--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package gcc-10/10.2.1-6+deb11u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 26 Feb 2023 11:39:02 +0100
- Message-id: <167740794259.67981.1699446641137182590.reportbug@eldamar.lan>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gcc-10@packages.debian.org, jmm@debian.org, doko@ubuntu.com, dianne@skoll.ca, hans@knorrie.org, 1027456@bugs.debian.org, carnil@debian.org
Control: affects -1 + src:gcc-10
Dear stable release managers, hi Matthias,
When compiling 6.1.y kernel with gcc-10 (relevant for backports).
It was back reported at
https://lore.kernel.org/stable/187e8f10-2b73-3a18-d9ad-48b2d84bd6b9@pm.kalamlacki.eu/
and in #1027456. It can be shown as well with a reduced testcase:
----cut---------cut---------cut---------cut---------cut---------cut-----
unsigned int
strlen(char *s) {
for (; *s;)
;
}
struct i2c_adapter {
char name[48];
};
struct {
int instance;
struct i2c_adapter i2c_adap[];
} * init_cx18_i2c_cx;
const struct i2c_adapter cx18_i2c_adap_template = {""};
int init_cx18_i2c___trans_tmp_1;
void
init_cx18_i2c() {
int i = 0;
for (;; i++) {
init_cx18_i2c_cx->i2c_adap[i] = cx18_i2c_adap_template;
init_cx18_i2c___trans_tmp_1 = strlen(init_cx18_i2c_cx->i2c_adap[i].name);
}
}
----cut---------cut---------cut---------cut---------cut---------cut-----
and in gcc upstream at
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99824 .
The debdiff attached cherry-picks the upstream commit and was verified
for both the testcase above and through Hans van Kranenburg as well
for the kernel, in https://bugs.debian.org/1027456#61
So in order to make for bullseye-backports the 6.1.y kernel possible
we need something to move forward.
Matthias, comments?
Regards,
Salvatore
diff -Nru gcc-10-10.2.1/debian/changelog gcc-10-10.2.1/debian/changelog
--- gcc-10-10.2.1/debian/changelog 2021-01-10 12:35:39.000000000 +0100
+++ gcc-10-10.2.1/debian/changelog 2023-02-23 14:29:15.000000000 +0100
@@ -1,3 +1,11 @@
+gcc-10 (10.2.1-6+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * tree-optimization/99824 - avoid excessive integer type precision in VN
+ (Closes: #1027456)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 23 Feb 2023 14:29:15 +0100
+
gcc-10 (10.2.1-6) unstable; urgency=medium
* Update to git 20210110 from the gcc-10 branch.
diff -Nru gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff
--- gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff 1970-01-01 01:00:00.000000000 +0100
+++ gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff 2023-02-23 14:29:15.000000000 +0100
@@ -0,0 +1,140 @@
+From: Richard Biener <rguenther@suse.de>
+Date: Tue, 30 Mar 2021 11:22:52 +0200
+Subject: tree-optimization/99824 - avoid excessive integer type precision in
+ VN
+Origin: https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=ee15832c53d52656e562c29110f2be1cfb66c450
+Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99824
+Bug-Debian: https://bugs.debian.org/1027456
+
+VN sometimes builds new integer types to handle accesss where precision
+of the access type does not match the access size. The way
+ao_ref_init_from_vn_reference is computing the access size ignores
+the access type in case the ref operands have an outermost
+COMPONENT_REF which, in case it is an array for example, can be
+way larger than the access size. This can cause us to try
+building an integer type with precision larger than WIDE_INT_MAX_PRECISION
+eventually leading to memory corruption.
+
+The following adjusts ao_ref_init_from_vn_reference to only lower
+access sizes via the outermost COMPONENT_REF but otherwise honor
+the access size as specified by the access type.
+
+It also places an assert in integer type building that we remain
+in the limits of WIDE_INT_MAX_PRECISION. I chose the shared code
+where we set TYPE_MIN/MAX_VALUE because that will immediately
+cross the wide_ints capacity otherwise.
+
+2021-03-30 Richard Biener <rguenther@suse.de>
+
+ PR tree-optimization/99824
+ * stor-layout.c (set_min_and_max_values_for_integral_type):
+ Assert the precision is within the bounds of
+ WIDE_INT_MAX_PRECISION.
+ * tree-ssa-sccvn.c (ao_ref_init_from_vn_reference): Use
+ the outermost component ref only to lower the access size
+ and initialize that from the access type.
+
+ * gcc.dg/torture/pr99824.c: New testcase.
