tinygo/compiler/asserts.go

package compiler

// This file implements functions that do certain safety checks that are
// required by the Go programming language.

import (
	"go/types"

	"tinygo.org/x/go-llvm"
)

// emitLookupBoundsCheck emits a bounds check before doing a lookup into a
// slice. This is required by the Go language spec: an index out of bounds must
// cause a panic.
func (c *Compiler) emitLookupBoundsCheck(frame *Frame, arrayLen, index llvm.Value, indexType types.Type) {
	if frame.fn.IsNoBounds() {
		// The //go:nobounds pragma was added to the function to avoid bounds
		// checking.
		return
	}

	if index.Type().IntTypeWidth() < arrayLen.Type().IntTypeWidth() {
		// Sometimes, the index can be e.g. an uint8 or int8, and we have to
		// correctly extend that type.
		if indexType.Underlying().(*types.Basic).Info()&types.IsUnsigned == 0 {
			index = c.builder.CreateZExt(index, arrayLen.Type(), "")
		} else {
			index = c.builder.CreateSExt(index, arrayLen.Type(), "")
		}
	} else if index.Type().IntTypeWidth() > arrayLen.Type().IntTypeWidth() {
		// The index is bigger than the array length type, so extend it.
		arrayLen = c.builder.CreateZExt(arrayLen, index.Type(), "")
	}

	faultBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "lookup.outofbounds")
	nextBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "lookup.next")
	frame.blockExits[frame.currentBlock] = nextBlock // adjust outgoing block for phi nodes

	// Now do the bounds check: index >= arrayLen
	outOfBounds := c.builder.CreateICmp(llvm.IntUGE, index, arrayLen, "")
	c.builder.CreateCondBr(outOfBounds, faultBlock, nextBlock)

	// Fail: this is a nil pointer, exit with a panic.
	c.builder.SetInsertPointAtEnd(faultBlock)
	c.createRuntimeCall("lookupPanic", nil, "")
	c.builder.CreateUnreachable()

	// Ok: this is a valid pointer.
	c.builder.SetInsertPointAtEnd(nextBlock)
}

// emitSliceBoundsCheck emits a bounds check before a slicing operation to make
// sure it is within bounds.
//
// This function is both used for slicing a slice (low and high have their
// normal meaning) and for creating a new slice, where 'capacity' means the
// biggest possible slice capacity, 'low' means len and 'high' means cap. The
// logic is the same in both cases.
func (c *Compiler) emitSliceBoundsCheck(frame *Frame, capacity, low, high, max llvm.Value, lowType, highType, maxType *types.Basic) {
	if frame.fn.IsNoBounds() {
		// The //go:nobounds pragma was added to the function to avoid bounds
		// checking.
		return
	}

	// Extend the capacity integer to be at least as wide as low and high.
	capacityType := capacity.Type()
	if low.Type().IntTypeWidth() > capacityType.IntTypeWidth() {
		capacityType = low.Type()
	}
	if high.Type().IntTypeWidth() > capacityType.IntTypeWidth() {
		capacityType = high.Type()
	}
	if max.Type().IntTypeWidth() > capacityType.IntTypeWidth() {
		capacityType = max.Type()
	}
	if capacityType != capacity.Type() {
		capacity = c.builder.CreateZExt(capacity, capacityType, "")
	}

	// Extend low and high to be the same size as capacity.
	if low.Type().IntTypeWidth() < capacityType.IntTypeWidth() {
		if lowType.Info()&types.IsUnsigned != 0 {
			low = c.builder.CreateZExt(low, capacityType, "")
		} else {
			low = c.builder.CreateSExt(low, capacityType, "")
		}
	}
	if high.Type().IntTypeWidth() < capacityType.IntTypeWidth() {
		if highType.Info()&types.IsUnsigned != 0 {
			high = c.builder.CreateZExt(high, capacityType, "")
		} else {
			high = c.builder.CreateSExt(high, capacityType, "")
		}
	}
	if max.Type().IntTypeWidth() < capacityType.IntTypeWidth() {
		if maxType.Info()&types.IsUnsigned != 0 {
			max = c.builder.CreateZExt(max, capacityType, "")
		} else {
			max = c.builder.CreateSExt(max, capacityType, "")
		}
	}

	faultBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "slice.outofbounds")
	nextBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "slice.next")
	frame.blockExits[frame.currentBlock] = nextBlock // adjust outgoing block for phi nodes

