Taints the non-acquire RMW's store address with the load part

[oota-llvm.git] / lib / CodeGen / TaintRelaxedAtomicsUtils.cpp

//===- TaintRelaxedAtomicsUtil.cpp - Utils for tainting relaxed atomics --------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//

#include "TaintRelaxedAtomicsUtils.h"
#include "llvm/CodeGen/Passes.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/SetVector.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/InstructionSimplify.h"
#include "llvm/Analysis/MemoryLocation.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/TargetTransformInfo.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/CallSite.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/GetElementPtrTypeIterator.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstIterator.h"
#include "llvm/IR/InstrTypes.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/NoFolder.h"
#include "llvm/IR/PatternMatch.h"
#include "llvm/IR/Statepoint.h"
#include "llvm/IR/ValueHandle.h"
#include "llvm/IR/ValueMap.h"
#include "llvm/Pass.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Target/TargetLowering.h"
#include "llvm/Target/TargetSubtargetInfo.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/BuildLibCalls.h"
#include "llvm/Transforms/Utils/BypassSlowDivision.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/SimplifyLibCalls.h"
using namespace llvm;
using namespace llvm::PatternMatch;

#define DEBUG_TYPE "taintrelaxedatomics"

namespace llvm {

// The depth we trace down a variable to look for its dependence set.
const unsigned kDependenceDepth = 4;

// Recursively looks for variables that 'Val' depends on at the given depth
// 'Depth', and adds them in 'DepSet'. If 'InsertOnlyLeafNodes' is true, only
// inserts the leaf node values; otherwise, all visited nodes are included in
// 'DepSet'. Note that constants will be ignored.
template <typename SetType>
void recursivelyFindDependence(SetType* DepSet, Value* Val,
                               bool InsertOnlyLeafNodes = false,
                               unsigned Depth = kDependenceDepth) {
  if (Val == nullptr) {
    return;
  }
  if (!InsertOnlyLeafNodes && !isa<Constant>(Val)) {
    DepSet->insert(Val);
  }
  if (Depth == 0) {
    // Cannot go deeper. Insert the leaf nodes.
    if (InsertOnlyLeafNodes && !isa<Constant>(Val)) {
      DepSet->insert(Val);
    }
    return;
  }

  // Go one step further to explore the dependence of the operands.
  Instruction* I = nullptr;
  if ((I = dyn_cast<Instruction>(Val))) {
    if (isa<LoadInst>(I)) {
      // A load is considerd the leaf load of the dependence tree. Done.
      DepSet->insert(Val);
      return;
    } else if (I->isBinaryOp()) {
      BinaryOperator* I = dyn_cast<BinaryOperator>(Val);
      Value *Op0 = I->getOperand(0), *Op1 = I->getOperand(1);
      recursivelyFindDependence(DepSet, Op0, InsertOnlyLeafNodes, Depth - 1);
      recursivelyFindDependence(DepSet, Op1, InsertOnlyLeafNodes, Depth - 1);
    } else if (I->isCast()) {
      Value* Op0 = I->getOperand(0);
      recursivelyFindDependence(DepSet, Op0, InsertOnlyLeafNodes, Depth - 1);
    } else if (I->getOpcode() == Instruction::Select) {
      Value* Op0 = I->getOperand(0);
      Value* Op1 = I->getOperand(1);
      Value* Op2 = I->getOperand(2);
      recursivelyFindDependence(DepSet, Op0, InsertOnlyLeafNodes, Depth - 1);
      recursivelyFindDependence(DepSet, Op1, InsertOnlyLeafNodes, Depth - 1);
      recursivelyFindDependence(DepSet, Op2, InsertOnlyLeafNodes, Depth - 1);
    } else if (I->getOpcode() == Instruction::GetElementPtr) {
      for (unsigned i = 0; i < I->getNumOperands(); i++) {
        recursivelyFindDependence(DepSet, I->getOperand(i), InsertOnlyLeafNodes,
                                  Depth - 1);
      }
    } else if (I->getOpcode() == Instruction::Store) {
      auto* SI = dyn_cast<StoreInst>(Val);
      recursivelyFindDependence(DepSet, SI->getPointerOperand(),
                                InsertOnlyLeafNodes, Depth - 1);
      recursivelyFindDependence(DepSet, SI->getValueOperand(),
                                InsertOnlyLeafNodes, Depth - 1);
    } else {
      Value* Op0 = nullptr;
      Value* Op1 = nullptr;
      switch (I->getOpcode()) {
        case Instruction::ICmp:
        case Instruction::FCmp: {
          Op0 = I->getOperand(0);
          Op1 = I->getOperand(1);
          recursivelyFindDependence(DepSet, Op0, InsertOnlyLeafNodes,
                                    Depth - 1);
          recursivelyFindDependence(DepSet, Op1, InsertOnlyLeafNodes,
                                    Depth - 1);
          break;
        }
        case Instruction::PHI: {
          for (unsigned i = 0; i < I->getNumOperands(); i++) {
            auto* op = I->getOperand(i);
            if (DepSet->count(op) == 0) {
              recursivelyFindDependence(DepSet, I->getOperand(i),
                                        InsertOnlyLeafNodes, Depth - 1);
            }
          }
          break;
        }
        default: {
          // Be conservative. Add it and be done with it.
          DepSet->insert(Val);
          return;
        }
      }
    }
  } else if (isa<Constant>(Val)) {
    // Not interested in constant values. Done.
    return;
  } else {
    // Be conservative. Add it and be done with it.
    DepSet->insert(Val);
    return;
  }
}

// Helper function to create a Cast instruction.
template <typename BuilderTy>
Value* createCast(BuilderTy& Builder, Value* DepVal,
                  Type* TargetIntegerType) {
  Instruction::CastOps CastOp = Instruction::BitCast;
  switch (DepVal->getType()->getTypeID()) {
    case Type::IntegerTyID: {
      assert(TargetIntegerType->getTypeID() == Type::IntegerTyID);
      auto* FromType = dyn_cast<IntegerType>(DepVal->getType());
      auto* ToType = dyn_cast<IntegerType>(TargetIntegerType);
      assert(FromType && ToType);
      if (FromType->getBitWidth() <= ToType->getBitWidth()) {
        CastOp = Instruction::ZExt;
      } else {
        CastOp = Instruction::Trunc;
      }
      break;
    }
    case Type::FloatTyID:
    case Type::DoubleTyID: {
      CastOp = Instruction::FPToSI;
      break;
    }
    case Type::PointerTyID: {
      CastOp = Instruction::PtrToInt;
      break;
    }
    default: { break; }
  }

