This is an archive of the discontinued LLVM Phabricator instance.

Differential D71714

[Sema] Fix -Warray-bounds false negative when casting an out-of-bounds array item
ClosedPublic

Authored by ilya on Dec 19 2019, 9:17 AM.

Details

Reviewers
rsmith
Commits
rGe48f444751cf: [Sema] Fix -Warray-bounds false negative when casting an out-of-bounds array…
Summary

Patch by Ilya Mirsky!

Fixes: http://llvm.org/PR44343

Diff Detail

Event Timeline

ilya created this revision.Dec 19 2019, 9:17 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 19 2019, 9:17 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B42785: Diff 234739.Dec 19 2019, 9:23 AM
ilya retitled this revision from [Sema] NFC: Remove trailing spaces and fix a typo in a test file to [Sema] Fix -Warray-bounds false negative when casting an out-of-bounds array item.Dec 19 2019, 9:28 AM
ilya edited the summary of this revision. (Show Details)
ilya added a reviewer: rsmith.
ilya added a subscriber: ebevhan.
riccibruno added a subscriber: riccibruno.Dec 19 2019, 9:46 AM
riccibruno added a comment.Dec 19 2019, 10:13 AM

These are not the only AST nodes representing cast expressions (there is also CXXFunctionalCastExpr, ...). What about replacing the IgnoreParenImpCasts() above by IgnoreParenCasts() ? Incidentally doing this uncovers another test (Parser/cxx-ambig-decl-expr.cpp ) where this diagnostic is triggered.

rsmith added a comment.Dec 19 2019, 12:54 PM

In addition to @riccibruno's comment, I found a couple of other suspicious things nearby (unrelated to the fix in this patch). No need to address them in this patch unless you feel motivated :)

clang/lib/Sema/SemaChecking.cpp
14389–14390

Hmm, don't we need to do different things for dot and arrow in this case?

14389–14390

Doesn't this need to preserve the AllowOnePastEnd value to avoid a false positive for &(cond ? arr1[N] : arr2[N])?

efriedma added a subscriber: efriedma.Dec 19 2019, 5:11 PM

To be rigorous, we should perform "pointer" checking for every operation that performs pointer arithmetic. Then we should perform "lvalue" checking (which doesn't allow pointers one past the end) in the following places:

  1. When we take the address of an lvalue.
  2. When we form a reference to an lvalue.
  3. When we perform an lvalue-to-rvalue conversion.
  4. When we perform an assignment to an lvalue.

This sort of piecemeal approach of recursively looking through arbitrary expressions seems likely to miss cases. For example, we currently don't perform checks inside compound literals.

rsmith added a comment.Dec 19 2019, 6:51 PM
In D71714#1792085, @efriedma wrote:

To be rigorous, we should perform "pointer" checking for every operation that performs pointer arithmetic. Then we should perform "lvalue" checking (which doesn't allow pointers one past the end) in the following places:

  1. When we take the address of an lvalue.
  2. When we form a reference to an lvalue.
  3. When we perform an lvalue-to-rvalue conversion.
  4. When we perform an assignment to an lvalue.

This sort of piecemeal approach of recursively looking through arbitrary expressions seems likely to miss cases. For example, we currently don't perform checks inside compound literals.

I agree that this approach is not good. I'm concerned that your direction might still miss things, though (and it seems to involve a lot of AST traversal, which would be nice to avoid). For example, __builtin_bitcast performs a load without an lvalue-to-rvalue conversion, and to be thorough we'd need to special-case it. Perhaps we could instead:

  • warn immediately when indexing outside [0, N] inclusive
  • produce a deferred warning when indexing with index N, and diagnose at the end of the expression evaluation context
  • remove elements from the list of deferred warnings when handling an & operator

In C at least, that should be correct in all cases. I think it's correct in C++ as well; there are lots more forms of lvalue to walk into in the third step (eg, &(cond ? x[n] : y[n]) shouldn't warn), but it seems feasible to enumerate. (This would lose the warnings on *&x[n], but I don't think that's a disaster.)

efriedma added a comment.Dec 20 2019, 2:29 PM

and it seems to involve a lot of AST traversal

I was thinking we'd just call into SemaChecking in appropriate places. I guess there's a little AST traversal to figure whether an expression forms an array address. Your idea seems simpler.

