Bug 80349 - [6 Regression] UBSAN: compile time crash with "type mismatch in binary expression" message
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: sanitizer
Version: 7.0
Importance: P3 normal
Target Milestone: 6.4
Assignee: Jakub Jelinek
URL:
Keywords: ice-checking
Depends on:
Blocks: yarpgen
 
Reported: 2017-04-06 23:23 UTC by Dmitry Babokin
Modified: 2021-11-01 23:07 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail: 6.3.1, 7.0.1
Last reconfirmed: 2017-04-07 00:00:00


Attachments
gcc7-pr80349.patch (618 bytes, patch)
2017-04-11 18:43 UTC, Jakub Jelinek

Description Dmitry Babokin 2017-04-06 23:23:06 UTC
Top of the trunk gcc on x86_64

> cat f.cpp
extern const long long int var_20;
void foo() { int((var_20 & 50 | 051UL) << 0) << 0; }

> g++ -fsanitize=undefined -w -O0 -c f.cpp
f.cpp: In function ‘void foo()’:
f.cpp:2:6: error: type mismatch in binary expression
 void foo() { int((var_20 & 50 | 051UL) << 0) << 0; }
      ^~~
long long unsigned int

long long int

long long unsigned int

_11 = var_20.2_10 & 18;
f.cpp:2:6: internal compiler error: verify_gimple failed
0xdae9ad verify_gimple_in_seq(gimple*)
	../../gcc_svn_intel/gcc/tree-cfg.c:4934
0xafe2bd gimplify_body(tree_node*, bool)
	../../gcc_svn_intel/gcc/gimplify.c:12500
0xafe624 gimplify_function_tree(tree_node*)
	../../gcc_svn_intel/gcc/gimplify.c:12590
0x96e9df cgraph_node::analyze()
	../../gcc_svn_intel/gcc/cgraphunit.c:657
0x9719c9 analyze_functions
	../../gcc_svn_intel/gcc/cgraphunit.c:1118
0x972a82 symbol_table::finalize_compilation_unit()
	../../gcc_svn_intel/gcc/cgraphunit.c:2603
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
Comment 1 Richard Biener 2017-04-07 08:24:30 UTC
Confirmed.
Comment 2 Martin Liška 2017-04-07 08:37:18 UTC
Same as PR80348, started with r230365 (Merge C++ delayed folding branch.).
Comment 3 Dmitry Babokin 2017-04-10 18:58:45 UTC
PR80348 is fixed, but this still fails.
Comment 4 Jakub Jelinek 2017-04-11 18:43:06 UTC
Created attachment 41178
gcc7-pr80349.patch

Untested fix.
Comment 5 Jakub Jelinek 2017-04-12 06:13:35 UTC
Author: jakub
Date: Wed Apr 12 06:12:26 2017
New Revision: 246865

URL: https://gcc.gnu.org/viewcvs?rev=246865&root=gcc&view=rev
Log:
	PR sanitizer/80349
	* fold-const.c (fold_binary_loc) <case BIT_IOR_EXPR>: Convert arg0's
	first argument to type.

	* g++.dg/ubsan/pr80349.C: New test.

Added:
    trunk/gcc/testsuite/g++.dg/ubsan/pr80349.C
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/fold-const.c
    trunk/gcc/testsuite/ChangeLog
Comment 6 Jakub Jelinek 2017-04-12 07:14:06 UTC
Fixed on the trunk so far.
Comment 7 Dmitry Babokin 2017-04-21 19:35:44 UTC
One more. GCC r247062.

> cat f.cpp
unsigned long int ll;
int foo() {
  return (2036854775807 >> ll & char(207648476159223) | 502810590243120797UL) << 0;
}

> g++ -fsanitize=undefined -O0 -c f.cpp
f.cpp: In function ‘int foo()’:
f.cpp:2:5: error: type mismatch in binary expression
 int foo() {
     ^~~
long unsigned int

long int

long unsigned int

D.2746 = _2 | 502810590243120797;
f.cpp:2:5: internal compiler error: verify_gimple failed
Comment 8 Dmitry Babokin 2017-04-24 18:20:18 UTC
I also see crashes reporting problems with ^ operator.
Comment 9 Marek Polacek 2017-04-25 14:58:31 UTC
I've got a fix for Comment 7.

(In reply to Dmitry Babokin from comment #8)
> I also see crashes reporting problems with ^ operator.

Please provide a complete testcase; I've been unable to reproduce another crash with a modified Comment 7 testcase.
Comment 10 Marek Polacek 2017-04-25 16:40:29 UTC
Author: mpolacek
Date: Tue Apr 25 16:39:57 2017
New Revision: 247257

URL: https://gcc.gnu.org/viewcvs?rev=247257&root=gcc&view=rev
Log:
	PR sanitizer/80349
	* fold-const.c (fold_binary_loc) <case BIT_IOR_EXPR>: Convert arg0's
	first argument to type.

	* g++.dg/ubsan/pr80349-2.C: New test.

