[Win64] Insert int3 into trailing empty BBs

Otherwise, the Win64 unwinder considers direct branches to such empty
trailing BBs to be a branch out of the function. It treats such a branch
as a tail call, which can only be part of an epilogue. If the unwinder
misclassifies such a branch as part of the epilogue, it will fail to
unwind the stack further. This can lead to bad stack traces, or failure
to handle exceptions properly. This is described in
https://llvm.org/PR45064#c4, and by the comment at the top of the
X86AvoidTrailingCallPass.cpp file.

It should be safe to insert int3 for such blocks. An empty trailing BB
that reaches this pass is pretty much guaranteed to be unreachable.  If
a program executed such a block, it would fall off the end of the
function.

Most of the complexity in this patch comes from threading through the
"EHFuncletEntry" boolean on the MIRParser and registering the pass so we
can stop and start codegen around it. I used an MIR test because we
should teach LLVM to optimize away these branches as a follow-up.

Reviewed By: hans

Differential Revision: https://reviews.llvm.org/D76531

lib/CodeGen/MIRParser/MILexer.cpp

@@ -260,6 +260,7 @@ static MIToken::TokenKind getIdentifierKind(StringRef Identifier) {
       .Case("liveout", MIToken::kw_liveout)
       .Case("address-taken", MIToken::kw_address_taken)
       .Case("landing-pad", MIToken::kw_landing_pad)
+      .Case("ehfunclet-entry", MIToken::kw_ehfunclet_entry)
       .Case("liveins", MIToken::kw_liveins)
       .Case("successors", MIToken::kw_successors)
       .Case("floatpred", MIToken::kw_floatpred)

lib/CodeGen/MIRParser/MILexer.h

@@ -114,6 +114,7 @@ struct MIToken {
     kw_liveout,
     kw_address_taken,
     kw_landing_pad,
+    kw_ehfunclet_entry,
     kw_liveins,
     kw_successors,
     kw_floatpred,

lib/CodeGen/MIRParser/MIParser.cpp

@@ -650,6 +650,7 @@ bool MIParser::parseBasicBlockDefinition(
   lex();
   bool HasAddressTaken = false;
   bool IsLandingPad = false;
+  bool IsEHFuncletEntry = false;
   MachineBasicBlockSection SectionType = MBBS_None;
   unsigned Alignment = 0;
   BasicBlock *BB = nullptr;
@@ -665,6 +666,10 @@ bool MIParser::parseBasicBlockDefinition(
         IsLandingPad = true;
         lex();
         break;
+      case MIToken::kw_ehfunclet_entry:
+        IsEHFuncletEntry = true;
+        lex();
+        break;
       case MIToken::kw_align:
         if (parseAlignment(Alignment))
           return true;
@@ -708,6 +713,7 @@ bool MIParser::parseBasicBlockDefinition(
   if (HasAddressTaken)
     MBB->setHasAddressTaken();
   MBB->setIsEHPad(IsLandingPad);
+  MBB->setIsEHFuncletEntry(IsEHFuncletEntry);
   if (SectionType != MBBS_None) {
     MBB->setSectionType(SectionType);
     MF.setBBSectionsType(BasicBlockSection::List);

lib/CodeGen/MIRPrinter.cpp

@@ -630,6 +630,11 @@ void MIPrinter::print(const MachineBasicBlock &MBB) {
     OS << "landing-pad";
     HasAttributes = true;
   }
+  if (MBB.isEHFuncletEntry()) {
+    OS << (HasAttributes ? ", " : " (");
+    OS << "ehfunclet-entry";
+    HasAttributes = true;
+  }
   if (MBB.getAlignment() != Align(1)) {
     OS << (HasAttributes ? ", " : " (");
     OS << "align " << MBB.getAlignment().value();

