* [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
@ 2008-04-04 1:04 Simon Baldwin
2008-04-04 9:59 ` Richard Guenther
2008-04-08 16:07 ` Dirk Mueller
0 siblings, 2 replies; 28+ messages in thread
From: Simon Baldwin @ 2008-04-04 1:04 UTC (permalink / raw)
To: gcc-patches
Attached below is a modest patch to provide a subset of the -Warray-bounds
warnings from tree-vrp.c in the C and C++ front ends. This permits the
compiler to warn about egregious array bounds violations in unoptimized
compilations or compilations that may use -fno-tree-vrp. At present, array
bounds checking is only done on optimized compilations.
A side effect of copying these warnings up into the language frontends is
that warnings are now printed even if the array access is in dead or
inaccessible code.
The current array bounds tests are modified to account for this new checking,
and additionally there are two new tests for warnings from -O0 compilations,
one for C and one for C++.
Bootstrapped, and regression tested on i686 Linux for gcc and g++.
Thoughts? Okay for trunk?
:ADDPATCH diagnostic:
gcc/ChangeLog
2008-04-03 Simon Baldwin <simonb@google.com>
* c-typeck.c (build_array_ref): Added array bounds checking for
bounded arrays indexed by constants.
gcc/cp/ChangeLog
2008-04-03 Simon Baldwin <simonb@google.com>
* typeck.c (build_array_ref): Added array bounds checking for
bounded arrays indexed by constants.
gcc/testsuite/ChangeLog
2008-04-03 Simon Baldwin <simonb@google.com>
* testsuite/gcc.dg/Warray-bounds.c: Updated for frontend warnings.
* testsuite/g++.dg/warn/Warray-bounds.c: Updated for frontend warnings.
* testsuite/gcc.dg/Warray-bounds-noopt.c: New testcase.
* testsuite/g++.dg/warn/Warray-bounds-noopt.c: New testcase.
Index: gcc/doc/invoke.texi
===================================================================
--- gcc/doc/invoke.texi (revision 133772)
+++ gcc/doc/invoke.texi (working copy)
@@ -2658,7 +2658,7 @@
@option{-Wall} turns on the following warning flags:
@gccoptlist{-Waddress @gol
--Warray-bounds @r{(only with} @option{-O2}@r{)} @gol
+-Warray-bounds @r{(some checks, but more complete with} @option{-O2}@r{)} @gol
-Wc++0x-compat @gol
-Wchar-subscripts @gol
-Wimplicit-int @gol
@@ -3361,7 +3361,8 @@
@item -Warray-bounds
@opindex Wno-array-bounds
@opindex Warray-bounds
-This option is only active when @option{-ftree-vrp} is active
+This option performs a subset of checks in unoptimized compilations, and
+stricter checking when @option{-ftree-vrp} is active
(default for -O2 and above). It warns about subscripts to arrays
that are always out of bounds. This warning is enabled by @option{-Wall}.
Index: gcc/testsuite/gcc.dg/Warray-bounds.c
===================================================================
--- gcc/testsuite/gcc.dg/Warray-bounds.c (revision 133772)
+++ gcc/testsuite/gcc.dg/Warray-bounds.c (working copy)
@@ -56,13 +56,13 @@
g(&a[8]);
g(&a[9]);
g(&a[10]);
- g(&a[11]); /* { dg-warning "array subscript" "" { xfail *-*-* } } */
- g(&a[-30]+10); /* { dg-warning "array subscript" } */
- g(&a[-30]+30);
+ g(&a[11]); /* { dg-warning "array subscript" } */
+ g(&a[-30]+10); /* { dg-warning "array subscript" } */
+ g(&a[-30]+30); /* { dg-warning "array subscript" } */
g(&b[10]);
g(&c.c[10]);
- g(&b[11]); /* { dg-warning "array subscript" "" { xfail *-*-* } } */
+ g(&b[11]); /* { dg-warning "array subscript" } */
g(&c.c[11]); /* { dg-warning "array subscript" } */
g(&a[0]);
@@ -71,11 +71,11 @@
g(&a[-1]); /* { dg-warning "array subscript" } */
g(&b[-1]); /* { dg-warning "array subscript" } */
- h(sizeof a[-1]);
+ h(sizeof a[-1]); /* { dg-warning "array subscript" } */
h(sizeof a[10]);
- h(sizeof b[-1]);
+ h(sizeof b[-1]); /* { dg-warning "array subscript" } */
h(sizeof b[10]);
- h(sizeof c.c[-1]);
+ h(sizeof c.c[-1]); /* { dg-warning "array subscript" } */
h(sizeof c.c[10]);
if (10 < 10)
@@ -83,11 +83,10 @@
if (10 < 10)
b[10] = 0;
if (-1 >= 0)
- c.c[-1] = 0;
+ c.c[-1] = 0; /* { dg-warning "array subscript" } */
for (i = 20; i < 30; ++i)
a[i] = 1; /* { dg-warning "array subscript" } */
return a;
}
-
Index: gcc/testsuite/g++.dg/warn/Warray-bounds.C
===================================================================
--- gcc/testsuite/g++.dg/warn/Warray-bounds.C (revision 133772)
+++ gcc/testsuite/g++.dg/warn/Warray-bounds.C (working copy)
@@ -57,12 +57,11 @@
g(&a[9]);
g(&a[10]);
g(&a[11]); /* { dg-warning "array subscript" } */
- g(&a[-30]+10); /* { dg-warning "array subscript" } */
- g(&a[-30]+30);
+ g(&a[-30]+10); /* { dg-warning "array subscript" } */
+ g(&a[-30]+30); /* { dg-warning "array subscript" } */
g(&b[10]);
g(&c.c[10]);
- g(&a[11]); /* { dg-warning "array subscript" } */
g(&b[11]); /* { dg-warning "array subscript" } */
g(&c.c[11]); /* { dg-warning "array subscript" } */
@@ -72,11 +71,11 @@
g(&a[-1]); /* { dg-warning "array subscript" } */
g(&b[-1]); /* { dg-warning "array subscript" } */
- h(sizeof a[-1]);
+ h(sizeof a[-1]); /* { dg-warning "array subscript" } */
h(sizeof a[10]);
- h(sizeof b[-1]);
+ h(sizeof b[-1]); /* { dg-warning "array subscript" } */
h(sizeof b[10]);
- h(sizeof c.c[-1]);
+ h(sizeof c.c[-1]); /* { dg-warning "array subscript" } */
h(sizeof c.c[10]);
if (10 < 10)
@@ -84,8 +83,10 @@
if (10 < 10)
b[10] = 0;
if (-1 >= 0)
- c.c[-1] = 0;
+ c.c[-1] = 0; /* { dg-warning "array subscript" } */
+
+ for (i = 20; i < 30; ++i)
+ a[i] = 1; /* { dg-warning "array subscript" } */
return a;
}
-
Index: gcc/cp/typeck.c
===================================================================
--- gcc/cp/typeck.c (revision 133772)
+++ gcc/cp/typeck.c (working copy)
@@ -2554,7 +2554,8 @@
if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE)
{
- tree rval, type;
+ bool has_warned_on_bounds_check = false;
+ tree rval, type, ref;
warn_array_subscript_with_type_char (idx);
@@ -2571,6 +2572,48 @@
pointer arithmetic.) */
idx = perform_integral_promotions (idx);
+ /* Warn about obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. This is a subset of similar checks in
+ tree-vrp.c; by doing this here we can get some level of checking
+ from non-optimized, non-vrp compilation. */
+ if (TREE_CODE (idx) == INTEGER_CST && TYPE_DOMAIN (TREE_TYPE (array)))
+ {
+ const_tree max_index;
+
+ max_index = TYPE_MAX_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (max_index && TREE_CODE (max_index) == INTEGER_CST
+ && tree_int_cst_lt (max_index, idx)
+ && !tree_int_cst_equal (idx, max_index)
+ /* Always allow off-by-one. */
+ && !tree_int_cst_equal (int_const_binop (PLUS_EXPR,
+ max_index,
+ integer_one_node,
+ 0),
+ idx)
+ /* Accesses after the end of arrays of size 0 (gcc
+ extension) and 1 are likely intentional ("struct
+ hack"). */
+ && compare_tree_int (max_index, 1) > 0)
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is above array bounds");
+ has_warned_on_bounds_check = true;
+ }
+ else
+ {
+ const_tree min_index;
+
+ min_index = TYPE_MIN_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (min_index && TREE_CODE (min_index) == INTEGER_CST
+ && tree_int_cst_lt (idx, min_index))
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is below array bounds");
+ has_warned_on_bounds_check = true;
+ }
+ }
+ }
+
/* An array that is indexed by a non-constant
cannot be stored in a register; we must be able to do
address arithmetic on its address.
@@ -2621,7 +2664,12 @@
|= (CP_TYPE_VOLATILE_P (type) | TREE_SIDE_EFFECTS (array));
TREE_THIS_VOLATILE (rval)
|= (CP_TYPE_VOLATILE_P (type) | TREE_THIS_VOLATILE (array));
- return require_complete_type (fold_if_not_in_template (rval));
+ ref = require_complete_type (fold_if_not_in_template (rval));
+
+ /* Suppress bounds warning in tree-vrp.c if already warned here. */
+ if (has_warned_on_bounds_check)
+ TREE_NO_WARNING (ref) = 1;
+ return ref;
}
{
Index: gcc/c-typeck.c
===================================================================
--- gcc/c-typeck.c (revision 133772)
+++ gcc/c-typeck.c (working copy)
@@ -2086,7 +2086,50 @@
if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE)
{
- tree rval, type;
+ bool has_warned_on_bounds_check = false;
+ tree rval, type, ref;
+
+ /* Warn about obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. This is a subset of similar checks in
+ tree-vrp.c; by doing this here we can get some level of checking
+ from non-optimized, non-vrp compilation. */
+ if (TREE_CODE (index) == INTEGER_CST && TYPE_DOMAIN (TREE_TYPE (array)))
+ {
+ const_tree max_index;
+
+ max_index = TYPE_MAX_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (max_index && TREE_CODE (max_index) == INTEGER_CST
+ && tree_int_cst_lt (max_index, index)
+ && !tree_int_cst_equal (index, max_index)
+ /* Always allow off-by-one. */
+ && !tree_int_cst_equal (int_const_binop (PLUS_EXPR,
+ max_index,
+ integer_one_node,
+ 0),
+ index)
+ /* Accesses after the end of arrays of size 0 (gcc
+ extension) and 1 are likely intentional ("struct
+ hack"). */
+ && compare_tree_int (max_index, 1) > 0)
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is above array bounds");
+ has_warned_on_bounds_check = true;
+ }
+ else
+ {
+ const_tree min_index;
+
+ min_index = TYPE_MIN_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (min_index && TREE_CODE (min_index) == INTEGER_CST
+ && tree_int_cst_lt (index, min_index))
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is below array bounds");
+ has_warned_on_bounds_check = true;
+ }
+ }
+ }
/* An array that is indexed by a non-constant
cannot be stored in a register; we must be able to do
@@ -2139,7 +2182,12 @@
in an inline function.
