re PR sanitizer/80348 (UBSAN: compile time crash in ubsan_instrument_division)

PR sanitizer/80348 * typeck.c (cp_build_binary_op): Use NULL_TREE instead of NULL. Set ORIG_TYPE earlier and not only when shortening. * g++.dg/ubsan/div-by-zero-3.C: New test. From-SVN: r246812
2017-04-10 17:18:15 +00:00 · 2017-04-10 17:18:15 +00:00 · 98a7a34e26
parent 46bf3f84b6
commit 98a7a34e26
4 changed files with 43 additions and 11 deletions
--- a/gcc/cp/ChangeLog
+++ b/gcc/cp/ChangeLog
@ -1,3 +1,9 @@
+2017-04-10  Marek Polacek  <polacek@redhat.com>
+
+	PR sanitizer/80348
+	* typeck.c (cp_build_binary_op): Use NULL_TREE instead of NULL.  Set
+	ORIG_TYPE earlier and not only when shortening.
+
 2017-04-07  Jason Merrill  <jason@redhat.com>

 	PR c++/80356 - ICE with reference to function template argument.
--- a/gcc/cp/typeck.c
+++ b/gcc/cp/typeck.c
@ -4105,7 +4105,7 @@ cp_build_binary_op (location_t location,

  /* Data type in which the computation is to be performed.
     In the simplest cases this is the common type of the arguments.  */
-  tree result_type = NULL;
+  tree result_type = NULL_TREE;

  /* Nonzero means operands have already been type-converted
     in whatever way is necessary.
@ -4121,7 +4121,6 @@ cp_build_binary_op (location_t location,
  tree final_type = 0;

  tree result, result_ovl;
-  tree orig_type = NULL;

  /* Nonzero if this is an operation like MIN or MAX which can
     safely be computed in short if both args are promoted shorts.
@ -4153,7 +4152,7 @@ cp_build_binary_op (location_t location,
  bool doing_shift = false;

  /* Tree holding instrumentation expression.  */
-  tree instrument_expr = NULL;
+  tree instrument_expr = NULL_TREE;

  if (code == TRUTH_AND_EXPR || code == TRUTH_ANDIF_EXPR
      || code == TRUTH_OR_EXPR || code == TRUTH_ORIF_EXPR
@ -5042,6 +5041,10 @@ cp_build_binary_op (location_t location,
      return tmp;
    }

+  /* Remember the original type; RESULT_TYPE might be changed later on
+     by shorten_binary_op.  */
+  tree orig_type = result_type;
+
  if (arithmetic_types_p)
    {
      bool first_complex = (code0 == COMPLEX_TYPE);
@ -5138,7 +5141,6 @@ cp_build_binary_op (location_t location,

      if (shorten && none_complex)
 	{
-	  orig_type = result_type;
 	  final_type = result_type;
 	  result_type = shorten_binary_op (result_type, op0, op1,
 					   shorten == -1);
@ -5218,13 +5220,10 @@ cp_build_binary_op (location_t location,
 	     original result_type.  */
 	  tree cop0 = op0;
 	  tree cop1 = op1;
-	  if (orig_type != NULL_TREE)
-	    {
-	      if (TREE_TYPE (cop0) != orig_type)
-		cop0 = cp_convert (orig_type, op0, complain);
-	      if (TREE_TYPE (cop1) != orig_type)
-		cop1 = cp_convert (orig_type, op1, complain);
-	    }
+	  if (TREE_TYPE (cop0) != orig_type)
+	    cop0 = cp_convert (orig_type, op0, complain);
+	  if (TREE_TYPE (cop1) != orig_type)
+	    cop1 = cp_convert (orig_type, op1, complain);
 	  instrument_expr = ubsan_instrument_division (location, cop0, cop1);
 	}
      else if (doing_shift && (flag_sanitize & SANITIZE_SHIFT))
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@ -1,3 +1,8 @@
+2017-04-10  Marek Polacek  <polacek@redhat.com>
+
+	PR sanitizer/80348
+	* g++.dg/ubsan/div-by-zero-3.C: New test.
+
 2017-04-10  Bin Cheng  <bin.cheng@arm.com>

 	PR tree-optimization/80153
--- a/gcc/testsuite/g++.dg/ubsan/div-by-zero-3.C
+++ b/gcc/testsuite/g++.dg/ubsan/div-by-zero-3.C
@ -0,0 +1,22 @@
+// PR sanitizer/80348
+// { dg-do compile }
+// { dg-options "-fsanitize=integer-divide-by-zero" }
+
+extern long long int i;
+void
+fn1 ()
+{
+  (0 >= 10253361740180 >= long (0 >= 0)) % i;
+}
+
+void
+fn2 ()
+{
+  0 / unsigned (!(0 - 3) >= (0 > 0));
+}
+
+void
+fn3 ()
+{
+  (0 < 0 >= (0 < 0 < 0)) % (unsigned (2) << 0);
+}