https://gcc.gnu.org/bugzilla/show_bug.cgi?id=125604
--- Comment #5 from GCC Commits <cvs-commit at gcc dot gnu.org> --- The master branch has been updated by Martin Uecker <[email protected]>: https://gcc.gnu.org/g:1184375b0c7158b7a739489915724c08532d7b17 commit r17-1711-g1184375b0c7158b7a739489915724c08532d7b17 Author: Kees Cook <[email protected]> Date: Thu Jun 18 12:56:51 2026 -0700 c: handle .ACCESS_WITH_SIZE in build_unary_op for !/+/- [PR125604] PR123569 fixed wrong code with the counted_by attribute on a pointer member by suppressing creation of the .ACCESS_WITH_SIZE wrapper in the parser's pre/post-increment paths, and added a checking assertion in build_unary_op to ensure no .ACCESS_WITH_SIZE call reaches it. The other rvalue-consuming unary operators (!, -, +) still rvalue-convert their operand via convert_lvalue_to_rvalue, which produces the .ACCESS_WITH_SIZE wrapper as before. They then reach parser_build_unary_op then build_unary_op carrying the wrapper and trip the assertion. A minimal reproducer: struct s { int n; char *p __attribute__((__counted_by__(n))); }; int f (struct s *o) { return !o->p; } Unwrap the .ACCESS_WITH_SIZE call at the top of build_unary_op via get_ref_from_access_with_size. These unary operators consume the pointer rvalue rather than the pointed-to data, so the bounds-checking wrapper is not load-bearing here. The assertion is retained: after the unwrap it documents the post-condition the rest of the function relies on. PR c/125604 gcc/c/ChangeLog: * c-typeck.cc (build_unary_op): Unwrap .ACCESS_WITH_SIZE from the operand before further processing. gcc/testsuite/ChangeLog: * gcc.dg/counted-by-unary.c: New test.
