From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 54547 invoked by alias); 2 Nov 2017 13:15:45 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Received: (qmail 54532 invoked by uid 89); 2 Nov 2017 13:15:45 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-11.9 required=5.0 tests=BAYES_00,GIT_PATCH_2,GIT_PATCH_3,SPF_PASS autolearn=ham version=3.3.2 spammy=intersection, 9297, risk, sum X-HELO: mx2.suse.de Received: from mx2.suse.de (HELO mx2.suse.de) (195.135.220.15) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 02 Nov 2017 13:15:44 +0000 Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id B993FABF6; Thu, 2 Nov 2017 13:15:41 +0000 (UTC) Subject: Re: [PATCH] Fix UBSAN errors in dse.c (PR rtl-optimization/82044). From: =?UTF-8?Q?Martin_Li=c5=a1ka?= To: Jakub Jelinek Cc: gcc-patches@gcc.gnu.org References: <20170920081519.GU1701@tucnak> Message-ID: <7cff6742-bd7a-5ea2-80fb-aca74610f591@suse.cz> Date: Thu, 02 Nov 2017 13:15:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-IsSubscribed: yes X-SW-Source: 2017-11/txt/msg00090.txt.bz2 PING^1 On 10/19/2017 01:36 PM, Martin Liška wrote: > On 09/20/2017 10:15 AM, Jakub Jelinek wrote: >> On Wed, Sep 20, 2017 at 09:50:32AM +0200, Martin Liška wrote: >>> Hello. >>> >>> Following patch handles UBSAN (overflow) in dce.c. >> >> dse.c ;) >> >>> --- a/gcc/dse.c >>> +++ b/gcc/dse.c >>> @@ -929,7 +929,9 @@ set_usage_bits (group_info *group, HOST_WIDE_INT offset, HOST_WIDE_INT width, >>> { >>> HOST_WIDE_INT i; >>> bool expr_escapes = can_escape (expr); >>> - if (offset > -MAX_OFFSET && offset + width < MAX_OFFSET) >>> + if (offset > -MAX_OFFSET >>> + && offset < MAX_OFFSET >>> + && offset + width < MAX_OFFSET) >> >> This can still overflow if width is close to HOST_WIDE_INT_MAX. >> Anyway, I don't remember this code too much, but wonder if either offset or >> width or their sum is outside of the -MAX_OFFSET, MAX_OFFSET range if we >> still don't want to record usage bits at least in the intersection of >> -MAX_OFFSET, MAX_OFFSET and offset, offset + width (the latter performed >> with infinite precision; though, if record_store is changed as suggested >> below, offset + width shouldn't overflow). >> >>> for (i=offset; i>> { >>> bitmap store1; >>> @@ -1536,7 +1538,11 @@ record_store (rtx body, bb_info_t bb_info) >>> } >>> store_info->group_id = group_id; >>> store_info->begin = offset; >>> - store_info->end = offset + width; >>> + if (offset > HOST_WIDE_INT_MAX - width) >>> + store_info->end = HOST_WIDE_INT_MAX; >>> + else >>> + store_info->end = offset + width; >> >> If offset + width overflows, I think we risk wrong-code by doing this, plus >> there are 3 other offset + width computations earlier in record_store >> before we reach this. I think instead we should treat such cases as wild >> stores early, i.e.: >> if (!canon_address (mem, &group_id, &offset, &base)) >> { >> clear_rhs_from_active_local_stores (); >> return 0; >> } >> >> if (GET_MODE (mem) == BLKmode) >> width = MEM_SIZE (mem); >> else >> width = GET_MODE_SIZE (GET_MODE (mem)); >> >> + if (offset > HOST_WIDE_INT_MAX - width) >> + { >> + clear_rhs_from_active_local_stores (); >> + return 0; >> + } >> >> or so. >> >>> + >>> store_info->is_set = GET_CODE (body) == SET; >>> store_info->rhs = rhs; >>> store_info->const_rhs = const_rhs; >>> @@ -1976,6 +1982,14 @@ check_mem_read_rtx (rtx *loc, bb_info_t bb_info) >>> return; >>> } >>> >>> + if (offset > MAX_OFFSET) >>> + { >>> + if (dump_file && (dump_flags & TDF_DETAILS)) >>> + fprintf (dump_file, " reaches MAX_OFFSET.\n"); >>> + add_wild_read (bb_info); >>> + return; >>> + } >>> + > > Hi. > > The later one works for me. I'm going to regtest that. > > Ready after it survives regression tests? > > Thanks, > Martin > >> >> Is offset > MAX_OFFSET really problematic (and not just the width != -1 && >> offset + width overflowing case)? >> >>> if (GET_MODE (mem) == BLKmode) >>> width = -1; >>> else >>> >> >> >> Jakub >> >