[Sema][CodeGen] Support __builtin_<op>_overflow with __intcap

Morello LLVM has downstream support for this, but it's both incomplete
(see https://git.morello-project.org/morello/llvm-project/-/issues/80)
and incorrect with regards to provenance (in that it takes a naive
type-based approach rather than considering the cheri_no_provenance
attribute, meaning it differs from the binary operators in provenance
semantics). This is a from-scratch implementation that aims to not have
the same shortcomings.

Fixes #720

Author: jrtc27

clang/lib/CodeGen/CGBuiltin.cpp

@@ -36,6 +36,7 @@
 #include "llvm/ADT/StringExtras.h"
 #include "llvm/Analysis/AssumptionCache.h"
 #include "llvm/Analysis/ValueTracking.h"
+#include "llvm/IR/Constants.h"
 #include "llvm/IR/DataLayout.h"
 #include "llvm/IR/InlineAsm.h"
 #include "llvm/IR/IntrinsicInst.h"
@@ -771,9 +772,7 @@ static WidthAndSignedness
 getIntegerWidthAndSignedness(const clang::ASTContext &context,
                              const clang::QualType Type) {
   assert(Type->isIntegerType() && "Given type is not an integer.");
-  unsigned Width = Type->isBooleanType()  ? 1
-                   : Type->isBitIntType() ? context.getIntWidth(Type)
-                                          : context.getTypeInfo(Type).Width;
+  unsigned Width = context.getIntWidth(Type);
   bool Signed = Type->isSignedIntegerType();
   return {Width, Signed};
 }
@@ -1996,14 +1995,40 @@ static RValue EmitCheckedUnsignedMultiplySignedResult(
     CodeGenFunction &CGF, const clang::Expr *Op1, WidthAndSignedness Op1Info,
     const clang::Expr *Op2, WidthAndSignedness Op2Info,
     const clang::Expr *ResultArg, QualType ResultQTy,
-    WidthAndSignedness ResultInfo) {
+    WidthAndSignedness ResultInfo, SourceLocation Loc) {
   assert(isSpecialUnsignedMultiplySignedResult(
              Builtin::BI__builtin_mul_overflow, Op1Info, Op2Info, ResultInfo) &&
          "Cannot specialize this multiply");
 
+  clang::QualType Op1QTy = Op1->getType();
+  clang::QualType Op2QTy = Op2->getType();
+  bool Op1IsCap = Op1QTy->isCHERICapabilityType(CGF.getContext());
+  bool Op2IsCap = Op2QTy->isCHERICapabilityType(CGF.getContext());
+  bool ResultIsCap = ResultQTy->isCHERICapabilityType(CGF.getContext());
+
   llvm::Value *V1 = CGF.EmitScalarExpr(Op1);
   llvm::Value *V2 = CGF.EmitScalarExpr(Op2);
 
+  llvm::Value *ProvenanceCap = nullptr;
+  if (ResultIsCap) {
+    bool Op1NoProvenance =
+        !Op1IsCap || Op1QTy->hasAttr(attr::CHERINoProvenance);
+    bool Op2NoProvenance =
+        !Op2IsCap || Op2QTy->hasAttr(attr::CHERINoProvenance);
+    if (Op1NoProvenance && Op2NoProvenance)
+      ProvenanceCap = llvm::ConstantPointerNull::get(CGF.Int8CheriCapTy);
+    else if (Op1NoProvenance)
+      ProvenanceCap = V2;
+    else
+      ProvenanceCap = V1;
+  }
+
+  if (Op1IsCap)
+    V1 = CGF.getCapabilityIntegerValue(V1);
+
+  if (Op2IsCap)
+    V2 = CGF.getCapabilityIntegerValue(V2);
+
   llvm::Value *HasOverflow;
   llvm::Value *Result = EmitOverflowIntrinsic(
       CGF, llvm::Intrinsic::umul_with_overflow, V1, V2, HasOverflow);
@@ -2017,6 +2042,9 @@ static RValue EmitCheckedUnsignedMultiplySignedResult(
   llvm::Value *IntMaxOverflow = CGF.Builder.CreateICmpUGT(Result, IntMaxValue);
   HasOverflow = CGF.Builder.CreateOr(HasOverflow, IntMaxOverflow);
 
