Taming Undefined Behavior in LLVM Juneyoung Lee Yoonseung Kim - - PowerPoint PPT Presentation

Taming Undefined Behavior in LLVM

Nuno P. Lopes

PLDI 2017 Barcelona

Seoul National Univ. Juneyoung Lee Yoonseung Kim Youngju Song Chung-Kil Hur Azul Systems Sanjoy Das Google John Regehr University of Utah David Majnemer Microsoft Research

/ 21

What this talk is about

• A compiler IR (Intermediate Representation)

can be designed to allow more optimizations by supporting “undefined behaviors (UBs)”

• LLVM IR’s UB model
• Complicated
• Invalidates some textbook optimizations
• Our new UB model
• Simpler
• Can validate textbook optimizations (and more)

2

/ 21

Undefined Behavior (UB) & Problems

3

/ 21

int* p int a int b

Peephole Optimization

• utput(p + a > p + b)
• utput(a > b)

IR IR

4

Motivation for UB

/ 21

int* p int a int b

Peephole Optimization

• utput(p + a > p + b)
• utput(a > b)

IR IR

0x100 0x100 0xFFFFFF00

4

Motivation for UB

/ 21

int* p int a int b

Peephole Optimization

• utput(p + a > p + b)
• utput(a > b)

IR IR

0x0 (Overflow!)

0x100 0x100 0xFFFFFF00

4

Motivation for UB

/ 21

int* p int a int b

Peephole Optimization

• utput(p + a > p + b)
• utput(a > b)

IR IR

false

0x0 (Overflow!)

0x100 0x100 0xFFFFFF00

4

Motivation for UB

/ 21

int* p int a int b

Peephole Optimization

• utput(p + a > p + b)
• utput(a > b)

IR IR

false true

0x0 (Overflow!)

0x100 0x100 0xFFFFFF00

4

Motivation for UB

/ 21

int* p int a int b

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior

Peephole Optimization

• utput(p + a > p + b)
• utput(a > b)

IR IR

false true

0x0 (Overflow!)

0x100 0x100 0xFFFFFF00

4

UB

Motivation for UB

/ 21

Loop Invariant Code Motion

5

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior

Problems with UB

/ 21

Loop Invariant Code Motion

5

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

0xFFFFFF00 0xFFFFFF00

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior

Problems with UB

/ 21

Loop Invariant Code Motion

5

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

0xFFFFFF00 0xFFFFFF00 Overflow!

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior

Problems with UB

/ 21

Loop Invariant Code Motion

5

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

0xFFFFFF00 0xFFFFFF00 Overflow!

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior

UB

Problems with UB

/ 21

Existing Approaches

6

/ 21

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior

Poison Value: A Deferred UB

7

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

0xFFFFFF00 0xFFFFFF00 Overflow!

UB

/ 21

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value”

Poison Value: A Deferred UB

7

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

0xFFFFFF00 0xFFFFFF00 Overflow! poison

UB

/ 21

Simple UB Model: Pointer Arithmetic Overflow is Undefined Behavior LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value”

Poison Value: A Deferred UB

7

... for(i=0; i<n; ++i) { a[i] = p + 0x100 } q = p + 0x100 for(i=0; i<n; ++i) { a[i] = q }

IR IR

0xFFFFFF00 0xFFFFFF00 Overflow! poison

UB

/ 21

LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value”

Poison Value: A Deferred UB

• utput(p + a > p + b)
• utput(a > b)

IR IR

0xFFFFFF00 0x100 0x100 0

8

UB

0x0 (Overflow!)

/ 21

LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value”

Poison Value: A Deferred UB

• utput(p + a > p + b)
• utput(a > b)

IR IR

0xFFFFFF00 0x100 0x100 0

8

UB

0x0 (Overflow!)

Poison

/ 21

LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value”

Poison Value: A Deferred UB

• utput(p + a > p + b)
• utput(a > b)

IR IR

0xFFFFFF00 0x100 0x100 0

8

UB

0x0 (Overflow!)

