public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed
From: Marek Polacek <polacek@redhat.com>
To: Richard Biener <rguenther@suse.de>
Cc: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] Prevent extract_muldiv from introducing an overflow (PR sanitizer/80800)
Date: Fri, 19 May 2017 10:43:00 -0000	[thread overview]
Message-ID: <20170519103754.GA3335@redhat.com> (raw)
In-Reply-To: <alpine.LSU.2.20.1705190955370.20726@zhemvz.fhfr.qr>

On Fri, May 19, 2017 at 09:58:45AM +0200, Richard Biener wrote:
> On Fri, 19 May 2017, Marek Polacek wrote:
> 
> > extract_muldiv folds 
> > 
> >   (n * 10000 * z) * 50
> > 
> > to
> > 
> >   (n * 500000) * z
> > 
> > which is a wrong transformation to do, because it may introduce an overflow.
> > This resulted in a ubsan false positive.  So we should just disable this
> > folding altogether.  Does the approach I took make sense?
> > 
> > Bootstrapped/regtested on x86_64-linux, ok for trunk?
> 
> Didn't dig very far to identify extract_muldiv, but I guess it's either
> of the following recursions that trigger?
> 
>       /* If we can extract our operation from the LHS, do so and return a
>          new operation.  Likewise for the RHS from a MULT_EXPR.  
> Otherwise,
>          do something only if the second operand is a constant.  */
>       if (same_p
>           && (t1 = extract_muldiv (op0, c, code, wide_type,
>                                    strict_overflow_p)) != 0)
>         return fold_build2 (tcode, ctype, fold_convert (ctype, t1),
>                             fold_convert (ctype, op1));
>       else if (tcode == MULT_EXPR && code == MULT_EXPR
>                && (t1 = extract_muldiv (op1, c, code, wide_type,
>                                         strict_overflow_p)) != 0)
>         return fold_build2 (tcode, ctype, fold_convert (ctype, op0),
>                             fold_convert (ctype, t1));

Exactly.  extract_muldiv first gets (n * 10000 * z) * 50 so it tries
to fold 50 with (subexpressions) of (n * 10000 * z).  So it then tries
(n * 10000) * 50, and then n * 50 and then 10000 * 50 which finally
works out, so it uses 50000 and removes the outermost multiplication.

> thus I'd simply guard them with TYPE_OVERFLOW_WRAPS ().

That works, too.  I was afraid it'd disable too much folding.

> In the end I think the whole extract_muldiv mess should be truncated
> down to what its name suggest - identifying and removing mul-div
> cancellations.

Would be nice.  I had trouble wrapping my head around it.

> It's for example not clear whether the recursion above assumes
> TYPE_OVERFLOW_UNDEFINED (it passes a wide_type .. widening is only
> ok if there's no overflow).

Bootstrapped/regtested on x86_64-linux, ok for trunk?

2017-05-19  Marek Polacek  <polacek@redhat.com>

	PR sanitizer/80800
	* fold-const.c (extract_muldiv_1) <case TRUNC_DIV_EXPR>: Add
	TYPE_OVERFLOW_WRAPS checks.

	* c-c++-common/ubsan/pr80800.c: New test.
	* c-c++-common/Wduplicated-branches-1.c: Adjust an expression.


diff --git gcc/fold-const.c gcc/fold-const.c
index 19aa722..736552c 100644
--- gcc/fold-const.c
+++ gcc/fold-const.c
@@ -6281,11 +6281,13 @@ extract_muldiv_1 (tree t, tree c, enum tree_code code, tree wide_type,
 	 new operation.  Likewise for the RHS from a MULT_EXPR.  Otherwise,
 	 do something only if the second operand is a constant.  */
       if (same_p
+	  && TYPE_OVERFLOW_WRAPS (ctype)
 	  && (t1 = extract_muldiv (op0, c, code, wide_type,
 				   strict_overflow_p)) != 0)
 	return fold_build2 (tcode, ctype, fold_convert (ctype, t1),
 			    fold_convert (ctype, op1));
       else if (tcode == MULT_EXPR && code == MULT_EXPR
+	       && TYPE_OVERFLOW_WRAPS (ctype)
 	       && (t1 = extract_muldiv (op1, c, code, wide_type,
 					strict_overflow_p)) != 0)
 	return fold_build2 (tcode, ctype, fold_convert (ctype, op0),
diff --git gcc/testsuite/c-c++-common/Wduplicated-branches-1.c gcc/testsuite/c-c++-common/Wduplicated-branches-1.c
index c0b93fc..7c5062d 100644
--- gcc/testsuite/c-c++-common/Wduplicated-branches-1.c
+++ gcc/testsuite/c-c++-common/Wduplicated-branches-1.c
@@ -89,7 +89,7 @@ f (int i, int *p)
   if (i == 8) /* { dg-warning "this condition has identical branches" } */
     return i * 8 * i * 8;
   else
-    return 8 * i * 8 * i;
+    return i * 8 * i * 8;
 
 
   if (i == 9) /* { dg-warning "this condition has identical branches" } */
diff --git gcc/testsuite/c-c++-common/ubsan/pr80800.c gcc/testsuite/c-c++-common/ubsan/pr80800.c
index e69de29..992c136 100644
--- gcc/testsuite/c-c++-common/ubsan/pr80800.c
+++ gcc/testsuite/c-c++-common/ubsan/pr80800.c
@@ -0,0 +1,25 @@
+/* PR sanitizer/80800 */
+/* { dg-do run } */
+/* { dg-options "-fsanitize=undefined -fsanitize-undefined-trap-on-error" } */
+
+int n = 20000;
+int z = 0;
+
+int
+fn1 (void)
+{
+  return (n * 10000 * z) * 50;
+}
+
+int
+fn2 (void)
+{
+  return (10000 * n * z) * 50;
+}
+
+int
+main ()
+{
+  fn1 ();
+  fn2 ();
+}

	Marek

  reply	other threads:[~2017-05-19 10:38 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-19  7:21 Marek Polacek
2017-05-19  8:21 ` Richard Biener
2017-05-19 10:43   ` Marek Polacek [this message]
2017-05-19 10:57     ` Richard Biener
2017-05-19 10:59       ` Alexander Monakov
2017-05-19 15:36         ` Marek Polacek
2017-05-19 15:51           ` Alexander Monakov
2017-05-19 16:18             ` Richard Biener
2017-05-19 18:45             ` Joseph Myers
2017-05-19 20:06               ` Alexander Monakov
2017-05-24  8:11                 ` Richard Biener

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170519103754.GA3335@redhat.com \
    --to=polacek@redhat.com \
    --cc=gcc-patches@gcc.gnu.org \
    --cc=rguenther@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).