From: Jakub Ciolek
Date: Wed, 19 Nov 2025 10:17:47 +0000 (+0100)
Subject: cmd/compile: fix integer overflow in prove pass
X-Git-Tag: go1.26rc1~212
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=f87aaec53d943eb2b5a6b9be9e4af284543c4004;p=gostls13.git
cmd/compile: fix integer overflow in prove pass
The detectSliceLenRelation function incorrectly deduced lower bounds for "len(s) - i" without checking if the subtraction could overflow (e.g. when i is negative). This led to incorrect elimination of bounds checks.
Fixes: #76355
Change-Id: I30ada0e5f1425929ddd8ae1b66e55096ec209b5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/721920
LUCI-TryBot-Result: Go LUCI
Reviewed-by: David Chase
Reviewed-by: Keith Randall
---
diff --git a/src/cmd/compile/internal/ssa/prove.go b/src/cmd/compile/internal/ssa/prove.go
index d4e7ed14b1..4ffab848ba 100644
--- a/src/cmd/compile/internal/ssa/prove.go
+++ b/src/cmd/compile/internal/ssa/prove.go
@@ -2051,8 +2051,11 @@ func (ft *factsTable) detectSliceLenRelation(v *Value) {
 return
 }
- slice := v.Args[0].Args[0]
 index := v.Args[1]
+ if !ft.isNonNegative(index) {
+ return
+ }
+ slice := v.Args[0].Args[0]
 for o := ft.orderings[index.ID]; o != nil; o = o.next {
 if o.d != signed {
diff --git a/test/prove.go b/test/prove.go
index e8acaf5928..1f893938e3 100644
--- a/test/prove.go
+++ b/test/prove.go
@@ -2650,6 +2650,17 @@ func subLengths2(b []byte, i int) {
 }
 }
+func issue76355(s []int, i int) int {
+ var a [10]int
+ if i <= len(s)-1 {
+ v := len(s) - i
+ if v < 10 {
+ return a[v]
+ }
+ }
+ return 0
+}
+
 //go:noinline
 func prove(x int) {
 }
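Review bot: The new `if !ft.isNonNegative(index) { return }` guard in detectSliceLenRelation has no comment saying why it is there, and the reason is a soundness precondition that the code alone does not convey. Going by the commit message, the lower bound derived for `len(s) - index` only holds when the subtraction cannot wrap, so I would put `// len(s) - index can overflow when index is negative; the lower bound below is only sound for a non-negative index.` directly above the guard. A wrong fact recorded here removes a bounds check, so the next person touching this function should not have to rediscover the condition from the issue tracker. The function starts before and continues past this hunk, so whether the loop body relies on further unstated preconditions cannot be judged from here.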
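Review bot: issue76355 in test/prove.go has no comment stating what it asserts, which matters if, as it appears, this file is checked by matching expected prove diagnostics against `// ERROR` annotations: the missing annotation on `return a[v]` would then be the assertion itself, and is easy to misread as an omission. I would add `// issue76355: len(s) - i can overflow for negative i, so the bounds check on a[v] must not be proved away.` above the function. The test only pins the compiler's diagnostic output; a run-time companion that calls the function with a negative `i` and expects the index panic would pin the memory-safety behaviour directly, if one is not already present elsewhere in the change.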