  return Builder.CreateCast(CastOp, DepVal, TargetIntegerType);
}

// Given a value, if it's a tainted address, this function returns the
// instruction that ORs the "dependence value" with the "original address".
// Otherwise, returns nullptr.  This instruction is the first OR instruction
// where one of its operand is an AND instruction with an operand being 0.
//
// E.g., it returns '%4 = or i32 %3, %2' given 'CurrentAddress' is '%5'.
// %0 = load i32, i32* @y, align 4, !tbaa !1
// %cmp = icmp ne i32 %0, 42  // <== this is like the condition
// %1 = sext i1 %cmp to i32
// %2 = ptrtoint i32* @x to i32
// %3 = and i32 %1, 0
// %4 = or i32 %3, %2
// %5 = inttoptr i32 %4 to i32*
// store i32 1, i32* %5, align 4
Instruction* getOrAddress(Value* CurrentAddress) {
  // Is it a cast from integer to pointer type.
  Instruction* OrAddress = nullptr;
  Instruction* AndDep = nullptr;
  Constant* ZeroConst = nullptr;

  const Instruction* CastToPtr = dyn_cast<Instruction>(CurrentAddress);
  if (CastToPtr && CastToPtr->getOpcode() == Instruction::IntToPtr) {
    // Is it an OR instruction: %1 = or %and, %actualAddress.
    if ((OrAddress = dyn_cast<Instruction>(CastToPtr->getOperand(0))) &&
        OrAddress->getOpcode() == Instruction::Or) {
      // The first operand should be and AND instruction.
      AndDep = dyn_cast<Instruction>(OrAddress->getOperand(0));
      if (AndDep && AndDep->getOpcode() == Instruction::And) {
        // Also make sure its first operand of the "AND" is 0, or the "AND" is
        // marked explicitly by "NoInstCombine".
        if ((ZeroConst = dyn_cast<Constant>(AndDep->getOperand(1))) &&
            ZeroConst->isNullValue()) {
          return OrAddress;
        }
      }
    }
  }
  // Looks like it's not been tainted.
  return nullptr;
}

// Given a value, if it's a tainted address, this function returns the
// instruction that taints the "dependence value". Otherwise, returns nullptr.
// This instruction is the last AND instruction where one of its operand is 0.
// E.g., it returns '%3' given 'CurrentAddress' is '%5'.
// %0 = load i32, i32* @y, align 4, !tbaa !1
// %cmp = icmp ne i32 %0, 42  // <== this is like the condition
// %1 = sext i1 %cmp to i32
// %2 = ptrtoint i32* @x to i32
// %3 = and i32 %1, 0
// %4 = or i32 %3, %2
// %5 = inttoptr i32 %4 to i32*
// store i32 1, i32* %5, align 4
Instruction* getAndDependence(Value* CurrentAddress) {
  // If 'CurrentAddress' is tainted, get the OR instruction.
  auto* OrAddress = getOrAddress(CurrentAddress);
  if (OrAddress == nullptr) {
    return nullptr;
  }

  // No need to check the operands.
  auto* AndDepInst = dyn_cast<Instruction>(OrAddress->getOperand(0));
  assert(AndDepInst);
  return AndDepInst;
}

// Given a value, if it's a tainted address, this function returns
// the "dependence value", which is the first operand in the AND instruction.
// E.g., it returns '%1' given 'CurrentAddress' is '%5'.
// %0 = load i32, i32* @y, align 4, !tbaa !1
// %cmp = icmp ne i32 %0, 42  // <== this is like the condition
// %1 = sext i1 %cmp to i32
// %2 = ptrtoint i32* @x to i32
// %3 = and i32 %1, 0
// %4 = or i32 %3, %2
// %5 = inttoptr i32 %4 to i32*
// store i32 1, i32* %5, align 4
Value* getDependence(Value* CurrentAddress) {
  auto* AndInst = getAndDependence(CurrentAddress);
  if (AndInst == nullptr) {
    return nullptr;
  }
  return AndInst->getOperand(0);
}

// Given an address that has been tainted, returns the only condition it depends
// on, if any; otherwise, returns nullptr.
Value* getConditionDependence(Value* Address) {
  auto* Dep = getDependence(Address);
  if (Dep == nullptr) {
    // 'Address' has not been dependence-tainted.
    return nullptr;
  }

  Value* Operand = Dep;
  while (true) {
    auto* Inst = dyn_cast<Instruction>(Operand);
    if (Inst == nullptr) {
      // Non-instruction type does not have condition dependence.
      return nullptr;
    }
    if (Inst->getOpcode() == Instruction::ICmp) {
      return Inst;
    } else {
      if (Inst->getNumOperands() != 1) {
        return nullptr;
      } else {
        Operand = Inst->getOperand(0);
      }
    }
  }
}

// Conservatively decides whether the dependence set of 'Val1' includes the
// dependence set of 'Val2'. If 'ExpandSecondValue' is false, we do not expand
// 'Val2' and use that single value as its dependence set.
// If it returns true, it means the dependence set of 'Val1' includes that of
// 'Val2'; otherwise, it only means we cannot conclusively decide it.
bool dependenceSetInclusion(Value* Val1, Value* Val2,
                            int Val1ExpandLevel = 2 * kDependenceDepth,
                            int Val2ExpandLevel = kDependenceDepth) {
  typedef SmallSet<Value*, 8> IncludingSet;
  typedef SmallSet<Value*, 4> IncludedSet;

  IncludingSet DepSet1;
  IncludedSet DepSet2;
  // Look for more depths for the including set.
  recursivelyFindDependence(&DepSet1, Val1, false /*Insert all visited nodes*/,
                            Val1ExpandLevel);
  recursivelyFindDependence(&DepSet2, Val2, true /*Only insert leaf nodes*/,
                            Val2ExpandLevel);

  auto set_inclusion = [](IncludingSet FullSet, IncludedSet Subset) {
    for (auto* Dep : Subset) {
      if (0 == FullSet.count(Dep)) {
        return false;
      }
    }
    return true;
  };
  bool inclusion = set_inclusion(DepSet1, DepSet2);
  DEBUG(dbgs() << "[dependenceSetInclusion]: " << inclusion << "\n");
  DEBUG(dbgs() << "Including set for: " << *Val1 << "\n");
  DEBUG(for (const auto* Dep : DepSet1) { dbgs() << "\t\t" << *Dep << "\n"; });
  DEBUG(dbgs() << "Included set for: " << *Val2 << "\n");
  DEBUG(for (const auto* Dep : DepSet2) { dbgs() << "\t\t" << *Dep << "\n"; });

  return inclusion;
}

// Recursively iterates through the operands spawned from 'DepVal'. If there
// exists a single value that 'DepVal' only depends on, we call that value the
// root dependence of 'DepVal' and return it. Otherwise, return 'DepVal'.
Value* getRootDependence(Value* DepVal) {
  SmallSet<Value*, 8> DepSet;
  for (unsigned depth = kDependenceDepth; depth > 0; --depth) {
    recursivelyFindDependence(&DepSet, DepVal, true /*Only insert leaf nodes*/,
                              depth);
    if (DepSet.size() == 1) {
      return *DepSet.begin();
    }
    DepSet.clear();
  }
  return DepVal;
}

