cmd/compile: fix integer overflow in prove pass

The detectSliceLenRelation function incorrectly deduced lower bounds for "len(s) - i" without checking if the subtraction could overflow (e.g. when i is negative). This led to incorrect elimination of bounds checks. Fixes: #76355 Change-Id: I30ada0e5f1425929ddd8ae1b66e55096ec209b5b Reviewed-on: https://go-review.googlesource.com/c/go/+/721920 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Keith Randall <khr@google.com>
2025-12-08 06:10:04 +00:00 · 2025-11-19 11:17:47 +01:00 · 2025-11-19 11:17:47 +01:00 · f87aaec53d
commit f87aaec53d
parent dbd2ab9992
2 changed files with 15 additions and 1 deletions
--- a/src/cmd/compile/internal/ssa/prove.go
+++ b/src/cmd/compile/internal/ssa/prove.go
@ -2051,8 +2051,11 @@ func (ft *factsTable) detectSliceLenRelation(v *Value) {
 		return
 	}

-	slice := v.Args[0].Args[0]
 	index := v.Args[1]
+	if !ft.isNonNegative(index) {
+		return
+	}
+	slice := v.Args[0].Args[0]

 	for o := ft.orderings[index.ID]; o != nil; o = o.next {
 		if o.d != signed {
--- a/test/prove.go
+++ b/test/prove.go
@ -2650,6 +2650,17 @@ func subLengths2(b []byte, i int) {
 	}
 }

+func issue76355(s []int, i int) int {
+    var a [10]int
+    if i <= len(s)-1 {
+        v := len(s) - i
+        if v < 10 {
+            return a[v]
+        }
+    }
+    return 0
+}
+
 //go:noinline
 func prove(x int) {
 }