| blob | eae49ab3910ad57288d772e63af10fd610527a84 |
1 /* Array bounds checking.
2 Copyright (C) 2005-2022 Free Software Foundation, Inc.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3, or (at your option)
9 any later version.
11 GCC is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
45 {
46 /* No-op. */
47 }
51 {
53 }
55 /* Try to determine the DECL that REF refers to. Return the DECL or
56 the expression closest to it. Used in informational notes pointing
57 to referenced objects or function parameters. */
59 static tree
61 {
72 do
73 {
76 {
79 }
92 }
94 /* Return the constant byte size of the object or type referenced by
95 the MEM_REF ARG. On success, set *PREF to the DECL or expression
96 ARG refers to. Otherwise return null. */
98 static tree
100 {
119 }
121 /* Return true if REF is (likely) an ARRAY_REF to a trailing array member
122 of a struct. It refines array_ref_flexible_size_p by detecting a pointer
123 to an array and an array parameter declared using the [N] syntax (as
124 opposed to a pointer) and returning false. Set *PREF to the decl or
125 expression REF refers to. */
127 static bool
129 {
136 {
140 {
141 /* A multidimensional trailing array is not considered special
142 no matter what its major bound is. */
146 }
147 }
148 else
154 {
158 }
161 }
163 /* Checks one ARRAY_REF in REF, located at LOCUS. Ignores flexible
164 arrays and "struct" hacks. If VRP can determine that the array
165 subscript is a constant, check if it is outside valid range. If
166 the array subscript is a RANGE, warn if it is non-overlapping with
167 valid range. IGNORE_OFF_BY_ONE is true if the ARRAY_REF is inside
168 a ADDR_EXPR. Return true if a warning has been issued or if
169 no-warning is set. */
171 bool
174 {
176 /* Return true to have the caller prevent warnings for enclosing
177 refs. */
184 /* Referenced decl if one can be determined. */
187 /* Set for accesses to interior zero-length arrays. */
188 special_array_member sam{ };
190 tree up_bound_p1;
195 {
196 /* Accesses to trailing arrays via pointers may access storage
197 beyond the types array bounds. For such arrays, or for flexible
198 array members, as well as for other arrays of an unknown size,
199 replace the upper bound with a more permissive one that assumes
200 the size of the largest object is PTRDIFF_MAX. */
205 {
208 }
209 else
210 {
217 {
218 /* Try to determine the size of the trailing array from
219 its initializer (if it has one). */
223 }
226 {
227 /* Try to determine the size of the base object. Avoid
228 COMPONENT_REF already tried above. Using its DECL_SIZE
229 size wouldn't necessarily be correct if the reference is
230 to its flexible array member initialized in a different
231 translation unit. */
232 poly_int64 off;
234 {
236 {
237 /* Try to determine the size from a pointer to
238 an array if BASE is one. */
241 }
245 {
248 }
253 off));
254 }
255 }
256 else
264 else
266 }
267 }
268 else
278 /* Empty array. */
286 {
289 {
292 }
293 }
298 {
301 && (ignore_off_by_one
307 "array subscript [%E, %E] is outside "
310 }
313 && (ignore_off_by_one
335 {
337 {
341 }
343 /* Avoid more warnings when checking more significant subscripts
344 of the same expression. */
353 {
354 /* For a reference to a member of a struct object also mention
355 the object if it's known. It may be defined in a different
356 function than the out-of-bounds access. */
361 }
367 }
370 }
372 /* Checks one MEM_REF in REF, located at LOCATION, for out-of-bounds
373 references to string constants. If VRP can determine that the array
374 subscript is a constant, check if it is outside valid range.
375 If the array subscript is a RANGE, warn if it is non-overlapping
376 with valid range.
377 IGNORE_OFF_BY_ONE is true if the MEM_REF is inside an ADDR_EXPR
378 (used to allow one-past-the-end indices for code that takes
379 the address of the just-past-the-end element of an array).
