https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103292
Bug ID: 103292
Summary: [12 regression] xorg-server-1.20.13 -Werror=array-bounds false positive on unions
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: slyfox at gcc dot gnu.org
Target Milestone: ---

Created attachment 51818
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51818&action=edit
a.c.c.orig

Initially observed build failure on xorg-server-1.20.13. Looks like gcc detects out-of-bounds access on union of structs of different sizes.

Extracted example from unreduced a.c.c.orig (attached):

$ cat a.c.c
typedef long unsigned int size_t;

extern void *malloc (size_t __size)
    __attribute__ ((__nothrow__ , __leaf__))
    __attribute__ ((__malloc__))
    __attribute__ ((__alloc_size__ (1)))
    __attribute__ ((__warn_unused_result__));

struct _PictSolidFill {
        unsigned int type;
        char foo[20];
};

struct _PictHuge {
        unsigned int type;
        char foo[200];
};

union _SourcePict {
        // each union member has a type
        unsigned int type;
        struct _PictSolidFill maybePSF;
        // presence of this field triggers an error
        struct _PictHuge maybeHuge;
};

struct _Picture {
        union _SourcePict* pSourcePict;
};

extern void CreateSolidPicture(struct _Picture* pPicture);

void CreateSolidPicture(struct _Picture* pPicture)
{
        pPicture->pSourcePict = (union _SourcePict*) malloc(sizeof(struct _PictSolidFill));
        pPicture->pSourcePict->type = 0;
}

$ gcc-12.0.0 -Werror=array-bounds -c a.c.c -O2
a.c.c: In function 'CreateSolidPicture':
a.c.c:47:30: error: array subscript 'union _SourcePict[0]' is partly outside array bounds of 'unsigned char[24]' [-Werror=array-bounds]
   47 |         pPicture->pSourcePict->type = 0;
      |                              ^~
a.c.c:46:54: note: object of size 24 allocated by 'malloc'
   46 |         pPicture->pSourcePict = (union _SourcePict*) malloc(sizeof(struct _PictSolidFill));
      |                                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors

$ gcc-12.0.0 -v
Using built-in specs.
COLLECT_GCC=/nix/store/59jdmdy3ylrpmap1bjxic1fjaq8wf96s-gcc-12.0.0/bin/gcc
COLLECT_LTO_WRAPPER=/nix/store/59jdmdy3ylrpmap1bjxic1fjaq8wf96s-gcc-12.0.0/libexec/gcc/x86_64-unknown-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with:
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 12.0.0 20211114 (experimental) (GCC)
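
The diagnostic quoted in the report names the type used for the access ('union _SourcePict[0]') and the 24 bytes returned by malloc. The following is an added example, not code from the report, from xorg-server or from GCC: two ways to write the allocation so that the type used for the store fits inside the allocated object. The function names and the PictType helper are hypothetical, and that either variant avoids the diagnostic on a given GCC version is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>

/* Same layout as the reduced test case in the report. */
struct _PictSolidFill { unsigned int type; char foo[20]; };
struct _PictHuge      { unsigned int type; char foo[200]; };

union _SourcePict {
    unsigned int type;
    struct _PictSolidFill maybePSF;
    struct _PictHuge maybeHuge;
};

struct _Picture { union _SourcePict *pSourcePict; };

/* Variant A (hypothetical name): allocate the whole union, so a store
   through 'union _SourcePict *' lies inside the allocated object.
   Costs sizeof(union) bytes even for the small member. */
int CreateSolidPictureFullUnion(struct _Picture *pPicture)
{
    union _SourcePict *sp = malloc(sizeof *sp);
    if (!sp)
        return -1;
    sp->type = 0;
    pPicture->pSourcePict = sp;
    return 0;
}

/* Variant B (hypothetical name): keep the small allocation, but do the
   store through the type that was actually allocated and convert the
   pointer only when publishing it. */
int CreateSolidPictureMemberSized(struct _Picture *pPicture)
{
    struct _PictSolidFill *psf = malloc(sizeof *psf);
    if (!psf)
        return -1;
    psf->type = 0;
    pPicture->pSourcePict = (union _SourcePict *) psf;
    return 0;
}

/* Hypothetical helper: read the tag without forming an lvalue of the
   union type; every member begins with 'unsigned int type'. */
unsigned int PictType(const struct _Picture *pPicture)
{
    return *(const unsigned int *) pPicture->pSourcePict;
}
```

With variant B, any later code that dereferences the stored pointer as the full union still touches an object smaller than the union, so readers of a small variant should go through the member type as PictType does.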