[llvm] [LAA] Be more careful when evaluating AddRecs at symbolic max BTC. (PR #128061)

David Sherwood via llvm-commits llvm-commits at lists.llvm.org
Thu Mar 27 08:03:20 PDT 2025


================
@@ -188,9 +188,56 @@ RuntimeCheckingPtrGroup::RuntimeCheckingPtrGroup(
   Members.push_back(Index);
 }
 
+/// Return true, if evaluating \p AR at \p MaxBTC cannot wrap, because \p AR at
+/// \p MaxBTC is guaranteed inbounds of the accessed object.
+static bool evaluateAddRecAtMaxBTCWillNotWrap(const SCEVAddRecExpr *AR,
+                                              const SCEV *MaxBTC,
+                                              ScalarEvolution &SE,
+                                              const DataLayout &DL) {
+  auto *PointerBase = SE.getPointerBase(AR->getStart());
+  auto *StartPtr = dyn_cast<SCEVUnknown>(PointerBase);
+  if (!StartPtr)
+    return false;
+  bool CheckForNonNull, CheckForFreed;
+  uint64_t DerefBytes = StartPtr->getValue()->getPointerDereferenceableBytes(
+      DL, CheckForNonNull, CheckForFreed);
+
+  if (CheckForNonNull || CheckForFreed)
+    return false;
+
+  const SCEV *Step = AR->getStepRecurrence(SE);
+  Type *WiderTy = SE.getWiderType(MaxBTC->getType(), Step->getType());
+  Step = SE.getNoopOrSignExtend(Step, WiderTy);
+  MaxBTC = SE.getNoopOrSignExtend(MaxBTC, WiderTy);
+  if (SE.isKnownPositive(Step)) {
+    // For positive steps, check if (AR->getStart() - StartPtr) + MaxBTC <=
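Review bot: `MaxBTC` is a backedge-taken count and therefore an unsigned quantity, but this hunk widens it with `SE.getNoopOrSignExtend(MaxBTC, WiderTy)`; a count whose top bit is set would be reinterpreted as negative in the wider type and could make the subsequent inbounds comparison succeed when it should not. Widen it with `SE.getNoopOrZeroExtend(MaxBTC, WiderTy)` and keep sign extension only for `Step`, which can legitimately be negative. Separately, `getPointerDereferenceableBytes` returns 0 when nothing is known about the object, so an explicit `if (DerefBytes == 0) return false;` right after the `CheckForNonNull || CheckForFreed` check would document that case rather than relying on the later comparison to reject it. Minor: the doc comment reads "Return true, if evaluating"; drop the stray comma.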
----------------
david-arm wrote:

I checked out this patch and dumped out `AR` to see what units it uses - it seems they are in units of bytes.

If `AR->getStart()` and `StartPtr` are pointers then isn't the difference also in units of bytes? So shouldn't we actually be doing

`(AR->getStart() - StartPtr) + (MaxBTC * Step) <= DerefBytes`?

I'm not sure we can use an expression such as `((AR->getStart() - StartPtr) / Step) + MaxBTC <= DerefBytes` because the start offset may not be a multiple of `Step`.

I assume the reason you're not including the element size of the loaded value in the calculation is because you only care about the actual pointer wrapping, not whether `ptr + ElementSize - 1` could wrap?

https://github.com/llvm/llvm-project/pull/128061