Hope it doesn't break something else. */
| TREE_THIS_VOLATILE (array));
- return require_complete_type (fold (rval));
+ ref = require_complete_type (fold (rval));
+
+ /* Suppress bounds warning in tree-vrp.c if already warned here. */
+ if (has_warned_on_bounds_check)
+ TREE_NO_WARNING (ref) = 1;
+ return ref;
}
else
{
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-04 1:04 [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends Simon Baldwin
@ 2008-04-04 9:59 ` Richard Guenther
2008-04-04 23:50 ` Simon Baldwin
2008-04-08 19:42 ` Mark Mitchell
2008-04-08 16:07 ` Dirk Mueller
1 sibling, 2 replies; 28+ messages in thread
From: Richard Guenther @ 2008-04-04 9:59 UTC (permalink / raw)
To: Simon Baldwin; +Cc: gcc-patches
On Fri, Apr 4, 2008 at 1:07 AM, Simon Baldwin <simonb@google.com> wrote:
> Attached below is a modest patch to provide a subset of the -Warray-bounds
> warnings from tree-vrp.c in the C and C++ front ends. This permits the
> compiler to warn about egregious array bounds violations in unoptimized
> compilations or compilations that may use -fno-tree-vrp. At present, array
> bounds checking is only done on optimized compilations.
>
> A side effect of copying these warnings up into the language frontends is
> that warnings are now printed even if the array access is in dead or
> inaccessible code.
>
> The current array bounds tests are modified to account for this new checking,
> and additionally there are two new tests for warnings from -O0 compilations,
> one for C and one for C++.
>
> Bootstrapped, and regression tested on i686 Linux for gcc and g++.
>
> Thoughts? Okay for trunk?
I think it is a good thing to move these to the frontends. Did you test
the warning on some real-world C and C++ code? I expect some
"false" positives from deliberately partial dead code coming from
template instantiation or constant propagation from function arguments.
Thanks,
Richard.
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-04 9:59 ` Richard Guenther
@ 2008-04-04 23:50 ` Simon Baldwin
2008-04-05 0:50 ` Andrew Pinski
2008-04-08 19:42 ` Mark Mitchell
1 sibling, 1 reply; 28+ messages in thread
From: Simon Baldwin @ 2008-04-04 23:50 UTC (permalink / raw)
To: Richard Guenther; +Cc: gcc-patches
Richard Guenther wrote:
> On Fri, Apr 4, 2008 at 1:07 AM, Simon Baldwin <simonb@google.com> wrote:
>
>> Attached below is a modest patch to provide a subset of the -Warray-bounds
>> warnings from tree-vrp.c in the C and C++ front ends. This permits the
>> compiler to warn about egregious array bounds violations in unoptimized
>> compilations or compilations that may use -fno-tree-vrp. At present, array
>> bounds checking is only done on optimized compilations.
>>
>> A side effect of copying these warnings up into the language frontends is
>> that warnings are now printed even if the array access is in dead or
>> inaccessible code.
>>
>> The current array bounds tests are modified to account for this new checking,
>> and additionally there are two new tests for warnings from -O0 compilations,
>> one for C and one for C++.
>>
>> Bootstrapped, and regression tested on i686 Linux for gcc and g++.
>>
>> Thoughts? Okay for trunk?
>>
>
> I think it is a good thing to move these to the frontends. Did you test
> the warning on some real-world C and C++ code? I expect some
> "false" positives from deliberately partial dead code coming from
> template instantiation or constant propagation from function arguments.
I tried it on a codebase consisting of more than 3,000 source modules,
almost all C++. Encouragingly, it produced no false positives, and only
one true positive, the latter from a "plant" I'd deliberately placed
into the code ahead of time just to be sure I'd set up the compilation
correctly.
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-04 23:50 ` Simon Baldwin
@ 2008-04-05 0:50 ` Andrew Pinski
2008-04-07 22:51 ` Simon Baldwin
` (2 more replies)
0 siblings, 3 replies; 28+ messages in thread
From: Andrew Pinski @ 2008-04-05 0:50 UTC (permalink / raw)
To: Simon Baldwin; +Cc: Richard Guenther, gcc-patches
On Fri, Apr 4, 2008 at 4:42 PM, Simon Baldwin <simonb@google.com> wrote:
> I tried it on a codebase consisting of more than 3,000 source modules,
> almost all C++. Encouragingly, it produced no false positives, and only one
> true positive, the latter from a "plant" I'd deliberately placed into the
> code ahead of time just to be sure I'd set up the compilation correctly.
Here is one case where this might break:
#define strlen(a) ({ int len = 0; if(__builtin_constant_p(a)) {if
(!a[0]) len=0; else if (!a[1]) len = 1; else if (!a[2]) len = 2; else
len = realstrlen(a); } else len = realstrlen (a); len;})
This is just a semi fake example (glibc does something like this for
one of the str* functions, I forget which one) where define comes up
with out of bounds array references in dead code.
Thanks,
Andrew Pinski
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-05 0:50 ` Andrew Pinski
@ 2008-04-07 22:51 ` Simon Baldwin
2008-04-08 9:43 ` Richard Guenther
2008-04-08 15:39 ` Dirk Mueller
2008-04-08 15:21 ` Dirk Mueller
2008-04-10 18:05 ` Andrew Pinski
2 siblings, 2 replies; 28+ messages in thread
From: Simon Baldwin @ 2008-04-07 22:51 UTC (permalink / raw)
To: Andrew Pinski; +Cc: Richard Guenther, gcc-patches
Andrew Pinski wrote:
> On Fri, Apr 4, 2008 at 4:42 PM, Simon Baldwin <simonb@google.com> wrote:
>
>> I tried it on a codebase consisting of more than 3,000 source modules,
>> almost all C++. Encouragingly, it produced no false positives, and only one
>> true positive, the latter from a "plant" I'd deliberately placed into the
>> code ahead of time just to be sure I'd set up the compilation correctly.
>>
>
> Here is one case where this might break:
>
> #define strlen(a) ({ int len = 0; if(__builtin_constant_p(a)) {if
> (!a[0]) len=0; else if (!a[1]) len = 1; else if (!a[2]) len = 2; else
> len = realstrlen(a); } else len = realstrlen (a); len;})
>
> This is just a semi fake example (glibc does something like this for
> one of the str* functions, I forget which one) where define comes up
> with out of bounds array references in dead code.
Thanks for the note.
The semi-fake example above doesn't trigger the front-end warning added
by the patch. Warnings for subscripts above the array bounds are
suppressed for arrays defined with zero or one element, and this warning
also always allows over-by-one, so that accessing 'a[2]' for an array
defined with two elements gives no warning (but also see * below). As a
further test, I compiled glibc 2.4 with the patched compiler, and no
-Warray-bounds warnings triggered.
Can you recall or locate the glibc code that you think might have
problems here? I took a look through it and couldn't readily locate
anything that looked dodgy. There's bits/string2.h, of course, but
since it's a system header it should be immune, I think.
*) One extra finding from further testing. I believe that the check in
the patch that reads
+ /* Accesses after the end of arrays of size 0 (gcc
+ extension) and 1 are likely intentional ("struct
+ hack"). */
+ && compare_tree_int (max_index, 1) > 0)
is off-by-one, in that it disagrees with the comment. max_index here is
the largest valid subscript, not the array dimension. For 'int a[2]',
max_index is 1, so with this test, the warning is suppressed for arrays
dimensioned 2 or less, not 1 or less as noted in the comment.
I copied (and inverted) this out of check_array_ref() in tree-vrp.c, for
complete consistency. It uses
4541 /* Accesses after the end of arrays of size 0 (gcc
4542 extension) and 1 are likely intentional ("struct
4543 hack"). */
4544 || compare_tree_int (up_bound, 1) <= 0)
and this looks to be off-by-one or in disagreement with the comment in
the same way, borne out by testing current prerelase gcc 4.3.1
(unfortunately I don't have a top-of-tree unpatched 4.4 build readily to
hand):
1 int func(void) {
2 const char a[0], b[1], c[2], d[3], e[4];
3 int x = 0;
4
5 x += a[1]; // warning should be suppressed, and is
6 x += b[2]; // warning should be suppressed, and is
7 x += c[3]; // should warn, but doesn't
8 x += d[4]; // should warn, and does
9 x += e[5]; // should warn, and does
10
11 return x;
12 }
$ gcc -Wall -W -Warray-bounds -O2 -c a.c
a.c: In function 'func':
a.c:8: warning: array subscript is above array bounds
a.c:9: warning: array subscript is above array bounds
If my reading of the code is correct here, the probable conservative
course here is to amend the comments to reflect the code, rather than
the other way round, noting that arrays sized two elements or less have
this check suppressed. And maybe add an explicit test case for
clarity. The riskier course is to enable the checks for arrays
dimensioned two and above, and see what happens. Any preference?
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-07 22:51 ` Simon Baldwin
@ 2008-04-08 9:43 ` Richard Guenther
2008-04-08 15:39 ` Dirk Mueller
1 sibling, 0 replies; 28+ messages in thread
From: Richard Guenther @ 2008-04-08 9:43 UTC (permalink / raw)
To: Simon Baldwin; +Cc: Andrew Pinski, gcc-patches
On Mon, Apr 7, 2008 at 11:40 PM, Simon Baldwin <simonb@google.com> wrote:
>
> Andrew Pinski wrote:
>
> > On Fri, Apr 4, 2008 at 4:42 PM, Simon Baldwin <simonb@google.com> wrote:
> >
> >
> > > I tried it on a codebase consisting of more than 3,000 source modules,
> > > almost all C++. Encouragingly, it produced no false positives, and only
> one
> > > true positive, the latter from a "plant" I'd deliberately placed into
> the
> > > code ahead of time just to be sure I'd set up the compilation correctly.
> > >
> > >
> >
> > Here is one case where this might break:
> >
> > #define strlen(a) ({ int len = 0; if(__builtin_constant_p(a)) {if
> > (!a[0]) len=0; else if (!a[1]) len = 1; else if (!a[2]) len = 2; else
> > len = realstrlen(a); } else len = realstrlen (a); len;})
> >
> > This is just a semi fake example (glibc does something like this for
> > one of the str* functions, I forget which one) where define comes up
> > with out of bounds array references in dead code.
> >
>
> Thanks for the note.