Added:
    trunk/gcc/testsuite/g++.dg/ubsan/pr80349-2.C
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/fold-const.c
    trunk/gcc/testsuite/ChangeLog
Comment 11 Marek Polacek 2017-04-25 17:02:59 UTC
Author: mpolacek
Date: Tue Apr 25 17:02:27 2017
New Revision: 247260

URL: https://gcc.gnu.org/viewcvs?rev=247260&root=gcc&view=rev
Log:
	PR sanitizer/80349
	* fold-const.c (fold_binary_loc) <case BIT_IOR_EXPR>: Convert arg0's
	first argument to type.

	* g++.dg/ubsan/pr80349-2.C: New test.

Added:
    branches/gcc-7-branch/gcc/testsuite/g++.dg/ubsan/pr80349-2.C
Modified:
    branches/gcc-7-branch/gcc/ChangeLog
    branches/gcc-7-branch/gcc/fold-const.c
    branches/gcc-7-branch/gcc/testsuite/ChangeLog
Comment 12 Dmitry Babokin 2017-04-25 18:54:59 UTC
int var;
long a;
long foo() {
  int i = !(1 & 808U ^ 1 & var) >> 0;
  long l = 0 % ((a & 1) != (3053241240409UL & 1));
  return i+l;
}
Comment 13 Marek Polacek 2017-04-25 19:15:35 UTC
Thanks, reproduced, will look into it.
Comment 14 Marek Polacek 2017-04-25 20:00:33 UTC
I believe this whole section needs fixing and new testcases:

tree arg00 = TREE_OPERAND (arg0, 0);
tree arg01 = TREE_OPERAND (arg0, 1);
tree arg10 = TREE_OPERAND (arg1, 0);
tree arg11 = TREE_OPERAND (arg1, 1);
tree itype = TREE_TYPE (arg0);

if (operand_equal_p (arg01, arg11, 0))
  return fold_build2_loc (loc, code, type,
                          fold_build2_loc (loc, BIT_AND_EXPR, itype,
                                           fold_build2_loc (loc,
                                                            BIT_XOR_EXPR, itype,
                                                            arg00, arg10),
                                           arg01),
                          build_zero_cst (itype));

if (operand_equal_p (arg01, arg10, 0))
  return fold_build2_loc (loc, code, type,
                          fold_build2_loc (loc, BIT_AND_EXPR, itype,
                                           fold_build2_loc (loc,
                                                            BIT_XOR_EXPR, itype,
                                                            arg00, arg11),
                                           arg01),
                          build_zero_cst (itype));

if (operand_equal_p (arg00, arg11, 0))
  return fold_build2_loc (loc, code, type,
                          fold_build2_loc (loc, BIT_AND_EXPR, itype,
                                           fold_build2_loc (loc,
                                                            BIT_XOR_EXPR, itype,
                                                            arg01, arg10),
                                           arg00),
                          build_zero_cst (itype));

if (operand_equal_p (arg00, arg10, 0))
  return fold_build2_loc (loc, code, type,
                          fold_build2_loc (loc, BIT_AND_EXPR, itype,
                                           fold_build2_loc (loc,
                                                            BIT_XOR_EXPR, itype,
                                                            arg01, arg11),
                                           arg00),
                          build_zero_cst (itype));
Comment 15 Marek Polacek 2017-04-27 21:13:01 UTC
Author: mpolacek
Date: Thu Apr 27 21:12:29 2017
New Revision: 247352

URL: https://gcc.gnu.org/viewcvs?rev=247352&root=gcc&view=rev
Log:
	PR sanitizer/80349
	* fold-const.c (fold_binary_loc) <case EQ_EXPR, NE_EXPR>: Convert
	arg10 and arg11 to itype.

	* c-c++-common/ubsan/pr80349.c: New test.

Added:
    trunk/gcc/testsuite/c-c++-common/ubsan/pr80349.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/fold-const.c
    trunk/gcc/testsuite/ChangeLog
Comment 16 Jakub Jelinek 2017-05-05 21:56:01 UTC
Author: jakub
Date: Fri May  5 21:55:29 2017
New Revision: 247702

URL: https://gcc.gnu.org/viewcvs?rev=247702&root=gcc&view=rev
Log:
	Backported from mainline
	2017-04-12  Jakub Jelinek  <jakub@redhat.com>

	PR sanitizer/80349
	* fold-const.c (fold_binary_loc) <case BIT_IOR_EXPR>: Convert arg0's
	first argument to type.

	* g++.dg/ubsan/pr80349.C: New test.

Added:
    branches/gcc-6-branch/gcc/testsuite/g++.dg/ubsan/pr80349.C
Modified:
    branches/gcc-6-branch/gcc/ChangeLog
    branches/gcc-6-branch/gcc/fold-const.c
    branches/gcc-6-branch/gcc/testsuite/ChangeLog
Comment 17 Jakub Jelinek 2017-05-29 10:54:44 UTC
Fixed.