380 Returns true if a warning has been issued. */
382 bool
385 {
389 /* The statement used to allocate the array or null. */
391 /* For an allocation statement, the low bound of the size range. */
393 /* The type and size of the access. */
400 access_ref aref;
408 {
411 {
412 /* Save the allocation call and the low bound on the size. */
415 }
416 }
418 /* The range of the byte offset into the reference. Adjusted below. */
421 /* The type of the referenced object. */
423 /* The size of the referenced array element. */
429 /* Restore the original (pointer) type and avoid trying to create
430 an array of functions (done below). */
432 else
433 {
434 /* The byte size of the array has already been determined above
435 based on a pointer ARG. Set ELTSIZE to the size of the type
436 it points to and REFTYPE to the array with the size, rounded
437 down as necessary. */
446 }
448 /* Compute the more permissive upper bound when IGNORE_OFF_BY_ONE
449 is set (when taking the address of the one-past-last element
450 of an array) but always use the stricter bound in diagnostics. */
455 /* Set if the lower bound of the subscript is out of bounds. */
459 /* Set if only the upper bound of the subscript is out of bounds.
460 This can happen when using a bigger type to index into an array
461 of a smaller type, as is common with unsigned char. */
464 {
465 /* Treat a reference to a non-array object as one to an array
466 of a single element. */
470 /* Extract the element type out of MEM_REF and use its size
471 to compute the index to print in the diagnostic; arrays
472 in MEM_REF don't mean anything. A type with no size like
473 void is as good as having a size of 1. */
476 {
479 }
480 }
484 {
487 "array subscript %wi is outside array bounds "
490 else
492 "array subscript [%wi, %wi] is outside "
496 }
498 {
501 /* If the memory was dynamically allocated refer to it as if
502 it were an untyped array of bytes. */
507 "array subscript %<%T[%wi]%> is partly "
510 }
513 {
514 /* TODO: Determine the access from the statement and use it. */
518 }
523 /* At level 2 check also intermediate offsets. */
526 {
530 "intermediate array offset %wi is outside array bounds "
532 {
535 }
536 }
539 }
541 /* Searches if the expr T, located at LOCATION computes
542 address of an ARRAY_REF, and call check_array_ref on it. */
544 void
547 {
548 /* For the most significant subscript only, accept taking the address
549 of the just-past-the-end element. */
552 /* Check each ARRAY_REF and MEM_REF in the reference chain. */
553 do
554 {
557 {
560 }
568 }
588 || !up_bound
590 || !el_sz
594 offset_int idx;
601 {
603 {
607 }
609 "array subscript %wi is below "
612 }
615 {
617 {
621 }
623 "array subscript %wu is above "
626 }
629 {
634 }
635 }
637 /* Return true if T is a reference to a member of a base class that's within
638 the bounds of the enclosing complete object. The function "hacks" around
639 problems discussed in pr98266 and pr97595. */
641 static bool
643 {
651 /* Consider the access if its type is a derived class. */
657 /* Compute the size of the referenced object (it could be dynamically
658 allocated). */
665 /* Compute the byte offset of the member within its enclosing class. */
671 /* Compute the byte offset of the member with the outermost complete
672 object by adding its offset computed above to the MEM_REF offset. */
675 /* Return false if the member offset is greater or equal to the size
676 of the complete object. */
684 /* Return true if the offset just past the end of the member is less
685 than or equal to the size of the complete object. */
688 }
690 /* Callback for walk_tree to check a tree for out of bounds array
691 accesses. The array_bounds_checker class is passed in DATA. */
693 tree
696 {
700 location_t location;
704 else
720 {
723 }
725 /* Hack: Skip MEM_REF checks in accesses to a member of a base class
726 at an offset that's within the bounds of the enclosing object.
727 See pr98266 and pr97595. */
730 /* Propagate the no-warning bit to the outer statement to avoid also
731 issuing -Wstringop-overflow/-overread for the out-of-bounds accesses. */
736 }
738 /* A dom_walker subclass for use by check_all_array_refs, to walk over
739 all statements of all reachable BBs and call check_array_bounds on
740 them. */
743 {
747 /* Discover non-executable edges, preserving EDGE_EXECUTABLE
748 flags, so that we can merge in information on
749 non-executable edges from vrp_folder . */
750 REACHABLE_BLOCKS_PRESERVING_FLAGS),
758 };
760 /* Implementation of dom_walker::before_dom_children.
762 Walk over all statements of BB and call check_array_bounds on them,
763 and determine if there's a unique successor edge. */
765 edge
767 {
768 gimple_stmt_iterator si;
770 {
781 }
783 /* Determine if there's a unique successor edge, and if so, return
784 that back to dom_walker, ensuring that we don't visit blocks that
785 became unreachable during the VRP propagation
786 (PR tree-optimization/83312). */
788 }
790 void
792 {
795 }