lib/Target/X86/X86.h

@@ -145,6 +145,7 @@ void initializeFixupLEAPassPass(PassRegistry &);
 void initializeFPSPass(PassRegistry &);
 void initializeWinEHStatePassPass(PassRegistry &);
 void initializeX86AvoidSFBPassPass(PassRegistry &);
+void initializeX86AvoidTrailingCallPassPass(PassRegistry &);
 void initializeX86CallFrameOptimizationPass(PassRegistry &);
 void initializeX86CmovConverterPassPass(PassRegistry &);
 void initializeX86CondBrFoldingPassPass(PassRegistry &);

lib/Target/X86/X86AvoidTrailingCall.cpp

@@ -6,10 +6,29 @@
 //
 //===----------------------------------------------------------------------===//
 //
-// The Windows x64 unwinder has trouble unwinding the stack when a return
-// address points to the end of the function. This pass maintains the invariant
-// that every return address is inside the bounds of its parent function or
-// funclet by inserting int3 if the last instruction would otherwise be a call.
+// The Windows x64 unwinder decodes the instruction stream during unwinding.
+// The unwinder decodes forward from the current PC to detect epilogue code
+// patterns.
+//
+// First, this means that there must be an instruction after every
+// call instruction for the unwinder to decode. LLVM must maintain the invariant
+// that the last instruction of a function or funclet is not a call, or the
+// unwinder may decode into the next function. Similarly, a call may not
+// immediately precede an epilogue code pattern. As of this writing, the
+// SEH_Epilogue pseudo instruction takes care of that.
+//
+// Second, all non-tail call jump targets must be within the *half-open*
+// interval of the bounds of the function. The unwinder distinguishes between
+// internal jump instructions and tail calls in an epilogue sequence by checking
+// the jump target against the function bounds from the .pdata section. This
+// means that the last regular MBB of an LLVM function must not be empty if
+// there are regular jumps targeting it.
+//
+// This pass upholds these invariants by ensuring that blocks at the end of a
+// function or funclet are a) not empty and b) do not end in a CALL instruction.
+//
+// Unwinder implementation for reference:
+// https://github.com/dotnet/coreclr/blob/a9f3fc16483eecfc47fb79c362811d870be02249/src/unwinder/amd64/unwinder_amd64.cpp#L1015
 //
 //===----------------------------------------------------------------------===//
 
@@ -18,33 +37,35 @@
 #include "X86Subtarget.h"
 #include "llvm/CodeGen/MachineInstrBuilder.h"
 
-#define DEBUG_TYPE "x86-avoid-trailing-call"
+#define AVOIDCALL_DESC "X86 avoid trailing call pass"
+#define AVOIDCALL_NAME "x86-avoid-trailing-call"
+
+#define DEBUG_TYPE AVOIDCALL_NAME
 
 using namespace llvm;
 
 namespace {
-
 class X86AvoidTrailingCallPass : public MachineFunctionPass {
 public:
   X86AvoidTrailingCallPass() : MachineFunctionPass(ID) {}
 
   bool runOnMachineFunction(MachineFunction &MF) override;
 
-private:
-  StringRef getPassName() const override {
-    return "X86 avoid trailing call pass";
-  }
   static char ID;
+
+private:
+  StringRef getPassName() const override { return AVOIDCALL_DESC; }
 };
+} // end anonymous namespace
 
 char X86AvoidTrailingCallPass::ID = 0;
 
-} // end anonymous namespace
-
 FunctionPass *llvm::createX86AvoidTrailingCallPass() {
   return new X86AvoidTrailingCallPass();
 }
 
+INITIALIZE_PASS(X86AvoidTrailingCallPass, AVOIDCALL_NAME, AVOIDCALL_DESC, false, false)
+
 // A real instruction is a non-meta, non-pseudo instruction.  Some pseudos
 // expand to nothing, and some expand to code. This logic conservatively assumes
 // they might expand to nothing.
@@ -62,6 +83,11 @@ bool X86AvoidTrailingCallPass::runOnMachineFunction(MachineFunction &MF) {
   const X86InstrInfo &TII = *STI.getInstrInfo();
   assert(STI.isTargetWin64() && "pass only runs on Win64");
 
+  // We don't need to worry about any of the invariants described above if there
+  // is no unwind info (CFI).
+  if (!MF.hasWinCFI())
+    return false;
+
   // FIXME: Perhaps this pass should also replace SEH_Epilogue by inserting nops
   // before epilogues.
 
