[Bug c/103292] New: [12 regression] xorg-server-1.20.13 -Werror=array-bounds false positive on unions

[Bug c/103292] New: [12 regression] xorg-server-1.20.13 -Werror=array-bounds false positive on unions

[slyfox at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103292

            Bug ID: 103292
           Summary: [12 regression] xorg-server-1.20.13
                    -Werror=array-bounds false positive on unions
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
  Target Milestone: ---

Created attachment 51818
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51818&action=edit
a.c.c.orig

Initially observed build failure on xorg-server-1.20.13.

Looks like gcc detects out-of-bounds access on union of structs of different
sizes. Extracted example from unreduced a.c.c.orig (attached):

$ cat a.c.c
    typedef long unsigned int size_t;
    extern void *malloc (size_t __size) __attribute__ ((__nothrow__ ,
__leaf__)) __attribute__ ((__malloc__)) __attribute__ ((__alloc_size__ (1)))
__attribute__ ((__warn_unused_result__));

    struct _PictSolidFill {
        unsigned int type;

        char foo[20];
    };

    struct _PictHuge {
        unsigned int type;

        char foo[200];
    };

    union _SourcePict {
        // each union member has a type
        unsigned int type;

        struct _PictSolidFill maybePSF;

        // presence of this field triggers an error
        struct _PictHuge maybeHuge;
    };

    struct _Picture {
        union _SourcePict* pSourcePict;
    };

    extern
    void CreateSolidPicture(struct _Picture* pPicture);
    void CreateSolidPicture(struct _Picture* pPicture)
    {
        pPicture->pSourcePict = (union _SourcePict*) malloc(sizeof(struct
_PictSolidFill));
        pPicture->pSourcePict->type = 0;
    }

$ gcc-12.0.0 -Werror=array-bounds -c a.c.c -O2
a.c.c: In function 'CreateSolidPicture':
a.c.c:47:30: error: array subscript 'union _SourcePict[0]' is partly outside
array bounds of 'unsigned char[24]' [-Werror=array-bounds]
   47 |         pPicture->pSourcePict->type = 0;
      |                              ^~
a.c.c:46:54: note: object of size 24 allocated by 'malloc'
   46 |         pPicture->pSourcePict = (union _SourcePict*)
malloc(sizeof(struct _PictSolidFill));
      |                                                     
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors

$ gcc-12.0.0 -v
Using built-in specs.
COLLECT_GCC=/nix/store/59jdmdy3ylrpmap1bjxic1fjaq8wf96s-gcc-12.0.0/bin/gcc
COLLECT_LTO_WRAPPER=/nix/store/59jdmdy3ylrpmap1bjxic1fjaq8wf96s-gcc-12.0.0/libexec/gcc/x86_64-unknown-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 12.0.0 20211114 (experimental) (GCC)

[Bug c/103292] [12 regression] xorg-server-1.20.13 -Werror=array-bounds false positive on unions

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103292

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID
           Keywords|                            |diagnostic
           See Also|                            |https://gcc.gnu.org/bugzill
                   |                            |a/show_bug.cgi?id=102151
                 CC|                            |msebor at gcc dot gnu.org

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
The warning is intended.  The program allocates an object of a size that's
smaller than the size of the type used to access it:

       pPicture->pSourcePict = (union _SourcePict*) malloc(sizeof(struct
_PictSolidFill));
        pPicture->pSourcePict->type = 0;

It's not valid to access an object of one type using an lvalue of another.  In
simple cases GCC diagnoses violations of this requirement by -Wstrict-aliasing.
 -Warray-bounds doesn't detect aliasing violations but it does detect a subset
of the problem that's apparent when the size of the lvalue's type is greater
than the size of the object.  The object must be big enough for the whole
lvalue, even if the accessed member is within the bounds of the smaller object.

The following is a smaller test case that should make the issue clearer.  See
also pr102151 for a similar report.

