[llvm-bugs] [Bug 44313] New: Wrong optimizations for pointers: `if (q == p) use p` -> `if (q == p) use q`

Mon Dec 16 06:59:10 PST 2019

https://bugs.llvm.org/show_bug.cgi?id=44313

            Bug ID: 44313
           Summary: Wrong optimizations for pointers: `if (q == p) use p`
                    -> `if (q == p) use q`
           Product: new-bugs
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: ch3root at openwall.com
                CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org

It seems clang's optimizer changes `if (q == p) use p` to `if (q == p) use q`.
This is quite natural but unfortunately is wrong when `p` and `q` are pointers
with different provenance (similar to -0. and +0. in floating point numbers).

Most examples of equal pointers differing in provenance involve a past-the-end
pointer which usually leads discussions into wrong directions. For a change,
below are two somewhat different examples.

Example with restrict:

----------------------------------------------------------------------
#include <stdio.h>

static void g(int *p, int *q)
{
    if (q == p)
        *p = 2;
}

static int f(int *restrict p, int *restrict q)
{
    *p = 1;
    g(p, q);
    return *p;
}

int main()
{
    int x;
    printf("%d\n", f(&x, &x));
}

----------------------------------------------------------------------
$ clang -std=c11 -Weverything test.c && ./a.out
2
$ clang -std=c11 -Weverything -O3 test.c && ./a.out
1
----------------------------------------------------------------------

Example with dead allocated memory:

----------------------------------------------------------------------
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

__attribute__((__optnone__)) // imagine it in a separate TU
static void expose(int *p)
{
    (void)p;
}

int main()
{
    char w[sizeof(int *)];

    int *q = malloc(sizeof(int));
    expose(q);
    memcpy(&w, &q, sizeof(int *));
    free(q);

    int *p = malloc(sizeof(int));
    expose(p);
    *p = 1;

    int been_there = 0;
    if (memcmp(&w, &p, sizeof(int *)) == 0) {
        been_there = 1;
        *p = 2;
    }
    printf("%d %d\n", been_there, *p);
}
----------------------------------------------------------------------
$ clang -std=c11 -Weverything test.c && ./a.out
1 2
$ clang -std=c11 -Weverything -O3 test.c && ./a.out
1 1
----------------------------------------------------------------------

clang x86-64 version: clang version 10.0.0
(https://github.com/llvm/llvm-project.git
755a66ebdeda38669f5498565cbc6af331b47bad)

Please note that these examples are designed not to involve any controversial
parts of the C standard, e.g., all accesses are via `p`, there are no accesses
via the "wrong" pointer `q`.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20191216/3b43955d/attachment.html>