cmd/compile: fix integer overflow in prove pass
authorJakub Ciolek <jakub@ciolek.dev>
Wed, 19 Nov 2025 10:17:47 +0000 (11:17 +0100)
committerKeith Randall <khr@golang.org>
Fri, 21 Nov 2025 18:34:21 +0000 (10:34 -0800)
The detectSliceLenRelation function incorrectly deduced lower bounds
for "len(s) - i" without checking if the subtraction could overflow
(e.g. when i is negative). This led to incorrect elimination of
bounds checks.

Fixes: #76355
Change-Id: I30ada0e5f1425929ddd8ae1b66e55096ec209b5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/721920
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Keith Randall <khr@google.com>
src/cmd/compile/internal/ssa/prove.go
test/prove.go

index d4e7ed14b168fea50a9dc82b59f196e3243732ef..4ffab848ba968cd12037d8040b53bb17a7898660 100644 (file)
@@ -2051,8 +2051,11 @@ func (ft *factsTable) detectSliceLenRelation(v *Value) {
                return
        }
 
-       slice := v.Args[0].Args[0]
        index := v.Args[1]
+       if !ft.isNonNegative(index) {
+               return
+       }
+       slice := v.Args[0].Args[0]
 
        for o := ft.orderings[index.ID]; o != nil; o = o.next {
                if o.d != signed {
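Review bot: The new `if !ft.isNonNegative(index)` guard has no comment explaining why a possibly-negative index must bail out, and the reason is not evident from the code. A line above the `if`, such as `// len(slice)-index can overflow when index is negative; only derive bounds for index >= 0.`, would record the soundness condition for the next person who edits this pass. The guard rejects every index not known to be non-negative, which is presumably a deliberate choice of safety over a few lost eliminations; the comment could say so. detectSliceLenRelation begins before this hunk and continues past it, so the rest of the orderings loop is not visible here.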
index e8acaf5928e07851ea00e4a14be8627827707ca6..1f893938e3ec7abf595514f919458b9f47db0bd8 100644 (file)
@@ -2650,6 +2650,17 @@ func subLengths2(b []byte, i int) {
        }
 }
 
+func issue76355(s []int, i int) int {
+    var a [10]int
+    if i <= len(s)-1 {
+        v := len(s) - i
+        if v < 10 {
+            return a[v]
+        }
+    }
+    return 0
+}
+
 //go:noinline
 func prove(x int) {
 }
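Review bot: The regression test `issue76355` never states its expectation: nothing on `return a[v]` says the bounds check there must be kept. The test presumably relies on the absence of an `// ERROR "Proved ..."` annotation on that line, which a later editor could easily mistake for an omission. A comment inside the function would make the intent explicit, for example `// len(s)-i may overflow for negative i, so v can be negative: the bounds check on a[v] must not be removed.` The added lines also appear to be indented with four spaces where the surrounding file uses tabs, so running gofmt on the new function would keep it consistent.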