re PR sanitizer/82072 (sanitizer does not detect an overflow from LLONG_MIN)

PR sanitizer/82072 * convert.c (do_narrow): When sanitizing signed integer overflows, bail out for signed types. (convert_to_integer_1) <case NEGATE_EXPR>: Likewise. * c-c++-common/ubsan/pr82072.c: New test. From-SVN: r251651

re PR sanitizer/82072 (sanitizer does not detect an overflow from LLONG_MIN)
PR sanitizer/82072 * convert.c (do_narrow): When sanitizing signed integer overflows, bail out for signed types. (convert_to_integer_1) <case NEGATE_EXPR>: Likewise. * c-c++-common/ubsan/pr82072.c: New test. From-SVN: r251651
8d2b48ae · Marek Polacek · Marek Polacek · e910a9b1 · 8d2b48ae · 8d2b48ae
Commit 8d2b48ae authored Sep 04, 2017 by Marek Polacek Committed by Marek Polacek Sep 04, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 1 deletions

gcc/ChangeLog
+7 -0

gcc/convert.c
+13 -1

gcc/testsuite/ChangeLog
+5 -0

gcc/testsuite/c-c++-common/ubsan/pr82072.c
+19 -0

No files found.
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
+2017-09-04  Marek Polacek  <polacek@redhat.com>
+
+	PR sanitizer/82072
+	* convert.c (do_narrow): When sanitizing signed integer overflows,
+	bail out for signed types.
+	(convert_to_integer_1) <case NEGATE_EXPR>: Likewise.
+
 2017-09-04  Richard Biener  <rguenther@suse.de>

 	PR tree-optimization/82060

--- a/gcc/convert.c
+++ b/gcc/convert.c
@@ -434,6 +434,13 @@ do_narrow (location_t loc,
    typex = lang_hooks.types.type_for_size (TYPE_PRECISION (typex),
 					    TYPE_UNSIGNED (typex));

+  /* The type demotion below might cause doing unsigned arithmetic
+     instead of signed, and thus hide overflow bugs.  */
+  if ((ex_form == PLUS_EXPR || ex_form == MINUS_EXPR)
+      && !TYPE_UNSIGNED (typex)
+      && sanitize_flags_p (SANITIZE_SI_OVERFLOW))
+    return NULL_TREE;
+
  /* But now perhaps TYPEX is as wide as INPREC.
     In that case, do nothing special here.
     (Otherwise would recurse infinitely in convert.  */
@@ -895,7 +902,12 @@ convert_to_integer_1 (tree type, tree expr, bool dofold)
 						    TYPE_UNSIGNED (typex));

 	      if (!TYPE_UNSIGNED (typex))
-		typex = unsigned_type_for (typex);
+		{
+		  /* Using unsigned arithmetic may hide overflow bugs.  */
+		  if (sanitize_flags_p (SANITIZE_SI_OVERFLOW))
+		    break;
+		  typex = unsigned_type_for (typex);
+		}
 	      return convert (type,
 			      fold_build1 (ex_form, typex,
 					   convert (typex,

--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
+2017-09-04  Marek Polacek  <polacek@redhat.com>
+
+	PR sanitizer/82072
+	* c-c++-common/ubsan/pr82072.c: New test.
+
 2017-09-04  Richard Biener  <rguenther@suse.de>

 	PR tree-optimization/82060

--- a/gcc/testsuite/c-c++-common/ubsan/pr82072.c
+++ b/gcc/testsuite/c-c++-common/ubsan/pr82072.c
+/* PR sanitizer/82072 */
+/* { dg-do run } */
+/* { dg-options "-fsanitize=signed-integer-overflow" } */
+
+int
+main ()
+{
+  long long l = -__LONG_LONG_MAX__ - 1;
+  int i = 0;
+  asm volatile ("" : "+r" (i));
+  i -= l;
+  asm volatile ("" : "+r" (i));
+  i = -l;
+  asm volatile ("" : "+r" (i));
+  return 0;
+}
+
+/* { dg-output "signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long long int'\[^\n\r]*(\n|\r\n|\r)" } */
+/* { dg-output "\[^\n\r]*negation of -9223372036854775808 cannot be represented in type 'long long int'\[^\n\r]*; cast to an unsigned type to negate this value to itself" } */