[Bug sanitizer/105729] False positive UBsan "reference binding to null pointer of type" when evaluating array indexing which throws exception
cvs-commit at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Mon Jun 20 06:37:38 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105729
--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-11 branch has been updated by Jakub Jelinek
<jakub@gcc.gnu.org>:
https://gcc.gnu.org/g:e396f501f8a33439dee3ee5eef5b1d3a928852d9
commit r11-10079-ge396f501f8a33439dee3ee5eef5b1d3a928852d9
Author: Jakub Jelinek <jakub@redhat.com>
Date: Fri May 27 11:40:42 2022 +0200
fold-const: Fix up -fsanitize=null in C++ [PR105729]
The following testcase triggers a false positive UBSan binding a reference
to null diagnostics.
In the FE we instrument conversions from pointer to reference type
to diagnose at runtime if the operand of such a conversion is 0.
The problem is that a GENERIC folding folds
((const struct Bar *) ((const struct Foo *) this)->data) + (sizetype)
range_check (x)
conversion to const struct Bar & by converting to that the first
operand of the POINTER_PLUS_EXPR. But that changes when the
-fsanitize=null
binding to reference runtime check occurs. Without the optimization,
it is invoked on the result of the POINTER_PLUS_EXPR, and as range_check
call throws, that means it never triggers in the testcase.
With the optimization, it checks whether this->data is NULL and it is.
The following patch avoids that optimization during GENERIC folding when
-fsanitize=null is enabled and it is a cast from non-REFERENCE_TYPE to
REFERENCE_TYPE.
2022-05-27 Jakub Jelinek <jakub@redhat.com>
PR sanitizer/105729
* fold-const.c (fold_unary_loc): Don't optimize (X &) ((Y *) z + w)
to (X &) z + w if -fsanitize=null during GENERIC folding.
* g++.dg/ubsan/pr105729.C: New test.
(cherry picked from commit e2f014fcefcd2ad56b31995329820bbd99072eae)
More information about the Gcc-bugs
mailing list