https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116984
--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Kees Cook from comment #4)
> (In reply to Andrew Pinski from comment #1)
> > I don't think so since &p->array[negative] is undefined behavior even inside
> > a dynamic boz.
>
> Without counted_by, that is true. With counted_by all out of bounds
> calculations are defined to result in a 0 bdos.

Ugh, why? counted_by is just another way to get the initial whole object dynamic size (similarly to fixed size automatic/static vars, malloc etc., alloca, VLA definitions, whatever else provides the size of the whole object). The rest is __builtin_dynamic_object_size dynamic tracking from that size through pointer arithmetic etc. And that doesn't change depending on what the whole size has been computed with.
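The following C sketch is an added example, not code from the bug report or from GCC. It queries the remaining size after in-bounds pointer arithmetic for three of the whole-object size sources named in the comment (fixed-size automatic array, VLA, malloc). The function names and the `BDOS` macro are hypothetical, and it exercises neither counted_by nor a negative index.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Mode 0 answer when the compiler cannot determine a size (e.g. at -O0). */
#define BDOS_UNKNOWN ((size_t)-1)

/* Hypothetical wrapper: use the dynamic builtin where the compiler has it. */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define BDOS(p) __builtin_dynamic_object_size((p), 0)
# endif
#endif
#ifndef BDOS
# define BDOS(p) __builtin_object_size((p), 0) /* static estimate only */
#endif

/* Whole object size comes from a fixed-size automatic array. */
size_t left_in_fixed(size_t off) {
    char buf[64];
    buf[0] = 0;
    return BDOS(buf + off);
}

/* Whole object size comes from a VLA definition. */
size_t left_in_vla(size_t n, size_t off) {
    char buf[n];
    buf[0] = 0;
    return BDOS(buf + off);
}

/* Whole object size comes from malloc's size argument. */
size_t left_in_malloc(size_t n, size_t off) {
    char *p = malloc(n);
    if (!p)
        return BDOS_UNKNOWN;
    size_t left = BDOS(p + off);
    free(p);
    return left;
}

int main(void) {
    /* Mode 0 is an upper bound: each value is the exact remainder
       (whole size minus offset) or a larger estimate up to BDOS_UNKNOWN. */
    printf("fixed : %zu\n", left_in_fixed(16));
    printf("vla   : %zu\n", left_in_vla(100, 40));
    printf("malloc: %zu\n", left_in_malloc(100, 40));
    return 0;
}
```

The printed values depend on the compiler and optimization level; without optimization the builtin commonly reports the unknown value for all three.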