From: "msebor at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/82608] missing -Warray-bounds on an out-of-bounds VLA index
Date: Wed, 10 Jun 2020 17:53:42 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82608

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |10.1.0, 11.0, 8.4.0, 9.3.0
   Last reconfirmed|2019-11-05 00:00:00         |2020-6-10

--- Comment #4 from Martin Sebor ---
GCC 11 issues -Wuninitialized for all accesses but only because the test case
isn't careful enough to initialize the arrays before using them:

$ gcc -O2 -S -Wall -Wextra pr82608.c
pr82608.c: In function ‘idx_negative’:
pr82608.c:18:11: warning: ‘*()[-99]’ is used uninitialized [-Wuninitialized]
   18 |   return a[-99];    // -Warray-bounds (since GCC 8)
      |          ~^~~~~
pr82608.c: In function ‘idx_cst_too_big’:
pr82608.c:25:11: warning: ‘*()[]’ is used uninitialized [-Wuninitialized]
   25 |   return a[n + 1];    // missing _Warray-bounds
      |          ~^~~~~~~
pr82608.c: In function ‘idx_out_of_type_bounds’:
pr82608.c:31:11: warning: ‘*()[2147483647]’ is used uninitialized [-Wuninitialized]
   31 |   return a[__INT_MAX__];    // missing -Warray-bounds
      |          ~^~~~~~~~~~~~~
pr82608.c: In function ‘idx_var_too_big’:
pr82608.c:37:11: warning: ‘*()[]’ is used uninitialized [-Wuninitialized]
   37 |   return a[n + 1];    // missing -Warray-bounds
      |          ~^~~~~~~

With -Wno-uninitialized or with the arrays initialized GCC still doesn't
detect all the out-of-bounds accesses:

$ cat pr82608.c && gcc -O2 -S -Wall -Wextra pr82608.c
void sink (void*);

int f (unsigned n)
{
  if (n < 1 || n > 32)
    n = 32;

  char vla[n];
  sink (vla);
  return vla[97];    // missing -Warray-bounds
}

int idx_negative (void)
{
  int n = 4;
  char a[n];
  sink (a);
  return a[-99];    // -Warray-bounds (since GCC 8)
}

int idx_cst_too_big (void)
{
  int n = 4;
  char a[n];
  sink (a);
  return a[n + 1];    // missing _Warray-bounds
}

int idx_out_of_type_bounds (unsigned char n)
{
  char a[n];
  sink (a);
  return a[__INT_MAX__];    // missing -Warray-bounds
}

int idx_var_too_big (int n)
{
  char a[n];
  sink (a);
  return a[n + 1];    // missing -Warray-bounds
}
pr82608.c: In function ‘idx_negative’:
pr82608.c:17:11: warning: array subscript -99 is below array bounds of ‘char[ + 1]’ [-Warray-bounds]
   17 |   return a[-99];    // -Warray-bounds (since GCC 8)
      |          ~^~~~~
pr82608.c:15:8: note: while referencing ‘a.16’
   15 |   char a[n];
      |        ^
pr82608.c: In function ‘idx_cst_too_big’:
pr82608.c:25:11: warning: array subscript 5 is above array bounds of ‘char[ + 1]’ [-Warray-bounds]
   25 |   return a[n + 1];    // missing _Warray-bounds
      |          ~^~~~~~~
pr82608.c:23:8: note: while referencing ‘a.18’
   23 |   char a[n];
      |        ^
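Because the compile-time warning misses some of these VLA accesses, a runtime guard is the fallback. The following is an added example, not code from the bug report or from GCC: it reworks three of the test-case functions so every index is checked against the VLA's runtime size. The names sink_fill, checked_get, OOB, idx_last and the 4096 size cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define OOB (-1000)  /* constructed sentinel, outside the range of any char value */

/* Stand-in for the test case's external sink(): initializes the array. */
static void sink_fill(char *p, size_t n) { memset(p, 7, n); }

/* Return a[idx] only when 0 <= idx < len; otherwise report OOB. */
static int checked_get(const char *a, size_t len, long long idx)
{
    if (idx < 0 || (unsigned long long)idx >= len)
        return OOB;
    return a[idx];
}

int f(unsigned n)
{
    if (n < 1 || n > 32)
        n = 32;
    char vla[n];
    sink_fill(vla, sizeof vla);          /* sizeof on a VLA is evaluated at run time */
    return checked_get(vla, sizeof vla, 97);   /* 97 >= n for every allowed n */
}

int idx_negative(void)
{
    int n = 4;
    char a[n];
    sink_fill(a, sizeof a);
    return checked_get(a, sizeof a, -99);
}

int idx_var_too_big(int n)
{
    if (n < 1 || n > 4096)               /* a VLA size must be positive; cap is arbitrary */
        return OOB;
    char a[n];
    sink_fill(a, sizeof a);
    return checked_get(a, sizeof a, (long long)n + 1);  /* widened so n + 1 cannot overflow */
}

int idx_last(int n)                      /* in-bounds control case, not in the original test */
{
    if (n < 1 || n > 4096)
        return OOB;
    char a[n];
    sink_fill(a, sizeof a);
    return checked_get(a, sizeof a, (long long)n - 1);
}
```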