	// Now do the bounds check: low > high || high > capacity
	outOfBounds1 := c.builder.CreateICmp(llvm.IntUGT, low, high, "slice.lowhigh")
	outOfBounds2 := c.builder.CreateICmp(llvm.IntUGT, high, max, "slice.highmax")
	outOfBounds3 := c.builder.CreateICmp(llvm.IntUGT, max, capacity, "slice.maxcap")
	outOfBounds := c.builder.CreateOr(outOfBounds1, outOfBounds2, "slice.lowmax")
	outOfBounds = c.builder.CreateOr(outOfBounds, outOfBounds3, "slice.lowcap")
	c.builder.CreateCondBr(outOfBounds, faultBlock, nextBlock)

	// Fail: this is a nil pointer, exit with a panic.
	c.builder.SetInsertPointAtEnd(faultBlock)
	c.createRuntimeCall("slicePanic", nil, "")
	c.builder.CreateUnreachable()

	// Ok: this is a valid pointer.
	c.builder.SetInsertPointAtEnd(nextBlock)
}

// emitNilCheck checks whether the given pointer is nil, and panics if it is. It
// has no effect in well-behaved programs, but makes sure no uncaught nil
// pointer dereferences exist in valid Go code.
func (c *Compiler) emitNilCheck(frame *Frame, ptr llvm.Value, blockPrefix string) {
	// Check whether we need to emit this check at all.
	if !ptr.IsAGlobalValue().IsNil() {
		return
	}

	// Check whether this is a nil pointer.
	faultBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, blockPrefix+".nil")
	nextBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, blockPrefix+".next")
	frame.blockExits[frame.currentBlock] = nextBlock // adjust outgoing block for phi nodes

	// Compare against nil.
	var isnil llvm.Value
	if ptr.Type().PointerAddressSpace() == 0 {
		// Do the nil check using the isnil builtin, which marks the parameter
		// as nocapture.
		// The reason it has to go through a builtin, is that a regular icmp
		// instruction may capture the pointer in LLVM semantics, see
		// https://reviews.llvm.org/D60047 for details. Pointer capturing
		// unfortunately breaks escape analysis, so we use this trick to let the
		// functionattr pass know that this pointer doesn't really escape.
		ptr = c.builder.CreateBitCast(ptr, c.i8ptrType, "")
		isnil = c.createRuntimeCall("isnil", []llvm.Value{ptr}, "")
	} else {
		// Do the nil check using a regular icmp. This can happen with function
		// pointers on AVR, which don't benefit from escape analysis anyway.
		nilptr := llvm.ConstPointerNull(ptr.Type())
		isnil = c.builder.CreateICmp(llvm.IntEQ, ptr, nilptr, "")
	}
	c.builder.CreateCondBr(isnil, faultBlock, nextBlock)

	// Fail: this is a nil pointer, exit with a panic.
	c.builder.SetInsertPointAtEnd(faultBlock)
	c.createRuntimeCall("nilPanic", nil, "")
	c.builder.CreateUnreachable()

	// Ok: this is a valid pointer.
	c.builder.SetInsertPointAtEnd(nextBlock)
}
compiler: implement nil checks This commit implements nil checks for all platforms. These nil checks can be optimized on systems with a MMU, but since a major target is systems without MMU, keep it this way for now. It implements three checks: * Nil checks before dereferencing a pointer. * Nil checks before calculating an address (ssa.FieldAddr and ssa.IndexAddr) * Nil checks before calling a function pointer. The first check has by far the biggest impact, with around 5% increase in code size. The other checks only trigger in only some test cases and have a minimal impact on code size. This first nil check is also the one that is easiest to avoid on systems with MMU, if necessary. 6 years ago			`package compiler`

			`// This file implements functions that do certain safety checks that are`
			`// required by the Go programming language.`

