Re: [PATCH] strlen: Fix another spot that can create invalid ranges [PR114293]

[Richard Biener]

On Tue, 12 Mar 2024, Jakub Jelinek wrote:

> Hi!
> 
> This PR is similar to PR110603 fixed with r14-8487, except in a different
> spot.  From the memset with -1 size of non-zero value we determine minimum
> of (size_t) -1 and the code uses PTRDIFF_MAX - 2 (not really sure I
> understand why it is - 2 and not - 1, e.g. heap allocated array
> with PTRDIFF_MAX char elements which contain '\0' in the last element
> should be fine, no?  One can still represent arr[PTRDIFF_MAX] - arr[0]
> and arr[0] - arr[PTRDIFF_MAX] in ptrdiff_t and
> strlen (arr) == PTRDIFF_MAX - 1) as the maximum, so again invalid range.
> As in the other case, it is just UB that can lead to that, and we have
> choice to only keep the min and use +inf for max, or only keep max
> and use 0 for min, or not set the range at all, or use [min, min] or
> [max, max] etc.  The following patch uses [min, +inf].
> 
> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

OK.

Richard.

> 2024-03-12  Jakub Jelinek  <ja...@redhat.com>
> 
>       PR tree-optimization/114293
>       * tree-ssa-strlen.cc (strlen_pass::handle_builtin_strlen): If
>       max is smaller than min, set max to ~(size_t)0.
> 
>       * gcc.dg/pr114293.c: New test.
> 
> --- gcc/tree-ssa-strlen.cc.jj 2024-01-30 09:57:58.361809262 +0100
> +++ gcc/tree-ssa-strlen.cc    2024-03-11 10:35:04.305650520 +0100
> @@ -2341,6 +2341,8 @@ strlen_pass::handle_builtin_strlen ()
>                 wide_int min = wi::to_wide (old);
>                 wide_int max
>                   = wi::to_wide (TYPE_MAX_VALUE (ptrdiff_type_node)) - 2;
> +               if (wi::gtu_p (min, max))
> +                 max = wi::to_wide (TYPE_MAX_VALUE (TREE_TYPE (lhs)));
>                 set_strlen_range (lhs, min, max);
>               }
>             else
> --- gcc/testsuite/gcc.dg/pr114293.c.jj        2024-03-11 10:41:04.375708877 
> +0100
> +++ gcc/testsuite/gcc.dg/pr114293.c   2024-03-11 10:40:50.355895196 +0100
> @@ -0,0 +1,10 @@
> +/* PR tree-optimization/114293 */
> +/* { dg-do compile } */
> +/* { dg-options "-O2 -w" } */
> +
> +int
> +foo (int x)
> +{
> +  __builtin_memset (&x, 5, -1);
> +  return __builtin_strlen ((char *) &x);
> +}
> 
>       Jakub
> 
> 

-- 
Richard Biener <rguent...@suse.de>
SUSE Software Solutions Germany GmbH,
Frankenstrasse 146, 90461 Nuernberg, Germany;
GF: Ivo Totev, Andrew McDonald, Werner Knoblich; (HRB 36809, AG Nuernberg)