From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 123918 invoked by alias); 19 Oct 2017 11:37:01 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Received: (qmail 123904 invoked by uid 89); 19 Oct 2017 11:37:00 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-11.9 required=5.0 tests=BAYES_00,GIT_PATCH_2,GIT_PATCH_3,SPF_PASS autolearn=ham version=3.3.2 spammy=risk, sum, HContent-Transfer-Encoding:8bit X-HELO: mx2.suse.de Received: from mx2.suse.de (HELO mx2.suse.de) (195.135.220.15) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 19 Oct 2017 11:36:59 +0000 Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 2C76FAE55; Thu, 19 Oct 2017 11:36:57 +0000 (UTC) Subject: Re: [PATCH] Fix UBSAN errors in dse.c (PR rtl-optimization/82044). To: Jakub Jelinek Cc: gcc-patches@gcc.gnu.org References: <20170920081519.GU1701@tucnak> From: =?UTF-8?Q?Martin_Li=c5=a1ka?= Message-ID: Date: Thu, 19 Oct 2017 11:58:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <20170920081519.GU1701@tucnak> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-IsSubscribed: yes X-SW-Source: 2017-10/txt/msg01254.txt.bz2 On 09/20/2017 10:15 AM, Jakub Jelinek wrote: > On Wed, Sep 20, 2017 at 09:50:32AM +0200, Martin Liška wrote: >> Hello. >> >> Following patch handles UBSAN (overflow) in dce.c. > > dse.c ;) > >> --- a/gcc/dse.c >> +++ b/gcc/dse.c >> @@ -929,7 +929,9 @@ set_usage_bits (group_info *group, HOST_WIDE_INT offset, HOST_WIDE_INT width, >> { >> HOST_WIDE_INT i; >> bool expr_escapes = can_escape (expr); >> - if (offset > -MAX_OFFSET && offset + width < MAX_OFFSET) >> + if (offset > -MAX_OFFSET >> + && offset < MAX_OFFSET >> + && offset + width < MAX_OFFSET) > > This can still overflow if width is close to HOST_WIDE_INT_MAX. > Anyway, I don't remember this code too much, but wonder if either offset or > width or their sum is outside of the -MAX_OFFSET, MAX_OFFSET range if we > still don't want to record usage bits at least in the intersection of > -MAX_OFFSET, MAX_OFFSET and offset, offset + width (the latter performed > with infinite precision; though, if record_store is changed as suggested > below, offset + width shouldn't overflow). > >> for (i=offset; i> { >> bitmap store1; >> @@ -1536,7 +1538,11 @@ record_store (rtx body, bb_info_t bb_info) >> } >> store_info->group_id = group_id; >> store_info->begin = offset; >> - store_info->end = offset + width; >> + if (offset > HOST_WIDE_INT_MAX - width) >> + store_info->end = HOST_WIDE_INT_MAX; >> + else >> + store_info->end = offset + width; > > If offset + width overflows, I think we risk wrong-code by doing this, plus > there are 3 other offset + width computations earlier in record_store > before we reach this. I think instead we should treat such cases as wild > stores early, i.e.: > if (!canon_address (mem, &group_id, &offset, &base)) > { > clear_rhs_from_active_local_stores (); > return 0; > } > > if (GET_MODE (mem) == BLKmode) > width = MEM_SIZE (mem); > else > width = GET_MODE_SIZE (GET_MODE (mem)); > > + if (offset > HOST_WIDE_INT_MAX - width) > + { > + clear_rhs_from_active_local_stores (); > + return 0; > + } > > or so. > >> + >> store_info->is_set = GET_CODE (body) == SET; >> store_info->rhs = rhs; >> store_info->const_rhs = const_rhs; >> @@ -1976,6 +1982,14 @@ check_mem_read_rtx (rtx *loc, bb_info_t bb_info) >> return; >> } >> >> + if (offset > MAX_OFFSET) >> + { >> + if (dump_file && (dump_flags & TDF_DETAILS)) >> + fprintf (dump_file, " reaches MAX_OFFSET.\n"); >> + add_wild_read (bb_info); >> + return; >> + } >> + Hi. The later one works for me. I'm going to regtest that. Ready after it survives regression tests? Thanks, Martin > > Is offset > MAX_OFFSET really problematic (and not just the width != -1 && > offset + width overflowing case)? > >> if (GET_MODE (mem) == BLKmode) >> width = -1; >> else >> > > > Jakub >