>
> The semi-fake example above doesn't trigger the front-end warning added by
> the patch. Warnings for subscripts above the array bounds are suppressed
> for arrays defined with zero or one element, and this warning also always
> allows over-by-one, so that accessing 'a[2]' for an array defined with two
> elements gives no warning (but also see * below). As a further test, I
> compiled glibc 2.4 with the patched compiler, and no -Warray-bounds warnings
> triggered.
>
> Can you recall or locate the glibc code that you think might have problems
> here? I took a look through it and couldn't readily locate anything that
> looked dodgy. There's bits/string2.h, of course, but since it's a system
> header it should be immune, I think.
>
>
> *) One extra finding from further testing. I believe that the check in the
> patch that reads
>
>
> + /* Accesses after the end of arrays of size 0 (gcc
> + extension) and 1 are likely intentional ("struct
> + hack"). */
> + && compare_tree_int (max_index, 1) > 0)
>
> is off-by-one, in that it disagrees with the comment. max_index here is
> the largest valid subscript, not the array dimension. For 'int a[2]',
> max_index is 1, so with this test, the warning is suppressed for arrays
> dimensioned 2 or less, not 1 or less as noted in the comment.
>
> I copied (and inverted) this out of check_array_ref() in tree-vrp.c, for
> complete consistency. It uses
>
> 4541 /* Accesses after the end of arrays of size 0 (gcc
> 4542 extension) and 1 are likely intentional ("struct
> 4543 hack"). */
> 4544 || compare_tree_int (up_bound, 1) <= 0)
>
> and this looks to be off-by-one or in disagreement with the comment in the
> same way, borne out by testing current prerelase gcc 4.3.1 (unfortunately I
> don't have a top-of-tree unpatched 4.4 build readily to hand):
>
> 1 int func(void) {
> 2 const char a[0], b[1], c[2], d[3], e[4];
> 3 int x = 0;
> 4
> 5 x += a[1]; // warning should be suppressed, and is
> 6 x += b[2]; // warning should be suppressed, and is
> 7 x += c[3]; // should warn, but doesn't
> 8 x += d[4]; // should warn, and does
> 9 x += e[5]; // should warn, and does
> 10
> 11 return x;
> 12 }
>
> $ gcc -Wall -W -Warray-bounds -O2 -c a.c
> a.c: In function 'func':
> a.c:8: warning: array subscript is above array bounds
> a.c:9: warning: array subscript is above array bounds
>
> If my reading of the code is correct here, the probable conservative course
> here is to amend the comments to reflect the code, rather than the other way
> round, noting that arrays sized two elements or less have this check
> suppressed. And maybe add an explicit test case for clarity. The riskier
> course is to enable the checks for arrays dimensioned two and above, and see
> what happens. Any preference?
Feel free to fix the off-by-one errors.
Thanks,
Richard.
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-05 0:50 ` Andrew Pinski
2008-04-07 22:51 ` Simon Baldwin
@ 2008-04-08 15:21 ` Dirk Mueller
2008-04-10 18:05 ` Andrew Pinski
2 siblings, 0 replies; 28+ messages in thread
From: Dirk Mueller @ 2008-04-08 15:21 UTC (permalink / raw)
To: gcc-patches
On Saturday 05 April 2008, Andrew Pinski wrote:
> This is just a semi fake example (glibc does something like this for
> one of the str* functions, I forget which one) where define comes up
> with out of bounds array references in dead code.
strpbrk usually triggers that.
Greetings,
Dirk
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-07 22:51 ` Simon Baldwin
2008-04-08 9:43 ` Richard Guenther
@ 2008-04-08 15:39 ` Dirk Mueller
1 sibling, 0 replies; 28+ messages in thread
From: Dirk Mueller @ 2008-04-08 15:39 UTC (permalink / raw)
To: gcc-patches
On Tuesday 08 April 2008, Simon Baldwin wrote:
> If my reading of the code is correct here, the probable conservative
> course here is to amend the comments to reflect the code, rather than
> the other way round, noting that arrays sized two elements or less have
> this check suppressed. And maybe add an explicit test case for
> clarity. The riskier course is to enable the checks for arrays
> dimensioned two and above, and see what happens. Any preference?
The code should be adjusted to match the comment, I believe.
Greetings,
Dirk
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-04 1:04 [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends Simon Baldwin
2008-04-04 9:59 ` Richard Guenther
@ 2008-04-08 16:07 ` Dirk Mueller
1 sibling, 0 replies; 28+ messages in thread
From: Dirk Mueller @ 2008-04-08 16:07 UTC (permalink / raw)
To: gcc-patches; +Cc: Simon Baldwin
On Friday 04 April 2008, Simon Baldwin wrote:
> Attached below is a modest patch to provide a subset of the -Warray-bounds
> warnings from tree-vrp.c in the C and C++ front ends.
Is there a reason you haven't implemented that in c-common.c with hooks in the
different frontends calling it?
dg-warning "array subscript" } */
> - h(sizeof a[-1]);
> + h(sizeof a[-1]); /* { dg-warning "array subscript" } */
I'm not sure it should be warning here, and I think it would be possible to
suppress the warning here.
Thanks,
Dirk
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-04 9:59 ` Richard Guenther
2008-04-04 23:50 ` Simon Baldwin
@ 2008-04-08 19:42 ` Mark Mitchell
2008-04-11 20:37 ` Simon Baldwin
1 sibling, 1 reply; 28+ messages in thread
From: Mark Mitchell @ 2008-04-08 19:42 UTC (permalink / raw)
To: Richard Guenther; +Cc: Simon Baldwin, gcc-patches
Richard Guenther wrote:
>> Thoughts? Okay for trunk?
>
> I think it is a good thing to move these to the frontends.
Me too! The code all looks good. However, I do think this should be
factored into a function in c_common.
Also:
+ if (min_index && TREE_CODE (min_index) == INTEGER_CST
+ && tree_int_cst_lt (idx, min_index))
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is below array bounds");
could do with a better error message. In C/C++, the min_index is (I
believe) always zero. I think you're right to have written the test in
terms of min_index (future-proofing!), but I think we should special
case the message. If the idx is negative and the min_index is zero, say:
"array subscript is negative"
That's more obvious to the average user.
Thanks,
--
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-05 0:50 ` Andrew Pinski
2008-04-07 22:51 ` Simon Baldwin
2008-04-08 15:21 ` Dirk Mueller
@ 2008-04-10 18:05 ` Andrew Pinski
2 siblings, 0 replies; 28+ messages in thread
From: Andrew Pinski @ 2008-04-10 18:05 UTC (permalink / raw)
To: Simon Baldwin; +Cc: Richard Guenther, gcc-patches
On Fri, Apr 4, 2008 at 4:50 PM, Andrew Pinski <pinskia@gmail.com> wrote:
> This is just a semi fake example (glibc does something like this for
> one of the str* functions, I forget which one) where define comes up
> with out of bounds array references in dead code.
I was reported an example of where this happens (even currently but
that is a different issue):
From #gcc:
[10:44:57] < ryanarn> So is this actually bad form in C? strcmp (arg,
"no");? GCC 4.3 warns by default now. It should be:char no[]=
"no\0"; strcmp(arg,no);?
[10:45:33] < apinski> what is the warning about?
[10:46:01] < ryanarn> warning: array subscript is above array bounds
[10:46:09] < apinski> false warnings
[10:46:13] < apinski> due to glibc
[10:46:34] < apinski> this is why I mentioned about why we should not
move these warnings to the front-end
[10:46:55] < ryanarn> apinski: well this is in glibc's libm-test.c
So if you want to test for the warning, please try running make check
with glibc also and not just building it. Also try compiling glibc
2.6.x instead of 2.4.x or better yet the trunk of glibc where I think
Ryan found these warnings.
Thanks,
Andrew Pinski
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-08 19:42 ` Mark Mitchell
@ 2008-04-11 20:37 ` Simon Baldwin
2008-04-15 19:18 ` Tom Tromey
2008-04-26 13:42 ` Simon Baldwin
0 siblings, 2 replies; 28+ messages in thread
From: Simon Baldwin @ 2008-04-11 20:37 UTC (permalink / raw)
To: Mark Mitchell, Richard Guenther, gcc-patches, Dirk Mueller
[-- Attachment #1: Type: text/plain, Size: 1513 bytes --]
Thanks for the feedback.
I've incorporated most comments, and a revised patch is attached below.
One thing I wasn't able to fathom was how to suppress warnings about
"sizeof(a[-1])" in the C and C++ frontends; if anyone's got any hints on
this, I'd love to hear them.
In testing, the new version passes bootstrap and gcc tests, and also the
3k C++ source files real world test.
When compiling libc 2.4 with it, two new warnings arise, in optimized
(tree-vrp) builds only, so from tree-vrp.c:check_array_ref():
digits_dots.c: In function '__nss_hostname_digits_dots':
digits_dots.c:159: warning: array subscript is above array bounds
digits_dots.c:291: warning: array subscript is above array bounds
Abstracting out the problematic parts of this gives:
void func(void) {
typedef unsigned char host_addr_t[16];
host_addr_t *host_addr;
typedef char *host_addr_list_t[2];
host_addr_list_t *h_addr_ptrs;
char **h_alias_ptr;
host_addr = (host_addr_t *) 0;
h_addr_ptrs = (host_addr_list_t *) ((char *) host_addr + sizeof
(*host_addr));
h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));
h_alias_ptr[0] = ((void *)0); // Warning here
}
This doesn't show up with un-patched gcc because h_alias_ptr appears in
tree-vrp as having dimension 2, and prior to this patch
check_array_ref() let a[2], as well as a[1] and a[0], slide by
unchecked. I'm wondering if check_array_ref() doesn't actually have a
bona-fide complaint here.
[-- Attachment #2: bounds.patch --]
[-- Type: text/x-patch, Size: 13998 bytes --]
This is a modest patch to provide a subset of the -Warray-bounds warnings
from tree-vrp.c in the C and C++ front ends. This permits the compiler to
warn about egregious array bounds violations in unoptimized compilations or
compilations that may use -fno-tree-vrp. At present, array bounds checking
is only done on optimized compilations.
A side effect of copying these warnings up into the language frontends is
that warnings are now printed even if the array access is in dead or
inaccessible code.
The current array bounds tests are modified to account for this new checking,
and additionally there are two new tests for warnings from -O0 compilations,
one for C and one for C++.
Bootstrapped, and regression tested on i686 Linux for gcc and g++.
:ADDPATCH diagnostic:
gcc/ChangeLog
2008-04-09 Simon Baldwin <simonb@google.com>
* c-common.h (warn_array_subscript_range): New function.
* c-common.c (warn_array_subscript_range): Ditto.
* tree-vrp.c (check_array_ref): Corrected code to agree with
comment, ignoring only arrays of size 0 or size 1.
