos != ptr_value_vec_.end());
index_t varIdx = pos - ptr_value_vec_.begin();
assert(idx2addr_.find(varIdx) != idx2addr_.end());
if (addr2version_[idx2addr_[varIdx]] != 0)
throw ArrayIndexIsNotConstant;;
DEBUG(dbgs() << "ArrayIndexChecker: visited GEP\n");
}
void Interpreter::visitGetElementPtrInst(GetElementPtrInst &I) {
ExecutionContext &SF = ECStack.back();
SetValue(&I, TheEE->executeGEPOperation(I.getPointerOperand(),
gep_type_begin(I), gep_type_end(I), SF), SF);
}
Value *llvm::ConvertExpressionToType(Value *V, const Type *Ty,
ValueMapCache &VMC, const TargetData &TD) {
if (V->getType() == Ty) return V; // Already where we need to be?
ValueMapCache::ExprMapTy::iterator VMCI = VMC.ExprMap.find(V);
if (VMCI != VMC.ExprMap.end()) {
const Value *GV = VMCI->second;
const Type *GTy = VMCI->second->getType();
assert(VMCI->second->getType() == Ty);
if (Instruction *I = dyn_cast<Instruction>(V))
ValueHandle IHandle(VMC, I); // Remove I if it is unused now!
return VMCI->second;
}
DEBUG(std::cerr << "CETT: " << (void*)V << " " << *V);
Instruction *I = dyn_cast<Instruction>(V);
if (I == 0) {
Constant *CPV = cast<Constant>(V);
// Constants are converted by constant folding the cast that is required.
// We assume here that all casts are implemented for constant prop.
Value *Result = ConstantExpr::getCast(CPV, Ty);
// Add the instruction to the expression map
//VMC.ExprMap[V] = Result;
return Result;
}
BasicBlock *BB = I->getParent();
std::string Name = I->getName(); if (!Name.empty()) I->setName("");
Instruction *Res; // Result of conversion
ValueHandle IHandle(VMC, I); // Prevent I from being removed!
Constant *Dummy = Constant::getNullValue(Ty);
switch (I->getOpcode()) {
case Instruction::Cast:
assert(VMC.NewCasts.count(ValueHandle(VMC, I)) == 0);
Res = new CastInst(I->getOperand(0), Ty, Name);
VMC.NewCasts.insert(ValueHandle(VMC, Res));
break;
case Instruction::Add:
case Instruction::Sub:
Res = BinaryOperator::create(cast<BinaryOperator>(I)->getOpcode(),
Dummy, Dummy, Name);
VMC.ExprMap[I] = Res; // Add node to expression eagerly
Res->setOperand(0, ConvertExpressionToType(I->getOperand(0), Ty, VMC, TD));
Res->setOperand(1, ConvertExpressionToType(I->getOperand(1), Ty, VMC, TD));
break;
case Instruction::Shl:
case Instruction::Shr:
Res = new ShiftInst(cast<ShiftInst>(I)->getOpcode(), Dummy,
I->getOperand(1), Name);
VMC.ExprMap[I] = Res;
Res->setOperand(0, ConvertExpressionToType(I->getOperand(0), Ty, VMC, TD));
break;
case Instruction::Load: {
LoadInst *LI = cast<LoadInst>(I);
Res = new LoadInst(Constant::getNullValue(PointerType::get(Ty)), Name);
VMC.ExprMap[I] = Res;
Res->setOperand(0, ConvertExpressionToType(LI->getPointerOperand(),
PointerType::get(Ty), VMC, TD));
assert(Res->getOperand(0)->getType() == PointerType::get(Ty));
assert(Ty == Res->getType());
assert(Res->getType()->isFirstClassType() && "Load of structure or array!");
break;
}
case Instruction::PHI: {
PHINode *OldPN = cast<PHINode>(I);
PHINode *NewPN = new PHINode(Ty, Name);
VMC.ExprMap[I] = NewPN; // Add node to expression eagerly
while (OldPN->getNumOperands()) {
BasicBlock *BB = OldPN->getIncomingBlock(0);
Value *OldVal = OldPN->getIncomingValue(0);
ValueHandle OldValHandle(VMC, OldVal);
OldPN->removeIncomingValue(BB, false);
Value *V = ConvertExpressionToType(OldVal, Ty, VMC, TD);
NewPN->addIncoming(V, BB);
}
Res = NewPN;
break;
}
case Instruction::Malloc: {
Res = ConvertMallocToType(cast<MallocInst>(I), Ty, Name, VMC, TD);
break;
}
case Instruction::GetElementPtr: {
// GetElementPtr's are directly convertible to a pointer type if they have
// a number of zeros at the end. Because removing these values does not
// change the logical offset of the GEP, it is okay and fair to remove them.
