[EVM] Refine intrinsic memory effects for improved alias analysis accuracy

EVM opcodes can be classified based on how their behavior
or output depends on the transaction state:
 - Readnone (Pure)
 - Volatile (State-Dependent)
 - Side-Effecting (State-Changing)
(Reference: EVM opcodes categorization)

This patch adjusts the memory attributes of LLVM intrinsics corresponding
to these opcodes. At the LLVM IR level, the transaction-scoped EVM
state is modeled as reads/writes to inaccessible memory. This state does
not include the heap, which is modeled separately via regular LLVM pointer
parameters. State-dependent intrinsics are now marked as reading from
inaccessible memory. State-changing intrinsics are marked as both reading
from and writing to it.
To capture memory dependencies between plain loads/stores to storage
(or transient storage) and context (CALL* or CREATE* like) intrinsics, we
extended EVM alias analysis to determine aliasing between the call and
the memory location in a custom way.

Author: PavelKopyl

llvm/include/llvm/IR/IntrinsicsEVM.td

@@ -176,8 +176,6 @@ MemoryLocation MemoryLocation::getForArgument(const CallBase *Call,
     // location
     auto T = Call->getModule()->getTargetTriple();
     if (Triple(T).isEraVM() || Triple(T).isEVM()) {
-      // For EVM intrinsics, the memory size argument always immediately
-      // follows the memory argument, meaning its index is ArgIdx + 1.
       auto GetMemLocation = [Call, Arg, &AATags](unsigned MemSizeArgIdx) {
         const auto *LenCI =
             dyn_cast<ConstantInt>(Call->getArgOperand(MemSizeArgIdx));
@@ -212,6 +210,23 @@ MemoryLocation MemoryLocation::getForArgument(const CallBase *Call,
         assert((ArgIdx == 0) && "Invalid argument index for calldataload");
         return MemoryLocation(Arg, LocationSize::precise(32), AATags);
       }
+      case Intrinsic::evm_revert: {
+        assert((ArgIdx == 0) && "Invalid argument index for revert");
+        return GetMemLocation(ArgIdx + 1);
+      }
+      case Intrinsic::evm_extcodecopy: {
+        assert((ArgIdx == 1 || ArgIdx == 2) &&
+               "Invalid argument index for extcodecopy");
+        return GetMemLocation(3);
+      }
+      case Intrinsic::evm_log0:
+      case Intrinsic::evm_log1:
+      case Intrinsic::evm_log2:
+      case Intrinsic::evm_log3:
+      case Intrinsic::evm_log4: {
+        assert((ArgIdx == 0) && "Invalid argument index for log");
+        return GetMemLocation(ArgIdx + 1);
+      }
       default:
         llvm_unreachable("Unexpected intrinsic for EraVM/EVM target");
         break;

llvm/lib/Analysis/MemoryLocation.cpp

@@ -156,6 +156,11 @@ AliasResult VMAAResult::alias(const MemoryLocation &LocA,
   // If heap locations are the same, they either must or partially alias based
   // on the size of locations.
   if (StartAVal == StartBVal) {
+    // If either of the memory references is empty, it doesn't matter what the
+    // pointer values are.
+    if (LocA.Size.isZero() || LocB.Size.isZero())
+      return AliasResult::NoAlias;
+
     if (LocA.Size == LocB.Size)
       return AliasResult::MustAlias;
     return AliasResult::PartialAlias;

llvm/lib/Analysis/VMAliasAnalysis.cpp

@@ -12,6 +12,8 @@
 
 #include "EVMAliasAnalysis.h"
 #include "EVM.h"
+#include "llvm/IR/IntrinsicInst.h"
+#include "llvm/IR/IntrinsicsEVM.h"
 #include "llvm/IR/Module.h"
 
 using namespace llvm;
@@ -36,6 +38,108 @@ ImmutablePass *llvm::createEVMExternalAAWrapperPass() {
   return new EVMExternalAAWrapper();
 }
 
