On Thu, Feb 26, 2015 at 11:08:04AM +0100, Richard Biener wrote:
> > --- gcc/c-family/c-ubsan.c
> > +++ gcc/c-family/c-ubsan.c
> > @@ -303,8 +303,9 @@ ubsan_instrument_bounds (location_t loc, tree array, 
> > tree *index,
> >
> >    /* Detect flexible array members and suchlike.  */
> >    tree base = get_base_address (array);
> > -  if (base && (TREE_CODE (base) == INDIRECT_REF
> > -              || TREE_CODE (base) == MEM_REF))
> > +  if (TREE_CODE (array) == COMPONENT_REF
> 
> Err - this doesn't detect
> 
> int
> main (void)
> {
>   int *t = (int *) __builtin_malloc (sizeof (int) * 10);
>   int (*a)[1] = (int (*)[1])t;
>   /* Index 2 is outside int[1], though still inside the 10-int allocation.  */
>   (*a)[2] = 1;
> }
> 
> that is a trailing array VLA.
> 
> What I've definitely seen is
> 
> int
> main (void)
> {
>   int *t = (int *) __builtin_malloc (sizeof (int) * 9);
>   int (*a)[3][3] = (int (*)[3][3])t;
>   /* Index 9 is outside the inner int[3]; it "wraps" over the rows of the 9-int block.  */
>   (*a)[0][9] = 1;
> }
 
I think we should error on those.
With my patch we'd emit the same -fsanitize=bounds runtime errors as clang
does.

> that is, assume that the array dimension with the fast running
> index "wraps" over into the next (hello SPEC CPU 2006!).
 
I think they're invoking UB then.

> > +      && base && (TREE_CODE (base) == INDIRECT_REF
> > +                 || TREE_CODE (base) == MEM_REF))
> >      {
> >        tree next = NULL_TREE;
> >        tree cref = array;
> >
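Review bot: the comment `/* Detect flexible array members and suchlike.  */` above the condition no longer matches the narrowed check: with `TREE_CODE (array) == COMPONENT_REF` added, only struct members are exempt, and a dereference of a pointer to an array such as `(*a)[2]` in the example above is now instrumented. Update the comment to say the exemption is limited to struct members, and add a testcase for the pointer-to-array case so the new -fsanitize=bounds runtime error is covered by the testsuite. Minor: `get_base_address (array)` is still called before the COMPONENT_REF test, so `base` is computed even when it cannot be used; testing the tree code first would avoid that.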
> > I think it is a bug that we're playing games on something that is not
> > an element of a structure.
> 
> Not sure about this.

The comment says that we're trying to detect a flexible array member
there - and those can't be outside struct.  I certainly hadn't anything
else in my mind when I was writing that ;).

        Marek
