guardable UB: flag mem access of poison/undef ptrs

AliveToolkit · Aug 22, 2023 · 4bd483b · 4bd483b
1 parent 2e57d13
commit 4bd483b
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 2 deletions.
diff --git a/ir/instr.cpp b/ir/instr.cpp
@@ -3215,7 +3215,7 @@ StateValue Assume::toSMT(State &s) const {
     // assume(ptr)
     const auto &vptr = s.getAndAddPoisonUB(*args[0]);
     Pointer ptr(s.getMemory(), vptr.value);
-    s.addUB(!ptr.isNull());
+    s.addGuardableUB(!ptr.isNull());
     break;
   }
   }

diff --git a/ir/state.cpp b/ir/state.cpp
@@ -588,7 +588,11 @@ State::getAndAddPoisonUB(const Value &val, bool undef_ub_too,
     }
 
     // If val is an aggregate, all elements should be non-poison
-    addUB(not_poison_except_padding(val.getType(), sv.non_poison));
+    expr np = not_poison_except_padding(val.getType(), sv.non_poison);
+    if (ptr_compare)
+      addGuardableUB(std::move(np));
+    else
+      addUB(std::move(np));
   }
 
   check_enough_tmp_slots();

diff --git a/tests/alive-tv/non-ub-exploitation/nonnull_metadata.srctgt.ll b/tests/alive-tv/non-ub-exploitation/nonnull_metadata.srctgt.ll
@@ -0,0 +1,16 @@
+; TEST-ARGS: -disallow-ub-exploitation
+; SKIP-IDENTITY
+
+define i1 @src(ptr %x) {
+  %y = load ptr, ptr %x, !nonnull !1
+  %c = icmp eq ptr %y, null
+  ret i1 %c
+}
+
+define i1 @tgt(ptr %x) {
+  ret i1 false
+}
+
+!1 = !{}
+
+; ERROR: Source has guardable UB
diff --git a/tests/alive-tv/non-ub-exploitation/range_metadata.srctgt.ll b/tests/alive-tv/non-ub-exploitation/range_metadata.srctgt.ll
@@ -0,0 +1,16 @@
+; TEST-ARGS: -disallow-ub-exploitation
+; SKIP-IDENTITY
+
+define i1 @src(ptr %x) {
+  %y = load i8, ptr %x, !range !1
+  %c = icmp eq i8 %y, 9
+  ret i1 %c
+}
+
+define i1 @tgt(ptr %x) {
+  ret i1 false
+}
+
+!1 = !{i8 0, i8 5}
+
+; ERROR: Source returns poison