SIL: verify store_borrow

Verify that
* the destination address is an alloc_stack
* the stack location is not modified beside a store_borrow
* the stack location has been initialized when used

Author: eeckstein

lib/SIL/Verifier/MemoryLifetime.cpp

@@ -347,6 +347,7 @@ bool MemoryLocations::analyzeLocationUsesRecursively(SILValue V, unsigned locIdx
         break;
       case SILInstructionKind::LoadInst:
       case SILInstructionKind::StoreInst:
+      case SILInstructionKind::StoreBorrowInst:
       case SILInstructionKind::EndAccessInst:
       case SILInstructionKind::LoadBorrowInst:
       case SILInstructionKind::DestroyAddrInst:
@@ -608,6 +609,9 @@ class MemoryLifetimeVerifier {
   SILFunction *function;
   MemoryLocations locations;
 
+  /// alloc_stack memory locations which are used for store_borrow.
+  Bits storeBorrowLocations;
+
   /// Returns true if the enum location \p locIdx can be proven to hold a
   /// hold a trivial value (e non-payload case) at \p atInst.
   bool isEnumTrivialAt(int locIdx, SILInstruction *atInst);
@@ -640,6 +644,18 @@ class MemoryLifetimeVerifier {
   /// \p addr, are set in \p bits.
   void requireBitsSet(const Bits &bits, SILValue addr, SILInstruction *where);
 
+  bool isStoreBorrowLocation(SILValue addr) {
+    auto *loc = locations.getLocation(addr);
+    return loc && storeBorrowLocations.anyCommon(loc->subLocations);
+  }
+
+  /// Require that the location of addr is not an alloc_stack used for a
+  /// store_borrow.
+  void requireNoStoreBorrowLocation(SILValue addr, SILInstruction *where);
+
+  /// Register the destination address of a store_borrow as borrowed location.
+  void registerStoreBorrowLocation(SILValue addr);
+
   /// Handles locations of the predecessor's terminator, which are only valid
   /// in \p block.
   /// Example: @out results of try_apply. They are only valid in the
@@ -800,6 +816,21 @@ void MemoryLifetimeVerifier::requireBitsSet(const Bits &bits, SILValue addr,
   }
 }
 