// This can change this:
// %t1 = getelementptr %Hosp * %hosp, ubyte 4, ubyte 0 ; <%List **>
// %t2 = cast %List * * %t1 to %List *
// into
// %t2 = getelementptr %Hosp * %hosp, ubyte 4 ; <%List *>
//
GetElementPtrInst *GEP = cast<GetElementPtrInst>(I);
// Check to see if there are zero elements that we can remove from the
// index array. If there are, check to see if removing them causes us to
// get to the right type...
//
std::vector<Value*> Indices(GEP->idx_begin(), GEP->idx_end());
const Type *BaseType = GEP->getPointerOperand()->getType();
const Type *PVTy = cast<PointerType>(Ty)->getElementType();
Res = 0;
while (!Indices.empty() &&
Indices.back() == Constant::getNullValue(Indices.back()->getType())){
Indices.pop_back();
if (GetElementPtrInst::getIndexedType(BaseType, Indices, true) == PVTy) {
if (Indices.size() == 0)
Res = new CastInst(GEP->getPointerOperand(), BaseType); // NOOP CAST
else
Res = new GetElementPtrInst(GEP->getPointerOperand(), Indices, Name);
break;
}
}
if (Res == 0 && GEP->getNumOperands() == 2 &&
GEP->getType() == PointerType::get(Type::SByteTy)) {
// Otherwise, we can convert a GEP from one form to the other iff the
// current gep is of the form 'getelementptr sbyte*, unsigned N
// and we could convert this to an appropriate GEP for the new type.
//
const PointerType *NewSrcTy = PointerType::get(PVTy);
BasicBlock::iterator It = I;
// Check to see if 'N' is an expression that can be converted to
// the appropriate size... if so, allow it.
//
std::vector<Value*> Indices;
const Type *ElTy = ConvertibleToGEP(NewSrcTy, I->getOperand(1),
Indices, TD, &It);
if (ElTy) {
assert(ElTy == PVTy && "Internal error, setup wrong!");
Res = new GetElementPtrInst(Constant::getNullValue(NewSrcTy),
Indices, Name);
VMC.ExprMap[I] = Res;
Res->setOperand(0, ConvertExpressionToType(I->getOperand(0),
NewSrcTy, VMC, TD));
}
}
// Otherwise, it could be that we have something like this:
// getelementptr [[sbyte] *] * %reg115, uint %reg138 ; [sbyte]**
// and want to convert it into something like this:
// getelemenptr [[int] *] * %reg115, uint %reg138 ; [int]**
//
if (Res == 0) {
const PointerType *NewSrcTy = PointerType::get(PVTy);
std::vector<Value*> Indices(GEP->idx_begin(), GEP->idx_end());
Res = new GetElementPtrInst(Constant::getNullValue(NewSrcTy),
Indices, Name);
VMC.ExprMap[I] = Res;
Res->setOperand(0, ConvertExpressionToType(I->getOperand(0),
NewSrcTy, VMC, TD));
}
assert(Res && "Didn't find match!");
break;
}
case Instruction::Call: {
assert(!isa<Function>(I->getOperand(0)));
// If this is a function pointer, we can convert the return type if we can
// convert the source function pointer.
//
const PointerType *PT = cast<PointerType>(I->getOperand(0)->getType());
const FunctionType *FT = cast<FunctionType>(PT->getElementType());
std::vector<const Type *> ArgTys(FT->param_begin(), FT->param_end());
const FunctionType *NewTy =
FunctionType::get(Ty, ArgTys, FT->isVarArg());
const PointerType *NewPTy = PointerType::get(NewTy);
if (Ty == Type::VoidTy)
Name = ""; // Make sure not to name calls that now return void!