// This function actually taints 'DepVal' to the address to 'SI'. If the
// address
// of 'SI' already depends on whatever 'DepVal' depends on, this function
// doesn't do anything and returns false. Otherwise, returns true.
//
// This effect forces the store and any stores that comes later to depend on
// 'DepVal'. For example, we have a condition "cond", and a store instruction
// "s: STORE addr, val". If we want "s" (and any later store) to depend on
// "cond", we do the following:
// %conv = sext i1 %cond to i32
// %addrVal = ptrtoint i32* %addr to i32
// %andCond = and i32 conv, 0;
// %orAddr = or i32 %andCond, %addrVal;
// %NewAddr = inttoptr i32 %orAddr to i32*;
//
// This is a more concrete example:
// ------
// %0 = load i32, i32* @y, align 4, !tbaa !1
// %cmp = icmp ne i32 %0, 42  // <== this is like the condition
// %1 = sext i1 %cmp to i32
// %2 = ptrtoint i32* @x to i32
// %3 = and i32 %1, 0
// %4 = or i32 %3, %2
// %5 = inttoptr i32 %4 to i32*
// store i32 1, i32* %5, align 4
bool taintStoreAddress(StoreInst* SI, Value* DepVal) {
  // Set the insertion point right after the 'DepVal'.
  IRBuilder<true, NoFolder> Builder(SI);
  BasicBlock* BB = SI->getParent();
  Value* Address = SI->getPointerOperand();
  Type* TargetIntegerType =
      IntegerType::get(Address->getContext(),
                       BB->getModule()->getDataLayout().getPointerSizeInBits());

  // Does SI's address already depends on whatever 'DepVal' depends on?
  if (StoreAddressDependOnValue(SI, DepVal)) {
    return false;
  }

  // Figure out if there's a root variable 'DepVal' depends on. For example, we
  // can extract "getelementptr inbounds %struct, %struct* %0, i64 0, i32 123"
  // to be "%struct* %0" since all other operands are constant.
  auto* RootVal = getRootDependence(DepVal);
  auto* RootInst = dyn_cast<Instruction>(RootVal);
  auto* DepValInst = dyn_cast<Instruction>(DepVal);
  if (RootInst && DepValInst &&
      RootInst->getParent() == DepValInst->getParent()) {
    DepVal = RootVal;
  }

  // Is this already a dependence-tainted store?
  Value* OldDep = getDependence(Address);
  if (OldDep) {
    // The address of 'SI' has already been tainted.  Just need to absorb the
    // DepVal to the existing dependence in the address of SI.
    Instruction* AndDep = getAndDependence(Address);
    IRBuilder<true, NoFolder> Builder(AndDep);
    Value* NewDep = nullptr;
    if (DepVal->getType() == AndDep->getType()) {
      NewDep = Builder.CreateAnd(OldDep, DepVal);
    } else {
      NewDep = Builder.CreateAnd(
          OldDep, createCast(Builder, DepVal, TargetIntegerType));
    }

    // Use the new AND instruction as the dependence
    AndDep->setOperand(0, NewDep);
    return true;
  }

  // SI's address has not been tainted. Now taint it with 'DepVal'.
  Value* CastDepToInt = createCast(Builder, DepVal, TargetIntegerType);
  Value* PtrToIntCast = Builder.CreatePtrToInt(Address, TargetIntegerType);
  Value* AndDepVal =
      Builder.CreateAnd(CastDepToInt, ConstantInt::get(TargetIntegerType, 0));
  // XXX-comment: The original IR InstCombiner would change our and instruction
  // to a select and then the back end optimize the condition out.  We attach a
  // flag to instructions and set it here to inform the InstCombiner to not to
  // touch this and instruction at all.
  Value* OrAddr = Builder.CreateOr(AndDepVal, PtrToIntCast);
  Value* NewAddr = Builder.CreateIntToPtr(OrAddr, Address->getType());

  DEBUG(dbgs() << "[taintStoreAddress]\n"
               << "Original store: " << *SI << '\n');
  SI->setOperand(1, NewAddr);

  // Debug output.
  DEBUG(dbgs() << "\tTargetIntegerType: " << *TargetIntegerType << '\n'
               << "\tCast dependence value to integer: " << *CastDepToInt
               << '\n'
               << "\tCast address to integer: " << *PtrToIntCast << '\n'
               << "\tAnd dependence value: " << *AndDepVal << '\n'
               << "\tOr address: " << *OrAddr << '\n'
               << "\tCast or instruction to address: " << *NewAddr << "\n\n");

  return true;
}

// Given the load part result of a RMW 'LoadPart', taints the address of the store
// exclusive 'Addr' and returns it.
Value* taintRMWStoreAddressWithLoadPart(IRBuilder<>& Builder, Value* Address, Instruction* LoadPart) {
  auto* BB = LoadPart->getParent();

  Type* TargetIntegerType =
      IntegerType::get(Address->getContext(),
                       BB->getModule()->getDataLayout().getPointerSizeInBits());

  // SI's address has not been tainted. Now taint it with 'DepVal'.
  Value* CastDepToInt = createCast(Builder, LoadPart, TargetIntegerType);
  Value* PtrToIntCast = Builder.CreatePtrToInt(Address, TargetIntegerType);
  Value* AndDepVal =
      Builder.CreateAnd(CastDepToInt, ConstantInt::get(TargetIntegerType, 0));
  Value* OrAddr = Builder.CreateOr(AndDepVal, PtrToIntCast);
  Value* NewAddr = Builder.CreateIntToPtr(OrAddr, Address->getType());

  DEBUG(dbgs() << "[taintStoreAddressOfRMWStorePart]\n"
               << "Original address: " << *Address << '\n');

  // Debug output.
  DEBUG(dbgs() << "\tTargetIntegerType: " << *TargetIntegerType << '\n'
               << "\tCast dependence value to integer: " << *CastDepToInt
               << '\n'
               << "\tCast address to integer: " << *PtrToIntCast << '\n'
               << "\tAnd dependence value: " << *AndDepVal << '\n'
               << "\tOr address: " << *OrAddr << '\n'
               << "\tCast or instruction to address: " << *NewAddr << "\n\n");

  return NewAddr;
}

// Looks for the previous store in the if block --- 'BrBB', which makes the
// speculative store 'StoreToHoist' safe.
Value* getSpeculativeStoreInPrevBB(StoreInst* StoreToHoist, BasicBlock* BrBB) {
  assert(StoreToHoist && "StoreToHoist must be a real store");

  Value* StorePtr = StoreToHoist->getPointerOperand();