* c-typeck.c (build_array_ref): Call warn_array_subscript_range.
gcc/cp/ChangeLog
2008-04-09 Simon Baldwin <simonb@google.com>
* typeck.c (build_array_ref): Call warn_array_subscript_range.
gcc/testsuite/ChangeLog
2008-04-09 Simon Baldwin <simonb@google.com>
* testsuite/gcc.dg/Warray-bounds.c: Updated for frontend warnings,
additional tests for arrays of size 0 and size 1.
* testsuite/g++.dg/warn/Warray-bounds.c: Ditto.
* testsuite/gcc.dg/Warray-bounds-noopt.c: New testcase.
* testsuite/g++.dg/warn/Warray-bounds-noopt.c: Ditto.
Index: gcc/tree-vrp.c
===================================================================
--- gcc/tree-vrp.c (revision 133772)
+++ gcc/tree-vrp.c (working copy)
@@ -4540,8 +4540,8 @@
&& TYPE_MAX_VALUE (TYPE_DOMAIN (TREE_TYPE (ref))) == NULL_TREE)
/* Accesses after the end of arrays of size 0 (gcc
extension) and 1 are likely intentional ("struct
- hack"). */
- || compare_tree_int (up_bound, 1) <= 0)
+ hack"). Note that up_bound is array dimension - 1. */
+ || compare_tree_int (up_bound, 1) < 0)
return;
low_bound = array_ref_low_bound (ref);
Index: gcc/doc/invoke.texi
===================================================================
--- gcc/doc/invoke.texi (revision 133772)
+++ gcc/doc/invoke.texi (working copy)
@@ -2658,7 +2658,7 @@
@option{-Wall} turns on the following warning flags:
@gccoptlist{-Waddress @gol
--Warray-bounds @r{(only with} @option{-O2}@r{)} @gol
+-Warray-bounds @r{(some checks, but more complete with} @option{-O2}@r{)} @gol
-Wc++0x-compat @gol
-Wchar-subscripts @gol
-Wimplicit-int @gol
@@ -3361,7 +3361,8 @@
@item -Warray-bounds
@opindex Wno-array-bounds
@opindex Warray-bounds
-This option is only active when @option{-ftree-vrp} is active
+This option performs a subset of checks in unoptimized compilations, and
+stricter checking when @option{-ftree-vrp} is active
(default for -O2 and above). It warns about subscripts to arrays
that are always out of bounds. This warning is enabled by @option{-Wall}.
Index: gcc/testsuite/gcc.dg/Warray-bounds.c
===================================================================
--- gcc/testsuite/gcc.dg/Warray-bounds.c (revision 133772)
+++ gcc/testsuite/gcc.dg/Warray-bounds.c (working copy)
@@ -17,6 +17,7 @@
struct {
int c[10];
} c;
+ int p[0], q[1], r[2], s[3], t[4];
a[-1] = 0; /* { dg-warning "array subscript" } */
a[ 0] = 0;
@@ -56,13 +57,13 @@
g(&a[8]);
g(&a[9]);
g(&a[10]);
- g(&a[11]); /* { dg-warning "array subscript" "" { xfail *-*-* } } */
- g(&a[-30]+10); /* { dg-warning "array subscript" } */
- g(&a[-30]+30);
+ g(&a[11]); /* { dg-warning "array subscript" } */
+ g(&a[-30]+10); /* { dg-warning "array subscript" } */
+ g(&a[-30]+30); /* { dg-warning "array subscript" } */
g(&b[10]);
g(&c.c[10]);
- g(&b[11]); /* { dg-warning "array subscript" "" { xfail *-*-* } } */
+ g(&b[11]); /* { dg-warning "array subscript" } */
g(&c.c[11]); /* { dg-warning "array subscript" } */
g(&a[0]);
@@ -71,23 +72,52 @@
g(&a[-1]); /* { dg-warning "array subscript" } */
g(&b[-1]); /* { dg-warning "array subscript" } */
- h(sizeof a[-1]);
+ h(sizeof a[-1]); /* { dg-warning "array subscript" } */
h(sizeof a[10]);
- h(sizeof b[-1]);
+ h(sizeof b[-1]); /* { dg-warning "array subscript" } */
h(sizeof b[10]);
- h(sizeof c.c[-1]);
+ h(sizeof c.c[-1]); /* { dg-warning "array subscript" } */
h(sizeof c.c[10]);
+ p[-1] = 0; /* { dg-warning "array subscript" } */
+ p[0] = 0;
+ p[1] = 0;
+
+ q[-1] = 0; /* { dg-warning "array subscript" } */
+ q[0] = 0;
+ q[1] = 0;
+ q[2] = 0;
+
+ r[-1] = 0; /* { dg-warning "array subscript" } */
+ r[0] = 0;
+ r[1] = 0;
+ r[2] = 0;
+ r[3] = 0; /* { dg-warning "array subscript" } */
+
+ s[-1] = 0; /* { dg-warning "array subscript" } */
+ s[0] = 0;
+ s[1] = 0;
+ s[2] = 0;
+ s[3] = 0;
+ s[4] = 0; /* { dg-warning "array subscript" } */
+
+ t[-1] = 0; /* { dg-warning "array subscript" } */
+ t[0] = 0;
+ t[1] = 0;
+ t[2] = 0;
+ t[3] = 0;
+ t[4] = 0;
+ t[5] = 0; /* { dg-warning "array subscript" } */
+
if (10 < 10)
a[10] = 0;
if (10 < 10)
b[10] = 0;
if (-1 >= 0)
- c.c[-1] = 0;
+ c.c[-1] = 0; /* { dg-warning "array subscript" } */
for (i = 20; i < 30; ++i)
a[i] = 1; /* { dg-warning "array subscript" } */
return a;
}
-
Index: gcc/testsuite/g++.dg/warn/Warray-bounds.C
===================================================================
--- gcc/testsuite/g++.dg/warn/Warray-bounds.C (revision 133772)
+++ gcc/testsuite/g++.dg/warn/Warray-bounds.C (working copy)
@@ -17,6 +17,7 @@
struct {
int c[10];
} c;
+ int p[0], q[1], r[2], s[3], t[4];
a[-1] = 0; /* { dg-warning "array subscript" } */
a[ 0] = 0;
@@ -57,12 +58,11 @@
g(&a[9]);
g(&a[10]);
g(&a[11]); /* { dg-warning "array subscript" } */
- g(&a[-30]+10); /* { dg-warning "array subscript" } */
- g(&a[-30]+30);
+ g(&a[-30]+10); /* { dg-warning "array subscript" } */
+ g(&a[-30]+30); /* { dg-warning "array subscript" } */
g(&b[10]);
g(&c.c[10]);
- g(&a[11]); /* { dg-warning "array subscript" } */
g(&b[11]); /* { dg-warning "array subscript" } */
g(&c.c[11]); /* { dg-warning "array subscript" } */
@@ -72,20 +72,52 @@
g(&a[-1]); /* { dg-warning "array subscript" } */
g(&b[-1]); /* { dg-warning "array subscript" } */
- h(sizeof a[-1]);
+ h(sizeof a[-1]); /* { dg-warning "array subscript" } */
h(sizeof a[10]);
- h(sizeof b[-1]);
+ h(sizeof b[-1]); /* { dg-warning "array subscript" } */
h(sizeof b[10]);
- h(sizeof c.c[-1]);
+ h(sizeof c.c[-1]); /* { dg-warning "array subscript" } */
h(sizeof c.c[10]);
+ p[-1] = 0; /* { dg-warning "array subscript" } */
+ p[0] = 0;
+ p[1] = 0;
+
+ q[-1] = 0; /* { dg-warning "array subscript" } */
+ q[0] = 0;
+ q[1] = 0;
+ q[2] = 0;
+
+ r[-1] = 0; /* { dg-warning "array subscript" } */
+ r[0] = 0;
+ r[1] = 0;
+ r[2] = 0;
+ r[3] = 0; /* { dg-warning "array subscript" } */
+
+ s[-1] = 0; /* { dg-warning "array subscript" } */
+ s[0] = 0;
+ s[1] = 0;
+ s[2] = 0;
+ s[3] = 0;
+ s[4] = 0; /* { dg-warning "array subscript" } */
+
+ t[-1] = 0; /* { dg-warning "array subscript" } */
+ t[0] = 0;
+ t[1] = 0;
+ t[2] = 0;
+ t[3] = 0;
+ t[4] = 0;
+ t[5] = 0; /* { dg-warning "array subscript" } */
+
if (10 < 10)
a[10] = 0;
if (10 < 10)
b[10] = 0;
if (-1 >= 0)
- c.c[-1] = 0;
+ c.c[-1] = 0; /* { dg-warning "array subscript" } */
+
+ for (i = 20; i < 30; ++i)
+ a[i] = 1; /* { dg-warning "array subscript" } */
return a;
}
-
Index: gcc/cp/typeck.c
===================================================================
--- gcc/cp/typeck.c (revision 133772)
+++ gcc/cp/typeck.c (working copy)
@@ -2554,7 +2554,8 @@
if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE)
{
- tree rval, type;
+ bool has_warned_on_bounds_check = false;
+ tree rval, type, ref;
warn_array_subscript_with_type_char (idx);
@@ -2571,6 +2572,10 @@
pointer arithmetic.) */
idx = perform_integral_promotions (idx);
+ /* Warn about any obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. */
+ has_warned_on_bounds_check = warn_array_subscript_range (array, idx);
+
/* An array that is indexed by a non-constant
cannot be stored in a register; we must be able to do
address arithmetic on its address.
@@ -2621,7 +2626,12 @@
|= (CP_TYPE_VOLATILE_P (type) | TREE_SIDE_EFFECTS (array));
TREE_THIS_VOLATILE (rval)
|= (CP_TYPE_VOLATILE_P (type) | TREE_THIS_VOLATILE (array));
- return require_complete_type (fold_if_not_in_template (rval));
+ ref = require_complete_type (fold_if_not_in_template (rval));
+
+ /* Suppress bounds warning in tree-vrp.c if already warned here. */
+ if (has_warned_on_bounds_check)
+ TREE_NO_WARNING (ref) = 1;
+ return ref;
}
{
Index: gcc/c-typeck.c
===================================================================
--- gcc/c-typeck.c (revision 133772)
+++ gcc/c-typeck.c (working copy)
@@ -2086,7 +2086,12 @@
if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE)
{
- tree rval, type;
+ tree rval, type, ref;
+ bool has_warned_on_bounds_check = false;
+
+ /* Warn about any obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. */
+ has_warned_on_bounds_check = warn_array_subscript_range (array, index);
/* An array that is indexed by a non-constant
cannot be stored in a register; we must be able to do
@@ -2139,7 +2144,12 @@
in an inline function.
