[llvm-dev] Possible soundness issue with available_externally (split from "RFC: Add guard intrinsics")

Sanjoy Das via llvm-dev llvm-dev at lists.llvm.org
Sat Feb 27 17:21:25 PST 2016


On Sat, Feb 27, 2016 at 4:21 PM, Xinliang David Li <xinliangli at gmail.com> wrote:
> So in this case, ptr[0] = 10 is propagated into one copy of maybe_divide (in
> source a), and ptr[0]=10 in caller_a is DSEed ?

`ptr[0] = 10` is not really propagated anywhere.  What happens is that
`source-a`'s copy of `maybe_divide` gets optimized to a `ret
(unsigned) ptr` (after inlining the body of `always_false`)[1], so
it is able to DSE the store `ptr[0] = 10`.  But `source-b`'s copy of
`maybe_divide` still has the load and the division (since it does not
have access to `always_false`'s body), so if `caller_a` ends up
calling that implementation of `maybe_divide`, we get a `SIGFPE`.

[1]: For reference, after inlining `always_false`, `maybe_divide`
  becomes

    #include <stdbool.h> /* for `false` */
    #include <stdint.h>  /* for intptr_t */

    unsigned maybe_divide(unsigned *ptr) {
      unsigned val = 500 / ptr[0]; // dead value: only used on the never-taken path
      if (false)                   // `always_false()` after inlining
        return val;
      return (unsigned)((intptr_t)ptr);
    }

-- Sanjoy
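The cross-translation-unit situation the mail describes, modelled in a single C file as an added example (this is not code from the original thread or from LLVM). The two copies of `maybe_divide` are written out by hand in the shape the optimizer is said to leave them in, the linker's choice of copy is modelled as a function pointer, and a would-be `SIGFPE` is recorded in a flag instead of letting the divide by zero happen, so the scenario can be run deterministically. The names `maybe_divide_source_a`, `maybe_divide_source_b`, `caller_a`'s `store_eliminated` parameter, `run_scenario` and `would_trap` are invented for the model; `maybe_divide`, `always_false`, `caller_a` and the store `ptr[0] = 10` come from the discussion above.

```c
/* Added example: single-file model of the two-TU available_externally
 * hazard.  Nothing here is real compiler output; the "optimized" shapes
 * are hand-written from the description in the thread. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Defined in "source-a" only; "source-b" sees just the declaration. */
static bool always_false(void) { return false; }

/* Set instead of raising SIGFPE, so the model can be run and checked. */
static int would_trap;

/* source-b's copy: always_false's body is not visible there, so the load
 * and the division survive.  The explicit zero check models the trap. */
static unsigned maybe_divide_source_b(unsigned *ptr) {
    if (ptr[0] == 0) {          /* hypothetical stand-in for SIGFPE */
        would_trap = 1;
        return 0;
    }
    unsigned val = 500 / ptr[0];
    if (always_false())
        return val;
    return (unsigned)(intptr_t)ptr;
}

/* source-a's copy after inlining always_false and dead-code elimination:
 * the load of ptr[0] is gone, so nothing in this copy reads the store. */
static unsigned maybe_divide_source_a(unsigned *ptr) {
    return (unsigned)(intptr_t)ptr;
}

typedef unsigned (*maybe_divide_fn)(unsigned *);

/* caller_a as written in source-a: store, then call.  store_eliminated
 * models DSE having removed `ptr[0] = 10` because the only copy of
 * maybe_divide the optimizer could see never reads ptr[0]. */
static unsigned caller_a(maybe_divide_fn linked_copy, bool store_eliminated,
                         unsigned *ptr) {
    if (!store_eliminated)
        ptr[0] = 10;
    return linked_copy(ptr);
}

/* Runs caller_a against whichever copy the linker kept and reports whether
 * the division would have trapped.  The buffer starts at zero, standing in
 * for whatever stale contents ptr[0] held before the (removed) store. */
static int run_scenario(maybe_divide_fn linked_copy, bool store_eliminated) {
    unsigned buf[1] = {0};
    would_trap = 0;
    (void)caller_a(linked_copy, store_eliminated, buf);
    return would_trap;
}

int main(void) {
    printf("copy a, store kept:       trap=%d\n",
           run_scenario(maybe_divide_source_a, false));
    printf("copy b, store kept:       trap=%d\n",
           run_scenario(maybe_divide_source_b, false));
    printf("copy a, store eliminated: trap=%d\n",
           run_scenario(maybe_divide_source_a, true));
    printf("copy b, store eliminated: trap=%d\n",
           run_scenario(maybe_divide_source_b, true));
    return 0;
}
```

Only the last combination trips the flag: DSE was justified by source-a's copy, but the linker is free to keep source-b's copy, which still performs the load that the eliminated store was feeding.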