+EVMAAResult::EVMAAResult(const DataLayout &DL)
+    : VMAAResult(DL, {EVMAS::AS_STORAGE, EVMAS::AS_TSTORAGE}, {EVMAS::AS_HEAP},
+                 EVMAS::MAX_ADDRESS) {}
+
+ModRefInfo EVMAAResult::getArgModRefInfo(const CallBase *Call,
+                                         unsigned ArgIdx) {
+  if (Call->doesNotAccessMemory(ArgIdx))
+    return ModRefInfo::NoModRef;
+
+  if (Call->onlyWritesMemory(ArgIdx))
+    return ModRefInfo::Mod;
+
+  if (Call->onlyReadsMemory(ArgIdx))
+    return ModRefInfo::Ref;
+
+  return ModRefInfo::ModRef;
+}
+
+static MemoryLocation getMemLocForArgument(const CallBase *Call,
+                                           unsigned ArgIdx) {
+  AAMDNodes AATags = Call->getAAMetadata();
+  const Value *Arg = Call->getArgOperand(ArgIdx);
+  const auto *II = cast<IntrinsicInst>(Call);
+
+  auto GetMemLocation = [Call, Arg, &AATags](unsigned MemSizeArgIdx) {
+    const auto *LenCI =
+        dyn_cast<ConstantInt>(Call->getArgOperand(MemSizeArgIdx));
+    if (LenCI && LenCI->getValue().getActiveBits() <= 64)
+      return MemoryLocation(Arg, LocationSize::precise(LenCI->getZExtValue()),
+                            AATags);
+    return MemoryLocation::getAfter(Arg, AATags);
+  };
+
+  switch (II->getIntrinsicID()) {
+  case Intrinsic::evm_return: {
+    assert((ArgIdx == 0) && "Invalid argument index for return");
+    return GetMemLocation(ArgIdx + 1);
+  }
+  case Intrinsic::evm_create:
+  case Intrinsic::evm_create2: {
+    assert((ArgIdx == 1) && "Invalid argument index for create/create2");
+    return GetMemLocation(ArgIdx + 1);
+  }
+  case Intrinsic::evm_call:
+  case Intrinsic::evm_callcode: {
+    assert((ArgIdx == 3 || ArgIdx == 5) &&
+           "Invalid argument index for call/callcode");
+    return GetMemLocation(ArgIdx + 1);
+  }
+  case Intrinsic::evm_delegatecall:
+  case Intrinsic::evm_staticcall: {
+    assert((ArgIdx == 2 || ArgIdx == 4) &&
+           "Invalid argument index for delegatecall/staticcall");
+    return GetMemLocation(ArgIdx + 1);
+  }
+  default:
+    llvm_unreachable("Unexpected intrinsic for EraVM/EVM target");
+    break;
+  }
+}
+
+ModRefInfo EVMAAResult::getModRefInfo(const CallBase *Call,
+                                      const MemoryLocation &Loc,
+                                      AAQueryInfo &AAQI) {
+  const auto *II = dyn_cast<IntrinsicInst>(Call);
+  if (!II)
+    return AAResultBase::getModRefInfo(Call, Loc, AAQI);
+
+  unsigned AS = Loc.Ptr->getType()->getPointerAddressSpace();
+  switch (II->getIntrinsicID()) {
+  case Intrinsic::evm_return:
+    if (AS == EVMAS::AS_STORAGE || AS == EVMAS::AS_TSTORAGE)
+      return ModRefInfo::Ref;
+    break;
+  case Intrinsic::evm_create:
+  case Intrinsic::evm_create2:
+  case Intrinsic::evm_call:
+  case Intrinsic::evm_callcode:
+  case Intrinsic::evm_delegatecall:
+  case Intrinsic::evm_staticcall:
+    if (AS == EVMAS::AS_STORAGE || AS == EVMAS::AS_TSTORAGE)
+      return ModRefInfo::ModRef;
+    break;
+  default:
+    return AAResultBase::getModRefInfo(Call, Loc, AAQI);
+  }
+
+  ModRefInfo Result = ModRefInfo::NoModRef;
+  for (const auto &I : llvm::enumerate(Call->args())) {
+    const Value *Arg = I.value();
+    if (!Arg->getType()->isPointerTy())
+      continue;
+    unsigned ArgIdx = I.index();
+    MemoryLocation ArgLoc = getMemLocForArgument(Call, ArgIdx);
+    AliasResult ArgAlias = VMAAResult::alias(ArgLoc, Loc, AAQI, Call);
+    if (ArgAlias != AliasResult::NoAlias)
+      Result |= getArgModRefInfo(Call, ArgIdx);
+  }
+
+  return Result;
+}
+
 EVMAAWrapperPass::EVMAAWrapperPass() : ImmutablePass(ID) {
   initializeEVMAAWrapperPassPass(*PassRegistry::getPassRegistry());
 }
@@ -45,16 +149,10 @@ void EVMAAWrapperPass::getAnalysisUsage(AnalysisUsage &AU) const {
 }
 