@@ -73,33 +99,34 @@ bool X86AvoidTrailingCallPass::runOnMachineFunction(MachineFunction &MF) {
     if (NextMBB && !NextMBB->isEHFuncletEntry())
       continue;
 
-    // Find the last real instruction in this block, or previous blocks if this
-    // block is empty.
-    MachineBasicBlock::reverse_iterator LastRealInstr;
-    for (MachineBasicBlock &RMBB :
-         make_range(MBB.getReverseIterator(), MF.rend())) {
-      LastRealInstr = llvm::find_if(reverse(RMBB), isRealInstruction);
-      if (LastRealInstr != RMBB.rend())
-        break;
-    }
+    // Find the last real instruction in this block.
+    auto LastRealInstr = llvm::find_if(reverse(MBB), isRealInstruction);
 
-    // Do nothing if this function or funclet has no instructions.
-    if (LastRealInstr == MF.begin()->rend())
-      continue;
-
-    // If this is a call instruction, insert int3 right after it with the same
-    // DebugLoc. Convert back to a forward iterator and advance the insertion
-    // position once.
-    if (isCallInstruction(*LastRealInstr)) {
+    // If the block is empty or the last real instruction is a call instruction,
+    // insert an int3. If there is a call instruction, insert the int3 between
+    // the call and any labels or other meta instructions. If the block is
+    // empty, insert at block end.
+    bool IsEmpty = LastRealInstr == MBB.rend();
+    bool IsCall = !IsEmpty && isCallInstruction(*LastRealInstr);
+    if (IsEmpty || IsCall) {
       LLVM_DEBUG({
-        dbgs() << "inserting int3 after trailing call instruction:\n";
-        LastRealInstr->dump();
-        dbgs() << '\n';
+        if (IsCall) {
+          dbgs() << "inserting int3 after trailing call instruction:\n";
+          LastRealInstr->dump();
+          dbgs() << '\n';
+        } else {
+          dbgs() << "inserting int3 in trailing empty MBB:\n";
+          MBB.dump();
+        }
       });
 
-      MachineBasicBlock::iterator MBBI = std::next(LastRealInstr.getReverse());
-      BuildMI(*LastRealInstr->getParent(), MBBI, LastRealInstr->getDebugLoc(),
-              TII.get(X86::INT3));
+      MachineBasicBlock::iterator MBBI = MBB.end();
+      DebugLoc DL;
+      if (IsCall) {
+        MBBI = std::next(LastRealInstr.getReverse());
+        DL = LastRealInstr->getDebugLoc();
+      }
+      BuildMI(MBB, MBBI, DL, TII.get(X86::INT3));
       Changed = true;
     }
   }

lib/Target/X86/X86TargetMachine.cpp

@@ -79,6 +79,7 @@ extern "C" LLVM_EXTERNAL_VISIBILITY void LLVMInitializeX86Target() {
   initializeX86ExecutionDomainFixPass(PR);
   initializeX86DomainReassignmentPass(PR);
   initializeX86AvoidSFBPassPass(PR);
+  initializeX86AvoidTrailingCallPassPass(PR);
   initializeX86SpeculativeLoadHardeningPassPass(PR);
   initializeX86FlagsCopyLoweringPassPass(PR);
   initializeX86CondBrFoldingPassPass(PR);

