From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 80DCD383B7B0; Mon, 30 May 2022 03:36:55 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 80DCD383B7B0 From: "cvs-commit at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/105729] False positive UBsan "reference binding to null pointer of type" when evaluating array indexing which throws exception Date: Mon, 30 May 2022 03:36:55 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: sanitizer X-Bugzilla-Version: 11.3.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: cvs-commit at gcc dot gnu.org X-Bugzilla-Status: ASSIGNED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: jakub at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 May 2022 03:36:55 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D105729 --- Comment #5 from CVS Commits --- The releases/gcc-12 branch has been updated by Jakub Jelinek : https://gcc.gnu.org/g:2f3ccb79ca859332915cb29a1c965a0f7be2408c commit r12-8434-g2f3ccb79ca859332915cb29a1c965a0f7be2408c Author: Jakub Jelinek Date: Fri May 27 11:40:42 2022 +0200 fold-const: Fix up -fsanitize=3Dnull in C++ [PR105729] The following testcase triggers a false positive UBSan binding a refere= nce to null diagnostics. In the FE we instrument conversions from pointer to reference type to diagnose at runtime if the operand of such a conversion is 0. The problem is that a GENERIC folding folds ((const struct Bar *) ((const struct Foo *) this)->data) + (sizetype) range_check (x) conversion to const struct Bar & by converting to that the first operand of the POINTER_PLUS_EXPR. But that changes when the -fsanitize=3Dnull binding to reference runtime check occurs. Without the optimization, it is invoked on the result of the POINTER_PLUS_EXPR, and as range_check call throws, that means it never triggers in the testcase. With the optimization, it checks whether this->data is NULL and it is. The following patch avoids that optimization during GENERIC folding when -fsanitize=3Dnull is enabled and it is a cast from non-REFERENCE_TYPE to REFERENCE_TYPE. 2022-05-27 Jakub Jelinek PR sanitizer/105729 * fold-const.cc (fold_unary_loc): Don't optimize (X &) ((Y *) z= + w) to (X &) z + w if -fsanitize=3Dnull during GENERIC folding. * g++.dg/ubsan/pr105729.C: New test. (cherry picked from commit e2f014fcefcd2ad56b31995329820bbd99072eae)=