Index: llvm/docs/LangRef.rst =================================================================== --- llvm/docs/LangRef.rst +++ llvm/docs/LangRef.rst @@ -9765,17 +9765,31 @@ } If the ``inbounds`` keyword is present, the result value of the -``getelementptr`` is a :ref:`poison value ` if the base -pointer is not an *in bounds* address of an allocated object, or if any -of the addresses that would be formed by successive addition of the -offsets implied by the indices to the base address with infinitely -precise signed arithmetic are not an *in bounds* address of that -allocated object. The *in bounds* addresses for an allocated object are -all the addresses that point into the object, plus the address one byte -past the end. The only *in bounds* address for a null pointer in the -default address-space is the null pointer itself. In cases where the -base is a vector of pointers the ``inbounds`` keyword applies to each -of the computations element-wise. +``getelementptr`` is a :ref:`poison value ` if one of the +following rules is violated: + +* The base pointer is an *in bounds* address of an allocated object, which + means that it points into an allocated object, or to its end (which is one + byte past the last byte contained in the object). The only *in bounds* + address for a null pointer in the default address-space is the null pointer + itself. +* If the type of an index is larger than than the pointer index type, the + truncation to the pointer index type preserves the signed value. +* The multiplication of an index by the type size does not wrap the pointer + index type in a signed sense (``nsw``). +* The successive addition of offsets (without adding the base address) does + not wrap the pointer index type in a signed sense (``nsw``). +* The successive addition of the current address, interpreted as an unsigned + number, and an offset, interpreted as a signed number, does not wrap the + unsigned address space and remains *in bounds* of the allocated object. + As a corollary, if the added offset is non-negative, the addition does not + wrap in an unsigned sense (``nuw``). +* In cases where the base is a vector of pointers, the ``inbounds`` keyword + applies to each of the computations element-wise. + +These rules are based on the assumption that no allocated object may cross +the unsigned address space boundary, and no allocated object may be larger +than half the pointer index type space. If the ``inbounds`` keyword is not present, the offsets are added to the base address with silently-wrapping two's complement arithmetic. If the