How to know whether the CallInst is a virtual call?

Hi

I know that a virtual call looks like this:

%4 = load %class.base*, %class.base** %1, align 8                          ; load the object pointer
%5 = bitcast %class.base* %4 to void (%class.base*)***                      ; view the object as a pointer to its vptr
%6 = load void (%class.base*)**, void (%class.base*)*** %5, align 8        ; load the vptr (pointer into the vtable)
%7 = getelementptr inbounds void (%class.base*)*, void (%class.base*)** %6, i64 0   ; select vtable slot 0
%8 = load void (%class.base*)*, void (%class.base*)** %7, align 8          ; load the function pointer from the slot
call void %8(%class.base* %4)                                               ; indirect call through the slot

There may be some actions to get the function pointer from the vtable.

But when I scan an LLVM IR file and I just see a CallInst that is an indirect call,

is there any way to know whether the CallInst is a virtual call or not?

Thank you~

Not exactly, no - LLVM has no concept of virtual calls specifically -
they are "just" indirect calls through a vtable. LLVM optimizations
generally shouldn't be trying to reconstruct more high level semantics
than exist in LLVM IR - an optimization to improve virtual function
calls (using the existing IR - not accounting for some special cases
that might involve adding extra metadata, etc) should be framed in
terms of indirect calls in general (perhaps indirect calls from
functions in constant arrays - maybe that's the specific subcase you
want to target, etc).

- Dave
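To make Dave's point concrete, here is an added example (not code from this thread, from LLVM, or from Clang): a small Python matcher that classifies the call lines of a textual IR fragment and reports a call as "vtable-shaped" only when its callee register is reached by walking load -> getelementptr -> load back to the object pointer, which is exactly the sequence posted above. The IR sample is constructed (types corrected from the post), and the regex parsing is a heuristic over IR text; a real pass would walk the same use-def chain over `CallBase::getCalledOperand()`, and a hand-written table of function pointers produces the identical shape, so this recovers a pattern, not C++ semantics.

```python
import re

# Constructed sample: the thread's vtable-call sequence (load types corrected),
# plus an indirect call through a function-pointer argument and a direct call.
SAMPLE_IR = """
%4 = load %class.base*, %class.base** %1, align 8
%5 = bitcast %class.base* %4 to void (%class.base*)***
%6 = load void (%class.base*)**, void (%class.base*)*** %5, align 8
%7 = getelementptr inbounds void (%class.base*)*, void (%class.base*)** %6, i64 0
%8 = load void (%class.base*)*, void (%class.base*)** %7, align 8
call void %8(%class.base* %4)
call void %fp(i32 1)
call void @direct(i32 2)
"""
DEF_RE = re.compile(r'^\s*(%[\w.]+)\s*=\s*(\w+)\s+(.*)$')
# Callee: first @global or %register followed by '(' after the return type.
CALL_RE = re.compile(r'^\s*(?:%[\w.]+\s*=\s*)?(?:tail\s+)?call\s+[^@%]*?([@%][\w.]+)\(')

def parse_defs(ir):
    """Map each SSA register to its (opcode, operand text)."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in map(DEF_RE.match, ir.splitlines()) if m}

def pointer_operand(opcode, operands):
    if opcode == 'load':            # 'load <ty>, <ty>* %p, align N'
        return re.sub(r',\s*align\s+\d+.*$', '', operands).split()[-1]
    if opcode == 'bitcast':         # 'bitcast <ty> %p to <ty>'
        return operands.split(' to ')[0].split()[-1]
    if opcode == 'getelementptr':   # '... <ty>* %base, i64 <idx>'
        m = re.search(r'(%[\w.]+)\s*,\s*i\d+\s', operands)
        return m.group(1) if m else None
    return None                     # not a pointer-forwarding instruction

def classify_call(line, defs):
    """'direct', 'indirect' or 'vtable-shaped' for a call line; None otherwise."""
    m = CALL_RE.match(line)
    if not m:
        return None
    callee = m.group(1)
    if callee.startswith('@'):
        return 'direct'
    chain, cur = [], callee         # walk use-def backwards from the callee register
    while cur in defs and len(chain) < 8:
        opcode, operands = defs[cur]
        chain.append(opcode)
        cur = pointer_operand(opcode, operands)
    shape = [op for op in chain if op != 'bitcast']   # casts carry no information here
    # Heuristic only: optimization can fold a zero-index GEP away entirely.
    return 'vtable-shaped' if shape[:3] == ['load', 'getelementptr', 'load'] else 'indirect'
```

Run `classify_call(line, parse_defs(SAMPLE_IR))` over each line of the sample to see the three kinds side by side.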

So if I want to know whether a CallInst is a C++ virtual call or not,

I have to get the information at the frontend/Clang

and then pass the information to the middle-end/LLVM IR by myself.

Is that right?

Thank you

David Blaikie <dblaikie@gmail.com> wrote on Fri, 19 June 2020 at 1:26 AM:

So if I want to know whether a CallInst is a C++ virtual call or not,

I have to get the information at the frontend/Clang

and then pass the information to the middle-end/LLVM IR by myself.

Is that right?

Yes... but you maybe shouldn't be? What do you plan to do with that information?

(not that there aren't/haven't been efforts to improve virtual call
performance - I think there's something using ThinLTO to do a whole
program analysis of virtual calls you could look into as examples of
optimizations on virtual function calls)

I read some papers from NDSS and USENIX Security about protecting C++ virtual calls.

So now I know that maybe these papers' implementations must modify the front-end/Clang.

David Blaikie <dblaikie@gmail.com> wrote on Fri, 19 June 2020 at 2:16 AM:

I read some papers from NDSS and USENIX Security about protecting C++ virtual calls.

So now I know that maybe these papers' implementations must modify the front-end/Clang.

Yeah, guess it depends on the compiler they did the research on,
whether the technique generalizes to indirect calls, etc...