This is an archive of the discontinued LLVM Phabricator instance.

Differential D64451

[PoisonChecking] Validate inbounds annotation on getelementptr where possible
AbandonedPublic

Authored by reames on Jul 9 2019, 2:49 PM.

Details

Reviewers
sanjoy
nlopes
jdoerfert
aqjune
Summary

The rules for inbounds are a bit subtle, so I'd appreciate another set of eyes. Please review the usage of getUnderlyingObject and getObjectSize carefully; my intent is to factor this out for use in inferring inbounds from the optimizer in the near future, so having it be correct is important.

Diff Detail

Event Timeline

reames created this revision.Jul 9 2019, 2:49 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 9 2019, 2:49 PM
Herald added subscribers: bollu, mcrosier. · View Herald Transcript
jdoerfert added a comment.Jul 9 2019, 8:31 PM

Three comments, though I need to look at it when I'm actually awake.

lib/Transforms/Instrumentation/PoisonChecking.cpp
208

GlobalVariable is another easy one, and isMallocLikeFn.

213

You use GetUnderlyingObject to get a base which is used in checks later but you look at the indices of this GEP only.

I think that is not OK, e.g., if you have two geps, one all positive indices and the one before negative ones.

234

The in bounds addresses for an allocated object are all the addresses that point into the object, plus the address one byte past the end.

You might need to adjust SizeInBytes by one, though it's late.

fhahn added a subscriber: fhahn.Jul 10 2019, 9:23 AM
nlopes added inline comments.Jul 10 2019, 9:33 AM
lib/Transforms/Instrumentation/PoisonChecking.cpp
237

Doing these pointer comparisons isn't legal, and LLVM can fold "out_of_bonds_ptr >= valid_ptr" to poison.
You need to cast those pointers to integers and do the comparison there: offset >= 0 && offset <= obj_size. You may want to lower the GEP in IR right away (there's a function for that in ValueTracking or somewhere else, I forget)?

reames planned changes to this revision.Jul 10 2019, 10:04 AM
reames marked 4 inline comments as done.
reames added inline comments.
lib/Transforms/Instrumentation/PoisonChecking.cpp
208

GlobalVariable was a bit unclear to me since I haven't studied the rules for conflicting definitions in different modules.

isMallocLikeFn is definitely valid, but requires TLI (which this pass currently doesn't have). I was planning on doing that in a follow up.

213

Good catch! Yeah, definitely needs fixed.

234

This should be handled by using UGT not UGE right?

237

Can you cite where in the LangRef it says this? I think you're quite possibly right, but a) I didn't find the wording with a quick search and b) the output seems to survive the optimizer in simple cases which is maybe a hint we don't implement it that way?

reames updated this revision to Diff 209008.Jul 10 2019, 10:16 AM

Fix bug caught in review. Thanks!

jdoerfert added inline comments.Jul 10 2019, 10:32 AM
lib/Transforms/Instrumentation/PoisonChecking.cpp
208

That is fine with me.

217

While I now thing this is correct, we might want to make it less restrictive using existing functionality to accumulate and strip pointer stuff, e.g., along the lines of:

const Value *Base = GEP->stripAndAccumulateConstantOffsets(const DataLayout &DL,
                                                 APInt &Offset,
                                                 bool AllowNonInbounds);
IsNonNegativeOffset = (Base == Obj) && Offset >= 0;
234

Yes. An offset of one in the right direction, compared to what you have now, is required. Either change is fine.

237

I would have thought the reasoning described by @nlopes is only valid for inbounds GEPs. "Normal" GEPs should be allowed to go out-of-bounds without producing poison (IMHO).

aqjune added inline comments.Jul 14 2019, 1:34 PM
lib/Transforms/Instrumentation/PoisonChecking.cpp
234

Is this case covered as well?

a = alloca i32 // 4 bytes
p1 = gep a, -1
p2 = gep inbounds p1, 2

p2 is poison because p1 is not in-bounds pointer.
UpperCheck will succeed because Addr is smaller than a + 4.

