<div dir="ltr">I think you are spot-on!<div><br></div><div>From <a href="http://en.cppreference.com/w/c/memory/malloc">http://en.cppreference.com/w/c/memory/malloc</a>,</div><div><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">A previous call to </span><span class="gmail-t-lc" style="color:rgb(0,0,0);font-size:12.8px;font-family:dejavusansmono,"dejavu sans mono",courier,monospace"><a href="http://en.cppreference.com/w/c/memory/free" title="c/memory/free" style="text-decoration:none;color:rgb(11,0,128);background-image:none;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:initial">free</a></span><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px"> or </span><span class="gmail-t-lc" style="color:rgb(0,0,0);font-size:12.8px;font-family:dejavusansmono,"dejavu sans mono",courier,monospace"><a href="http://en.cppreference.com/w/c/memory/realloc" title="c/memory/realloc" style="text-decoration:none;color:rgb(11,0,128);background-image:none;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial;background-color:initial">realloc</a></span><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px"> that deallocates a region of memory </span><i style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">synchronizes-with</i><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px"> a call to </span><span class="gmail-t-lc" style="color:rgb(0,0,0);font-size:12.8px;font-family:dejavusansmono,"dejavu sans mono",courier,monospace"><strong class="gmail-selflink">malloc</strong></span><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">that allocates the same or a part of the same region of memory. This synchronization occurs after any access to the memory by the deallocating function and before any access to the memory by </span><code style="color:rgb(0,0,0);font-size:12.8px;font-family:dejavusansmono,"dejavu sans mono",courier,monospace">malloc</code><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">. There is a single total order of all allocation and deallocation functions operating on each particular region of memory.</span><br></div><div><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">So only "non-freed" malloc pointers are No-Alias which makes it flow-sensitive. There is no reason why malloc couldn't return previously freed location.</span></div><div><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">Regards,</span></div><div><span style="color:rgb(0,0,0);font-family:dejavusans,"dejavu sans",arial,sans-serif;font-size:12.8px">Kevin</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 11, 2017 at 3:32 PM, Sanjoy Das via llvm-dev <span dir="ltr"><<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I think I've spotted a semantic issue with marking @malloc and<br>
@realloc as noalias. Say we have the program:<br>
<br>
int f() {<br>
int* p0 = malloc(size of(int));<br>
free(p0);<br>
int* p1 = malloc(sizeof(int));<br>
if (!p1) return 20;<br>
int value = 0;<br>
for (int i = 0; i < 1; i++) {<br>
*p1 = 20;<br>
value = *p1;<br>
if (false) // "false" is obscured in a way the compiler can't fathom<br>
if (p0 == p1)<br>
a();<br>
else<br>
b();<br>
}<br>
return result;<br>
}<br>
<br>
The program above is well defined, and will always return 20.<br>
However, if we first unswitch loops:<br>
<br>
int f() {<br>
int* p0 = malloc(size of(int));<br>
free(p0);<br>
int* p1 = malloc(sizeof(int));<br>
if (!p1) return 20;<br>
int value = 0;<br>
if (p0 == p1) {<br>
for (int i = 0; i < 1; i++) {<br>
*p1 = 20;<br>
value = *p1;<br>
if (false)<br>
a();<br>
}<br>
} else {<br>
// Other copy of the loop that calls b() in dead code<br>
}<br>
return result;<br>
}<br>
<br>
and then run GVN::propgateEquality that replaces one use of p1 with p0<br>
but not the other (for some reason, say the other use was obscured<br>
behind a function call):<br>
<br>
int f() {<br>
int* p0 = malloc(size of(int));<br>
free(p0);<br>
int* p1 = malloc(sizeof(int));<br>
if (!p1) return 20;<br>
int value = 0;<br>
if (p0 == p1) {<br>
for (int i = 0; i < 1; i++) {<br>
*p0 = 20; // S0<br>
value = *p1; // L0<br>
if (false)<br>
a();<br>
}<br>
} else {<br>
// Other copy of the loop that calls b() in dead code<br>
}<br>
return result;<br>
}<br>
<br>
<br>
Now we have a problem -- since p0 NoAlias p1 (distinct @malloc()<br>
calls), we can reorder S0 and L0 (or LICM L0):<br>
<br>
<br>
int f() {<br>
int* p0 = malloc(size of(int));<br>
free(p0);<br>
int* p1 = malloc(sizeof(int));<br>
if (!p1) return 20;<br>
int value = 0;<br>
if (p0 == p1) {<br>
for (int i = 0; i < 1; i++) {<br>
value = *p1; // L0<br>
*p0 = 20; // S0<br>
if (false)<br>
a();<br>
}<br>
} else {<br>
// Other copy of the loop that calls b() in dead code<br>
}<br>
return result;<br>
}<br>
<br>
and we'll now return garbage if p0 == p1 (likely) and p1 is not null<br>
(also likely).<br>
<br>
I do not yet have a solution for this. Let me know what you think!<br>
<br>
Thanks,<br>
-- Sanjoy<br>
______________________________<wbr>_________________<br>
LLVM Developers mailing list<br>
<a href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/<wbr>mailman/listinfo/llvm-dev</a><br>
</blockquote></div><br></div>