[llubi] Add initial support for llubi (#180022)

dtcxzyw · web-flow · commit a29f0dd09680 · 2026-02-10T01:54:34.000+08:00
This patch implements the initial support for upstreaming [llubi](https://github.com/dtcxzyw/llvm-ub-aware-interpreter). It only provides the minimal functionality to run a simple main function. I hope we can focus on the interface design in this PR, rather than trivial implementations for each instruction. RFC link: https://discourse.llvm.org/t/rfc-upstreaming-llvm-ub-aware-interpreter/89645 Excluding the driver `llubi.cpp`, this patch contains three components for better decoupling: + `Value.h/cpp`: Value representation + `Context.h/cpp`: Global state management (e.g., memory) and interpreter configuration + `Interpreter.cpp`: The main interpreter loop Compared to the out-of-tree version, the major differences are listed below: + The interpreter logic always returns the control to its caller, i.e., it never calls `exit/abort` when immediate UBs are triggered. + `EventHandler` provides an interface to dump the trace. It also allows callers to inspect the actual value and verify the correctness of analysis passes (e.g, KnownBits/SCEV). + The context is designed to be reentrant. That is, you can call `runFunction` multiple times. But its usefulness remains in doubt due to side effects made by previous calls. + `runFunction` handles function calls with a loop, instead of calling itself recursively. This makes it no longer bounded by the stack depth. + Uninitialized memory is planned to be approximated by returning random values each time an uninitialized byte is loaded.
diff --git a/llvm/docs/CommandGuide/index.rst b/llvm/docs/CommandGuide/index.rst
@@ -17,6 +17,7 @@ Basic Commands
    dsymutil
    llc
    lli
+   llubi
    llvm-as
    llvm-cgdata
    llvm-config
diff --git a/llvm/docs/CommandGuide/llubi.rst b/llvm/docs/CommandGuide/llubi.rst
@@ -0,0 +1,79 @@
+llubi - LLVM UB-aware Interpreter
+=================================
+
+.. program:: llubi
+
+SYNOPSIS
+--------
+
+:program:`llubi` [*options*] [*filename*] [*program args*]
+
+DESCRIPTION
+-----------
+
+:program:`llubi` directly executes programs in LLVM bitcode format and tracks values in LLVM IR semantics.
+Unlike :program:`lli`, :program:`llubi` is designed to be aware of undefined behaviors during execution.
+It detects immediate undefined behaviors such as integer division by zero, and respects poison generating flags
+like `nsw` and `nuw`. As it captures most of the guardable undefined behaviors, it is highly suitable for
+constructing an interesting-ness test for miscompilation bugs.
+
+If `filename` is not specified, then :program:`llubi` reads the LLVM bitcode for the
+program from standard input.
+
+The optional *args* specified on the command line are passed to the program as
+arguments.
+
+GENERAL OPTIONS
+---------------
+
+.. option:: -fake-argv0=executable
+
+ Override the ``argv[0]`` value passed into the executing program.
+
+.. option:: -entry-function=function
+
+ Specify the name of the function to execute as the program's entry point.
+ By default, :program:`llubi` uses the function named ``main``.
+
+.. option:: -help
+
+ Print a summary of command line options.
+
+.. option:: -verbose
+
+ Print results for each instruction executed.
+
+.. option:: -version
+
+ Print out the version of :program:`llubi` and exit without doing anything else.
+
+INTERPRETER OPTIONS
+-------------------
+
+.. option:: -max-mem=N
+
+  Limit the amount of memory (in bytes) that can be allocated by the program, including
+  stack, heap, and global variables. If the limit is exceeded, execution will be terminated.
+  By default, there is no limit (N = 0).
+
+.. option:: -max-stack-depth=N
+
+  Limit the maximum stack depth to N. If the limit is exceeded, execution will be terminated.
+  The default limit is 256. Set N to 0 to disable the limit.
+
+.. option:: -max-steps=N
+
+  Limit the number of instructions executed to N. If the limit is reached, execution will
+  be terminated. By default, there is no limit (N = 0).
+
+.. option:: -vscale=N
+
+  Set the value of `llvm.vscale` to N. The default value is 4.
+
+EXIT STATUS
+-----------
+
+If :program:`llubi` fails to load the program, or an error occurs during execution (e.g, an immediate undefined
+behavior is triggered), it will exit with an exit code of 1.
+If the return type of entry function is not an integer type, it will return 0.
+Otherwise, it will return the exit code of the program.
diff --git a/llvm/test/CMakeLists.txt b/llvm/test/CMakeLists.txt
@@ -76,6 +76,7 @@ set(LLVM_TEST_DEPENDS
   llc
   lli
   lli-child-target
+  llubi
   llvm-addr2line
   llvm-ar
   llvm-as
diff --git a/llvm/test/lit.cfg.py b/llvm/test/lit.cfg.py
@@ -235,6 +235,7 @@ def get_asan_rtlib():
         "dsymutil",
         "lli",
         "lli-child-target",
+        "llubi",
         "llvm-ar",
         "llvm-as",
         "llvm-addr2line",
diff --git a/llvm/test/tools/llubi/main.ll b/llvm/test/tools/llubi/main.ll
@@ -0,0 +1,11 @@
+; RUN: llubi --verbose < %s 2>&1 | FileCheck %s
+
+define i32 @main(i32 %argc, ptr %argv) {
+  ret i32 0
+}
+
+; CHECK: Entering function: main
+; CHECK:   i32 %argc = i32 1
+; CHECK:   ptr %argv = ptr 0x8 [argv]
+; CHECK:   ret i32 0
+; CHECK: Exiting function: main
diff --git a/llvm/test/tools/llubi/main2.ll b/llvm/test/tools/llubi/main2.ll
@@ -0,0 +1,9 @@
+; RUN: llubi --verbose < %s 2>&1 | FileCheck %s
+
+define i32 @main() {
+  ret i32 0
+}
+
+; CHECK: Entering function: main
+; CHECK:   ret i32 0
+; CHECK: Exiting function: main
diff --git a/llvm/test/tools/llubi/poison.ll b/llvm/test/tools/llubi/poison.ll
@@ -0,0 +1,11 @@
+; RUN: not llubi --verbose < %s 2>&1 | FileCheck %s
+
+define i32 @main(i32 %argc, ptr %argv) {
+  ret i32 poison
+}
+; CHECK: Entering function: main
+; CHECK:   i32 %argc = i32 1
+; CHECK:   ptr %argv = ptr 0x8 [argv]
+; CHECK:   ret i32 poison
+; CHECK: Exiting function: main
+; CHECK: error: Execution of function 'main' resulted in poison return value.
diff --git a/llvm/tools/llubi/CMakeLists.txt b/llvm/tools/llubi/CMakeLists.txt
@@ -0,0 +1,17 @@
+set(LLVM_LINK_COMPONENTS
+  Analysis
+  Core
+  IRPrinter
+  IRReader
+  Support
+  )
+
+add_llvm_tool(llubi
+  llubi.cpp
+
+  DEPENDS
+  intrinsics_gen
+  )
+
+add_subdirectory(lib)
+target_link_libraries(llubi PRIVATE LLVMUBAwareInterpreter)
diff --git a/llvm/tools/llubi/lib/CMakeLists.txt b/llvm/tools/llubi/lib/CMakeLists.txt
@@ -0,0 +1,12 @@
+set(LLVM_LINK_COMPONENTS
+  Analysis
+  Core
+  Support
+  )
+
+add_llvm_library(LLVMUBAwareInterpreter
+  STATIC
+  Context.cpp
+  Interpreter.cpp
+  Value.cpp
+  )
diff --git a/llvm/tools/llubi/lib/Context.cpp b/llvm/tools/llubi/lib/Context.cpp
@@ -0,0 +1,129 @@
+//===- Context.cpp - State Tracking for llubi -----------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This file tracks the global states (e.g., memory) of the interpreter.
+//
+//===----------------------------------------------------------------------===//
+
+#include "Context.h"
+#include "llvm/Support/MathExtras.h"
+
+namespace llvm::ubi {
+
+Context::Context(Module &M)
+    : Ctx(M.getContext()), M(M), DL(M.getDataLayout()),
+      TLIImpl(M.getTargetTriple()) {}
+
+Context::~Context() = default;
+
+AnyValue Context::getConstantValueImpl(Constant *C) {
+  if (isa<PoisonValue>(C))
+    return AnyValue::getPoisonValue(*this, C->getType());
+
+  // TODO: Handle ConstantInt vector.