 bool EVMAAWrapperPass::doInitialization(Module &M) {
-  SmallDenseSet<unsigned> StorageAS = {EVMAS::AS_STORAGE, EVMAS::AS_TSTORAGE};
-  SmallDenseSet<unsigned> HeapAS = {EVMAS::AS_HEAP};
-  Result = std::make_unique<VMAAResult>(M.getDataLayout(), StorageAS, HeapAS,
-                                        EVMAS::MAX_ADDRESS);
+  Result = std::make_unique<EVMAAResult>(M.getDataLayout());
   return false;
 }
 
-VMAAResult EVMAA::run(Function &F, AnalysisManager<Function> &AM) {
-  SmallDenseSet<unsigned> StorageAS = {EVMAS::AS_STORAGE, EVMAS::AS_TSTORAGE};
-  SmallDenseSet<unsigned> HeapAS = {EVMAS::AS_HEAP};
-  return VMAAResult(F.getParent()->getDataLayout(), StorageAS, HeapAS,
-                    EVMAS::MAX_ADDRESS);
+EVMAAResult EVMAA::run(Function &F, AnalysisManager<Function> &AM) {
+  return EVMAAResult(F.getParent()->getDataLayout());
 }

llvm/lib/Target/EVM/EVMAliasAnalysis.cpp

@@ -16,28 +16,45 @@
 #include "llvm/Analysis/VMAliasAnalysis.h"
 
 namespace llvm {
+
+/// EVM-specific AA result. Note that we override certain non-virtual methods
+/// from AAResultBase, as clarified in its documentation.
+class EVMAAResult : public VMAAResult {
+public:
+  explicit EVMAAResult(const DataLayout &DL);
+
+  ModRefInfo getModRefInfo(const CallBase *Call, const MemoryLocation &Loc,
+                           AAQueryInfo &AAQI);
+
+  ModRefInfo getArgModRefInfo(const CallBase *Call, unsigned ArgIdx);
+
+  ModRefInfo getModRefInfo(const CallBase *Call1, const CallBase *Call2,
+                           AAQueryInfo &AAQI) {
+    return AAResultBase::getModRefInfo(Call1, Call2, AAQI);
+  }
+};
+
 /// Analysis pass providing a never-invalidated alias analysis result.
 class EVMAA : public AnalysisInfoMixin<EVMAA> {
   friend AnalysisInfoMixin<EVMAA>;
 
   static AnalysisKey Key;
 
 public:
-  using Result = VMAAResult;
-  VMAAResult run(Function &F, AnalysisManager<Function> &AM);
+  using Result = EVMAAResult;
+  EVMAAResult run(Function &F, AnalysisManager<Function> &AM);
 };
 
-/// Legacy wrapper pass to provide the VMAAResult object.
+/// Legacy wrapper pass to provide the EVMAAResult object.
 class EVMAAWrapperPass : public ImmutablePass {
-  std::unique_ptr<VMAAResult> Result;
+  std::unique_ptr<EVMAAResult> Result;
 
 public:
   static char ID;
 
   EVMAAWrapperPass();
 
-  VMAAResult &getResult() { return *Result; }
-  const VMAAResult &getResult() const { return *Result; }
+  EVMAAResult &getResult() { return *Result; }
 
   bool doFinalization(Module &M) override {
     Result.reset();