300

A silly question: where is the poison-ness of operands of GEP checked at?

jdoerfert added inline comments.Jul 14 2019, 4:56 PM
lib/Transforms/Instrumentation/PoisonChecking.cpp
300

I think this is relates to your other question: nowhere yet (I think)

Though, this is a really good point. The check for an inbound gep could include one to ensure a valid base pointer. How to do that is tricky though. If the base allocation is known, one can substract the base pointer from the base allocation and do diff >= 0 && diff <= length. If the base allocation is not known, we would need to track more information throughout the program. There are different ways to do this but I guess the first case should be covered next.

reames planned changes to this revision.Jul 30 2019, 11:25 AM

Just indicating in the review state that the next action item here is mine. Probably not going to get back to this for a bit, so want that to be clear to reviewers.

reames marked 3 inline comments as done.Aug 21 2019, 1:20 PM

Address comments in advance of patch refresh.

lib/Transforms/Instrumentation/PoisonChecking.cpp
217

Your proposal is less powerful than the existing code as it's restricted to constants where the current code is didn't. Did you have a particular missed case in mind?

234

Hadn't been handled in the original patch, see forthcoming refresh.

300

I think nlopes question was actually about one of the operands being directly poison. Which is handled via the propagatesFullPoison code.

reames updated this revision to Diff 216464.Aug 21 2019, 1:35 PM

Address the out of bounds base point brought up in review.

jdoerfert added inline comments.Aug 21 2019, 3:52 PM
lib/Transforms/Instrumentation/PoisonChecking.cpp
217

I think, though I don't quite remember, I wanted to simplify the code. It was only a suggestion anyway.

reames abandoned this revision.Oct 15 2021, 11:59 AM

Abandoning an old review I'm not going to return to any time soon.

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
82 lines
test/
Instrumentation/
PoisonChecking/
109 lines

Diff 216464

lib/Transforms/Instrumentation/PoisonChecking.cpp

Show First 20 LinesShow All 176 Lines▼ Show 20 Lines Value *ShiftCheck =
ConstantInt::get(RHS->getType(), ConstantInt::get(RHS->getType(),
LHS->getType()->getScalarSizeInBits())); LHS->getType()->getScalarSizeInBits()));
Checks.push_back(ShiftCheck); Checks.push_back(ShiftCheck);
break; break;
} }
}; };
} }
/// Generate checks which evaluate to true if we can tell that the given
/// pointer is out of bounds for the allocation on which it is based.
static void generateAddressBoundsChecks(IRBuilder<> &B,
Value *Ptr, const DataLayout& DL,
SmallVector<Value*, 2> &Checks) {
assert(Ptr->getType()->isPointerTy());
Value *Obj = GetUnderlyingObject(Ptr, DL);
if (!Obj)
return;
// CAUTION: At this point we know that Obj is *some* pointer w/in
// Allocation A, but we do NOT know that A.start == Obj. As such, there
// may be inbounds addresses between the unknown A.start and Obj. We also do
// not know if Obj <= I.getPointerOperand().
// Even if we know the distance between Obj and A.end, we still don't know
// the offset of Obj w/in A.
uint64_t SizeInBytes;
const bool GenUpperCheck = getObjectSize(Obj, SizeInBytes, DL, nullptr);
// Is this known to the be the start of some allocation? If we know that Obj
// is actually a start an an allocation, than any address below that must be
// out of bounds.
// TODO: expand this and integrate w/MemoryBuiltins.h
bool isKnownAllocationStart = isa<AllocaInst>(Obj);
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

GlobalVariable is another easy one, and isMallocLikeFn.

jdoerfert: `GlobalVariable` is another easy one, and `isMallocLikeFn`.
reamesAuthorUnsubmitted
Done
ReplyInline Actions

GlobalVariable was a bit unclear to me since I haven't studied the rules for conflicting definitions in different modules.

isMallocLikeFn is definitely valid, but requires TLI (which this pass currently doesn't have). I was planning on doing that in a follow up.

reames: GlobalVariable was a bit unclear to me since I haven't studied the rules for conflicting…
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

That is fine with me.

jdoerfert: That is fine with me.
const bool GenLowerCheck = isKnownAllocationStart;
if (!GenUpperCheck && !GenLowerCheck)
return;
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

You use GetUnderlyingObject to get a base which is used in checks later but you look at the indices of this GEP only.

I think that is not OK, e.g., if you have two geps, one all positive indices and the one before negative ones.

jdoerfert: You use `GetUnderlyingObject` to get a base which is used in checks later but you look at the…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Good catch! Yeah, definitely needs fixed.

reames: Good catch! Yeah, definitely needs fixed.
auto *I8PtrTy = B.getInt8PtrTy(Ptr->getType()->getPointerAddressSpace());
auto *Addr = B.CreateBitCast(Ptr, I8PtrTy);
auto *Base = B.CreateBitCast(Obj, I8PtrTy, "lower.limit");
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

While I now thing this is correct, we might want to make it less restrictive using existing functionality to accumulate and strip pointer stuff, e.g., along the lines of:

const Value *Base = GEP->stripAndAccumulateConstantOffsets(const DataLayout &DL,
                                                 APInt &Offset,
                                                 bool AllowNonInbounds);
IsNonNegativeOffset = (Base == Obj) && Offset >= 0;
jdoerfert: While I now thing this is correct, we might want to make it less restrictive using existing…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Your proposal is less powerful than the existing code as it's restricted to constants where the current code is didn't. Did you have a particular missed case in mind?

reames: Your proposal is less powerful than the existing code as it's restricted to constants where the…
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

I think, though I don't quite remember, I wanted to simplify the code. It was only a suggestion anyway.

jdoerfert: I think, though I don't quite remember, I wanted to simplify the code. It was only a suggestion…
if (GenUpperCheck) {
auto *UpperLimit = B.CreateGEP(Base, B.getInt64(SizeInBytes),
"upper.limit");
Checks.push_back(B.CreateICmp(ICmpInst::ICMP_UGT, Addr, UpperLimit));
}
if (GenLowerCheck)
Checks.push_back(B.CreateICmp(ICmpInst::ICMP_ULT, Addr, Base));
}
static void generatePoisonChecksForInboundsGEP(IRBuilder<> &B,
GetElementPtrInst& GEP,
SmallVector<Value*, 2> &Checks) {
assert(GEP.isInBounds());
if (GEP.getType()->isVectorTy())
return;
auto &DL = GEP.getModule()->getDataLayout();
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

The in bounds addresses for an allocated object are all the addresses that point into the object, plus the address one byte past the end.

You might need to adjust SizeInBytes by one, though it's late.

jdoerfert: > The in bounds addresses for an allocated object are all the addresses that point into the…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

This should be handled by using UGT not UGE right?

reames: This should be handled by using UGT not UGE right?
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

Yes. An offset of one in the right direction, compared to what you have now, is required. Either change is fine.

jdoerfert: Yes. An offset of one in the right direction, compared to what you have now, is required.
aqjuneUnsubmitted
Not Done
ReplyInline Actions

Is this case covered as well?

a = alloca i32 // 4 bytes
p1 = gep a, -1
p2 = gep inbounds p1, 2

p2 is poison because p1 is not in-bounds pointer.
UpperCheck will succeed because Addr is smaller than a + 4.

aqjune: Is this case covered as well? ``` a = alloca i32 // 4 bytes p1 = gep a, -1 p2 = gep inbounds p1…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Hadn't been handled in the original patch, see forthcoming refresh.

reames: Hadn't been handled in the original patch, see forthcoming refresh.
Type *I8PtrTy = B.getInt8PtrTy(GEP.getType()->getPointerAddressSpace());
Value *Base = B.CreateBitCast(GEP.getPointerOperand(), I8PtrTy, "base.i8");
// First, check that the base pointer is in bounds for the allocation. If it
nlopesUnsubmitted
Not Done
ReplyInline Actions

Doing these pointer comparisons isn't legal, and LLVM can fold "out_of_bonds_ptr >= valid_ptr" to poison.
You need to cast those pointers to integers and do the comparison there: offset >= 0 && offset <= obj_size. You may want to lower the GEP in IR right away (there's a function for that in ValueTracking or somewhere else, I forget)?

nlopes: Doing these pointer comparisons isn't legal, and LLVM can fold "out_of_bonds_ptr >= valid_ptr"…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Can you cite where in the LangRef it says this? I think you're quite possibly right, but a) I didn't find the wording with a quick search and b) the output seems to survive the optimizer in simple cases which is maybe a hint we don't implement it that way?

reames: Can you cite where in the LangRef it says this? I think you're quite possibly right, but a) I…
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

I would have thought the reasoning described by @nlopes is only valid for inbounds GEPs. "Normal" GEPs should be allowed to go out-of-bounds without producing poison (IMHO).

jdoerfert: I would have thought the reasoning described by @nlopes is only valid for `inbounds` GEPs.
// isn't, an inbounds gep unconditionally produces UB.
generateAddressBoundsChecks(B, Base, DL, Checks);
// Second, check that the result of the GEP is inbounds for the allocation.
auto *NewGEP = cast<GetElementPtrInst>(GEP.clone());
NewGEP->setIsInBounds(false);
NewGEP->insertBefore(&GEP);
Value *Addr = B.CreateBitCast(NewGEP, I8PtrTy, "addr.i8");
generateAddressBoundsChecks(B, Addr, DL, Checks);
// Third, check that GEP >= GEP.base for non-negative offsets. This catches
// the case where a) we can't find the underlying allocation above, or b) we
// wrapped all the way around and ended up back in bounds of the same
// allocation (and no allocation can wrap around, thus poison!).
bool IsNonNegativeOffset = true;
for (unsigned i = 1; i < GEP.getNumOperands() && IsNonNegativeOffset; i++)
IsNonNegativeOffset &= isKnownNonNegative(GEP.getOperand(i), DL);
if (IsNonNegativeOffset)
Checks.push_back(B.CreateICmp(ICmpInst::ICMP_ULT, Addr, Base));
}
static Value* generatePoisonChecks(Instruction &I) { static Value* generatePoisonChecks(Instruction &I) {
IRBuilder<> B(&I); IRBuilder<> B(&I);
SmallVector<Value*, 2> Checks; SmallVector<Value*, 2> Checks;
if (isa<BinaryOperator>(I) && !I.getType()->isVectorTy()) if (isa<BinaryOperator>(I) && !I.getType()->isVectorTy())
generatePoisonChecksForBinOp(I, Checks); generatePoisonChecksForBinOp(I, Checks);
// Handle non-binops seperately // Handle non-binops seperately
switch (I.getOpcode()) { switch (I.getOpcode()) {
Show All 18 Lines case Instruction::InsertElement: {
Value *Idx = I.getOperand(2); Value *Idx = I.getOperand(2);
unsigned NumElts = Vec->getType()->getVectorNumElements(); unsigned NumElts = Vec->getType()->getVectorNumElements();
Value *Check = Value *Check =
B.CreateICmp(ICmpInst::ICMP_UGE, Idx, B.CreateICmp(ICmpInst::ICMP_UGE, Idx,
ConstantInt::get(Idx->getType(), NumElts)); ConstantInt::get(Idx->getType(), NumElts));
Checks.push_back(Check); Checks.push_back(Check);
break; break;
} }
case Instruction::GetElementPtr: {
auto &GEP = cast<GetElementPtrInst>(I);
if (!GEP.isInBounds())
break;
generatePoisonChecksForInboundsGEP(B, GEP, Checks);
break;
}
aqjuneUnsubmitted
Not Done
ReplyInline Actions

A silly question: where is the poison-ness of operands of GEP checked at?

aqjune: A silly question: where is the poison-ness of operands of GEP checked at?
jdoerfertUnsubmitted
Not Done
ReplyInline Actions

I think this is relates to your other question: nowhere yet (I think)

Though, this is a really good point. The check for an inbound gep could include one to ensure a valid base pointer. How to do that is tricky though. If the base allocation is known, one can substract the base pointer from the base allocation and do diff >= 0 && diff <= length. If the base allocation is not known, we would need to track more information throughout the program. There are different ways to do this but I guess the first case should be covered next.

jdoerfert: I think this is relates to your other question: nowhere yet (I think) Though, this is a really…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

I think nlopes question was actually about one of the operands being directly poison. Which is handled via the propagatesFullPoison code.

reames: I think nlopes question was actually about one of the operands being directly poison. Which is…
}; };
return buildOrChain(B, Checks); return buildOrChain(B, Checks);
} }
static Value *getPoisonFor(DenseMap<Value *, Value *> &ValToPoison, Value *V) { static Value *getPoisonFor(DenseMap<Value *, Value *> &ValToPoison, Value *V) {
auto Itr = ValToPoison.find(V); auto Itr = ValToPoison.find(V);
if (Itr != ValToPoison.end()) if (Itr != ValToPoison.end())
return Itr->second; return Itr->second;
▲ Show 20 LinesShow All 131 LinesShow Last 20 Lines