+  if (ResultIsCap)
+    Result = CGF.setCapabilityIntegerValue(ProvenanceCap, Result, Loc);
+
   bool isVolatile =
       ResultArg->getType()->getPointeeType().isVolatileQualified();
   Address ResultPtr = CGF.EmitPointerWithAlignment(ResultArg);
@@ -2042,18 +2070,47 @@ EmitCheckedMixedSignMultiply(CodeGenFunction &CGF, const clang::Expr *Op1,
                              WidthAndSignedness Op1Info, const clang::Expr *Op2,
                              WidthAndSignedness Op2Info,
                              const clang::Expr *ResultArg, QualType ResultQTy,
-                             WidthAndSignedness ResultInfo) {
+                             WidthAndSignedness ResultInfo,
+                             SourceLocation Loc) {
   assert(isSpecialMixedSignMultiply(Builtin::BI__builtin_mul_overflow, Op1Info,
                                     Op2Info, ResultInfo) &&
          "Not a mixed-sign multipliction we can specialize");
 
+  QualType Op1QTy = Op1->getType();
+  QualType Op2QTy = Op2->getType();
+  bool Op1IsCap = Op1QTy->isCHERICapabilityType(CGF.getContext());
+  bool Op2IsCap = Op2QTy->isCHERICapabilityType(CGF.getContext());
+  bool ResultIsCap = ResultQTy->isCHERICapabilityType(CGF.getContext());
+
   // Emit the signed and unsigned operands.
   const clang::Expr *SignedOp = Op1Info.Signed ? Op1 : Op2;
   const clang::Expr *UnsignedOp = Op1Info.Signed ? Op2 : Op1;
   llvm::Value *Signed = CGF.EmitScalarExpr(SignedOp);
   llvm::Value *Unsigned = CGF.EmitScalarExpr(UnsignedOp);
   unsigned SignedOpWidth = Op1Info.Signed ? Op1Info.Width : Op2Info.Width;
   unsigned UnsignedOpWidth = Op1Info.Signed ? Op2Info.Width : Op1Info.Width;
+  bool SignedIsCap = Op1Info.Signed ? Op1IsCap : Op2IsCap;
+  bool UnsignedIsCap = Op1Info.Signed ? Op2IsCap : Op1IsCap;
+
+  llvm::Value *ProvenanceCap = nullptr;
+  if (ResultIsCap) {
+    bool Op1NoProvenance =
+        !Op1IsCap || Op1QTy->hasAttr(attr::CHERINoProvenance);
+    bool Op2NoProvenance =
+        !Op2IsCap || Op2QTy->hasAttr(attr::CHERINoProvenance);
+    if (Op1NoProvenance && Op2NoProvenance)
+      ProvenanceCap = llvm::ConstantPointerNull::get(CGF.Int8CheriCapTy);
+    else if (Op1NoProvenance)
+      ProvenanceCap = Op1Info.Signed ? Unsigned : Signed;
+    else
+      ProvenanceCap = Op1Info.Signed ? Signed : Unsigned;
+  }
+
+  if (SignedIsCap)
+    Signed = CGF.getCapabilityIntegerValue(Signed);
+
+  if (UnsignedIsCap)
+    Unsigned = CGF.getCapabilityIntegerValue(Unsigned);
 
   // One of the operands may be smaller than the other. If so, [s|z]ext it.
   if (SignedOpWidth < UnsignedOpWidth)
@@ -2064,7 +2121,9 @@ EmitCheckedMixedSignMultiply(CodeGenFunction &CGF, const clang::Expr *Op1,
   llvm::Type *OpTy = Signed->getType();
   llvm::Value *Zero = llvm::Constant::getNullValue(OpTy);
   Address ResultPtr = CGF.EmitPointerWithAlignment(ResultArg);
-  llvm::Type *ResTy = ResultPtr.getElementType();
+  llvm::Type *ResTy = ResultIsCap ? llvm::IntegerType::get(CGF.getLLVMContext(),
+                                                           ResultInfo.Width)
+                                  : ResultPtr.getElementType();
   unsigned OpWidth = std::max(Op1Info.Width, Op2Info.Width);
 
