xtensa: Fix out-of-bounds array access

Message ID	9871cd37-f2da-ad03-3083-22ff70422ddc@yahoo.co.jp
State	New
Headers	show Return-Path: <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org> DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 321DD3856DE2 Message-ID: <9871cd37-f2da-ad03-3083-22ff70422ddc@yahoo.co.jp> Date: Wed, 26 Oct 2022 15:27:51 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.4.0 Subject: [PATCH] xtensa: Fix out-of-bounds array access To: GCC Patches <gcc-patches@gcc.gnu.org> References: <7e3fe210-6dbc-fc29-dbb8-b951e89cf7e9@yahoo.co.jp> <mptzggkmj83.fsf@arm.com> <87f124f0-8a10-6c3b-6b12-cabf855e2e4b@yahoo.co.jp> <bae72550-da78-7ef7-dc3e-71ff28b7ec7f@gmail.com> <3296b387-083a-40cf-1bb5-40269e804f52@yahoo.co.jp> <CAMo8BfJqVu320Qh1ahnWsU_2gsUYJFgZgsa4=dBzALM1CmT83w@mail.gmail.com> <b1609279-d845-30a1-1ec6-ed0ca6c60a68@yahoo.co.jp> <CAMo8BfJOUHfuQHrk4jVsVVZCPZi5TC7_G+BHbevWvPspqJ159Q@mail.gmail.com> <CAMo8BfKmaALam+7rMcuCOfAu14mom8CS=vgbYX06byK12RVXxw@mail.gmail.com> <3054719f-6688-211c-da07-93c0fbf7c038@yahoo.co.jp> <20221025200957.v5yjre2fsbxqby43@lug-owl.de> In-Reply-To: <20221025200957.v5yjre2fsbxqby43@lug-owl.de> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list From: Takayuki 'January June' Suwa via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: Takayuki 'January June' Suwa <jjsuwa_sys3175@yahoo.co.jp> Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org Sender: "Gcc-patches" <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org>
Series	xtensa: Fix out-of-bounds array access \| expand xtensa: Fix out-of-bounds array access

Message ID

9871cd37-f2da-ad03-3083-22ff70422ddc@yahoo.co.jp

State

New

Headers

DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 321DD3856DE2
Message-ID: <9871cd37-f2da-ad03-3083-22ff70422ddc@yahoo.co.jp>
Date: Wed, 26 Oct 2022 15:27:51 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.4.0
Subject: [PATCH] xtensa: Fix out-of-bounds array access
To: GCC Patches <gcc-patches@gcc.gnu.org>
References: <7e3fe210-6dbc-fc29-dbb8-b951e89cf7e9@yahoo.co.jp>
 <mptzggkmj83.fsf@arm.com> <87f124f0-8a10-6c3b-6b12-cabf855e2e4b@yahoo.co.jp>
 <bae72550-da78-7ef7-dc3e-71ff28b7ec7f@gmail.com>
 <3296b387-083a-40cf-1bb5-40269e804f52@yahoo.co.jp>
 <CAMo8BfJqVu320Qh1ahnWsU_2gsUYJFgZgsa4=dBzALM1CmT83w@mail.gmail.com>
 <b1609279-d845-30a1-1ec6-ed0ca6c60a68@yahoo.co.jp>
 <CAMo8BfJOUHfuQHrk4jVsVVZCPZi5TC7_G+BHbevWvPspqJ159Q@mail.gmail.com>
 <CAMo8BfKmaALam+7rMcuCOfAu14mom8CS=vgbYX06byK12RVXxw@mail.gmail.com>
 <3054719f-6688-211c-da07-93c0fbf7c038@yahoo.co.jp>
 <20221025200957.v5yjre2fsbxqby43@lug-owl.de>
In-Reply-To: <20221025200957.v5yjre2fsbxqby43@lug-owl.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
From: Takayuki 'January June' Suwa via Gcc-patches <gcc-patches@gcc.gnu.org>
Reply-To: Takayuki 'January June' Suwa <jjsuwa_sys3175@yahoo.co.jp>
Errors-To: gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org
Sender: "Gcc-patches"
 <gcc-patches-bounces+incoming=patchwork.ozlabs.org@gcc.gnu.org>

Series

xtensa: Fix out-of-bounds array access | expand

Commit Message

Takayuki 'January June' Suwa Oct. 26, 2022, 6:27 a.m. UTC

On 2022/10/26 5:09, Jan-Benedict Glaw wrote:
> I didn't yet actually check the warning, it may be bogus.

