Re: [PATCH] ubsan: remove bogus check for flexible array members

[Marek Polacek <polacek at redhat dot com>]

On Thu, Feb 26, 2015 at 11:08:04AM +0100, Richard Biener wrote:
> > --- gcc/c-family/c-ubsan.c
> > +++ gcc/c-family/c-ubsan.c
> > @@ -303,8 +303,9 @@ ubsan_instrument_bounds (location_t loc, tree array, tree *index,
> >
> >    /* Detect flexible array members and suchlike.  */
> >    tree base = get_base_address (array);
> > -  if (base && (TREE_CODE (base) == INDIRECT_REF
> > -              || TREE_CODE (base) == MEM_REF))
> > +  if (TREE_CODE (array) == COMPONENT_REF
> 
> Err - this doesn't detect
> 
> int
> main (void)
> {
>   int *t = (int *) __builtin_malloc (sizeof (int) * 10);
>   int (*a)[1] = (int (*)[1])t;
>   (*a)[2] = 1;
> }
> 
> that is a trailing array VLA.
> 
> What I've definitely seen is
> 
> int
> main (void)
> {
>   int *t = (int *) __builtin_malloc (sizeof (int) * 9);
>   int (*a)[3][3] = (int (*)[3][3])t;
>   (*a)[0][9] = 1;
> }
 
I think we should error on those.
With my patch we'd emit the same -fsanitize=bounds runtime errors as clang
does.

> that is, assume that the array dimension with the fast running
> index "wraps" over into the next (hello SPEC CPU 2006!).
 
I think they're invoking UB then.

> > +      && base && (TREE_CODE (base) == INDIRECT_REF
> > +                 || TREE_CODE (base) == MEM_REF))
> >      {
> >        tree next = NULL_TREE;
> >        tree cref = array;
> >
> > I think it is a bug that we're playing games on something that is not
> > an element of a structure.
> 
> Not sure about this.

The comment says that we're trying to detect a flexible array member
there - and those can't be outside struct.  I certainly hadn't anything
else in my mind when I was writing that ;).

	Marek