Hope it doesn't break something else. */
| TREE_THIS_VOLATILE (array));
- return require_complete_type (fold (rval));
+ ref = require_complete_type (fold (rval));
+
+ /* Suppress bounds warning in tree-vrp.c if already warned here. */
+ if (has_warned_on_bounds_check)
+ TREE_NO_WARNING (ref) = 1;
+ return ref;
}
else
{
Index: gcc/c-common.c
===================================================================
--- gcc/c-common.c (revision 133772)
+++ gcc/c-common.c (working copy)
@@ -7281,6 +7281,59 @@
warning (OPT_Wchar_subscripts, "array subscript has type %<char%>");
}
+/* Warn about obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. This is a subset of similar checks in
+ tree-vrp.c; by doing this here we can get some level of checking
+ from non-optimized, non-vrp compilation. Returns true if a warning
+ is issued. */
+
+bool
+warn_array_subscript_range (const_tree array, const_tree index)
+{
+ if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE
+ && TYPE_DOMAIN (TREE_TYPE (array)) && TREE_CODE (index) == INTEGER_CST)
+ {
+ const_tree max_index;
+
+ max_index = TYPE_MAX_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (max_index && TREE_CODE (max_index) == INTEGER_CST
+ && tree_int_cst_lt (max_index, index)
+ && !tree_int_cst_equal (index, max_index)
+ /* Always allow off-by-one. */
+ && !tree_int_cst_equal (int_const_binop (PLUS_EXPR,
+ max_index,
+ integer_one_node,
+ 0),
+ index)
+ /* Accesses after the end of arrays of size 0 (gcc
+ extension) and 1 are likely intentional ("struct
+ hack"). Note that max_index is array dimension - 1. */
+ && compare_tree_int (max_index, 1) >= 0)
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is above array bounds");
+ return true;
+ }
+ else
+ {
+ const_tree min_index;
+
+ min_index = TYPE_MIN_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (min_index && TREE_CODE (min_index) == INTEGER_CST
+ && tree_int_cst_lt (index, min_index))
+ {
+ warning (OPT_Warray_bounds,
+ compare_tree_int (min_index, 0) == 0
+ ? "array subscript is negative"
+ : "array subscript is below array bounds");
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
/* Implement -Wparentheses for the unexpected C precedence rules, to
cover cases like x + y << z which readers are likely to
misinterpret. We have seen an expression in which CODE is a binary
Index: gcc/c-common.h
===================================================================
--- gcc/c-common.h (revision 133772)
+++ gcc/c-common.h (working copy)
@@ -884,6 +884,7 @@
extern tree builtin_type_for_size (int, bool);
extern void warn_array_subscript_with_type_char (tree);
+extern bool warn_array_subscript_range (const_tree, const_tree);
extern void warn_about_parentheses (enum tree_code, enum tree_code,
enum tree_code);
extern void warn_for_unused_label (tree label);
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-11 20:37 ` Simon Baldwin
@ 2008-04-15 19:18 ` Tom Tromey
2008-04-26 13:42 ` Simon Baldwin
1 sibling, 0 replies; 28+ messages in thread
From: Tom Tromey @ 2008-04-15 19:18 UTC (permalink / raw)
To: Simon Baldwin; +Cc: Mark Mitchell, Richard Guenther, gcc-patches, Dirk Mueller
>>>>> "Simon" == Simon Baldwin <simonb@google.com> writes:
Simon> One thing I wasn't able to fathom was how to suppress warnings
Simon> about "sizeof(a[-1])" in the C and C++ frontends; if anyone's got any
Simon> hints on this, I'd love to hear them.
The global 'skip_evaluation' is set while handling sizeof and some
other things. It may be what you want.
Tom
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-11 20:37 ` Simon Baldwin
2008-04-15 19:18 ` Tom Tromey
@ 2008-04-26 13:42 ` Simon Baldwin
2008-04-27 14:56 ` Mark Mitchell
1 sibling, 1 reply; 28+ messages in thread
From: Simon Baldwin @ 2008-04-26 13:42 UTC (permalink / raw)
To: gcc-patches; +Cc: Mark Mitchell, Richard Guenther, Dirk Mueller
[-- Attachment #1: Type: text/plain, Size: 438 bytes --]
Thanks to a well targeted pointer from Tom Tromey, I've now added the
extra logic to suppress warnings about "sizeof(a[-1])" in the C and C++
frontends. Attached is the revised version.
So far I've been unable to reproduce the false warning from the current
(unpatched) tree-vrp.c implementation, reported in gcc PR 35903. I'll
keep trying.
In the meantime, go ahead and commit, leave in limbo, or consign to
history? Thanks.
[-- Attachment #2: bounds.patch --]
[-- Type: text/x-patch, Size: 13290 bytes --]
This is version 3 of a patch to provide a subset of -Warray-bounds warnings
from tree-vrp.c in the C and C++ front ends. This permits the compiler to
warn about egregious array bounds violations in unoptimized compilations or
compilations that may use -fno-tree-vrp. At present, array bounds checking
is only done on optimized compilations.
A side effect of copying these warnings up into the language frontends is
that warnings are now printed even if the array access is in dead or
inaccessible code.
The current array bounds tests are modified to account for this new checking,
and additionally there are two new tests for warnings from -O0 compilations,
one for C and one for C++.
The patch also updates the current array bounds checking logic in tree-vrp.c
to agree with the code comments.
Bootstrapped, and regression tested on i686 Linux for gcc and g++.
:ADDPATCH diagnostic:
gcc/ChangeLog
2008-04-25 Simon Baldwin <simonb@google.com>
* c-common.h (warn_array_subscript_range): New function.
* c-common.c (warn_array_subscript_range): Ditto.
* tree-vrp.c (check_array_ref): Corrected code to agree with
comment, ignoring only arrays of size 0 or size 1.
* c-typeck.c (build_array_ref): Call warn_array_subscript_range.
gcc/cp/ChangeLog
2008-04-25 Simon Baldwin <simonb@google.com>
* typeck.c (build_array_ref): Call warn_array_subscript_range.
gcc/testsuite/ChangeLog
2008-04-25 Simon Baldwin <simonb@google.com>
* testsuite/gcc.dg/Warray-bounds.c: Updated for frontend warnings,
additional tests for arrays of size 0 and size 1.
* testsuite/g++.dg/warn/Warray-bounds.c: Ditto.
* testsuite/gcc.dg/Warray-bounds-noopt.c: New testcase.
* testsuite/g++.dg/warn/Warray-bounds-noopt.c: Ditto.
Index: gcc/tree-vrp.c
===================================================================
--- gcc/tree-vrp.c (revision 133772)
+++ gcc/tree-vrp.c (working copy)
@@ -4540,8 +4540,8 @@
&& TYPE_MAX_VALUE (TYPE_DOMAIN (TREE_TYPE (ref))) == NULL_TREE)
/* Accesses after the end of arrays of size 0 (gcc
extension) and 1 are likely intentional ("struct
- hack"). */
- || compare_tree_int (up_bound, 1) <= 0)
+ hack"). Note that up_bound is array dimension - 1. */
+ || compare_tree_int (up_bound, 1) < 0)
return;
low_bound = array_ref_low_bound (ref);
Index: gcc/doc/invoke.texi
===================================================================
--- gcc/doc/invoke.texi (revision 133772)
+++ gcc/doc/invoke.texi (working copy)
@@ -2658,7 +2658,7 @@
@option{-Wall} turns on the following warning flags:
@gccoptlist{-Waddress @gol
--Warray-bounds @r{(only with} @option{-O2}@r{)} @gol
+-Warray-bounds @r{(some checks, but more complete with} @option{-O2}@r{)} @gol
-Wc++0x-compat @gol
-Wchar-subscripts @gol
-Wimplicit-int @gol
@@ -3361,7 +3361,8 @@
@item -Warray-bounds
@opindex Wno-array-bounds
@opindex Warray-bounds
-This option is only active when @option{-ftree-vrp} is active
+This option performs a subset of checks in unoptimized compilations, and
+stricter checking when @option{-ftree-vrp} is active
(default for -O2 and above). It warns about subscripts to arrays
that are always out of bounds. This warning is enabled by @option{-Wall}.
