From patchwork Tue Mar 30 11:04:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Biener X-Patchwork-Id: 1460003 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org (client-ip=8.43.85.97; helo=sourceware.org; envelope-from=gcc-patches-bounces@gcc.gnu.org; receiver=) Received: from sourceware.org (ip-8-43-85-97.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4F8mn73G9Hz9sRf for ; Tue, 30 Mar 2021 22:04:58 +1100 (AEDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 554BC3851C39; Tue, 30 Mar 2021 11:04:56 +0000 (GMT) X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) by sourceware.org (Postfix) with ESMTPS id D5EED3857C61 for ; Tue, 30 Mar 2021 11:04:53 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org D5EED3857C61 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=suse.de Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=rguenther@suse.de X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id B21ABB258 for ; Tue, 30 Mar 2021 11:04:52 +0000 (UTC) Date: Tue, 30 Mar 2021 13:04:52 +0200 (CEST) From: Richard Biener To: gcc-patches@gcc.gnu.org Subject: [PATCH] tree-optimization/99824 - avoid excessive integer type precision in VN Message-ID: User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 X-Spam-Status: No, score=-11.4 required=5.0 tests=BAYES_00, GIT_PATCH_0, KAM_DMARC_STATUS, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gcc-patches-bounces@gcc.gnu.org Sender: "Gcc-patches" VN sometimes builds new integer types to handle accesss where precision of the access type does not match the access size. The way ao_ref_init_from_vn_reference is computing the access size ignores the access type in case the ref operands have an outermost COMPONENT_REF which, in case it is an array for example, can be way larger than the access size. This can cause us to try building an integer type with precision larger than WIDE_INT_MAX_PRECISION eventually leading to memory corruption. The following adjusts ao_ref_init_from_vn_reference to only lower access sizes via the outermost COMPONENT_REF but otherwise honor the access size as specified by the access type. It also places an assert in integer type building that we remain in the limits of WIDE_INT_MAX_PRECISION. I chose the shared code where we set TYPE_MIN/MAX_VALUE because that will immediately cross the wide_ints capacity otherwise. Bootstrapped and tested on x86_64-unknown-linux-gnu on trunk, regtest ongoing on the branch. On trunk the issue does not reproduce but is latent to some extent. 2021-03-30 Richard Biener PR tree-optimization/99824 * stor-layout.c (set_min_and_max_values_for_integral_type): Assert the precision is within the bounds of WIDE_INT_MAX_PRECISION. * tree-ssa-sccvn.c (ao_ref_init_from_vn_reference): Use the outermost component ref only to lower the access size and initialize that from the access type. * gcc.dg/torture/pr99824.c: New testcase. --- gcc/stor-layout.c | 2 ++ gcc/testsuite/gcc.dg/torture/pr99824.c | 33 ++++++++++++++++++++++++++ gcc/tree-ssa-sccvn.c | 24 +++++++++++-------- 3 files changed, 49 insertions(+), 10 deletions(-) create mode 100644 gcc/testsuite/gcc.dg/torture/pr99824.c diff --git a/gcc/stor-layout.c b/gcc/stor-layout.c index 784f131ebb8..94b8b21c7a8 100644 --- a/gcc/stor-layout.c +++ b/gcc/stor-layout.c @@ -2838,6 +2838,8 @@ set_min_and_max_values_for_integral_type (tree type, if (precision < 1) return; + gcc_assert (precision <= WIDE_INT_MAX_PRECISION); + TYPE_MIN_VALUE (type) = wide_int_to_tree (type, wi::min_value (precision, sgn)); TYPE_MAX_VALUE (type) diff --git a/gcc/testsuite/gcc.dg/torture/pr99824.c b/gcc/testsuite/gcc.dg/torture/pr99824.c new file mode 100644 index 00000000000..9022d4a4b8e --- /dev/null +++ b/gcc/testsuite/gcc.dg/torture/pr99824.c @@ -0,0 +1,33 @@ +/* { dg-do compile } */ + +unsigned int +strlenx(char *s) +{ + char *orig_s = s; + for (; *s; ++s) + ; + return s - orig_s; +} + +struct i2c_adapter { + char name[48]; +}; + +struct { + int instance; + struct i2c_adapter i2c_adap[]; +} * init_cx18_i2c_cx; + +const struct i2c_adapter cx18_i2c_adap_template = {""}; +int init_cx18_i2c___trans_tmp_1; + +void +init_cx18_i2c() +{ + int i = 0; + for (;; i++) { + init_cx18_i2c_cx->i2c_adap[i] = cx18_i2c_adap_template; + init_cx18_i2c___trans_tmp_1 + = strlenx(init_cx18_i2c_cx->i2c_adap[i].name); + } +} diff --git a/gcc/tree-ssa-sccvn.c b/gcc/tree-ssa-sccvn.c index 1c0500ce61e..0567a2e9ff5 100644 --- a/gcc/tree-ssa-sccvn.c +++ b/gcc/tree-ssa-sccvn.c @@ -1002,22 +1002,26 @@ ao_ref_init_from_vn_reference (ao_ref *ref, poly_offset_int size = -1; tree size_tree = NULL_TREE; - /* First get the final access size from just the outermost expression. */ + machine_mode mode = TYPE_MODE (type); + if (mode == BLKmode) + size_tree = TYPE_SIZE (type); + else + size = GET_MODE_BITSIZE (mode); + if (size_tree != NULL_TREE + && poly_int_tree_p (size_tree)) + size = wi::to_poly_offset (size_tree); + + /* Lower the final access size from the outermost expression. */ op = &ops[0]; + size_tree = NULL_TREE; if (op->opcode == COMPONENT_REF) size_tree = DECL_SIZE (op->op0); else if (op->opcode == BIT_FIELD_REF) size_tree = op->op0; - else - { - machine_mode mode = TYPE_MODE (type); - if (mode == BLKmode) - size_tree = TYPE_SIZE (type); - else - size = GET_MODE_BITSIZE (mode); - } if (size_tree != NULL_TREE - && poly_int_tree_p (size_tree)) + && poly_int_tree_p (size_tree) + && (!known_size_p (size) + || known_lt (wi::to_poly_offset (size_tree), size))) size = wi::to_poly_offset (size_tree); /* Initially, maxsize is the same as the accessed element size.