remove elements from the list of deferred warnings when handling an & operator

For C++, I think you might also need to handle discarded-value expressions? Maybe it's okay if we warn anyway in that case. :)

This would lose the warnings on *&x[n], but I don't think that's a disaster

And more generally *(x+n), although I guess that isn't implemented now anyway.

ilya marked an inline comment as done.Dec 23 2019, 1:19 PM
In D71714#1791464, @riccibruno wrote:

These are not the only AST nodes representing cast expressions (there is also CXXFunctionalCastExpr, ...). What about replacing the IgnoreParenImpCasts() above by IgnoreParenCasts() ? Incidentally doing this uncovers another test (Parser/cxx-ambig-decl-expr.cpp ) where this diagnostic is triggered.

Thanks, using IgnoreParenCasts is even better.

clang/lib/Sema/SemaChecking.cpp
14389–14390

There are several test cases for an out of bounds access on an array member using dot and arrow operators in array-bounds.cpp. Do you have a specific test case for which you think the code is broken?

ilya updated this revision to Diff 235184.Dec 23 2019, 4:27 PM
  1. Refactor CheckArrayAccess() to take AllowPastTheEnd parameter to avoid a false positive array out-of-bounds warning for &(cond ? arr1[N] : arr2[N]).
  2. Use IgnoreParenCasts() instead of IgnoreParenImpCasts() in CheckArrayAccess() to avoid false negatives when explicit cast is involved.
Harbormaster completed remote builds in B42907: Diff 235184.Dec 23 2019, 4:32 PM
ilya marked an inline comment as done.Dec 23 2019, 4:33 PM

Implemented @riccibruno's and @rsmith's comments.
While I agree with the general notion about the flaws with the current implementation, I feel that the more major refactoring proposed in this review is out of the scope of this minor fix.

ilya added a comment.Jan 6 2020, 9:59 AM

Kind ping

rsmith added inline comments.Jan 6 2020, 1:34 PM
clang/lib/Sema/SemaChecking.cpp
14389–14390

There are several test cases for an out of bounds access on an array member using dot and arrow operators in array-bounds.cpp. Do you have a specific test case for which you think the code is broken?

Sure. There's a false negative for this:

struct A { int n; };
A *a[4];
int *n = &a[4]->n;

... because we incorrectly visit the left-hand side of the -> with AllowOnePastEnd == 1. The left-hand side of -> is subject to lvalue-to-rvalue conversion, so can't be one-past-the-end regardless of the context in which the -> appears.

clang/test/SemaCXX/array-bounds.cpp
331

This case should warn; dynamic_cast will access the object's vptr. Please at least add a FIXME.

rsmith added a comment.Jan 6 2020, 1:36 PM
In D71714#1795313, @ilya wrote:

While I agree with the general notion about the flaws with the current implementation, I feel that the more major refactoring proposed in this review is out of the scope of this minor fix.

I'm OK with making the minor fix here and deferring the larger rework.

ilya updated this revision to Diff 238106.Jan 14 2020, 2:38 PM

Address rsmith's comments.

Harbormaster completed remote builds in B44003: Diff 238106.Jan 14 2020, 2:45 PM
ilya marked 4 inline comments as done.Jan 14 2020, 2:48 PM
ilya added inline comments.
clang/lib/Sema/SemaChecking.cpp
14389–14390

... because we incorrectly visit the left-hand side of the -> with AllowOnePastEnd == 1. The left-hand side of -> is subject to lvalue-to-rvalue conversion, so can't be one-past-the-end regardless of the context in which the -> appears.

Thanks for clarifying. So basically we don't want to allow one-past-end for MemberExpr?

ebevhan added inline comments.Jan 16 2020, 7:18 AM
clang/lib/Sema/SemaChecking.cpp
14389–14390

Thanks for clarifying. So basically we don't want to allow one-past-end for MemberExpr?

I think the point is rather that when the MemberExpr isArrow, we want to think of it as performing an implicit dereference first, and thus we should do AllowOnePastEnd-- before recursing if that is the case.

ilya marked 2 inline comments as done.Jan 21 2020, 10:10 AM
ilya added inline comments.
clang/lib/Sema/SemaChecking.cpp
14389–14390

I think the point is rather that when the MemberExpr isArrow, we want to think of it as performing an implicit dereference first, and thus we should do AllowOnePastEnd-- before recursing if that is the case.

