[PATCH] D60047: [CaptureTracking] Don't let comparisons against null escape inbounds pointers

[Sanjoy Das via Phabricator via llvm-commits]

sanjoy added a comment.

In D60047#1492884 <https://reviews.llvm.org/D60047#1492884>, @jdoerfert wrote:

> I don't see it and your example misses the very important `dereferenceable_or_null` part.
>
> Even if they are colluding, the behavior is undefined if the "guessed" (= modified) pointer is outside the dereferenceable range and not null. 
>  So, assuming the pointer is initially not known and not null. Furthermore, it is `B` bytes dereferenceable and `O` bytes "away" from `null`.
>  All checks with a positive offset `<= B` are, as mentioned before, useless.
>  Any check with an offset `> B` that is not equivalent to the `O` offset will cause UB.
>  Only "guessing" the `O` offset will not cause UB. Now if you could do that, you could also not do the comparison at all and simply go with `ptr + O`.


I don't think this is true.  `bar` could have allocated a buffer of size 1000, which happened to end up at address 42000 (numerically) and then (legally, without UB) passed in 42004 to `foo` (`42004` is dereferenceable(4)).  In such a case the null check would not pass and there would not be a valid object at `-4`.

The "collusion" is that whatever pointer `foo` gets, that pointer minus 4 is a valid pointer.  If it got `null` (as is allowed by `deref_or_null`) then `-4` is a valid pointer, if it got `100` then `96` is a valid pointer etc.  This sort of invariant is not that weird; even in the LLVM codebase `llvm::User` pointers point into the "middle" of an object by construction.

> So I don't see how there can be any guessing, colluding, or similar thing without triggering UB almost inevitable or knowing the pointer value beforehand.


Repository:
  rL LLVM

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D60047/new/

https://reviews.llvm.org/D60047