From patchwork Fri Mar 21 20:32:54 2014
X-Patchwork-Submitter: Jakub Jelinek
X-Patchwork-Id: 332742
Date: Fri, 21 Mar 2014 21:32:54 +0100
From: Jakub Jelinek
To: Richard Biener
Cc: gcc-patches@gcc.gnu.org
Subject: [PATCH] Fix ubsan expansion (PR sanitizer/60613)
Message-ID: <20140321203254.GW1817@tucnak.redhat.com>

Hi!

As MINUS_EXPR is not commutative, we really can't swap op0 with op1
for testing whether subtraction overflowed, that is only possible for
PLUS_EXPR, for MINUS_EXPR we really have to know if op1 is constant
or negative or non-negative and have to compare result with
op0 depending on that.

Bootstrapped/regtested on x86_64-linux and i686-linux, i686-linux
extra --with-build-config=bootstrap-ubsan bootstrap ongoing.
Ok for trunk?

2014-03-21  Jakub Jelinek

	PR sanitizer/60613
	* internal-fn.c (ubsan_expand_si_overflow_addsub_check): For
	code == MINUS_EXPR, never swap op0 with op1.

	* c-c++-common/ubsan/pr60613-1.c: New test.
	* c-c++-common/ubsan/pr60613-2.c: New test.

	Jakub

--- gcc/internal-fn.c.jj 2014-03-18 12:27:10.000000000 +0100 +++ gcc/internal-fn.c 2014-03-21 15:41:39.116303973 +0100 
@@ -221,14 +221,15 @@ ubsan_expand_si_overflow_addsub_check (t res = expand_binop (mode, code == PLUS_EXPR ? add_optab : sub_optab, op0, op1, NULL_RTX, false, OPTAB_LIB_WIDEN); - /* If we can prove one of the arguments is always non-negative - or always negative, we can do just one comparison and - conditional jump instead of 2 at runtime, 3 present in the + /* If we can prove one of the arguments (for MINUS_EXPR only + the second operand, as subtraction is not commutative) is always + non-negative or always negative, we can do just one comparison + and conditional jump instead of 2 at runtime, 3 present in the emitted code. If one of the arguments is CONST_INT, all we need is to make sure it is op1, then the first emit_cmp_and_jump_insns will be just folded. Otherwise try to use range info if available. */ - if (CONST_INT_P (op0)) + if (code == PLUS_EXPR && CONST_INT_P (op0)) { rtx tem = op0; op0 = op1; @@ -236,7 +237,7 @@ ubsan_expand_si_overflow_addsub_check (t } else if (CONST_INT_P (op1)) ; - else if (TREE_CODE (arg0) == SSA_NAME) + else if (code == PLUS_EXPR && TREE_CODE (arg0) == SSA_NAME) { double_int arg0_min, arg0_max; if (get_range_info (arg0, &arg0_min, &arg0_max) == VR_RANGE) --- gcc/testsuite/c-c++-common/ubsan/pr60613-1.c.jj 2014-03-21 16:00:47.930272534 +0100 +++ gcc/testsuite/c-c++-common/ubsan/pr60613-1.c 2014-03-21 15:47:50.000000000 +0100 
@@ -0,0 +1,33 @@ +/* PR sanitizer/60613 */ +/* { dg-do run } */ +/* { dg-options "-fsanitize=undefined" } */ + +long long y; + +__attribute__((noinline, noclone)) long long +foo (long long x) +{ + asm (""); + if (x >= 0 || x < -2040) + return 23; + x += 2040; + return x - y; +} + +__attribute__((noinline, noclone)) long long +bar (long long x) +{ + asm (""); + return 8LL - x; +} + +int +main () +{ + y = 1; + if (foo (8 - 2040) != 8 - 1) + __builtin_abort (); + if (bar (1) != 8 - 1) + __builtin_abort (); + return 0; +} --- gcc/testsuite/c-c++-common/ubsan/pr60613-2.c.jj 2014-03-21 16:00:50.795259403 +0100 +++ gcc/testsuite/c-c++-common/ubsan/pr60613-2.c 2014-03-21 16:08:56.915733544 +0100 @@ -0,0 +1,36 @@ +/* PR sanitizer/60613 */ +/* { dg-do run } */ +/* { dg-options "-fsanitize=undefined" } */ + +long long y; + +__attribute__((noinline, noclone)) long long +foo (long long x) +{ + asm (""); + if (x >= 0 || x < -2040) + return 23; + x += 2040; + return x - y; +} + +__attribute__((noinline, noclone)) long long +bar (long long x) +{ + asm (""); + return 8LL - x; +} + +int +main () +{ + y = -__LONG_LONG_MAX__ + 6; + if (foo (8 - 2040) != -__LONG_LONG_MAX__) + __builtin_abort (); + if (bar (-__LONG_LONG_MAX__ + 5) != -__LONG_LONG_MAX__ + 1) + __builtin_abort (); + return 0; +} + +/* { dg-output "signed integer overflow: 8 \\- -9223372036854775801 cannot be represented in type 'long long int'(\n|\r\n|\r)" } */ +/* { dg-output "\[^\n\r]*signed integer overflow: 8 \\- -9223372036854775802 cannot be represented in type 'long long int'" } */
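
Review bot: In the comment rewritten by the first gcc/internal-fn.c hunk (@@ -221), the unchanged sentence "If one of the arguments is CONST_INT, all we need is to make sure it is op1" still reads as applying to both codes, but with `code == PLUS_EXPR && CONST_INT_P (op0)` a constant op0 is no longer moved for MINUS_EXPR. Suggest stating that the move to op1 is done for PLUS_EXPR only and that for MINUS_EXPR only a CONST_INT already in op1 gets the folded comparison.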
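
Review bot: In the second gcc/internal-fn.c hunk (@@ -236), the `code == PLUS_EXPR` guard on the `TREE_CODE (arg0) == SSA_NAME` branch has no comment of its own, so the reason arg0's range is unusable for MINUS_EXPR is only recoverable from the block comment twenty lines up. A one-line comment at the branch would help. The context also ends inside the arg0 branch, so it cannot be confirmed from these lines that MINUS_EXPR with an SSA_NAME op0 still reaches whatever range check exists for arg1; please confirm that check is a sibling `else if` and not nested under this one.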
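
Review bot: pr60613-1.c checks only the returned values in main, so a spurious "signed integer overflow" report from foo (8 - 2040) or bar (1) would not make it fail. pr60613-2.c shows that execution continues and main returns 0 after two reports, so the same would happen here. Since neither call overflows, consider adding an output check that fails if any overflow diagnostic is printed, so the test guards against false positives and not only wrong results.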
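
Review bot: pr60613-2.c covers MINUS_EXPR with a range-limited op0 (foo, `x - y`) and with a constant op0 (bar, `8LL - x`), but not the paths the patch keeps for subtraction: a constant op1 or an op1 with known range. A case such as `x - 8LL` near the negative limit, expecting a report, would pin those down. As a style point, foo and bar are duplicated verbatim from pr60613-1.c; a short comment in each file saying which behaviour it checks (no report versus two reports) would make the pair easier to read.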
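
The reasoning in the message above, worked through in C as an added example (not code from the patch or from GCC): a single-comparison subtraction check is correct when the sign comes from op1 and the result is compared with op0, and wrong in both directions when the operand roles are exchanged as addition would allow. The function names and sample operands are constructed for illustration; the operands include the values passed to bar () in the two tests.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Wrapping subtraction done in unsigned arithmetic, so this example has no
   undefined behaviour (the conversion back wraps on GCC and Clang). */
static long long wrap_sub(long long a, long long b) {
    return (long long)((unsigned long long)a - (unsigned long long)b);
}

/* Reference answer, computed without overflowing. */
static bool sub_overflows_exact(long long a, long long b) {
    return b > 0 ? a < LLONG_MIN + b : a > LLONG_MAX + b;
}

/* One comparison chosen by the sign of op1, result compared with op0. */
static bool sub_check_op1(long long op0, long long op1) {
    long long res = wrap_sub(op0, op1);
    return op1 >= 0 ? res > op0 : res < op0;
}

/* Same comparison after exchanging the roles of op0 and op1, as would be
   valid for addition: sign taken from op0, result compared with op1. */
static bool sub_check_swapped(long long op0, long long op1) {
    long long res = wrap_sub(op0, op1);
    return op0 >= 0 ? res > op1 : res < op1;
}

/* Constructed sample operands, including the values used by bar () in the tests. */
static const long long samples[] = {
    LLONG_MIN, -LLONG_MAX + 5, -1, 0, 1, 8, LLONG_MAX
};

/* Number of operand pairs on which `check` disagrees with the exact answer. */
static int count_mismatches(bool (*check)(long long, long long)) {
    int n = (int)(sizeof samples / sizeof samples[0]), bad = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (check(samples[i], samples[j]) != sub_overflows_exact(samples[i], samples[j]))
                bad++;
    return bad;
}

int main(void) {
    printf("op1-sign check mismatches: %d\n", count_mismatches(sub_check_op1));
    printf("swapped check mismatches:  %d\n", count_mismatches(sub_check_swapped));
    printf("8 - 1 flagged by swapped check: %d\n", sub_check_swapped(8, 1));
    return 0;
}
```

With the swapped pairing, 8 - 1 is flagged although it does not overflow, and 8 - (-LLONG_MAX + 5) is missed although it does, which are the two cases the new tests exercise through bar ().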