Skip to content

[llvm] Fix ObjectSizeOffsetVisitor behavior in exact mode upon negati… #116955

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 23, 2024
Merged

[llvm] Fix ObjectSizeOffsetVisitor behavior in exact mode upon negati… #116955

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 8 additions & 7 deletions llvm/lib/Analysis/MemoryBuiltins.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -565,10 +565,7 @@ static APInt getSizeWithOverflow(const SizeOffsetAPInt &Data) {
APInt Size = Data.Size;
APInt Offset = Data.Offset;

assert(!Offset.isNegative() &&
"size for a pointer before the allocated object is ambiguous");

if (Size.ult(Offset))
if (Offset.isNegative() || Size.ult(Offset))
return APInt::getZero(Size.getBitWidth());

return Size - Offset;
Expand Down Expand Up @@ -844,10 +841,14 @@ OffsetSpan ObjectSizeOffsetVisitor::computeImpl(Value *V) {
}

// We end up pointing on a location that's outside of the original object.
// This is UB, and we'd rather return an empty location then.
if (ORT.knownBefore() && ORT.Before.isNegative()) {
ORT.Before = APInt::getZero(ORT.Before.getBitWidth());
ORT.After = APInt::getZero(ORT.Before.getBitWidth());
// This is UB, and we'd rather return an empty location then.
if (Options.EvalMode == ObjectSizeOpts::Mode::Min ||
Options.EvalMode == ObjectSizeOpts::Mode::Max) {
ORT.Before = APInt::getZero(ORT.Before.getBitWidth());
ORT.After = APInt::getZero(ORT.Before.getBitWidth());
}
// Otherwise it's fine, caller can handle negative offset.
}
return ORT;
}
Expand Down
45 changes: 45 additions & 0 deletions llvm/test/Instrumentation/BoundsChecking/negative.ll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
; NOTE: Assertions have been autogenerated by utils/update_test_checks.py
; Check that negative oob gep do not generate invalid check.
; RUN: opt < %s -passes=bounds-checking -S | FileCheck %s
target datalayout = "e-p:64:64:64-p1:16:16:16-p2:64:64:64:48-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"


@str = global [100 x i8] zeroinitializer, align 1

define i16 @main() {
; CHECK-LABEL: @main(
; CHECK-NEXT: entry:
; CHECK-NEXT: br label [[FOR_COND:%.*]]
; CHECK: for.cond:
; CHECK-NEXT: [[I_0:%.*]] = phi i8 [ 65, [[ENTRY:%.*]] ], [ [[INC:%.*]], [[TMP4:%.*]] ]
; CHECK-NEXT: [[EXITCOND_NOT:%.*]] = icmp eq i8 [[I_0]], 76
; CHECK-NEXT: br i1 [[EXITCOND_NOT]], label [[FOR_END:%.*]], label [[TMP4]]
; CHECK: for.inc:
; CHECK-NEXT: [[I_0_C:%.*]] = sext i8 [[I_0]] to i64
; CHECK-NEXT: [[TMP0:%.*]] = add i64 -65, [[I_0_C]]
; CHECK-NEXT: [[GEP:%.*]] = getelementptr i8, ptr getelementptr (i8, ptr @str, i8 -65), i8 [[I_0]]
; CHECK-NEXT: [[TMP1:%.*]] = sub i64 100, [[TMP0]]
; CHECK-NEXT: store i8 [[I_0]], ptr [[GEP]], align 1
; CHECK-NEXT: [[INC]] = add nuw nsw i8 [[I_0]], 1
; CHECK-NEXT: br label [[FOR_COND]]
; CHECK: for.end:
; CHECK-NEXT: ret i16 0
;
entry:
br label %for.cond

for.cond:
%i.0 = phi i8 [ 65, %entry ], [ %inc, %for.inc ]
%exitcond.not = icmp eq i8 %i.0, 76
br i1 %exitcond.not, label %for.end, label %for.inc

for.inc: ; preds = %for.cond
%gep = getelementptr i8, ptr getelementptr (i8, ptr @str, i8 -65), i8 %i.0
store i8 %i.0, ptr %gep, align 1
%inc = add nuw nsw i8 %i.0, 1
br label %for.cond

for.end:
ret i16 0
}

Loading