[llvm] Fix behavior of llvm.objectsize in presence of negative offset

serge-sans-paille · serge-sans-paille · commit 677b4f097e85 · 2024-11-13T22:05:19.000+01:00
When an object is located before it's allocation point, e.g.

   char a[10];
   char* b = a[-3];

If we ask for the maximum amount of memory addressable from `b` through

   __builtin_object_size(b, 0)

It is better to return -1, even if we actually know everything about the
allocation point, than to return 0, which we currently do and that leads
to sanitizer raising invalid/incorrect diagnostic.
diff --git a/llvm/lib/Analysis/MemoryBuiltins.cpp b/llvm/lib/Analysis/MemoryBuiltins.cpp
@@ -564,8 +564,13 @@ Value *llvm::getFreedOperand(const CallBase *CB, const TargetLibraryInfo *TLI) {
 static APInt getSizeWithOverflow(const SizeOffsetAPInt &Data) {
   APInt Size = Data.Size;
   APInt Offset = Data.Offset;
-  if (Offset.isNegative() || Size.ult(Offset))
-    return APInt(Size.getBitWidth(), 0);
+
+  assert(!Offset.isNegative() &&
+         "size for a pointer before the allocated object is ambiguous");
+
+  if (Size.ult(Offset))
+    return APInt::getZero(Size.getBitWidth());
+
   return Size - Offset;
 }
 
@@ -749,6 +754,13 @@ OffsetSpan ObjectSizeOffsetVisitor::computeImpl(Value *V) {
     if (Overflow)
       ORT.After = APInt();
   }
+
+  // We end up pointing on a location that's outside of the original object.
+  // This is UB, and we'd rather return an empty location then.
+  if (ORT.knownBefore() && ORT.Before.isNegative()) {
+    ORT.Before = APInt::getZero(ORT.Before.getBitWidth());
+    ORT.After = APInt::getZero(ORT.Before.getBitWidth());
+  }
   return ORT;
 }
 
diff --git a/llvm/test/Transforms/LowerConstantIntrinsics/builtin-object-size-phi.ll b/llvm/test/Transforms/LowerConstantIntrinsics/builtin-object-size-phi.ll
@@ -131,6 +131,40 @@ define dso_local i64 @pick_max_large(i1 %c) local_unnamed_addr {
 
 }
 
+define dso_local i64 @pick_max_one_oob(i1 %c0, i1 %c1) {
+; CHECK-LABEL: @pick_max_one_oob(
+; CHECK-NEXT:    [[P:%.*]] = alloca [2 x i8], align 1
+; CHECK-NEXT:    br i1 [[C0:%.*]], label [[IF_THEN:%.*]], label [[IF_ELSE:%.*]]
+; CHECK:       if.then:
+; CHECK-NEXT:    [[P_THEN:%.*]] = getelementptr inbounds [2 x i8], ptr [[P]], i64 0, i64 1
+; CHECK-NEXT:    br label [[IF_END:%.*]]
+; CHECK:       if.else:
+; CHECK-NEXT:    [[P_ELSE:%.*]] = getelementptr inbounds [2 x i8], ptr [[P]], i64 0, i64 -1
+; CHECK-NEXT:    br label [[IF_END]]
+; CHECK:       if.end:
+; CHECK-NEXT:    [[P_END:%.*]] = phi ptr [ [[P_ELSE]], [[IF_ELSE]] ], [ [[P_THEN]], [[IF_THEN]] ]
+; CHECK-NEXT:    [[OBJSIZE:%.*]] = select i1 [[C1:%.*]], i64 1, i64 0
+; CHECK-NEXT:    ret i64 [[OBJSIZE]]
+;
+  %p = alloca [2 x i8], align 1
+  br i1 %c0, label %if.then, label %if.else
+
+if.then:
+  %p.then = getelementptr inbounds [2 x i8], ptr %p, i64 0, i64 1
+  br label %if.end
+
+if.else:
+  %p.else = getelementptr inbounds [2 x i8], ptr %p, i64 0, i64 -1
+  br label %if.end
+
+if.end:
+  %p.end = phi ptr [%p.else, %if.else], [%p.then, %if.then]
+  %objsize.max = call i64 @llvm.objectsize.i64.p0(ptr %p.end, i1 false, i1 true, i1 false)
+  %objsize.min = call i64 @llvm.objectsize.i64.p0(ptr %p.end, i1 true, i1 true, i1 false)
+  %objsize = select i1 %c1, i64 %objsize.max, i64 %objsize.min
+  ret i64 %objsize
+}
+
 