@ebevhan and I have discussed this offline, and we believe that there's no reason to allow an address-of of a member of a one past-the-end value, using either '.' or '->' operators, regardless of the fact that referencing a member of a one past-the-end value using '.' is merely a pointer arithmetic and doesn't imply dereferencing, as with operator '->'.

We couldn't find any reference in the C++ 2017 N4659 regarding member access of a one past-the-end value. Only mentions of one past-the-end in the context of iterators (27.2.1 p. 7) and pointer arithmetic (8.3.1 p. 3).

ISO C99 describes in 6.5.3.2 p. 3 that if the operand to the '&' operator is the result of an unary '*' operator (or array subscript, implictly), the two operators "cancel" each other, but it says nothing about the case when there's a member expression "in-between", (the member expression section, 6.5.2.3, says nothing about that either).

@rsmith, what do you think?

ilya added a comment.Feb 17 2020, 6:22 AM

Ping

ilya added a comment.Mar 13 2020, 7:30 PM

One last kind ping

vabridgers added a subscriber: vabridgers.Jan 14 2021, 5:00 PM

Ping @rsmith . Are you ok if I rebase and push this change? Or do you have specific items that require attention? I've spoken to @ilya , he's ok if I clean this up and push with credit to him. Thanks

vabridgers updated this revision to Diff 317252.Jan 17 2021, 5:21 PM

Rebase, commandeer this patch from Ilya.

vabridgers edited the summary of this revision. (Show Details)Jan 17 2021, 5:22 PM
Harbormaster completed remote builds in B85546: Diff 317252.Jan 17 2021, 6:01 PM
vabridgers added a comment.Jan 20 2021, 5:40 PM

Ping. Could someone pick up review of this patch again, please? Ilya left off with a question to @rsmith , and at that point all activity fell off. Thanks.

steakhal added a subscriber: steakhal.Jan 21 2021, 7:23 AM
vabridgers added a subscriber: lattner.Jan 28 2021, 1:44 PM

Gentle and polite ping :) Could someone have a look at this? @rsmith , or @lattner ? Thanks.

rsmith accepted this revision.Jan 28 2021, 4:00 PM
rsmith added inline comments.
clang/lib/Sema/SemaChecking.cpp
14389–14390

Let's give this a go. I'm a little concerned that people might write things like:

struct X { int n; };
X x[32];
int *end = &x[32].n;

I don't think that has defined behavior in C++, because there isn't an X object so there isn't an n member to refer to, but I think it's probably OK in C (hard to say in both cases, though, due to underspecification in both standards). Nonetheless, such code is at least questionable. I don't think we have a good way to determine how well this warning will work other than trying it, so let's do that.

Please be prepared to revert and do something more conservative if we find this fires a lot on somewhat-reasonable code :)

This revision is now accepted and ready to land.Jan 28 2021, 4:00 PM
Closed by commit rGe48f444751cf: [Sema] Fix -Warray-bounds false negative when casting an out-of-bounds array… (authored by ilya, committed by einvbri <vince.a.bridgers@ericsson.com>). · Explain WhyFeb 3 2021, 5:51 AM
This revision was automatically updated to reflect the committed changes.
einvbri <vince.a.bridgers@ericsson.com> added a commit: rGe48f444751cf: [Sema] Fix -Warray-bounds false negative when casting an out-of-bounds array….
vabridgers added a comment.Feb 3 2021, 5:53 AM

Thanks @rsmith, will do. Best!

thakis added a subscriber: thakis.Feb 3 2021, 4:48 PM

Hi,

this causes a warning in harfbuzz on code that looks like so:

UChar decomposed[4];
...
int len = unorm2_getRawDecomposition(...decomposed, ARRAY_LENGTH (decomposed)...)
if (len == 1) {
  U16_GET_UNSAFE (decomposed, 0, *a);

where U16_GET_UNSAFE looks like so:

#define U16_GET_UNSAFE(s, i, c) UPRV_BLOCK_MACRO_BEGIN { \
    (c)=(s)[i]; \
    if(U16_IS_SURROGATE(c)) { \
        if(U16_IS_SURROGATE_LEAD(c)) { \
            (c)=U16_GET_SUPPLEMENTARY((c), (s)[(i)+1]); \
        } else { \
            (c)=U16_GET_SUPPLEMENTARY((s)[(i)-1], (c)); \
        } \
    } \
} UPRV_BLOCK_MACRO_END

(The BLOCK_MACRO macros are just a way to spell do...while(false) as far as I understand.)