This "problem" can occur in the following two places calling xtensa_split_DI_reg_imm():

- (define_expand "movdi") @ line 943-945
- (define_split) @ line 989

and the former causes the "real" problem:

[from gcc/insn-emit.cc (generated by building)]

> /* ../../gcc/config/xtensa/xtensa.md:932 */
> rtx
> gen_movdi (rtx operand0,
> 	rtx operand1)
> {
>   rtx_insn *_val = 0;
>   start_sequence ();
>   {
>     rtx operands[2];					// only 2 elements
>     operands[0] = operand0;
>     operands[1] = operand1;
> #define FAIL return (end_sequence (), _val)
> #define DONE return (_val = get_insns (), end_sequence (), _val)
> #line 936 "../../gcc/config/xtensa/xtensa.md"
> {
>   if (CONSTANT_P (operands[1]))
>     {
>       /* Split in halves if 64-bit Const-to-Reg moves
> 	 because of offering further optimization opportunities.  */
>       if (register_operand (operands[0], DImode))
> 	{
> 	  xtensa_split_DI_reg_imm (operands);		// out-of-bounds!
> 	  emit_move_insn (operands[0], operands[1]);
> 	  emit_move_insn (operands[2], operands[3]);	// out-of-bounds!
> 	  DONE;
> 	}

The latter is not a problem as the array is large enough (up to MAX_RECOG_OPERANDS-1).

===

gcc/ChangeLog:

	* config/xtensa/xtensa.md (movdi):
	Copy operands[0...1] to ops[0...3] and then use the latter before
	calling xtensa_split_DI_reg_imm() and emitting insns.
---
 gcc/config/xtensa/xtensa.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Max Filippov Oct. 26, 2022, 5:05 p.m. UTC | #1

On Tue, Oct 25, 2022 at 11:27 PM Takayuki 'January June' Suwa
<jjsuwa_sys3175@yahoo.co.jp> wrote:
>
> On 2022/10/26 5:09, Jan-Benedict Glaw wrote:
> > I didn't yet actually check the warning, it may be bogus.
>
> This "problem" can occur in the following two places calling xtensa_split_DI_reg_imm():
>
> - (define_expand "movdi") @ line 943-945
> - (define_split) @ line 989
>
> and the former causes the "real" problem:
>
> [from gcc/insn-emit.cc (generated by building)]
>
> > /* ../../gcc/config/xtensa/xtensa.md:932 */
> > rtx
> > gen_movdi (rtx operand0,
> >       rtx operand1)
> > {
> >   rtx_insn *_val = 0;
> >   start_sequence ();
> >   {
> >     rtx operands[2];                                  // only 2 elements
> >     operands[0] = operand0;
> >     operands[1] = operand1;
> > #define FAIL return (end_sequence (), _val)
> > #define DONE return (_val = get_insns (), end_sequence (), _val)
> > #line 936 "../../gcc/config/xtensa/xtensa.md"
> > {
> >   if (CONSTANT_P (operands[1]))
> >     {
> >       /* Split in halves if 64-bit Const-to-Reg moves
> >        because of offering further optimization opportunities.  */
> >       if (register_operand (operands[0], DImode))
> >       {
> >         xtensa_split_DI_reg_imm (operands);           // out-of-bounds!
> >         emit_move_insn (operands[0], operands[1]);
> >         emit_move_insn (operands[2], operands[3]);    // out-of-bounds!
> >         DONE;
> >       }
>
> The latter is not a problem as the array is large enough (up to MAX_RECOG_OPERANDS-1).
>
> ===
>
> gcc/ChangeLog:
>
>         * config/xtensa/xtensa.md (movdi):
>         Copy operands[0...1] to ops[0...3] and then use the latter before
>         calling xtensa_split_DI_reg_imm() and emitting insns.
> ---
>  gcc/config/xtensa/xtensa.md | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Committed to master as obvious after cleaning up
the commit message.

diff --git a/gcc/config/xtensa/xtensa.md b/gcc/config/xtensa/xtensa.md
index 2e7f76ada5c..de9bcbf24f7 100644
--- a/gcc/config/xtensa/xtensa.md
+++ b/gcc/config/xtensa/xtensa.md
@@ -940,9 +940,10 @@ 
 	 because of offering further optimization opportunities.  */
       if (register_operand (operands[0], DImode))
 	{
-	  xtensa_split_DI_reg_imm (operands);
-	  emit_move_insn (operands[0], operands[1]);
-	  emit_move_insn (operands[2], operands[3]);
+	  rtx ops[4] = { operands[0], operands[1] };
+	  xtensa_split_DI_reg_imm (ops);
+	  emit_move_insn (ops[0], ops[1]);
+	  emit_move_insn (ops[2], ops[3]);
 	  DONE;
 	}