public inbox for gcc-bugs@sourceware.org
* [Bug middle-end/94195] New: missing warning reading a smaller object via an lvalue of a larger type
From: msebor at gcc dot gnu.org @ 2020-03-16 15:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94195
Bug ID: 94195
Summary: missing warning reading a smaller object via an lvalue
of a larger type
Product: gcc
Version: 10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
The following test case was derived from PR 94187. The past-the-end store in
f() is diagnosed by -Wstringop-overflow as expected but the corresponding
past-the-end read in g() is not. It's checked by -Warray-bounds but the code
there doesn't fully consider the type of the access.
$ cat pr94187.c && gcc -O2 -S -Wall -Wextra -Wpedantic -fdump-tree-vrp=/dev/stdout pr94187.c
char a[1];

void f (void)
{
  *(int*)a = 0;   // -Wstringop-overflow (good)
}

int g (void)
{
  return *(int*)a;   // missing warning (-Warray-bounds)
}
;; Function f (f, funcdef_no=0, decl_uid=1931, cgraph_uid=1, symbol_order=1)
;; 1 loops found
;;
;; Loop 0
;; header 0, latch 1
;; depth 0, outer -1
;; nodes: 0 1 2
;; 2 succs { 1 }
Value ranges after VRP:
f ()
{
<bb 2> [local count: 1073741824]:
MEM[(int *)&a] = 0;
return;
}
pr94187.c: In function ‘f’:
pr94187.c:5:12: warning: writing 4 bytes into a region of size 1 [-Wstringop-overflow=]
    5 |   *(int*)a = 0;   // -Wstringop-overflow (good)
      |   ~~~~~~~~~^~~
pr94187.c:1:6: note: at offset 0 to object ‘a’ with size 1 declared here
    1 | char a[1];
      |      ^
;; Function f (f, funcdef_no=0, decl_uid=1931, cgraph_uid=1, symbol_order=1)
;; 1 loops found
;;
;; Loop 0
;; header 0, latch 1
;; depth 0, outer -1
;; nodes: 0 1 2
;; 2 succs { 1 }
Value ranges after VRP:
f ()
{
<bb 2> [local count: 1073741824]:
MEM[(int *)&a] = 0;
return;
}
;; Function g (g, funcdef_no=1, decl_uid=1934, cgraph_uid=2, symbol_order=2)
;; 1 loops found
;;
;; Loop 0
;; header 0, latch 1
;; depth 0, outer -1
;; nodes: 0 1 2
;; 2 succs { 1 }
Value ranges after VRP:
_2: int VARYING
g ()
{
int _2;
<bb 2> [local count: 1073741824]:
_2 = MEM[(int *)&a];
return _2;
}
;; Function g (g, funcdef_no=1, decl_uid=1934, cgraph_uid=2, symbol_order=2)
;; 1 loops found
;;
;; Loop 0
;; header 0, latch 1
;; depth 0, outer -1
;; nodes: 0 1 2
;; 2 succs { 1 }
Value ranges after VRP:
_2: int VARYING
g ()
{
int _2;
<bb 2> [local count: 1073741824]:
_2 = MEM[(int *)&a];
return _2;
}
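The read that g() performs, an lvalue of type int laid over a 1-byte object, has no size check at all; the report's point is that the compiler should flag it statically. When the object's size is only known at run time, the check has to be in the code. The following is an added example, not code from the bug report or from GCC: a bounded little-endian 32-bit read that refuses objects smaller than the value, with constructed sample buffers (one_byte mirrors the report's char a[1]; four_bytes is large enough). The function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Read a little-endian 32-bit value from buf, refusing when the object is
   smaller than the value. This is the runtime form of the bound that
   -Warray-bounds can only establish statically; the report's g() forms an
   int lvalue over a 1-byte object and performs no such check. Returns 1 on
   success, 0 when len is too small (*out is then left untouched). */
int read_u32le(const unsigned char *buf, size_t len, uint32_t *out)
{
    if (len < sizeof *out)
        return 0;
    /* Byte-wise assembly: only the checked bytes are dereferenced, and the
       result does not depend on host endianness or alignment. */
    *out = (uint32_t)buf[0]
         | (uint32_t)buf[1] << 8
         | (uint32_t)buf[2] << 16
         | (uint32_t)buf[3] << 24;
    return 1;
}

/* Constructed sample inputs (not from the bug report). */
static const unsigned char one_byte[1]   = { 0x2a };                   /* like char a[1] */
static const unsigned char four_bytes[4] = { 0x78, 0x56, 0x34, 0x12 };

/* Reading the 1-byte object is refused instead of over-reading 3 bytes. */
int demo_short_object(void)
{
    uint32_t v = 0;
    return read_u32le(one_byte, sizeof one_byte, &v);   /* returns 0 */
}

/* A length shorter than the buffer is honoured as the object's size. */
int demo_truncated_len(void)
{
    uint32_t v = 0;
    return read_u32le(four_bytes, 3, &v);   /* returns 0 */
}

/* A 4-byte object is large enough; returns the decoded value. */
uint32_t demo_full_object(void)
{
    uint32_t v = 0;
    if (!read_u32le(four_bytes, sizeof four_bytes, &v))
        return 0;
    return v;   /* 0x12345678 */
}
```

The size parameter, not the pointer's type, decides how many bytes are touched; that is exactly the information the report says -Warray-bounds was ignoring when the size is a compile-time constant.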
* [Bug middle-end/94195] missing warning reading a smaller object via an lvalue of a larger type
From: msebor at gcc dot gnu.org @ 2020-08-07 15:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94195
Martin Sebor <msebor at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
      Known to fail|                            |10.2.0, 11.0, 8.4.0, 9.3.0
   Last reconfirmed|                            |2020-08-07
             Status|UNCONFIRMED                 |ASSIGNED
--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
My patch for pr50584 includes code to handle this case as well.
* [Bug middle-end/94195] missing warning reading a smaller object via an lvalue of a larger type
From: cvs-commit at gcc dot gnu.org @ 2020-09-19 23:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94195
--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:
https://gcc.gnu.org/g:3f9a497d1b0dd9da87908a11b59bf364ad40ddca
commit r11-3306-g3f9a497d1b0dd9da87908a11b59bf364ad40ddca
Author: Martin Sebor <msebor@redhat.com>
Date: Sat Sep 19 17:47:29 2020 -0600
Extend -Warray-bounds to detect out-of-bounds accesses to array parameters.
gcc/ChangeLog:
PR middle-end/82608
PR middle-end/94195
PR c/50584
PR middle-end/84051
* gimple-array-bounds.cc (get_base_decl): New function.
(get_ref_size): New function.
(trailing_array): New function.
(array_bounds_checker::check_array_ref): Call them. Handle arrays
declared in function parameters.
(array_bounds_checker::check_mem_ref): Same. Handle references to
dynamically allocated arrays.
gcc/testsuite/ChangeLog:
PR middle-end/82608
PR middle-end/94195
PR c/50584
PR middle-end/84051
* c-c++-common/Warray-bounds.c: Adjust.
* gcc.dg/Wbuiltin-declaration-mismatch-9.c: Adjust.
* gcc.dg/Warray-bounds-63.c: New test.
* gcc.dg/Warray-bounds-64.c: New test.
* gcc.dg/Warray-bounds-65.c: New test.
* gcc.dg/Warray-bounds-66.c: New test.
* gcc.dg/Warray-bounds-67.c: New test.
* [Bug middle-end/94195] missing warning reading a smaller object via an lvalue of a larger type
From: dimhen at gmail dot com @ 2020-09-26 18:10 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94195
Dmitry G. Dyachenko <dimhen at gmail dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dimhen at gmail dot com
--- Comment #3 from Dmitry G. Dyachenko <dimhen at gmail dot com> ---
(In reply to CVS Commits from comment #2)
> The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:
>
> https://gcc.gnu.org/g:3f9a497d1b0dd9da87908a11b59bf364ad40ddca
>
> commit r11-3306-g3f9a497d1b0dd9da87908a11b59bf364ad40ddca
> Author: Martin Sebor <msebor@redhat.com>
> Date: Sat Sep 19 17:47:29 2020 -0600
>
> Extend -Warray-bounds to detect out-of-bounds accesses to array parameters.
>
> gcc/ChangeLog:
>
> PR middle-end/82608
> PR middle-end/94195
> PR c/50584
> PR middle-end/84051
> * gimple-array-bounds.cc (get_base_decl): New function.
> (get_ref_size): New function.
> (trailing_array): New function.
> (array_bounds_checker::check_array_ref): Call them. Handle arrays
> declared in function parameters.
> (array_bounds_checker::check_mem_ref): Same. Handle references to
> dynamically allocated arrays.
>
> gcc/testsuite/ChangeLog:
>
> PR middle-end/82608
> PR middle-end/94195
> PR c/50584
> PR middle-end/84051
> * c-c++-common/Warray-bounds.c: Adjust.
> * gcc.dg/Wbuiltin-declaration-mismatch-9.c: Adjust.
> * gcc.dg/Warray-bounds-63.c: New test.
> * gcc.dg/Warray-bounds-64.c: New test.
> * gcc.dg/Warray-bounds-65.c: New test.
> * gcc.dg/Warray-bounds-66.c: New test.
> * gcc.dg/Warray-bounds-67.c: New test.
I am a bit confused -- now gcc produces a warning.
But the access is not out of allocated memory.
Is it expected?
$ cat x.c
#include <stdlib.h>

struct S1 {
    unsigned x;
};

struct S {
    struct S1 s1;
    int z;
};

void f1()
{
    struct S *pS = (struct S*) calloc(sizeof(struct S1),1);
    if(pS->s1.x == 0)
        return;
    free(pS);
}

$ gcc -O2 -Wall -c x.i
x.c: In function 'f1':
x.c:18:8: warning: array subscript 'struct S[0]' is partly outside array bounds of 'unsigned char[4]' [-Warray-bounds]
   18 |     if(pS->s1.x == 0)
      |        ^~
x.c:17:30: note: referencing an object of size 4 allocated by 'calloc'
   17 |     struct S *pS = (struct S*) calloc(sizeof(struct S1),1);
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~
* [Bug middle-end/94195] missing warning reading a smaller object via an lvalue of a larger type
From: msebor at gcc dot gnu.org @ 2020-09-27 20:24 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94195
--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
(In reply to Dmitry G. Dyachenko from comment #3)
The warning is expected. The access to pS->s1.x implies that there must be an
object at pS that's at least sizeof *pS large, even though only the leading 4
bytes of it are being accessed.
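Two ways to write comment #3's f1() so that no access implies a larger object than was allocated, as an added example that is not from the thread or from GCC: either allocate what the pointer's type requires (sizeof *pS), or, when only the leading S1 is ever used, address an S1 rather than an S. The helper as_struct_s is hypothetical; it is the run-time counterpart of the static check described above, refusing to hand out a struct S* for a block smaller than sizeof(struct S).

```c
#include <stddef.h>
#include <stdlib.h>

/* Types from comment #3. */
struct S1 { unsigned x; };
struct S  { struct S1 s1; int z; };

/* Hypothetical helper, not GCC code: hand out a struct S* only for a block of
   at least sizeof(struct S) bytes, so that every member access through it
   stays inside the allocation. Returns NULL when nbytes is too small or
   calloc fails. */
struct S *as_struct_s(size_t nbytes)
{
    if (nbytes < sizeof(struct S))
        return NULL;
    return calloc(1, nbytes);
}

/* f1() with the allocation sized by the pointer type. Returns 1 if s1.x is
   zero (it is, calloc zero-fills), 0 otherwise, -1 on allocation failure. */
int f1_fixed(void)
{
    struct S *pS = as_struct_s(sizeof *pS);   /* sizeof does not evaluate pS */
    if (pS == NULL)
        return -1;
    int zero = (pS->s1.x == 0);   /* in bounds: pS addresses a whole struct S */
    free(pS);
    return zero;
}

/* When only the leading S1 is needed, address an S1: no lvalue of the larger
   type is formed, so nothing beyond the 4 allocated bytes is implied. */
int f1_prefix_only(void)
{
    struct S1 *p = calloc(1, sizeof *p);
    if (p == NULL)
        return -1;
    int zero = (p->x == 0);
    free(p);
    return zero;
}

/* The original f1() allocation size, sizeof(struct S1), is refused: this is
   the case the warning in comment #3 reports. Returns 1 when refused. */
int rejects_undersized(void)
{
    return as_struct_s(sizeof(struct S1)) == NULL;
}
```

The distinction the reply draws is visible in the two fixed functions: f1_fixed keeps the struct S* and pays for the whole object, f1_prefix_only keeps the small allocation and gives up the larger type.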
* [Bug middle-end/94195] missing warning reading a smaller object via an lvalue of a larger type
From: msebor at gcc dot gnu.org @ 2020-09-27 20:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94195
Martin Sebor <msebor at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
   Target Milestone|---                         |11.0
           Assignee|unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org
             Status|ASSIGNED                    |RESOLVED
--- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> ---
Implemented for GCC 11 in r11-3306.