This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
[PATCH] Prevent extract_muldiv from introducing an overflow (PR sanitizer/80800)
- From: Marek Polacek <polacek at redhat dot com>
- To: GCC Patches <gcc-patches at gcc dot gnu dot org>, Richard Biener <rguenther at suse dot de>
- Date: Fri, 19 May 2017 08:50:43 +0200
- Subject: [PATCH] Prevent extract_muldiv from introducing an overflow (PR sanitizer/80800)
- Authentication-results: sourceware.org; auth=none
- Authentication-results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
- Authentication-results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=polacek at redhat dot com
- Dkim-filter: OpenDKIM Filter v2.11.0 mx1.redhat.com F40E861B92
- Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com F40E861B92
extract_muldiv folds
(n * 10000 * z) * 50
to
(n * 500000) * z
which is a wrong transformation to do, because it may introduce an overflow.
This resulted in a ubsan false positive. So we should just disable this
folding altogether. Does the approach I took make sense?
Bootstrapped/regtested on x86_64-linux, ok for trunk?
2017-05-19 Marek Polacek <polacek@redhat.com>
PR sanitizer/80800
* fold-const.c (extract_muldiv_1): Don't fold ((X * C1) * Y) * C
to (X * C2) * Y.
* c-c++-common/ubsan/pr80800.c: New test.
* c-c++-common/Wduplicated-branches-1.c: Adjust an expression.
diff --git gcc/fold-const.c gcc/fold-const.c
index 19aa722..e525c2d 100644
--- gcc/fold-const.c
+++ gcc/fold-const.c
@@ -6260,6 +6260,17 @@ extract_muldiv_1 (tree t, tree c, enum tree_code code, tree wide_type,
break;
case MULT_EXPR:
+ /* ((X * C1) * Y) * C
+ cannot be reduced to
+ (X * C2) * Y (where C2 == C * C1)
+ because that can introduce an overflow. */
+ if (same_p
+ && op0 != NULL_TREE
+ && TREE_CODE (op0) == MULT_EXPR
+ && TREE_CODE (TREE_OPERAND (op0, 1)) == INTEGER_CST
+ && TYPE_OVERFLOW_UNDEFINED (TREE_TYPE (t)))
+ break;
+
/* We have a special case here if we are doing something like
(C * 8) % 4 since we know that's zero. */
if ((code == TRUNC_MOD_EXPR || code == CEIL_MOD_EXPR
diff --git gcc/testsuite/c-c++-common/Wduplicated-branches-1.c gcc/testsuite/c-c++-common/Wduplicated-branches-1.c
index c0b93fc..7c5062d 100644
--- gcc/testsuite/c-c++-common/Wduplicated-branches-1.c
+++ gcc/testsuite/c-c++-common/Wduplicated-branches-1.c
@@ -89,7 +89,7 @@ f (int i, int *p)
if (i == 8) /* { dg-warning "this condition has identical branches" } */
return i * 8 * i * 8;
else
- return 8 * i * 8 * i;
+ return i * 8 * i * 8;
if (i == 9) /* { dg-warning "this condition has identical branches" } */
diff --git gcc/testsuite/c-c++-common/ubsan/pr80800.c gcc/testsuite/c-c++-common/ubsan/pr80800.c
index e69de29..992c136 100644
--- gcc/testsuite/c-c++-common/ubsan/pr80800.c
+++ gcc/testsuite/c-c++-common/ubsan/pr80800.c
@@ -0,0 +1,25 @@
+/* PR sanitizer/80800 */
+/* { dg-do run } */
+/* { dg-options "-fsanitize=undefined -fsanitize-undefined-trap-on-error" } */
+
+int n = 20000;
+int z = 0;
+
+int
+fn1 (void)
+{
+ return (n * 10000 * z) * 50;
+}
+
+int
+fn2 (void)
+{
+ return (10000 * n * z) * 50;
+}
+
+int
+main ()
+{
+ fn1 ();
+ fn2 ();
+}
Marek