[PATCH] D60047: [CaptureTracking] Don't let comparisons against null escape inbounds pointers
Sanjoy Das via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue May 7 15:06:31 PDT 2019
sanjoy added a comment.
In D60047#1494198 <https://reviews.llvm.org/D60047#1494198>, @jdoerfert wrote:
> Could you explain this again with example code? I don't think I understand what you are saying, sorry.
void foo(int32* /*deref_or_null(4)*/ ptr) {
  // Here "I" is the inner dialogue of function itself. :P
  //
  // I know that ptr-4 is a valid pointer so I can do this:
  if (ptr == null) {
    // It is not necessary that ptr == null. E.g. it isn't null when bar_1 calls
    // me. So the check above is necessary.
    int32* ptr_leaked = (int32*)(intptr_t)-4;
    *global_ptr = ptr_leaked;
  }

  // I could have similarly done this:
  //
  // if (ptr == 0x424204) {
  //   int32* ptr_leaked = (int32*)(intptr_t)0x424200;
  //   *global_ptr = ptr_leaked;
  // }
  //
  // in the same spirit.
}

void bar_0() {
  int32* p = new int32;
  // p happens to numerically be -4 == 2^64-4
  int32* p_with_offset = p + 1; // non-inbounds GEP, evaluates to null
  foo(p_with_offset);
  // p has escaped
}

void bar_1() {
  int32* p = new int32[1000];
  // p is 0xff00
  int32* p_with_offset = p + 1; // p_with_offset is 0xff04
  foo(p_with_offset);
  // p has not escaped
}
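Added example, not code from the review thread or from LLVM: a small Python model of the argument above in 64-bit modular arithmetic. The function names (foo, bar_0, bar_1) follow the comment; the addresses and object sizes are constructed, and the inbounds rule is a simplification assumed for the model (an inbounds GEP that would leave the object or wrap the address space yields poison, so a null comparison on it cannot reveal the base address).

```python
# Model of the escape argument: does comparing `base + 1` against null let
# the callee recover `base`? Addresses are plain integers modulo 2^64.
MOD = 1 << 64
INT32_SIZE = 4


def gep(base, index, inbounds, object_size):
    """Model of `base + index` on an int32*. Returns None to stand for poison.

    Assumption of this model: an inbounds GEP must stay within
    [base, base + object_size] (one-past-end allowed) and must not wrap.
    A non-inbounds GEP simply wraps modulo 2^64, as in bar_0 above.
    """
    offset = index * INT32_SIZE
    if inbounds:
        if offset < 0 or offset > object_size or base + offset >= MOD:
            return None
        return base + offset
    return (base + offset) % MOD


def foo(ptr):
    """foo from the comment: if ptr is null, it 'knows' ptr-4 is a valid
    object pointer and leaks that address; otherwise it leaks nothing."""
    if ptr == 0:
        return (0 - INT32_SIZE) % MOD  # numerically -4, i.e. 2^64 - 4
    return None


def base_escapes(base, inbounds, object_size):
    """True if calling foo(base + 1) reveals `base` to foo (the bar_* cases)."""
    p_with_offset = gep(base, 1, inbounds, object_size)
    if p_with_offset is None:
        return False  # poison: the comparison carries no information about base
    return foo(p_with_offset) == base


if __name__ == "__main__":
    # bar_0: p == 2^64-4 (constructed), non-inbounds p+1 wraps to null -> p escapes
    print(base_escapes(MOD - 4, inbounds=False, object_size=4))   # True
    # same allocation, but an inbounds GEP may not wrap -> poison, no escape
    print(base_escapes(MOD - 4, inbounds=True, object_size=4))    # False
    # bar_1: p == 0xff00 (constructed), p+1 == 0xff04 is not null -> no escape
    print(base_escapes(0xff00, inbounds=True, object_size=4000))  # False
```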
Repository:
rL LLVM
https://reviews.llvm.org/D60047