From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 27309 invoked by alias); 8 Nov 2017 16:31:13 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Received: (qmail 27300 invoked by uid 89); 8 Nov 2017 16:31:12 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-11.9 required=5.0 tests=BAYES_00,GIT_PATCH_2,GIT_PATCH_3,RP_MATCHES_RCVD,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=H*M:1990, risk, sum X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 08 Nov 2017 16:31:06 +0000 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7DD99C04AC53; Wed, 8 Nov 2017 16:31:05 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-12.rdu2.redhat.com [10.10.112.12]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0C33E5FFE3; Wed, 8 Nov 2017 16:31:03 +0000 (UTC) Subject: Re: [PATCH] Fix UBSAN errors in dse.c (PR rtl-optimization/82044). To: =?UTF-8?Q?Martin_Li=c5=a1ka?= , Jakub Jelinek Cc: gcc-patches@gcc.gnu.org References: <20170920081519.GU1701@tucnak> <7cff6742-bd7a-5ea2-80fb-aca74610f591@suse.cz> From: Jeff Law Message-ID: <7e976ae2-4aab-9abd-1990-94b9804db8f9@redhat.com> Date: Wed, 08 Nov 2017 16:42:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <7cff6742-bd7a-5ea2-80fb-aca74610f591@suse.cz> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-IsSubscribed: yes X-SW-Source: 2017-11/txt/msg00615.txt.bz2 On 11/02/2017 07:15 AM, Martin Liška wrote: > PING^1 I don't see an updated patch in this thread? THe last message I see is this one where you indicate you're going to tweak the patch and re-test. Jeff > > On 10/19/2017 01:36 PM, Martin Liška wrote: >> On 09/20/2017 10:15 AM, Jakub Jelinek wrote: >>> On Wed, Sep 20, 2017 at 09:50:32AM +0200, Martin Liška wrote: >>>> Hello. >>>> >>>> Following patch handles UBSAN (overflow) in dce.c. >>> >>> dse.c ;) >>> >>>> --- a/gcc/dse.c >>>> +++ b/gcc/dse.c >>>> @@ -929,7 +929,9 @@ set_usage_bits (group_info *group, HOST_WIDE_INT offset, HOST_WIDE_INT width, >>>> { >>>> HOST_WIDE_INT i; >>>> bool expr_escapes = can_escape (expr); >>>> - if (offset > -MAX_OFFSET && offset + width < MAX_OFFSET) >>>> + if (offset > -MAX_OFFSET >>>> + && offset < MAX_OFFSET >>>> + && offset + width < MAX_OFFSET) >>> >>> This can still overflow if width is close to HOST_WIDE_INT_MAX. >>> Anyway, I don't remember this code too much, but wonder if either offset or >>> width or their sum is outside of the -MAX_OFFSET, MAX_OFFSET range if we >>> still don't want to record usage bits at least in the intersection of >>> -MAX_OFFSET, MAX_OFFSET and offset, offset + width (the latter performed >>> with infinite precision; though, if record_store is changed as suggested >>> below, offset + width shouldn't overflow). >>> >>>> for (i=offset; i>>> { >>>> bitmap store1; >>>> @@ -1536,7 +1538,11 @@ record_store (rtx body, bb_info_t bb_info) >>>> } >>>> store_info->group_id = group_id; >>>> store_info->begin = offset; >>>> - store_info->end = offset + width; >>>> + if (offset > HOST_WIDE_INT_MAX - width) >>>> + store_info->end = HOST_WIDE_INT_MAX; >>>> + else >>>> + store_info->end = offset + width; >>> >>> If offset + width overflows, I think we risk wrong-code by doing this, plus >>> there are 3 other offset + width computations earlier in record_store >>> before we reach this. I think instead we should treat such cases as wild >>> stores early, i.e.: >>> if (!canon_address (mem, &group_id, &offset, &base)) >>> { >>> clear_rhs_from_active_local_stores (); >>> return 0; >>> } >>> >>> if (GET_MODE (mem) == BLKmode) >>> width = MEM_SIZE (mem); >>> else >>> width = GET_MODE_SIZE (GET_MODE (mem)); >>> >>> + if (offset > HOST_WIDE_INT_MAX - width) >>> + { >>> + clear_rhs_from_active_local_stores (); >>> + return 0; >>> + } >>> >>> or so. >>> >>>> + >>>> store_info->is_set = GET_CODE (body) == SET; >>>> store_info->rhs = rhs; >>>> store_info->const_rhs = const_rhs; >>>> @@ -1976,6 +1982,14 @@ check_mem_read_rtx (rtx *loc, bb_info_t bb_info) >>>> return; >>>> } >>>> >>>> + if (offset > MAX_OFFSET) >>>> + { >>>> + if (dump_file && (dump_flags & TDF_DETAILS)) >>>> + fprintf (dump_file, " reaches MAX_OFFSET.\n"); >>>> + add_wild_read (bb_info); >>>> + return; >>>> + } >>>> + >> >> Hi. >> >> The later one works for me. I'm going to regtest that. >> >> Ready after it survives regression tests? >> >> Thanks, >> Martin >> >>> >>> Is offset > MAX_OFFSET really problematic (and not just the width != -1 && >>> offset + width overflowing case)? >>> >>>> if (GET_MODE (mem) == BLKmode) >>>> width = -1; >>>> else >>>> >>> >>> >>> Jakub >>> >> >