Poison

/ 21

LLVM’s UB Model: Pointer Arithmetic Overflow is A Poison “Value”

Poison Value: A Deferred UB

• utput(p + a > p + b)
• utput(a > b)

IR IR

0xFFFFFF00 0x100 0x100 0

8

UB UB

0x0 (Overflow!)

Poison

/ 21

Summary of Poison

9

p a p b + + >

• utput

0xFFFFFF00 0x100

/ 21

Summary of Poison

9

p a p b + + >

• utput

0xFFFFFF00 0x100

poison

/ 21

Summary of Poison

9

p a p b + + >

• utput

0xFFFFFF00 0x100

poison poison

Propagate

/ 21

Summary of Poison

9

p a p b + + >

• utput

0xFFFFFF00 0x100

poison poison

Propagate Raise UB

UB

/ 21

Summary of Poison

9

p a p b + + >

• utput

0xFFFFFF00 0x100

poison poison

Propagate Raise UB

“Poison is Sometimes Too Poisonous” UB

/ 21

LLVM’s UB Model: Branching on poison is ???

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

Global Value Numbering (GVN)

Problems with LLVM’s UB

/ 21

LLVM’s UB Model: Branching on poison is ???

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

/ 21

LLVM’s UB Model: Branching on poison is ???

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

/ 21

LLVM’s UB Model: Branching on poison is ???

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

/ 21

LLVM’s UB Model: Branching on poison is ???

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison poison poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

/ 21

LLVM’s UB Model: Branching on poison is ???

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison poison poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

UB

/ 21

LLVM’s UB Model: Branching on poison is ??? LLVM’s UB Model: Branching on poison is Undefined Behavior

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison poison poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

UB

/ 21

LLVM’s UB Model: Branching on poison is ??? LLVM’s UB Model: Branching on poison is Undefined Behavior

10

if (x == y) { .. use x .. } if (x == y) { .. use y .. }

poison poison poison poison poison

Global Value Numbering (GVN)

Problems with LLVM’s UB

UB UB

/ 21

Loop Unswitching (LU)

11

while (n > 0) { if (cond) A else B } if (cond) while (n > 0) { A } else while (n > 0) { B }

LLVM’s UB Model: Branching on poison is Undefined Behavior

Problems with LLVM’s UB

/ 21

Loop Unswitching (LU)

11

while (n > 0) { if (cond) A else B } if (cond) while (n > 0) { A } else while (n > 0) { B }

poison poison LLVM’s UB Model: Branching on poison is Undefined Behavior

Problems with LLVM’s UB

/ 21

Loop Unswitching (LU)

11

while (n > 0) { if (cond) A else B } if (cond) while (n > 0) { A } else while (n > 0) { B }

poison poison LLVM’s UB Model: Branching on poison is Undefined Behavior

Problems with LLVM’s UB

UB

/ 21

Inconsistency in LLVM

• GVN + LU is inconsistent.
• We found a miscompilation bug in LLVM

due to the inconsistency (LLVM Bugzilla 31652).

• It is being discussed in the community
• No solution has been found yet

12

/ 21

Our Approach

13

/ 21

Overview

14

Existing Approaches

Defined values

• Undef. values

Poison values

Can’t Control Poison

GVN + LU

More Defined Complex Inconsistent

UB

/ 21

Overview

14

𝒈𝒔𝒇𝒇𝒜𝒇

Existing Approaches Our Approach

Defined values

• Undef. values

Poison values Defined values Poison values

Can’t Control Poison

GVN + LU

More Defined Complex Inconsistent Simpler

UB UB

/ 21

Overview

14

𝒈𝒔𝒇𝒇𝒜𝒇

Existing Approaches Our Approach

Defined values

• Undef. values

Poison values Defined values Poison values

Can’t Control Poison

GVN + LU

More Defined Can Control Poison Complex Inconsistent Simpler

UB UB

/ 21

Overview

14

𝒈𝒔𝒇𝒇𝒜𝒇

Existing Approaches Our Approach

Defined values

• Undef. values

Poison values Defined values Poison values

Can’t Control Poison

GVN + LU

More Defined Can Control Poison Complex Inconsistent Simpler Consistent

UB UB

/ 21

Key Idea: “Freeze”