Res = new CallInst(Constant::getNullValue(NewPTy),
std::vector<Value*>(I->op_begin()+1, I->op_end()),
Name);
VMC.ExprMap[I] = Res;
Res->setOperand(0, ConvertExpressionToType(I->getOperand(0),NewPTy,VMC,TD));
break;
}
default:
assert(0 && "Expression convertible, but don't know how to convert?");
return 0;
}
assert(Res->getType() == Ty && "Didn't convert expr to correct type!");
BB->getInstList().insert(I, Res);
// Add the instruction to the expression map
VMC.ExprMap[I] = Res;
unsigned NumUses = I->use_size();
for (unsigned It = 0; It < NumUses; ) {
unsigned OldSize = NumUses;
Value::use_iterator UI = I->use_begin();
std::advance(UI, It);
ConvertOperandToType(*UI, I, Res, VMC, TD);
NumUses = I->use_size();
if (NumUses == OldSize) ++It;
}
DEBUG(std::cerr << "ExpIn: " << (void*)I << " " << *I
<< "ExpOut: " << (void*)Res << " " << *Res);
return Res;
}
// ExpressionConvertibleToType - Return true if it is possible
bool llvm::ExpressionConvertibleToType(Value *V, const Type *Ty,
ValueTypeCache &CTMap, const TargetData &TD) {
// Expression type must be holdable in a register.
if (!Ty->isFirstClassType())
return false;
ValueTypeCache::iterator CTMI = CTMap.find(V);
if (CTMI != CTMap.end()) return CTMI->second == Ty;
// If it's a constant... all constants can be converted to a different
// type.
//
if (isa<Constant>(V) && !isa<GlobalValue>(V))
return true;
CTMap[V] = Ty;
if (V->getType() == Ty) return true; // Expression already correct type!
Instruction *I = dyn_cast<Instruction>(V);
if (I == 0) return false; // Otherwise, we can't convert!
switch (I->getOpcode()) {
case Instruction::Cast:
// We can convert the expr if the cast destination type is losslessly
// convertible to the requested type.
if (!Ty->isLosslesslyConvertibleTo(I->getType())) return false;
// We also do not allow conversion of a cast that casts from a ptr to array
// of X to a *X. For example: cast [4 x %List *] * %val to %List * *
//
if (const PointerType *SPT =
dyn_cast<PointerType>(I->getOperand(0)->getType()))
if (const PointerType *DPT = dyn_cast<PointerType>(I->getType()))
if (const ArrayType *AT = dyn_cast<ArrayType>(SPT->getElementType()))
if (AT->getElementType() == DPT->getElementType())
return false;
break;
case Instruction::Add:
case Instruction::Sub:
if (!Ty->isInteger() && !Ty->isFloatingPoint()) return false;
if (!ExpressionConvertibleToType(I->getOperand(0), Ty, CTMap, TD) ||
!ExpressionConvertibleToType(I->getOperand(1), Ty, CTMap, TD))
return false;
break;
case Instruction::Shr:
if (!Ty->isInteger()) return false;
if (Ty->isSigned() != V->getType()->isSigned()) return false;
// FALL THROUGH
case Instruction::Shl:
if (!Ty->isInteger()) return false;
if (!ExpressionConvertibleToType(I->getOperand(0), Ty, CTMap, TD))
return false;
break;
case Instruction::Load: {
LoadInst *LI = cast<LoadInst>(I);
if (!ExpressionConvertibleToType(LI->getPointerOperand(),
PointerType::get(Ty), CTMap, TD))
return false;
break;
}
case Instruction::PHI: {
PHINode *PN = cast<PHINode>(I);
// Be conservative if we find a giant PHI node.
if (PN->getNumIncomingValues() > 32) return false;
for (unsigned i = 0; i < PN->getNumIncomingValues(); ++i)
if (!ExpressionConvertibleToType(PN->getIncomingValue(i), Ty, CTMap, TD))
return false;
break;
}
case Instruction::Malloc:
if (!MallocConvertibleToType(cast<MallocInst>(I), Ty, CTMap, TD))
return false;
break;
case Instruction::GetElementPtr: {
// GetElementPtr's are directly convertible to a pointer type if they have
// a number of zeros at the end. Because removing these values does not
// change the logical offset of the GEP, it is okay and fair to remove them.
// This can change this:
// %t1 = getelementptr %Hosp * %hosp, ubyte 4, ubyte 0 ; <%List **>
// %t2 = cast %List * * %t1 to %List *
// into
// %t2 = getelementptr %Hosp * %hosp, ubyte 4 ; <%List *>
//
GetElementPtrInst *GEP = cast<GetElementPtrInst>(I);
const PointerType *PTy = dyn_cast<PointerType>(Ty);
if (!PTy) return false; // GEP must always return a pointer...
const Type *PVTy = PTy->getElementType();
// Check to see if there are zero elements that we can remove from the
// index array. If there are, check to see if removing them causes us to
// get to the right type...
