[llvm] [llvm] Fix behavior of llvm.objectsize in presence of negative / large offset (PR #115504)

Mikael Holmén via llvm-commits llvm-commits at lists.llvm.org
Tue Nov 19 23:39:54 PST 2024 

mikaelholmen wrote:

Hi @serge-sans-paille ,

We also see a miscompile with this patch. I've tried to extract a reproducer and I think that we see it with:
```opt -passes="bounds-checking" bbi-101449.ll -S -o -```
Before this patch the above resulted in
```
@str = global [100 x i8] zeroinitializer, align 1

define i16 @main() {
entry:
  br label %for.cond

for.cond:                                         ; preds = %for.inc, %entry
  %i.0 = phi i8 [ 65, %entry ], [ %inc, %for.inc ]
  %exitcond.not = icmp eq i8 %i.0, 76
  br i1 %exitcond.not, label %for.end, label %for.inc

for.inc:                                          ; preds = %for.cond
  %i.0.c = sext i8 %i.0 to i64
  %0 = add i64 -65, %i.0.c
  %gep = getelementptr i8, ptr getelementptr (i8, ptr @str, i8 -65), i8 %i.0
  %1 = sub i64 100, %0
  store i8 %i.0, ptr %gep, align 1
  %inc = add nuw nsw i8 %i.0, 1
  br label %for.cond

for.end:                                          ; preds = %for.cond
  ret i16 0
}
```
which I think is ok, but with this patch we instead get
```
@str = global [100 x i8] zeroinitializer, align 1

define i16 @main() {
entry:
  br label %for.cond

for.cond:                                         ; preds = %4, %entry
  %i.0 = phi i8 [ 65, %entry ], [ %inc, %4 ]
  %exitcond.not = icmp eq i8 %i.0, 76
  br i1 %exitcond.not, label %for.end, label %for.inc

for.inc:                                          ; preds = %for.cond
  %i.0.c = sext i8 %i.0 to i64
  %0 = add i64 0, %i.0.c
  %gep = getelementptr i8, ptr getelementptr (i8, ptr @str, i8 -65), i8 %i.0
  %1 = sub i64 0, %0
  %2 = icmp ult i64 0, %0
  %3 = or i1 %2, false
  br i1 %3, label %trap, label %4

4:                                                ; preds = %for.inc
  store i8 %i.0, ptr %gep, align 1
  %inc = add nuw nsw i8 %i.0, 1
  br label %for.cond

for.end:                                          ; preds = %for.cond
  ret i16 0

trap:                                             ; preds = %for.inc
  call void @llvm.trap() #1
  unreachable
}
```
which I think is wrong as it makes execution end up at the trap.
[bbi-101449.ll.gz](https://github.com/user-attachments/files/17826832/bbi-101449.ll.gz)


https://github.com/llvm/llvm-project/pull/115504

More information about the llvm-commits mailing list