			`import (`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`"go/types"`

compiler: implement nil checks This commit implements nil checks for all platforms. These nil checks can be optimized on systems with a MMU, but since a major target is systems without MMU, keep it this way for now. It implements three checks: * Nil checks before dereferencing a pointer. * Nil checks before calculating an address (ssa.FieldAddr and ssa.IndexAddr) * Nil checks before calling a function pointer. The first check has by far the biggest impact, with around 5% increase in code size. The other checks only trigger in only some test cases and have a minimal impact on code size. This first nil check is also the one that is easiest to avoid on systems with MMU, if necessary. 6 years ago			`"tinygo.org/x/go-llvm"`
			`)`

compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`// emitLookupBoundsCheck emits a bounds check before doing a lookup into a`
			`// slice. This is required by the Go language spec: an index out of bounds must`
			`// cause a panic.`
			`func (c Compiler) emitLookupBoundsCheck(frame Frame, arrayLen, index llvm.Value, indexType types.Type) {`
			`if frame.fn.IsNoBounds() {`
			`// The //go:nobounds pragma was added to the function to avoid bounds`
			`// checking.`
			`return`
			`}`

			`if index.Type().IntTypeWidth() < arrayLen.Type().IntTypeWidth() {`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`// Sometimes, the index can be e.g. an uint8 or int8, and we have to`
			`// correctly extend that type.`
compiler: support constant indices with a named type 5 years ago			`if indexType.Underlying().(*types.Basic).Info()&types.IsUnsigned == 0 {`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`index = c.builder.CreateZExt(index, arrayLen.Type(), "")`
			`} else {`
			`index = c.builder.CreateSExt(index, arrayLen.Type(), "")`
			`}`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`} else if index.Type().IntTypeWidth() > arrayLen.Type().IntTypeWidth() {`
			`// The index is bigger than the array length type, so extend it.`
			`arrayLen = c.builder.CreateZExt(arrayLen, index.Type(), "")`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`}`

compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`faultBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "lookup.outofbounds")`
			`nextBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "lookup.next")`
			`frame.blockExits[frame.currentBlock] = nextBlock // adjust outgoing block for phi nodes`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`// Now do the bounds check: index >= arrayLen`
			`outOfBounds := c.builder.CreateICmp(llvm.IntUGE, index, arrayLen, "")`
			`c.builder.CreateCondBr(outOfBounds, faultBlock, nextBlock)`

			`// Fail: this is a nil pointer, exit with a panic.`
			`c.builder.SetInsertPointAtEnd(faultBlock)`
compiler,runtime: make panic functions camelCase Rename panic functions to be runtime.nilPanic, runtime.lookupPanic, and runtime.slicePanic. 6 years ago			`c.createRuntimeCall("lookupPanic", nil, "")`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`c.builder.CreateUnreachable()`

			`// Ok: this is a valid pointer.`
			`c.builder.SetInsertPointAtEnd(nextBlock)`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`}`

			`// emitSliceBoundsCheck emits a bounds check before a slicing operation to make`
			`// sure it is within bounds.`
compiler: fix MakeSlice bounds check and casting 6 years ago			`//`
			`// This function is both used for slicing a slice (low and high have their`
			`// normal meaning) and for creating a new slice, where 'capacity' means the`
			`// biggest possible slice capacity, 'low' means len and 'high' means cap. The`
			`// logic is the same in both cases.`
compiler: implement full slice expression This feature was introduced in Go 1.2 and is used by some standard library packages. 5 years ago			`func (c Compiler) emitSliceBoundsCheck(frame Frame, capacity, low, high, max llvm.Value, lowType, highType, maxType *types.Basic) {`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`if frame.fn.IsNoBounds() {`
			`// The //go:nobounds pragma was added to the function to avoid bounds`
			`// checking.`
			`return`
			`}`

compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`// Extend the capacity integer to be at least as wide as low and high.`
			`capacityType := capacity.Type()`
			`if low.Type().IntTypeWidth() > capacityType.IntTypeWidth() {`
			`capacityType = low.Type()`
			`}`
			`if high.Type().IntTypeWidth() > capacityType.IntTypeWidth() {`
			`capacityType = high.Type()`
			`}`
compiler: implement full slice expression This feature was introduced in Go 1.2 and is used by some standard library packages. 5 years ago			`if max.Type().IntTypeWidth() > capacityType.IntTypeWidth() {`
			`capacityType = max.Type()`
			`}`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`if capacityType != capacity.Type() {`
			`capacity = c.builder.CreateZExt(capacity, capacityType, "")`
			`}`