//
std::vector<Value*> Indices(GEP->idx_begin(), GEP->idx_end());
const Type *BaseType = GEP->getPointerOperand()->getType();
const Type *ElTy = 0;
while (!Indices.empty() &&
Indices.back() == Constant::getNullValue(Indices.back()->getType())){
Indices.pop_back();
ElTy = GetElementPtrInst::getIndexedType(BaseType, Indices, true);
if (ElTy == PVTy)
break; // Found a match!!
ElTy = 0;
}
if (ElTy) break; // Found a number of zeros we can strip off!
// Otherwise, we can convert a GEP from one form to the other iff the
// current gep is of the form 'getelementptr sbyte*, long N
// and we could convert this to an appropriate GEP for the new type.
//
if (GEP->getNumOperands() == 2 &&
GEP->getType() == PointerType::get(Type::SByteTy)) {
// Do not Check to see if our incoming pointer can be converted
// to be a ptr to an array of the right type... because in more cases than
// not, it is simply not analyzable because of pointer/array
// discrepancies. To fix this, we will insert a cast before the GEP.
//
// Check to see if 'N' is an expression that can be converted to
// the appropriate size... if so, allow it.
//
std::vector<Value*> Indices;
const Type *ElTy = ConvertibleToGEP(PTy, I->getOperand(1), Indices, TD);
if (ElTy == PVTy) {
if (!ExpressionConvertibleToType(I->getOperand(0),
PointerType::get(ElTy), CTMap, TD))
return false; // Can't continue, ExConToTy might have polluted set!
break;
}
}
// Otherwise, it could be that we have something like this:
// getelementptr [[sbyte] *] * %reg115, long %reg138 ; [sbyte]**
// and want to convert it into something like this:
// getelemenptr [[int] *] * %reg115, long %reg138 ; [int]**
//
if (GEP->getNumOperands() == 2 &&
PTy->getElementType()->isSized() &&
TD.getTypeSize(PTy->getElementType()) ==
TD.getTypeSize(GEP->getType()->getElementType())) {
const PointerType *NewSrcTy = PointerType::get(PVTy);
if (!ExpressionConvertibleToType(I->getOperand(0), NewSrcTy, CTMap, TD))
return false;
break;
}
return false; // No match, maybe next time.
}
case Instruction::Call: {
if (isa<Function>(I->getOperand(0)))
return false; // Don't even try to change direct calls.
// If this is a function pointer, we can convert the return type if we can
// convert the source function pointer.
//
const PointerType *PT = cast<PointerType>(I->getOperand(0)->getType());
const FunctionType *FT = cast<FunctionType>(PT->getElementType());
std::vector<const Type *> ArgTys(FT->param_begin(), FT->param_end());
const FunctionType *NewTy =
FunctionType::get(Ty, ArgTys, FT->isVarArg());
if (!ExpressionConvertibleToType(I->getOperand(0),
PointerType::get(NewTy), CTMap, TD))
return false;
break;
}
default:
return false;
}
// Expressions are only convertible if all of the users of the expression can
// have this value converted. This makes use of the map to avoid infinite
// recursion.
