Don't create out-of-bounds BIT_FIELD_REF.

2013-11-27  Tom de Vries  <tom@codesourcery.com>
	    Marc Glisse  <marc.glisse@inria.fr>

	PR middle-end/59037
	* semantics.c (cxx_fold_indirect_ref): Don't create out-of-bounds
	BIT_FIELD_REF.

	* fold-const.c (fold_indirect_ref_1): Don't create out-of-bounds
	BIT_FIELD_REF.
	* gimple-fold.c (gimple_fold_indirect_ref): Same.
	* tree-cfg.c (verify_expr): Give error if BIT_FIELD_REF is
	out-of-bounds.

	* c-c++-common/pr59037.c: New testcase.

Co-Authored-By: Marc Glisse <marc.glisse@inria.fr>

From-SVN: r205438

gcc/ChangeLog

@@ -1,3 +1,13 @@
+2013-11-27  Tom de Vries  <tom@codesourcery.com>
+	    Marc Glisse  <marc.glisse@inria.fr>
+
+	PR middle-end/59037
+	* fold-const.c (fold_indirect_ref_1): Don't create out-of-bounds
+	BIT_FIELD_REF.
+	* gimple-fold.c (gimple_fold_indirect_ref): Same.
+	* tree-cfg.c (verify_expr): Give error if BIT_FIELD_REF is
+	out-of-bounds.
+
 2013-11-27  Eric Botcazou  <ebotcazou@adacore.com>
 
 	PR middle-end/59138

gcc/cp/ChangeLog

@@ -1,3 +1,10 @@
+2013-11-27  Tom de Vries  <tom@codesourcery.com>
+	    Marc Glisse  <marc.glisse@inria.fr>
+
+	PR middle-end/59037
+	* semantics.c (cxx_fold_indirect_ref): Don't create out-of-bounds
+	BIT_FIELD_REF.
+
 2013-11-26  Jakub Jelinek  <jakub@redhat.com>
 
 	PR c++/58874

gcc/cp/semantics.c

@@ -9122,7 +9122,7 @@ cxx_fold_indirect_ref (location_t loc, tree type, tree op0, bool *empty_base)
 	      unsigned HOST_WIDE_INT indexi = offset * BITS_PER_UNIT;
 	      tree index = bitsize_int (indexi);
 
-	      if (offset/part_widthi <= TYPE_VECTOR_SUBPARTS (op00type))
+	      if (offset / part_widthi < TYPE_VECTOR_SUBPARTS (op00type))
 		return fold_build3_loc (loc,
 					BIT_FIELD_REF, type, op00,
 					part_width, index);

gcc/fold-const.c

@@ -16720,7 +16720,7 @@ fold_indirect_ref_1 (location_t loc, tree type, tree op0)
 	      unsigned HOST_WIDE_INT indexi = offset * BITS_PER_UNIT;
 	      tree index = bitsize_int (indexi);
 
-	      if (offset/part_widthi <= TYPE_VECTOR_SUBPARTS (op00type))
+	      if (offset / part_widthi < TYPE_VECTOR_SUBPARTS (op00type))
 		return fold_build3_loc (loc,
 					BIT_FIELD_REF, type, op00,
 					part_width, index);

gcc/gimple-fold.c

@@ -3418,7 +3418,7 @@ gimple_fold_indirect_ref (tree t)
           unsigned HOST_WIDE_INT indexi = offset * BITS_PER_UNIT;
           tree index = bitsize_int (indexi);
           if (offset / part_widthi
-              <= TYPE_VECTOR_SUBPARTS (TREE_TYPE (addrtype)))
+	      < TYPE_VECTOR_SUBPARTS (TREE_TYPE (addrtype)))
             return fold_build3 (BIT_FIELD_REF, type, TREE_OPERAND (addr, 0),
                                 part_width, index);
 	}

gcc/testsuite/ChangeLog

@@ -1,3 +1,9 @@
+2013-11-27  Tom de Vries  <tom@codesourcery.com>
+	    Marc Glisse  <marc.glisse@inria.fr>
+
+	PR middle-end/59037
+	* c-c++-common/pr59037.c: New testcase.
+
 2013-11-27  Eric Botcazou  <ebotcazou@adacore.com>
 
 	* gcc.c-torture/execute/20131127-1.c: New test.

gcc/testsuite/c-c++-common/pr59037.c

@@ -0,0 +1,12 @@
+/* { dg-do compile } */
+/* { dg-options "-O3" } */
+
+typedef int v4si __attribute__ ((vector_size (16)));
+
+int
+main (int argc, char** argv)
+{
+  v4si x = {0,1,2,3};
+  x = (v4si) {(x)[3], (x)[2], (x)[1], (x)[0]};
+  return x[4];
+}

gcc/tree-cfg.c

@@ -2712,15 +2712,29 @@ verify_expr (tree *tp, int *walk_subtrees, void *data ATTRIBUTE_UNUSED)
 
       if (TREE_CODE (t) == BIT_FIELD_REF)
 	{
-	  if (!tree_fits_uhwi_p (TREE_OPERAND (t, 1))
-	      || !tree_fits_uhwi_p (TREE_OPERAND (t, 2)))
+	  tree t0 = TREE_OPERAND (t, 0);
+	  tree t1 = TREE_OPERAND (t, 1);
+	  tree t2 = TREE_OPERAND (t, 2);
+	  tree t0_type = TREE_TYPE (t0);
+	  unsigned HOST_WIDE_INT t0_size = 0;
+
+	  if (tree_fits_uhwi_p (TYPE_SIZE (t0_type)))
+	    t0_size = tree_to_uhwi (TYPE_SIZE (t0_type));
+	  else 
+	    {
+	      HOST_WIDE_INT t0_max_size = max_int_size_in_bytes (t0_type);
+	      if (t0_max_size > 0)
+		t0_size = t0_max_size * BITS_PER_UNIT;
+	    }
+	  if (!tree_fits_uhwi_p (t1)
+	      || !tree_fits_uhwi_p (t2))
 	    {
 	      error ("invalid position or size operand to BIT_FIELD_REF");
 	      return t;
 	    }
 	  if (INTEGRAL_TYPE_P (TREE_TYPE (t))
 	      && (TYPE_PRECISION (TREE_TYPE (t))
-		  != tree_to_uhwi (TREE_OPERAND (t, 1))))
+		  != tree_to_uhwi (t1)))
 	    {
 	      error ("integral result type precision does not match "
 		     "field size of BIT_FIELD_REF");
@@ -2729,12 +2743,19 @@ verify_expr (tree *tp, int *walk_subtrees, void *data ATTRIBUTE_UNUSED)
 	  else if (!INTEGRAL_TYPE_P (TREE_TYPE (t))
 		   && TYPE_MODE (TREE_TYPE (t)) != BLKmode
 		   && (GET_MODE_PRECISION (TYPE_MODE (TREE_TYPE (t)))
-		       != tree_to_uhwi (TREE_OPERAND (t, 1))))
+		       != tree_to_uhwi (t1)))
 	    {
 	      error ("mode precision of non-integral result does not "
 		     "match field size of BIT_FIELD_REF");
 	      return t;
 	    }
+	  if (t0_size != 0
+	      && tree_to_uhwi (t1) + tree_to_uhwi (t2) > t0_size)
+	    {
+	      error ("position plus size exceeds size of referenced object in "
+		     "BIT_FIELD_REF");
+	      return t;
+	    }
 	}
       t = TREE_OPERAND (t, 0);