MemorySSA¶
Introduction¶
MemorySSA
is an analysis that allows us to cheaply reason about the
interactions between various memory operations. Its goal is to replace
MemoryDependenceAnalysis
for most (if not all) use-cases. This is because,
unless you’re very careful, use of MemoryDependenceAnalysis
can easily
result in quadratic-time algorithms in LLVM. Additionally, MemorySSA
doesn’t
have as many arbitrary limits as MemoryDependenceAnalysis
, so you should get
better results, too.
At a high level, one of the goals of MemorySSA
is to provide an SSA based
form for memory, complete with def-use and use-def chains, which
enables users to quickly find may-def and may-uses of memory operations.
It can also be thought of as a way to cheaply give versions to the complete
state of heap memory, and associate memory operations with those versions.
This document goes over how MemorySSA
is structured, and some basic
intuition on how MemorySSA
works.
A paper on MemorySSA (with notes about how it’s implemented in GCC) can be found here. Though, it’s relatively out-of-date; the paper references multiple heap partitions, but GCC eventually swapped to just using one, like we now have in LLVM. Like GCC’s, LLVM’s MemorySSA is intraprocedural.
MemorySSA Structure¶
MemorySSA is a virtual IR. After it’s built, MemorySSA
will contain a
structure that maps Instruction
s to MemoryAccess
es, which are
MemorySSA
’s parallel to LLVM Instruction
s.
Each MemoryAccess
can be one of three types:
MemoryPhi
MemoryUse
MemoryDef
MemoryPhi
s are PhiNode
s, but for memory operations. If at any
point we have two (or more) MemoryDef
s that could flow into a
BasicBlock
, the block’s top MemoryAccess
will be a
MemoryPhi
. As in LLVM IR, MemoryPhi
s don’t correspond to any
concrete operation. As such, BasicBlock
s are mapped to MemoryPhi
s
inside MemorySSA
, whereas Instruction
s are mapped to MemoryUse
s
and MemoryDef
s.
Note also that in SSA, Phi nodes merge must-reach definitions (that is, definitions that must be new versions of variables). In MemorySSA, PHI nodes merge may-reach definitions (that is, until disambiguated, the versions that reach a phi node may or may not clobber a given variable).
MemoryUse
s are operations which use but don’t modify memory. An example of
a MemoryUse
is a load
, or a readonly
function call.
MemoryDef
s are operations which may either modify memory, or which
introduce some kind of ordering constraints. Examples of MemoryDef
s
include store
s, function calls, load
s with acquire
(or higher)
ordering, volatile operations, memory fences, etc.
Every function that exists has a special MemoryDef
called liveOnEntry
.
It dominates every MemoryAccess
in the function that MemorySSA
is being
run on, and implies that we’ve hit the top of the function. It’s the only
MemoryDef
that maps to no Instruction
in LLVM IR. Use of
liveOnEntry
implies that the memory being used is either undefined or
defined before the function begins.
An example of all of this overlaid on LLVM IR (obtained by running opt
-passes='print<memoryssa>' -disable-output
on an .ll
file) is below. When
viewing this example, it may be helpful to view it in terms of clobbers. The
operands of a given MemoryAccess
are all (potential) clobbers of said
MemoryAccess, and the value produced by a MemoryAccess
can act as a clobber
for other MemoryAccess
es. Another useful way of looking at it is in
terms of heap versions. In that view, operands of a given
MemoryAccess
are the version of the heap before the operation, and
if the access produces a value, the value is the new version of the heap
after the operation.
define void @foo() {
entry:
%p1 = alloca i8
%p2 = alloca i8
%p3 = alloca i8
; 1 = MemoryDef(liveOnEntry)
store i8 0, i8* %p3
br label %while.cond
while.cond:
; 6 = MemoryPhi({%0,1},{if.end,4})
br i1 undef, label %if.then, label %if.else
if.then:
; 2 = MemoryDef(6)
store i8 0, i8* %p1
br label %if.end
if.else:
; 3 = MemoryDef(6)
store i8 1, i8* %p2
br label %if.end
if.end:
; 5 = MemoryPhi({if.then,2},{if.else,3})
; MemoryUse(5)
%1 = load i8, i8* %p1
; 4 = MemoryDef(5)
store i8 2, i8* %p2
; MemoryUse(1)
%2 = load i8, i8* %p3
br label %while.cond
}
The MemorySSA
IR is shown in comments that precede the instructions they map
to (if such an instruction exists). For example, 1 = MemoryDef(liveOnEntry)
is a MemoryAccess
(specifically, a MemoryDef
), and it describes the LLVM
instruction store i8 0, i8* %p3
. Other places in MemorySSA
refer to this
particular MemoryDef
as 1
(much like how one can refer to load i8, i8*
%p1
in LLVM with %1
). Again, MemoryPhi
s don’t correspond to any LLVM
Instruction, so the line directly below a MemoryPhi
isn’t special.
