| blob | eb0f05045d59083b32c4601ba784a9a4a647f38e |
1 /* Exercise that -Warray-bounds is issued for out-of-bounds offsets
2 in calls to built-in functions.
3 { dg-do compile }
4 { dg-options "-O2 -Wno-stringop-overflow -Warray-bounds -ftrack-macro-expansion=0" } */
8 #if __cplusplus
9 # define restrict __restrict
11 #endif
23 #if __cplusplus
25 #endif
29 #define CAT(x, y) x ## y
30 #define CONCAT(x, y) CAT (x, y)
31 #define UNIQUE_NAME(x) CONCAT(x, __LINE__)
33 #define T(type, N, dst, src, n) do { \
34 extern type UNIQUE_NAME (a)[N]; \
35 type *a = UNIQUE_NAME (a); \
36 type *pd = (dst); \
37 const type *ps = (src); \
38 FUNC (pd, ps, n); \
39 sink (a, pd, ps); \
40 } while (0)
44 {
45 #define FUNC memcpy
47 /* Verify that invalid offsets into an array of known size are
48 detected. */
50 T (char, 1, a + SR (DIFF_MIN, -1), s, n); /* { dg-warning "offset \\\[-\[0-9\]+, -1] is out of the bounds \\\[0, 1] of object \[^\n\r]* with type .char ?\\\[1]" } */
51 T (char, 1, a + SR (-2, -1), s, n); /* { dg-warning "offset \\\[-2, -1] is out of the bounds \\\[0, 1] of object" } */
57 T (char, 1, a + UR (2, 3), s, n); /* { dg-warning "offset \\\[2, 3] is out of the bounds \\\[0, 1] of object " } */
58 T (char, 1, a + UR (2, DIFF_MAX), s, n); /* { dg-warning "offset \\\[2, \[0-9\]+] is out of the bounds \\\[0, 1] of object " "memcpy" } */
60 /* Offsets in excess of DIFF_MAX are treated as negative even if
61 they appear as large positive in the source. It would be nice
62 if they retained their type but unfortunately that's not how
63 it works so be prepared for both in case it even gets fixed. */
64 T (char, 1, a + UR (3, SIZE_MAX - 1), s, n); /* { dg-warning "offset \\\[3, -2] is out of the bounds \\\[0, 1] of object" "memcpy" } */
66 /* Verify that invalid offsets into an array of unknown size are
67 detected. */
70 T (char, 1, arr + SR (DIFF_MIN + 1, -1), s, n); /* { dg-warning "offset \\\[-\[0-9\]+, -1] is out of the bounds of object " "memcpy" } */
73 T (char, 1, arr + SR ( -2, -1), s, n); /* { dg-warning "offset \\\[-2, -1] is out of the bounds of object " "memcpy" } */
82 /* Verify that all offsets via a pointer to an uknown object are
83 accepted. */
85 /* Negative indices between [DIFF_MIN, DIFF_MAX] are valid since
86 the pointer to which the offset is applied can be at a positive
87 offset from the beginning of an object. */
100 }
102 /* Verify offsets in an anti-range. */
105 {
113 /* The initial source range is valid but the final range after the access
114 has complete cannot be. The value mentioned in the warning is the final
115 offset, i.e., 7 + 3. Including the whole final range because would be
116 confusing (the upper bound would either be negative or a very large
117 positive number) so only the lower bound is included. */
118 T (char, 9, a, a + SAR ( 0, 6), 3); /* { dg-warning "forming offset 10 is out of the bounds \\\[0, 9] of object " "memcpy" } */
120 /* This fails because the offset isn't represented as an SSA_NAME
121 but rather as a GIMPLE_PHI (offset, 0). With some effort it is
122 possible to extract the range from the PHI but it's not implemented
123 (yet). */
124 T (char, 9, a, a + SAR ( 1, 6), 3); /* { dg-warning "forming offset \\\[9, 0] is out of the bounds \\\[0, 9] of object " "memcpy" { xfail *-*-* } } */
126 /* The range of offsets is the union of [0, 1] and [7, PTRDIFF_MAX]
127 of which the first subrange is valid and thus no warming for memcpy
128 is issued. Similarly for the next test. */
132 T (char, 9, a, a + SAR (-1, 7), 3); /* { dg-warning "forming offset \\\[10, 11] is out of the bounds \\\[0, 9] of object " "memcpy" } */
133 T (char, 9, a, a + SAR (-2, 8), 3); /* { dg-warning "forming offset \\\[10, 12] is out of the bounds \\\[0, 9] of object " "memcpy" } */
134 T (char, 9, a, a + SAR (-3, 7), 5); /* { dg-warning "forming offset \\\[10, 13] is out of the bounds \\\[0, 9] of object " "memcpy" } */