$ cat a.c && gcc -O2 -S -Wall a.c
struct A { char a[1]; };
struct B { char a[2]; };
union U { struct A a; struct B b; };

void* f (void)
{
  union U *p = __builtin_malloc (sizeof (struct A));
  p->a.a[0] = 0;
  return p;
}
a.c: In function ‘f’:
a.c:8:4: warning: array subscript ‘union U[0]’ is partly outside array bounds
of ‘unsigned char[1]’ [-Warray-bounds]
    8 |   p->a.a[0] = 0;
      |    ^~
a.c:7:16: note: object of size 1 allocated by ‘__builtin_malloc’
    7 |   union U *p = __builtin_malloc (sizeof (struct A));
      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Bug c/103292] [12 regression] xorg-server-1.20.13 -Werror=array-bounds false positive on unions

[slyfox at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103292

--- Comment #2 from Sergei Trofimovich <slyfox at gcc dot gnu.org> ---
(In reply to Martin Sebor from comment #1)
> The warning is intended.  The program allocates an object of a size that's
> smaller than the size of the type used to access it:
> 
>        pPicture->pSourcePict = (union _SourcePict*) malloc(sizeof(struct
> _PictSolidFill));
>         pPicture->pSourcePict->type = 0;
> 
> It's not valid to access an object of one type using an lvalue of another. 
> In simple cases GCC diagnoses violations of this requirement by
> -Wstrict-aliasing.  -Warray-bounds doesn't detect aliasing violations but it
> does detect a subset of the problem that's apparent when the size of the
> lvalue's type is greater than the size of the object.  The object must be
> big enough for the whole lvalue, even if the accessed member is within the
> bounds of the smaller object.
> 
> The following is a smaller test case that should make the issue clearer. 
> See also pr102151 for a similar report.
> 
> $ cat a.c && gcc -O2 -S -Wall a.c
> struct A { char a[1]; };
> struct B { char a[2]; };
> union U { struct A a; struct B b; };
> 
> void* f (void)
> {
>   union U *p = __builtin_malloc (sizeof (struct A));
>   p->a.a[0] = 0;
>   return p;
> }
> a.c: In function ‘f’:
> a.c:8:4: warning: array subscript ‘union U[0]’ is partly outside array
> bounds of ‘unsigned char[1]’ [-Warray-bounds]
>     8 |   p->a.a[0] = 0;
>       |    ^~
> a.c:7:16: note: object of size 1 allocated by ‘__builtin_malloc’
>     7 |   union U *p = __builtin_malloc (sizeof (struct A));
>       |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Aha, that makes sense. Filed upstream report as
https://gitlab.freedesktop.org/xorg/xserver/-/issues/1256

Related question:

It sounds like this diagnostic is somewhat related to -fstrict-aliasing. xorg
builds with -fno-strict-aliasing. Would it be fair to say the access in that
case is reasonable and -Warray-bounds is a false positive?

[Bug middle-end/103292] [12 regression] xorg-server-1.20.13 -Werror=array-bounds false positive on unions

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103292

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |DUPLICATE
          Component|c                           |middle-end
             Blocks|                            |56456
                 CC|                            |jeffreyalaw at gmail dot com

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
The originally intended purpose of this instance of -Warray-bounds was to warn
for accesses to smaller buffers by larger lvalues, like in this function:

struct A { int i; };
struct B { long j; };

struct B* make_B_from_A (const struct A *p)
{
  struct B *q = __builtin_malloc (sizeof *p);   // should be sizeof *q
  q->j = p->i;
  return q;
}

Here a warning should be issued regardless of whether -fstrict-aliasing is in
effect because the access is out of bounds.  That the warning also triggers in
instances when the problem isn't one of an out-of-bounds access but rather an
aliasing violation was incidental (i.e., I didn't set out with that as a goal),
but because -Wstrict-aliasing in GCC is very limited, seemed like a bonus.

So an argument could be (and in pr98503 in fact was) made that the instances of
-Warray-bounds where the ultimate access is strictly in bounds should be
replaced by one of -Wstrict-aliasing, which is enabled only when
-fstrict-aliasing is in effect.  I agreed and submitted a patch to do that:

  https://gcc.gnu.org/pipermail/gcc-patches/2021-January/564483.html

Regrettably, the change was rejected.  I CC the reviewer for his comments.

*** This bug has been marked as a duplicate of bug 98503 ***


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
[Bug 56456] [meta-bug] bogus/missing -Warray-bounds