+void MemoryLifetimeVerifier::requireNoStoreBorrowLocation(SILValue addr,
+                                                  SILInstruction *where) {
+  if (isStoreBorrowLocation(addr)) {
+    reportError("store-borrow location cannot be written",
+                locations.getLocation(addr)->selfAndParents.find_first(), where);
+  }
+}
+
+void MemoryLifetimeVerifier::registerStoreBorrowLocation(SILValue addr) {
+  if (auto *loc = locations.getLocation(addr)) {
+    storeBorrowLocations.resize(locations.getNumLocations());
+    storeBorrowLocations |= loc->subLocations;
+  }
+}
+
 void MemoryLifetimeVerifier::initDataflow(MemoryDataflow &dataFlow) {
   // Initialize the entry and exit sets to all-bits-set. Except for the function
   // entry.
@@ -849,6 +880,12 @@ void MemoryLifetimeVerifier::initDataflowInBlock(SILBasicBlock *block,
       case SILInstructionKind::StoreInst:
         state.genBits(cast<StoreInst>(&I)->getDest(), locations);
         break;
+      case SILInstructionKind::StoreBorrowInst: {
+        SILValue destAddr = cast<StoreBorrowInst>(&I)->getDest();
+        state.genBits(destAddr, locations);
+        registerStoreBorrowLocation(destAddr);
+        break;
+      }
       case SILInstructionKind::CopyAddrInst: {
         auto *CAI = cast<CopyAddrInst>(&I);
         if (CAI->isTakeOfSrc())
@@ -1019,6 +1056,7 @@ void MemoryLifetimeVerifier::checkBlock(SILBasicBlock *block, Bits &bits) {
         switch (LI->getOwnershipQualifier()) {
           case LoadOwnershipQualifier::Take:
             locations.clearBits(bits, LI->getOperand());
+            requireNoStoreBorrowLocation(LI->getOperand(), &I);
             break;
           case LoadOwnershipQualifier::Copy:
           case LoadOwnershipQualifier::Trivial:
@@ -1044,19 +1082,29 @@ void MemoryLifetimeVerifier::checkBlock(SILBasicBlock *block, Bits &bits) {
           case StoreOwnershipQualifier::Unqualified:
             llvm_unreachable("unqualified store shouldn't be in ownership SIL");
         }
+        requireNoStoreBorrowLocation(SI->getDest(), &I);
+        break;
+      }
+      case SILInstructionKind::StoreBorrowInst: {
+        SILValue destAddr = cast<StoreBorrowInst>(&I)->getDest();
+        locations.setBits(bits, destAddr);
+        registerStoreBorrowLocation(destAddr);
         break;
       }
       case SILInstructionKind::CopyAddrInst: {
         auto *CAI = cast<CopyAddrInst>(&I);
         requireBitsSet(bits, CAI->getSrc(), &I);
-        if (CAI->isTakeOfSrc())
+        if (CAI->isTakeOfSrc()) {
           locations.clearBits(bits, CAI->getSrc());
+          requireNoStoreBorrowLocation(CAI->getSrc(), &I);
+        }
         if (CAI->isInitializationOfDest()) {
           requireBitsClear(bits & nonTrivialLocations, CAI->getDest(), &I);
         } else {
           requireBitsSet(bits | ~nonTrivialLocations, CAI->getDest(), &I);
         }
         locations.setBits(bits, CAI->getDest());
+        requireNoStoreBorrowLocation(CAI->getDest(), &I);
         break;
       }
       case SILInstructionKind::InjectEnumAddrInst: {
@@ -1068,25 +1116,31 @@ void MemoryLifetimeVerifier::checkBlock(SILBasicBlock *block, Bits &bits) {
           requireBitsClear(bits & nonTrivialLocations, IEAI->getOperand(), &I);
           locations.setBits(bits, IEAI->getOperand());
         }
+        requireNoStoreBorrowLocation(IEAI->getOperand(), &I);
         break;
       }
-      case SILInstructionKind::InitEnumDataAddrInst:
-        requireBitsClear(bits, cast<InitEnumDataAddrInst>(&I)->getOperand(), &I);
+      case SILInstructionKind::InitEnumDataAddrInst: {
+        SILValue enumAddr = cast<InitEnumDataAddrInst>(&I)->getOperand();
+        requireBitsClear(bits, enumAddr, &I);
+        requireNoStoreBorrowLocation(enumAddr, &I);
         break;
+      }
       case SILInstructionKind::UncheckedTakeEnumDataAddrInst: {
         // Note that despite the name, unchecked_take_enum_data_addr does _not_
         // "take" the payload of the Swift.Optional enum. This is a terrible
         // hack in SIL.
-        auto *UTEDAI = cast<UncheckedTakeEnumDataAddrInst>(&I);
-        int enumIdx = locations.getLocationIdx(UTEDAI->getOperand());
+        SILValue enumAddr = cast<UncheckedTakeEnumDataAddrInst>(&I)->getOperand();
+        int enumIdx = locations.getLocationIdx(enumAddr);
         if (enumIdx >= 0)
-          requireBitsSet(bits, UTEDAI->getOperand(), &I);
+          requireBitsSet(bits, enumAddr, &I);
+        requireNoStoreBorrowLocation(enumAddr, &I);
         break;
       }
       case SILInstructionKind::DestroyAddrInst: {
         SILValue opVal = cast<DestroyAddrInst>(&I)->getOperand();
         requireBitsSet(bits | ~nonTrivialLocations, opVal, &I);
         locations.clearBits(bits, opVal);
+        requireNoStoreBorrowLocation(opVal, &I);
         break;
       }
       case SILInstructionKind::EndBorrowInst: {
@@ -1117,7 +1171,11 @@ void MemoryLifetimeVerifier::checkBlock(SILBasicBlock *block, Bits &bits) {
         break;
       case SILInstructionKind::DeallocStackInst: {
         SILValue opVal = cast<DeallocStackInst>(&I)->getOperand();
-        requireBitsClear(bits & nonTrivialLocations, opVal, &I);
+        if (isStoreBorrowLocation(opVal)) {
+          requireBitsSet(bits, opVal, &I);
+        } else {
+          requireBitsClear(bits & nonTrivialLocations, opVal, &I);
+        }
         // Needed to clear any bits of trivial locations (which are not required
         // to be zero).
         locations.clearBits(bits, opVal);
@@ -1132,6 +1190,9 @@ void MemoryLifetimeVerifier::checkBlock(SILBasicBlock *block, Bits &bits) {
 void MemoryLifetimeVerifier::checkFuncArgument(Bits &bits, Operand &argumentOp,
                          SILArgumentConvention argumentConvention,
                          SILInstruction *applyInst) {
+  if (argumentConvention != SILArgumentConvention::Indirect_In_Guaranteed)
+    requireNoStoreBorrowLocation(argumentOp.get(), applyInst);
+  
   switch (argumentConvention) {
     case SILArgumentConvention::Indirect_In:
     case SILArgumentConvention::Indirect_In_Constant:
@@ -1169,6 +1230,7 @@ void MemoryLifetimeVerifier::verify() {
   }
   // Second step: handle single-block locations.
   locations.handleSingleBlockLocations([this](SILBasicBlock *block) {
+    storeBorrowLocations.clear();
     Bits bits(locations.getNumLocations());
     checkBlock(block, bits);
   });

