Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
From: "Bin Cheng"
To:
Subject: [PATCH PR67921]Use sizetype for CHREC_RIGHT when building pointer type CHREC
Date: Wed, 21 Oct 2015 04:58:00 -0000
Message-ID: <000001d10bbb$765ef6e0$631ce4a0$@arm.com>

Hi,
As analyzed in PR67921, I think the issue is caused by fold_binary_loc, which folds:
  4 - (sizetype) &c - (sizetype) ((int *) p1_8(D) + ((sizetype) a_23 * 24 + 4))
into the form below:
  ((sizetype) -((int *) p1_8(D) + ((sizetype) a_23 * 24 + 4)) - (sizetype) &c) + 4

Look, the minus sizetype expression is folded as a negative pointer expression, which seems incorrect. Apart from this, the direct reason for this ICE is in CHREC because of an oversight. In general CHREC supports NEGATE_EXPR for CHREC; the only problem is that it uses pointer type for CHREC_RIGHT, rather than sizetype, when building a pointer type CHREC.

This simple patch fixes the ICE issue. Bootstrapped and tested on x86 & x86_64. Is it OK?

Note, I do think the associate logic in fold_binary_loc needs a fix, but that should be another patch.

2015-10-20 Bin Cheng
	PR tree-optimization/67921
	* tree-chrec.c (chrec_fold_multiply): Use sizetype for CHREC_RIGHT if type is pointer type.

2015-10-20 Bin Cheng
	PR tree-optimization/67921
	* gcc.dg/ubsan/pr67921.c: New test.

diff --git a/gcc/tree-chrec.c b/gcc/tree-chrec.c index 649c9fe..ef7b70b 100644 --- a/gcc/tree-chrec.c +++ b/gcc/tree-chrec.c
@@ -436,7 +436,8 @@ chrec_fold_multiply (tree type, return build_polynomial_chrec (CHREC_VARIABLE (op0), chrec_fold_multiply (type, CHREC_LEFT (op0), op1), - chrec_fold_multiply (type, CHREC_RIGHT (op0), op1)); + chrec_fold_multiply (POINTER_TYPE_P (type) ? sizetype : type, + CHREC_RIGHT (op0), op1)); } =20 CASE_CONVERT: @@ -459,7 +460,8 @@ chrec_fold_multiply (tree type, return build_polynomial_chrec (CHREC_VARIABLE (op1), chrec_fold_multiply (type, CHREC_LEFT (op1), op0), - chrec_fold_multiply (type, CHREC_RIGHT (op1), op0)); + chrec_fold_multiply (POINTER_TYPE_P (type) ? sizetype : type, + CHREC_RIGHT (op1), op0)); =20 CASE_CONVERT: if (tree_contains_chrecs (op1, NULL)) diff --git a/gcc/testsuite/gcc.dg/ubsan/pr67921.c b/gcc/testsuite/gcc.dg/ub= san/pr67921.c new file mode 100644 index 0000000..5e7d707 --- /dev/null +++ b/gcc/testsuite/gcc.dg/ubsan/pr67921.c @@ -0,0 +1,22 @@ +/* { dg-do compile } */ +/* { dg-options "-fsanitize=3Dundefined" } */ + +typedef struct { + int a; + int arr[][6]; +}st; + +void bar (int); +void foo (st *p) +{ + int a; + for (; a < 2; a++) + for (; p->a;) + { + int *b =3D p->arr[a]; + int c[66]; + int j =3D 0; + for (; j < 56; j++) + bar (b[j] - c[j]); + } +} ------=_NextPart_000_0001_01D10BFE.84859240--
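Review bot: In the first tree-chrec.c hunk (@@ -436), the recursive call for CHREC_RIGHT (op0) is now asked to fold in sizetype but still receives op1 unchanged, so for a pointer `type` it is not clear from these lines that the multiplier has the type the call folds in. Consider converting op1 to the step type before the call, or asserting that it already has it, and add a one-line comment at the call site saying that the step of a pointer-typed CHREC is kept in sizetype, so the reason for the ternary is visible without reading the PR.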
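Review bot: The second tree-chrec.c hunk (@@ -459) repeats the expression `POINTER_TYPE_P (type) ? sizetype : type` from the hunk above it. Compute it once in a local near the top of chrec_fold_multiply and use that local at both CHREC_RIGHT call sites, so a later change to the step-type rule cannot update the op0 case and miss the op1 case.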
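Review bot: In the new test gcc.dg/ubsan/pr67921.c, `int a;` is read by `for (; a < 2; a++)` without being initialized, and `c[j]` is read from an array that is never written. That is harmless for a `dg-do compile` test, but it reads like a mistake in the test itself. Add a leading comment naming PR tree-optimization/67921 and stating that the test only checks that compiling with -fsanitize=undefined does not ICE, or initialize `a` if the ICE still reproduces with that change.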