It's true that the else block in the macro evaluates to decomposed[0-1], which is out of bounds -- but it's also in a conditional, and in a macro. That seems like this can cause quite a few false positives. Maybe this warning should be suppressed in conditionals, or macros, or some such?

(50k/70k files of chromium built with this patch, this so far is the only instance it flagged, and that's a false positive.)

uabelho added a subscriber: uabelho.Feb 3 2021, 10:00 PM
thakis added a comment.Feb 5 2021, 11:07 AM

@vabridgers: ping ^

vabridgers added a comment.Feb 8 2021, 3:01 AM

Thanks @thakis, per @rsmith 's suggestion in the review, I'll revert this. Apologies for the inconvenience.

einvbri <vince.a.bridgers@ericsson.com> added a reverting change: rG9083d0a40d98: Revert "[Sema] Fix -Warray-bounds false negative when casting an out-of-bounds….Feb 8 2021, 4:41 AM

Revision Contents

PathSize
clang/
include/
clang/
Sema/
2 lines
lib/
Sema/
111 lines
test/
Parser/
2 lines
SemaCXX/
36 lines

Diff 317252

clang/include/clang/Sema/Sema.h

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 12,304 Lines▼ Show 20 Lines
public: public:
SourceLocation getLocationOfStringLiteralByte(const StringLiteral *SL, SourceLocation getLocationOfStringLiteralByte(const StringLiteral *SL,
unsigned ByteNo) const; unsigned ByteNo) const;
private: private:
void CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, void CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
const ArraySubscriptExpr *ASE=nullptr, const ArraySubscriptExpr *ASE=nullptr,
bool AllowOnePastEnd=true, bool IndexNegated=false); bool AllowOnePastEnd=true, bool IndexNegated=false);
void CheckArrayAccess(const Expr *E); void CheckArrayAccess(const Expr *E, int AllowOnePastEnd = 0);
// Used to grab the relevant information from a FormatAttr and a // Used to grab the relevant information from a FormatAttr and a
// FunctionDeclaration. // FunctionDeclaration.
struct FormatStringInfo { struct FormatStringInfo {
unsigned FormatIdx; unsigned FormatIdx;
unsigned FirstDataArg; unsigned FirstDataArg;
bool HasVAListArg; bool HasVAListArg;
}; };
▲ Show 20 LinesShow All 567 LinesShow Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 14,380 Lines▼ Show 20 Lines if (!ND) {
if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr)) if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
ND = ME->getMemberDecl(); ND = ME->getMemberDecl();
} }
if (ND) if (ND)
DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr, DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
PDiag(diag::note_array_declared_here) << ND); PDiag(diag::note_array_declared_here) << ND);
} }
void Sema::CheckArrayAccess(const Expr *expr) { void Sema::CheckArrayAccess(const Expr *expr, int AllowOnePastEnd) {
rsmithUnsubmitted
Done
ReplyInline Actions

Hmm, don't we need to do different things for dot and arrow in this case?

rsmith: Hmm, don't we need to do different things for dot and arrow in this case?
ilyaAuthorUnsubmitted
Done
ReplyInline Actions

There are several test cases for an out of bounds access on an array member using dot and arrow operators in array-bounds.cpp. Do you have a specific test case for which you think the code is broken?

ilya: There are several test cases for an out of bounds access on an array member using dot and arrow…
rsmithUnsubmitted
Done
ReplyInline Actions

There are several test cases for an out of bounds access on an array member using dot and arrow operators in array-bounds.cpp. Do you have a specific test case for which you think the code is broken?

Sure. There's a false negative for this:

struct A { int n; };
A *a[4];
int *n = &a[4]->n;

... because we incorrectly visit the left-hand side of the -> with AllowOnePastEnd == 1. The left-hand side of -> is subject to lvalue-to-rvalue conversion, so can't be one-past-the-end regardless of the context in which the -> appears.

rsmith: > There are several test cases for an out of bounds access on an array member using dot and…
ilyaAuthorUnsubmitted
Done
ReplyInline Actions

... because we incorrectly visit the left-hand side of the -> with AllowOnePastEnd == 1. The left-hand side of -> is subject to lvalue-to-rvalue conversion, so can't be one-past-the-end regardless of the context in which the -> appears.