   // Take the absolute value of the signed operand.
@@ -2103,8 +2162,7 @@ EmitCheckedMixedSignMultiply(CodeGenFunction &CGF, const clang::Expr *Op1,
         IsNegative, CGF.Builder.CreateIsNotNull(UnsignedResult));
     Overflow = CGF.Builder.CreateOr(UnsignedOverflow, Underflow);
     if (ResultInfo.Width < OpWidth) {
-      auto IntMax =
-          llvm::APInt::getMaxValue(ResultInfo.Width).zext(OpWidth);
+      auto IntMax = llvm::APInt::getMaxValue(ResultInfo.Width).zext(OpWidth);
       llvm::Value *TruncOverflow = CGF.Builder.CreateICmpUGT(
           UnsignedResult, llvm::ConstantInt::get(OpTy, IntMax));
       Overflow = CGF.Builder.CreateOr(Overflow, TruncOverflow);
@@ -2118,6 +2176,9 @@ EmitCheckedMixedSignMultiply(CodeGenFunction &CGF, const clang::Expr *Op1,
   }
   assert(Overflow && Result && "Missing overflow or result");
 
+  if (ResultIsCap)
+    Result = CGF.setCapabilityIntegerValue(ProvenanceCap, Result, Loc);
+
   bool isVolatile =
       ResultArg->getType()->getPointeeType().isVolatileQualified();
   CGF.Builder.CreateStore(CGF.EmitToMemory(Result, ResultQTy), ResultPtr,
@@ -4636,13 +4697,18 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
     const clang::Expr *RightArg = E->getArg(1);
     const clang::Expr *ResultArg = E->getArg(2);
 
+    clang::QualType LeftQTy = LeftArg->getType();
+    clang::QualType RightQTy = RightArg->getType();
     clang::QualType ResultQTy =
         ResultArg->getType()->castAs<PointerType>()->getPointeeType();
 
+    bool LeftIsCap = LeftQTy->isCHERICapabilityType(CGM.getContext());
+    bool RightIsCap = RightQTy->isCHERICapabilityType(CGM.getContext());
+    bool ResultIsCap = ResultQTy->isCHERICapabilityType(CGM.getContext());
     WidthAndSignedness LeftInfo =
-        getIntegerWidthAndSignedness(CGM.getContext(), LeftArg->getType());
+        getIntegerWidthAndSignedness(CGM.getContext(), LeftQTy);
     WidthAndSignedness RightInfo =
-        getIntegerWidthAndSignedness(CGM.getContext(), RightArg->getType());
+        getIntegerWidthAndSignedness(CGM.getContext(), RightQTy);
     WidthAndSignedness ResultInfo =
         getIntegerWidthAndSignedness(CGM.getContext(), ResultQTy);
 
@@ -4651,37 +4717,44 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
     if (isSpecialMixedSignMultiply(BuiltinID, LeftInfo, RightInfo, ResultInfo))
       return EmitCheckedMixedSignMultiply(*this, LeftArg, LeftInfo, RightArg,
                                           RightInfo, ResultArg, ResultQTy,
-                                          ResultInfo);
+                                          ResultInfo, E->getExprLoc());
 
     if (isSpecialUnsignedMultiplySignedResult(BuiltinID, LeftInfo, RightInfo,
                                               ResultInfo))
       return EmitCheckedUnsignedMultiplySignedResult(
           *this, LeftArg, LeftInfo, RightArg, RightInfo, ResultArg, ResultQTy,
-          ResultInfo);
+          ResultInfo, E->getExprLoc());
 
     WidthAndSignedness EncompassingInfo =
         EncompassingIntegerType({LeftInfo, RightInfo, ResultInfo});
 
     llvm::Type *EncompassingLLVMTy =
         llvm::IntegerType::get(CGM.getLLVMContext(), EncompassingInfo.Width);
 
