This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug sanitizer/81601] New: incorrect Warray-bounds warning with -fsanitize


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81601

            Bug ID: 81601
           Summary: incorrect Warray-bounds warning with -fsanitize
           Product: gcc
           Version: 7.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: arnd at linaro dot org
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 41856
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=41856&action=edit
reduced version of linux/net/ipv4/tcp_output.c

Compiling the Linux kernel with gcc-7.1.1 and ubsan, I get this warning:

net/ipv4/tcp_output.c: In function 'tcp_connect':
net/ipv4/tcp_output.c:2207:40: error: array subscript is below array bounds
[-Werror=array-bounds]
   tp->chrono_stat[tp->chrono_type - 1] += now - tp->chrono_start;
                                        ^~
net/ipv4/tcp_output.c:2207:40: error: array subscript is below array bounds
[-Werror=array-bounds]
   tp->chrono_stat[tp->chrono_type - 1] += now - tp->chrono_start;
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~

I have manually reduced the file to the attached version (this can be reduced
further; I decided to leave a little more context for clarity).

The warning is an array dereference after a range check:

        if (tp->chrono_type > TCP_CHRONO_UNSPEC)
                tp->chrono_stat[tp->chrono_type - 1] += now - tp->chrono_start;

so it clearly cannot be below the bounds.

In the original version, this happens specifically when at least one of
-fsanitize=object-size, -fsanitize=alignment, or -fsanitize=null is set in
addition to "-O2 -Wall", but not when all three are disabled. In the reduced
version, I can also reproduce it with "-Os -Wall" (without ubsan).

I also see the problem with gcc-7.0.1 on all architectures I tried (arm, arm64
and x86), but not with gcc-6.3.1.
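As an added example (not code from the report or its attachment), a stand-alone C model of the guarded update from the report; the struct layout and the enum members other than TCP_CHRONO_UNSPEC are assumptions modelled on the kernel, and the loop confirms that every value the range check admits indexes inside chrono_stat[], which is why the array-bounds diagnostic is a false positive.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the enum and struct the report refers to. Only
 * TCP_CHRONO_UNSPEC is named in the report; the other members and the
 * array size are assumptions that mirror the kernel's layout. */
enum tcp_chrono {
    TCP_CHRONO_UNSPEC,            /* 0: no chrono running, no stat slot */
    TCP_CHRONO_BUSY,              /* assumed remaining states */
    TCP_CHRONO_RWND_LIMITED,
    TCP_CHRONO_SNDBUF_LIMITED,
    __TCP_CHRONO_MAX
};

struct tcp_sock_model {
    enum tcp_chrono chrono_type;
    unsigned int chrono_start;
    unsigned int chrono_stat[__TCP_CHRONO_MAX - 1];  /* no slot for UNSPEC */
};

/* The guarded update from the report. Returns the slot written, or -1 when
 * the range check skipped the write. Inside the branch chrono_type is at
 * least 1, so chrono_type - 1 is in [0, __TCP_CHRONO_MAX - 2]. */
int chrono_stop_model(struct tcp_sock_model *tp, unsigned int now)
{
    if (tp->chrono_type > TCP_CHRONO_UNSPEC) {
        int slot = (int)tp->chrono_type - 1;
        tp->chrono_stat[slot] += now - tp->chrono_start;
        return slot;
    }
    return -1;
}

/* Drive every enum value through the guard and check that each admitted
 * index lands inside chrono_stat[] and that UNSPEC is skipped. Returns 1
 * when the guard is sufficient, 0 if any value escapes the bounds. */
int all_slots_in_bounds(void)
{
    size_t nslots = __TCP_CHRONO_MAX - 1;
    for (enum tcp_chrono t = TCP_CHRONO_UNSPEC; t < __TCP_CHRONO_MAX; t++) {
        struct tcp_sock_model tp = { .chrono_type = t, .chrono_start = 10 };
        int slot = chrono_stop_model(&tp, 25);
        if (t == TCP_CHRONO_UNSPEC) {
            if (slot != -1) return 0;
        } else if (slot < 0 || (size_t)slot >= nslots || tp.chrono_stat[slot] != 15) {
            return 0;
        }
    }
    return 1;
}
```

The check is a runtime property, so it shows the index range the guard establishes rather than changing what GCC 7 reports at compile time.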
