From 8692b15ae7c05e3224f285069e070c009d9f6efe Mon Sep 17 00:00:00 2001 From: Jakub Jelinek Date: Wed, 4 Jan 2023 10:52:49 +0100 Subject: [PATCH] ubsan: Avoid narrowing of multiply for -fsanitize=signed-integer-overflow [PR108256] We shouldn't narrow multiplications originally done in signed types, because the original multiplication might overflow but the narrowed one will be done in unsigned arithmetics and will never overflow. 2023-01-04 Jakub Jelinek PR sanitizer/108256 * convert.cc (do_narrow): Punt for MULT_EXPR if original type doesn't wrap around and -fsanitize=signed-integer-overflow is on. * fold-const.cc (fold_unary_loc) : Likewise. * c-c++-common/ubsan/pr108256.c: New test. --- gcc/convert.cc | 8 ++++++ gcc/fold-const.cc | 4 ++- gcc/testsuite/c-c++-common/ubsan/pr108256.c | 27 +++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 gcc/testsuite/c-c++-common/ubsan/pr108256.c diff --git a/gcc/convert.cc b/gcc/convert.cc index a882c67d7c1..fe85bcb3323 100644 --- a/gcc/convert.cc +++ b/gcc/convert.cc @@ -384,6 +384,14 @@ do_narrow (location_t loc, && sanitize_flags_p (SANITIZE_SI_OVERFLOW)) return NULL_TREE; + /* Similarly for multiplication, but in that case it can be + problematic even if typex is unsigned type - 0xffff * 0xffff + overflows in int. */ + if (ex_form == MULT_EXPR + && !TYPE_OVERFLOW_WRAPS (TREE_TYPE (expr)) + && sanitize_flags_p (SANITIZE_SI_OVERFLOW)) + return NULL_TREE; + /* But now perhaps TYPEX is as wide as INPREC. In that case, do nothing special here. (Otherwise would recurse infinitely in convert. */ diff --git a/gcc/fold-const.cc b/gcc/fold-const.cc index 9ab76fb1079..9aaea71a2fc 100644 --- a/gcc/fold-const.cc +++ b/gcc/fold-const.cc @@ -9574,7 +9574,9 @@ fold_unary_loc (location_t loc, enum tree_code code, tree type, tree op0) if (INTEGRAL_TYPE_P (type) && TREE_CODE (op0) == MULT_EXPR && INTEGRAL_TYPE_P (TREE_TYPE (op0)) - && TYPE_PRECISION (type) < TYPE_PRECISION (TREE_TYPE (op0))) + && TYPE_PRECISION (type) < TYPE_PRECISION (TREE_TYPE (op0)) + && (TYPE_OVERFLOW_WRAPS (TREE_TYPE (op0)) + || !sanitize_flags_p (SANITIZE_SI_OVERFLOW))) { /* Be careful not to introduce new overflows. */ tree mult_type; diff --git a/gcc/testsuite/c-c++-common/ubsan/pr108256.c b/gcc/testsuite/c-c++-common/ubsan/pr108256.c new file mode 100644 index 00000000000..c4054aa0832 --- /dev/null +++ b/gcc/testsuite/c-c++-common/ubsan/pr108256.c @@ -0,0 +1,27 @@ +/* PR sanitizer/108256 */ +/* { dg-do run { target { lp64 || ilp32 } } } */ +/* { dg-options "-fsanitize=signed-integer-overflow" } */ + +unsigned short +foo (unsigned short x, unsigned short y) +{ + return x * y; +} + +unsigned short +bar (unsigned short x, unsigned short y) +{ + int r = x * y; + return r; +} + +int +main () +{ + volatile unsigned short a = foo (0xffff, 0xffff); + volatile unsigned short b = bar (0xfffe, 0xfffe); + return 0; +} + +/* { dg-output "signed integer overflow: 65535 \\\* 65535 cannot be represented in type 'int'\[^\n\r]*(\n|\r\n|\r)" } */ +/* { dg-output "\[^\n\r]*signed integer overflow: 65534 \\\* 65534 cannot be represented in type 'int'" } */