[llvm-bugs] [Bug 34548] New: InstCombine cannot blindly assume that inttoptr(ptrtoint x) -> x

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Sep 11 03:08:39 PDT 2017


https://bugs.llvm.org/show_bug.cgi?id=34548

            Bug ID: 34548
           Summary: InstCombine cannot blindly assume that
                    inttoptr(ptrtoint x) -> x
           Product: libraries
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Keywords: miscompilation
          Severity: normal
          Priority: P
         Component: Scalar Optimizations
          Assignee: unassignedbugs at nondot.org
          Reporter: nunoplopes at sapo.pt
                CC: david.majnemer at gmail.com, davide at freebsd.org,
                    davidxl at google.com, dberlin at dberlin.org,
                    efriedma at codeaurora.org, gil.hur at sf.snu.ac.kr,
                    hfinkel at anl.gov, juneyoung.lee at sf.snu.ac.kr,
                    llvm-bugs at lists.llvm.org, regehr at cs.utah.edu,
                    sanjoy at playingwithpointers.com, wmi at google.com

Example of an end-to-end miscompilation by clang of the following code
involving ptrtoint:

$ cat c.c
#include <stdint.h>   /* for uintptr_t */
#include <stdio.h>

void f(int*, int*);

int main()
{
  int a=0, y[1], x = 0;
  uintptr_t pi = (uintptr_t) &x;
  uintptr_t yi = (uintptr_t) (y+1);
  uintptr_t n = pi != yi;

  if (n) {
    a = 100;
    pi = yi;
  }

  if (n) {
    a = 100;
    pi = (uintptr_t) y;
  }

  *(int *)pi = 15;

  printf("a=%d x=%d\n", a, x);

  f(&x,y);

  return 0;
}


$ cat b.c
void f(int*x, int*y) {}


$ clang -O2 c.c b.c -o foo

$ ./foo
a=0 x=0

This result is wrong.  The two possible outcomes are: a=0 x=15, and a=100 x=0.

The bug is in InstCombine, which treats inttoptr(ptrtoint(x)) == x, which is
incorrect.  This transformation can only be done if x is dereferenceable for
the accesses through inttoptr.
Compare the following:
clang -O0 -S -emit-llvm -o - c.c | opt -S -sroa
clang -O0 -S -emit-llvm -o - c.c | opt -S -sroa -instcombine

Integer compares are replaced with pointer compares (wrong) and loads/stores are
changed from inttoptr to pointers directly (also wrong).

Test case by Gil Hur.
