[Tinycc-devel] [fix] UB in constant folding of double -> signed integer conversion

Sat, 14 Sep 2024 05:57:09 -0700 

bug report: https://savannah.nongnu.org/bugs/?66214

turn out a one-liner fix is adequate, so I added a patch: 
https://repo.or.cz/tinycc.git/commitdiff/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95

diff --git 
a/tccgen.c<https://repo.or.cz/tinycc.git/blob/57bc493f2bef310fe24853ae6e854e6410c37be0?f=tccgen.c>
 
b/tccgen.c<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tccgen.c>
index 
57bc493<https://repo.or.cz/tinycc.git/blob/57bc493f2bef310fe24853ae6e854e6410c37be0?f=tccgen.c>..9431582<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tccgen.c>
 100644 (file)
--- 
a/tccgen.c<https://repo.or.cz/tinycc.git/blob/57bc493f2bef310fe24853ae6e854e6410c37be0?f=tccgen.c>
+++ 
b/tccgen.c<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tccgen.c>
@@ 
-3249,7<https://repo.or.cz/tinycc.git/blob/57bc493f2bef310fe24853ae6e854e6410c37be0?f=tccgen.c#l3249>
 
+3249,10<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tccgen.c#l3249>
 @@ error:
                 vtop->c.i = (vtop->c.ld != 0);
             } else {
                 if(sf)
-                    vtop->c.i = vtop->c.ld;
+                    /* the range of [int64_t] is enough to hold the integer 
part of any float value.
+                       Meanwhile, converting negative double to unsigned 
integer is UB.
+                       So first convert to [int64_t] here. */
+                    vtop->c.i = (int64_t)vtop->c.ld;
                 else if (sbt_bt == VT_LLONG || (PTR_SIZE == 8 && sbt == 
VT_PTR))
                     ;
                 else if (sbt & VT_UNSIGNED)
diff --git a/tests/tests2/134_double_to_signed.c 
b/tests/tests2/134_double_to_signed.c<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.c>
new file mode 100644 (file)
index 
0000000..a9f5e0e<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.c>
--- /dev/null
+++ 
b/tests/tests2/134_double_to_signed.c<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.c>
@@ -0,0 
+1,10<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.c#l1>
 @@
+#include <stdio.h>
+int main() {
+  printf("%d\n", (int)-1.0);
+  double d = -1.0;
+  printf("%d\n", (int)d);
+
+  printf("%d\n", (int)-2147483648.0);
+  d = -2147483648.0;
+  printf("%d\n", (int)d);
+}
diff --git a/tests/tests2/134_double_to_signed.expect 
b/tests/tests2/134_double_to_signed.expect<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.expect>
new file mode 100644 (file)
index 
0000000..468a382<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.expect>
--- /dev/null
+++ 
b/tests/tests2/134_double_to_signed.expect<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.expect>
@@ -0,0 
+1,4<https://repo.or.cz/tinycc.git/blob/b8b6a5fd7b4e8cab8e5a5d01064cf5bf2b5eed95:/tests/tests2/134_double_to_signed.expect#l1>
 @@
+-1
+-1
+-2147483648
+-2147483648

The UB happens to have correct behavior on x86, so the bug can only be 
reproduced on other platforms, for example arm64. I tested the fix on amd64 and 
arm64(M2).

_______________________________________________
Tinycc-devel mailing list
Tinycc-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/tinycc-devel

Reply via email to