From: Martin Sebor <msebor@gmail.com>
To: Richard Biener <richard.guenther@gmail.com>
Cc: Jeff Law <law@redhat.com>, Gcc Patch List <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] set range for strlen(array) to avoid spurious -Wstringop-overflow (PR 83373 , PR 78450)
Date: Fri, 15 Dec 2017 15:58:00 -0000 [thread overview]
Message-ID: <b77a400a-f346-cb2a-3af6-681fb540a38b@gmail.com> (raw)
In-Reply-To: <CAFiYyc0hpXFTL2sqAcp3hZiphBZ3up0xCM9w5UbEkRwMEzLBQg@mail.gmail.com>
On 12/15/2017 01:48 AM, Richard Biener wrote:
> On Thu, Dec 14, 2017 at 5:01 PM, Martin Sebor <msebor@gmail.com> wrote:
>> On 12/14/2017 03:43 AM, Richard Biener wrote:
>>>
>>> On Wed, Dec 13, 2017 at 4:47 AM, Martin Sebor <msebor@gmail.com> wrote:
>>>>
>>>> On 12/12/2017 05:35 PM, Jeff Law wrote:
>>>>>
>>>>>
>>>>> On 12/12/2017 01:15 PM, Martin Sebor wrote:
>>>>>>
>>>>>>
>>>>>> Bug 83373 - False positive reported by -Wstringop-overflow, is
>>>>>> another example of warning triggered by a missed optimization
>>>>>> opportunity, this time in the strlen pass. The optimization
>>>>>> is discussed in pr78450 - strlen(s) return value can be assumed
>>>>>> to be less than the size of s. The gist of it is that the result
>>>>>> of strlen(array) can be assumed to be less than the size of
>>>>>> the array (except in the corner case of last struct members).
>>>>>>
>>>>>> To avoid the false positive the attached patch adds this
>>>>>> optimization to the strlen pass. Although the patch passes
>>>>>> bootstrap and regression tests for all front-ends I'm not sure
>>>>>> the way it determines the upper bound of the range is 100%
>>>>>> correct for languages with arrays with a non-zero lower bound.
>>>>>> Maybe it's just not as tight as it could be.
>>>>>
>>>>>
>>>>> What about something hideous like
>>>>>
>>>>> struct fu {
>>>>> char x1[10];
>>>>> char x2[10];
>>>>> int avoid_trailing_array;
>>>>> }
>>>>>
>>>>> Where objects stored in x1 are not null terminated. Are we in the realm
>>>>> of undefined behavior at that point (I hope so)?
>>>>
>>>>
>>>>
>>>> Yes, this is undefined. Pointer arithmetic (either direct or
>>>> via standard library functions) is only defined for pointers
>>>> to the same object or subobject. So even something like
>>>>
>>>> memcpy (pfu->x1, pfu->x1 + 10, 10);
>>>>
>>>> is undefined.
>>>
>>>
>>> There's nothing undefined here - computing the pointer pointing
>>> to one-after-the-last element of an array is valid (you are just
>>> not allowed to dereference it).
>>
>>
>> Right, and memcpy dereferences it, so it's undefined.
>
> That's interpretation of the standard that I don't share.
It's not an interpretation. It's a basic rule of the languages
that the standards are explicit about. In C11 you will find
this specified in detail in 6.5.6, paragraph 7 and 8 (of
particular relevance to your question below is p7: "a pointer
to an object that is not an element of an array behaves the same
as a pointer to the first element of an array of length one.")
> Also, if I have struct f { int i; int j; }; and a int * that points
> to the j member you say I have no standard conforming way
> to get at a pointer to the i member from this, right?
Correct. See above.
> Because
> the pointer points to an 'int' object. But it also points within
> a struct f object! So at least maybe (int *)((char *)p - offsetof
> (struct f, j))
> should be valid?
No, not really. It works in practice but it's not well-defined.
It doesn't matter how you get at the result. What matters is
what you start with. As Jeff said, to derive a pointer to
distinct suobjects of a larger object you need to start with
a pointer to the larger object and treat it as an array of
chars.
> This means that pfu->x1 + 10 is a valid pointer
> into *pfu no matter what you say and you can dereference it.
No.
As another hopefully more convincing example consider a multi-
dimensional array A[2][2]. The value of the offset of A[i][j]
is sizeof A[i] + j. With that, the offset of A[1][0] is
sizeof A[1] + 0, and so would be the offset of A[0][2]. But
that doesn't make A[0][2] a valid reference to an element of
A (because A[0] has only two elements, A[0][0] and A[0][1]),
or &A[0] + 2 a derefernceable pointer. It's a pointer that
points just past the last element of the array A[0]. That
there's another array right after A[0] (namely A[1]) is
immaterial, same as in the struct f example above.
Martin
next prev parent reply other threads:[~2017-12-15 15:58 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-12 20:15 Martin Sebor
2017-12-13 0:35 ` Jeff Law
2017-12-13 3:47 ` Martin Sebor
2017-12-14 10:43 ` Richard Biener
2017-12-14 16:01 ` Martin Sebor
2017-12-15 8:50 ` Richard Biener
2017-12-15 15:58 ` Martin Sebor [this message]
2017-12-15 16:17 ` Richard Biener
2017-12-15 17:29 ` Martin Sebor
2017-12-16 17:38 ` Martin Sebor
2017-12-14 16:13 ` Jeff Law
2017-12-14 16:19 ` Jakub Jelinek
2017-12-14 18:51 ` Martin Sebor
2017-12-14 18:55 ` Jakub Jelinek
2017-12-14 19:04 ` Jeff Law
2017-12-18 22:53 ` Martin Sebor
2017-12-13 7:25 ` Bernhard Reutner-Fischer
2017-12-13 16:16 ` Martin Sebor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b77a400a-f346-cb2a-3af6-681fb540a38b@gmail.com \
--to=msebor@gmail.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=law@redhat.com \
--cc=richard.guenther@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).