From: Jonathan Wakely
To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org
Subject: [gcc r10-10562] libstdc++: Avoid overflow in ranges::advance(i, n, bound)
X-Act-Checkin: gcc
X-Git-Author: Jonathan Wakely
X-Git-Refname: refs/heads/releases/gcc-10
X-Git-Oldrev: 4c91bfc5f9b64310b437797eae97d7602745e409
X-Git-Newrev: 486adf83b0ad75f330651000fd640c6b9d86a97f
Message-Id: <20220426131159.DF9623857C43@sourceware.org>
Date: Tue, 26 Apr 2022 13:11:59 +0000 (GMT)
List-Id: Libstdc++-cvs mailing list

https://gcc.gnu.org/g:486adf83b0ad75f330651000fd640c6b9d86a97f

commit r10-10562-g486adf83b0ad75f330651000fd640c6b9d86a97f
Author: Jonathan Wakely
Date:   Wed Jan 26 16:08:51 2022 +0000

    libstdc++: Avoid overflow in ranges::advance(i, n, bound)

    When (bound - i) or n is the most negative value of its type, the
    negative of the value will overflow. Instead of abs(n) >= abs(bound - i)
    use n >= (bound - i) when positive and n <= (bound - i) when negative.
    The function has a precondition that they must have the same sign, so
    this works correctly. The precondition check can be moved into the else
    branch, and simplified.

    The standard requires calling ranges::advance(i, bound) even if i==bound
    is already true, which is technically observable, but that's pointless.
    We can just return n in that case. Similarly, for i!=bound but n==0 we
    are supposed to call ranges::advance(i, n), but that's pointless. An LWG
    issue to allow omitting the pointless calls is expected to be filed.

    libstdc++-v3/ChangeLog:

            * include/bits/range_access.h (ranges::advance): Avoid signed
            overflow. Do nothing if already equal to desired result.
            * testsuite/24_iterators/range_operations/advance_overflow.cc:
            New test.
(cherry picked from commit f21f22d1baf7e90f3edbfc48040c76fb14103803) Diff: --- libstdc++-v3/include/bits/range_access.h | 24 +++++++------- .../range_operations/advance_overflow.cc | 37 ++++++++++++++++++++++ 2 files changed, 50 insertions(+), 11 deletions(-) diff --git a/libstdc++-v3/include/bits/range_access.h b/libstdc++-v3/include/bits/range_access.h index bf46f366486..36bc55e6559 100644 --- a/libstdc++-v3/include/bits/range_access.h +++ b/libstdc++-v3/include/bits/range_access.h @@ -1011,25 +1011,27 @@ namespace ranges { const auto __diff = __bound - __it; -#ifdef __cpp_lib_is_constant_evaluated - if (std::is_constant_evaluated() - && !(__n == 0 || __diff == 0 || (__n < 0 == __diff < 0))) - throw "inconsistent directions for distance and bound"; -#endif - // n and bound must not lead in opposite directions: - __glibcxx_assert(__n == 0 || __diff == 0 || (__n < 0 == __diff < 0)); - const auto __absdiff = __diff < 0 ? -__diff : __diff; - const auto __absn = __n < 0 ? -__n : __n;; - if (__absn >= __absdiff) + if (__diff == 0) + return __n; + else if (__diff > 0 ? __n >= __diff : __n <= __diff) { (*this)(__it, __bound); return __n - __diff; } - else + else if (__n != 0) [[likely]] { +#ifdef __cpp_lib_is_constant_evaluated + if (std::is_constant_evaluated() && !(__n < 0 == __diff < 0)) + throw "inconsistent directions for distance and bound"; +#endif + // n and bound must not lead in opposite directions: + __glibcxx_assert(__n < 0 == __diff < 0); + (*this)(__it, __n); return 0; } + else + return 0; } else if (__it == __bound || __n == 0) return __n; diff --git a/libstdc++-v3/testsuite/24_iterators/range_operations/advance_overflow.cc b/libstdc++-v3/testsuite/24_iterators/range_operations/advance_overflow.cc new file mode 100644 index 00000000000..0fadcd6e99a --- /dev/null +++ b/libstdc++-v3/testsuite/24_iterators/range_operations/advance_overflow.cc 
@@ -0,0 +1,37 @@ +// { dg-options "-std=gnu++20" } +// { dg-do compile { target c++20 } } + +// Public domain testcase from Casey Carter, send to LWG list on 2021-07-24. +// +// Here's a compile-only test case for which n is INT_MIN, which will overflow +// if simply negated to get |n|: https://godbolt.org/z/M7Wz1nW58. + +#include +#include +#include + +struct I { + using difference_type = int; + using value_type = int; + + int x; + + constexpr int operator*() const { return x; } + constexpr I& operator++() { ++x; return *this; } + constexpr I operator++(int) { ++x; return {x - 1}; } + constexpr bool operator==(const I&) const = default; + + constexpr int operator-(const I& that) const { return x - that.x; } + + constexpr I& operator--() { --x; return *this; } + constexpr I operator--(int) { --x; return {x - 1}; } +}; +static_assert(std::bidirectional_iterator); +static_assert(std::sized_sentinel_for); + +constexpr bool test() { + using L = std::numeric_limits; + I i{-2}; + return std::ranges::advance(i, L::min(), I{-4}) == L::min() + 2; +} +static_assert(test());
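Review bot: in the range_access.h hunk, the `else if (__n != 0) [[likely]]` branch and the trailing `else return 0;` both end in `return 0;`, so the attribute on an else-if and the duplicated return could be folded into a plain `if (__n != 0) { ...; (*this)(__it, __n); } return 0;` following the bound-reaching branch. A one-line comment next to `return __n - __diff;` would also help: the new condition `__diff > 0 ? __n >= __diff : __n <= __diff` is only true when `__n` and `__diff` have the same sign and |n| >= |diff|, which is exactly why that subtraction cannot overflow (the result lies between 0 and `__n`); stating that saves the next reader from re-deriving it. Note that the comparison itself no longer relies on the same-sign precondition for the bound-reaching case; only the `__glibcxx_assert` fallthrough path does.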
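Review bot: the new testcase covers only n == INT_MIN (i{-2} and bound I{-4}, so bound - i is -2), while the commit message also names (bound - i) being the most negative value as an overflow source, and nothing here exercises that. A second constexpr check with i{0} and bound I{L::min()} (so bound - i == INT_MIN) would cover the `__n <= __diff` path with the extreme `__diff`: n == -1 should return 0 and leave i at -1, and n == L::min() should return 0 with i == bound. Minor: "send to LWG list" in the header comment should read "sent". Since the test is compile-only through static_assert, only the is_constant_evaluated throw branch of the precondition check is reachable, not the runtime __glibcxx_assert; that is fine for an overflow regression test but worth a comment.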
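The following is an added example, not code from the GCC patch or from libstdc++: a stand-alone C++ model of the arithmetic the commit message describes, on a plain `int` difference type so the INT_MIN cases (n most negative, and bound - i most negative) can be exercised directly. The pre-fix abs(n) >= abs(bound - i) test is written so that the negation that would overflow is reported rather than executed, beside the post-fix sign-split comparison. All names (`Pos`, `naive_reaches_bound`, `reaches_bound`, `bounded_advance`, `Result`, `run`) are this example's own, and `bound.x - it.x` is assumed not to overflow, as with the patch's own test iterator.

```cpp
// Added example, not code from the GCC patch: a stand-alone model of the
// arithmetic in ranges::advance(i, n, bound) on a plain int difference type,
// so the INT_MIN cases from the commit message can be exercised directly.
// All names below (Pos, naive_reaches_bound, reaches_bound, bounded_advance,
// Result, run) are this example's own, not libstdc++ identifiers.
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <optional>

// A minimal "iterator": just an int position.
struct Pos { int x; };

// The pre-fix test, abs(n) >= abs(diff), written so that the negation which
// would overflow (undefined behaviour for int) is reported instead of
// executed: returns nullopt exactly when -n or -diff is not representable.
std::optional<bool> naive_reaches_bound(int n, int diff) {
    if (n == INT_MIN || diff == INT_MIN)
        return std::nullopt;
    const int absdiff = diff < 0 ? -diff : diff;
    const int absn = n < 0 ? -n : n;
    return absn >= absdiff;
}

// The post-fix test from the commit message: compare on the side of zero
// that diff lies on. No negation, so no overflow for any int n or diff.
// If n and diff point in opposite directions this is simply false.
bool reaches_bound(int n, int diff) {
    return diff > 0 ? n >= diff : n <= diff;
}

// Model of ranges::advance(i, n, bound): move `it` by n but not past bound,
// and return how much of n was not consumed.
// Precondition (as in the patch): n and bound - it do not have opposite signs.
// Assumes bound.x - it.x itself does not overflow (the patch's test iterator
// has the same property).
int bounded_advance(Pos& it, int n, Pos bound) {
    const int diff = bound.x - it.x;
    if (diff == 0)
        return n;                     // already at bound: nothing consumed
    if (reaches_bound(n, diff)) {
        it = bound;
        // Same sign and |n| >= |diff|, so n - diff lies between 0 and n:
        // this subtraction cannot overflow.
        return n - diff;
    }
    if (n != 0) {
        if ((n < 0) != (diff < 0))    // precondition violated
            std::abort();
        it.x += n;                    // |n| < |diff|: stays strictly before bound
    }
    return 0;
}

// Convenience wrapper returning both outputs so results can be checked.
struct Result { int remainder; int pos; };
Result run(int start, int n, int bound) {
    Pos it{start};
    const int rem = bounded_advance(it, n, Pos{bound});
    return Result{rem, it.x};
}

int main() {
    // The case from the patch's testcase: i = -2, n = INT_MIN, bound = -4.
    const Result r = run(-2, INT_MIN, -4);
    std::printf("remainder %d (INT_MIN + 2 is %d), pos %d\n",
                r.remainder, INT_MIN + 2, r.pos);
    std::printf("naive abs() test representable for n == INT_MIN: %s\n",
                naive_reaches_bound(INT_MIN, -2) ? "yes" : "no");
    return 0;
}
```

Build with `-std=c++17` or later. Compiling the old negation-based form with `-fsanitize=undefined` flags the `-n` for n == INT_MIN that `naive_reaches_bound` refuses to perform; `reaches_bound` has no such operation, which is the whole point of the patch.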