<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            54002
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [instsimplify] Incorrect fold of comparison involving unescaped malloc
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
            preames
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          preames
      </td>
    </tr>
</table>

<pre>
We currently have a miscompile in instsimplify.  The problem is that we are assuming that an unescaped allocation can not be equal to a value loaded from the global.  This assumption was added back in 2016 via commit 43d7e1cbffd66.

Unfortunately, this assumption does not hold.  In general, the LangRef allows both "guess and check" via ptrtoint, and "crossover from nearby object" as means for an unescaped object's address to be inspected.  

Given the optimizer's freedom to choose a heap layout of its choice, it would seem that we have no problem.  We can simply assume that the heap layout is such that any guess made fails.  

However, this has a fatal flaw.  If we make two or more guesses, we *must* return a consistent result.  The optimizer isn't allowed to both a) assume object *isn't* at address X, and b) assume object *is* at address X.

In InstCombine, we have careful handling when handling icmps of allocas for this "single use rule", but we got this wrong for heap allocations.

This is really hard to see in practice as instsimplify will iterate to a fixed point getting multiple comparisons at once (in a consistent manner).  We could see this via one of the various consumers of InstructionSimplify, but I was not able to write a test case easily. 

Here's the best example I've found:
```
@G = external global i8*

define void @init() {
  %guess = inttoptr i64 5839400 to i8*
  store i8* %guess, i8** @G
  ret void
}


define i1 @helper(i8* %p) {
  %guess = load i8*, i8** @G, align 8, !nonnull !{}
  %cmp = icmp eq i8* %p, %guess
  ret i1 %cmp
}

declare i8* @malloc(i32)

define i1 @test() {
  %p = call i8* @malloc(i32 4)
  %guess = load i8*, i8** @G, align 8, !nonnull !{}
  %cmp = icmp eq i8* %p, %guess
  %cmp2 = call i1 @helper(i8* %p)
  %res = icmp eq i1 %cmp, %cmp2
  ret i1 %res
}
```
This example should always return true.  But if you run "./opt -S %s -function-attrs -instsimplify", and then the heap allocator does actually place the malloc at the guessed location, it will instead return false.  (We fold %cmp to false without also folding the comparison inside helper or %cmp2.)



</pre>
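<p>A C-level rendering of the report's @G / @helper / @test reproducer, added here as an example and not taken from the report or from LLVM. It replaces the fixed constant guess with a harness that allocates, records the address as an integer and frees the block, so the next malloc is likely to land on the guess; on a correct compiler <code>inconsistent</code> is always 0. Assumptions: the names make_guess, test_once and run_trials are hypothetical, the allocator may or may not reuse the freed address, and noinline is the GCC/Clang attribute.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors @G in the report: a global that holds a guessed heap address. */
void *G;

/* Mirrors @helper: compares p against the guess without storing p anywhere.
   noinline (GCC/Clang attribute) keeps the call opaque, as in the IR. */
__attribute__((noinline)) int helper(void *p) {
    return p == G;
}

/* Mirrors @test: cmp and cmp2 ask the same question about one allocation,
   so they must agree whether or not the guess hits. Returns 1 if they do. */
__attribute__((noinline)) int test_once(int *hit) {
    void *p = malloc(4);
    int cmp = (p == G);
    int cmp2 = helper(p);
    *hit = cmp2;
    free(p);
    return cmp == cmp2;
}

/* Constructed harness step: guess where the next 4-byte block will land. */
void make_guess(void) {
    void *probe = malloc(4);
    uintptr_t bits = (uintptr_t)probe;  /* record the address before freeing */
    free(probe);
    G = (void *)bits;
}

struct result { int attempts, hits, inconsistent; };
struct result run_trials(int attempts) {
    struct result r = { attempts, 0, 0 };
    for (int i = 0; i < attempts; i++) {
        int hit = 0;
        make_guess();
        if (!test_once(&hit)) r.inconsistent++;
        r.hits += hit;
    }
    return r;
}

int main(void) {
    struct result r = run_trials(16);
    printf("attempts=%d hits=%d inconsistent=%d\n", r.attempts, r.hits, r.inconsistent);
    return r.inconsistent != 0;
}
```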