• Introduce a new instruction
• Semantics:

15

y = freeze x When x is a defined value: When x is a poison value: freeze x freeze x

1 2 . . .

x

• Nondet. Choice of

A Defined Value

/ 21

Our UB Model: Branching on poison is Undefined Behavior poison

if (freeze(cond)) while (n > 0) { A } else while (n > 0) { B } (cond)

16

while (n > 0) { if (cond) A else B }

Our Solution

Loop Unswitching

UB

/ 21

Our UB Model: Branching on poison is Undefined Behavior

if (freeze(cond)) while (n > 0) { A } else while (n > 0) { B }

poison

16

while (n > 0) { if (cond) A else B }

Our Solution

Loop Unswitching

UB

/ 21

Our UB Model: Branching on poison is Undefined Behavior

if (freeze(cond)) while (n > 0) { A } else while (n > 0) { B }

poison

16

while (n > 0) { if (cond) A else B }

true false

Our Solution

Loop Unswitching

UB

/ 21

Our UB Model: Branching on poison is Undefined Behavior

if (freeze(cond)) while (n > 0) { A } else while (n > 0) { B }

poison

16

while (n > 0) { if (cond) A else B }

true false

Our Solution

Loop Unswitching

UB

/ 21

Summary of Freeze

• Branching on freeze(poison) => Nondet.
• Used for Loop Unswitching
• Branching on poison => UB
• Used for Global Value Numbering

17

Compilers can control poison!

/ 21

Summary of Freeze

• Branching on freeze(poison) => Nondet.
• Used for Loop Unswitching
• Branching on poison => UB
• Used for Global Value Numbering

17

Compilers can control poison!

Freeze can also fix many other UB-related problems.

/ 21

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

/ 21

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison

/ 21

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison poison

/ 21

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison poison

/ 21

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison

UB

poison poison

/ 21

LLVM does not currently support it.

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison

UB

poison poison

/ 21

LLVM does not currently support it.

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t)

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison

/ 21

LLVM does not currently support it.

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t) freeze(x) | 0x1

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison

/ 21

LLVM does not currently support it.

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t) freeze(x) | 0x1

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison

A defined value

/ 21

LLVM does not currently support it.

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t) freeze(x) | 0x1

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison

A defined value non-zero

/ 21

LLVM does not currently support it. Freeze can make LLVM support it!

// bitwise-or k = x | 0x1 t = 100 / k while (n > 0) use(t) freeze(x) | 0x1

18

// bitwise-or k = x | 0x1 while (n > 0) use(100 / k)

Hoisting Division

Further Example

poison poison poison

A defined value non-zero

/ 21

Implementation

• Target: LLVM 4.0 RC 4 (Mar. 2017)
• Add Freeze instruction to LLVM IR
• Bug Fixes Using Freeze
• Loop Unswitching Optimization
• C Bitfield Translation to LLVM IR
• InstCombine Optimizations

19

* More details are given in the paper

/ 21

Experiment Results

• Benchmarks (4.6M LOC):
• SPEC CPU2006
• LLVM Nightly Test
• Large Single File Benchmarks
• Compilation Time: ± 1%
• Compilation Memory Usage: Max + 2%
• Generated Code Size: ± 0.5%
• Execution Time: ± 3%

20

* More details are given in the paper

/ 21

Experiment Results

• Benchmarks (4.6M LOC):
• SPEC CPU2006
• LLVM Nightly Test
• Large Single File Benchmarks
• Compilation Time: ± 1%
• Compilation Memory Usage: Max + 2%
• Generated Code Size: ± 0.5%
• Execution Time: ± 3%

20

* More details are given in the paper

“Freeze” Can Fix UB Semantics Without Significant Performance Penalty

/ 21

Conclusion

• Modern compilers’ UB models cannot support

some textbook optimizations.

• We propose “freeze” to fix such problems.
• Freeze has little impact on performance.

21