Fix possible overflow in ipa-fnsummary

Martin Jambor mjambor@suse.cz
Wed Oct 14 14:04:43 GMT 2020 

Hi,

On Wed, Oct 14 2020, Jan Hubicka wrote:
> Hi,
> while looking into jump functions I noticed that offset_map in
> ipa-fnsummary is array of integers while everywhere else the offsets are
> HOST_WIDE_INTs (for good reason since the offsets are pointer
> adjustments moreover multplied by UNIT_SIZE)
>
> Bootstrapped/regtested x86_64-linux, will commit it shortly.
>
> gcc/ChangeLog:
>
> 2020-10-14  Jan Hubicka  <hubicka@ucw.cz>
>
> 	* ipa-fnsummary.c (remap_edge_summaries): Make offset_map HOST_WIDE_INT.
> 	(remap_freqcounting_predicate): Likewise.
> 	(ipa_merge_fn_summary_after_inlining): Likewise.
> 	* ipa-predicate.c (predicate::remap_after_inlining): Likewise
> 	* ipa-predicate.h (remap_after_inlining): Update.
>
>
> diff --git a/gcc/ipa-fnsummary.c b/gcc/ipa-fnsummary.c
> index 771f432ebec..9e3eda4d3cb 100644
> --- a/gcc/ipa-fnsummary.c
> +++ b/gcc/ipa-fnsummary.c
> @@ -3896,7 +3896,7 @@ remap_edge_summaries (struct cgraph_edge *inlined_edge,
>  		      class ipa_node_params *params_summary,
>  		      class ipa_fn_summary *callee_info,
>  		      vec<int> operand_map,
> -		      vec<int> offset_map,
> +		      vec<HOST_WIDE_INT> offset_map,
>  		      clause_t possible_truths,
>  		      predicate *toplev_predicate)
>  {
> @@ -3957,7 +3957,7 @@ remap_freqcounting_predicate (class ipa_fn_summary *info,
>  			      class ipa_fn_summary *callee_info,
>  			      vec<ipa_freqcounting_predicate, va_gc> *v,
>  			      vec<int> operand_map,
> -			      vec<int> offset_map,
> +			      vec<HOST_WIDE_INT> offset_map,
>  			      clause_t possible_truths,
>  			      predicate *toplev_predicate)
>  
> @@ -3987,7 +3987,7 @@ ipa_merge_fn_summary_after_inlining (struct cgraph_edge *edge)
>    clause_t clause = 0;	/* not_inline is known to be false.  */
>    size_time_entry *e;
>    auto_vec<int, 8> operand_map;
> -  auto_vec<int, 8> offset_map;
> +  auto_vec<HOST_WIDE_INT, 8> offset_map;


if you want to do this, I suppose you also want to remove the INT_MAX
check from:

	      if (offset >= 0 && offset < INT_MAX)
		{
		  map = ipa_get_jf_ancestor_formal_id (jfunc);
		  if (!ipa_get_jf_ancestor_agg_preserved (jfunc))
		    offset = -1;
		  offset_map[i] = offset;
		}

further down in this function.  

Martin

More information about the Gcc-patches mailing list