| blob | 352d0745178f97502723469746322f548bef5407 |
1 /* Array bounds checking.
2 Copyright (C) 2005-2020 Free Software Foundation, Inc.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3, or (at your option)
9 any later version.
11 GCC is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
40 // This purposely returns a value_range, not a value_range_equiv, to
41 // break the dependency on equivalences for this pass.
45 {
47 }
49 /* Checks one ARRAY_REF in REF, located at LOCUS. Ignores flexible
50 arrays and "struct" hacks. If VRP can determine that the array
51 subscript is a constant, check if it is outside valid range. If
52 the array subscript is a RANGE, warn if it is non-overlapping with
53 valid range. IGNORE_OFF_BY_ONE is true if the ARRAY_REF is inside
54 a ADDR_EXPR. Returns true if a warning has been issued. */
56 bool
59 {
67 /* Referenced decl if one can be determined. */
70 /* Set for accesses to interior zero-length arrays. */
73 tree up_bound_p1;
79 {
80 /* Accesses to trailing arrays via pointers may access storage
81 beyond the types array bounds. For such arrays, or for flexible
82 array members, as well as for other arrays of an unknown size,
83 replace the upper bound with a more permissive one that assumes
84 the size of the largest object is PTRDIFF_MAX. */
89 {
92 }
93 else
94 {
101 {
102 /* Try to determine the size of the trailing array from
103 its initializer (if it has one). */
107 }
110 {
111 /* Try to determine the size of the base object. Avoid
112 COMPONENT_REF already tried above. Using its DECL_SIZE
113 size wouldn't necessarily be correct if the reference is
114 to its flexible array member initialized in a different
115 translation unit. */
116 poly_int64 off;
118 {
122 {
125 }
130 off));
131 }
132 }
133 else
141 else
143 }
144 }
145 else
155 /* Empty array. */
163 {
166 {
169 }
170 }
175 {
178 && (ignore_off_by_one
184 "array subscript [%E, %E] is outside "
187 }
190 && (ignore_off_by_one
212 {
214 {
218 }
224 {
225 /* For a reference to a member of a struct object also mention
226 the object if it's known. It may be defined in a different
227 function than the out-of-bounds access. */
232 }
240 }
243 }
245 /* Checks one MEM_REF in REF, located at LOCATION, for out-of-bounds
246 references to string constants. If VRP can determine that the array
247 subscript is a constant, check if it is outside valid range.
248 If the array subscript is a RANGE, warn if it is non-overlapping
249 with valid range.
250 IGNORE_OFF_BY_ONE is true if the MEM_REF is inside an ADDR_EXPR
251 (used to allow one-past-the-end indices for code that takes
252 the address of the just-past-the-end element of an array).
253 Returns true if a warning has been issued. */
255 bool
258 {
263 /* The constant and variable offset of the reference. */
269 /* The array or string constant bounds in bytes. Initially set
270 to [-MAXOBJSIZE - 1, MAXOBJSIZE] until a tighter bound is
271 determined. */
274 /* The minimum and maximum intermediate offset. For a reference
275 to be valid, not only does the final offset/subscript must be
276 in bounds but all intermediate offsets should be as well.
277 GCC may be able to deal gracefully with such out-of-bounds
278 offsets so the checking is only enbaled at -Warray-bounds=2
279 where it may help detect bugs in uses of the intermediate
280 offsets that could otherwise not be detectable. */
284 /* The range of the byte offset into the reference. */
289 /* Determine the offsets and increment OFFRANGE for the bounds of each.
290 The loop computes the range of the final offset for expressions such
291 as (A + i0 + ... + iN)[CSTOFF] where i0 through iN are SSA_NAMEs in
292 some range. */
295 {
302 {
305 }
307 {
310 }
311 else
314 /* VAROFF should always be a SSA_NAME here (and not even
315 INTEGER_CST) but there's no point in taking chances. */
327 {
328 offset_int min
330 offset_int max
333 {
336 }
337 else
338 {
339 /* When MIN >= MAX, the offset is effectively in a union
340 of two ranges: [-MAXOBJSIZE -1, MAX] and [MIN, MAXOBJSIZE].
341 Since there is no way to represent such a range across
342 additions, conservatively add [-MAXOBJSIZE -1, MAXOBJSIZE]
343 to OFFRANGE. */
346 }
347 }
348 else
349 {
350 /* For an anti-range, analogously to the above, conservatively
351 add [-MAXOBJSIZE -1, MAXOBJSIZE] to OFFRANGE. */
354 }
356 /* Keep track of the minimum and maximum offset. */
367 }
370 {
376 }
377 else
380 /* The type of the object being referred to. It can be an array,
381 string literal, or a non-array type when the MEM_REF represents
382 a reference/subscript via a pointer to an object that is not
383 an element of an array. Incomplete types are excluded as well
384 because their size is not known. */
391 /* Except in declared objects, references to trailing array members
392 of structs and union objects are excluded because MEM_REF doesn't
393 make it possible to identify the member where the reference
394 originated. */
402 offset_int eltsize;
404 {
407 {
410 {
415 }
418 else
421 }
422 else
425 /* Determine a tighter bound of the non-array element type. */
430 }
431 else
432 {
441 }
446 /* Compute the more permissive upper bound when IGNORE_OFF_BY_ONE
447 is set (when taking the address of the one-past-last element
448 of an array) but always use the stricter bound in diagnostics. */
456 {
457 /* Treat a reference to a non-array object as one to an array
458 of a single element. */
462 /* Extract the element type out of MEM_REF and use its size
463 to compute the index to print in the diagnostic; arrays
464 in MEM_REF don't mean anything. A type with no size like
465 void is as good as having a size of 1. */
470 {
473 }
478 "array subscript %wi is outside array bounds "
481 else
483 "array subscript [%wi, %wi] is outside "
493 }
498 /* At level 2 check also intermediate offsets. */
501 {
505 "intermediate array offset %wi is outside array bounds "
507 {
510 }
511 }
514 }
516 /* Searches if the expr T, located at LOCATION computes
517 address of an ARRAY_REF, and call check_array_ref on it. */
519 void
521 {
522 /* Check each ARRAY_REF and MEM_REF in the reference chain. */
523 do
524 {
535 }
555 || !up_bound
557 || !el_sz
561 offset_int idx;
568 {
570 {
574 }
576 "array subscript %wi is below "
579 }
582 {
584 {
588 }
590 "array subscript %wu is above "
593 }
596 {
601 }
602 }
604 /* Callback for walk_tree to check a tree for out of bounds array
605 accesses. The array_bounds_checker class is passed in DATA. */
607 tree
610 {
613 location_t location;
617 else
631 {
634 }
635 /* Propagate the no-warning bit to the outer expression. */
640 }
642 /* A dom_walker subclass for use by check_all_array_refs, to walk over
643 all statements of all reachable BBs and call check_array_bounds on
644 them. */
647 {
651 /* Discover non-executable edges, preserving EDGE_EXECUTABLE
652 flags, so that we can merge in information on
653 non-executable edges from vrp_folder . */
654 REACHABLE_BLOCKS_PRESERVING_FLAGS),
662 };
664 /* Implementation of dom_walker::before_dom_children.
666 Walk over all statements of BB and call check_array_bounds on them,
667 and determine if there's a unique successor edge. */
669 edge
671 {
672 gimple_stmt_iterator si;
674 {
686 }
688 /* Determine if there's a unique successor edge, and if so, return
689 that back to dom_walker, ensuring that we don't visit blocks that
690 became unreachable during the VRP propagation
691 (PR tree-optimization/83312). */
693 }
695 void
697 {
700 }