I think we’re talking cross-purposes at this point. Let me try to step
back and concisely restate what I’m trying to do:
- I am writing a frontend for a high-level language and I emit LLVM IR.
- I control the TBAA tree. I don’t use it to express the high-level
doesn’t have types. But by the time my compiler is generating LLVM IR, it
will have come up with meaningful constraints on aliasing and those
constraints are naturally expressed using TBAA.
- Some calls that I emit in LLVM IR are neither readnone/readonly nor do
they clobber the world - instead they clobber a known set of memory
locations, and that set of memory locations is already expressible in the
TBAA representation that I control.
Which part of the above do you disagree with?
I disagree that just because you control the TBAA tree generation, that you
should shoehorn something that is neither what the langref claims it should
be, or what other producers produce, just because the datastructure may
kinda-sorta work for your purpose.
TBAA on loads and stores is super useful for conveying high-level type
knowledge to LLVM transformations. But often translating a high-level
language into LLVM IR will result in runtime calls that are known at the
high level to only affect (either by reading or by writing) some restricted
subset of the heap. These aren't read-only calls; that is often too strong
of a guarantee. A great example would be a GC barrier or GC allocation
that may arise if LLVM is used as a backend for a compiler for a
higher-level language. There are probably other examples that arise in
high-level languages, but let's use allocation as an example for now. I
can envision two ways of representing allocation in LLVM IR:
%object = call @runtime_allocate(... /* pass size and/or other
... ; code preceding the allocation
%objectFast = ... ; IR for the inlined allocation fast path,
which produces %objectFast but may yield null if the fast path fails and we
need to take slow path
%didFail = icmp eq %objectFast, null
br %didFail, label %AllocationSlowPath, label &Continue
%objectSlow = call @runtime_allocate_slow_path(... /* pass size
and/or other data */)
br label %Continue
%object = phi [%objectFast, SomeBlock], [%objectSlow,
In both of these cases, the call instruction will appear to clobber the
world leading to more pessimistic optimization. Moreover, it's not always
correct to mark the allocation as being readonly; it may read or write
observable state. But if you don't like the allocation example then you
can imagine that a GC store barrier would have an almost identical pattern
to #2 and it would definitely not be readonly. Anyway, such a pattern
would lead to fewer loads being eliminated or hoisted, fewer stores being
eliminated or sunk, etc - all due to those pesky calls. But the high-level
code generator that produces this IR will know for sure that
@runtime_allocate or @runtime_allocate_slow_path can only affect a very
narrow subset of the heap: namely, it will only read and write the GC's
data structures. So most of the loads and stores surrounding the
allocation, that arose from source-level loads and stores, would definitely
not have any interference with the call and this would !
be easy to convey using TBAA.
Hence if we could decorate the calls to these runtime functions as only
reading or writing certain TBAA types,
Out of curiosity, why is this tied to TBAA types, rather than variables or
IE what analysis are you performing that gives you type answers instead of
answers in terms of local/global variables?
reasoning about user-facing types, but for creating what you could
alternatively think of as an “abstract heaps”. TBAA is perfect for this.
No. A nested hierarchy that describes conflicts among possible
abstract heap locations is perfect for this. TBAA is not quite the
same. See below.
For example I might know that a certain function clobbers a field called
‘foo’. In my frontend I create an "abstract heap" for each field name, and
this gets lowered to LLVM TBAA.
So let's start simple.
You are representing an abstract set of heap locations. Are they
actually in any way related to the *existing type tree* that is being
created for TBAA?
Yes. Because I am also creating the TBAA type tree. I control it
So then the answer is really "no", in the sense that what you want to
produce is unlike any of the current producers or what is actually
Or are you adding new values to it that are not
really part of a type hierarchy at all, but represent some other
relation among abstract heaps?
From your description (you create new things that represent abstract
heap locations and lower that into a nested tree), it sounds like the
answer is "you are adding new locations that represent a different
tree than the existing TBAA”.
What do you mean by “the existing TBAA”? To my understanding, LLVM itself
never creates TBAA nodes; they arise entirely out of the frontend that
emits LLVM IR. I control the frontend in this case.
If that is not true, what is the actual relation to the existing
TBAA in the LLVM compiler, at least as currently produced, while
theoretically compatible with this scheme , is not quite the same.
