[Bug c/112112] New: Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[Bug c/112112] New: Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[22s302h0659 at sonline20 dot sen.go.kr]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

            Bug ID: 112112
           Summary: Improper Arithmetic Type Conversion in
                    s390x-linux-gnu-gcc
           Product: gcc
           Version: 11.4.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: 22s302h0659 at sonline20 dot sen.go.kr
  Target Milestone: ---

### Environment

- Compiler: s390x-linux-gnu-gcc (64bit)
- Version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
- Platform: Windows 11_5.15.90.1-microsoft-standard-WSL2
- Build Optimization Options: O0, O1, O2, O3

I installed the s390x-linux-gnu toolchain using the 'apt' package manager in
Ubuntu and utilized s390x-linux-gnu-gcc (version 11.4.0) from it.

### Summary

Using the legacy C code generator 'csmith' to generate test cases, I am
performing fuzzing on the GCC compiler for various architectures and
optimization options. I have discovered a bug specific to the s390x
architecture, and I will be reporting it.

### Source Code

I have prepared an 'binarys.zip' archive containing two versions of the bug PoC
code, along with '[c.sh](http://c.sh/)' for compiling them and
'[r.sh](http://r.sh/)' for running them

```bash
1 // bug_Poc1.c
2 #include <stdio.h>
3 char v1 = -1;
4 short v2 = 1;
5 int main()
6 {   
7     printf("bug = %d\n", v1 <= v2);
8     return 0;
9 }
```

```bash
// result
bug_O0 = 0
bug_O1 = 0
bug_O2 = 1
bug_O3 = 1
```

Line 7 yields a correct result of 1 for the normal comparison operation.
However, with the O0 and O1 optimization options, it returns 0. With O2 and O3,
it correctly returns 1. I conducted tests to confirm the possibility of this
bug occurring in cross-compilers for the same version but different
architectures, but it consistently output the correct value of 1.

```bash
1 // bug_Poc2.c
2 #include <stdio.h>
3 char v1 = -1;
4 short v2 = 1;
5 int main()
6 {   
7     printf("bug = %d\n", v1 >= v2);
8     return 0;
9 }
```

```bash
// result
bug_O0 = 1
bug_O1 = 1
bug_O2 = 0
bug_O3 = 0
```

On the 7th line, the normal comparison operation results in 0. However, with
the O0 and O1 optimization options, it returns 01. With O2 and O3, it correctly
returns 0. I conducted tests to confirm the possibility of this bug occurring
in cross-compilers for the same version but different architectures, but it
consistently output the correct value of 0.

### Coclusion

The commonality in the two bug code examples above appears to be the treatment
of -1 as unsigned rather than signed. My suspicion is that there might be an
issue with the integer arithmetic types or instructions on the s390x
architecture.

[Bug c/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[22s302h0659 at sonline20 dot sen.go.kr]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #1 from 김대영 <22s302h0659 at sonline20 dot sen.go.kr> ---
Created attachment 56320
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56320&action=edit
bug_Poc Codes.

[Bug c/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
One thing you should note (most likely not an issue here) is that plain char
can default to signed or unsigned depending on the arch/abi .

[Bug c/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
*** Bug 112111 has been marked as a duplicate of this bug. ***

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[22s302h0659 at sonline20 dot sen.go.kr]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #4 from 김대영 <22s302h0659 at sonline20 dot sen.go.kr> ---
From your perspective, do you think this could be a compiler bug? When tested
with various compiler options following the GCC bug reporting guidelines, the
binary compiles without any warnings, yet exhibits these behaviors

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[tkoenig at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

Thomas Koenig <tkoenig at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tkoenig at gcc dot gnu.org

--- Comment #5 from Thomas Koenig <tkoenig at gcc dot gnu.org> ---
(In reply to 김대영 from comment #4)
> From your perspective, do you think this could be a compiler bug? When
> tested with various compiler options following the GCC bug reporting
> guidelines, the binary compiles without any warnings, yet exhibits these
> behaviors

It definitely sounds wrong, there should be consistent results.