lib/SIL/Verifier/SILVerifier.cpp

@@ -2193,6 +2193,23 @@ class SILVerifier : public SILVerifierBase<SILVerifier> {
     }
   }
 
+  void checkStoreBorrowInst(StoreBorrowInst *SI) {
+    require(SI->getSrc()->getType().isObject(),
+            "Can't store from an address source");
+    require(!fnConv.useLoweredAddresses()
+                || SI->getSrc()->getType().isLoadable(*SI->getFunction()),
+            "Can't store a non loadable type");
+    require(SI->getDest()->getType().isAddress(),
+            "Must store to an address dest");
+    requireSameType(SI->getDest()->getType().getObjectType(),
+                    SI->getSrc()->getType(),
+                    "Store operand type and dest type mismatch");
+
+    // Note: This is the current implementation and the design is not final.
+    require(isa<AllocStackInst>(SI->getDest()),
+            "store_borrow destination can only be an alloc_stack");
+  }
+
   void checkAssignInst(AssignInst *AI) {
     SILValue Src = AI->getSrc(), Dest = AI->getDest();
     require(AI->getModule().getStage() == SILStage::Raw,

lib/SILOptimizer/Transforms/DestroyHoisting.cpp

@@ -350,6 +350,7 @@ void DestroyHoisting::getUsedLocationsOfInst(Bits &bits, SILInstruction *I) {
       break;
     case SILInstructionKind::LoadInst:
     case SILInstructionKind::StoreInst:
+    case SILInstructionKind::StoreBorrowInst:
     case SILInstructionKind::CopyAddrInst:
     case SILInstructionKind::InjectEnumAddrInst:
     case SILInstructionKind::PartialApplyInst:

test/SIL/memory_lifetime.sil

@@ -484,3 +484,12 @@ bb0(%0 :  $*T):
   return %res : $()
 }
 
+sil [ossa] @test_store_borrow : $@convention(thin) (@guaranteed T) -> () {
+bb0(%0 :  @guaranteed $T):
+  %s = alloc_stack $T
+  store_borrow %0 to %s : $*T
+  dealloc_stack %s : $*T
+  %res = tuple ()
+  return %res : $()
+}
+

test/SIL/memory_lifetime_failures.sil

@@ -260,3 +260,93 @@ bb0(%0 :  $*T):
   return %res : $()
 }
 
+// CHECK: SIL memory lifetime failure in @test_store_borrow_destroy: memory is not initialized, but should
+sil [ossa] @test_store_borrow_destroy : $@convention(thin) (@guaranteed T) -> () {
+bb0(%0 :  @guaranteed $T):
+  %s = alloc_stack $T
+  store_borrow %0 to %s : $*T
+  destroy_addr %s : $*T
+  dealloc_stack %s : $*T
+  %res = tuple ()
+  return %res : $()
+}
+
+sil [ossa] @func_with_inout_param : $@convention(thin) (@inout T) -> ()
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_inout: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_inout : $@convention(thin) (@guaranteed T) -> () {
+bb0(%0 :  @guaranteed $T):
+  %s = alloc_stack $T
+  store_borrow %0 to %s : $*T
+  %f = function_ref @func_with_inout_param : $@convention(thin) (@inout T) -> ()
+  %a = apply %f(%s) : $@convention(thin) (@inout T) -> ()
+  dealloc_stack %s : $*T
+  %res = tuple ()
+  return %res : $()
+}
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_store: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_store : $@convention(thin) (@guaranteed T, @owned T) -> () {
+bb0(%0 :  @guaranteed $T, %1 : @owned $T):
+  %s = alloc_stack $T
+  store_borrow %0 to %s : $*T
+  store %1 to [assign] %s : $*T
+  dealloc_stack %s : $*T
+  %res = tuple ()
+  return %res : $()
+}
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_load: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_load : $@convention(thin) (@guaranteed T) -> @owned T {
+bb0(%0 :  @guaranteed $T):
+  %s = alloc_stack $T
+  store_borrow %0 to %s : $*T
+  %res = load [take] %s : $*T
+  dealloc_stack %s : $*T
+  return %res : $T
+}
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_copy_src: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_copy_src : $@convention(thin) (@guaranteed T) -> @out T {
+bb0(%0 :  $*T, %1 :  @guaranteed $T):
+  %s = alloc_stack $T
+  store_borrow %1 to %s : $*T
+  copy_addr [take] %s to [initialization] %0 : $*T
+  dealloc_stack %s : $*T
+  %res = tuple ()
+  return %res : $()
+}
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_copy_dst: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_copy_dst : $@convention(thin) (@in_guaranteed T, @guaranteed T) -> () {
+bb0(%0 :  $*T, %1 :  @guaranteed $T):
+  %s = alloc_stack $T
+  store_borrow %1 to %s : $*T
+  copy_addr %0 to %s : $*T
+  dealloc_stack %s : $*T
+  %res = tuple ()
+  return %res : $()
+}
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_init_enum: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_init_enum : $@convention(thin) (@guaranteed Optional<T>) -> () {
+bb0(%0 :  @guaranteed $Optional<T>):
+  %s = alloc_stack $Optional<T>
+  store_borrow %0 to %s : $*Optional<T>
+  %ie = init_enum_data_addr %s : $*Optional<T>, #Optional.some!enumelt
+  dealloc_stack %s : $*Optional<T>
+  %res = tuple ()
+  return %res : $()
+}
+
+// CHECK: SIL memory lifetime failure in @test_store_borrow_take_enum: store-borrow location cannot be written
+sil [ossa] @test_store_borrow_take_enum : $@convention(thin) (@guaranteed Optional<T>) -> () {
+bb0(%0 :  @guaranteed $Optional<T>):
+  %s = alloc_stack $Optional<T>
+  store_borrow %0 to %s : $*Optional<T>
+  %ue = unchecked_take_enum_data_addr %s : $*Optional<T>, #Optional.some!enumelt
+  dealloc_stack %s : $*Optional<T>
+  %res = tuple ()
+  return %res : $()
+}
+

test/SIL/ownership-verifier/interior_pointer.sil

@@ -125,19 +125,18 @@ bb0(%0 : @owned $Builtin.NativeObject):
 
 // CHECK-LABEL: Error#: 0. Begin Error in Function: 'recursive_interior_pointer_error'
 // CHECK-NEXT: Found outside of lifetime use?!
-// CHECK-NEXT: Value:   %2 = begin_borrow %0 : $KlassUser               // users: %5, %3
-// CHECK-NEXT: Consuming User:   end_borrow %2 : $KlassUser                      // id: %5
-// CHECK-NEXT: Non Consuming User:   %7 = load [copy] %4 : $*Klass                   // user: %8
+// CHECK-NEXT: Value:   %2 = begin_borrow %0 : $KlassUser
+// CHECK-NEXT: Consuming User:   end_borrow %2 : $KlassUser
+// CHECK-NEXT: Non Consuming User:   %6 = load [copy] %3 : $*Klass
 // CHECK-NEXT: Block: bb0
 // CHECK: Error#: 0. End Error in Function: 'recursive_interior_pointer_error'
 sil [ossa] @recursive_interior_pointer_error : $@convention(thin) (@owned KlassUser, @guaranteed Klass) -> @owned Klass {
 bb0(%0 : @owned $KlassUser, %0a : @guaranteed $Klass):
   %1 = begin_borrow %0 : $KlassUser
   %2 = ref_tail_addr %1 : $KlassUser, $Klass
-  %result = store_borrow %0a to %2 : $*Klass
   end_borrow %1 : $KlassUser
   destroy_value %0 : $KlassUser
-  %3 = load [copy] %result : $*Klass
+  %3 = load [copy] %2 : $*Klass
   return %3 : $Klass
 }