Start a whitelist of intrinsics for the PNaCl ABI checker.

lib/Analysis/NaCl/PNaClABIVerifyModule.cpp

 //===- PNaClABIVerifyModule.cpp - Verify PNaCl ABI rules --------===//
 //
 //                     The LLVM Compiler Infrastructure
 //
 // This file is distributed under the University of Illinois Open Source
 // License. See LICENSE.TXT for details.
 //
 //===----------------------------------------------------------------------===//
 //
 // Verify module-level PNaCl ABI requirements (specifically those that do not
 // require looking at the function bodies)
 //
 //
 //===----------------------------------------------------------------------===//
 
 #include "llvm/Pass.h"
 #include "llvm/ADT/Twine.h"
 #include "llvm/Analysis/NaCl.h"
 #include "llvm/IR/DerivedTypes.h"
+#include "llvm/IR/Intrinsics.h"
 #include "llvm/IR/Module.h"
+#include "llvm/Support/Debug.h"
 #include "llvm/Support/raw_ostream.h"
 
 #include "PNaClABITypeChecker.h"
 using namespace llvm;
 
 namespace llvm {
 cl::opt<bool>
 PNaClABIAllowDebugMetadata("pnaclabi-allow-debug-metadata",
   cl::desc("Allow debug metadata during PNaCl ABI verification."),
   cl::init(false));
+
 }
 
+static cl::opt<bool>
+PNaClABIAllowDevIntrinsics("pnaclabi-allow-dev-intrinsics",
+  cl::desc("Allow all LLVM intrinsics duing PNaCl ABI verification."),

[eliben, 2013/05/07 17:49:36]

duing

[jvoung (off chromium), 2013/05/07 21:24:41]

Done.

+  cl::init(true));  // TODO(jvoung): Make this false by default.
+
 namespace {
 // This pass should not touch function bodies, to stay streaming-friendly
 class PNaClABIVerifyModule : public ModulePass {
  public:
   static char ID;
   PNaClABIVerifyModule() :
       ModulePass(ID),
       Reporter(new PNaClABIErrorReporter),
       ReporterIsOwned(true) {
     initializePNaClABIVerifyModulePass(*PassRegistry::getPassRegistry());
   }
   explicit PNaClABIVerifyModule(PNaClABIErrorReporter *Reporter_) :
       ModulePass(ID),
       Reporter(Reporter_),
       ReporterIsOwned(false) {
     initializePNaClABIVerifyModulePass(*PassRegistry::getPassRegistry());
   }
   ~PNaClABIVerifyModule() {
     if (ReporterIsOwned)
       delete Reporter;
   }
   bool runOnModule(Module &M);
   virtual void print(raw_ostream &O, const Module *M) const;
  private:
   void CheckGlobalValueCommon(const GlobalValue *GV);
+  bool IsWhitelistedIntrinsic(const Function* F, unsigned ID);
   bool IsWhitelistedMetadata(const NamedMDNode *MD);
   PNaClABITypeChecker TC;
   PNaClABIErrorReporter *Reporter;
   bool ReporterIsOwned;
 };
 
 static const char *linkageName(GlobalValue::LinkageTypes LT) {
   // This logic is taken from PrintLinkage in lib/VMCore/AsmWriter.cpp
   switch (LT) {
     case GlobalValue::ExternalLinkage: return "external";
@@ skipping 38 matching lines @@
       Reporter->addError() << GVTypeName << GV->getName()
                            << " has disallowed linkage type: "
                            << linkageName(GV->getLinkage()) << "\n";
   }
   if (GV->hasSection()) {
     Reporter->addError() << GVTypeName << GV->getName() <<
         " has disallowed \"section\" attribute\n";
   }
 }
 
+bool PNaClABIVerifyModule::IsWhitelistedIntrinsic(const Function* F,
+                                                  unsigned ID) {
+  // Keep 3 categories of intrinsics for now.
+  // (1) Allowed always
+  // (2) Never allowed
+  // (3) "Dev" intrinsics, which may or may not be allowed.
+  // "Dev" intrinsics are controlled by the PNaClABIAllowDevIntrinsics flag.
+  // Please keep these sorted within each category.
+  switch(ID) {
+    default: {
+      StringRef name = F->getName();
+      // Disallow target-specific intrinsics
+      // (see list of target TD includes in Intrinsics.td).
+      if (name.startswith("llvm.arm.")
+          || name.startswith("llvm.hexagon.")
+          || name.startswith("llvm.mips.")
+          || name.startswith("llvm.nvvm.")
+          || name.startswith("llvm.ppc.")
+          || name.startswith("llvm.r600.")
+          || name.startswith("llvm.x86.")
+          || name.startswith("llvm.xcore.")) {
+        return false;
+      } else {
+        DEBUG(dbgs() << "Unknown intrinsic: " << F->getName() << "\n");

[eliben, 2013/05/07 17:49:36]

Again, I'm not sure why we can't:

Detect (1) and (3) in the switch, leaving the rest to 'default'. Are there very
many intrinsics in (3) ?

