From: "msebor at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/84050] [8/9/10/11 Regression] missing -Warray-bounds accessing a struct array member
Date: Sat, 13 Feb 2021 23:48:29 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84050

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|10.0                        |10.2.0, 11.0

--- Comment #7 from Martin Sebor ---
(In reply to Aldy Hernandez from comment #2)
...
> I'm not a language lawyer, so I don't know what the semantics of undefined
> behavior is. Is returning 0 even the correct thing to do?

Anything goes for undefined behavior so folding the access to zero is strictly
valid.  But doing it silently, without issuing a warning designed to detect
this bug, is at a minimum unfriendly (I'd even say it's a bug in the warning).

I believe the problem is in fold_nonarray_ctor_reference(): the function
doesn't make sure the reference is in bounds of the object.  It simply returns
zero when it isn't on the assumption reflected in a comment removed in r274837:

  /* Memory not explicitly mentioned in constructor is 0.  */

The function assumes that when the constructor is smaller than the type of the
declared object the reference is to an element of the object.  But that's only
true for valid references, not for those that are out of bounds.  So before
returning zero, the function should check that the offset into the object plus
the element size doesn't exceed the size of the object and if it does, return
null.

I suspect a fix wouldn't be considered in stage 4 of GCC 11 but it's something
to look into for GCC 12.
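An added illustration of the bounds check the comment asks for (example code, not from the bug report or from GCC's fold_nonarray_ctor_reference()): a constant struct whose initializer is smaller than its type, and a helper that folds an in-bounds read of the uninitialized array member to zero but refuses to fold an out-of-bounds one, leaving it for -Warray-bounds. The struct, the helper names and the -1 "do not fold" signal are constructed here.

```c
/* Added example: models the check fold_nonarray_ctor_reference() should
 * make before folding a reference into a constant object to zero.  Names
 * and the struct are constructed for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed object: the initializer only covers 'a', so the
 * constructor is smaller than the type of the declared object and
 * 'arr' is memory "not explicitly mentioned in the constructor". */
struct S { int a; int arr[3]; };
static const struct S s = { 1 };

/* Is the byte range [offset, offset + size) inside an object of
 * obj_size bytes?  Written so that offset + size cannot overflow. */
static bool ref_in_bounds(size_t obj_size, size_t offset, size_t size)
{
    if (offset > obj_size)
        return false;
    return size <= obj_size - offset;
}

/* Models folding a read of s.arr[idx] at compile time.  Returns 0 when
 * the reference is in bounds (the constructor says nothing about it, so
 * the memory is zero), or -1 meaning "do not fold" when it is out of
 * bounds, so the access is left visible to -Warray-bounds. */
int fold_arr_ref(size_t idx)
{
    if (idx > SIZE_MAX / sizeof(int))          /* offset would overflow */
        return -1;
    size_t offset = offsetof(struct S, arr) + idx * sizeof(int);
    if (!ref_in_bounds(sizeof s, offset, sizeof(int)))
        return -1;
    return 0;
}

int main(void)
{
    /* arr has 3 elements: index 1 is in bounds, index 4 is not. */
    printf("s.arr[1] -> %d (folded to zero)\n", fold_arr_ref(1));
    printf("s.arr[4] -> %d (not folded, warn instead)\n", fold_arr_ref(4));
    return 0;
}
```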