  // Look for a store to the same pointer in BrBB.
  for (BasicBlock::reverse_iterator RI = BrBB->rbegin(), RE = BrBB->rend();
       RI != RE; ++RI) {
    Instruction* CurI = &*RI;

    StoreInst* SI = dyn_cast<StoreInst>(CurI);
    // Found the previous store make sure it stores to the same location.
    // XXX-update: If the previous store's original untainted address are the
    // same as 'StorePtr', we are also good to hoist the store.
    if (SI && (SI->getPointerOperand() == StorePtr ||
               GetUntaintedAddress(SI->getPointerOperand()) == StorePtr)) {
      // Found the previous store, return its value operand.
      return SI;
    }
  }

  assert(false &&
         "We should not reach here since this store is safe to speculate");
}

// XXX-comment: Returns true if it changes the code, false otherwise (the branch
// condition already depends on 'DepVal'.
bool taintConditionalBranch(BranchInst* BI, Value* DepVal) {
  assert(BI->isConditional());
  auto* Cond = BI->getOperand(0);
  if (dependenceSetInclusion(Cond, DepVal)) {
    // The dependence/ordering is self-evident.
    return false;
  }

  IRBuilder<true, NoFolder> Builder(BI);
  auto* AndDep =
      Builder.CreateAnd(DepVal, ConstantInt::get(DepVal->getType(), 0));
  auto* TruncAndDep =
      Builder.CreateTrunc(AndDep, IntegerType::get(DepVal->getContext(), 1));
  auto* OrCond = Builder.CreateOr(TruncAndDep, Cond);
  BI->setOperand(0, OrCond);

  // Debug output.
  DEBUG(dbgs() << "\tTainted branch condition:\n" << *BI->getParent());

  return true;
}

bool ConditionalBranchDependsOnValue(BranchInst* BI, Value* DepVal) {
  assert(BI->isConditional());
  auto* Cond = BI->getOperand(0);
  return dependenceSetInclusion(Cond, DepVal);
}

// XXX-update: For an instruction (e.g., a relaxed load) 'Inst', find the first
// immediate atomic store or the first conditional branch. Returns nullptr if
// there's no such immediately following store/branch instructions, which we can
// only enforce the load with 'acquire'. 'ChainedBB' contains all the blocks
// chained together with unconditional branches from 'BB' to the block with the
// first store/cond branch.
template <typename Vector>
Instruction* findFirstStoreCondBranchInst(Instruction* Inst, Vector* ChainedBB) {
  // In some situations, relaxed loads can be left as is:
  // 1. The relaxed load is used to calculate the address of the immediate
  // following store;
  // 2. The relaxed load is used as a condition in the immediate following
  // condition, and there are no stores in between. This is actually quite
  // common. E.g.,
  // int r1 = x.load(relaxed);
  // if (r1 != 0) {
  //   y.store(1, relaxed);
  // }
  // However, in this function, we don't deal with them directly. Instead, we
  // just find the immediate following store/condition branch and return it.

  assert(ChainedBB != nullptr && "Chained BB should not be nullptr");
  auto* BB = Inst->getParent();
  ChainedBB->push_back(BB);
  auto BE = BB->end();
  auto BBI = BasicBlock::iterator(Inst);
  BBI++;
  while (true) {
    for (; BBI != BE; BBI++) {
      Instruction* Inst = &*BBI;
      IntrinsicInst* II = dyn_cast<IntrinsicInst>(&*BBI);
      if (II && II->getIntrinsicID() == Intrinsic::aarch64_stlxr) {
        return II;
      } else if (Inst->getOpcode() == Instruction::Store) {
        return Inst;
      } else if (Inst->getOpcode() == Instruction::Br) {
        auto* BrInst = dyn_cast<BranchInst>(Inst);
        if (BrInst->isConditional()) {
          return Inst;
        } else {
          // Reinitialize iterators with the destination of the unconditional
          // branch.
          BB = BrInst->getSuccessor(0);
          ChainedBB->push_back(BB);
          BBI = BB->begin();
          BE = BB->end();
          break;
        }
      }
    }
    if (BBI == BE) {
      return nullptr;
    }
  }
}

// XXX-update: Find the next node of the last relaxed load from 'FromInst' to
// 'ToInst'. If none, return 'ToInst'.
Instruction* findLastLoadNext(Instruction* FromInst, Instruction* ToInst) {
  if (FromInst == ToInst) {
    return ToInst;
  }
  Instruction* LastLoad = ToInst;
  auto* BB = FromInst->getParent();
  auto BE = BB->end();
  auto BBI = BasicBlock::iterator(FromInst);
  BBI++;
  for (; BBI != BE && &*BBI != ToInst; BBI++) {
    auto* LI = dyn_cast<LoadInst>(&*BBI);
    if (LI == nullptr || !LI->isAtomic() || LI->getOrdering() != Monotonic) {
      continue;
    }
    LastLoad = LI;
    LastLoad = LastLoad->getNextNode();
  }
  return LastLoad;
}

// Inserts a fake conditional branch right after the instruction 'SplitInst',
// and the branch condition is 'Condition'. 'SplitInst' will be placed in the
// newly created block.
void AddFakeConditionalBranch(Instruction* SplitInst, Value* Condition) {
  auto* BB = SplitInst->getParent();
  TerminatorInst* ThenTerm = nullptr;
  TerminatorInst* ElseTerm = nullptr;
  SplitBlockAndInsertIfThenElse(Condition, SplitInst, &ThenTerm, &ElseTerm);
  assert(ThenTerm && ElseTerm &&
         "Then/Else terminators cannot be empty after basic block spliting");
  auto* ThenBB = ThenTerm->getParent();
  auto* ElseBB = ElseTerm->getParent();
  auto* TailBB = ThenBB->getSingleSuccessor();
  assert(TailBB && "Tail block cannot be empty after basic block spliting");

  ThenBB->disableCanEliminateBlock();
  ThenBB->disableCanEliminateBlock();
  TailBB->disableCanEliminateBlock();
  ThenBB->setName(BB->getName() + "Then.Fake");
  ElseBB->setName(BB->getName() + "Else.Fake");
  DEBUG(dbgs() << "Add fake conditional branch:\n"
               << "Then Block:\n"
               << *ThenBB << "Else Block:\n"
               << *ElseBB << "\n");
}

// Returns true if the code is changed, and false otherwise.
void TaintRelaxedLoads(Instruction* UsageInst, Instruction* InsertPoint) {
  // For better performance, we can add a "AND X 0" instruction before the
  // condition.
  auto* BB = UsageInst->getParent();
  if (InsertPoint == nullptr) {
    InsertPoint = UsageInst->getNextNode();
  }
  // Insert instructions after PHI nodes.
  while (dyn_cast<PHINode>(InsertPoint)) {
    InsertPoint = InsertPoint->getNextNode();
  }
  // First thing is to cast 'UsageInst' to an integer type if necessary.
  Value* AndTarget = nullptr;
  Type* TargetIntegerType =
      IntegerType::get(UsageInst->getContext(),
                       BB->getModule()->getDataLayout().getPointerSizeInBits());

