xref: /netbsd/external/apache2/llvm/dist/llvm/docs/FaultMaps.rst (revision 06f32e7e)

==============================
FaultMaps and implicit checks
==============================

.. contents::
   :local:
   :depth: 2

Motivation
==========

Code generated by managed language runtimes tend to have checks that
are required for safety but never fail in practice.  In such cases, it
is profitable to make the non-failing case cheaper even if it makes
the failing case significantly more expensive.  This asymmetry can be
exploited by folding such safety checks into operations that can be
made to fault reliably if the check would have failed, and recovering
from such a fault by using a signal handler.

For example, Java requires null checks on objects before they are read
from or written to.  If the object is ``null`` then a
``NullPointerException`` has to be thrown, interrupting normal
execution.  In practice, however, dereferencing a ``null`` pointer is
extremely rare in well-behaved Java programs, and typically the null
check can be folded into a nearby memory operation that operates on
the same memory location.

The Fault Map Section
=====================

Information about implicit checks generated by LLVM are put in a
special "fault map" section.  On Darwin this section is named
``__llvm_faultmaps``.

The format of this section is

.. code-block:: none

  Header {
    uint8  : Fault Map Version (current version is 1)
    uint8  : Reserved (expected to be 0)
    uint16 : Reserved (expected to be 0)
  }
  uint32 : NumFunctions
  FunctionInfo[NumFunctions] {
    uint64 : FunctionAddress
    uint32 : NumFaultingPCs
    uint32 : Reserved (expected to be 0)
    FunctionFaultInfo[NumFaultingPCs] {
      uint32  : FaultKind
      uint32  : FaultingPCOffset
      uint32  : HandlerPCOffset
    }
  }

FailtKind describes the reason of expected fault. Currently three kind
of faults are supported:

  1. ``FaultMaps::FaultingLoad`` - fault due to load from memory.
  2. ``FaultMaps::FaultingLoadStore`` - fault due to instruction load and store.
  3. ``FaultMaps::FaultingStore`` - fault due to store to memory.

The ``ImplicitNullChecks`` pass
===============================

The ``ImplicitNullChecks`` pass transforms explicit control flow for
checking if a pointer is ``null``, like:

.. code-block:: llvm

    %ptr = call i32* @get_ptr()
    %ptr_is_null = icmp i32* %ptr, null
    br i1 %ptr_is_null, label %is_null, label %not_null, !make.implicit !0

  not_null:
    %t = load i32, i32* %ptr
    br label %do_something_with_t

  is_null:
    call void @HFC()
    unreachable

  !0 = !{}

to control flow implicit in the instruction loading or storing through
the pointer being null checked:

.. code-block:: llvm

    %ptr = call i32* @get_ptr()
    %t = load i32, i32* %ptr  ;; handler-pc = label %is_null
    br label %do_something_with_t

  is_null:
    call void @HFC()
    unreachable

This transform happens at the ``MachineInstr`` level, not the LLVM IR
level (so the above example is only representative, not literal).  The
``ImplicitNullChecks`` pass runs during codegen, if
``-enable-implicit-null-checks`` is passed to ``llc``.

The ``ImplicitNullChecks`` pass adds entries to the
``__llvm_faultmaps`` section described above as needed.

``make.implicit`` metadata
--------------------------

Making null checks implicit is an aggressive optimization, and it can
be a net performance pessimization if too many memory operations end
up faulting because of it.  A language runtime typically needs to
ensure that only a negligible number of implicit null checks actually
fault once the application has reached a steady state.  A standard way
of doing this is by healing failed implicit null checks into explicit
null checks via code patching or recompilation.  It follows that there
are two requirements an explicit null check needs to satisfy for it to
be profitable to convert it to an implicit null check:

  1. The case where the pointer is actually null (i.e. the "failing"
     case) is extremely rare.

  2. The failing path heals the implicit null check into an explicit
     null check so that the application does not repeatedly page
     fault.

The frontend is expected to mark branches that satisfy (1) and (2)
using a ``!make.implicit`` metadata node (the actual content of the
metadata node is ignored).  Only branches that are marked with
``!make.implicit`` metadata are considered as candidates for
conversion into implicit null checks.

(Note that while we could deal with (1) using profiling data, dealing
with (2) requires some information not present in branch profiles.)