[Bug target/100236] New: arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[Bug target/100236] New: arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[acoplan at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

            Bug ID: 100236
           Summary: arm: UB in arm_compute_save_core_reg_mask (shift
                    exponent 4294967295 is too large for 32-bit type
                    'int')
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: acoplan at gcc dot gnu.org
  Target Milestone: ---

$ cat test.c
void a() {
  void b() {}
  b();
}
$ ./arm-eabi-gcc -c -fpic test.c
/data_sdb/toolchain/src/gcc/gcc/config/arm/arm.c:21008:27: runtime error: shift
exponent 4294967295 is too large for 32-bit type 'int'
    #0 0x2a07eee in arm_compute_save_core_reg_mask
/data_sdb/toolchain/src/gcc/gcc/config/arm/arm.c:21008
    #1 0x2a07eee in arm_compute_frame_layout
/data_sdb/toolchain/src/gcc/gcc/config/arm/arm.c:22629
    #2 0x1a9b56e in set_initial_elim_offsets
/data_sdb/toolchain/src/gcc/gcc/reload1.c:3766
    #3 0x1abe973 in calculate_elim_costs_all_insns()
/data_sdb/toolchain/src/gcc/gcc/reload1.c:1559
    #4 0x158e870 in ira_costs()
/data_sdb/toolchain/src/gcc/gcc/ira-costs.c:2296
    #5 0x157369e in ira_build()
/data_sdb/toolchain/src/gcc/gcc/ira-build.c:3426
    #6 0x155714d in ira /data_sdb/toolchain/src/gcc/gcc/ira.c:5655
    #7 0x155714d in execute /data_sdb/toolchain/src/gcc/gcc/ira.c:5978
    #8 0x192438e in execute_one_pass(opt_pass*)
/data_sdb/toolchain/src/gcc/gcc/passes.c:2567
    #9 0x1926e3a in execute_pass_list_1
/data_sdb/toolchain/src/gcc/gcc/passes.c:2656
    #10 0x1926df8 in execute_pass_list_1
/data_sdb/toolchain/src/gcc/gcc/passes.c:2657
    #11 0x1926e95 in execute_pass_list(function*, opt_pass*)
/data_sdb/toolchain/src/gcc/gcc/passes.c:2667
    #12 0xc22f30 in cgraph_node::expand()
/data_sdb/toolchain/src/gcc/gcc/cgraphunit.c:1830
    #13 0xc23e50 in cgraph_order_sort::process()
/data_sdb/toolchain/src/gcc/gcc/cgraphunit.c:2069
    #14 0xc2979a in output_in_order
/data_sdb/toolchain/src/gcc/gcc/cgraphunit.c:2137
    #15 0xc2979a in symbol_table::compile()
/data_sdb/toolchain/src/gcc/gcc/cgraphunit.c:2355
    #16 0xc3433a in symbol_table::finalize_compilation_unit()
/data_sdb/toolchain/src/gcc/gcc/cgraphunit.c:2539
    #17 0x1cc8e7f in compile_file /data_sdb/toolchain/src/gcc/gcc/toplev.c:482
    #18 0x1ccf7bf in do_compile /data_sdb/toolchain/src/gcc/gcc/toplev.c:2201
    #19 0x1ccf7bf in toplev::main(int, char**)
/data_sdb/toolchain/src/gcc/gcc/toplev.c:2340
    #20 0x432625c in main /data_sdb/toolchain/src/gcc/gcc/main.c:39
    #21 0x7ffff6740bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #22 0x645e69 in _start
(/data_sdb/toolchain/build-arm-eabi-armv8.1-m.main+mve/install/libexec/gcc/arm-eabi/11.0.1/cc1+0x645e69)

[Bug target/100236] arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[acoplan at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

--- Comment #1 from Alex Coplan <acoplan at gcc dot gnu.org> ---
GCC compiled with UBSan here. I should have mentioned it needs
-march=armv8.1-m.main.

[Bug target/100236] arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[rearnsha at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

Richard Earnshaw <rearnsha at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-04-26
             Status|UNCONFIRMED                 |NEW

--- Comment #2 from Richard Earnshaw <rearnsha at gcc dot gnu.org> ---
Confirmed.  The macro THUMB2_WORK_REGS expands to

(0xff & ~(  (1 << THUMB_HARD_FRAME_POINTER_REGNUM) \
                                   | (1 << SP_REGNUM) | (1 << PC_REGNUM) \
                                   | (1 << PIC_OFFSET_TABLE_REGNUM)))

But PIC_OFFSET_TABLE_REGNUM in turn expands to

arm_pic_register

which may be INVALID_REGNUM (~0) in some circumstances.

[Bug target/100236] arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Earnshaw <rearnsha@gcc.gnu.org>:

https://gcc.gnu.org/g:01d0bda8bdf3cd804e1e00915d432ad0cdc49399

commit r12-148-g01d0bda8bdf3cd804e1e00915d432ad0cdc49399
Author: Richard Earnshaw <rearnsha@arm.com>
Date:   Tue Apr 27 12:25:30 2021 +0100

    arm: fix UB when compiling thumb2 with PIC [PR100236]

    arm_compute_save_core_reg_mask contains UB in that the saved PIC
    register number is used to create a bit mask. However, for some target
    options this register is undefined and we end up with a shift of ~0.

    On native compilations this is benign since the shift will still be
    large enough to move the bit outside of the range of the mask, but if
    cross compiling from a system that truncates out-of-range shifts to
    zero (or worse, raises a trap for such values) we'll get potentially
    wrong code (or a fault).

    gcc:
            PR target/100236
            * config/arm/arm.c (THUMB2_WORK_REGS): Check
PIC_OFFSET_TABLE_REGNUM
            is valid before including it in the mask.

[Bug target/100236] arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[rearnsha at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

--- Comment #4 from Richard Earnshaw <rearnsha at gcc dot gnu.org> ---
Fixed on master so far.

[Bug target/100236] arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-11 branch has been updated by Richard Earnshaw
<rearnsha@gcc.gnu.org>:

https://gcc.gnu.org/g:100cc845cda3843e87f152f845b11b70fee3d7bc

commit r11-8315-g100cc845cda3843e87f152f845b11b70fee3d7bc
Author: Richard Earnshaw <rearnsha@arm.com>
Date:   Tue Apr 27 12:25:30 2021 +0100

    arm: fix UB when compiling thumb2 with PIC [PR100236]

    arm_compute_save_core_reg_mask contains UB in that the saved PIC
    register number is used to create a bit mask. However, for some target
    options this register is undefined and we end up with a shift of ~0.

    On native compilations this is benign since the shift will still be
    large enough to move the bit outside of the range of the mask, but if
    cross compiling from a system that truncates out-of-range shifts to
    zero (or worse, raises a trap for such values) we'll get potentially
    wrong code (or a fault).

    gcc:
            PR target/100236
            * config/arm/arm.c (THUMB2_WORK_REGS): Check
PIC_OFFSET_TABLE_REGNUM
            is valid before including it in the mask.
    (cherry picked from commit 01d0bda8bdf3cd804e1e00915d432ad0cdc49399)

[Bug target/100236] arm: UB in arm_compute_save_core_reg_mask (shift exponent 4294967295 is too large for 32-bit type 'int')

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100236

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED