From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 9A6E63857036; Mon, 12 Apr 2021 09:29:07 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9A6E63857036
From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/99801] Address sanitizer false positive with pointer
 to member function.
Date: Mon, 12 Apr 2021 09:29:07 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 11.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: marxin at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: marxin at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-99801-4-ZD88ne5Dkh@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-99801-4@http.gcc.gnu.org/bugzilla/>
References: <bug-99801-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 09:29:07 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D99801

Martin Li=C5=A1ka <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason at gcc dot gnu.org

--- Comment #2 from Martin Li=C5=A1ka <marxin at gcc dot gnu.org> ---
So let's consider the following example:

$ cat pr99801.C
class Curses_table {
public:
        void draw_row() {};
        void draw_table();
};

void Curses_table::draw_table()
{
  void (Curses_table::*draw_fn) (void) =3D &Curses_table::draw_row;
        auto Curses_table::*draw_fn2 =3D &Curses_table::draw_row;
        (this->*draw_fn)();
        (this->*draw_fn2)();
}

int main() {
        Curses_table t;
        t.draw_table();
}

What happens is that we wrongly assign DECL_SIZE_UNIT for draw_fn2 in:

Breakpoint 5, layout_decl (decl=3D<var_decl 0x7ffff7fbef30 draw_fn>,
known_align=3D0) at /home/marxin/Programming/gcc/gcc/stor-layout.c:634
(gdb) p debug_tree(type)
 <offset_type 0x7ffff777d690
    type <template_type_parm 0x7ffff777d5e8 auto VOID
        align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7ffff777d5e8
       index 0 level 1 orig_level 1
        chain <type_decl 0x7ffff760ee40 auto>>
    DI
    size <integer_cst 0x7ffff75e1eb8 type <integer_type 0x7ffff75ff0a8
bitsizetype> constant 64>
    unit-size <integer_cst 0x7ffff75e1ed0 type <integer_type 0x7ffff75ff000
sizetype> constant 8>
    align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7ffff777d690 basetype <record_type 0x7ffff777d888 Curses_table>>

while draw_fn is called with:

(gdb) p debug_tree(type)
 <record_type 0x7ffff777d3f0 type_2 TI
    size <integer_cst 0x7ffff75e1f00 type <integer_type 0x7ffff75ff0a8
bitsizetype> constant 128>
    unit-size <integer_cst 0x7ffff75e1f18 type <integer_type 0x7ffff75ff000
sizetype> constant 16>
    align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type
0x7ffff777d498
    fields <field_decl 0x7ffff760eab0 __pfn
        type <pointer_type 0x7ffff777d2a0 type <method_type 0x7ffff777d0a8>
            unsigned DI
            size <integer_cst 0x7ffff75e1eb8 constant 64>
            unit-size <integer_cst 0x7ffff75e1ed0 constant 8>
            align:64 warn_if_not_align:0 symtab:0 alias-set -1 canonical-ty=
pe
0x7ffff777d348>
        unsigned nonaddressable DI
/home/marxin/Programming/testcases/pr99801.C:9:38 size <integer_cst
0x7ffff75e1eb8 64> unit-size <integer_cst 0x7ffff75e1ed0 8>
        align:64 warn_if_not_align:0 offset_align 128
        offset <integer_cst 0x7ffff75e1ee8 constant 0>
        bit-offset <integer_cst 0x7ffff75e1f30 constant 0> context <record_=
type
0x7ffff777d3f0>
        chain <field_decl 0x7ffff760eb48 __delta type <integer_type
0x7ffff75ff738 long int>
            nonaddressable DI /home/marxin/Programming/testcases/pr99801.C:=
9:38
size <integer_cst 0x7ffff75e1eb8 64> unit-size <integer_cst 0x7ffff75e1ed0 =
8>
            align:64 warn_if_not_align:0 offset_align 128 offset <integer_c=
st
0x7ffff75e1ee8 0> bit-offset <integer_cst 0x7ffff75e1eb8 64> context
<record_type 0x7ffff777d3f0>>> ptrmemfunc fn type <pointer_type 0x7ffff777d=
2a0>
    chain <type_decl 0x7ffff760ebe0 __ptrmemfunc_type>>

later then the corresponding record_type is set as TREE_TYPE of draw_fn2:

(gdb) bt
#0  0x0000000000a16cd0 in cp_finish_decl (decl=3Ddecl@entry=3D<var_decl
0x7ffff7794510 draw_fn2>, init=3D<optimized out>, init@entry=3D<ptrmem_cst
0x7ffff7774b20>, init_const_expr_p=3Dtrue, asmspec_tree=3D<optimized out>,
asmspec_tree@entry=3D<tree 0x0>, flags=3D5)
    at /home/marxin/Programming/gcc/gcc/cp/decl.c:7744
#1  0x0000000000b06168 in cp_parser_init_declarator (parser=3D0x7ffff760e7b=
8,
flags=3D<optimized out>, decl_specifiers=3D0x7fffffffd2b0, checks=3D0x0,
function_definition_allowed_p=3D<optimized out>, member_p=3D<optimized out>,
declares_class_or_enum=3D0,=20
    function_definition_p=3D0x7fffffffd350, maybe_range_for_decl=3D0x0,
init_loc=3D0x7fffffffd29c, auto_result=3D0x7fffffffd3f0) at
/home/marxin/Programming/gcc/gcc/cp/parser.c:21872
#2  0x0000000000ae166d in cp_parser_simple_declaration (parser=3D0x7ffff760=
e7b8,
function_definition_allowed_p=3D<optimized out>, maybe_range_for_decl=3D0x0=
) at
/home/marxin/Programming/gcc/gcc/cp/parser.c:14442
#3  0x0000000000ae385b in cp_parser_declaration_statement
(parser=3Dparser@entry=3D0x7ffff760e7b8) at
/home/marxin/Programming/gcc/gcc/cp/parser.c:13577
#4  0x0000000000ae3ea4 in cp_parser_statement (parser=3D0x7ffff760e7b8,
in_statement_expr=3D<tree 0x0>, in_compound=3D<optimized out>, if_p=3D<opti=
mized
out>, chain=3D<optimized out>, loc_after_labels=3D0x0) at
/home/marxin/Programming/gcc/gcc/cp/parser.c:11808
#5  0x0000000000ae5983 in cp_parser_statement_seq_opt
(parser=3Dparser@entry=3D0x7ffff760e7b8,
in_statement_expr=3Din_statement_expr@entry=3D<tree 0x0>) at
/home/marxin/Programming/gcc/gcc/cp/parser.c:12174

but the DECL_SIZE_UNIT is not adjusted.
@Jason: Can you please take a look?=