test/Instrumentation/PoisonChecking/basic-flag-validation.ll

Show First 20 LinesShow All 314 Lines▼ Show 20 Lines
; CHECK-NEXT: [[TMP2:%.*]] = xor i1 [[TMP1]], true ; CHECK-NEXT: [[TMP2:%.*]] = xor i1 [[TMP1]], true
; CHECK-NEXT: call void @__poison_checker_assert(i1 [[TMP2]]) ; CHECK-NEXT: call void @__poison_checker_assert(i1 [[TMP2]])
; CHECK-NEXT: ret <4 x i32> [[RES]] ; CHECK-NEXT: ret <4 x i32> [[RES]]
; ;
%res = insertelement <4 x i32> %v, i32 %val, i32 %idx %res = insertelement <4 x i32> %v, i32 %val, i32 %idx
ret <4 x i32> %res ret <4 x i32> %res
} }
define void @gep_inbounds_generic(i8* %base, i32 %n) {
; CHECK-LABEL: @gep_inbounds_generic(
; CHECK-NEXT: [[TMP1:%.*]] = getelementptr i8, i8* [[BASE:%.*]], i32 [[N:%.*]]
; CHECK-NEXT: [[P:%.*]] = getelementptr inbounds i8, i8* [[BASE]], i32 [[N]]
; CHECK-NEXT: store i8 0, i8* [[P]]
; CHECK-NEXT: ret void
;
%p = getelementptr inbounds i8, i8* %base, i32 %n
store i8 0, i8* %p
ret void
}
define void @gep_inbounds_positive_offset(i8* %base) {
; CHECK-LABEL: @gep_inbounds_positive_offset(
; CHECK-NEXT: [[TMP1:%.*]] = getelementptr i8, i8* [[BASE:%.*]], i32 10
; CHECK-NEXT: [[TMP2:%.*]] = icmp ult i8* [[TMP1]], [[BASE]]
; CHECK-NEXT: [[P:%.*]] = getelementptr inbounds i8, i8* [[BASE]], i32 10
; CHECK-NEXT: [[TMP3:%.*]] = xor i1 [[TMP2]], true
; CHECK-NEXT: call void @__poison_checker_assert(i1 [[TMP3]])
; CHECK-NEXT: store i8 0, i8* [[P]]
; CHECK-NEXT: ret void
;
%p = getelementptr inbounds i8, i8* %base, i32 10
store i8 0, i8* %p
ret void
}
define void @gep_inbounds_hidden_negative_offset(i8* %base) {
; CHECK-LABEL: @gep_inbounds_hidden_negative_offset(
; CHECK-NEXT: [[TMP1:%.*]] = getelementptr i8, i8* [[BASE:%.*]], i32 -20
; CHECK-NEXT: [[P1:%.*]] = getelementptr inbounds i8, i8* [[BASE]], i32 -20
; CHECK-NEXT: [[TMP2:%.*]] = getelementptr i8, i8* [[P1]], i32 10
; CHECK-NEXT: [[TMP3:%.*]] = icmp ult i8* [[TMP2]], [[P1]]
; CHECK-NEXT: [[P:%.*]] = getelementptr inbounds i8, i8* [[P1]], i32 10
; CHECK-NEXT: [[TMP4:%.*]] = xor i1 [[TMP3]], true
; CHECK-NEXT: call void @__poison_checker_assert(i1 [[TMP4]])
; CHECK-NEXT: store i8 0, i8* [[P]]
; CHECK-NEXT: ret void
;
%p1 = getelementptr inbounds i8, i8* %base, i32 -20
%p = getelementptr inbounds i8, i8* %p1, i32 10
store i8 0, i8* %p
ret void
}
define void @gep_inbounds_known_base_and_size(i32 %n) {
; CHECK-LABEL: @gep_inbounds_known_base_and_size(
; CHECK-NEXT: [[ALLOCA:%.*]] = alloca [200 x i8]
; CHECK-NEXT: [[BASE:%.*]] = bitcast [200 x i8]* [[ALLOCA]] to i8*
; CHECK-NEXT: [[LOWER_LIMIT:%.*]] = bitcast [200 x i8]* [[ALLOCA]] to i8*
; CHECK-NEXT: [[UPPER_LIMIT:%.*]] = getelementptr i8, i8* [[LOWER_LIMIT]], i64 200
