[Bug tree-optimization/82608] missing -Warray-bounds on an out-of-bounds VLA index

Wed, 10 Jun 2020 10:53:55 -0700 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82608

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |10.1.0, 11.0, 8.4.0, 9.3.0
   Last reconfirmed|2019-11-05 00:00:00         |2020-6-10

--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
GCC 11 issues -Wuninitialized for all accesses but only because the test case
isn't careful enough to initialize the arrays before using them:

$ gcc -O2 -S -Wall -Wextra pr82608.c
pr82608.c: In function ‘idx_negative’:
pr82608.c:18:11: warning: ‘*(<unknown>)[-99]’ is used uninitialized
[-Wuninitialized]
   18 |   return a[-99];             // -Warray-bounds (since GCC 8)
      |          ~^~~~~
pr82608.c: In function ‘idx_cst_too_big’:
pr82608.c:25:11: warning: ‘*(<unknown>)[<unknown>]’ is used uninitialized
[-Wuninitialized]
   25 |   return a[n + 1];           // missing _Warray-bounds
      |          ~^~~~~~~
pr82608.c: In function ‘idx_out_of_type_bounds’:
pr82608.c:31:11: warning: ‘*(<unknown>)[2147483647]’ is used uninitialized
[-Wuninitialized]
   31 |   return a[__INT_MAX__];     // missing -Warray-bounds
      |          ~^~~~~~~~~~~~~
pr82608.c: In function ‘idx_var_too_big’:
pr82608.c:37:11: warning: ‘*(<unknown>)[<unknown>]’ is used uninitialized
[-Wuninitialized]
   37 |   return a[n + 1];           // missing -Warray-bounds
      |          ~^~~~~~~


With -Wno-uninitialized or with the arrays initialized GCC still doesn't detect
all the out-of-bounds accesses:

$ cat pr82608.c && gcc -O2 -S -Wall -Wextra pr82608.c
void sink (void*);

int f (unsigned n)
{
  if (n < 1 || n > 32)
    n = 32;

  char vla[n];
  sink (vla);
  return vla[97];            // missing -Warray-bounds
}
int idx_negative (void)
{ 
  int n = 4;
  char a[n];
  sink (a);
  return a[-99];             // -Warray-bounds (since GCC 8)
}

int idx_cst_too_big (void)
{
  int n = 4;
  char a[n];
  sink (a);
  return a[n + 1];           // missing _Warray-bounds
}

int idx_out_of_type_bounds (unsigned char n)
{
  char a[n];
  sink (a);
  return a[__INT_MAX__];     // missing -Warray-bounds
}

int idx_var_too_big (int n)
{ 
  char a[n];
  sink (a);
  return a[n + 1];           // missing -Warray-bounds
}
pr82608.c: In function ‘idx_negative’:
pr82608.c:17:11: warning: array subscript -99 is below array bounds of
‘char[<U3750> + 1]’ [-Warray-bounds]
   17 |   return a[-99];             // -Warray-bounds (since GCC 8)
      |          ~^~~~~
pr82608.c:15:8: note: while referencing ‘a.16’
   15 |   char a[n];
      |        ^
pr82608.c: In function ‘idx_cst_too_big’:
pr82608.c:25:11: warning: array subscript 5 is above array bounds of
‘char[<U3ea0> + 1]’ [-Warray-bounds]
   25 |   return a[n + 1];           // missing _Warray-bounds
      |          ~^~~~~~~
pr82608.c:23:8: note: while referencing ‘a.18’
   23 |   char a[n];
      |        ^

Reply via email to