[jvoung (off chromium), 2013/05/07 21:24:41]

Added the list of stuff triggered by our scons + gcc + llvm nightly + spec
tests.

+        // TODO(jvoung): Dev intrinsics should be listed out, instead
+        // of being caught by the default case.
+        return PNaClABIAllowDevIntrinsics;
+      }
+    }
+    // (1) Always allowed.
+    case Intrinsic::invariant_end:
+    case Intrinsic::invariant_start:
+    case Intrinsic::lifetime_end:
+    case Intrinsic::lifetime_start:
+    case Intrinsic::memcpy:
+    case Intrinsic::memmove:
+    case Intrinsic::memset:
+    case Intrinsic::nacl_read_tp:
+    case Intrinsic::trap:
+      return true;
+    // (2) Never allowed.
+    case Intrinsic::not_intrinsic:
+    // Trampoline intrinsics depend on target-specific-sized buffer.
+    // Perhaps if the allocator was target-independent, then this could
+    // be accepted.
+    case Intrinsic::adjust_trampoline:
+    case Intrinsic::init_trampoline:
+    // Var-args code is expanded out, so we shouldn't need va_arg intrinsics.
+    case Intrinsic::vacopy:
+    case Intrinsic::vaend:
+    case Intrinsic::vastart:
+      return false;
+    // (3) Dev intrinsics.
+    case Intrinsic::dbg_declare:
+    case Intrinsic::dbg_value:
+    case Intrinsic::frameaddress: // Support for 0-level or not?
+    case Intrinsic::returnaddress: // Support for 0-level or not?
+      return PNaClABIAllowDevIntrinsics || PNaClABIAllowDebugMetadata;
+  }
+}
+
 bool PNaClABIVerifyModule::IsWhitelistedMetadata(const NamedMDNode* MD) {
   return MD->getName().startswith("llvm.dbg.") && PNaClABIAllowDebugMetadata;
 }
 
 bool PNaClABIVerifyModule::runOnModule(Module &M) {
   for (Module::const_global_iterator MI = M.global_begin(), ME = M.global_end();
        MI != ME; ++MI) {
     // Check types of global variables and their initializers
     if (!TC.isValidType(MI->getType())) {
       // GVs are pointers, so print the pointed-to type for clarity
@@ skipping 20 matching lines @@
   }
 
   // No aliases allowed for now.
   for (Module::alias_iterator MI = M.alias_begin(),
            E = M.alias_end(); MI != E; ++MI) {
     Reporter->addError() << "Variable " << MI->getName() <<
         " is an alias (disallowed)\n";
   }
 
   for (Module::const_iterator MI = M.begin(), ME = M.end(); MI != ME; ++MI) {
+    // Check intrinsics.
+    if (MI->isIntrinsic()) {

[eliben, 2013/05/07 17:49:36]

Any reason not to combine into a single condition?

[jvoung (off chromium), 2013/05/07 21:24:41]

Done.

+      if (!IsWhitelistedIntrinsic(MI, MI->getIntrinsicID())) {
+        Reporter->addError() << "Function " << MI->getName()
+                             << " is a disallowed LLVM intrinsic\n";
+      }
+    }
+
     // Check types of functions and their arguments
     FunctionType *FT = MI->getFunctionType();
     if (!TC.isValidType(FT->getReturnType())) {
       Reporter->addError() << "Function " << MI->getName() <<
           " has disallowed return type: " <<
           PNaClABITypeChecker::getTypeName(FT->getReturnType()) << "\n";
     }
     for (unsigned I = 0, E = FT->getNumParams(); I < E; ++I) {
       Type *PT = FT->getParamType(I);
       if (!TC.isValidType(PT)) {
@@ skipping 49 matching lines @@
 }
 
 char PNaClABIVerifyModule::ID = 0;
 INITIALIZE_PASS(PNaClABIVerifyModule, "verify-pnaclabi-module",
                 "Verify module for PNaCl", false, true)
 
 ModulePass *llvm::createPNaClABIVerifyModulePass(
     PNaClABIErrorReporter *Reporter) {
   return new PNaClABIVerifyModule(Reporter);
 }