[PATCH] ICE with ~INT_MAX in fold-const.c (PR sanitizer/80875)

[PATCH] ICE with ~INT_MAX in fold-const.c (PR sanitizer/80875)

[Marek Polacek]

We ICE on this testcase in
 9812           /* Transform x * -C into -x * C if x is easily negatable.  */
 9813           if (TREE_CODE (op1) == INTEGER_CST
 9814               && tree_int_cst_sgn (op1) == -1
 9815               && negate_expr_p (op0)
 9816               && (tem = negate_expr (op1)) != op1
 9817               && ! TREE_OVERFLOW (tem))
because fold_negate_expr returns NULL_TREE for INT_MIN, so negate_expr just
wrapped in into a NEGATE_EXPR, creating NEGATE_EXPR <INT_MIN>.  TREE_OVERFLOW
crashes on that.  I thought it made sense to check whether we can negate OP1
first, as done in the patch below.

Bootstrapped/regtested on x86_64-linux, ok for trunk and 7?

2017-05-25  Marek Polacek  <polacek@redhat.com>

	PR sanitizer/80875
	* fold-const.c (fold_binary_loc) <case MULT_EXPR>: Check if OP1
	can be negated.

	* c-c++-common/ubsan/pr80875.c: New test.

diff --git gcc/fold-const.c gcc/fold-const.c
index efc0b10..911ae36 100644
--- gcc/fold-const.c
+++ gcc/fold-const.c
@@ -9813,6 +9813,7 @@ fold_binary_loc (location_t loc,
 	  if (TREE_CODE (op1) == INTEGER_CST
 	      && tree_int_cst_sgn (op1) == -1
 	      && negate_expr_p (op0)
+	      && negate_expr_p (op1)
 	      && (tem = negate_expr (op1)) != op1
 	      && ! TREE_OVERFLOW (tem))
 	    return fold_build2_loc (loc, MULT_EXPR, type,
diff --git gcc/testsuite/c-c++-common/ubsan/pr80875.c gcc/testsuite/c-c++-common/ubsan/pr80875.c
index e69de29..e679452 100644
--- gcc/testsuite/c-c++-common/ubsan/pr80875.c
+++ gcc/testsuite/c-c++-common/ubsan/pr80875.c
@@ -0,0 +1,9 @@
+/* PR sanitizer/80875 */
+/* { dg-do compile } */
+/* { dg-options "-fsanitize=undefined" } */
+
+int
+foo (void)
+{
+  return ~__INT_MAX__ * (0 / 0); /* { dg-warning "division by zero" } */
+}

	Marek

Re: [PATCH] ICE with ~INT_MAX in fold-const.c (PR sanitizer/80875)

[Richard Biener]

On Thu, May 25, 2017 at 6:33 PM, Marek Polacek <polacek@redhat.com> wrote:
> We ICE on this testcase in
>  9812           /* Transform x * -C into -x * C if x is easily negatable.  */
>  9813           if (TREE_CODE (op1) == INTEGER_CST
>  9814               && tree_int_cst_sgn (op1) == -1
>  9815               && negate_expr_p (op0)
>  9816               && (tem = negate_expr (op1)) != op1
>  9817               && ! TREE_OVERFLOW (tem))
> because fold_negate_expr returns NULL_TREE for INT_MIN, so negate_expr just
> wrapped in into a NEGATE_EXPR, creating NEGATE_EXPR <INT_MIN>.  TREE_OVERFLOW
> crashes on that.  I thought it made sense to check whether we can negate OP1
> first, as done in the patch below.
>
> Bootstrapped/regtested on x86_64-linux, ok for trunk and 7?

Ok.

> 2017-05-25  Marek Polacek  <polacek@redhat.com>
>
>         PR sanitizer/80875
>         * fold-const.c (fold_binary_loc) <case MULT_EXPR>: Check if OP1
>         can be negated.
>
>         * c-c++-common/ubsan/pr80875.c: New test.
>
> diff --git gcc/fold-const.c gcc/fold-const.c
> index efc0b10..911ae36 100644
> --- gcc/fold-const.c
> +++ gcc/fold-const.c
> @@ -9813,6 +9813,7 @@ fold_binary_loc (location_t loc,
>           if (TREE_CODE (op1) == INTEGER_CST
>               && tree_int_cst_sgn (op1) == -1
>               && negate_expr_p (op0)
> +             && negate_expr_p (op1)
>               && (tem = negate_expr (op1)) != op1
>               && ! TREE_OVERFLOW (tem))
>             return fold_build2_loc (loc, MULT_EXPR, type,
> diff --git gcc/testsuite/c-c++-common/ubsan/pr80875.c gcc/testsuite/c-c++-common/ubsan/pr80875.c
> index e69de29..e679452 100644
> --- gcc/testsuite/c-c++-common/ubsan/pr80875.c
> +++ gcc/testsuite/c-c++-common/ubsan/pr80875.c
> @@ -0,0 +1,9 @@
> +/* PR sanitizer/80875 */
> +/* { dg-do compile } */
> +/* { dg-options "-fsanitize=undefined" } */
> +
> +int
> +foo (void)
> +{
> +  return ~__INT_MAX__ * (0 / 0); /* { dg-warning "division by zero" } */
> +}
>
>         Marek