//
for (Value::use_iterator It = I->use_begin(), E = I->use_end(); It != E; ++It)
if (!OperandConvertibleToType(*It, I, Ty, CTMap, TD))
return false;
return true;
}
bool Aa::LowerGepPass::runOnFunction(Function &F)
{
const llvm::Type *ptr_int_type = TD->getIntPtrType(F.getContext());
for (Function::iterator bi = F.begin(), be = F.end(); bi != be; ++bi) {
BasicBlock *bb = bi;
BasicBlock::iterator ii = bb->begin();
while (ii != bb->end()) {
GetElementPtrInst *gep = dyn_cast<GetElementPtrInst>(ii);
BasicBlock::iterator gi = ii++;
if (!gep) {
continue;
}
for (llvm::Value::use_iterator ui = gep->use_begin(), ue = gep->use_end();
ui != ue; ++ui) {
Use &u = ui.getUse();
IOCode ioc = get_io_code(u);
if (ioc == NOT_IO)
continue;
u.set(CastInst::CreatePointerCast(gep->getPointerOperand()
, gep->getType()
, "", gep));
}
assert(gep->hasIndices() && "GEP without indices??");
llvm::Value *ptr = gep->getPointerOperand();
const Type *ctype = ptr->getType();
// deal with the base pointer first
llvm::Value *base = gep->getPointerOperand();
std::string base_name = gep->getNameStr() + ".base";
llvm::Value *address = new PtrToIntInst(base, ptr_int_type, base_name + ".cast", gi);
unsigned i = 0;
for (User::op_iterator oi = gep->idx_begin(), oe = gep->idx_end();
oi != oe; ++oi, ++i) {
llvm::Value *index = *oi;
llvm::Value *offset = NULL;
std::stringstream index_name;
index_name << gep->getNameStr() << ".idx." << i;
if (const SequentialType *qtype = dyn_cast<SequentialType>(ctype)) {
// multiply index by size of element
unsigned element_size = getTypePaddedSize(TD, qtype->getElementType());
const llvm::IntegerType *index_type = cast<IntegerType>(index->getType());
ConstantInt *cint = ConstantInt::get(index_type, element_size);
assert(cint && "uh oh!");
offset = BinaryOperator::Create(Instruction::Mul
, cint
, index
, index_name.str()
, gi);
ctype = qtype->getElementType();
} else if (const StructType *stype = dyn_cast<StructType>(ctype)) {
// calculate offset into the struct
const StructLayout *layout = TD->getStructLayout(stype);
unsigned idx = cast<ConstantInt>(index)->getValue().getZExtValue();
unsigned struct_offset = layout->getElementOffset(idx);
offset = ConstantInt::get(ptr_int_type, struct_offset);
ctype = stype->getElementType(idx);
} else
assert(false && "unhandled offset into composite type");
// add offset to the address
assert(address && "uh oh!");
std::stringstream add_name;
add_name << gep->getNameStr() << ".lvl." << i;
if (offset->getType() != address->getType()) {
offset = CastInst::CreateIntegerCast(offset, address->getType()
, false, offset->getName() + ".resized"
, gi);
}
address = BinaryOperator::Create(Instruction::Add
, address, offset
, add_name.str(), gi);
}
if (address->getType() != ptr_int_type)
address = CastInst::CreateIntegerCast(address, ptr_int_type
, false, address->getName() + ".final", gi);
Instruction *new_ptr = new IntToPtrInst(address, gep->getType()
, gep->getName() + ".cast");
ReplaceInstWithInst(bb->getInstList(), gi, new_ptr);
}
}
return true;
}
//
// Methods: insertBadIndexing()
//
// Description:
// This method modifieds GEP indexing expressions so that their indices are
// (most likely) below the bounds of the object pointed to by the source
// pointer. It does this by modifying the first index to be -1.
//
// Return value:
// true - One or more changes were made to the program.
// false - No changes were made to the program.
//
bool
FaultInjector::insertBadIndexing (Function & F) {
// Worklist of allocation sites to rewrite
std::vector<GetElementPtrInst *> WorkList;
//
// Find GEP instructions that index into an array. Add these to the
// worklist.
//
for (Function::iterator fI = F.begin(), fE = F.end(); fI != fE; ++fI) {
BasicBlock & BB = *fI;
for (BasicBlock::iterator I = BB.begin(), bE = BB.end(); I != bE; ++I) {
if (GetElementPtrInst * GEP = dyn_cast<GetElementPtrInst>(I)) {
// Skip if we should not insert a fault.
if (!doFault()) continue;
WorkList.push_back (GEP);
}
}
}
// Flag whether the program was modified
bool modified = (WorkList.size() > 0);
//
// Iterator through the worklist and transform each GEP.
//
while (WorkList.size()) {
GetElementPtrInst * GEP = WorkList.back();
WorkList.pop_back();
//
// Print out where the fault will be inserted in the source code.
//
printSourceInfo ("Bad indexing", GEP);
// The index arguments to the new GEP
std::vector<Value *> args;
//
// Create a copy of the GEP's indices.
//
User::op_iterator i = GEP->idx_begin();
if (i == GEP->idx_end()) continue;
args.push_back (ConstantInt::get (Int32Type, INT_MAX, true));
for (++i; i != GEP->idx_end(); ++i) {
args.push_back (*i);
}
//
// Create the new GEP instruction.
//
Value * Pointer = GEP->getPointerOperand();
Twine name = GEP->getName() + "badindex";
GetElementPtrInst * NewGEP = GetElementPtrInst::Create (Pointer,
args.begin(),
args.end(),
name,
GEP);
GEP->replaceAllUsesWith (NewGEP);
GEP->eraseFromParent();
++BadIndices;
}
return modified;
}
