ICE with ~INT_MAX in fold-const.c (PR sanitizer/80875)

Message ID	20170525163346.GY3335@redhat.com
State	New
Headers	show Return-Path: <gcc-patches-return-454462-incoming=patchwork.ozlabs.org@gcc.gnu.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:date :from:to:subject:message-id:mime-version:content-type; q=dns; s= default; b=kRjnPn6+nPXbP74Qw6tvyXExQku8n/nXduWBFT429h1xVlLW+BPPA Q+s00u3ngKlBYLWz5dTAjjmDzt125rNt8oGnDLC/SUnyXJniFLLNm3Fc4JuaB3H3 ITqxGzpc+8+vTzn3CJ9SlkS9Jhp+V6v3fyhQXUoSqPz9gKoSlnPdXM= Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 5B85E2D9FC0 Date: Thu, 25 May 2017 18:33:46 +0200 From: Marek Polacek <polacek@redhat.com> To: GCC Patches <gcc-patches@gcc.gnu.org> Subject: [PATCH] ICE with ~INT_MAX in fold-const.c (PR sanitizer/80875) Message-ID: <20170525163346.GY3335@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.8.0 (2017-02-23)

Message ID

20170525163346.GY3335@redhat.com

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender:date
	:from:to:subject:message-id:mime-version:content-type; q=dns; s=
	default; b=kRjnPn6+nPXbP74Qw6tvyXExQku8n/nXduWBFT429h1xVlLW+BPPA
	Q+s00u3ngKlBYLWz5dTAjjmDzt125rNt8oGnDLC/SUnyXJniFLLNm3Fc4JuaB3H3
	ITqxGzpc+8+vTzn3CJ9SlkS9Jhp+V6v3fyhQXUoSqPz9gKoSlnPdXM=
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 5B85E2D9FC0
Date: Thu, 25 May 2017 18:33:46 +0200
From: Marek Polacek <polacek@redhat.com>
To: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: [PATCH] ICE with ~INT_MAX in fold-const.c (PR sanitizer/80875)
Message-ID: <20170525163346.GY3335@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.8.0 (2017-02-23)

Commit Message

Marek Polacek May 25, 2017, 4:33 p.m. UTC

We ICE on this testcase in
 9812           /* Transform x * -C into -x * C if x is easily negatable.  */
 9813           if (TREE_CODE (op1) == INTEGER_CST
 9814               && tree_int_cst_sgn (op1) == -1
 9815               && negate_expr_p (op0)
 9816               && (tem = negate_expr (op1)) != op1
 9817               && ! TREE_OVERFLOW (tem))
because fold_negate_expr returns NULL_TREE for INT_MIN, so negate_expr just
wrapped in into a NEGATE_EXPR, creating NEGATE_EXPR <INT_MIN>.  TREE_OVERFLOW
crashes on that.  I thought it made sense to check whether we can negate OP1
first, as done in the patch below.

Bootstrapped/regtested on x86_64-linux, ok for trunk and 7?

2017-05-25  Marek Polacek  <polacek@redhat.com>

	PR sanitizer/80875
	* fold-const.c (fold_binary_loc) <case MULT_EXPR>: Check if OP1
	can be negated.

	* c-c++-common/ubsan/pr80875.c: New test.


	Marek

Comments

Richard Biener May 26, 2017, 8:59 a.m. UTC | #1

On Thu, May 25, 2017 at 6:33 PM, Marek Polacek <polacek@redhat.com> wrote:
> We ICE on this testcase in
>  9812           /* Transform x * -C into -x * C if x is easily negatable.  */
>  9813           if (TREE_CODE (op1) == INTEGER_CST
>  9814               && tree_int_cst_sgn (op1) == -1
>  9815               && negate_expr_p (op0)
>  9816               && (tem = negate_expr (op1)) != op1
>  9817               && ! TREE_OVERFLOW (tem))
> because fold_negate_expr returns NULL_TREE for INT_MIN, so negate_expr just
> wrapped in into a NEGATE_EXPR, creating NEGATE_EXPR <INT_MIN>.  TREE_OVERFLOW
> crashes on that.  I thought it made sense to check whether we can negate OP1
> first, as done in the patch below.
>
> Bootstrapped/regtested on x86_64-linux, ok for trunk and 7?

Ok.

> 2017-05-25  Marek Polacek  <polacek@redhat.com>
>
>         PR sanitizer/80875
>         * fold-const.c (fold_binary_loc) <case MULT_EXPR>: Check if OP1
>         can be negated.
>
>         * c-c++-common/ubsan/pr80875.c: New test.
>
> diff --git gcc/fold-const.c gcc/fold-const.c
> index efc0b10..911ae36 100644
> --- gcc/fold-const.c
> +++ gcc/fold-const.c
> @@ -9813,6 +9813,7 @@ fold_binary_loc (location_t loc,
>           if (TREE_CODE (op1) == INTEGER_CST
>               && tree_int_cst_sgn (op1) == -1
>               && negate_expr_p (op0)
> +             && negate_expr_p (op1)
>               && (tem = negate_expr (op1)) != op1
>               && ! TREE_OVERFLOW (tem))
>             return fold_build2_loc (loc, MULT_EXPR, type,
> diff --git gcc/testsuite/c-c++-common/ubsan/pr80875.c gcc/testsuite/c-c++-common/ubsan/pr80875.c
> index e69de29..e679452 100644
> --- gcc/testsuite/c-c++-common/ubsan/pr80875.c
> +++ gcc/testsuite/c-c++-common/ubsan/pr80875.c
> @@ -0,0 +1,9 @@
> +/* PR sanitizer/80875 */
> +/* { dg-do compile } */
> +/* { dg-options "-fsanitize=undefined" } */
> +
> +int
> +foo (void)
> +{
> +  return ~__INT_MAX__ * (0 / 0); /* { dg-warning "division by zero" } */
> +}
>
>         Marek

diff --git gcc/fold-const.c gcc/fold-const.c
index efc0b10..911ae36 100644
--- gcc/fold-const.c
+++ gcc/fold-const.c
@@ -9813,6 +9813,7 @@  fold_binary_loc (location_t loc,
 	  if (TREE_CODE (op1) == INTEGER_CST
 	      && tree_int_cst_sgn (op1) == -1
 	      && negate_expr_p (op0)
+	      && negate_expr_p (op1)
 	      && (tem = negate_expr (op1)) != op1
 	      && ! TREE_OVERFLOW (tem))
 	    return fold_build2_loc (loc, MULT_EXPR, type,
diff --git gcc/testsuite/c-c++-common/ubsan/pr80875.c gcc/testsuite/c-c++-common/ubsan/pr80875.c
index e69de29..e679452 100644
--- gcc/testsuite/c-c++-common/ubsan/pr80875.c
+++ gcc/testsuite/c-c++-common/ubsan/pr80875.c
@@ -0,0 +1,9 @@ 
+/* PR sanitizer/80875 */
+/* { dg-do compile } */
+/* { dg-options "-fsanitize=undefined" } */
+
+int
+foo (void)
+{
+  return ~__INT_MAX__ * (0 / 0); /* { dg-warning "division by zero" } */
+}