Just to make the effect of the signs clear: Could you maybe run the
program

$ cat a.c
#include <stdio.h>
SIGN char v1 = -1;
short v2 = 1;
int main()
{   
    printf("result for " OPT " \"" STR "\" = %d\n", v1 <= v2);
    return 0;
}

with the shell script

$ cat do_all.sh 
for s in signed unsigned ""
do
    for o in -O0 -O1 -O2 -O3
    do
        gcc $o -DOPT='"'$o'"' -DSTR='"'$s'"' -DSIGN=$s a.c && ./a.out
    done
done

and post the results?  For reference, on x86_64 (which has signed
chars) this gets

result for -O0 "signed" = 1
result for -O1 "signed" = 1
result for -O2 "signed" = 1
result for -O3 "signed" = 1
result for -O0 "unsigned" = 0
result for -O1 "unsigned" = 0
result for -O2 "unsigned" = 0
result for -O3 "unsigned" = 0
result for -O0 "" = 1
result for -O1 "" = 1
result for -O2 "" = 1
result for -O3 "" = 1

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[22s302h0659 at sonline20 dot sen.go.kr]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #6 from 김대영 <22s302h0659 at sonline20 dot sen.go.kr> ---
```
z3rodae0@z3rodae0:~$ ./sh.sh
result for -O0 "signed" = 1
result for -O1 "signed" = 1
result for -O2 "signed" = 1
result for -O3 "signed" = 1
result for -O0 "unsigned" = 0
result for -O1 "unsigned" = 0
result for -O2 "unsigned" = 0
result for -O3 "unsigned" = 0
result for -O0 "" = 1
result for -O1 "" = 1
result for -O2 "" = 1
result for -O3 "" = 1
```

That's correct. I ran your code and script in my environment, and it produced
the same results

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[tkoenig at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

Thomas Koenig <tkoenig at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-11-01
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |WAITING

--- Comment #7 from Thomas Koenig <tkoenig at gcc dot gnu.org> ---
(In reply to 김대영 from comment #6)
> ```
> z3rodae0@z3rodae0:~$ ./sh.sh
> result for -O0 "signed" = 1
> result for -O1 "signed" = 1
> result for -O2 "signed" = 1
> result for -O3 "signed" = 1
> result for -O0 "unsigned" = 0
> result for -O1 "unsigned" = 0
> result for -O2 "unsigned" = 0
> result for -O3 "unsigned" = 0
> result for -O0 "" = 1
> result for -O1 "" = 1
> result for -O2 "" = 1
> result for -O3 "" = 1
> ```
> 
> That's correct. I ran your code and script in my environment, and it
> produced the same results

That is weird.

I don't see a meaningful difference between the version without signed or
unsigned and your program, and you get inconsistent results with your
original program and consistent results with the other one.

Or am I missing something?

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[22s302h0659 at sonline20 dot sen.go.kr]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #8 from 김대영 <22s302h0659 at sonline20 dot sen.go.kr> ---
I'm sorry, I also didn't fully understand these bugs, my friend.

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[22s302h0659 at sonline20 dot sen.go.kr]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

--- Comment #9 from 김대영 <22s302h0659 at sonline20 dot sen.go.kr> ---
```
#include <stdio.h>
#define M_1      0xad5d6da      /* 1010110101011101011011011010 */
char g_1 = -1;
short g_2 = -1;

char v1 = -1;
short v2 = 1;

int main(){
        char l_1 = -1;
        short l_2 = -1;
        printf("char g_1   = %d\n", g_1);
        printf("char l_1   = %d\n", l_1);
        printf("(char)M_1  = %d\n\n\n", (char)M_1);

        printf("short g_2  = %d\n", g_2);
        printf("short l_2  = %d\n", l_2);
        printf("(short)M_1 = %d\n\n\n", (short)M_1);


        printf("(char)-1 <= (short)1 = %s \n\n", (char)-1 <= (short)1 ? "True"
: "False");

        printf("char v1    = %d\n", v1);
        printf("short  v2  = %d\n\n", v2);

        printf("v1 <= v2             = %s \n", v1 <= v2 ? "True" : "False");


        return 0;
}
```
I have been continuously investigating bugs recently. The above code proves
that it cannot reliably handle 'char' type as signed. Additionally, testing in
the s390x native environment with GCC versions 9, 11.4.0, and 12 consistently
revealed the same bug.

```
root@a92c2f395400:~# gcc -o test test.c -O0
root@a92c2f395400:~# ./test
char g_1   = 255
char l_1   = 255
(char)M_1  = 218


short g_2  = -1
short l_2  = -1
(short)M_1 = -10534


(char)-1 <= (short)1 = False

char v1    = 255
short  v2  = 1

v1 <= v2             = False
root@a92c2f395400:~# gcc -o test test.c -O2
root@a92c2f395400:~# ./test
char g_1   = 255
char l_1   = 255
(char)M_1  = 218


short g_2  = -1
short l_2  = -1
(short)M_1 = -10534


(char)-1 <= (short)1 = False

char v1    = 255
short  v2  = 1

v1 <= v2             = True
```

[Bug target/112112] Improper Arithmetic Type Conversion in s390x-linux-gnu-gcc

[xry111 at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112112

Xi Ruoyao <xry111 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xry111 at gcc dot gnu.org
             Status|WAITING                     |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #10 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
Dup of a QEMU bug.

*** This bug has been marked as a duplicate of bug 112986 ***