  // Check whether InsertPoint is a added fake conditional branch.
  BranchInst* BI = nullptr;
  if ((BI = dyn_cast<BranchInst>(InsertPoint)) && BI->isConditional()) {
    auto* Cond = dyn_cast<Instruction>(BI->getOperand(0));
    if (Cond && Cond->getOpcode() == Instruction::ICmp) {
      auto* CmpInst = dyn_cast<ICmpInst>(Cond);
      auto* Op0 = dyn_cast<Instruction>(Cond->getOperand(0));
      auto* Op1 = dyn_cast<ConstantInt>(Cond->getOperand(1));
      // %tmp = And X, 0
      // %cmp = ICMP_NE %tmp, 0
      // Br %cmp
      // =>
      // %tmp1 = And X, NewTaintedVal
      // %tmp2 = And %tmp1, 0
      // %cmp = ICMP_NE %tmp2, 0
      // Br %cmp
      if (CmpInst && CmpInst->getPredicate() == CmpInst::ICMP_NE && Op0 &&
          Op0->getOpcode() == Instruction::And && Op1 && Op1->isZero()) {
        auto* Op01 = dyn_cast<ConstantInt>(Op0->getOperand(1));
        if (Op01 && Op01->isZero()) {
          // Now we have a previously added fake cond branch.
          auto* Op00 = Op0->getOperand(0);
          IRBuilder<true, NoFolder> Builder(CmpInst);
          if (Op00->getType() == UsageInst->getType()) {
            AndTarget = UsageInst;
          } else {
            AndTarget = createCast(Builder, UsageInst, Op00->getType());
          }
          AndTarget = Builder.CreateAnd(Op00, AndTarget);
          auto* AndZero = dyn_cast<Instruction>(Builder.CreateAnd(
              AndTarget, Constant::getNullValue(AndTarget->getType())));
          CmpInst->setOperand(0, AndZero);
          return;
        }
      }
    }
  }

  IRBuilder<true, NoFolder> Builder(InsertPoint);
  if (IntegerType::classof(UsageInst->getType())) {
    AndTarget = UsageInst;
  } else {
    AndTarget = createCast(Builder, UsageInst, TargetIntegerType);
  }
  auto* AndZero = dyn_cast<Instruction>(
      Builder.CreateAnd(AndTarget, Constant::getNullValue(AndTarget->getType())));
  auto* FakeCondition = dyn_cast<Instruction>(Builder.CreateICmp(
      CmpInst::ICMP_NE, AndZero, Constant::getNullValue(AndTarget->getType())));
  AddFakeConditionalBranch(FakeCondition->getNextNode(), FakeCondition);
}

// Taints the 'Inst' (i.e., adds a fake conditional block that uses the 'Inst')
// at the beginning of basic block 'BB'. Note that we need to add an appropriate
// PHI node and taint the PHI node. Returns true if the code is changed, and
// false otherwise.
void TaintAtBlockBeginning(Instruction* Inst, BasicBlock* BB) {
  auto* CurBB = Inst->getParent();
  auto* FirstInst = BB->getFirstNonPHI();
  IRBuilder<true, NoFolder> Builder(FirstInst);
  auto* Phi = Builder.CreatePHI(Inst->getType(), 0, Inst->getName() + ".phi");
  // Multiple blocks going to BB. We should add a PHI node w.r.t. 'Inst'.
  for (auto* Pred : predecessors(BB)) {
    Value* Val = nullptr;
    if (Pred == CurBB) {
      Val = Inst;
    } else {
      // We don't care what value other paths are.
      Val = UndefValue::get(Inst->getType());
    }
    Phi->addIncoming(Val, Pred);
  }
  return TaintRelaxedLoads(Phi, Phi);
}

// XXX-comment: Finds the appropriate Value derived from an atomic load.
// 'ChainedBB' contains all the blocks chained together with unconditional
// branches from LI's parent BB to the block with the first store/cond branch.
// If we don't find any, it means 'LI' is not used at all (which should not
// happen in practice). We can simply set 'LI' to be acquire just to be safe.
template <typename Vector>
Instruction* findMostRecentDependenceUsage(LoadInst* LI, Instruction* LaterInst,
                                           Vector* ChainedBB,
                                           DominatorTree* DT) {
  typedef SmallSet<Instruction*, 8> UsageSet;
  typedef DenseMap<BasicBlock*, std::unique_ptr<UsageSet>> UsageMap;
  assert(ChainedBB->size() >= 1 && "ChainedBB must have >=1 size");
  // Mapping from basic block in 'ChainedBB' to the set of dependence usage of
  // 'LI' in each block.
  UsageMap usage_map;
  auto* LoadBB = LI->getParent();
  usage_map[LoadBB] = make_unique<UsageSet>();
  usage_map[LoadBB]->insert(LI);

  for (auto* BB : *ChainedBB) {
    if (usage_map[BB] == nullptr) {
      usage_map[BB] = make_unique<UsageSet>();
    }
    auto& usage_set = usage_map[BB];
    if (usage_set->size() == 0) {
      // The value has not been used.
      return nullptr;
    }
    // Calculate the usage in the current BB first.
    std::list<Value*> bb_usage_list;
    std::copy(usage_set->begin(), usage_set->end(),
              std::back_inserter(bb_usage_list));
    for (auto list_iter = bb_usage_list.begin();
         list_iter != bb_usage_list.end(); list_iter++) {
      auto* val = *list_iter;
      for (auto* U : val->users()) {
        Instruction* Inst = nullptr;
        if (!(Inst = dyn_cast<Instruction>(U))) {
          continue;
        }
        assert(Inst && "Usage value must be an instruction");
        auto iter =
            std::find(ChainedBB->begin(), ChainedBB->end(), Inst->getParent());
        if (iter == ChainedBB->end()) {
          // Only care about usage within ChainedBB.
          continue;
        }
        auto* UsageBB = *iter;
        if (UsageBB == BB) {
          // Current BB.
          if (!usage_set->count(Inst)) {
            bb_usage_list.push_back(Inst);
            usage_set->insert(Inst);
          }
        } else {
          // A following BB.
          if (usage_map[UsageBB] == nullptr) {
            usage_map[UsageBB] = make_unique<UsageSet>();
          }
          usage_map[UsageBB]->insert(Inst);
        }
      }
    }
  }