+---
+ gcc/stor-layout.c | 2 ++
+ gcc/testsuite/gcc.dg/torture/pr99824.c | 33 ++++++++++++++++++++++++++
+ gcc/tree-ssa-sccvn.c | 24 +++++++++++--------
+ 3 files changed, 49 insertions(+), 10 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.dg/torture/pr99824.c
+
+diff --git a/src/gcc/stor-layout.c b/src/gcc/stor-layout.c
+index bde6fa22b58a..57c8a2516d95 100644
+--- a/src/gcc/stor-layout.c
++++ b/src/gcc/stor-layout.c
+@@ -2816,6 +2816,8 @@ set_min_and_max_values_for_integral_type (tree type,
+ if (precision < 1)
+ return;
+
++ gcc_assert (precision <= WIDE_INT_MAX_PRECISION);
++
+ TYPE_MIN_VALUE (type)
+ = wide_int_to_tree (type, wi::min_value (precision, sgn));
+ TYPE_MAX_VALUE (type)
+diff --git a/src/gcc/testsuite/gcc.dg/torture/pr99824.c b/src/gcc/testsuite/gcc.dg/torture/pr99824.c
+new file mode 100644
+index 000000000000..9022d4a4b8e7
+--- /dev/null
++++ b/src/gcc/testsuite/gcc.dg/torture/pr99824.c
+@@ -0,0 +1,33 @@
++/* { dg-do compile } */
++
++unsigned int
++strlenx(char *s)
++{
++ char *orig_s = s;
++ for (; *s; ++s)
++ ;
++ return s - orig_s;
++}
++
++struct i2c_adapter {
++ char name[48];
++};
++
++struct {
++ int instance;
++ struct i2c_adapter i2c_adap[];
++} * init_cx18_i2c_cx;
++
++const struct i2c_adapter cx18_i2c_adap_template = {""};
++int init_cx18_i2c___trans_tmp_1;
++
++void
++init_cx18_i2c()
++{
++ int i = 0;
++ for (;; i++) {
++ init_cx18_i2c_cx->i2c_adap[i] = cx18_i2c_adap_template;
++ init_cx18_i2c___trans_tmp_1
++ = strlenx(init_cx18_i2c_cx->i2c_adap[i].name);
++ }
++}
+diff --git a/src/gcc/tree-ssa-sccvn.c b/src/gcc/tree-ssa-sccvn.c
+index 4b280f21006e..926b4a976aec 100644
+--- a/src/gcc/tree-ssa-sccvn.c
++++ b/src/gcc/tree-ssa-sccvn.c
+@@ -996,22 +996,26 @@ ao_ref_init_from_vn_reference (ao_ref *ref,
+ poly_offset_int size = -1;
+ tree size_tree = NULL_TREE;
+
+- /* First get the final access size from just the outermost expression. */
++ machine_mode mode = TYPE_MODE (type);
++ if (mode == BLKmode)
++ size_tree = TYPE_SIZE (type);
++ else
++ size = GET_MODE_BITSIZE (mode);
++ if (size_tree != NULL_TREE
++ && poly_int_tree_p (size_tree))
++ size = wi::to_poly_offset (size_tree);
++
++ /* Lower the final access size from the outermost expression. */
+ op = &ops[0];
++ size_tree = NULL_TREE;
+ if (op->opcode == COMPONENT_REF)
+ size_tree = DECL_SIZE (op->op0);
+ else if (op->opcode == BIT_FIELD_REF)
+ size_tree = op->op0;
+- else
+- {
+- machine_mode mode = TYPE_MODE (type);
+- if (mode == BLKmode)
+- size_tree = TYPE_SIZE (type);
+- else
+- size = GET_MODE_BITSIZE (mode);
+- }
+ if (size_tree != NULL_TREE
+- && poly_int_tree_p (size_tree))
++ && poly_int_tree_p (size_tree)
++ && (!known_size_p (size)
++ || known_lt (wi::to_poly_offset (size_tree), size)))
+ size = wi::to_poly_offset (size_tree);
+
+ /* Initially, maxsize is the same as the accessed element size.
+--
+2.39.2
+
diff -Nru gcc-10-10.2.1/debian/rules.patch gcc-10-10.2.1/debian/rules.patch
--- gcc-10-10.2.1/debian/rules.patch 2021-01-10 12:35:39.000000000 +0100
+++ gcc-10-10.2.1/debian/rules.patch 2023-02-23 14:28:37.000000000 +0100
@@ -83,6 +83,7 @@
pr97250-3 \
pr97250-4 \
pr97714 \
+ tree-optimization-99824-avoid-excessive-integer-type \
ifneq (,$(filter $(distrelease),wheezy jessie stretch buster lucid precise trusty xenial bionic cosmic disco eoan))
debian_patches += pr85678-revert
--- End Message ---