From: Alexander Monakov <amonakov@ispras.ru>
To: Richard Biener <rguenther@suse.de>
Cc: Marek Polacek <polacek@redhat.com>,
GCC Patches <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] Prevent extract_muldiv from introducing an overflow (PR sanitizer/80800)
Date: Fri, 19 May 2017 10:59:00 -0000 [thread overview]
Message-ID: <alpine.LNX.2.20.13.1705191353470.32526@monopod.intra.ispras.ru> (raw)
In-Reply-To: <alpine.LSU.2.20.1705191243530.20726@zhemvz.fhfr.qr>
On Fri, 19 May 2017, Richard Biener wrote:
> On Fri, 19 May 2017, Marek Polacek wrote:
>
> > On Fri, May 19, 2017 at 09:58:45AM +0200, Richard Biener wrote:
> > > On Fri, 19 May 2017, Marek Polacek wrote:
> > >
> > > > extract_muldiv folds
> > > >
> > > > (n * 10000 * z) * 50
> > > >
> > > > to
> > > >
> > > > (n * 500000) * z
> > > >
> > > > which is a wrong transformation to do, because it may introduce an overflow.
> > > > This resulted in a ubsan false positive. So we should just disable this
> > > > folding altogether. Does the approach I took make sense?
I think it's possible to keep this folding, note that it's valid to transform to
(n * 1 * z) * 500000
(i.e. accumulate multiplications on the outermost factor)
> > > >
> > > > Bootstrapped/regtested on x86_64-linux, ok for trunk?
> > >
> > > Didn't dig very far to identify extract_muldiv, but I guess it's either
> > > of the following recursions that trigger?
> > >
> > > /* If we can extract our operation from the LHS, do so and return a
> > > new operation. Likewise for the RHS from a MULT_EXPR.
> > > Otherwise,
> > > do something only if the second operand is a constant. */
> > > if (same_p
> > > && (t1 = extract_muldiv (op0, c, code, wide_type,
> > > strict_overflow_p)) != 0)
> > > return fold_build2 (tcode, ctype, fold_convert (ctype, t1),
> > > fold_convert (ctype, op1));
> > > else if (tcode == MULT_EXPR && code == MULT_EXPR
> > > && (t1 = extract_muldiv (op1, c, code, wide_type,
> > > strict_overflow_p)) != 0)
> > > return fold_build2 (tcode, ctype, fold_convert (ctype, op0),
> > > fold_convert (ctype, t1));
> >
> > Exactly. extract_muldiv first gets (n * 10000 * z) * 50 so it tries
> > to fold 50 with (subexpressions) of (n * 10000 * z). So it then tries
> > (n * 10000) * 50, and then n * 50 and then 10000 * 50 which finally
> > works out, so it uses 50000 and removes the outermost multiplication.
so would it be possible to adjust things here to remove the innermost
multiplication instead?
Alexander
next prev parent reply other threads:[~2017-05-19 10:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 7:21 Marek Polacek
2017-05-19 8:21 ` Richard Biener
2017-05-19 10:43 ` Marek Polacek
2017-05-19 10:57 ` Richard Biener
2017-05-19 10:59 ` Alexander Monakov [this message]
2017-05-19 15:36 ` Marek Polacek
2017-05-19 15:51 ` Alexander Monakov
2017-05-19 16:18 ` Richard Biener
2017-05-19 18:45 ` Joseph Myers
2017-05-19 20:06 ` Alexander Monakov
2017-05-24 8:11 ` Richard Biener
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LNX.2.20.13.1705191353470.32526@monopod.intra.ispras.ru \
--to=amonakov@ispras.ru \
--cc=gcc-patches@gcc.gnu.org \
--cc=polacek@redhat.com \
--cc=rguenther@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).