Bug 82044 - runtime signed integer overflow in check_mem_read_rtx() and all_positions_needed_p() in dse.c
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: rtl-optimization
Version: 8.0
Importance: P3 normal
Target Milestone: ---
Assignee: Martin Liška
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks:
 
Reported: 2017-08-30 19:28 UTC by Martin Sebor
Modified: 2017-12-15 09:32 UTC (History)

See Also:
Host:
Target:
Build:
Known to work: 7.2.0, 8.0
Known to fail: 6.4.0
Last reconfirmed: 2017-09-11 00:00:00


Description Martin Sebor 2017-08-30 19:28:55 UTC
When compiled with today's top of trunk (GCC 8.0) configured for x86_64-linux --with-build-config=bootstrap-ubsan the following test case triggers a runtime error in the check_mem_read_rtx() and all_positions_needed_p() functions in dse.c.

$ cat t.c && gcc -O2 -S -Wall -ftracer t.c
typedef __SIZE_TYPE__ size_t;

extern void* memcpy (void* restrict, const void* restrict, size_t);

#define SSIZE_MAX   (__SIZE_MAX__ / 2)

void sink (void*);

void f (char *p, __SIZE_TYPE__ n)
{
  if (n < SSIZE_MAX - 2 || SSIZE_MAX < n)
    n = SSIZE_MAX - 2;

  memcpy (p, p + n, 3);
}
/src/gcc/git/gcc/dse.c:2122:18: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long int'
/src/gcc/git/gcc/dse.c:1252:61: runtime error: shift exponent -1 is negative
Comment 1 Martin Sebor 2017-08-30 19:30:03 UTC
The code is syntactically valid but has undefined behavior at runtime.

See also bug 82042 for other similar problems.
Comment 2 Martin Liška 2017-09-11 08:52:49 UTC
I've got a patch for that.
Comment 3 Martin Liška 2017-11-21 13:39:45 UTC
Author: marxin
Date: Tue Nov 21 13:39:14 2017
New Revision: 255001

URL: https://gcc.gnu.org/viewcvs?rev=255001&root=gcc&view=rev
Log:
Fix UBSAN errors in dse.c (PR rtl-optimization/82044).

2017-11-21  Martin Liska  <mliska@suse.cz>

	PR rtl-optimization/82044
	PR tree-optimization/82042
	* dse.c (check_mem_read_rtx): Check for overflow.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/dse.c
Comment 4 Martin Liška 2017-11-21 13:40:21 UTC
Fixed on trunk, planned for backports.
Comment 5 Martin Liška 2017-11-21 16:03:07 UTC
Author: marxin
Date: Tue Nov 21 16:02:35 2017
New Revision: 255013

URL: https://gcc.gnu.org/viewcvs?rev=255013&root=gcc&view=rev
Log:
Backport r255001

2017-11-21  Martin Liska  <mliska@suse.cz>

	Backport from mainline
	2017-11-21  Martin Liska  <mliska@suse.cz>

	PR rtl-optimization/82044
	PR tree-optimization/82042
	* dse.c (check_mem_read_rtx): Check for overflow.

Modified:
    branches/gcc-7-branch/gcc/ChangeLog
    branches/gcc-7-branch/gcc/dse.c
Comment 6 Richard Biener 2017-11-22 09:05:19 UTC
Author: rguenth
Date: Wed Nov 22 09:04:47 2017
New Revision: 255046

URL: https://gcc.gnu.org/viewcvs?rev=255046&root=gcc&view=rev
Log:
2017-11-22  Richard Biener  <rguenther@suse.de>

	Revert
	2017-11-21  Martin Liska  <mliska@suse.cz>
 
	Backport from mainline
	2017-11-21  Martin Liska  <mliska@suse.cz>

	PR rtl-optimization/82044
	PR tree-optimization/82042
	* dse.c (check_mem_read_rtx): Check for overflow.

Modified:
    branches/gcc-7-branch/gcc/ChangeLog
    branches/gcc-7-branch/gcc/dse.c
Comment 7 Jakub Jelinek 2017-11-22 09:08:55 UTC
Author: jakub
Date: Wed Nov 22 09:08:23 2017
New Revision: 255048

URL: https://gcc.gnu.org/viewcvs?rev=255048&root=gcc&view=rev
Log:
	PR rtl-optimization/82044
	PR tree-optimization/82042
	* dse.c (record_store): Check for overflow.
	(check_mem_read_rtx): Properly check for overflow if width == -1, call
	add_wild_read instead of clear_rhs_from_active_local_stores on
	overflow and log it into dump_file.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/dse.c
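As an added illustration of the overflow the description reports and of the fallback named in the Comment 7 ChangeLog (treat a read whose end cannot be computed as a wild read rather than wrapping), this C snippet models the read-range check in isolation. It is not code from dse.c; the type alias, structure names and the handling of the -1 width sentinel are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the read-range bookkeeping described in the report;
   it is not code from dse.c.  GCC's HOST_WIDE_INT is a 64-bit signed
   integer, so int64_t stands in for it here (assumption).  */
typedef int64_t hwi;

/* dse.c uses a width of -1 to mean "access size unknown".  Feeding that
   sentinel into a shift such as (1 << width) is what produced
   "shift exponent -1 is negative" in all_positions_needed_p.  */
#define UNKNOWN_WIDTH (-1)

enum read_kind { READ_RANGE, READ_WILD };
struct read_range { enum read_kind kind; hwi begin, end; };

/* Classify a read of WIDTH bytes starting at OFFSET.
   The naive form `end = offset + width` is signed overflow for the
   reported test case (offset = SSIZE_MAX - 2, width = 3).  Instead of
   wrapping, an unknown width or an end that does not fit in hwi is
   reported as a wild read: the conservative answer that keeps every
   earlier store alive, which is what the final fix does via
   add_wild_read.  */
static struct read_range classify_read(hwi offset, hwi width)
{
    struct read_range r = { READ_WILD, 0, 0 };
    if (width == UNKNOWN_WIDTH)
        return r;
    hwi end;
    if (__builtin_add_overflow(offset, width, &end))  /* GCC/clang builtin */
        return r;
    r.kind = READ_RANGE;
    r.begin = offset;
    r.end = end;
    return r;
}

int main(void)
{
    /* The report's input: p + n with n = SSIZE_MAX - 2, read of 3 bytes. */
    struct read_range r = classify_read(INT64_MAX - 2, 3);
    printf("SSIZE_MAX-2 + 3 -> %s\n", r.kind == READ_WILD ? "wild read" : "range");
    r = classify_read(16, 8);
    printf("16 + 8 -> [%lld, %lld)\n", (long long)r.begin, (long long)r.end);
    r = classify_read(16, UNKNOWN_WIDTH);
    printf("unknown width -> %s\n", r.kind == READ_WILD ? "wild read" : "range");
    return 0;
}
```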
Comment 8 Jakub Jelinek 2017-12-15 09:32:56 UTC
Fixed.