[PATCH] D60047: [CaptureTracking] Don't let comparisons against null escape inbounds pointers
Johannes Doerfert via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon May 6 22:28:21 PDT 2019
jdoerfert added a comment.
In D60047#1492865 <https://reviews.llvm.org/D60047#1492865>, @sanjoy wrote:
> In D60047#1491978 <https://reviews.llvm.org/D60047#1491978>, @jdoerfert wrote:
>
> > Left is only the single guess that is just right which I would not count as escaping because the program could just as well
> > take the guessed value and pretend it is the pointer value without the check.
>
>
> I don't think it could have done the same without the check. One way to think about this is `foo` and `bar` are "colluding", `foo` knows that it will get a pointer that is at offset `4` from a valid pointer, so *if* it gets `null` then it knows that `-4` is a valid pointer. This is just a more stylized way of doing:
>
>   int* ptr = ...;
>   int* ptr2 = (int*) 0x42000;
>   if (ptr == ptr2) { // Escapes ptr
>     use ptr2;
>   }
>
I don't see it, and your example misses the very important `dereferenceable_or_null` part.
Even if they are colluding, the behavior is undefined if the "guessed" (= modified) pointer is outside the dereferenceable range and not null.
So, assume the pointer is initially not known and not null. Furthermore, it is `B` bytes dereferenceable and `O` bytes "away" from `null`.
All checks with a positive offset `<= B` are, as mentioned before, useless.
Any check with an offset `> B` that is not equivalent to the `O` offset will cause UB.
Only "guessing" the `O` offset will not cause UB. Now if you could do that, you could also not do the comparison at all and simply go with `ptr + O`.
So I don't see how there can be any guessing, colluding, or similar thing without triggering UB almost inevitably or knowing the pointer value beforehand.
Repository:
rL LLVM
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D60047/new/
https://reviews.llvm.org/D60047