test/CodeGen/X86/win64-eh-empty-block-2.mir

@@ -0,0 +1,223 @@
+# RUN: llc -start-before=x86-avoid-trailing-call %s -o - | FileCheck %s
+
+# If there is a trailing unreachable block, make sure it is non-empty.
+
+# Manually modified the IR of the following C++ to share one unreachable block,
+# as clang does for the real C++ throw:
+# void __declspec(noreturn) mythrow();
+# int multi_throw(bool c1, bool c2, bool c3) {
+#   try {
+#     if (c1)
+#       mythrow();
+#     if (c2)
+#       mythrow();
+#     if (c3)
+#       mythrow();
+#   } catch (...) {
+#     return 1;
+#   }
+#   return 0;
+# }
+
+# CHECK-LABEL: "?multi_throw@@YAH_N00@Z": # @"?multi_throw@@YAH_N00@Z"
+# CHECK: retq
+# CHECK: .LBB{{.*}} # %if.then
+# CHECK: callq mythrow
+# CHECK: .LBB{{.*}} # %if.then4
+# CHECK: callq mythrow
+# CHECK: .LBB{{.*}} # %if.then8
+# CHECK: callq mythrow
+# CHECK: .LBB{{.*}} # %unreachable
+# CHECK-NEXT: int3
+# CHECK: .seh_endproc
+# CHECK: # %catch
+
+--- |
+  ; ModuleID = '../llvm/test/CodeGen/X86/win64-eh-empty-block-2.ll'
+  source_filename = "t.cpp"
+  target datalayout = "e-m:w-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
+  target triple = "x86_64-unknown-windows-msvc19.11.0"
+
+  ; Function Attrs: uwtable
+  define dso_local i32 @"?multi_throw@@YAH_N00@Z"(i1 zeroext %c1, i1 zeroext %c2, i1 zeroext %c3) local_unnamed_addr #0 personality i8* bitcast (i32 (...)* @__CxxFrameHandler3 to i8*) {
+  entry:
+    br i1 %c1, label %if.then, label %if.end
+
+  if.then:                                          ; preds = %entry
+    invoke void @mythrow()
+            to label %unreachable unwind label %catch.dispatch
+
+  unreachable:                                      ; preds = %if.then8, %if.then4, %if.then
+    unreachable
+
+  if.end:                                           ; preds = %entry
+    br i1 %c2, label %if.then4, label %if.end6
+
+  if.then4:                                         ; preds = %if.end
+    invoke void @mythrow()
+            to label %unreachable unwind label %catch.dispatch
+
+  if.end6:                                          ; preds = %if.end
+    br i1 %c3, label %if.then8, label %return
+
+  if.then8:                                         ; preds = %if.end6
+    invoke void @mythrow()
+            to label %unreachable unwind label %catch.dispatch
+
+  catch.dispatch:                                   ; preds = %if.then8, %if.then4, %if.then
+    %0 = catchswitch within none [label %catch] unwind to caller
+
+  catch:                                            ; preds = %catch.dispatch
+    %1 = catchpad within %0 [i8* null, i32 64, i8* null]
+    catchret from %1 to label %return
+
+  return:                                           ; preds = %catch, %if.end6
+    %retval.0 = phi i32 [ 1, %catch ], [ 0, %if.end6 ]
+    ret i32 %retval.0
+  }
+
+  declare dso_local void @mythrow()
+
+  declare dso_local i32 @__CxxFrameHandler3(...)
+
+  attributes #0 = { uwtable }
+
+  !llvm.module.flags = !{!0, !1}
+
+  !0 = !{i32 1, !"wchar_size", i32 2}
+  !1 = !{i32 7, !"PIC Level", i32 2}
+
+...
+---
+name:            '?multi_throw@@YAH_N00@Z'
+alignment:       16
+exposesReturnsTwice: false
+legalized:       false
+regBankSelected: false
+selected:        false
+failedISel:      false
+tracksRegLiveness: true
+hasWinCFI:       true
+registers:       []
+liveins:
+  - { reg: '$cl', virtual-reg: '' }
+  - { reg: '$dl', virtual-reg: '' }
+  - { reg: '$r8b', virtual-reg: '' }
+frameInfo:
+  isFrameAddressTaken: false
+  isReturnAddressTaken: false
+  hasStackMap:     false
+  hasPatchPoint:   false
+  stackSize:       56
+  offsetAdjustment: -56
+  maxAlignment:    8
+  adjustsStack:    true
+  hasCalls:        true
+  stackProtector:  ''
+  maxCallFrameSize: 32
+  cvBytesOfCalleeSavedRegisters: 0
+  hasOpaqueSPAdjustment: true
+  hasVAStart:      false
+  hasMustTailInVarArgFunc: false