			`// Extend low and high to be the same size as capacity.`
			`if low.Type().IntTypeWidth() < capacityType.IntTypeWidth() {`
			`if lowType.Info()&types.IsUnsigned != 0 {`
			`low = c.builder.CreateZExt(low, capacityType, "")`
			`} else {`
			`low = c.builder.CreateSExt(low, capacityType, "")`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`}`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`}`
			`if high.Type().IntTypeWidth() < capacityType.IntTypeWidth() {`
			`if highType.Info()&types.IsUnsigned != 0 {`
			`high = c.builder.CreateZExt(high, capacityType, "")`
			`} else {`
			`high = c.builder.CreateSExt(high, capacityType, "")`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`}`
			`}`
compiler: implement full slice expression This feature was introduced in Go 1.2 and is used by some standard library packages. 5 years ago			`if max.Type().IntTypeWidth() < capacityType.IntTypeWidth() {`
			`if maxType.Info()&types.IsUnsigned != 0 {`
			`max = c.builder.CreateZExt(max, capacityType, "")`
			`} else {`
			`max = c.builder.CreateSExt(max, capacityType, "")`
			`}`
			`}`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago
			`faultBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "slice.outofbounds")`
			`nextBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, "slice.next")`
			`frame.blockExits[frame.currentBlock] = nextBlock // adjust outgoing block for phi nodes`

			`// Now do the bounds check: low > high \|\| high > capacity`
			`outOfBounds1 := c.builder.CreateICmp(llvm.IntUGT, low, high, "slice.lowhigh")`
compiler: implement full slice expression This feature was introduced in Go 1.2 and is used by some standard library packages. 5 years ago			`outOfBounds2 := c.builder.CreateICmp(llvm.IntUGT, high, max, "slice.highmax")`
			`outOfBounds3 := c.builder.CreateICmp(llvm.IntUGT, max, capacity, "slice.maxcap")`
			`outOfBounds := c.builder.CreateOr(outOfBounds1, outOfBounds2, "slice.lowmax")`
			`outOfBounds = c.builder.CreateOr(outOfBounds, outOfBounds3, "slice.lowcap")`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`c.builder.CreateCondBr(outOfBounds, faultBlock, nextBlock)`

			`// Fail: this is a nil pointer, exit with a panic.`
			`c.builder.SetInsertPointAtEnd(faultBlock)`
compiler,runtime: make panic functions camelCase Rename panic functions to be runtime.nilPanic, runtime.lookupPanic, and runtime.slicePanic. 6 years ago			`c.createRuntimeCall("slicePanic", nil, "")`
compiler: inline slice bounds checking This improves code size in all tests by about 1% and up to 5% in some cases, likely because LLVM can better reason about inline bounds checks. 6 years ago			`c.builder.CreateUnreachable()`

			`// Ok: this is a valid pointer.`
			`c.builder.SetInsertPointAtEnd(nextBlock)`
compiler: refactor slice related asserts Move these asserts into compiler/asserts.go, to keep them together. The make([]T) asserts aren't moved yet because that code is (still!) quite ugly and in need of some clean up. 6 years ago			`}`

compiler: implement nil checks This commit implements nil checks for all platforms. These nil checks can be optimized on systems with a MMU, but since a major target is systems without MMU, keep it this way for now. It implements three checks: * Nil checks before dereferencing a pointer. * Nil checks before calculating an address (ssa.FieldAddr and ssa.IndexAddr) * Nil checks before calling a function pointer. The first check has by far the biggest impact, with around 5% increase in code size. The other checks only trigger in only some test cases and have a minimal impact on code size. This first nil check is also the one that is easiest to avoid on systems with MMU, if necessary. 6 years ago			`// emitNilCheck checks whether the given pointer is nil, and panics if it is. It`
			`// has no effect in well-behaved programs, but makes sure no uncaught nil`
			`// pointer dereferences exist in valid Go code.`
			`func (c Compiler) emitNilCheck(frame Frame, ptr llvm.Value, blockPrefix string) {`
compiler: avoid some obviously false nil checks Pointers to globals are never nil. 6 years ago			`// Check whether we need to emit this check at all.`
			`if !ptr.IsAGlobalValue().IsNil() {`
			`return`
			`}`