+  if (auto *CI = dyn_cast<ConstantInt>(C))
+    return CI->getValue();
+
+  llvm_unreachable("Unrecognized constant");
+}
+
+const AnyValue &Context::getConstantValue(Constant *C) {
+  auto It = ConstCache.find(C);
+  if (It != ConstCache.end())
+    return It->second;
+
+  return ConstCache.emplace(C, getConstantValueImpl(C)).first->second;
+}
+
+MemoryObject::~MemoryObject() = default;
+MemoryObject::MemoryObject(uint64_t Addr, uint64_t Size, StringRef Name,
+                           unsigned AS, MemInitKind InitKind)
+    : Address(Addr), Size(Size), Name(Name), AS(AS),
+      State(InitKind != MemInitKind::Poisoned ? MemoryObjectState::Alive
+                                              : MemoryObjectState::Dead) {
+  switch (InitKind) {
+  case MemInitKind::Zeroed:
+    Bytes.resize(Size, Byte{0, ByteKind::Concrete});
+    break;
+  case MemInitKind::Uninitialized:
+    Bytes.resize(Size, Byte{0, ByteKind::Undef});
+    break;
+  case MemInitKind::Poisoned:
+    Bytes.resize(Size, Byte{0, ByteKind::Poison});
+    break;
+  }
+}
+
+IntrusiveRefCntPtr<MemoryObject> Context::allocate(uint64_t Size,
+                                                   uint64_t Align,
+                                                   StringRef Name, unsigned AS,
+                                                   MemInitKind InitKind) {
+  if (MaxMem != 0 && SaturatingAdd(UsedMem, Size) >= MaxMem)
+    return nullptr;
+  uint64_t AlignedAddr = alignTo(AllocationBase, Align);
+  auto MemObj =
+      makeIntrusiveRefCnt<MemoryObject>(AlignedAddr, Size, Name, AS, InitKind);
+  MemoryObjects[AlignedAddr] = MemObj;
+  AllocationBase = AlignedAddr + Size;
+  UsedMem += Size;
+  return MemObj;
+}
+
+bool Context::free(uint64_t Address) {
+  auto It = MemoryObjects.find(Address);
+  if (It == MemoryObjects.end())
+    return false;
+  UsedMem -= It->second->getSize();
+  It->second->markAsFreed();
+  MemoryObjects.erase(It);
+  return true;
+}
+
+Pointer Context::deriveFromMemoryObject(IntrusiveRefCntPtr<MemoryObject> Obj) {
+  assert(Obj && "Cannot determine the address space of a null memory object");
+  return Pointer(
+      Obj,
+      APInt(DL.getPointerSizeInBits(Obj->getAddressSpace()), Obj->getAddress()),
+      /*Offset=*/0);
+}
+
+void MemoryObject::markAsFreed() {
+  State = MemoryObjectState::Freed;
+  Bytes.clear();
+}
+
+void MemoryObject::writeRawBytes(uint64_t Offset, const void *Data,
+                                 uint64_t Length) {
+  assert(SaturatingAdd(Offset, Length) <= Size && "Write out of bounds");
+  const uint8_t *ByteData = static_cast<const uint8_t *>(Data);
+  for (uint64_t I = 0; I < Length; ++I)
+    Bytes[Offset + I].set(ByteData[I]);
+}
+
+void MemoryObject::writeInteger(uint64_t Offset, const APInt &Int,
+                                const DataLayout &DL) {
+  uint64_t BitWidth = Int.getBitWidth();
+  uint64_t IntSize = divideCeil(BitWidth, 8);
+  assert(SaturatingAdd(Offset, IntSize) <= Size && "Write out of bounds");
+  for (uint64_t I = 0; I < IntSize; ++I) {
+    uint64_t ByteIndex = DL.isLittleEndian() ? I : (IntSize - 1 - I);
+    uint64_t Bits = std::min(BitWidth - ByteIndex * 8, uint64_t(8));
+    Bytes[Offset + I].set(Int.extractBitsAsZExtValue(Bits, ByteIndex * 8));
+  }
+}
+void MemoryObject::writeFloat(uint64_t Offset, const APFloat &Float,
+                              const DataLayout &DL) {
+  writeInteger(Offset, Float.bitcastToAPInt(), DL);
+}
+void MemoryObject::writePointer(uint64_t Offset, const Pointer &Ptr,
+                                const DataLayout &DL) {
+  writeInteger(Offset, Ptr.address(), DL);
+  // TODO: provenance
+}
+
+} // namespace llvm::ubi
diff --git a/llvm/tools/llubi/lib/Context.h b/llvm/tools/llubi/lib/Context.h
diff --git a/llvm/tools/llubi/lib/Interpreter.cpp b/llvm/tools/llubi/lib/Interpreter.cpp
diff --git a/llvm/tools/llubi/lib/Value.cpp b/llvm/tools/llubi/lib/Value.cpp
diff --git a/llvm/tools/llubi/lib/Value.h b/llvm/tools/llubi/lib/Value.h
diff --git a/llvm/tools/llubi/llubi.cpp b/llvm/tools/llubi/llubi.cpp