-    llvm::Type *ResultLLVMTy = CGM.getTypes().ConvertType(ResultQTy);
+    llvm::Type *ResultLLVMTy =
+        ResultIsCap
+            ? llvm::IntegerType::get(CGM.getLLVMContext(), ResultInfo.Width)
+            : CGM.getTypes().ConvertType(ResultQTy);
 
     llvm::Intrinsic::ID IntrinsicId;
+    bool Commutative;
     switch (BuiltinID) {
     default:
       llvm_unreachable("Unknown overflow builtin id.");
     case Builtin::BI__builtin_add_overflow:
+      Commutative = true;
       IntrinsicId = EncompassingInfo.Signed
                         ? llvm::Intrinsic::sadd_with_overflow
                         : llvm::Intrinsic::uadd_with_overflow;
       break;
     case Builtin::BI__builtin_sub_overflow:
+      Commutative = false;
       IntrinsicId = EncompassingInfo.Signed
                         ? llvm::Intrinsic::ssub_with_overflow
                         : llvm::Intrinsic::usub_with_overflow;
       break;
     case Builtin::BI__builtin_mul_overflow:
+      Commutative = true;
       IntrinsicId = EncompassingInfo.Signed
                         ? llvm::Intrinsic::smul_with_overflow
                         : llvm::Intrinsic::umul_with_overflow;
@@ -4692,6 +4765,33 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
     llvm::Value *Right = EmitScalarExpr(RightArg);
     Address ResultPtr = EmitPointerWithAlignment(ResultArg);
 
+    llvm::Value *ProvenanceCap = nullptr;
+    if (ResultIsCap) {
+      if (!Commutative) {
+        if (LeftIsCap)
+          ProvenanceCap = Left;
+        else
+          ProvenanceCap = llvm::ConstantPointerNull::get(Int8CheriCapTy);
+      } else {
+        bool LeftNoProvenance =
+            !LeftIsCap || LeftQTy->hasAttr(attr::CHERINoProvenance);
+        bool RightNoProvenance =
+            !RightIsCap || RightQTy->hasAttr(attr::CHERINoProvenance);
+        if (LeftNoProvenance && RightNoProvenance)
+          ProvenanceCap = llvm::ConstantPointerNull::get(Int8CheriCapTy);
+        else if (LeftNoProvenance)
+          ProvenanceCap = Right;
+        else
+          ProvenanceCap = Left;
+      }
+    }
+
+    if (LeftIsCap)
+      Left = getCapabilityIntegerValue(Left);
+
+    if (RightIsCap)
+      Right = getCapabilityIntegerValue(Right);
+
     // Extend each operand to the encompassing type.
     Left = Builder.CreateIntCast(Left, EncompassingLLVMTy, LeftInfo.Signed);
     Right = Builder.CreateIntCast(Right, EncompassingLLVMTy, RightInfo.Signed);
@@ -4716,6 +4816,10 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
       Result = ResultTrunc;
     }
 
+    if (ResultIsCap)
+      Result =
+          setCapabilityIntegerValue(ProvenanceCap, Result, E->getExprLoc());
+
     // Finally, store the result using the pointer.
     bool isVolatile =
       ResultArg->getType()->getPointeeType().isVolatileQualified();

clang/lib/Sema/SemaChecking.cpp

@@ -37,8 +37,10 @@
 #include "clang/AST/TypeLoc.h"
 #include "clang/AST/UnresolvedSet.h"
 #include "clang/Basic/AddressSpaces.h"
+#include "clang/Basic/Builtins.h"
 #include "clang/Basic/CharInfo.h"
 #include "clang/Basic/Diagnostic.h"
+#include "clang/Basic/DiagnosticFrontend.h"
 #include "clang/Basic/IdentifierTable.h"
 #include "clang/Basic/LLVM.h"
 #include "clang/Basic/LangOptions.h"
@@ -475,6 +477,18 @@ static bool SemaBuiltinOverflow(Sema &S, CallExpr *TheCall,
     }
   }
 
+  // ScalarExprEmitter::EmitSub's diagnostics aren't included here since
+  // they're generally unhelpful, grouped under pedantic warnings, and would be
+  // confusing without also taking into account the type of the result.
+  if (BuiltinID != Builtin::BI__builtin_sub_overflow) {
+    assert((BuiltinID == Builtin::BI__builtin_add_overflow ||
+            BuiltinID == Builtin::BI__builtin_mul_overflow) &&
+           "Unexpected overflow builtin");
+
+    S.DiagnoseAmbiguousProvenance(TheCall->getArg(0), TheCall->getArg(1),
+                                  TheCall->getExprLoc(), false);
+  }
+
   return false;
 }