Thanks for clarifying. So basically we don't want to allow one-past-end for MemberExpr?

ilya: > ... because we incorrectly visit the left-hand side of the -> with AllowOnePastEnd == 1. The…
ebevhanUnsubmitted
Not Done
ReplyInline Actions

Thanks for clarifying. So basically we don't want to allow one-past-end for MemberExpr?

I think the point is rather that when the MemberExpr isArrow, we want to think of it as performing an implicit dereference first, and thus we should do AllowOnePastEnd-- before recursing if that is the case.

ebevhan: > Thanks for clarifying. So basically we don't want to allow one-past-end for MemberExpr? I…
ilyaAuthorUnsubmitted
Done
ReplyInline Actions

I think the point is rather that when the MemberExpr isArrow, we want to think of it as performing an implicit dereference first, and thus we should do AllowOnePastEnd-- before recursing if that is the case.

@ebevhan and I have discussed this offline, and we believe that there's no reason to allow an address-of of a member of a one past-the-end value, using either '.' or '->' operators, regardless of the fact that referencing a member of a one past-the-end value using '.' is merely a pointer arithmetic and doesn't imply dereferencing, as with operator '->'.

We couldn't find any reference in the C++ 2017 N4659 regarding member access of a one past-the-end value. Only mentions of one past-the-end in the context of iterators (27.2.1 p. 7) and pointer arithmetic (8.3.1 p. 3).

ISO C99 describes in 6.5.3.2 p. 3 that if the operand to the '&' operator is the result of an unary '*' operator (or array subscript, implictly), the two operators "cancel" each other, but it says nothing about the case when there's a member expression "in-between", (the member expression section, 6.5.2.3, says nothing about that either).

@rsmith, what do you think?

ilya: > I think the point is rather that when the MemberExpr isArrow, we want to think of it as…
rsmithUnsubmitted
Not Done
ReplyInline Actions

Let's give this a go. I'm a little concerned that people might write things like:

struct X { int n; };
X x[32];
int *end = &x[32].n;

I don't think that has defined behavior in C++, because there isn't an X object so there isn't an n member to refer to, but I think it's probably OK in C (hard to say in both cases, though, due to underspecification in both standards). Nonetheless, such code is at least questionable. I don't think we have a good way to determine how well this warning will work other than trying it, so let's do that.

Please be prepared to revert and do something more conservative if we find this fires a lot on somewhat-reasonable code :)

rsmith: Let's give this a go. I'm a little concerned that people might write things like: ``` struct X…
rsmithUnsubmitted
Done
ReplyInline Actions

Doesn't this need to preserve the AllowOnePastEnd value to avoid a false positive for &(cond ? arr1[N] : arr2[N])?

rsmith: Doesn't this need to preserve the `AllowOnePastEnd` value to avoid a false positive for `&(cond…
int AllowOnePastEnd = 0; if (!expr)
while (expr) { return;
expr = expr->IgnoreParenImpCasts();
expr = expr->IgnoreParenCasts();
switch (expr->getStmtClass()) { switch (expr->getStmtClass()) {
case Stmt::ArraySubscriptExprClass: { case Stmt::ArraySubscriptExprClass: {
const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr); const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr);
CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE, AllowOnePastEnd > 0);
AllowOnePastEnd > 0); CheckArrayAccess(ASE->getBase(), AllowOnePastEnd);
expr = ASE->getBase(); return;
break;
} }
case Stmt::MemberExprClass: { case Stmt::MemberExprClass: {
expr = cast<MemberExpr>(expr)->getBase(); expr = cast<MemberExpr>(expr)->getBase();
break; CheckArrayAccess(expr, /*AllowOnePastEnd=*/0);
return;
} }
case Stmt::OMPArraySectionExprClass: { case Stmt::OMPArraySectionExprClass: {
const OMPArraySectionExpr *ASE = cast<OMPArraySectionExpr>(expr); const OMPArraySectionExpr *ASE = cast<OMPArraySectionExpr>(expr);
if (ASE->getLowerBound()) if (ASE->getLowerBound())
CheckArrayAccess(ASE->getBase(), ASE->getLowerBound(), CheckArrayAccess(ASE->getBase(), ASE->getLowerBound(),
/*ASE=*/nullptr, AllowOnePastEnd > 0); /*ASE=*/nullptr, AllowOnePastEnd > 0);
return; return;
} }
case Stmt::UnaryOperatorClass: { case Stmt::UnaryOperatorClass: {
// Only unwrap the * and & unary operators // Only unwrap the * and & unary operators
const UnaryOperator *UO = cast<UnaryOperator>(expr); const UnaryOperator *UO = cast<UnaryOperator>(expr);
expr = UO->getSubExpr(); expr = UO->getSubExpr();
switch (UO->getOpcode()) { switch (UO->getOpcode()) {
case UO_AddrOf: case UO_AddrOf:
AllowOnePastEnd++; AllowOnePastEnd++;
break; break;
case UO_Deref: case UO_Deref:
AllowOnePastEnd--; AllowOnePastEnd--;
break; break;
default: default:
return; return;
} }
break; CheckArrayAccess(expr, AllowOnePastEnd);
return;
} }
case Stmt::ConditionalOperatorClass: { case Stmt::ConditionalOperatorClass: {
const ConditionalOperator *cond = cast<ConditionalOperator>(expr); const ConditionalOperator *cond = cast<ConditionalOperator>(expr);
if (const Expr *lhs = cond->getLHS()) if (const Expr *lhs = cond->getLHS())
CheckArrayAccess(lhs); CheckArrayAccess(lhs, AllowOnePastEnd);
if (const Expr *rhs = cond->getRHS()) if (const Expr *rhs = cond->getRHS())
CheckArrayAccess(rhs); CheckArrayAccess(rhs, AllowOnePastEnd);
return; return;
} }
case Stmt::CXXOperatorCallExprClass: { case Stmt::CXXOperatorCallExprClass: {
const auto *OCE = cast<CXXOperatorCallExpr>(expr); const auto *OCE = cast<CXXOperatorCallExpr>(expr);
for (const auto *Arg : OCE->arguments()) for (const auto *Arg : OCE->arguments())
CheckArrayAccess(Arg); CheckArrayAccess(Arg);
return; return;
} }
default: default:
return; return;
} }
} }
}
//===--- CHECK: Objective-C retain cycles ----------------------------------// //===--- CHECK: Objective-C retain cycles ----------------------------------//
namespace { namespace {
struct RetainCycleOwner { struct RetainCycleOwner {
VarDecl *Variable = nullptr; VarDecl *Variable = nullptr;
SourceRange Range; SourceRange Range;
▲ Show 20 LinesShow All 1,645 LinesShow Last 20 Lines

clang/test/Parser/cxx-ambig-decl-expr.cpp

Show All 18 Lines
int f(unknown const x); // expected-error {{unknown type name 'unknown'}} int f(unknown const x); // expected-error {{unknown type name 'unknown'}}
// Disambiguating an array declarator from an array subscripting. // Disambiguating an array declarator from an array subscripting.
void arr() { void arr() {
int x[] = {1}; // expected-note 2{{previous}} int x[] = {1}; // expected-note 2{{previous}}
// This is array indexing not an array declarator because a comma expression // This is array indexing not an array declarator because a comma expression
// is not syntactically a constant-expression. // is not syntactically a constant-expression.
int(x[1,1]); // expected-warning 2{{unused}} int(x[1,0]); // expected-warning 2{{unused}}
// This is array indexing not an array declaration because a braced-init-list // This is array indexing not an array declaration because a braced-init-list
// is not syntactically a constant-expression. // is not syntactically a constant-expression.
int(x[{0}]); // expected-error {{array subscript is not an integer}} int(x[{0}]); // expected-error {{array subscript is not an integer}}
struct A { struct A {
struct Q { int n; }; struct Q { int n; };
int operator[](Q); int operator[](Q);
} a; } a;
Show All 9 Lines

