[Bug sanitizer/99418] sanitizer checks for accessing multidimentional VLA-array

["vanyacpp at gmail dot com" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99418

--- Comment #6 from Ivan Sorokin <vanyacpp at gmail dot com> ---
(In reply to Jakub Jelinek from comment #4)
> Asan can't by design detect neither #c0 nor #c1, only ubsan can.
> The reason why ubsan has that off by one stuff is that in C/C++,
> &mas[n - 1][m] is not undefined behavior, only mas[n - 1][m] is.

That is very unfortunate. For standard containers subscripting with wrond
index is undefined behavior no matter if it is followed by taking of address.
I assumed the same rules apply for builtin arrays. If one need just a point
one can easily write a + n instead of &a[n]. Now I see that this is not the
case and built-in arrays behave differently.

> For #c1, the big question is what exactly is UB in C++, whether already
> binding a reference to the object after the end of the array or only
> actually accessing that reference.  If the former, ubsan could treat
> REFERENCE_TYPE differently, if the latter, then I'm afraid it can't do that,
> and ubsan by design has to be done early before all the optimizations change
> the IL so much that it is completely lost what were the user errors in it.
> For the method calls, there really isn't a reference in the IL either, this
> argument is a pointer, but .UBSAN_BOUNDS calls are added in the FE and so
> perhaps it could know it is a method call and treat it as a reference.
> So, something can be done but we need answers on where the UB in C++ exactly
> happens.

For -fsanitize=null the rules are quite subtle: dereferencing by itself (*p)
doesn't check for nullptr, but binding a reference (int& q = *p;) does.
Perhaps similar rules can be employed for past-the-end element: taking pointer
to it is fine, but passing the pointer as this parameter to function is UB? At
least this would be consistent with null pointers.