fix #1244: tail call check must be UB if ptr is poison

nunoplopes · nunoplopes · commit 0dcec5848fae · 2025-09-17T11:43:20.000+01:00
diff --git a/ir/attrs.cpp b/ir/attrs.cpp
@@ -672,10 +672,11 @@ void TailCallInfo::check(State &s, const Instr &i,
   // Exception: alloca or byval arg may be passed to the callee as byval
   for (const auto &arg : args) {
     Pointer ptr(s.getMemory(), arg.val.value);
-    s.addUB(arg.val.non_poison.implies(
+    // if the ptr is poison, it can be replaced by an alloca
+    s.addUB(arg.val.non_poison &&
       (ptr.isStackAllocated() || ptr.isByval()).implies(arg.byval != 0) &&
       true // TODO: check for !var_args
-    ));
+    );
   }
 
   if (type != TailCallInfo::MustTail)
diff --git a/tests/alive-tv/calls/tail-poison.srctgt.ll b/tests/alive-tv/calls/tail-poison.srctgt.ll
@@ -0,0 +1,19 @@
+define i32 @src() {
+entry:
+  %s = alloca i128, align 8
+  %x = getelementptr inbounds nuw i8, ptr %s, i64 8
+  store i32 0, ptr %x, align 8
+  %0 = load ptr, ptr %s, align 8
+  %call = tail call i32 @multiply(ptr %0, i32 0)
+  store ptr %s, ptr %s, align 8
+  %1 = load i32, ptr %x, align 8
+  ret i32 %1
+}
+
+define i32 @tgt() {
+  %s = alloca i128, align 8
+  %call = tail call i32 @multiply(ptr undef, i32 0)
+  ret i32 0
+}
+
+declare i32 @multiply(ptr, i32)