  // Pick one usage that is in LaterInst's block and that dominates 'LaterInst'.
  auto* LaterBB = LaterInst->getParent();
  auto& usage_set = usage_map[LaterBB];
  Instruction* usage_inst = nullptr;
  for (auto* inst : *usage_set) {
    if (DT->dominates(inst, LaterInst)) {
      usage_inst = inst;
      break;
    }
  }

  assert(usage_inst && "The usage instruction in the same block but after the "
                       "later instruction");
  return usage_inst;
}

// XXX-comment: For an instruction (e.g., a load) 'Inst', and the first upcoming
// store/conditional branch instruction 'FirstInst', returns whether there are
// any intermediate instructions I (including 'FirstInst') that satisfy:
// 1. I is a load/store, and its address depends on 'Inst'.
// 2. I is a conditional branch whose condition depends on 'Inst'.
// Note that 'Inst' and 'FirstInst' can be in different basic blocks, but Inst's
// basic block can unconditionally jumps (by steps) to FirstInst's block.
bool NeedExtraConstraints(Instruction* Inst, Instruction* FirstInst) {
  if (!FirstInst) {
    return true;
  }
  auto BBI = Inst->getIterator();
  BBI++;
  while (true) {
    auto* I = &*BBI;
    BBI++;
    BranchInst *BI = dyn_cast<BranchInst>(I);
    if (BI && BI->isUnconditional()) {
      BasicBlock *DestBB = BI->getSuccessor(0);
      BBI = DestBB->begin();
      continue;
    }

    if (I->getOpcode() == Instruction::Store) {
      return !StoreAddressDependOnValue(dyn_cast<StoreInst>(I), Inst);
    } else if (I->getOpcode() == Instruction::Load) {
      if (I->isAtomic() &&
          LoadAddressDependOnValue(dyn_cast<LoadInst>(I), Inst)) {
        // Normal loads are subject to be reordered by the backend, so we only
        // rely on atomic loads.
        return false;
      }
    } else if (I->getOpcode() == Instruction::Br) {
      return !ConditionalBranchDependsOnValue(dyn_cast<BranchInst>(I), Inst);
    }
    if (I == FirstInst) {
      return true;
    }
  }
  return true;
}

// XXX-comment: For an instruction (e.g., a load) 'Inst', returns whether there
// are any intermediate instructions I (including 'FirstInst') that satisfy:
// 1. There are no reachable store/conditional branch before 'I'.
// 2. I is a load/store, and its address depends on 'Inst'.
// 3. I is a conditional branch whose condition depends on 'Inst'.
// Note that 'Inst' and 'FirstInst' can be in different basic blocks, but Inst's
// basic block can unconditionally jumps (by steps) to FirstInst's block.
bool NeedExtraConstraints(Instruction* Inst) {
  SmallVector<BasicBlock*, 2> ChainedBB;
  auto* FirstInst = findFirstStoreCondBranchInst(Inst, &ChainedBB);
  return NeedExtraConstraints(Inst, FirstInst);
}

// XXX-comment: Returns whether the code has been changed.
bool AddFakeConditionalBranchAfterMonotonicLoads(
    SmallSet<LoadInst*, 1>& MonotonicLoadInsts, DominatorTree* DT) {
  bool Changed = false;
  while (!MonotonicLoadInsts.empty()) {
    auto* LI = *MonotonicLoadInsts.begin();
    MonotonicLoadInsts.erase(LI);
    SmallVector<BasicBlock*, 2> ChainedBB;
    auto* FirstInst = findFirstStoreCondBranchInst(LI, &ChainedBB);

    // First check whether existing load-store ordering constraints exist.
    if (FirstInst != nullptr && !NeedExtraConstraints(LI, FirstInst)) {
      continue;
    }

    // We really need to process the relaxed load now. First see if we can delay
    // the tainting.
    if (FirstInst) {
      auto* FirstInstBBTerm = FirstInst->getParent()->getTerminator();
      while (FirstInst != FirstInstBBTerm) {
        if (!CanDelayTainting(LI, FirstInst)) {
          break;
        }
        FirstInst = FirstInst->getNextNode();
      }
    }

    StoreInst* SI = nullptr;
    IntrinsicInst* II = nullptr;
    if (FirstInst) {
      SI = dyn_cast<StoreInst>(FirstInst);
      II = dyn_cast<IntrinsicInst>(FirstInst);
    }
    if (FirstInst &&
        (SI || (II && II->getIntrinsicID() == Intrinsic::aarch64_stlxr))) {
      // For immediately coming stores, taint the address of the store.
      if (FirstInst->getParent() == LI->getParent() ||
          DT->dominates(LI, FirstInst)) {
        TaintRelaxedLoads(LI, FirstInst);
        Changed = true;
      } else {
        auto* Inst =
            findMostRecentDependenceUsage(LI, FirstInst, &ChainedBB, DT);
        if (!Inst) {
          LI->setOrdering(Acquire);
          Changed = true;
        } else {
          TaintRelaxedLoads(Inst, FirstInst);
          Changed = true;
        }
      }
    } else {
      // No upcoming branch
      if (!FirstInst) {
        TaintRelaxedLoads(LI, nullptr);
        Changed = true;
      } else {
        // For immediately coming branch, directly add a fake branch.
        if (FirstInst->getParent() == LI->getParent() ||
            DT->dominates(LI, FirstInst)) {
          TaintRelaxedLoads(LI, FirstInst);
          Changed = true;
        } else {
          auto* Inst =
              findMostRecentDependenceUsage(LI, FirstInst, &ChainedBB, DT);
          if (Inst) {
            TaintRelaxedLoads(Inst, FirstInst);
          } else {
            LI->setOrdering(Acquire);
          }
          Changed = true;
        }
      }
    }
  }
  return Changed;
}

/**** Implementations of public methods for dependence tainting ****/
Value* GetUntaintedAddress(Value* CurrentAddress) {
  auto* OrAddress = getOrAddress(CurrentAddress);
  if (OrAddress == nullptr) {
    // Is it tainted by a select instruction?
    auto* Inst = dyn_cast<Instruction>(CurrentAddress);
    if (nullptr != Inst && Inst->getOpcode() == Instruction::Select) {
      // A selection instruction.
      if (Inst->getOperand(1) == Inst->getOperand(2)) {
        return Inst->getOperand(1);
      }
    }

    return CurrentAddress;
  }

  auto* CastToInt = dyn_cast<Instruction>(OrAddress->getOperand(1));
  if (CastToInt && CastToInt->getOpcode() == Instruction::PtrToInt) {
    return CastToInt->getOperand(0);
  } else {
    // This should be a IntToPtr constant expression.
    ConstantExpr* PtrToIntExpr =
        dyn_cast<ConstantExpr>(OrAddress->getOperand(1));
    if (PtrToIntExpr && PtrToIntExpr->getOpcode() == Instruction::PtrToInt) {
      return PtrToIntExpr->getOperand(0);
    }
  }

  // Looks like it's not been dependence-tainted. Returns itself.
  return CurrentAddress;
}

