[Bug middle-end/99630] New: missing -Warray-bounds accessing a trailing array of a virtual base class

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug middle-end/99630] New: missing -Warray-bounds accessing a trailing array of a virtual base class
@ 2021-03-17 16:57 msebor at gcc dot gnu.org
  2021-03-17 16:59 ` [Bug middle-end/99630] " msebor at gcc dot gnu.org
  0 siblings, 1 reply; 2+ messages in thread
From: msebor at gcc dot gnu.org @ 2021-03-17 16:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99630

            Bug ID: 99630
           Summary: missing -Warray-bounds accessing a trailing array of a
                    virtual base class
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

GCC issues -Warray-bounds for the out of bounds access to an object with an
ordinary base class in f() but not for the same out of bounds access to an
object with a virtual base class in g().  Both access should be diagnosed.

The problem is that trailing_array() calls array_at_struct_end_p() which
returns true for trailing array members without considering the type of the
enclosing object.

$ cat u.C && gcc -O2 -S -Wall -fdump-tree-vrp1=/dev/stdout u.C
struct A1
{
  virtual ~A1 ();
  int a1a[1];
};

struct A2
{
  virtual ~A2 ();
  int a2a[1];
};

struct B1: A1 { };
struct B2: A2 { };
struct D1: B1, B2 { };

void f (D1 *p)
{
  extern D1 d1;
  p->a1a[0] = (char*)d1.a1a - (char*)&d1;
  p->a1a[1] = (char*)d1.a2a - (char*)&d1;   // -Warray-bounds (good)
}

struct V1: virtual A1 { };
struct V2: virtual A2 { };

struct D2: V1, V2 { };

void f (D2 *p)
{
  extern D2 d2;
  p->a1a[0] = (char*)d2.a1a - (char*)&d2;
  p->a1a[1] = (char*)d2.a2a - (char*)&d2;   // missing -Warray-bounds
}

;; Function f (_Z1fP2D1, funcdef_no=0, decl_uid=2468, cgraph_uid=1,
symbol_order=0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

p_5 -> { p_2(D) }
Incremental SSA update started at block: 2
Number of blocks in CFG: 3
Number of blocks to update: 1 ( 33%)



Value ranges after VRP:

p_2(D): struct D1 * VARYING
p_5: struct D1 * [1B, +INF]  EQUIVALENCES: { p_2(D) } (1 elements)


u.C: In function ‘void f(D1*)’:
u.C:21:11: warning: array subscript 1 is above array bounds of ‘int [1]’
[-Warray-bounds]
   21 |   p->a1a[1] = (char*)d1.a2a - (char*)&d1;   // -Warray-bounds (good)
      |   ~~~~~~~~^
u.C:4:7: note: while referencing ‘A1::a1a’
    4 |   int a1a[1];
      |       ^~~
void f (struct D1 * p)
{
  <bb 2> [local count: 1073741824]:
  p_2(D)->D.2450.D.2409.a1a[0] = 8;
  p_2(D)->D.2450.D.2409.a1a[1] = 24;
  return;

}



;; Function f (_Z1fP2D2, funcdef_no=1, decl_uid=2566, cgraph_uid=2,
symbol_order=1)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

_9 -> { _4 }
p_10 -> { p_6(D) }
Incremental SSA update started at block: 2
Number of blocks in CFG: 3
Number of blocks to update: 1 ( 33%)



Value ranges after VRP:

_1: int (*) () * VARYING
_2: long int VARYING
_3: sizetype VARYING
_4: struct D2 * [1B, +INF]
p_6(D): struct D2 * VARYING
_9: struct D2 * [1B, +INF]  EQUIVALENCES: { _4 } (1 elements)
p_10: struct D2 * [1B, +INF]  EQUIVALENCES: { p_6(D) } (1 elements)


void f (struct D2 * p)
{
  int (*) () * _1;
  long int _2;
  sizetype _3;
  struct D2 * _4;

  <bb 2> [local count: 1073741824]:
  _1 = p_6(D)->D.2549._vptr.V1;
  _2 = MEM[(long int *)_1 + -24B];
  _3 = (sizetype) _2;
  _4 = p_6(D) + _3;
  MEM[(struct A1 *)_4].a1a[0] = 24;
  MEM[(struct A1 *)_4].a1a[1] = 40;   <<< _4's type is D2 and a1a[1] overlaps
its _vptr
  return;

}

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [Bug middle-end/99630] missing -Warray-bounds accessing a trailing array of a virtual base class
  2021-03-17 16:57 [Bug middle-end/99630] New: missing -Warray-bounds accessing a trailing array of a virtual base class msebor at gcc dot gnu.org
@ 2021-03-17 16:59 ` msebor at gcc dot gnu.org
  0 siblings, 0 replies; 2+ messages in thread
From: msebor at gcc dot gnu.org @ 2021-03-17 16:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99630

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
It might be worth warning for any out of bounds access to trailing members of
polymorphic classes, regardless of whether the type of the complete enclosing
object is known (and known to be derived virtually).

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-03-17 16:59 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-17 16:57 [Bug middle-end/99630] New: missing -Warray-bounds accessing a trailing array of a virtual base class msebor at gcc dot gnu.org
2021-03-17 16:59 ` [Bug middle-end/99630] " msebor at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).