https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79170
Bug ID: 79170
Summary: memcmp builtin expansion sequence can overflow
Product: gcc
Version: 7.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: acsawdey at gcc dot gnu.org
Reporter: acsawdey at gcc dot gnu.org
CC: segher at gcc dot gnu.org, wschmidt at gcc dot gnu.org
Target Milestone: ---
Target: powerpc64*-*-*
The sequence generated for memcmp() builtin expansion can overflow in the subf
and produce the wrong result.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
#define SIZE 16
int main ()
{
unsigned char buffer1[SIZE] = { 0,0,0,0,0,0,0,1 };
unsigned char buffer2[SIZE] = { 0x80,0,0,0,0,0,0,3 };
asm(" ");
int n = memcmp(buffer1,buffer2, SIZE);
printf("%d\n", n);
}
produces
ldbrx 9,0,6
ldbrx 4,0,8
subf. 4,4,9
bne 0,.L2
addi 10,1,120
ldbrx 9,0,10
addi 10,1,104
ldbrx 4,0,10
subf 4,4,9
.L2:
cntlzd 4,4
addis 3,2,.LC0@toc@ha
addi 3,3,.LC0@toc@l
addi 4,4,-1
xori 4,4,0x3f
bl printf
If the subf result overflows such that the sign bit is not set in r4, then the
wrong result is produced.