Going from the top down:
6 = MemoryPhi({entry,1},{if.end,4})
notes that, when enteringwhile.cond
, the reaching definition for it is either1
or4
. ThisMemoryPhi
is referred to in the textual IR by the number6
.2 = MemoryDef(6)
notes thatstore i8 0, i8* %p1
is a definition, and its reaching definition before it is6
, or theMemoryPhi
afterwhile.cond
. (See the Build-time use optimization and Precision sections below for why thisMemoryDef
isn’t linked to a separate, disambiguatedMemoryPhi
.)3 = MemoryDef(6)
notes thatstore i8 0, i8* %p2
is a definition; its reaching definition is also6
.5 = MemoryPhi({if.then,2},{if.else,3})
notes that the clobber before this block could either be2
or3
.MemoryUse(5)
notes thatload i8, i8* %p1
is a use of memory, and that it’s clobbered by5
.4 = MemoryDef(5)
notes thatstore i8 2, i8* %p2
is a definition; it’s reaching definition is5
.MemoryUse(1)
notes thatload i8, i8* %p3
is just a user of memory, and the last thing that could clobber this use is abovewhile.cond
(e.g. the store to%p3
). In heap versioning parlance, it really only depends on the heap version 1, and is unaffected by the new heap versions generated since then.
As an aside, MemoryAccess
is a Value
mostly for convenience; it’s not
meant to interact with LLVM IR.
Design of MemorySSA¶
MemorySSA
is an analysis that can be built for any arbitrary function. When
it’s built, it does a pass over the function’s IR in order to build up its
mapping of MemoryAccess
es. You can then query MemorySSA
for things
like the dominance relation between MemoryAccess
es, and get the
MemoryAccess
for any given Instruction
.
When MemorySSA
is done building, it also hands you a MemorySSAWalker
that you can use (see below).
The walker¶
A structure that helps MemorySSA
do its job is the MemorySSAWalker
, or
the walker, for short. The goal of the walker is to provide answers to clobber
queries beyond what’s represented directly by MemoryAccess
es. For example,
given:
define void @foo() {
%a = alloca i8
%b = alloca i8
; 1 = MemoryDef(liveOnEntry)
store i8 0, i8* %a
; 2 = MemoryDef(1)
store i8 0, i8* %b
}
The store to %a
is clearly not a clobber for the store to %b
. It would
be the walker’s goal to figure this out, and return liveOnEntry
when queried
for the clobber of MemoryAccess
2
.
By default, MemorySSA
provides a walker that can optimize MemoryDef
s
and MemoryUse
s by consulting whatever alias analysis stack you happen to
be using. Walkers were built to be flexible, though, so it’s entirely reasonable
(and expected) to create more specialized walkers (e.g. one that specifically
queries GlobalsAA
, one that always stops at MemoryPhi
nodes, etc).
Locating clobbers yourself¶
If you choose to make your own walker, you can find the clobber for a
MemoryAccess
by walking every MemoryDef
that dominates said
MemoryAccess
. The structure of MemoryDef
s makes this relatively simple;
they ultimately form a linked list of every clobber that dominates the
MemoryAccess
that you’re trying to optimize. In other words, the
definingAccess
of a MemoryDef
is always the nearest dominating
MemoryDef
or MemoryPhi
of said MemoryDef
.
Build-time use optimization¶
MemorySSA
will optimize some MemoryAccess
es at build-time.
Specifically, we optimize the operand of every MemoryUse
to point to the
actual clobber of said MemoryUse
. This can be seen in the above example; the
second MemoryUse
in if.end
has an operand of 1
, which is a
MemoryDef
from the entry block. This is done to make walking,
value numbering, etc, faster and easier.