+  localFrameSize:  0
+  savePoint:       ''
+  restorePoint:    ''
+fixedStack:
+  - { id: 0, type: default, offset: -24, size: 8, alignment: 8, stack-id: default,
+      isImmutable: false, isAliased: false, callee-saved-register: '',
+      callee-saved-restored: true, debug-info-variable: '', debug-info-expression: '',
+      debug-info-location: '' }
+  - { id: 1, type: spill-slot, offset: -16, size: 8, alignment: 16, stack-id: default,
+      callee-saved-register: '', callee-saved-restored: true, debug-info-variable: '',
+      debug-info-expression: '', debug-info-location: '' }
+stack:
+  - { id: 0, name: '', type: spill-slot, offset: -28, size: 4, alignment: 4,
+      stack-id: default, callee-saved-register: '', callee-saved-restored: true,
+      debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
+callSites:       []
+constants:       []
+machineFunctionInfo: {}
+body:             |
+  bb.0.entry:
+    successors: %bb.1(0x00000001), %bb.3(0x7fffffff)
+    liveins: $cl, $dl, $r8b
+
+    frame-setup PUSH64r killed $rbp, implicit-def $rsp, implicit $rsp
+    frame-setup SEH_PushReg 50
+    $rsp = frame-setup SUB64ri8 $rsp, 48, implicit-def dead $eflags
+    frame-setup SEH_StackAlloc 48
+    $rbp = LEA64r $rsp, 1, $noreg, 48, $noreg
+    frame-setup SEH_SetFrame 50, 48
+    frame-setup SEH_EndPrologue
+    MOV64mi32 $rbp, 1, $noreg, -8, $noreg, -2 :: (store 8 into %fixed-stack.0)
+    TEST8rr killed renamable $cl, renamable $cl, implicit-def $eflags
+    JCC_1 %bb.1, 5, implicit $eflags
+
+  bb.3.if.end:
+    successors: %bb.4(0x00000001), %bb.5(0x7fffffff)
+    liveins: $dl, $r8b
+
+    TEST8rr killed renamable $dl, renamable $dl, implicit-def $eflags
+    JCC_1 %bb.4, 5, implicit $eflags
+
+  bb.5.if.end6:
+    successors: %bb.6(0x00000001), %bb.8(0x7fffffff)
+    liveins: $r8b
+
+    MOV32mi $rbp, 1, $noreg, -12, $noreg, 0 :: (store 4 into %stack.0)
+    TEST8rr killed renamable $r8b, renamable $r8b, implicit-def $eflags
+    JCC_1 %bb.6, 5, implicit $eflags
+
+  bb.8.return (address-taken):
+    $eax = MOV32rm $rbp, 1, $noreg, -12, $noreg :: (load 4 from %stack.0)
+    SEH_Epilogue
+    $rsp = frame-destroy ADD64ri8 $rsp, 48, implicit-def dead $eflags
+    $rbp = frame-destroy POP64r implicit-def $rsp, implicit $rsp
+    RETQ $eax
+
+  bb.1.if.then:
+    successors: %bb.2(0x7ffff800), %bb.7(0x00000800)
+
+    EH_LABEL <mcsymbol .Leh1>
+    CALL64pcrel32 @mythrow, csr_win64, implicit $rsp, implicit $ssp, implicit-def $rsp, implicit-def $ssp
+    EH_LABEL <mcsymbol .Leh2>
+    JMP_1 %bb.2
+
+  bb.4.if.then4:
+    successors: %bb.2(0x7ffff800), %bb.7(0x00000800)
+
+    EH_LABEL <mcsymbol .Leh3>
+    CALL64pcrel32 @mythrow, csr_win64, implicit $rsp, implicit $ssp, implicit-def $rsp, implicit-def $ssp
+    EH_LABEL <mcsymbol .Leh4>
+    JMP_1 %bb.2
+
+  bb.6.if.then8:
+    successors: %bb.2(0x7ffff800), %bb.7(0x00000800)
+
+    EH_LABEL <mcsymbol .Leh5>
+    CALL64pcrel32 @mythrow, csr_win64, implicit $rsp, implicit $ssp, implicit-def $rsp, implicit-def $ssp
+    EH_LABEL <mcsymbol .Leh6>
+
+  bb.2.unreachable:
+    successors:
+
+
+  bb.7.catch (landing-pad, ehfunclet-entry):
+    successors: %bb.8(0x80000000)
+    liveins: $rdx
+
+    frame-setup MOV64mr killed $rsp, 1, $noreg, 16, $noreg, $rdx
+    frame-setup PUSH64r killed $rbp, implicit-def $rsp, implicit $rsp
+    frame-setup SEH_PushReg 50
+    $rsp = frame-setup SUB64ri8 $rsp, 32, implicit-def dead $eflags
+    frame-setup SEH_StackAlloc 32
+    $rbp = LEA64r $rdx, 1, $noreg, 48, $noreg
+    frame-setup SEH_EndPrologue
+    MOV32mi $rbp, 1, $noreg, -12, $noreg, 1 :: (store 4 into %stack.0)
+    $rax = LEA64r $rip, 0, $noreg, %bb.8, $noreg
+    SEH_Epilogue
+    $rsp = frame-destroy ADD64ri8 $rsp, 32, implicit-def dead $eflags
+    $rbp = frame-destroy POP64r implicit-def $rsp, implicit $rsp
+    CATCHRET %bb.8, %bb.0
+
+...