compiler: implement nil checks This commit implements nil checks for all platforms. These nil checks can be optimized on systems with a MMU, but since a major target is systems without MMU, keep it this way for now. It implements three checks: * Nil checks before dereferencing a pointer. * Nil checks before calculating an address (ssa.FieldAddr and ssa.IndexAddr) * Nil checks before calling a function pointer. The first check has by far the biggest impact, with around 5% increase in code size. The other checks only trigger in only some test cases and have a minimal impact on code size. This first nil check is also the one that is easiest to avoid on systems with MMU, if necessary. 6 years ago			`// Check whether this is a nil pointer.`
			`faultBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, blockPrefix+".nil")`
			`nextBlock := c.ctx.AddBasicBlock(frame.fn.LLVMFn, blockPrefix+".next")`
			`frame.blockExits[frame.currentBlock] = nextBlock // adjust outgoing block for phi nodes`

			`// Compare against nil.`
compiler: fix escapes due to nil checks Some tests get bigger, most get smaller. However, all tested driver examples get smaller in size showing that this is a good change in the real world. 6 years ago			`var isnil llvm.Value`
			`if ptr.Type().PointerAddressSpace() == 0 {`
			`// Do the nil check using the isnil builtin, which marks the parameter`
			`// as nocapture.`
			`// The reason it has to go through a builtin, is that a regular icmp`
			`// instruction may capture the pointer in LLVM semantics, see`
			`// https://reviews.llvm.org/D60047 for details. Pointer capturing`
			`// unfortunately breaks escape analysis, so we use this trick to let the`
			`// functionattr pass know that this pointer doesn't really escape.`
			`ptr = c.builder.CreateBitCast(ptr, c.i8ptrType, "")`
			`isnil = c.createRuntimeCall("isnil", []llvm.Value{ptr}, "")`
			`} else {`
			`// Do the nil check using a regular icmp. This can happen with function`
			`// pointers on AVR, which don't benefit from escape analysis anyway.`
			`nilptr := llvm.ConstPointerNull(ptr.Type())`
			`isnil = c.builder.CreateICmp(llvm.IntEQ, ptr, nilptr, "")`
			`}`
compiler: implement nil checks This commit implements nil checks for all platforms. These nil checks can be optimized on systems with a MMU, but since a major target is systems without MMU, keep it this way for now. It implements three checks: * Nil checks before dereferencing a pointer. * Nil checks before calculating an address (ssa.FieldAddr and ssa.IndexAddr) * Nil checks before calling a function pointer. The first check has by far the biggest impact, with around 5% increase in code size. The other checks only trigger in only some test cases and have a minimal impact on code size. This first nil check is also the one that is easiest to avoid on systems with MMU, if necessary. 6 years ago			`c.builder.CreateCondBr(isnil, faultBlock, nextBlock)`

			`// Fail: this is a nil pointer, exit with a panic.`
			`c.builder.SetInsertPointAtEnd(faultBlock)`
compiler,runtime: make panic functions camelCase Rename panic functions to be runtime.nilPanic, runtime.lookupPanic, and runtime.slicePanic. 6 years ago			`c.createRuntimeCall("nilPanic", nil, "")`
compiler: implement nil checks This commit implements nil checks for all platforms. These nil checks can be optimized on systems with a MMU, but since a major target is systems without MMU, keep it this way for now. It implements three checks: * Nil checks before dereferencing a pointer. * Nil checks before calculating an address (ssa.FieldAddr and ssa.IndexAddr) * Nil checks before calling a function pointer. The first check has by far the biggest impact, with around 5% increase in code size. The other checks only trigger in only some test cases and have a minimal impact on code size. This first nil check is also the one that is easiest to avoid on systems with MMU, if necessary. 6 years ago			`c.builder.CreateUnreachable()`

			`// Ok: this is a valid pointer.`
			`c.builder.SetInsertPointAtEnd(nextBlock)`
			`}`