We weren't able to find the OBJ_TYPE_REF_OBJECT when walking through the
OBJ_TYPE_REF_EXPR, because the ADDR_EXPR had already been folded away.
Tested x86_64-pc-linux-gnu, applying to trunk.
gcc/cp/ChangeLog:
PR c++/95311
PR c++/95221
* class.c (build_vfn_ref): Don't fold the INDIRECT_REF.
gcc/testsuite/ChangeLog:
PR c++/95311
* g++.dg/ubsan/vptr-16.C: New test.
---
gcc/cp/class.c | 8 ++++++--
gcc/testsuite/g++.dg/ubsan/vptr-16.C | 14 ++++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
create mode 100644 gcc/testsuite/g++.dg/ubsan/vptr-16.C
diff --git a/gcc/cp/class.c b/gcc/cp/class.c
index bab15524a60..ca492cdbd40 100644
--- a/gcc/cp/class.c
+++ b/gcc/cp/class.c
@@ -729,9 +729,13 @@ build_vtbl_ref (tree instance, tree idx)
tree
build_vfn_ref (tree instance_ptr, tree idx)
{
- tree aref;
+ tree obtype = TREE_TYPE (TREE_TYPE (instance_ptr));
- aref = build_vtbl_ref (cp_build_fold_indirect_ref (instance_ptr), idx);
+ /* Leave the INDIRECT_REF unfolded so cp_ubsan_maybe_instrument_member_call
+ can find instance_ptr. */
+ tree ind = build1 (INDIRECT_REF, obtype, instance_ptr);
+
+ tree aref = build_vtbl_ref (ind, idx);
/* When using function descriptors, the address of the
vtable entry is treated as a function pointer. */
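Review bot: The hand-built dereference on the `tree ind = build1 (INDIRECT_REF, obtype, instance_ptr);` line carries none of the flags the front end's own indirect-ref builder derives from the pointee (TREE_READONLY / TREE_THIS_VOLATILE / TREE_SIDE_EFFECTS), so a volatile pointee or a side-effecting `instance_ptr` is presumably no longer reflected on the INDIRECT_REF; worth confirming against cp_build_indirect_ref and either copying that flag setup here or noting why it does not matter for a vtable load. The expression `TREE_TYPE (TREE_TYPE (instance_ptr))` also silently yields the wrong `obtype` if a caller ever passes a reference rather than a pointer; a `gcc_checking_assert (TYPE_PTR_P (TREE_TYPE (instance_ptr)));` would make the assumption explicit. The comment should say what breaks if someone re-folds this, since the failure is a sanitizer check silently not being emitted on a virtual call, e.g. `/* Leave the INDIRECT_REF unfolded: cp_ubsan_maybe_instrument_member_call walks back from the OBJ_TYPE_REF to this dereference to find instance_ptr, and a folded ADDR_EXPR hides it (PR c++/95311).  */`. build_vfn_ref's body continues past the end of the hunk.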
diff --git a/gcc/testsuite/g++.dg/ubsan/vptr-16.C
b/gcc/testsuite/g++.dg/ubsan/vptr-16.C
new file mode 100644
index 00000000000..a3db66e9140
--- /dev/null
+++ b/gcc/testsuite/g++.dg/ubsan/vptr-16.C
@@ -0,0 +1,14 @@
+// PR c++/95311
+// { dg-additional-options -fsanitize=undefined }
+
+class a {
+ virtual long b() const;
+};
+class c : a {
+public:
+ long b() const;
+};
+class d : c {
+ long e();
+};
+long d::e() { b(); return 0; }
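Review bot: The new test only proves that `d::e` compiles under -fsanitize=undefined; if the regression being fixed is dropped vptr instrumentation rather than an ICE (the description says the object could not be found, and I cannot tell from here which symptom resulted), a future regression that again skips the check would pass this test unnoticed, and a missing vptr check is exactly the silent failure a type-confusion detector must not have. Consider pinning the instrumentation with a dump scan, e.g. adding `-fdump-tree-original` to the dg-additional-options line and `// { dg-final { scan-tree-dump "__ubsan_handle_dynamic_type_cache_miss" "original" } }` (confirm the handler name and dump pass match what the vptr instrumentation emits in this tree before relying on it). An explicit `// { dg-do compile }` would also make the intended mode clear, since the directory default is not visible here.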
base-commit: 24663f1f6d709daf8913484914ed01af9f7a480a
--
2.18.1