 define i64 @pick_negative_offset(i32 %n) {
 ; CHECK-LABEL: @pick_negative_offset(
diff --git a/llvm/test/Transforms/LowerConstantIntrinsics/objectsize_basic.ll b/llvm/test/Transforms/LowerConstantIntrinsics/objectsize_basic.ll
@@ -195,9 +195,23 @@ define i64 @out_of_bound_gep() {
   ret i64 %objsize
 }
 
-define i64 @wrapping_gep() {
+define i64 @wrapping_gep(i1 %c) {
 ; CHECK-LABEL: @wrapping_gep(
 ; CHECK-NEXT:    [[OBJ:%.*]] = alloca i8, i64 4, align 1
+; CHECK-NEXT:    [[SLIDE:%.*]] = getelementptr i8, ptr [[OBJ]], i64 -9223372036854775807
+; CHECK-NEXT:    [[SLIDE_BIS:%.*]] = getelementptr i8, ptr [[SLIDE]], i64 -9223372036854775808
+; CHECK-NEXT:    ret i64 3
+;
+  %obj = alloca i8, i64 4
+  %slide = getelementptr i8, ptr %obj, i64 9223372036854775809
+  %slide.bis = getelementptr i8, ptr %slide, i64 9223372036854775808
+  %objsize = call i64 @llvm.objectsize.i64(ptr %slide.bis, i1 false, i1 false, i1 false)
+  ret i64 %objsize
+}
+
+define i64 @wrapping_gep_neg(i1 %c) {
+; CHECK-LABEL: @wrapping_gep_neg(
+; CHECK-NEXT:    [[OBJ:%.*]] = alloca i8, i64 4, align 1
 ; CHECK-NEXT:    [[SLIDE:%.*]] = getelementptr i8, ptr [[OBJ]], i64 9223372036854775807
 ; CHECK-NEXT:    [[SLIDE_BIS:%.*]] = getelementptr i8, ptr [[SLIDE]], i64 9223372036854775807
 ; CHECK-NEXT:    ret i64 0
@@ -209,8 +223,8 @@ define i64 @wrapping_gep() {
   ret i64 %objsize
 }
 
-define i64 @wrapping_gep_neg() {
-; CHECK-LABEL: @wrapping_gep_neg(
+define i64 @wrapping_gep_large_alloc(i1 %c) {
+; CHECK-LABEL: @wrapping_gep_large_alloc(
 ; CHECK-NEXT:    [[OBJ:%.*]] = alloca i8, i64 9223372036854775807, align 1
 ; CHECK-NEXT:    [[SLIDE:%.*]] = getelementptr i8, ptr [[OBJ]], i64 9223372036854775807
 ; CHECK-NEXT:    [[SLIDE_BIS:%.*]] = getelementptr i8, ptr [[SLIDE]], i64 3
@@ -251,7 +265,7 @@ define i64 @large_malloc() {
   ret i64 %objsize
 }
 
-define i64 @out_of_bound_negative_gep() {
+define i64 @out_of_bound_negative_gep(i1 %c) {
 ; CHECK-LABEL: @out_of_bound_negative_gep(
 ; CHECK-NEXT:    [[OBJ:%.*]] = alloca i8, i32 4, align 1
 ; CHECK-NEXT:    [[SLIDE:%.*]] = getelementptr i8, ptr [[OBJ]], i8 -8
