We ICE on this testcase in

 9812       /* Transform x * -C into -x * C if x is easily negatable.  */
 9813       if (TREE_CODE (op1) == INTEGER_CST
 9814           && tree_int_cst_sgn (op1) == -1
 9815           && negate_expr_p (op0)
 9816           && (tem = negate_expr (op1)) != op1
 9817           && ! TREE_OVERFLOW (tem))

because fold_negate_expr returns NULL_TREE for INT_MIN, so negate_expr just wrapped it into a NEGATE_EXPR, creating NEGATE_EXPR <INT_MIN>.  TREE_OVERFLOW crashes on that.  I thought it made sense to check whether we can negate OP1 first, as done in the patch below.

Bootstrapped/regtested on x86_64-linux, ok for trunk and 7? 2017-05-25 Marek Polacek <pola...@redhat.com> PR sanitizer/80875 * fold-const.c (fold_binary_loc) <case MULT_EXPR>: Check if OP1 can be negated. * c-c++-common/ubsan/pr80875.c: New test. diff --git gcc/fold-const.c gcc/fold-const.c index efc0b10..911ae36 100644 --- gcc/fold-const.c +++ gcc/fold-const.c @@ -9813,6 +9813,7 @@ fold_binary_loc (location_t loc, if (TREE_CODE (op1) == INTEGER_CST && tree_int_cst_sgn (op1) == -1 && negate_expr_p (op0) + && negate_expr_p (op1) && (tem = negate_expr (op1)) != op1 && ! TREE_OVERFLOW (tem)) return fold_build2_loc (loc, MULT_EXPR, type, diff --git gcc/testsuite/c-c++-common/ubsan/pr80875.c gcc/testsuite/c-c++-common/ubsan/pr80875.c index e69de29..e679452 100644 --- gcc/testsuite/c-c++-common/ubsan/pr80875.c +++ gcc/testsuite/c-c++-common/ubsan/pr80875.c @@ -0,0 +1,9 @@ +/* PR sanitizer/80875 */ +/* { dg-do compile } */ +/* { dg-options "-fsanitize=undefined" } */ + +int +foo (void) +{ + return ~__INT_MAX__ * (0 / 0); /* { dg-warning "division by zero" } */ +} Marek
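
Review bot: In the fold-const.c hunk, the comment above the condition still reads "Transform x * -C into -x * C if x is easily negatable", but the transform now also requires that C itself be negatable. Please update it to say so, and note that negate_expr_p (op1) must stay ahead of the negate_expr (op1) call: per the description, that ordering is what guarantees tem is a constant rather than a NEGATE_EXPR by the time TREE_OVERFLOW (tem) looks at it. Without that note, a later cleanup could reorder or drop the check as apparently redundant with the "!= op1" and TREE_OVERFLOW tests.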
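
Review bot: In the new pr80875.c test, foo only exercises the minimum value of int (~__INT_MAX__), while the guarded code in fold_binary_loc is not specific to int. Consider adding a second function using a wider type, for example one returning ~__LONG_LONG_MAX__ * (0 / 0), so that the test covers the most negative constant of more than one type. A short comment saying that the multiplication used to ICE in fold_binary_loc would also make it clear that the dg-warning on that line is incidental and not what the test is checking.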