MemoryLocation GetUntaintedMemoryLocation(StoreInst* SI) {
  AAMDNodes AATags;
  SI->getAAMetadata(AATags);
  const auto& DL = SI->getModule()->getDataLayout();
  const auto* OriginalAddr = GetUntaintedAddress(SI->getPointerOperand());
  DEBUG(if (OriginalAddr != SI->getPointerOperand()) {
    dbgs() << "[GetUntaintedMemoryLocation]\n"
           << "Storing address: " << *SI->getPointerOperand()
           << "\nUntainted address: " << *OriginalAddr << "\n";
  });
  return MemoryLocation(OriginalAddr,
                        DL.getTypeStoreSize(SI->getValueOperand()->getType()),
                        AATags);
}

bool TaintDependenceToStore(StoreInst* SI, Value* DepVal) {
  if (dependenceSetInclusion(SI, DepVal)) {
    return false;
  }

  bool tainted = taintStoreAddress(SI, DepVal);
  assert(tainted);
  return tainted;
}

bool TaintDependenceToStoreAddress(StoreInst* SI, Value* DepVal) {
  if (dependenceSetInclusion(SI->getPointerOperand(), DepVal)) {
    return false;
  }

  bool tainted = taintStoreAddress(SI, DepVal);
  assert(tainted);
  return tainted;
}

bool CompressTaintedStore(BasicBlock* BB) {
  // This function looks for windows of adajcent stores in 'BB' that satisfy the
  // following condition (and then do optimization):
  // *Addr(d1) = v1, d1 is a condition and is the only dependence the store's
  //                 address depends on && Dep(v1) includes Dep(d1);
  // *Addr(d2) = v2, d2 is a condition and is the only dependnece the store's
  //                 address depends on && Dep(v2) includes Dep(d2) &&
  //                 Dep(d2) includes Dep(d1);
  // ...
  // *Addr(dN) = vN, dN is a condition and is the only dependence the store's
  //                 address depends on && Dep(dN) includes Dep(d"N-1").
  //
  // As a result, Dep(dN) includes [Dep(d1) V ... V Dep(d"N-1")], so we can
  // safely transform the above to the following. In between these stores, we
  // can omit untainted stores to the same address 'Addr' since they internally
  // have dependence on the previous stores on the same address.
  // =>
  // *Addr = v1
  // *Addr = v2
  // *Addr(d3) = v3
  for (auto BI = BB->begin(), BE = BB->end(); BI != BE; BI++) {
    // Look for the first store in such a window of adajacent stores.
    auto* FirstSI = dyn_cast<StoreInst>(&*BI);
    if (!FirstSI) {
      continue;
    }

    // The first store in the window must be tainted.
    auto* UntaintedAddress = GetUntaintedAddress(FirstSI->getPointerOperand());
    if (UntaintedAddress == FirstSI->getPointerOperand()) {
      continue;
    }

    // The first store's address must directly depend on and only depend on a
    // condition.
    auto* FirstSIDepCond = getConditionDependence(FirstSI->getPointerOperand());
    if (nullptr == FirstSIDepCond) {
      continue;
    }

    // Dep(first store's storing value) includes Dep(tainted dependence).
    if (!dependenceSetInclusion(FirstSI->getValueOperand(), FirstSIDepCond)) {
      continue;
    }

    // Look for subsequent stores to the same address that satisfy the condition
    // of "compressing the dependence".
    SmallVector<StoreInst*, 8> AdajacentStores;
    AdajacentStores.push_back(FirstSI);
    auto BII = BasicBlock::iterator(FirstSI);
    for (BII++; BII != BE; BII++) {
      auto* CurrSI = dyn_cast<StoreInst>(&*BII);
      if (!CurrSI) {
        if (BII->mayHaveSideEffects()) {
          // Be conservative. Instructions with side effects are similar to
          // stores.
          break;
        }
        continue;
      }

      auto* OrigAddress = GetUntaintedAddress(CurrSI->getPointerOperand());
      auto* CurrSIDepCond = getConditionDependence(CurrSI->getPointerOperand());
      // All other stores must satisfy either:
      // A. 'CurrSI' is an untainted store to the same address, or
      // B. the combination of the following 5 subconditions:
      // 1. Tainted;
      // 2. Untainted address is the same as the group's address;
      // 3. The address is tainted with a sole value which is a condition;
      // 4. The storing value depends on the condition in 3.
      // 5. The condition in 3 depends on the previous stores dependence
      // condition.

      // Condition A. Should ignore this store directly.
      if (OrigAddress == CurrSI->getPointerOperand() &&
          OrigAddress == UntaintedAddress) {
        continue;
      }
      // Check condition B.
      if (OrigAddress == CurrSI->getPointerOperand() ||
          OrigAddress != UntaintedAddress || CurrSIDepCond == nullptr ||
          !dependenceSetInclusion(CurrSI->getValueOperand(), CurrSIDepCond)) {
        // Check condition 1, 2, 3 & 4.
        break;
      }

      // Check condition 5.
      StoreInst* PrevSI = AdajacentStores[AdajacentStores.size() - 1];
      auto* PrevSIDepCond = getConditionDependence(PrevSI->getPointerOperand());
      assert(PrevSIDepCond &&
             "Store in the group must already depend on a condtion");
      if (!dependenceSetInclusion(CurrSIDepCond, PrevSIDepCond)) {
        break;
      }

      AdajacentStores.push_back(CurrSI);
    }

    if (AdajacentStores.size() == 1) {
      // The outer loop should keep looking from the next store.
      continue;
    }

    // Now we have such a group of tainted stores to the same address.
    DEBUG(dbgs() << "[CompressTaintedStore]\n");
    DEBUG(dbgs() << "Original BB\n");
    DEBUG(dbgs() << *BB << '\n');
    auto* LastSI = AdajacentStores[AdajacentStores.size() - 1];
    for (unsigned i = 0; i < AdajacentStores.size() - 1; ++i) {
      auto* SI = AdajacentStores[i];

      // Use the original address for stores before the last one.
      SI->setOperand(1, UntaintedAddress);