Index: gcc/testsuite/gcc.dg/Warray-bounds.c
===================================================================
--- gcc/testsuite/gcc.dg/Warray-bounds.c (revision 133772)
+++ gcc/testsuite/gcc.dg/Warray-bounds.c (working copy)
@@ -17,6 +17,7 @@
struct {
int c[10];
} c;
+ int p[0], q[1], r[2], s[3], t[4];
a[-1] = 0; /* { dg-warning "array subscript" } */
a[ 0] = 0;
@@ -56,13 +57,13 @@
g(&a[8]);
g(&a[9]);
g(&a[10]);
- g(&a[11]); /* { dg-warning "array subscript" "" { xfail *-*-* } } */
- g(&a[-30]+10); /* { dg-warning "array subscript" } */
- g(&a[-30]+30);
+ g(&a[11]); /* { dg-warning "array subscript" } */
+ g(&a[-30]+10); /* { dg-warning "array subscript" } */
+ g(&a[-30]+30); /* { dg-warning "array subscript" } */
g(&b[10]);
g(&c.c[10]);
- g(&b[11]); /* { dg-warning "array subscript" "" { xfail *-*-* } } */
+ g(&b[11]); /* { dg-warning "array subscript" } */
g(&c.c[11]); /* { dg-warning "array subscript" } */
g(&a[0]);
@@ -78,16 +79,45 @@
h(sizeof c.c[-1]);
h(sizeof c.c[10]);
+ p[-1] = 0; /* { dg-warning "array subscript" } */
+ p[0] = 0;
+ p[1] = 0;
+
+ q[-1] = 0; /* { dg-warning "array subscript" } */
+ q[0] = 0;
+ q[1] = 0;
+ q[2] = 0;
+
+ r[-1] = 0; /* { dg-warning "array subscript" } */
+ r[0] = 0;
+ r[1] = 0;
+ r[2] = 0;
+ r[3] = 0; /* { dg-warning "array subscript" } */
+
+ s[-1] = 0; /* { dg-warning "array subscript" } */
+ s[0] = 0;
+ s[1] = 0;
+ s[2] = 0;
+ s[3] = 0;
+ s[4] = 0; /* { dg-warning "array subscript" } */
+
+ t[-1] = 0; /* { dg-warning "array subscript" } */
+ t[0] = 0;
+ t[1] = 0;
+ t[2] = 0;
+ t[3] = 0;
+ t[4] = 0;
+ t[5] = 0; /* { dg-warning "array subscript" } */
+
if (10 < 10)
a[10] = 0;
if (10 < 10)
b[10] = 0;
if (-1 >= 0)
- c.c[-1] = 0;
+ c.c[-1] = 0; /* { dg-warning "array subscript" } */
for (i = 20; i < 30; ++i)
a[i] = 1; /* { dg-warning "array subscript" } */
return a;
}
-
Index: gcc/testsuite/g++.dg/warn/Warray-bounds.C
===================================================================
--- gcc/testsuite/g++.dg/warn/Warray-bounds.C (revision 133772)
+++ gcc/testsuite/g++.dg/warn/Warray-bounds.C (working copy)
@@ -17,6 +17,7 @@
struct {
int c[10];
} c;
+ int p[0], q[1], r[2], s[3], t[4];
a[-1] = 0; /* { dg-warning "array subscript" } */
a[ 0] = 0;
@@ -57,12 +58,11 @@
g(&a[9]);
g(&a[10]);
g(&a[11]); /* { dg-warning "array subscript" } */
- g(&a[-30]+10); /* { dg-warning "array subscript" } */
- g(&a[-30]+30);
+ g(&a[-30]+10); /* { dg-warning "array subscript" } */
+ g(&a[-30]+30); /* { dg-warning "array subscript" } */
g(&b[10]);
g(&c.c[10]);
- g(&a[11]); /* { dg-warning "array subscript" } */
g(&b[11]); /* { dg-warning "array subscript" } */
g(&c.c[11]); /* { dg-warning "array subscript" } */
@@ -79,13 +79,45 @@
h(sizeof c.c[-1]);
h(sizeof c.c[10]);
+ p[-1] = 0; /* { dg-warning "array subscript" } */
+ p[0] = 0;
+ p[1] = 0;
+
+ q[-1] = 0; /* { dg-warning "array subscript" } */
+ q[0] = 0;
+ q[1] = 0;
+ q[2] = 0;
+
+ r[-1] = 0; /* { dg-warning "array subscript" } */
+ r[0] = 0;
+ r[1] = 0;
+ r[2] = 0;
+ r[3] = 0; /* { dg-warning "array subscript" } */
+
+ s[-1] = 0; /* { dg-warning "array subscript" } */
+ s[0] = 0;
+ s[1] = 0;
+ s[2] = 0;
+ s[3] = 0;
+ s[4] = 0; /* { dg-warning "array subscript" } */
+
+ t[-1] = 0; /* { dg-warning "array subscript" } */
+ t[0] = 0;
+ t[1] = 0;
+ t[2] = 0;
+ t[3] = 0;
+ t[4] = 0;
+ t[5] = 0; /* { dg-warning "array subscript" } */
+
if (10 < 10)
a[10] = 0;
if (10 < 10)
b[10] = 0;
if (-1 >= 0)
- c.c[-1] = 0;
+ c.c[-1] = 0; /* { dg-warning "array subscript" } */
+
+ for (i = 20; i < 30; ++i)
+ a[i] = 1; /* { dg-warning "array subscript" } */
return a;
}
-
Index: gcc/cp/typeck.c
===================================================================
--- gcc/cp/typeck.c (revision 133772)
+++ gcc/cp/typeck.c (working copy)
@@ -2554,7 +2554,8 @@
if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE)
{
- tree rval, type;
+ bool has_warned_on_bounds_check = false;
+ tree rval, type, ref;
warn_array_subscript_with_type_char (idx);
@@ -2571,6 +2572,10 @@
pointer arithmetic.) */
idx = perform_integral_promotions (idx);
+ /* Warn about any obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. */
+ has_warned_on_bounds_check = warn_array_subscript_range (array, idx);
+
/* An array that is indexed by a non-constant
cannot be stored in a register; we must be able to do
address arithmetic on its address.
@@ -2621,7 +2626,12 @@
|= (CP_TYPE_VOLATILE_P (type) | TREE_SIDE_EFFECTS (array));
TREE_THIS_VOLATILE (rval)
|= (CP_TYPE_VOLATILE_P (type) | TREE_THIS_VOLATILE (array));
- return require_complete_type (fold_if_not_in_template (rval));
+ ref = require_complete_type (fold_if_not_in_template (rval));
+
+ /* Suppress bounds warning in tree-vrp.c if already warned here. */
+ if (has_warned_on_bounds_check)
+ TREE_NO_WARNING (ref) = 1;
+ return ref;
}
{
Index: gcc/c-typeck.c
===================================================================
--- gcc/c-typeck.c (revision 133772)
+++ gcc/c-typeck.c (working copy)
@@ -2086,7 +2086,12 @@
if (TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE)
{
- tree rval, type;
+ tree rval, type, ref;
+ bool has_warned_on_bounds_check = false;
+
+ /* Warn about any obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. */
+ has_warned_on_bounds_check = warn_array_subscript_range (array, index);
/* An array that is indexed by a non-constant
cannot be stored in a register; we must be able to do
@@ -2139,7 +2144,12 @@
in an inline function.
Hope it doesn't break something else. */
| TREE_THIS_VOLATILE (array));
- return require_complete_type (fold (rval));
+ ref = require_complete_type (fold (rval));
+
+ /* Suppress bounds warning in tree-vrp.c if already warned here. */
+ if (has_warned_on_bounds_check)
+ TREE_NO_WARNING (ref) = 1;
+ return ref;
}
else
{
Index: gcc/c-common.c
===================================================================
--- gcc/c-common.c (revision 133772)
+++ gcc/c-common.c (working copy)
@@ -7281,6 +7281,60 @@
warning (OPT_Wchar_subscripts, "array subscript has type %<char%>");
}
+/* Warn about obvious array bounds errors for fixed size arrays that
+ are indexed by a constant. This is a subset of similar checks in
+ tree-vrp.c; by doing this here we can get some level of checking
+ from non-optimized, non-vrp compilation. Returns true if a warning
+ is issued. */
+
+bool
+warn_array_subscript_range (const_tree array, const_tree index)
+{
+ if (skip_evaluation == 0
+ && TREE_CODE (TREE_TYPE (array)) == ARRAY_TYPE
+ && TYPE_DOMAIN (TREE_TYPE (array)) && TREE_CODE (index) == INTEGER_CST)
+ {
+ const_tree max_index;
+
+ max_index = TYPE_MAX_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (max_index && TREE_CODE (max_index) == INTEGER_CST
+ && tree_int_cst_lt (max_index, index)
+ && !tree_int_cst_equal (index, max_index)
+ /* Always allow off-by-one. */
+ && !tree_int_cst_equal (int_const_binop (PLUS_EXPR,
+ max_index,
+ integer_one_node,
+ 0),
+ index)
+ /* Accesses after the end of arrays of size 0 (gcc
+ extension) and 1 are likely intentional ("struct
+ hack"). Note that max_index is array dimension - 1. */
+ && compare_tree_int (max_index, 1) >= 0)
+ {
+ warning (OPT_Warray_bounds,
+ "array subscript is above array bounds");
+ return true;
+ }
+ else
+ {
+ const_tree min_index;
+
+ min_index = TYPE_MIN_VALUE (TYPE_DOMAIN (TREE_TYPE (array)));
+ if (min_index && TREE_CODE (min_index) == INTEGER_CST
+ && tree_int_cst_lt (index, min_index))
+ {
+ warning (OPT_Warray_bounds,
+ compare_tree_int (min_index, 0) == 0
+ ? "array subscript is negative"
+ : "array subscript is below array bounds");
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
/* Implement -Wparentheses for the unexpected C precedence rules, to
cover cases like x + y << z which readers are likely to
misinterpret. We have seen an expression in which CODE is a binary
Index: gcc/c-common.h
===================================================================
--- gcc/c-common.h (revision 133772)
+++ gcc/c-common.h (working copy)
@@ -884,6 +884,7 @@
extern tree builtin_type_for_size (int, bool);
extern void warn_array_subscript_with_type_char (tree);
+extern bool warn_array_subscript_range (const_tree, const_tree);
extern void warn_about_parentheses (enum tree_code, enum tree_code,
enum tree_code);
extern void warn_for_unused_label (tree label);
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-26 13:42 ` Simon Baldwin
@ 2008-04-27 14:56 ` Mark Mitchell
2008-04-27 15:05 ` Joseph S. Myers
2008-05-01 19:07 ` Simon Baldwin
0 siblings, 2 replies; 28+ messages in thread
From: Mark Mitchell @ 2008-04-27 14:56 UTC (permalink / raw)
To: Simon Baldwin
Cc: gcc-patches, Richard Guenther, Dirk Mueller, Joseph S. Myers
Simon Baldwin wrote:
> Thanks to a well targeted pointer from Tom Tromey, I've now added the
> extra logic to suppress warnings about "sizeof(a[-1])" in the C and C++
> frontends. Attached is the revised version.
Thanks for following up. I think this is a worthwhile patch.
> +This option performs a subset of checks in unoptimized compilations, and
> +stricter checking when @option{-ftree-vrp} is active
> (default for -O2 and above).
I think "stricter" could be made more explicit. How about something like:
This option detects some cases of out-of-bounds accesses in unoptimized
compilations. More cases are detected when @option{-ftree-vrp} is
enabled. (The @option{-ftree-vrp} option is enabled automatically when
compiling with @option{-O2} or higher optimization options.)
Joseph, do you have any comments on the C changes? Simon, if you do not
hear otherwise from Joseph within 72 hours, this patch is OK.
Thanks,
--
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-27 14:56 ` Mark Mitchell
@ 2008-04-27 15:05 ` Joseph S. Myers
2008-05-01 19:07 ` Simon Baldwin
1 sibling, 0 replies; 28+ messages in thread
From: Joseph S. Myers @ 2008-04-27 15:05 UTC (permalink / raw)
To: Mark Mitchell; +Cc: Simon Baldwin, gcc-patches, Richard Guenther, Dirk Mueller
On Sat, 26 Apr 2008, Mark Mitchell wrote:
> Joseph, do you have any comments on the C changes? Simon, if you do not hear
I have no comments on this patch to add to those other people have already
made on the various versions of it.
--
Joseph S. Myers
joseph@codesourcery.com
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-04-27 14:56 ` Mark Mitchell
2008-04-27 15:05 ` Joseph S. Myers
@ 2008-05-01 19:07 ` Simon Baldwin
2008-05-02 12:51 ` H.J. Lu
1 sibling, 1 reply; 28+ messages in thread
From: Simon Baldwin @ 2008-05-01 19:07 UTC (permalink / raw)
To: Mark Mitchell
Cc: gcc-patches, Richard Guenther, Dirk Mueller, Joseph S. Myers
Thanks all. Committed, with suggested doc/invoke.texi change, as
revision 134865.
Mark Mitchell wrote:
> Simon Baldwin wrote:
>> Thanks to a well targeted pointer from Tom Tromey, I've now added the
>> extra logic to suppress warnings about "sizeof(a[-1])" in the C and
>> C++ frontends. Attached is the revised version.