test/CodeGen/X86/win64-eh-empty-block.ll

@@ -20,8 +20,8 @@
 ; CHECK: callq   __cxa_throw
 ; CHECK: # %eh.resume
 ; CHECK: callq _Unwind_Resume
-; CHECK-NEXT: int3
 ; CHECK-NEXT: # %unreachable
+; CHECK-NEXT: int3
 ; CHECK-NEXT: .Lfunc_end0:
 
 %struct.as = type { i32* }

test/CodeGen/X86/wineh-coreclr.ll

@@ -320,8 +320,8 @@ unreachable:
 ; CHECK: [[test2_before_f2:.+]]:
 ; CHECK-NEXT: movl $2, %ecx
 ; CHECK-NEXT: callq f
-; CHECK-NEXT: int3
 ; CHECK-NEXT: [[test2_after_f2:.+]]:
+; CHECK: int3
 ; CHECK: [[test2_end:.*func_end.*]]:
 
 
@@ -512,24 +512,24 @@ unreachable:
 ; CHECK: [[test3_before_f4:.+]]:
 ; CHECK-NEXT: movl $4, %ecx
 ; CHECK-NEXT: callq f
-; CHECK-NEXT: int3
 ; CHECK-NEXT: [[test3_after_f4:.+]]:
+; CHECK: int3
 ; CHECK: .seh_proc [[test3_fault2:[^ ]+]]
 ; CHECK: # %fault2
 ; CHECK: .seh_endprologue
 ; CHECK: [[test3_before_f3:.+]]:
 ; CHECK-NEXT: movl $3, %ecx
 ; CHECK-NEXT: callq f
-; CHECK-NEXT: int3
 ; CHECK-NEXT: [[test3_after_f3:.+]]:
+; CHECK: int3
 ; CHECK: .seh_proc [[test3_fault1:[^ ]+]]
 ; CHECK: # %fault1
 ; CHECK: .seh_endprologue
 ; CHECK: [[test3_before_f2:.+]]:
 ; CHECK-NEXT: movl $2, %ecx
 ; CHECK-NEXT: callq f
-; CHECK-NEXT: int3
 ; CHECK-NEXT: [[test3_after_f2:.+]]:
+; CHECK: int3
 ; CHECK: [[test3_end:.*func_end.*]]:
 }