141 T (char, 9, a + SAR ( 0, 6), a, 3); /* { dg-warning "forming offset 10 is out of the bounds \\\[0, 9] of object " "memcpy" } */
142 T (char, 9, a + SAR (-1, 7), a, 3); /* { dg-warning "forming offset \\\[10, 11] is out of the bounds \\\[0, 9] of object " "memcpy" } */
143 T (char, 9, a + SAR (-2, 8), a, 3); /* { dg-warning "forming offset \\\[10, 12] is out of the bounds \\\[0, 9] of object " "memcpy" } */
148 }
150 /* Verify that pointer overflow in the computation done by memcpy
151 (i.e., offset + size) is detected and diagnosed. */
154 {
157 /* Verify that offset overflow involving an array of unknown size
158 but known access size is detected. This works except with small
159 sizes that are powers of 2 due to bug . */
161 T (char, 1, arr + SR (DIFF_MAX - 1, DIFF_MAX), s, 2); /* { dg-warning "pointer overflow between offset \\\[\[0-9\]+, \[0-9\]+] and size 2 accessing array " "bug " { xfail *-*-* } } */
162 T (char, 1, arr + SR (DIFF_MAX - 2, DIFF_MAX), s, 3); /* { dg-warning "pointer overflow between offset \\\[\[0-9\]+, \[0-9\]+] and size 3 accessing array " "memcpy" } */
163 T (char, 1, arr + SR (DIFF_MAX - 4, DIFF_MAX), s, 5); /* { dg-warning "pointer overflow between offset \\\[\[0-9\]+, \[0-9\]+] and size 5 accessing array " "memcpy" } */
164 }
167 {
168 #undef TM
169 #define TM(mem, dst, src, n) \
170 do { \
171 struct MA { char a5[5]; int i; } ma; \
173 memcpy (dst, src, n); \
174 sink (&ma); \
175 } while (0)
183 }
186 {
187 #undef FUNC
188 #define FUNC memmove
190 T (char, 1, a + SR (DIFF_MIN + 1, -1), s, n); /* { dg-warning "offset \\\[-\[0-9\]+, -1] is out of the bounds \\\[0, 1] of object \[^\n\r]+ with type .char ?\\\[1]" } */
191 T (char, 1, a + SR (-2, -1), s, n); /* { dg-warning "offset \\\[-2, -1] is out of the bounds \\\[0, 1] of object" } */
202 T (int32_t, 2, a + SR ( 3, 4), pi, n); /* { dg-warning "offset \\\[12, 16] is out of the bounds \\\[0, 8] of object .\[^\n\r]+. with type .int32_t ?\\\[2]." } */
203 }
207 {
208 #undef FUNC
209 #define FUNC mempcpy
211 /* Verify that invalid offsets into an array of known size are
212 detected. */
214 T (char, 1, a + SR (DIFF_MIN, -1), s, n); /* { dg-warning "offset \\\[-\[0-9\]+, -1] is out of the bounds" "mempcpy" } */
215 T (char, 1, a + SR (-2, -1), s, n); /* { dg-warning "offset \\\[-2, -1] is out of the bounds" "mempcpy" } */
221 T (char, 1, a + UR (2, 3), s, n); /* { dg-warning "offset \\\[2, 3] is out of the bounds \\\[0, 1] of object " "mempcpy" } */
222 T (char, 1, a + UR (2, DIFF_MAX), s, n); /* { dg-warning "offset \\\[2, \[0-9\]+] is out of the bounds \\\[0, 1] of object" "mempcpy" } */
224 /* Offsets in excess of DIFF_MAX are treated as negative even if
225 they appear as large positive in the source. It would be nice
226 if they retained their type but unfortunately that's not how
227 it works so be prepared for both in case it ever gets fixed. */
228 T (char, 1, a + UR (3, SIZE_MAX), s, n); /* { dg-warning "offset \\\[3, -1] is out of the bounds \\\[0, 1] of object " "mempcpy" } */
230 /* Verify that invalid offsets into an array of unknown size are
231 detected. */
234 T (char, 1, arr + SR (DIFF_MIN, -1), s, n); /* { dg-warning "offset \\\[-\[0-9\]+, -1] is out of the bounds of object" "mempcpy" } */
237 T (char, 1, arr + SR ( -2, -1), s, n); /* { dg-warning "offset \\\[-2, -1] is out of the bounds of object" "mempcpy" } */
246 /* Verify that all offsets via a pointer to an uknown object are
247 accepted. */
249 /* Negative indices between [DIFF_MIN, DIFF_MAX] are valid since
250 the pointer to which the offset is applied can be at a positive
251 offset from the beginning of an object. */
264 }
266 #define TI(type, N, init, dst, src) do { \
267 type UNIQUE_NAME (a)[N] = init; \
268 type *a = UNIQUE_NAME (a); \
269 type *pd = (dst); \
270 const type *ps = (src); \
271 FUNC (pd, ps); \
272 sink (a, pd, ps, s); \
273 } while (0)
276 {
277 #undef FUNC
278 #define FUNC strcpy
289 /* The following needs a warning for reading past the end. */
