[i386] : Fix out-of-bound array access in i386.c

Submitter	Uros Bizjak
Date	Aug. 5, 2010, 7:11 a.m.
Message ID	<AANLkTik0-EeoRCY_d6Vy9coYo9NwB2iaDkXF1CkKHfPQ@mail.gmail.com>
Download	mbox \| patch
Permalink	/patch/60927/
State	New
Headers	show Return-Path: <gcc-patches-return-269854-incoming=patchwork.ozlabs.org@gcc.gnu.org> MIME-Version: 1.0 Date: Thu, 5 Aug 2010 09:11:31 +0200 Message-ID: <AANLkTik0-EeoRCY_d6Vy9coYo9NwB2iaDkXF1CkKHfPQ@mail.gmail.com> Subject: [PATCH, i386]: Fix out-of-bound array access in i386.c From: Uros Bizjak <ubizjak@gmail.com> To: gcc-patches@gcc.gnu.org Content-Type: text/plain; charset=ISO-8859-1 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org

Comments

Uros Bizjak - Aug. 5, 2010, 7:11 a.m.

Hello!

Attached patch fixes out-of-bound array access, reported in [1],
fixing the first item in:

<../../gcc/config/i386/i386.c, (10253:10)> : Reason : The current
index is greater than array size!
<../../gcc/config/i386/i386.c, (16316:17)> : Op: -, Reason : Signed
Subtraction Overflow, BINARY OPERATION: left (int32): 0 right (int32):
-2147483648
<../../gcc/config/i386/i386.c, (16362:18)> : Op: -, Reason : Signed
Subtraction Overflow, BINARY OPERATION: left (int32): 0 right (int32):
-2147483648
<../../gcc/config/i386/i386.c, (16473:11)> : Op: -, Reason : Signed
Subtraction Overflow, UNARY OPERATION: right (int32): -2147483648

2010-08-05  Uros Bizjak  <ubizjak@gmail.com>

	* config/i386/i386.c (ix86_decompose_address): Check for SI_REG
	using REGNO of base_reg directly.

As seen from the patch, quite interesting way of checking for SI_REG regno ;)

Patch was tested on x86_64-linux-gnu, committed to mainline SVN.

BTW: The other three failures are all in ix86_expand_int_movcc, where:

      HOST_WIDE_INT ct = INTVAL (operands[2]);
      HOST_WIDE_INT cf = INTVAL (operands[3]);
      HOST_WIDE_INT diff;

      diff = ct - cf;

...

	  diff = -diff;

I don't know what is the proper way to fix these. Any hints?

Uros.

[1] http://gcc.gnu.org/ml/gcc/2010-08/msg00039.html

Richard Henderson - Aug. 5, 2010, 8 p.m.

On 08/05/2010 12:11 AM, Uros Bizjak wrote:
>       HOST_WIDE_INT ct = INTVAL (operands[2]);
>       HOST_WIDE_INT cf = INTVAL (operands[3]);
>       HOST_WIDE_INT diff;
> 
>       diff = ct - cf;
> 
> ...
> 
> 	  diff = -diff;
> 
> I don't know what is the proper way to fix these. Any hints?

Probably by simply making these (and a few other temporary) variables
unsigned, so that we have defined 2s compliment arithmetic.  It will
require at least one cast here:

>       if (diff < 0)

but there may be a few others.

r~

Patch

Index: i386.c
===================================================================
--- i386.c	(revision 162897)
+++ i386.c	(working copy)
@@ -10417,8 +10417,7 @@  ix86_decompose_address (rtx addr, struct
      to test cfun for being non-NULL. */
   if (TARGET_K6 && cfun && optimize_function_for_speed_p (cfun)
       && base_reg && !index_reg && !disp
-      && REG_P (base_reg)
-      && REGNO_REG_CLASS (REGNO (base_reg)) == SIREG)
+      && REG_P (base_reg) && REGNO (base_reg) == SI_REG)
     disp = const0_rtx;

   /* Special case: encode reg+reg instead of reg*2.  */

Patchwork [i386] : Fix out-of-bound array access in i386.c

Comments

Patch