The langref says "metadata is added to the IR to describe a type
system of a higher level language.”
My understanding is that LLVM doesn’t produce TBAA. It consumes TBAA.
Hence it’s more meaningful to reason about TBAA in terms of its semantics
rather than hypothesizing about how and why someone would produce it.
That would be great, but it's not what the langref says, nor does it match
up with the name of the thing you are creating, nor does it necessarily
have optimal semantics, nor would it be great for future producers or the
ability to do other analyses in those producers.
We agree that TBAA is a nested set structure that describes heap
Though note that it is bidirectional which is actually probably non-optimal
for describing heap locations that are unrelated to types.
I’m observing that it would be useful to express bounds on what heap
locations that calls read or write. Therefore, TBAA can be used to convey
I do not disagree that it can, i disagree that it *should*.
If you are adding a new tree just to represent new abstract heap
location info, you are essentially reusing it simply because it
represents a nested set structure. I don't see a lot of value in
that sort of conflation, hence the question.
If we agree that it would be good to have a system for bounding what a
call reads or writes using nested sets, then we have two choices:
- Reuse TBAA, which can already be used to express nested sets of memory
Depending upon the properties of those sets, yes, I agree.
- Invent a whole new type system that is structurally identical to TBAA
but that goes by a different name.
Why would it necessarily be structurally identical?
TBAA is a good approximation for your particular analysis, but it's nested
set representation will not necessarily be optimal in the end for what else
people produce for call based info
By shoving one into the other, you force this representation on everyone,
essentially until someone else is going to come along and untangle them
You also force all producers that want to represent the output of some kind
of analyses around calls, *and* actual type based alias info, to combine
both into a single tree.
Are you seriously proposing the latter?
Yes, I am seriously proposing that you do not shoehorn something
completely different than what the langref describes, and the code expects,
into an existing structure.
If you want to change the langref, all the tests, the name, etc, first, I
would object, but that would certainly be less ugly to do that in addition
to your proposal.
If not, can you describe in more detail how you are generating this info?
Because that is what i get from your description.
The information you are talking about here is traditional mod/ref info
that is completely independent of TBAA.
You lost me. I’m writing a compiler that generates LLVM IR. I have
high-level knowledge that allows me to prove the set of abstract heap
locations that may be read or written by any call, load, or store.
What do you suggest as a mechanism by which I can communicate that
information to LLVM?
I'm suggesting you create an attribute that deals with abstract heap
locations that you are describing, instead of overloading and tying it
into an existing set of information that has a different purpose
(TBAA, which at least in the current world, represents a nested type
tree that describes access rules of a language).
So, you’re suggesting inventing a new representation for type hierarchies,
I assume you mean abstract heap locations.
that would have the following properties:
- The same rules as TBAA for load/store.
For starters, yes.
Note that the bidirectional (both up and down the tree) check does TBAA is
not necessarily needed, depending on how you formulate it.
- The same rules as what I propose for call.
- Identical to TBAA in all other respects, except that it would have a
Am I understanding your proposal correctly?
You are understanding where I suggest you start, yes. I expect it will
slowly grow to be quite different than the existing TBAA tree.
Are you saying that such a mechanism already exists and that I should use
As far as I can tell, TBAA is the cleanest such mechanism that I have
found thus far and its only shortcoming is that I cannot use it to annotate
The fact that some other mechanism is kinda-sorta-like-what-you-want
does not necessarily mean it should be tied into it
Hence, I am trying to understand the actual relation between the TBAA
tree as it exists now
What TBAA tree?
The one produced by the only current producers.
The one whose purpose is described by the langref, and even the comments in
Are you referring to the TBAA format as described in
http://llvm.org/docs/LangRef.html#tbaa-metadata, or some specific TBAA
tree that exists for some specific frontend for some specific language?
Let's say "both".
Since the TBAA tree produced by other producers all fall into the category
of "actual high level type hierarchy info", as the langref describes.
, and what you are suggesting creating.
For example, i could perform pointer analysis in clang and generate a
TBAA tree from that. It would work. It would be easy. It doesn't
mean it is necessarily a great approach.
Would your pointer analysis generate either disjoint sets, or nested sets?
