[PATCH 2/2] gdb/dwarf: fix UBsan crash in read_subrange_type

[Simon Marchi <simon.marchi@efficios.com>]

When running gdb.ada/arrayptr.exp (and others) on Ubuntu 22.04, with the
`gnat-11` package installed (not `gnat`), with UBSan activated, I get:

    (gdb) break foo.adb:40
    /home/smarchi/src/binutils-gdb/gdb/dwarf2/read.c:17689:20: runtime error: shift exponent 127 is too large for 64-bit type 'long unsigned int'

The problematic DIEs are:

    0x00001460:       DW_TAG_subrange_type
                        DW_AT_lower_bound [DW_FORM_data1]   (0x00)
                        DW_AT_upper_bound [DW_FORM_data16]  (ffffffffffffffff3f00000000000000)
                        DW_AT_name [DW_FORM_strp]   ("foo__packed_array___XP7___XDLU_0__1180591620717411303423")
                        DW_AT_type [DW_FORM_ref4]   (0x0000153f "long_long_long_unsigned")
                        DW_AT_GNAT_descriptive_type [DW_FORM_ref4]  (0x0000147e)
                        DW_AT_artificial [DW_FORM_flag_present]     (true)

    0x0000153f:   DW_TAG_base_type
                    DW_AT_byte_size [DW_FORM_data1] (0x10)
                    DW_AT_encoding [DW_FORM_data1]  (DW_ATE_unsigned)
                    DW_AT_name [DW_FORM_strp]       ("long_long_long_unsigned")
                    DW_AT_artificial [DW_FORM_flag_present] (true)

When processed by this code:

    negative_mask =
      -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
    if (low.kind () == PROP_CONST
        && !base_type->is_unsigned () && (low.const_val () & negative_mask))
      low.set_const_val (low.const_val () | negative_mask);

When the base type's length (16 bytes in this case) is larger than a
ULONGEST (typically 8 bytes), the bit shift is too large.

My obvious fix is just to skip the fixup for base types larger than a
ULONGEST (8 bytes).  I don't think we really handle constant attribute
values larger than 8 bytes anyway, so this is part of a much larger
problem.

Add a test that replicates this situation, but uses bounds that fit in a
signed 64 bit, so we get a sensible result.

Change-Id: I8d0a24f3edd83b44e0761a0ce38922d3e2e112fb
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29386
---
 gdb/dwarf2/read.c                     | 29 ++++++++++++++++++---------
 gdb/testsuite/gdb.dwarf2/subrange.exp | 22 ++++++++++++++++++++
 2 files changed, 41 insertions(+), 10 deletions(-)

diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c
index 44b54f77de9..87846788604 100644
--- a/gdb/dwarf2/read.c
+++ b/gdb/dwarf2/read.c
@@ -17588,7 +17588,6 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
   int low_default_is_valid;
   int high_bound_is_count = 0;
   const char *name;
-  ULONGEST negative_mask;
 
   orig_base_type = read_subrange_index_type (die, cu);
 
@@ -17684,15 +17683,25 @@ read_subrange_type (struct die_info *die, struct dwarf2_cu *cu)
      with GCC, for instance, where the ambiguous DW_FORM_dataN form
      is used instead.  To work around that ambiguity, we treat
      the bounds as signed, and thus sign-extend their values, when
-     the base type is signed.  */
-  negative_mask =
-    -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
-  if (low.kind () == PROP_CONST
-      && !base_type->is_unsigned () && (low.const_val () & negative_mask))
-    low.set_const_val (low.const_val () | negative_mask);
-  if (high.kind () == PROP_CONST
-      && !base_type->is_unsigned () && (high.const_val () & negative_mask))
-    high.set_const_val (high.const_val () | negative_mask);
+     the base type is signed.
+
+     Skip it if the base type's length is largest than ULONGEST, to avoid
+     the undefined behavior of a too large left shift.  We don't really handle
+     constants larger than 8 bytes anyway, at the moment.  */
+
+  if (base_type->length () <= sizeof (ULONGEST))
+    {
+      ULONGEST negative_mask
+	= -((ULONGEST) 1 << (base_type->length () * TARGET_CHAR_BIT - 1));
+
+      if (low.kind () == PROP_CONST
+	  && !base_type->is_unsigned () && (low.const_val () & negative_mask))
+	low.set_const_val (low.const_val () | negative_mask);
+
+      if (high.kind () == PROP_CONST
+	  && !base_type->is_unsigned () && (high.const_val () & negative_mask))
+	high.set_const_val (high.const_val () | negative_mask);
+    }
 
   /* Check for bit and byte strides.  */
   struct dynamic_prop byte_stride_prop;
diff --git a/gdb/testsuite/gdb.dwarf2/subrange.exp b/gdb/testsuite/gdb.dwarf2/subrange.exp
index 8a8443f31a8..556422629a3 100644
--- a/gdb/testsuite/gdb.dwarf2/subrange.exp
+++ b/gdb/testsuite/gdb.dwarf2/subrange.exp
@@ -77,6 +77,26 @@ Dwarf::assemble $asm_file {
 		{name subrange_with_buggy_negative_bounds_variable}
 		{type :$subrange_with_buggy_negative_bounds_label}
 	    }
+
+	    # This subrange's base type is 16-bytes long (although the bounds fit in
+	    # signed 64-bit).  This is to test the fix for PR 29386.
+	    declare_labels a_16_byte_integer_label a_16_byte_subrange_label
+
+	    a_16_byte_integer_label: base_type {
+		{byte_size 16 udata}
+		{encoding @DW_ATE_signed}
+	    }
+
+	    a_16_byte_subrange_label: subrange_type {
+		{lower_bound -9223372036854775808 DW_FORM_sdata}
+		{upper_bound 9223372036854775807 DW_FORM_sdata}
+		{type :$a_16_byte_integer_label}
+	    }
+
+	    DW_TAG_variable {
+		{name a_16_byte_subrange_variable}
+		{type :$a_16_byte_subrange_label}
+	    }
 	}
     }
 }
@@ -92,3 +112,5 @@ gdb_test "ptype TByteArray" \
     "type = array \\\[0\\.\\.191\\\] of byte"
 gdb_test "ptype subrange_with_buggy_negative_bounds_variable" \
     "type = -16..-12"
+gdb_test "ptype a_16_byte_subrange_variable" \
+    "type = -9223372036854775808..9223372036854775807"
-- 
2.39.1