Hi,
As analyzed in PR67921, I think the issue is caused by fold_binary_loc which
folds:
  4 - (sizetype) &c - (sizetype) ((int *) p1_8(D) + ((sizetype) a_23 * 24 +
4))
into below form:
  ((sizetype) -((int *) p1_8(D) + ((sizetype) a_23 * 24 + 4)) - (sizetype)
&c) + 4

Note that the sizetype subtraction is folded into the negation of a pointer
expression, which seems incorrect.  Apart from this, the direct cause of this
ICE is an oversight in CHREC.  In general CHREC supports NEGATE_EXPR on a
CHREC; the only problem is that, when building a pointer-typed CHREC, it uses
the pointer type rather than sizetype for CHREC_RIGHT.

This simple patch fixes the ICE.  Bootstrapped and tested on x86 and x86_64.

Is it OK?

Note that I do think the association logic in fold_binary_loc needs fixing,
but that should be a separate patch.


2015-10-20  Bin Cheng  <bin.ch...@arm.com>

        PR tree-optimization/67921
        * tree-chrec.c (chrec_fold_multiply): Use sizetype for CHREC_RIGHT
if
        type is pointer type.

2015-10-20  Bin Cheng  <bin.ch...@arm.com>

        PR tree-optimization/67921
        * gcc.dg/ubsan/pr67921.c: New test.
diff --git a/gcc/tree-chrec.c b/gcc/tree-chrec.c
index 649c9fe..ef7b70b 100644
--- a/gcc/tree-chrec.c
+++ b/gcc/tree-chrec.c
@@ -436,7 +436,8 @@ chrec_fold_multiply (tree type,
          return build_polynomial_chrec
            (CHREC_VARIABLE (op0),
             chrec_fold_multiply (type, CHREC_LEFT (op0), op1),
-            chrec_fold_multiply (type, CHREC_RIGHT (op0), op1));
+            chrec_fold_multiply (POINTER_TYPE_P (type) ? sizetype : type,
+                                 CHREC_RIGHT (op0), op1));
        }
 
     CASE_CONVERT:
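Review bot: The new CHREC_RIGHT call on the `+` lines folds in sizetype when `type` is a pointer, but `op1` is passed through unchanged, so if `op1` is not already of sizetype the MULT_EXPR eventually built for the step would have operands of differing types; converting it here, `chrec_fold_multiply (sizetype, CHREC_RIGHT (op0), fold_convert (sizetype, op1))`, makes the invariant explicit. Whether `op1` can reach this point as a non-sizetype integer is not visible from this hunk. The CHREC_LEFT call on the line above still folds in `type`, which is the pre-existing behaviour and not changed here. chrec_fold_multiply starts before this hunk and continues past it.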
@@ -459,7 +460,8 @@ chrec_fold_multiply (tree type,
          return build_polynomial_chrec
            (CHREC_VARIABLE (op1),
             chrec_fold_multiply (type, CHREC_LEFT (op1), op0),
-            chrec_fold_multiply (type, CHREC_RIGHT (op1), op0));
+            chrec_fold_multiply (POINTER_TYPE_P (type) ? sizetype : type,
+                                 CHREC_RIGHT (op1), op0));
 
        CASE_CONVERT:
          if (tree_contains_chrecs (op1, NULL))
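Review bot: The `POINTER_TYPE_P (type) ? sizetype : type` selection is repeated here from the op0 case above with no comment saying why the step of a pointer-typed chrec is folded in a different type from its base; a one-line comment above each call, `/* The step of a pointer chrec is an offset in sizetype, not a pointer.  */`, would keep the two sites from drifting apart. The same operand-type question applies here as in the op0 case: `op0` is passed unchanged into the sizetype fold, so if it is not already of sizetype the resulting MULT_EXPR would mix types. The enclosing function continues past the end of this hunk.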
diff --git a/gcc/testsuite/gcc.dg/ubsan/pr67921.c 
b/gcc/testsuite/gcc.dg/ubsan/pr67921.c
new file mode 100644
index 0000000..5e7d707
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/ubsan/pr67921.c
@@ -0,0 +1,22 @@
+/* { dg-do compile } */
+/* { dg-options "-fsanitize=undefined" } */
+
+typedef struct {
+  int a;
+  int arr[][6];
+}st;
+
+void bar (int);
+void foo (st *p)
+{
+  int a;
+  for (; a < 2; a++)
+    for (; p->a;)
+      {
+       int *b = p->arr[a];
+       int c[66];
+       int j = 0;
+       for (; j < 56; j++)
+         bar (b[j] - c[j]);
+      }
+}
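Review bot: The new test lacks the conventional leading comment naming the bug it reproduces; adding `/* PR tree-optimization/67921 */` as the first line, before the dg-do directive, makes the file self-describing. The loop counter `a` is read uninitialized in `for (; a < 2; a++)`; this is presumably an artefact of test reduction and harmless for a compile-only ICE reproducer, but a short comment such as `/* Reduced testcase; keep the shape as is.  */` would stop a later cleanup from losing the reproducer.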