; CHECK-NEXT: [[TMP1:%.*]] = icmp ugt i8* [[BASE]], [[UPPER_LIMIT]]
; CHECK-NEXT: [[TMP2:%.*]] = icmp ult i8* [[BASE]], [[LOWER_LIMIT]]
; CHECK-NEXT: [[TMP3:%.*]] = getelementptr i8, i8* [[BASE]], i32 [[N:%.*]]
; CHECK-NEXT: [[LOWER_LIMIT1:%.*]] = bitcast [200 x i8]* [[ALLOCA]] to i8*
; CHECK-NEXT: [[UPPER_LIMIT2:%.*]] = getelementptr i8, i8* [[LOWER_LIMIT1]], i64 200
; CHECK-NEXT: [[TMP4:%.*]] = icmp ugt i8* [[TMP3]], [[UPPER_LIMIT2]]
; CHECK-NEXT: [[TMP5:%.*]] = icmp ult i8* [[TMP3]], [[LOWER_LIMIT1]]
; CHECK-NEXT: [[TMP6:%.*]] = or i1 [[TMP1]], [[TMP2]]
; CHECK-NEXT: [[TMP7:%.*]] = or i1 [[TMP6]], [[TMP4]]
; CHECK-NEXT: [[TMP8:%.*]] = or i1 [[TMP7]], [[TMP5]]
; CHECK-NEXT: [[P:%.*]] = getelementptr inbounds i8, i8* [[BASE]], i32 [[N]]
; CHECK-NEXT: [[TMP9:%.*]] = xor i1 [[TMP8]], true
; CHECK-NEXT: call void @__poison_checker_assert(i1 [[TMP9]])
; CHECK-NEXT: store i8 0, i8* [[P]]
; CHECK-NEXT: ret void
;
%alloca = alloca [200 x i8]
%base = bitcast [200 x i8]* %alloca to i8*
%p = getelementptr inbounds i8, i8* %base, i32 %n
store i8 0, i8* %p
ret void
}
define void @gep_inbounds_known_base_and_size_out_of_bounds_origin(i32 %n) {
; CHECK-LABEL: @gep_inbounds_known_base_and_size_out_of_bounds_origin(
; CHECK-NEXT: [[ALLOCA:%.*]] = alloca [200 x i8]
; CHECK-NEXT: [[BASE:%.*]] = bitcast [200 x i8]* [[ALLOCA]] to i8*
; CHECK-NEXT: [[P1:%.*]] = getelementptr i8, i8* [[BASE]], i32 202
; CHECK-NEXT: [[LOWER_LIMIT:%.*]] = bitcast [200 x i8]* [[ALLOCA]] to i8*
; CHECK-NEXT: [[UPPER_LIMIT:%.*]] = getelementptr i8, i8* [[LOWER_LIMIT]], i64 200
; CHECK-NEXT: [[TMP1:%.*]] = icmp ugt i8* [[P1]], [[UPPER_LIMIT]]
; CHECK-NEXT: [[TMP2:%.*]] = icmp ult i8* [[P1]], [[LOWER_LIMIT]]
; CHECK-NEXT: [[TMP3:%.*]] = getelementptr i8, i8* [[P1]], i32 [[N:%.*]]
; CHECK-NEXT: [[LOWER_LIMIT1:%.*]] = bitcast [200 x i8]* [[ALLOCA]] to i8*
; CHECK-NEXT: [[UPPER_LIMIT2:%.*]] = getelementptr i8, i8* [[LOWER_LIMIT1]], i64 200
; CHECK-NEXT: [[TMP4:%.*]] = icmp ugt i8* [[TMP3]], [[UPPER_LIMIT2]]
; CHECK-NEXT: [[TMP5:%.*]] = icmp ult i8* [[TMP3]], [[LOWER_LIMIT1]]
; CHECK-NEXT: [[TMP6:%.*]] = or i1 [[TMP1]], [[TMP2]]
; CHECK-NEXT: [[TMP7:%.*]] = or i1 [[TMP6]], [[TMP4]]
; CHECK-NEXT: [[TMP8:%.*]] = or i1 [[TMP7]], [[TMP5]]
; CHECK-NEXT: [[P:%.*]] = getelementptr inbounds i8, i8* [[P1]], i32 [[N]]
; CHECK-NEXT: [[TMP9:%.*]] = xor i1 [[TMP8]], true
; CHECK-NEXT: call void @__poison_checker_assert(i1 [[TMP9]])
; CHECK-NEXT: store i8 0, i8* [[P]]
; CHECK-NEXT: ret void
;
%alloca = alloca [200 x i8]
%base = bitcast [200 x i8]* %alloca to i8*
%p1 = getelementptr i8, i8* %base, i32 202
%p = getelementptr inbounds i8, i8* %p1, i32 %n
store i8 0, i8* %p
ret void
}