      DEBUG(dbgs() << "Store address has been reversed: " << *SI << '\n';);
    }
    // XXX-comment: Try to make the last store use fewer registers.
    // If LastSI's storing value is a select based on the condition with which
    // its address is tainted, transform the tainted address to a select
    // instruction, as follows:
    // r1 = Select Cond ? A : B
    // r2 = Cond & 0
    // r3 = Addr | r2
    // *r3 = r1
    // ==>
    // r1 = Select Cond ? A : B
    // r2 = Select Cond ? Addr : Addr
    // *r2 = r1
    // The idea is that both Select instructions depend on the same condition,
    // so hopefully the backend can generate two cmov instructions for them (and
    // this saves the number of registers needed).
    auto* LastSIDep = getConditionDependence(LastSI->getPointerOperand());
    auto* LastSIValue = dyn_cast<Instruction>(LastSI->getValueOperand());
    if (LastSIValue && LastSIValue->getOpcode() == Instruction::Select &&
        LastSIValue->getOperand(0) == LastSIDep) {
      // XXX-comment: Maybe it's better for us to just leave it as an and/or
      // dependence pattern.
      //      /*
      IRBuilder<true, NoFolder> Builder(LastSI);
      auto* Address =
          Builder.CreateSelect(LastSIDep, UntaintedAddress, UntaintedAddress);
      LastSI->setOperand(1, Address);
      DEBUG(dbgs() << "The last store becomes :" << *LastSI << "\n\n";);
      //      */
    }
  }

  return true;
}

bool PassDependenceToStore(Value* OldAddress, StoreInst* NewStore) {
  Value* OldDep = getDependence(OldAddress);
  // Return false when there's no dependence to pass from the OldAddress.
  if (!OldDep) {
    return false;
  }

  // No need to pass the dependence to NewStore's address if it already depends
  // on whatever 'OldAddress' depends on.
  if (StoreAddressDependOnValue(NewStore, OldDep)) {
    return false;
  }
  return taintStoreAddress(NewStore, OldAddress);
}

SmallSet<Value*, 8> FindDependence(Value* Val) {
  SmallSet<Value*, 8> DepSet;
  recursivelyFindDependence(&DepSet, Val, true /*Only insert leaf nodes*/);
  return DepSet;
}

bool StoreAddressDependOnValue(StoreInst* SI, Value* DepVal) {
  return dependenceSetInclusion(SI->getPointerOperand(), DepVal);
}

bool LoadAddressDependOnValue(LoadInst* LI, Value* DepVal) {
  return dependenceSetInclusion(LI->getPointerOperand(), DepVal);
}

bool StoreDependOnValue(StoreInst* SI, Value* Dep) {
  return dependenceSetInclusion(SI, Dep);
}

bool ValueDependOnValue(Value* Inst, Value* Dep) {
  return dependenceSetInclusion(Inst, Dep);
}

// XXX-update: Checks whether the relaxed load 'LI' has subsequent instructions
// that naturally prevents it from being reordered across later stores.
bool HasSubsequentOrderingProtection(LoadInst* LI) {
  auto* BB = LI->getParent();
  auto* Term = BB->getTerminator();
  for (auto Iter = BasicBlock::iterator(LI->getNextNode()); Iter != BB->end();
       Iter++) {
    Instruction* I = &*Iter;

    // Reaching the end of the block.
    if (I == Term) {
      auto* Branch = dyn_cast<BranchInst>(Term);
      // The last instruction isn't a branch, end of analysis.
      if (!Branch) {
        return false;
      }
      if (Branch->isConditional()) {
        if (ValueDependOnValue(Branch, LI)) {
          // 'LI' is used in the conditional branch.
          return true;
        } else {
          // Reach the end with a cond branch that doesn't use the result of
          // 'LI'.
          return false;
        }
      } else {
        // Reach the end with a unconditional branch, keep going to the next
        // block.
        BB = BB->getSingleSuccessor();
        Term = BB->getTerminator();
        Iter = BB->begin();
        continue;
      }
    }

    // 'I' is a CAS whose old value depends on 'LI'. We don't need to taint 'LI'
    // then.
    auto* CAS = dyn_cast<AtomicCmpXchgInst>(I);
    if (CAS) {
      if (ValueDependOnValue(CAS->getCompareOperand(), LI)) {
        return true;
      }
    }

    // fetch_* operations that have acquire-release semantics.
    auto* RMW = dyn_cast<AtomicRMWInst>(I);
    if (RMW) {
      auto Order = RMW->getOrdering();
      if (Order == AcquireRelease || Order == SequentiallyConsistent) {
        return true;
      }
    }

    // A load whose address depends on 'LI' prevents later stores from being
    // reordered.
    auto* LdInst = dyn_cast<LoadInst>(I);
    if (LdInst) {
      if (ValueDependOnValue(LdInst->getPointerOperand(), LI)) {
        return true;
      }
    }

    // Other instructions that don't affect the reordering.
    if (!I->mayHaveSideEffects()) {
      continue;
    }

    // A store whose address depends on 'LI' is also protection.
    auto* SI = dyn_cast<StoreInst>(I);
    if (SI) {
      if (ValueDependOnValue(SI->getPointerOperand(), LI)) {
        return true;
      }
    }

    // The following are store/store-like operations. They don't protect later
    // stores from being reordered across 'LI', but the analysis can go on if
    // they naturally can't be reordered across 'LI' themselves.
    {
      // Release (or stronger) store.
      if (SI) {
        auto Order = SI->getOrdering();
        if (Order == Release || Order == SequentiallyConsistent) {
          continue;
        }
      }

      // Release (or stronger) fetch_*.
      if (RMW) {
        auto Order = RMW->getOrdering();
        if (Order == Release || Order == AcquireRelease ||
            Order == SequentiallyConsistent) {
          continue;
        }
      }

      // The instruction naturally depends on 'LI'.
      if (ValueDependOnValue(I, LI)) {
        continue;
      }
    }
    // Otherwise, we need to taint 'LI'.
    // XXX-comment: It may be a good idea that we can delay the fake conditional
    // branch down to this instruction.
    return false;
  }

  // Just in case, the loop should never end without reaching a return.
  return false;
}

// XXX-update: Checks whether the tainting to instruction 'I' can be delayed
// with respects to the relaxed load 'LI'. This usually means 'I' itself already
// depends on the 'LI' or 'I' is a store/store-like atomic operation that has
// release semantics.
bool CanDelayTainting(LoadInst* LI, Instruction* I) {
  if (I == I->getParent()->getTerminator()) {
    return false;
  }

  if (!I->mayHaveSideEffects()) {
    return true;
  }

  // The following are store/store-like operations. They don't protect later
  // stores from being reordered across 'LI', but the analysis can go on if
  // they naturally can't be reordered across 'LI' themselves.

  // Release (or stronger) store.
  auto* SI = dyn_cast<StoreInst>(I);
  if (SI) {
    auto Order = SI->getOrdering();
    if (Order == Release || Order == SequentiallyConsistent) {
      return true;
    }
  }

  // Release (or stronger) fetch_*.
  auto* RMW = dyn_cast<AtomicRMWInst>(I);
  if (RMW) {
    auto Order = RMW->getOrdering();
    if (Order == Release || Order == AcquireRelease ||
        Order == SequentiallyConsistent) {
      return true;
    }
  }

  // The instruction naturally depends on 'LI'.
  if (ValueDependOnValue(I, LI)) {
    return true;
  }

  // Otherwise, be conservative and say no!
  return false;
}

} // namespace llvm