>
> Thanks for following up. I think this is a worthwhile patch.
>
>> +This option performs a subset of checks in unoptimized compilations,
>> and
>> +stricter checking when @option{-ftree-vrp} is active
>> (default for -O2 and above).
>
> I think "stricter" could be made more explicit. How about something
> like:
>
> This option detects some cases of out-of-bounds accesses in
> unoptimized compilations. More cases are detected when
> @option{-ftree-vrp} is enabled. (The @option{-ftree-vrp} option is
> enabled automatically when compiling with @option{-O2} or higher
> optimization options.)
>
> Joseph, do you have any comments on the C changes? Simon, if you do
> not hear otherwise from Joseph within 72 hours, this patch is OK.
>
> Thanks,
>
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-01 19:07 ` Simon Baldwin
@ 2008-05-02 12:51 ` H.J. Lu
2008-05-02 12:58 ` H.J. Lu
0 siblings, 1 reply; 28+ messages in thread
From: H.J. Lu @ 2008-05-02 12:51 UTC (permalink / raw)
To: Simon Baldwin
Cc: Mark Mitchell, gcc-patches, Richard Guenther, Dirk Mueller,
Joseph S. Myers
Hi Simon,
Your patch breaks gcc bootstrap:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=36108
H.J.
On Thu, May 1, 2008 at 12:07 PM, Simon Baldwin <simonb@google.com> wrote:
> Thanks all. Committed, with suggested doc/invoke.texi change, as revision
> 134865.
>
>
>
>
> Mark Mitchell wrote:
>
> > Simon Baldwin wrote:
> >
> > > Thanks to a well targeted pointer from Tom Tromey, I've now added the
> extra logic to suppress warnings about "sizeof(a[-1])" in the C and C++
> frontends. Attached is the revised version.
> > >
> >
> > Thanks for following up. I think this is a worthwhile patch.
> >
> >
> > > +This option performs a subset of checks in unoptimized compilations,
> and
> > > +stricter checking when @option{-ftree-vrp} is active
> > > (default for -O2 and above).
> > >
> >
> > I think "stricter" could be made more explicit. How about something like:
> >
> > This option detects some cases of out-of-bounds accesses in unoptimized
> compilations. More cases are detected when @option{-ftree-vrp} is enabled.
> (The @option{-ftree-vrp} option is enabled automatically when compiling with
> @option{-O2} or higher optimization options.)
> >
> > Joseph, do you have any comments on the C changes? Simon, if you do not
> hear otherwise from Joseph within 72 hours, this patch is OK.
> >
> > Thanks,
> >
> >
>
>
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 12:51 ` H.J. Lu
@ 2008-05-02 12:58 ` H.J. Lu
2008-05-02 14:06 ` Mark Mitchell
0 siblings, 1 reply; 28+ messages in thread
From: H.J. Lu @ 2008-05-02 12:58 UTC (permalink / raw)
To: Simon Baldwin
Cc: Mark Mitchell, gcc-patches, Richard Guenther, Dirk Mueller,
Joseph S. Myers
Hi Simon,
In http://gcc.gnu.org/ml/gcc-patches/2008-04/msg01945.html, you said
---
A side effect of copying these warnings up into the language frontends is
that warnings are now printed even if the array access is in dead or
inaccessible code.
---
So this behavior is intentional. I don't see how it will be useful. Should
this patch be reverted for now?
Thanks.
H.J.
---
On Fri, May 2, 2008 at 5:50 AM, H.J. Lu <hjl.tools@gmail.com> wrote:
> Hi Simon,
>
> Your patch breaks gcc bootstrap:
>
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=36108
>
>
> H.J.
>
>
> On Thu, May 1, 2008 at 12:07 PM, Simon Baldwin <simonb@google.com> wrote:
> > Thanks all. Committed, with suggested doc/invoke.texi change, as revision
> > 134865.
> >
> >
> >
> >
> > Mark Mitchell wrote:
> >
> > > Simon Baldwin wrote:
> > >
> > > > Thanks to a well targeted pointer from Tom Tromey, I've now added the
> > extra logic to suppress warnings about "sizeof(a[-1])" in the C and C++
> > frontends. Attached is the revised version.
> > > >
> > >
> > > Thanks for following up. I think this is a worthwhile patch.
> > >
> > >
> > > > +This option performs a subset of checks in unoptimized compilations,
> > and
> > > > +stricter checking when @option{-ftree-vrp} is active
> > > > (default for -O2 and above).
> > > >
> > >
> > > I think "stricter" could be made more explicit. How about something like:
> > >
> > > This option detects some cases of out-of-bounds accesses in unoptimized
> > compilations. More cases are detected when @option{-ftree-vrp} is enabled.
> > (The @option{-ftree-vrp} option is enabled automatically when compiling with
> > @option{-O2} or higher optimization options.)
> > >
> > > Joseph, do you have any comments on the C changes? Simon, if you do not
> > hear otherwise from Joseph within 72 hours, this patch is OK.
> > >
> > > Thanks,
> > >
> > >
> >
> >
>
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 12:58 ` H.J. Lu
@ 2008-05-02 14:06 ` Mark Mitchell
2008-05-02 16:04 ` H.J. Lu
0 siblings, 1 reply; 28+ messages in thread
From: Mark Mitchell @ 2008-05-02 14:06 UTC (permalink / raw)
To: H.J. Lu
Cc: Simon Baldwin, gcc-patches, Richard Guenther, Dirk Mueller,
Joseph S. Myers
H.J. Lu wrote:
> A side effect of copying these warnings up into the language frontends is
> that warnings are now printed even if the array access is in dead or
> inaccessible code.
We've had this discussion for years. The arguments are:
1. Users only care about problems that actually affect their build. Let
the optimizers do their thing and warn about problems that are detected
that way. This avoids warning about things in dead code, and it results
in warnings that occur after (say) simplifications from inlining.
2. Users care about problems that might occur when building their code
in some different mode. Users want the same warnings across platforms,
and whether optimizing or not. Thus, we should emit warnings only from
front ends, without trying to avoid dead code, and without doing a lot
of transformation on the code.
GCC has traditionally done (1). I've argued for (2), which is what most
compilers do. Simon's patch makes it do a bit of (2), while still doing
(1). This seems to me like a reasonable compromise; you give up none of
the warnings in (1), but still get many of the benefits of (2).
Obviously, Simon needs to fix the bootstrap issue. But, I don't see a
fundamental problem with the patch -- at least not yet.
--
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 14:06 ` Mark Mitchell
@ 2008-05-02 16:04 ` H.J. Lu
2008-05-02 16:21 ` Simon Baldwin
2008-05-02 16:24 ` Paul Koning
0 siblings, 2 replies; 28+ messages in thread
From: H.J. Lu @ 2008-05-02 16:04 UTC (permalink / raw)
To: Mark Mitchell
Cc: Simon Baldwin, gcc-patches, Richard Guenther, Dirk Mueller,
Joseph S. Myers
On Fri, May 2, 2008 at 7:06 AM, Mark Mitchell <mark@codesourcery.com> wrote:
> H.J. Lu wrote:
>
>
> > A side effect of copying these warnings up into the language frontends is
> > that warnings are now printed even if the array access is in dead or
> > inaccessible code.
> >
>
> We've had this discussion for years. The arguments are:
>
> 1. Users only care about problems that actually affect their build. Let
> the optimizers do their thing and warn about problems that are detected that
> way. This avoids warning about things in dead code, and it results in
> warnings that occur after (say) simplifications from inlining.
>
> 2. Users care about problems that might occur when building their code in
> some different mode. Users want the same warnings across platforms, and
> whether optimizing or not. Thus, we should emit warnings only from front
> ends, without trying to avoid dead code, and without doing a lot of
> transformation on the code.
>
> GCC has traditionally done (1). I've argued for (2), which is what most
> compilers do. Simon's patch makes it do a bit of (2), while still doing
> (1). This seems to me like a reasonable compromise; you give up none of the
> warnings in (1), but still get many of the benefits of (2).
>
> Obviously, Simon needs to fix the bootstrap issue. But, I don't see a
> fundamental problem with the patch -- at least not yet.
>
If it doesn't work on gcc itself, I don' think it will be much useful elsewhere.
I suggest
1. At -O0, the frond-end warning should never be turned into an error
even if -Werror is used since the frond-end doesn't know if the code
will be dead or not.
2, At -O1 and above, the frond-end warning should be queued and
optimizer can remove it from the queue if the code in question turns
out dead.
H.J.
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 16:04 ` H.J. Lu
@ 2008-05-02 16:21 ` Simon Baldwin
2008-05-02 16:35 ` Mark Mitchell
2008-05-02 16:24 ` Paul Koning
1 sibling, 1 reply; 28+ messages in thread
From: Simon Baldwin @ 2008-05-02 16:21 UTC (permalink / raw)
To: H.J. Lu
Cc: Mark Mitchell, gcc-patches, Richard Guenther, Dirk Mueller,
Joseph S. Myers
H.J. Lu wrote:
> On Fri, May 2, 2008 at 7:06 AM, Mark Mitchell <mark@codesourcery.com> wrote:
>
>> H.J. Lu wrote:
>>
>>
>>
>>> A side effect of copying these warnings up into the language frontends is
>>> that warnings are now printed even if the array access is in dead or
>>> inaccessible code.
>>>
>>>
>> We've had this discussion for years. The arguments are:
>>
>> 1. Users only care about problems that actually affect their build. Let
>> the optimizers do their thing and warn about problems that are detected that
>> way. This avoids warning about things in dead code, and it results in
>> warnings that occur after (say) simplifications from inlining.
>>
>> 2. Users care about problems that might occur when building their code in
>> some different mode. Users want the same warnings across platforms, and
>> whether optimizing or not. Thus, we should emit warnings only from front
>> ends, without trying to avoid dead code, and without doing a lot of
>> transformation on the code.
>>
>> GCC has traditionally done (1). I've argued for (2), which is what most
>> compilers do. Simon's patch makes it do a bit of (2), while still doing
>> (1). This seems to me like a reasonable compromise; you give up none of the
>> warnings in (1), but still get many of the benefits of (2).
>>
>> Obviously, Simon needs to fix the bootstrap issue. But, I don't see a
>> fundamental problem with the patch -- at least not yet.
>>
>>
>
> If it doesn't work on gcc itself, I don' think it will be much useful elsewhere.
> I suggest
>
> 1. At -O0, the frond-end warning should never be turned into an error
> even if -Werror is used since the frond-end doesn't know if the code
> will be dead or not.
> 2, At -O1 and above, the frond-end warning should be queued and
> optimizer can remove it from the queue if the code in question turns
> out dead.
