[PATCH] Fix UBSAN errors in dse.c (PR rtl-optimization/82044).

Jakub Jelinek jakub@redhat.com
Wed Sep 20 08:15:00 GMT 2017


On Wed, Sep 20, 2017 at 09:50:32AM +0200, Martin Liška wrote:
> Hello.
> 
> Following patch handles UBSAN (overflow) in dce.c.

dse.c ;)

> --- a/gcc/dse.c
> +++ b/gcc/dse.c
> @@ -929,7 +929,9 @@ set_usage_bits (group_info *group, HOST_WIDE_INT offset, HOST_WIDE_INT width,
>  {
>    HOST_WIDE_INT i;
>    bool expr_escapes = can_escape (expr);
> -  if (offset > -MAX_OFFSET && offset + width < MAX_OFFSET)
> +  if (offset > -MAX_OFFSET
> +      && offset < MAX_OFFSET
> +      && offset + width < MAX_OFFSET)

This can still overflow if width is close to HOST_WIDE_INT_MAX.
Anyway, I don't remember this code too much, but wonder if either offset or
width or their sum is outside of the -MAX_OFFSET, MAX_OFFSET range if we
still don't want to record usage bits at least in the intersection of
-MAX_OFFSET, MAX_OFFSET and offset, offset + width (the latter performed
with infinite precision; though, if record_store is changed as suggested
below, offset + width shouldn't overflow).

>      for (i=offset; i<offset+width; i++)
>        {
>  	bitmap store1;
> @@ -1536,7 +1538,11 @@ record_store (rtx body, bb_info_t bb_info)
>      }
>    store_info->group_id = group_id;
>    store_info->begin = offset;
> -  store_info->end = offset + width;
> +  if (offset > HOST_WIDE_INT_MAX - width)
> +    store_info->end = HOST_WIDE_INT_MAX;
> +  else
> +    store_info->end = offset + width;

If offset + width overflows, I think we risk wrong-code by doing this, plus
there are 3 other offset + width computations earlier in record_store
before we reach this.  I think instead we should treat such cases as wild
stores early, i.e.:
   if (!canon_address (mem, &group_id, &offset, &base))
     {
       clear_rhs_from_active_local_stores ();
       return 0;
     }
 
   if (GET_MODE (mem) == BLKmode)
     width = MEM_SIZE (mem);
   else
     width = GET_MODE_SIZE (GET_MODE (mem));

+  if (offset > HOST_WIDE_INT_MAX - width)
+    {
+      clear_rhs_from_active_local_stores ();
+      return 0;
+    }

or so.

> +
>    store_info->is_set = GET_CODE (body) == SET;
>    store_info->rhs = rhs;
>    store_info->const_rhs = const_rhs;
> @@ -1976,6 +1982,14 @@ check_mem_read_rtx (rtx *loc, bb_info_t bb_info)
>        return;
>      }
>  
> +  if (offset > MAX_OFFSET)
> +    {
> +      if (dump_file && (dump_flags & TDF_DETAILS))
> +	fprintf (dump_file, " reaches MAX_OFFSET.\n");
> +      add_wild_read (bb_info);
> +      return;
> +    }
> +

Is offset > MAX_OFFSET really problematic (and not just the width != -1 &&
offset + width overflowing case)?

>    if (GET_MODE (mem) == BLKmode)
>      width = -1;
>    else
> 


	Jakub



More information about the Gcc-patches mailing list