Re: [PATCH] Fix UBSAN errors in dse.c (PR rtl-optimization/82044).

public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed

From: "Martin Liška" <mliska@suse.cz>
To: Jakub Jelinek <jakub@redhat.com>
Cc: gcc-patches@gcc.gnu.org
Subject: Re: [PATCH] Fix UBSAN errors in dse.c (PR rtl-optimization/82044).
Date: Thu, 19 Oct 2017 11:58:00 -0000	[thread overview]
Message-ID: <d7a78f76-ab66-09ed-06da-257038bc58bb@suse.cz> (raw)
In-Reply-To: <20170920081519.GU1701@tucnak>

On 09/20/2017 10:15 AM, Jakub Jelinek wrote:
> On Wed, Sep 20, 2017 at 09:50:32AM +0200, Martin LiÅ¡ka wrote:
>> Hello.
>>
>> Following patch handles UBSAN (overflow) in dce.c.
> 
> dse.c ;)
> 
>> --- a/gcc/dse.c
>> +++ b/gcc/dse.c
>> @@ -929,7 +929,9 @@ set_usage_bits (group_info *group, HOST_WIDE_INT offset, HOST_WIDE_INT width,
>>  {
>>    HOST_WIDE_INT i;
>>    bool expr_escapes = can_escape (expr);
>> -  if (offset > -MAX_OFFSET && offset + width < MAX_OFFSET)
>> +  if (offset > -MAX_OFFSET
>> +      && offset < MAX_OFFSET
>> +      && offset + width < MAX_OFFSET)
> 
> This can still overflow if width is close to HOST_WIDE_INT_MAX.
> Anyway, I don't remember this code too much, but wonder if either offset or
> width or their sum is outside of the -MAX_OFFSET, MAX_OFFSET range if we
> still don't want to record usage bits at least in the intersection of
> -MAX_OFFSET, MAX_OFFSET and offset, offset + width (the latter performed
> with infinite precision; though, if record_store is changed as suggested
> below, offset + width shouldn't overflow).
> 
>>      for (i=offset; i<offset+width; i++)
>>        {
>>  	bitmap store1;
>> @@ -1536,7 +1538,11 @@ record_store (rtx body, bb_info_t bb_info)
>>      }
>>    store_info->group_id = group_id;
>>    store_info->begin = offset;
>> -  store_info->end = offset + width;
>> +  if (offset > HOST_WIDE_INT_MAX - width)
>> +    store_info->end = HOST_WIDE_INT_MAX;
>> +  else
>> +    store_info->end = offset + width;
> 
> If offset + width overflows, I think we risk wrong-code by doing this, plus
> there are 3 other offset + width computations earlier in record_store
> before we reach this.  I think instead we should treat such cases as wild
> stores early, i.e.:
>    if (!canon_address (mem, &group_id, &offset, &base))
>      {
>        clear_rhs_from_active_local_stores ();
>        return 0;
>      }
>  
>    if (GET_MODE (mem) == BLKmode)
>      width = MEM_SIZE (mem);
>    else
>      width = GET_MODE_SIZE (GET_MODE (mem));
> 
> +  if (offset > HOST_WIDE_INT_MAX - width)
> +    {
> +      clear_rhs_from_active_local_stores ();
> +      return 0;
> +    }
> 
> or so.
> 
>> +
>>    store_info->is_set = GET_CODE (body) == SET;
>>    store_info->rhs = rhs;
>>    store_info->const_rhs = const_rhs;
>> @@ -1976,6 +1982,14 @@ check_mem_read_rtx (rtx *loc, bb_info_t bb_info)
>>        return;
>>      }
>>  
>> +  if (offset > MAX_OFFSET)
>> +    {
>> +      if (dump_file && (dump_flags & TDF_DETAILS))
>> +	fprintf (dump_file, " reaches MAX_OFFSET.\n");
>> +      add_wild_read (bb_info);
>> +      return;
>> +    }
>> +

Hi.

The later one works for me. I'm going to regtest that.

Ready after it survives regression tests?

Thanks,
Martin

> 
> Is offset > MAX_OFFSET really problematic (and not just the width != -1 &&
> offset + width overflowing case)?
> 
>>    if (GET_MODE (mem) == BLKmode)
>>      width = -1;
>>    else
>>
> 
> 
> 	Jakub
>

next prev parent reply	other threads:[~2017-10-19 11:37 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-20  7:51 Martin Liška
2017-09-20  8:15 ` Jakub Jelinek
2017-10-19 11:58   ` Martin Liška [this message]
2017-11-02 13:15     ` Martin Liška
2017-11-08 16:42       ` Jeff Law
2017-11-15  7:34         ` Martin Liška
2017-11-17  0:57           ` Jeff Law
2017-11-22  0:27           ` [PATCH] Fix i?86 bootstrap " Jakub Jelinek
2017-11-22  8:01             ` Jakub Jelinek
2017-11-22  9:00               ` Richard Biener
2017-11-22  9:11                 ` Richard Biener
2017-12-19 11:26                   ` Martin Liška
2017-11-22  9:45             ` Eric Botcazou
2017-11-22  9:52               ` Jakub Jelinek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d7a78f76-ab66-09ed-06da-257038bc58bb@suse.cz \
    --to=mliska@suse.cz \
    --cc=gcc-patches@gcc.gnu.org \
    --cc=jakub@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).