It is not possible to optimize MemoryDef
in the same way, as we
restrict MemorySSA
to one heap variable and, thus, one Phi node
per block.
Invalidation and updating¶
Because MemorySSA
keeps track of LLVM IR, it needs to be updated whenever
the IR is updated. “Update”, in this case, includes the addition, deletion, and
motion of Instructions
. The update API is being made on an as-needed basis.
If you’d like examples, GVNHoist
is a user of MemorySSA
s update API.
Phi placement¶
MemorySSA
only places MemoryPhi
s where they’re actually
needed. That is, it is a pruned SSA form, like LLVM’s SSA form. For
example, consider:
define void @foo() {
entry:
%p1 = alloca i8
%p2 = alloca i8
%p3 = alloca i8
; 1 = MemoryDef(liveOnEntry)
store i8 0, i8* %p3
br label %while.cond
while.cond:
; 3 = MemoryPhi({%0,1},{if.end,2})
br i1 undef, label %if.then, label %if.else
if.then:
br label %if.end
if.else:
br label %if.end
if.end:
; MemoryUse(1)
%1 = load i8, i8* %p1
; 2 = MemoryDef(3)
store i8 2, i8* %p2
; MemoryUse(1)
%2 = load i8, i8* %p3
br label %while.cond
}
Because we removed the stores from if.then
and if.else
, a MemoryPhi
for if.end
would be pointless, so we don’t place one. So, if you need to
place a MemoryDef
in if.then
or if.else
, you’ll need to also create
a MemoryPhi
for if.end
.
If it turns out that this is a large burden, we can just place MemoryPhi
s
everywhere. Because we have Walkers that are capable of optimizing above said
phis, doing so shouldn’t prohibit optimizations.
Non-Goals¶
MemorySSA
is meant to reason about the relation between memory
operations, and enable quicker querying.
It isn’t meant to be the single source of truth for all potential memory-related
optimizations. Specifically, care must be taken when trying to use MemorySSA
to reason about atomic or volatile operations, as in:
define i8 @foo(i8* %a) {
entry:
br i1 undef, label %if.then, label %if.end
if.then:
; 1 = MemoryDef(liveOnEntry)
%0 = load volatile i8, i8* %a
br label %if.end
if.end:
%av = phi i8 [0, %entry], [%0, %if.then]
ret i8 %av
}
Going solely by MemorySSA
’s analysis, hoisting the load
to entry
may
seem legal. Because it’s a volatile load, though, it’s not.
Design tradeoffs¶
Precision¶
MemorySSA
in LLVM deliberately trades off precision for speed.
Let us think about memory variables as if they were disjoint partitions of the
heap (that is, if you have one variable, as above, it represents the entire
heap, and if you have multiple variables, each one represents some
disjoint portion of the heap)
First, because alias analysis results conflict with each other, and each result may be what an analysis wants (IE TBAA may say no-alias, and something else may say must-alias), it is not possible to partition the heap the way every optimization wants. Second, some alias analysis results are not transitive (IE A noalias B, and B noalias C, does not mean A noalias C), so it is not possible to come up with a precise partitioning in all cases without variables to represent every pair of possible aliases. Thus, partitioning precisely may require introducing at least N^2 new virtual variables, phi nodes, etc.
Each of these variables may be clobbered at multiple def sites.
To give an example, if you were to split up struct fields into individual variables, all aliasing operations that may-def multiple struct fields, will may-def more than one of them. This is pretty common (calls, copies, field stores, etc).
Experience with SSA forms for memory in other compilers has shown that it is simply not possible to do this precisely, and in fact, doing it precisely is not worth it, because now all the optimizations have to walk tons and tons of virtual variables and phi nodes.
So we partition. At the point at which you partition, again, experience has shown us there is no point in partitioning to more than one variable. It simply generates more IR, and optimizations still have to query something to disambiguate further anyway.
As a result, LLVM partitions to one variable.
Use Optimization¶
Unlike other partitioned forms, LLVM’s MemorySSA
does make one
useful guarantee - all loads are optimized to point at the thing that
actually clobbers them. This gives some nice properties. For example,
for a given store, you can find all loads actually clobbered by that
store by walking the immediate uses of the store.