Subzero: Add a flag to mock up bounds checking on unsafe references.

src/IceTargetLoweringX86BaseImpl.h

 //===- subzero/src/IceTargetLoweringX86BaseImpl.h - x86 lowering -*- C++ -*-==//
 //
 //                        The Subzero Code Generator
 //
 // This file is distributed under the University of Illinois Open Source
 // License. See LICENSE.TXT for details.
 //
 //===----------------------------------------------------------------------===//
 ///
 /// \file
@@ skipping 4048 matching lines @@
   (void)Offset; // TODO: pattern-match for non-zero offsets.
   if (Base == nullptr)
     return;
   // If the Base has more than one use or is live across multiple
   // blocks, then don't go further.  Alternatively (?), never consider
   // a transformation that would change a variable that is currently
   // *not* live across basic block boundaries into one that *is*.
   if (Func->getVMetadata()->isMultiBlock(Base) /* || Base->getUseCount() > 1*/)
     return;
 
+  const bool MockBounds = Func->getContext()->getFlags().getMockBoundsCheck();
   const VariablesMetadata *VMetadata = Func->getVMetadata();
   bool Continue = true;
   while (Continue) {
     const Inst *Reason = nullptr;
     if (matchTransitiveAssign(VMetadata, Base, Reason) ||
         matchTransitiveAssign(VMetadata, Index, Reason) ||
-        matchCombinedBaseIndex(VMetadata, Base, Index, Shift, Reason) ||
-        matchShiftedIndex(VMetadata, Index, Shift, Reason) ||
+        (!MockBounds &&
+         matchCombinedBaseIndex(VMetadata, Base, Index, Shift, Reason)) ||
+        (!MockBounds && matchShiftedIndex(VMetadata, Index, Shift, Reason)) ||
         matchOffsetBase(VMetadata, Base, Offset, Reason)) {
       dumpAddressOpt(Func, Base, Index, Shift, Offset, Reason);
     } else {
       Continue = false;
     }
 
     // Index is Index=Var<<Const && Const+Shift<=3 ==>
     //   Index=Var, Shift+=Const
 
     // Index is Index=Const*Var && log2(Const)+Shift<=3 ==>
@@ skipping 10 matching lines @@
     //   set Index=Var, Offset+=(Const<<Shift)
 
     // Index is Index=Var-Const ==>
     //   set Index=Var, Offset-=(Const<<Shift)
 
     // TODO: consider overflow issues with respect to Offset.
     // TODO: handle symbolic constants.
   }
 }
 
+/// Add a mock bounds check on the memory address before using it as a load or
+/// store operand.  The basic idea is that given a memory operand [reg], we
+/// would first add bounds-check code something like:
+///
+///   cmp reg, <lb>
+///   jl out_of_line_error
+///   cmp reg, <ub>
+///   jg out_of_line_error
+///
+/// In reality, the specific code will depend on how <lb> and <ub> are
+/// represented, e.g. an immediate, a global, or a function argument.
+///
+/// As such, we need to enforce that the memory operand does not have the form
+/// [reg1+reg2], because then there is no simple cmp instruction that would
+/// suffice.  However, we consider [reg+offset] to be OK because the offset is
+/// usually small, and so <ub> could have a safety buffer built in and then we
+/// could instead branch to a custom out_of_line_error that does the precise
+/// check and jumps back if it turns out OK.
+///
+/// For the purpose of mocking the bounds check, we'll do something like this:
+///
+///   cmp reg, 0
+///   je label
+///   cmp reg, 1
+///   je label
+///   label:
+///
+/// Also note that we don't need to add a bounds check to a dereference of a
+/// simple global variable address.
+template <class Machine>
+void TargetX86Base<Machine>::doMockBoundsCheck(Operand *Opnd) {
+  if (!Ctx->getFlags().getMockBoundsCheck())
+    return;
+  if (auto *Mem = llvm::dyn_cast<typename Traits::X86OperandMem>(Opnd)) {
+    if (Mem->getIndex()) {
+      llvm::report_fatal_error("doMockBoundsCheck: Opnd contains index reg");
+    }
+    Opnd = Mem->getBase();
+  }
+  // At this point Opnd could be nullptr, or Variable, or Constant, or perhaps
+  // something else.  We only care if it is Variable.
+  auto *Var = llvm::dyn_cast_or_null<Variable>(Opnd);
+  if (Var == nullptr)
+    return;
+  // We use lowerStore() to copy out-args onto the stack.  This creates a memory
+  // operand with the stack pointer as the base register.  Don't do bounds
+  // checks on that.
+  if (Var->getRegNum() == Traits::RegisterSet::Reg_esp)
+    return;
+
+  typename Traits::Insts::Label *Label =
+      Traits::Insts::Label::create(Func, this);
+  _cmp(Opnd, Ctx->getConstantZero(IceType_i32));
+  _br(Traits::Cond::Br_e, Label);
+  _cmp(Opnd, Ctx->getConstantInt32(1));
+  _br(Traits::Cond::Br_e, Label);
+  Context.insert(Label);
+}
+
 template <class Machine>
 void TargetX86Base<Machine>::lowerLoad(const InstLoad *Load) {
   // A Load instruction can be treated the same as an Assign instruction, after
   // the source operand is transformed into an Traits::X86OperandMem operand.
   // Note that the address mode optimization already creates an
   // Traits::X86OperandMem operand, so it doesn't need another level of
   // transformation.
   Variable *DestLoad = Load->getDest();
   Type Ty = DestLoad->getType();
   Operand *Src0 = formMemoryOperand(Load->getSourceAddress(), Ty);
+  doMockBoundsCheck(Src0);
   InstAssign *Assign = InstAssign::create(Func, DestLoad, Src0);
   lowerAssign(Assign);
 }
 
