
Bug#1031982: marked as done (bullseye-pu: package gcc-10/10.2.1-6+deb11u1)



Your message dated Sun, 7 Jul 2024 19:41:40 +0100
with message-id <ZorhZGSH_41hmRgM@powdarrmonkey.net>
and subject line Re: Bug#1031982: bullseye-pu: package gcc-10/10.2.1-6+deb11u1
has caused the Debian Bug report #1031982,
regarding bullseye-pu: package gcc-10/10.2.1-6+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1031982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031982
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gcc-10@packages.debian.org, jmm@debian.org, doko@ubuntu.com, dianne@skoll.ca, hans@knorrie.org, 1027456@bugs.debian.org, carnil@debian.org
Control: affects -1 + src:gcc-10

Dear stable release managers, hi Matthias,

When compiling 6.1.y kernel with gcc-10 (relevant for backports).
It was back reported at
https://lore.kernel.org/stable/187e8f10-2b73-3a18-d9ad-48b2d84bd6b9@pm.kalamlacki.eu/
and in #1027456. It can be shown as well with a reduced testcase:

----cut---------cut---------cut---------cut---------cut---------cut-----
unsigned int
strlen(char *s) {
  for (; *s;)
    ;
}

struct i2c_adapter {
  char name[48];
};

struct {
  int instance;
  struct i2c_adapter i2c_adap[];
} * init_cx18_i2c_cx;

const struct i2c_adapter cx18_i2c_adap_template = {""};
int init_cx18_i2c___trans_tmp_1;

void
init_cx18_i2c() {
  int i = 0;
  for (;; i++) {
    init_cx18_i2c_cx->i2c_adap[i] = cx18_i2c_adap_template;
    init_cx18_i2c___trans_tmp_1 = strlen(init_cx18_i2c_cx->i2c_adap[i].name);
  }
}
----cut---------cut---------cut---------cut---------cut---------cut-----

and in gcc upstream at
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99824 .

The debdiff attached cherry-picks the upstream commit and was verified
for both the testcase above and through Hans van Kranenburg as well
for the kernel, in https://bugs.debian.org/1027456#61

So in order to make for bullseye-backports the 6.1.y kernel possible
we need something to move forward.

Matthias, comments?

Regards,
Salvatore
diff -Nru gcc-10-10.2.1/debian/changelog gcc-10-10.2.1/debian/changelog
--- gcc-10-10.2.1/debian/changelog	2021-01-10 12:35:39.000000000 +0100
+++ gcc-10-10.2.1/debian/changelog	2023-02-23 14:29:15.000000000 +0100
@@ -1,3 +1,11 @@
+gcc-10 (10.2.1-6+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * tree-optimization/99824 - avoid excessive integer type precision in VN
+    (Closes: #1027456)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 23 Feb 2023 14:29:15 +0100
+
 gcc-10 (10.2.1-6) unstable; urgency=medium
 
   * Update to git 20210110 from the gcc-10 branch.
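Review bot: The new changelog bullet for tree-optimization/99824 does not name the patch file being added or say that the change is a cherry-pick of an upstream commit, which is the first thing a stable-update reviewer needs from the entry. Consider wording it as "Add tree-optimization-99824-avoid-excessive-integer-type.diff, cherry-picked from upstream" and keeping the (Closes: #1027456) reference as it is.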
diff -Nru gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff
--- gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff	1970-01-01 01:00:00.000000000 +0100
+++ gcc-10-10.2.1/debian/patches/tree-optimization-99824-avoid-excessive-integer-type.diff	2023-02-23 14:29:15.000000000 +0100
@@ -0,0 +1,140 @@
+From: Richard Biener <rguenther@suse.de>
+Date: Tue, 30 Mar 2021 11:22:52 +0200
+Subject: tree-optimization/99824 - avoid excessive integer type precision in
+ VN
+Origin: https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=ee15832c53d52656e562c29110f2be1cfb66c450
+Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99824
+Bug-Debian: https://bugs.debian.org/1027456
+
+VN sometimes builds new integer types to handle accesss where precision
+of the access type does not match the access size.  The way
+ao_ref_init_from_vn_reference is computing the access size ignores
+the access type in case the ref operands have an outermost
+COMPONENT_REF which, in case it is an array for example, can be
+way larger than the access size.  This can cause us to try
+building an integer type with precision larger than WIDE_INT_MAX_PRECISION
+eventually leading to memory corruption.
+
+The following adjusts ao_ref_init_from_vn_reference to only lower
+access sizes via the outermost COMPONENT_REF but otherwise honor
+the access size as specified by the access type.
+
+It also places an assert in integer type building that we remain
+in the limits of WIDE_INT_MAX_PRECISION.  I chose the shared code
+where we set TYPE_MIN/MAX_VALUE because that will immediately
+cross the wide_ints capacity otherwise.
+
+2021-03-30  Richard Biener  <rguenther@suse.de>
+
+	PR tree-optimization/99824
+	* stor-layout.c (set_min_and_max_values_for_integral_type):
+	Assert the precision is within the bounds of
+	WIDE_INT_MAX_PRECISION.
+	* tree-ssa-sccvn.c (ao_ref_init_from_vn_reference): Use
+	the outermost component ref only to lower the access size
+	and initialize that from the access type.
+
+	* gcc.dg/torture/pr99824.c: New testcase.
+---
+ gcc/stor-layout.c                      |  2 ++
+ gcc/testsuite/gcc.dg/torture/pr99824.c | 33 ++++++++++++++++++++++++++
+ gcc/tree-ssa-sccvn.c                   | 24 +++++++++++--------
+ 3 files changed, 49 insertions(+), 10 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.dg/torture/pr99824.c
+
+diff --git a/src/gcc/stor-layout.c b/src/gcc/stor-layout.c
+index bde6fa22b58a..57c8a2516d95 100644
+--- a/src/gcc/stor-layout.c
++++ b/src/gcc/stor-layout.c
+@@ -2816,6 +2816,8 @@ set_min_and_max_values_for_integral_type (tree type,
+   if (precision < 1)
+     return;
+ 
++  gcc_assert (precision <= WIDE_INT_MAX_PRECISION);
++
+   TYPE_MIN_VALUE (type)
+     = wide_int_to_tree (type, wi::min_value (precision, sgn));
+   TYPE_MAX_VALUE (type)
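Review bot: The added gcc_assert (precision <= WIDE_INT_MAX_PRECISION) in set_min_and_max_values_for_integral_type has no comment, so the reason it sits at this spot is recorded only in the commit message. A one-line comment above it, saying that the wi::min_value and wi::max_value calls below would otherwise exceed the wide_int capacity, would keep that rationale next to the code.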
+diff --git a/src/gcc/testsuite/gcc.dg/torture/pr99824.c b/src/gcc/testsuite/gcc.dg/torture/pr99824.c
+new file mode 100644
+index 000000000000..9022d4a4b8e7
+--- /dev/null
++++ b/src/gcc/testsuite/gcc.dg/torture/pr99824.c
+@@ -0,0 +1,33 @@
++/* { dg-do compile } */
++
++unsigned int
++strlenx(char *s)
++{
++  char *orig_s = s;
++  for (; *s; ++s)
++    ;
++  return s - orig_s;
++}
++
++struct i2c_adapter {
++    char name[48];
++};
++
++struct {
++    int instance;
++    struct i2c_adapter i2c_adap[];
++} * init_cx18_i2c_cx;
++
++const struct i2c_adapter cx18_i2c_adap_template = {""};
++int init_cx18_i2c___trans_tmp_1;
++
++void
++init_cx18_i2c()
++{
++  int i = 0;
++  for (;; i++) {
++      init_cx18_i2c_cx->i2c_adap[i] = cx18_i2c_adap_template;
++      init_cx18_i2c___trans_tmp_1
++	= strlenx(init_cx18_i2c_cx->i2c_adap[i].name);
++  }
++}
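Review bot: The new pr99824.c carries only the dg-do compile directive and nothing that ties it to the PR or says what it guards against, so a later reader cannot tell from the file why the infinite loop and the empty-string template matter. A leading comment such as /* PR tree-optimization/99824 */ with one sentence on the expected outcome (the file compiles without tripping the new assert) would cover that.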
+diff --git a/src/gcc/tree-ssa-sccvn.c b/src/gcc/tree-ssa-sccvn.c
+index 4b280f21006e..926b4a976aec 100644
+--- a/src/gcc/tree-ssa-sccvn.c
++++ b/src/gcc/tree-ssa-sccvn.c
+@@ -996,22 +996,26 @@ ao_ref_init_from_vn_reference (ao_ref *ref,
+   poly_offset_int size = -1;
+   tree size_tree = NULL_TREE;
+ 
+-  /* First get the final access size from just the outermost expression.  */
++  machine_mode mode = TYPE_MODE (type);
++  if (mode == BLKmode)
++    size_tree = TYPE_SIZE (type);
++  else
++    size = GET_MODE_BITSIZE (mode);
++  if (size_tree != NULL_TREE
++      && poly_int_tree_p (size_tree))
++    size = wi::to_poly_offset (size_tree);
++
++  /* Lower the final access size from the outermost expression.  */
+   op = &ops[0];
++  size_tree = NULL_TREE;
+   if (op->opcode == COMPONENT_REF)
+     size_tree = DECL_SIZE (op->op0);
+   else if (op->opcode == BIT_FIELD_REF)
+     size_tree = op->op0;
+-  else
+-    {
+-      machine_mode mode = TYPE_MODE (type);
+-      if (mode == BLKmode)
+-	size_tree = TYPE_SIZE (type);
+-      else
+-	size = GET_MODE_BITSIZE (mode);
+-    }
+   if (size_tree != NULL_TREE
+-      && poly_int_tree_p (size_tree))
++      && poly_int_tree_p (size_tree)
++      && (!known_size_p (size)
++	  || known_lt (wi::to_poly_offset (size_tree), size)))
+     size = wi::to_poly_offset (size_tree);
+ 
+   /* Initially, maxsize is the same as the accessed element size.
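Review bot: The new known_lt guard on the second size_tree check applies to the BIT_FIELD_REF branch as well as to COMPONENT_REF, while the commit message describes only lowering the access size via the outermost COMPONENT_REF. If capping a BIT_FIELD_REF size at the access type's size is intended, the comment above op = &ops[0] should say so. The block would also read more clearly with a separate variable for the type size instead of reusing size_tree and resetting it with size_tree = NULL_TREE.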
+-- 
+2.39.2
+
diff -Nru gcc-10-10.2.1/debian/rules.patch gcc-10-10.2.1/debian/rules.patch
--- gcc-10-10.2.1/debian/rules.patch	2021-01-10 12:35:39.000000000 +0100
+++ gcc-10-10.2.1/debian/rules.patch	2023-02-23 14:28:37.000000000 +0100
@@ -83,6 +83,7 @@
 	pr97250-3 \
 	pr97250-4 \
 	pr97714 \
+	tree-optimization-99824-avoid-excessive-integer-type \
 
 ifneq (,$(filter $(distrelease),wheezy jessie stretch buster lucid precise trusty xenial bionic cosmic disco eoan))
   debian_patches += pr85678-revert

--- End Message ---
--- Begin Message ---
Hi,

Without input from Matthias, closing this.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

--- End Message ---