This is entirely possible, for example, all the andersens's will end up
All of context-sensitive will end up another way.
Is your suggestion that they then drop all this info because it can't be
shoehorned into the existing TBAA format?
And that someone else later disentangle this from the actual *type based
info* being produced by other frontends?
What if someone wants to produce both kinds of info?
Right now your description is essentially the output of an analysis that
can be run just as well in clang on C/C++
For producers that *also* want to convey type based alias info and abstract
heap location info for calls, it now requires combining multiple analysis
outputs into a single tree called, confusingly, a "TBAA tree".
Can you explain what, other than saving you the same amount of work that
was recently done for struct-tbaa, your proposal buys?
For example, if you did a Steensgaard-style pointer analysis then TBAA
*would* be the most ideal way of representing the results of such an
For a consumer, if it's static, the ideal representation for a *TBAA tree*
would be a simple list of nodes and dfs in/out numbers attached to those
nodes, produced from walking the tree as it exists in your frontend. There
is no reason to explicitly represent the actual child/parent relationships
among the nodes.
You can then check ancestry by doing what we do elsewhere (for example,
dominates(a, b) checking), and use the DFS numbers to check ancestry.
There is no need to actually represent the tree, or walk it, as LLVM does
now. This method will give you constant time and less space usage than
what you have now.
If the TBAA tree does not really represent anything in particular, giving
it explicit structure when it's structure means nothing is entirely
In the case of steensgaard in particular, if you are just asking aliases(x,
y) questions, you actually don't need the points-to relationships as
represented by ECR's, only something much simpler - whether two things are
in the same disjoint set. You don't need the union find structure to do
this once you've finished the algorithm, you could just number the
equivalence classes and go from there.
Of course, more complex queries about the relationships between the ECR's
themselves (IE the points-to graph), you'd need parent-child relationships.
But this is all besides the point, except to point out it's not actually
optimal for what you are suggesting representing
One way to view my front end’s aliasing knowledge is that I’m doing
something like a unification-based analysis. I actually end up with a
three-level TBAA hierarchy (the world, with subtypes for my disjoint sets
of heap locations; some of those sets then have further subtypes).
The more specific the info you can get from the metadata, the better off
you are eliminating loads/stores
Otherwise, yes, it's certainly incredibly helpful to the other
However, unless there is a good reason, i'd suggest you just make it
generic call read/write metadata that talks about values (be they incoming
arguments, alloca'd memory, or whatever else).
You lost me. How does this help a high-level compiler convey to LLVM that
a particular call and a particular load or store don’t have any dependency?
You add the modref info to the calls. You add attributes to the the
loads/stores. It becomes another disambiguation method to tell
whether the load/store and the call have a dependency.
Are you suggesting that I override AliasAnalysis?
I’m trying to make it possible for a frontend to convey this information
using LLVM IR, rather than having to override internal LLVM classes in
order to provide this information.
Can you explain what the benefit of doing so is, past some amount of work
( that was even done recently in a similar contextwithout much fanfare in a
I think i've described the downsides adequately:
It's not an ideal representation depending on the analysis
For producers that *also* want to convey type based alias info in addition
to this type of info, it requires combining multiple analysis outputs into
a single tree. This gets messy, quickly.
It overloads something with a pretty well-defined meaning right now.
It's not actually optimal as a representation for the output of most kinds
It confuses a certain type of mod/ref information with actual type-based
Hence there is a question of what format to use. I’m arguing that TBAA is
My proposal achieves this, albeit using a coarse-grained at a
coarse-grained level: you have to express your knowledge of dependencies
using a hierarchy of abstract sets of heap locations (i.e. exactly what
TBAA gives you).
TBAA does not actually give you that. It gives you a tree that
describes a type hierarchy according to the memory access rules of
It’s true that this is one use-case for TBAA, but that’s not how I use it.
I don’t believe that I’m under any obligation to use it that way.
Then feel free to update langref, the tests, all the comments, and the
I would strongly suggest you not choose this path. It sucks for the future
for all the reasons I mentioned.
TBAA is just a format that LLVM consumes, that can be used by a producer
of LLVM IR to convey aliasing information.
Again, I will repeat: Just because something can be done, doesn't mean it