[Bug c/109298] New: warning: array subscript ‘...’ is partly outside array bounds of ‘...’

[Bug c/109298] New: warning: array subscript ‘...’ is partly outside array bounds of ‘...’

[ubizjak at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109298

            Bug ID: 109298
           Summary: warning: array subscript ‘...’ is partly outside array
                    bounds of ‘...’
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ubizjak at gmail dot com
  Target Milestone: ---

This warning/error is actually emitted when compiling
drivers/infiniband/core/user_mad.c linux source file.

The testcase:

--cut here--
enum {
        IB_MGMT_RMPP_HDR = 36,
        IB_MGMT_RMPP_DATA = 220,
};

struct ib_umad_packet {
        int hdr;
        unsigned char data[];
};

struct ib_rmpp_mad {
        int class;
        unsigned char data[IB_MGMT_RMPP_DATA];
};

int foo (const unsigned char *buf)
{
  struct ib_umad_packet *packet;
  struct ib_rmpp_mad *rmpp_mad;

  packet = __builtin_malloc (sizeof *packet + IB_MGMT_RMPP_HDR);

  __builtin_memcpy (&packet->data, buf, IB_MGMT_RMPP_HDR);

  rmpp_mad = (struct ib_rmpp_mad *) packet->data;

  return rmpp_mad->class;
}
--cut here--

-O2 -Wall

test.c: In function ‘foo’:
test.c:27:18: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly
outside array bounds of ‘unsigned char[40]’ [-Warray-bounds=]
   27 |   return rmpp_mad->class;
      |                  ^~
test.c:21:12: note: at offset 4 into object of size 40 allocated by
‘__builtin_malloc’
   21 |   packet = __builtin_malloc (sizeof *packet + IB_MGMT_RMPP_HDR);
      |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adding -fno-strict-aliasing to compile flags does not help.

[Bug tree-optimization/109298] warning: array subscript ‘...’ is partly outside array bounds of ‘...’

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109298

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|c                           |tree-optimization
     Ever confirmed|0                           |1
           Keywords|                            |diagnostic
             Status|UNCONFIRMED                 |NEW
             Blocks|                            |56456
   Last reconfirmed|                            |2023-03-28

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.

<bb 2> [local count: 1073741824]:
packet_4 = __builtin_malloc (40);
_1 = &packet_4->data;
__builtin_memcpy (_1, buf_5(D), 36);
_7 = MEM[(struct ib_rmpp_mad *)packet_4 + 4B].class;
return _7;

the issue is that rmpp_mad->class is considered a dereference of rmpp_mad
where ib_rmpp_mad doesn't fit in the allocation.  The wording of the
diagnostic is just very confusing here.

How the fix to the driver should look like probably depends on the actual
source - for the reduced testcase the allocation/copying doesn't make sense
while for the actual driver it probably does.

As said above, the diagnostic wording could be improved, so confirmed.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
[Bug 56456] [meta-bug] bogus/missing -Warray-bounds