291 TI (char, 2, "0", a, a + SR (3, DIFF_MAX - 1)); /* { dg-warning "offset \\\[3, \[0-9\]+] is out of the bounds \\\[0, 2] of object \[^\n\r\]+ with type .char ?\\\[2\\\]." "strcpy" } */
296 /* The following needs a warning for reading past the end. */
298 TI (char, 3, "01", a, a + SR (4, DIFF_MAX - 1)); /* { dg-warning "offset \\\[4, \[0-9\]+] is out of the bounds \\\[0, 3] of object \[^\n\r\]+ with type .char ?\\\[3\\\]." "strcpy" } */
300 TI (char, 4, "012", a, a + SR (DIFF_MAX - 2, DIFF_MAX - 1)); /* { dg-warning "offset \\\[\[0-9\]+, \[0-9\]+] is out of the bounds \\\[0, 4] of object \[^\n\r\]+ with type .char ?\\\[4\\\]." "strcpy" } */
310 /* The following is diagnosed not because the initial source offset
311 it out of bounds (it isn't) but because the final source offset
312 after the access has completed, is. It would be clearer if
313 the warning mentioned the final offset. */
314 TI (char, 2, "", a + SR (2, DIFF_MAX - 1), s); /* { dg-warning "forming offset 3 is out of the bounds \\\[0, 2] of object \[^\n\r\]+ with type .char ?\\\[2\\\]." "strcpy" } */
315 TI (char, 2, "", a + SR (3, DIFF_MAX - 1), s); /* { dg-warning "offset \\\[3, \[0-9\]+] is out of the bounds \\\[0, 2] of object \[^\n\r\]+ with type .char ?\\\[2\\\]." "strcpy" } */
320 TI (char, 3, "", a + SR (3, DIFF_MAX - 1), s); /* { dg-warning "forming offset 4 is out of the bounds \\\[0, 3] of object \[^\n\r\]+ with type .char ?\\\[3\\\]." "strcpy" } */
321 TI (char, 3, "", a + SR (4, DIFF_MAX - 1), s); /* { dg-warning "offset \\\[4, \[0-9\]+] is out of the bounds \\\[0, 3] of object \[^\n\r\]+ with type .char ?\\\[3\\\]." "strcpy" } */
323 TI (char, 4, "", a + SR (DIFF_MAX - 2, DIFF_MAX - 1), s); /* { dg-warning "offset \\\[\[0-9\]+, \[0-9\]+] is out of the bounds \\\[0, 4] of object \[^\n\r\]+ with type .char ?\\\[4\\\]." "strcpy" } */
324 }
326 struct MA
327 {
331 };
333 struct MA2
334 {
338 };
340 struct MA3
341 {
344 };
347 {
348 #undef TM
349 #define TM(mem, init, dst, src) \
350 do { \
351 struct MA ma; \
352 strcpy (ma.mem, init); \
353 strcpy (dst, src); \
354 sink (&ma); \
355 } while (0)
362 TM (a5, "0123", ma.a5 + i, ma.a5); /* { dg-warning "offset 10 from the object at .ma. is out of the bounds of referenced subobject .\(MA::\)?a5. with type .char ?\\\[5]. at offset 4" "strcpy" } */
368 TM (a11, "01234", ma.a5, ma.a11); /* { dg-warning "offset 10 from the object at .ma. is out of the bounds of referenced subobject .\(MA::\)?a5. with type .char ?\\\[5]' at offset 4" } */
369 TM (a11, "012345", ma.a5, ma.a11); /* { dg-warning "offset \\\[10, 11] from the object at .ma. is out of the bounds of referenced subobject .\(MA::\)?a5. with type .char ?\\\[5]' at offset 4" } */
370 TM (a11, "0123456", ma.a5, ma.a11); /* { dg-warning "offset \\\[10, 12] from the object at .ma. is out of the bounds of referenced subobject .\(MA::\)?a5. with type .char ?\\\[5]' at offset 4" } */
373 }
379 {
380 #undef TM
381 #define TM(dst, src) do { \
382 strcpy (dst, src); \
383 sink (dst, src); \
384 } while (0)
391 /* The following forms a pointer during the call that's outside
392 the bounds of the array it was derived from (pma->a5) so
393 it should be diagnosed but the representation of the pointer
394 addition doesn't contain information to distinguish it from
395 the valid pma->a11 + 1 so this is an XFAIL. */
396 TM (pma->a5 + 5, s); /* { dg-warning "offset 17 from the object at .pma. is out of the bounds of .struct MA." "strcpy" { xfail *-*-* } } */
398 /* The following also forms an out-of-bounds pointer but similar
399 to the above, there is no reliable way to distinguish it from
400 (char*)&pma[1].i + 1 so this too is not diagnosed. */
401 TM (pma->a5 + sizeof *pma + 1, s); /* { dg-warning "offset 17 from the object at .pma. is out of the bounds of .struct MA." "strcpy" { xfail *-*-* } } */
403 TM (pma->a5 - 1, s); /* { dg-warning "offset -1 from the object at .pma. is out of the bounds of .struct MA." "strcpy" { xfail *-*-* } } */
413 }