[llvm] Bail out when meeting pointer with negative offset instead of …

llvm/lib/Analysis/MemoryBuiltins.cpp

@@ -838,9 +838,9 @@ OffsetSpan ObjectSizeOffsetVisitor::computeImpl(Value *V) {
 
   // We end up pointing on a location that's outside of the original object.
   if (ORT.knownBefore() && ORT.Before.isNegative()) {
-    // This means that we *may* be accessing memory before the allocation. It's
-    // unsure though, so bail out instead of returning a potentially misleading
-    // result.
+    // This means that we *may* be accessing memory before the allocation.
+    // Conservatively return an unknown size.
+    //
     // TODO: working with ranges instead of value would make it possible to take
     // a better decision.
     if (Options.EvalMode == ObjectSizeOpts::Mode::Min ||

llvm/test/Transforms/LowerConstantIntrinsics/builtin-object-size-range.ll

@@ -107,8 +107,8 @@ define i64 @select_gep_offsets(i1 %cond) {
   ret i64 %res
 }
 
-define i64 @select_gep_oob_offsets(i1 %cond) {
-; CHECK-LABEL: @select_gep_oob_offsets(
+define i64 @select_gep_oob_overapproximated_offsets(i1 %cond) {
+; CHECK-LABEL: @select_gep_oob_overapproximated_offsets(
 ; CHECK-NEXT:    [[BASE1:%.*]] = alloca [288 x i8], align 16
 ; CHECK-NEXT:    [[SELECT0:%.*]] = select i1 [[COND:%.*]], i64 -4, i64 -64
 ; CHECK-NEXT:    [[SELECT1:%.*]] = select i1 [[COND]], i64 16, i64 64
@@ -119,6 +119,8 @@ define i64 @select_gep_oob_offsets(i1 %cond) {
   %base1 = alloca [288 x i8], align 16
   %select0 = select i1 %cond, i64 -4, i64 -64
   %select1 = select i1 %cond, i64 16, i64 64
+; This nevers actually goes oob, but because we approcimate each select
+; independently, this actually ranges in [16 - 64 ; 64 - 4] instead of [64 - 64; 16 - 4]
   %gep0 = getelementptr inbounds nuw i8, ptr %base1, i64 %select1
   %gep1 = getelementptr inbounds i8, ptr %gep0, i64 %select0
   %call = call i64 @llvm.objectsize.i64.p0(ptr %gep1, i1 false, i1 true, i1 false)