From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 48) id E633D3858C30; Tue, 7 Mar 2023 23:19:25 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E633D3858C30
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1678231165; bh=0HQDSiYXTbmF6IGGAVh0zaXGiFVQAPgQ019NMhsP7bI=; h=From:To:Subject:Date:In-Reply-To:References:From; b=xua0E3nl0RXf1vfF9cUBvE3cpiKhJUoEm2bPZx0IUI/sq0aTQUzRFU59KjT/IAMed D3Hp2wA37n6zQNsduGUpSGiby0bZuVU4UYqH1aE+sLtTO292K360yaelXZ+PJG+ZMT iwlEpSYbG3gbLJXX+Yk9h+8qYGPOVcslRnPZCBLI=
From: "mpolacek at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/108060] [10/11/12/13 Regression] UBsan missed an out-of-bound bug at -O0 since r7-1900-g8a1b7b7fd75a3847
Date: Tue, 07 Mar 2023 23:19:25 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: mpolacek at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: mpolacek at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 10.5
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108060

--- Comment #7 from Marek Polacek ---
Candidate fix:

--- a/gcc/c-family/c-gimplify.cc +++ b/gcc/c-family/c-gimplify.cc
@@ -106,6 +106,18 @@ ubsan_walk_array_refs_r (tree *tp, int *walk_subtrees, void *data) } else if (TREE_CODE (*tp) =3D=3D ARRAY_REF) ubsan_maybe_instrument_array_ref (tp, false); + else if (TREE_CODE (*tp) =3D=3D MODIFY_EXPR) + { + /* Since r7-1900, we gimplify RHS before LHS. Consider + a[b] |=3D c; + wherein we can have a single shared tree a[b] in both LHS and RHS. + If we only instrument the LHS and the access is invalid, the program + could crash before emitting a UBSan error. So instrument the RHS + first. */ + *walk_subtrees =3D 0; + walk_tree (&TREE_OPERAND (*tp, 1), ubsan_walk_array_refs_r, pset, ps= et); + walk_tree (&TREE_OPERAND (*tp, 0), ubsan_walk_array_refs_r, pset, ps= et); + } return NULL_TREE; }

It handles b = 0; a[b] = (a[b], b = -32768, a[b] | c); correctly (the first a[b] is OK but not the 2nd or 3rd).
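
Review bot: no testcase accompanies the new MODIFY_EXPR branch in ubsan_walk_array_refs_r, so the ordering it relies on (operand 1 walked before operand 0) is not pinned down by anything in this patch. Please add a test that covers both the a[b] |= c case from the comment and the expression from the message, b = 0; a[b] = (a[b], b = -32768, a[b] | c);, checking that the UBSan error is reported rather than the program crashing first. The comment would also benefit from saying why pset is passed as both the data and the pset argument of the two walk_tree calls, and whether the shared a[b] tree ends up instrumented once or twice when it is reachable from both operands.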