 template <class Machine> void TargetX86Base<Machine>::doAddressOptLoad() {
   Inst *Inst = Context.getCur();
   Variable *Dest = Inst->getDest();
   Operand *Addr = Inst->getSrc(0);
   Variable *Index = nullptr;
   uint16_t Shift = 0;
@@ skipping 173 matching lines @@
   _cmov(T, SrcT, Cond);
   _mov(Dest, T);
 }
 
 template <class Machine>
 void TargetX86Base<Machine>::lowerStore(const InstStore *Inst) {
   Operand *Value = Inst->getData();
   Operand *Addr = Inst->getAddr();
   typename Traits::X86OperandMem *NewAddr =
       formMemoryOperand(Addr, Value->getType());
+  doMockBoundsCheck(NewAddr);
   Type Ty = NewAddr->getType();
 
   if (!Traits::Is64Bit && Ty == IceType_i64) {
     Value = legalizeUndef(Value);
     Operand *ValueHi = legalize(hiOperand(Value), Legal_Reg | Legal_Imm);
     Operand *ValueLo = legalize(loOperand(Value), Legal_Reg | Legal_Imm);
     _store(ValueHi,
            llvm::cast<typename Traits::X86OperandMem>(hiOperand(NewAddr)));
     _store(ValueLo,
            llvm::cast<typename Traits::X86OperandMem>(loOperand(NewAddr)));
@@ skipping 334 matching lines @@
   // that follows.  This means that the original Store instruction is
   // still there, either because the value being stored is used beyond
   // the Store instruction, or because dead code elimination did not
   // happen.  In either case, we cancel RMW lowering (and the caller
   // deletes the RMW instruction).
   if (!RMW->isLastUse(RMW->getBeacon()))
     return;
   Operand *Src = RMW->getData();
   Type Ty = Src->getType();
   typename Traits::X86OperandMem *Addr = formMemoryOperand(RMW->getAddr(), Ty);
+  doMockBoundsCheck(Addr);
   if (!Traits::Is64Bit && Ty == IceType_i64) {
     Src = legalizeUndef(Src);
     Operand *SrcLo = legalize(loOperand(Src), Legal_Reg | Legal_Imm);
     Operand *SrcHi = legalize(hiOperand(Src), Legal_Reg | Legal_Imm);
     typename Traits::X86OperandMem *AddrLo =
         llvm::cast<typename Traits::X86OperandMem>(loOperand(Addr));
     typename Traits::X86OperandMem *AddrHi =
         llvm::cast<typename Traits::X86OperandMem>(hiOperand(Addr));
     switch (RMW->getOp()) {
     default:
@@ skipping 672 matching lines @@
   }
   // the offset is not eligible for blinding or pooling, return the original
   // mem operand
   return MemOperand;
 }
 
 } // end of namespace X86Internal
 } // end of namespace Ice
 
 #endif // SUBZERO_SRC_ICETARGETLOWERINGX86BASEIMPL_H