[Bug sanitizer/105729] False positive UBsan "reference binding to null pointer of type" when evaluating array indexing which throws exception

Fri May 27 09:41:45 GMT 2022

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105729

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:e2f014fcefcd2ad56b31995329820bbd99072eae

commit r13-795-ge2f014fcefcd2ad56b31995329820bbd99072eae
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Fri May 27 11:40:42 2022 +0200

    fold-const: Fix up -fsanitize=null in C++ [PR105729]

    The following testcase triggers a false positive UBSan binding a reference
    to null diagnostics.
    In the FE we instrument conversions from pointer to reference type
    to diagnose at runtime if the operand of such a conversion is 0.
    The problem is that a GENERIC folding folds
    ((const struct Bar *) ((const struct Foo *) this)->data) + (sizetype)
range_check (x)
    conversion to const struct Bar & by converting to that the first
    operand of the POINTER_PLUS_EXPR.  But that changes when the
-fsanitize=null
    binding to reference runtime check occurs.  Without the optimization,
    it is invoked on the result of the POINTER_PLUS_EXPR, and as range_check
    call throws, that means it never triggers in the testcase.
    With the optimization, it checks whether this->data is NULL and it is.

    The following patch avoids that optimization during GENERIC folding when
    -fsanitize=null is enabled and it is a cast from non-REFERENCE_TYPE to
    REFERENCE_TYPE.

    2022-05-27  Jakub Jelinek  <jakub@redhat.com>

            PR sanitizer/105729
            * fold-const.cc (fold_unary_loc): Don't optimize (X &) ((Y *) z +
w)
            to (X &) z + w if -fsanitize=null during GENERIC folding.

            * g++.dg/ubsan/pr105729.C: New test.