>
I think the wisest course for now is to roll back this change until I
have a better understanding of the issues. There's obviously a case
here that's not going be rare overall, and with which the additional
front-end warning cannot cope well in its current form.
I'm putting together the roll back change. It should be done in a short
while.
Thanks all for the comments and feedback here.
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 16:04 ` H.J. Lu
2008-05-02 16:21 ` Simon Baldwin
@ 2008-05-02 16:24 ` Paul Koning
1 sibling, 0 replies; 28+ messages in thread
From: Paul Koning @ 2008-05-02 16:24 UTC (permalink / raw)
To: hjl.tools; +Cc: mark, simonb, gcc-patches, richard.guenther, dmuell, joseph
>>>>> "H" == H J Lu <H.J.> writes:
H> On Fri, May 2, 2008 at 7:06 AM, Mark Mitchell
H> <mark@codesourcery.com> wrote:
>> H.J. Lu wrote:
>>
>>
>> > A side effect of copying these warnings up into the language
>> frontends is > that warnings are now printed even if the array
>> access is in dead or > inaccessible code.
>> >
>>
>> We've had this discussion for years. The arguments are:
>>
>> 1. Users only care about problems that actually affect their
>> build. Let the optimizers do their thing and warn about problems
>> that are detected that way. This avoids warning about things in
>> dead code, and it results in warnings that occur after (say)
>> simplifications from inlining.
>>
>> 2. Users care about problems that might occur when building their
>> code in some different mode. Users want the same warnings across
>> platforms, and whether optimizing or not. Thus, we should emit
>> warnings only from front ends, without trying to avoid dead code,
>> and without doing a lot of transformation on the code.
>>
>> GCC has traditionally done (1). I've argued for (2), which is
>> what most compilers do. Simon's patch makes it do a bit of (2),
>> while still doing (1). This seems to me like a reasonable
>> compromise; you give up none of the warnings in (1), but still get
>> many of the benefits of (2).
>>
>> Obviously, Simon needs to fix the bootstrap issue. But, I don't
>> see a fundamental problem with the patch -- at least not yet.
>>
H> If it doesn't work on gcc itself, I don' think it will be much
H> useful elsewhere. I suggest
H> 1. At -O0, the frond-end warning should never be turned into an
H> error even if -Werror is used since the frond-end doesn't know if
H> the code will be dead or not. 2, At -O1 and above, the frond-end
H> warning should be queued and optimizer can remove it from the
H> queue if the code in question turns out dead.
I don't like this notion at all.
If a bit of code is wrong, I believe it is perfectly reasonable (and
in fact desirable) to call it wrong even if it happens to be
unreachable.
I wouldn't make that a requirement -- it's ok for warnings to come out
of the back end after optimization. But I don't agree with the notion
that warnings about dead code are bad.
Dead code can come alive with very small source code changes. As a
matter of good software engineering, it's helpful for warnings to
appear when the bad code is created. If the warning appears 6 months
later as a side effect of a small change elsewhere, the repair can be
significantly harder.
Also, it seems to me that suppressing warnings as a side effect of
optimization can produce results somewhat like the one we recently
debated at length with CERT. Not quite the same, but somewhat like
it.
In other words, I would support Mark's preference for approach #2, for
the same sort of reasons he gave.
paul
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 16:21 ` Simon Baldwin
@ 2008-05-02 16:35 ` Mark Mitchell
2008-05-02 19:53 ` Andrew Pinski
0 siblings, 1 reply; 28+ messages in thread
From: Mark Mitchell @ 2008-05-02 16:35 UTC (permalink / raw)
To: Simon Baldwin
Cc: H.J. Lu, gcc-patches, Richard Guenther, Dirk Mueller, Joseph S. Myers
Simon Baldwin wrote:
> I think the wisest course for now is to roll back this change until I
> have a better understanding of the issues.
If you want to roll back, that's fine. You can do that without any
further approval.
Thanks,
--
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 16:35 ` Mark Mitchell
@ 2008-05-02 19:53 ` Andrew Pinski
2008-05-02 20:01 ` H.J. Lu
0 siblings, 1 reply; 28+ messages in thread
From: Andrew Pinski @ 2008-05-02 19:53 UTC (permalink / raw)
To: Mark Mitchell
Cc: Simon Baldwin, H.J. Lu, gcc-patches, Richard Guenther,
Dirk Mueller, Joseph S. Myers
On Fri, May 2, 2008 at 9:34 AM, Mark Mitchell <mark@codesourcery.com> wrote:
> Simon Baldwin wrote:
>
>
> > I think the wisest course for now is to roll back this change until I have
> a better understanding of the issues.
> >
>
> If you want to roll back, that's fine. You can do that without any further
> approval.
x86-darwin is also broken with the following warning:
/home/regress/tbox/svn-gcc/gcc/config/i386/i386.c:20877: error: array
subscript is above array bounds
which is a false warning.
We have:
mode0 = insn_data[icode].operand[0].mode;
where insn_data is defined as:
extern const struct insn_data insn_data[];
operand is a pointer so that is not an issue.
Thanks,
Andrew Pinski
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 19:53 ` Andrew Pinski
@ 2008-05-02 20:01 ` H.J. Lu
2008-05-02 20:04 ` Simon Baldwin
0 siblings, 1 reply; 28+ messages in thread
From: H.J. Lu @ 2008-05-02 20:01 UTC (permalink / raw)
To: Andrew Pinski
Cc: Mark Mitchell, Simon Baldwin, gcc-patches, Richard Guenther,
Dirk Mueller, Joseph S. Myers
On Fri, May 2, 2008 at 12:53 PM, Andrew Pinski <pinskia@gmail.com> wrote:
> On Fri, May 2, 2008 at 9:34 AM, Mark Mitchell <mark@codesourcery.com> wrote:
> > Simon Baldwin wrote:
> >
> >
> > > I think the wisest course for now is to roll back this change until I have
> > a better understanding of the issues.
> > >
> >
> > If you want to roll back, that's fine. You can do that without any further
> > approval.
>
> x86-darwin is also broken with the following warning:
> /home/regress/tbox/svn-gcc/gcc/config/i386/i386.c:20877: error: array
>
> subscript is above array bounds
>
> which is a false warning.
> We have:
> mode0 = insn_data[icode].operand[0].mode;
>
> where insn_data is defined as:
> extern const struct insn_data insn_data[];
>
> operand is a pointer so that is not an issue.
>
May I suggest to revert it now and use a branch to implement it
properly before merging it with trunk? I can prepare a patch in half
an hour.
Thanks.
H.J.
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 20:01 ` H.J. Lu
@ 2008-05-02 20:04 ` Simon Baldwin
2008-05-02 20:11 ` H.J. Lu
0 siblings, 1 reply; 28+ messages in thread
From: Simon Baldwin @ 2008-05-02 20:04 UTC (permalink / raw)
To: H.J. Lu
Cc: Andrew Pinski, Mark Mitchell, gcc-patches, Richard Guenther,
Dirk Mueller, Joseph S. Myers
H.J. Lu wrote:
> On Fri, May 2, 2008 at 12:53 PM, Andrew Pinski <pinskia@gmail.com> wrote:
>
>> On Fri, May 2, 2008 at 9:34 AM, Mark Mitchell <mark@codesourcery.com> wrote:
>> > Simon Baldwin wrote:
>> >
>> >
>> > > I think the wisest course for now is to roll back this change until I have
>> > a better understanding of the issues.
>> > >
>> >
>> > If you want to roll back, that's fine. You can do that without any further
>> > approval.
>>
>> x86-darwin is also broken with the following warning:
>> /home/regress/tbox/svn-gcc/gcc/config/i386/i386.c:20877: error: array
>>
>> subscript is above array bounds
>>
>> which is a false warning.
>> We have:
>> mode0 = insn_data[icode].operand[0].mode;
>>
>> where insn_data is defined as:
>> extern const struct insn_data insn_data[];
>>
>> operand is a pointer so that is not an issue.
>>
>>
>
> May I suggest to revert it now and use a branch to implement it
> properly before merging it with trunk? I can prepare a patch in half
> an hour.
>
I've just this minute committed the rollback -- revision 134889.
Testing did not complete as quick as I'd hoped; sorry for the delay.
Thanks. --S
^ permalink raw reply [flat|nested] 28+ messages in thread
* Re: [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends
2008-05-02 20:04 ` Simon Baldwin
@ 2008-05-02 20:11 ` H.J. Lu
0 siblings, 0 replies; 28+ messages in thread
From: H.J. Lu @ 2008-05-02 20:11 UTC (permalink / raw)
To: Simon Baldwin
Cc: Andrew Pinski, Mark Mitchell, gcc-patches, Richard Guenther,
Dirk Mueller, Joseph S. Myers
On Fri, May 2, 2008 at 1:03 PM, Simon Baldwin <simonb@google.com> wrote:
>
> I've just this minute committed the rollback -- revision 134889. Testing
> did not complete as quick as I'd hoped; sorry for the delay.
>
Thanks.
H.J.
^ permalink raw reply [flat|nested] 28+ messages in thread
end of thread, other threads:[~2008-05-02 20:11 UTC | newest]
Thread overview: 28+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-04-04 1:04 [PATCH][RFC] Add a subset of -Warray-bounds warnings to C/C++ front ends Simon Baldwin
2008-04-04 9:59 ` Richard Guenther
2008-04-04 23:50 ` Simon Baldwin
2008-04-05 0:50 ` Andrew Pinski
2008-04-07 22:51 ` Simon Baldwin
2008-04-08 9:43 ` Richard Guenther
2008-04-08 15:39 ` Dirk Mueller
2008-04-08 15:21 ` Dirk Mueller
2008-04-10 18:05 ` Andrew Pinski
2008-04-08 19:42 ` Mark Mitchell
2008-04-11 20:37 ` Simon Baldwin
2008-04-15 19:18 ` Tom Tromey
2008-04-26 13:42 ` Simon Baldwin
2008-04-27 14:56 ` Mark Mitchell
2008-04-27 15:05 ` Joseph S. Myers
2008-05-01 19:07 ` Simon Baldwin
2008-05-02 12:51 ` H.J. Lu
2008-05-02 12:58 ` H.J. Lu
2008-05-02 14:06 ` Mark Mitchell
2008-05-02 16:04 ` H.J. Lu
2008-05-02 16:21 ` Simon Baldwin
2008-05-02 16:35 ` Mark Mitchell
2008-05-02 19:53 ` Andrew Pinski
2008-05-02 20:01 ` H.J. Lu
2008-05-02 20:04 ` Simon Baldwin
2008-05-02 20:11 ` H.J. Lu
2008-05-02 16:24 ` Paul Koning
2008-04-08 16:07 ` Dirk Mueller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).