https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

            Bug ID: 103215
           Summary: [12 regression] gcc generates unexpected warnings on
                    libx11-1.7.2: error: array subscript -2 is outside
                    array bounds of
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
  Target Milestone: ---

Upstream code:
https://gitlab.freedesktop.org/xorg/lib/libx11/-/blob/6d1dc1f6169ebf0ba71785d461bd98129c65c862/src/RdBitF.c#L156

Self-contained example:

    // $ cat bug.c
    #include <string.h>
    int extract(char*);
    int XReadBitmapFileData (void) {
        char name_and_type[255];
        for (;;) {
            extract (name_and_type);
            char * type = strrchr (name_and_type, '_');
            if (type) type++; else type = name_and_type;
            if (strcmp ("hot", type) == 0) {
            if (type-- == name_and_type || type-- == name_and_type) continue;
            if (strcmp ("ax_hot", type) == 0) return 1;
        }
      }
      return -1;
    }


Good:
    $ gcc-11.2.0 -Wall -Werror=array-bounds -fno-strict-aliasing -O2 -c bug.c -o bug.o

Bad:
    $ gcc-12.0.0 -Wall -Werror=array-bounds -fno-strict-aliasing -O2 -c bug.c -o bug.o
    bug.c: In function 'XReadBitmapFileData':
    bug.c:10:48: error: array subscript -2 is outside array bounds of 'char[9223372036854775807]' [-Werror=array-bounds]
       10 |             if (type-- == name_and_type || type-- == name_and_type) continue;
          |                                            ~~~~^~
    bug.c:4:14: note: at offset [0, 253] into object 'name_and_type' of size 255
        4 |         char name_and_type[255];
          |              ^~~~~~~~~~~~~
    cc1: some warnings being treated as errors

Does double post-increment `if (type-- == name_and_type || type-- == name_and_type)` have defined behaviour?

I think the error message is at least incorrectly worded. I don't think there is an out-of-bounds access.

$ LANG=C ./result-2/bin/gcc -v
Using built-in specs.
COLLECT_GCC=/nix/store/w588w2rqb5zrs6d09q3rmqpf7m9259y1-gcc-12.0.0/bin/gcc
COLLECT_LTO_WRAPPER=/nix/store/w588w2rqb5zrs6d09q3rmqpf7m9259y1-gcc-12.0.0/libexec/gcc/x86_64-unknown-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 12.0.0 20211107 (experimental) (GCC)
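For comparison, an index-based rewrite of the walk-back in the reproducer above (an added example, not libx11's or the reporter's code; `hot_suffix` is a hypothetical name). It checks the offset of `type` before stepping back, so it never computes a pointer before the start of `name_and_type` the way `type--` does in the `continue` cases, and the same bounds analysis has nothing to flag:

```c
#include <stddef.h>
#include <string.h>

/* Locate the "?_hot" suffix of a bitmap variable name.
 *
 * Returns a pointer two characters before the trailing "hot" token
 * (i.e. at the character preceding its '_'), or NULL when the last
 * token is not "hot" or there is no room for a "?_" prefix in front of
 * it. The two NULL cases for a short name correspond to the two
 * `continue` branches of the original `type-- == name_and_type` test. */
const char *hot_suffix(const char *name_and_type)
{
    const char *type = strrchr(name_and_type, '_');
    type = type ? type + 1 : name_and_type;

    if (strcmp("hot", type) != 0)
        return NULL;                    /* not a hot-spot entry at all */

    /* `type` is inside the string, so this difference is well defined. */
    size_t pos = (size_t)(type - name_and_type);

    /* pos == 0: "hot" with nothing before it; pos == 1: "_hot" only.
     * Decide before moving the pointer instead of moving and then
     * comparing, so no out-of-object pointer is ever formed. */
    if (pos < 2)
        return NULL;

    return name_and_type + pos - 2;     /* still within the array */
}
```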