clang/test/SemaCXX/array-bounds.cpp

Show All 21 Lines
// This code example tests that -Warray-bounds works with arrays that // This code example tests that -Warray-bounds works with arrays that
// are template parameters. // are template parameters.
template <char *sz> class Qux { template <char *sz> class Qux {
bool test() { return sz[0] == 'a'; } bool test() { return sz[0] == 'a'; }
}; };
void f1(int a[1]) { void f1(int a[1]) {
int val = a[3]; // no warning for function argumnet int val = a[3]; // no warning for function argument
} }
void f2(const int (&a)[2]) { // expected-note {{declared here}} void f2(const int (&a)[2]) { // expected-note {{declared here}}
int val = a[3]; // expected-warning {{array index 3 is past the end of the array (which contains 2 elements)}} int val = a[3]; // expected-warning {{array index 3 is past the end of the array (which contains 2 elements)}}
} }
void test() { void test() {
struct { struct {
▲ Show 20 LinesShow All 89 Lines▼ Show 20 Lines
int test_pr9296() { int test_pr9296() {
int array[2]; int array[2];
return array[true]; // no-warning return array[true]; // no-warning
} }
int test_sizeof_as_condition(int flag) { int test_sizeof_as_condition(int flag) {
int arr[2] = { 0, 0 }; // expected-note {{array 'arr' declared here}} int arr[2] = { 0, 0 }; // expected-note {{array 'arr' declared here}}
if (flag) if (flag)
return sizeof(char) != sizeof(char) ? arr[2] : arr[1]; return sizeof(char) != sizeof(char) ? arr[2] : arr[1];
return sizeof(char) == sizeof(char) ? arr[2] : arr[1]; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}} return sizeof(char) == sizeof(char) ? arr[2] : arr[1]; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
} }
void test_switch() { void test_switch() {
switch (4) { switch (4) {
case 1: { case 1: {
int arr[2]; int arr[2];
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Linesvoid test_pr10771() {
((char*)foo)[sizeof(foo)] = '\0'; // expected-warning {{array index 32768 is past the end of the array (which contains 32768 elements)}} ((char*)foo)[sizeof(foo)] = '\0'; // expected-warning {{array index 32768 is past the end of the array (which contains 32768 elements)}}
// TODO: This should probably warn, too. // TODO: This should probably warn, too.
*(((char*)foo) + sizeof(foo)) = '\0'; // no-warning *(((char*)foo) + sizeof(foo)) = '\0'; // no-warning
} }
int test_pr11007_aux(const char * restrict, ...); int test_pr11007_aux(const char * restrict, ...);
// Test checking with varargs. // Test checking with varargs.
void test_pr11007() { void test_pr11007() {
double a[5]; // expected-note {{array 'a' declared here}} double a[5]; // expected-note {{array 'a' declared here}}
test_pr11007_aux("foo", a[1000]); // expected-warning {{array index 1000 is past the end of the array}} test_pr11007_aux("foo", a[1000]); // expected-warning {{array index 1000 is past the end of the array}}
} }
void test_rdar10916006(void) void test_rdar10916006(void)
{ {
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Lines
template <> int arr<float>[1]; // expected-note {{array 'arr<float>' declared here}} template <> int arr<float>[1]; // expected-note {{array 'arr<float>' declared here}}
void test() { void test() {
arr<int>[1] = 0; // ok arr<int>[1] = 0; // ok
arr<int>[2] = 0; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}} arr<int>[2] = 0; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
arr<float>[1] = 0; // expected-warning {{array index 1 is past the end of the array (which contains 1 element)}} arr<float>[1] = 0; // expected-warning {{array index 1 is past the end of the array (which contains 1 element)}}
} }
} // namespace var_template_array } // namespace var_template_array
namespace PR44343 {
const unsigned int array[2] = {0, 1}; // expected-note 5{{array 'array' declared here}}
const int i1 = (const int)array[2]; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
const int i2 = static_cast<const int>(array[2]); // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
const int &i3 = reinterpret_cast<const int&>(array[2]); // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
unsigned int &i4 = const_cast<unsigned int&>(array[2]); // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
int i5 = int(array[2]); // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
rsmithUnsubmitted
Done
ReplyInline Actions

This case should warn; dynamic_cast will access the object's vptr. Please at least add a FIXME.

rsmith: This case should warn; `dynamic_cast` will access the object's vptr. Please at least add a…
const unsigned int *i6 = &(1 > 0 ? array[2] : array[1]); // no warning for one-past-end element's address retrieval
// Test dynamic cast
struct Base {
virtual ~Base();
};
struct Derived : Base {
};
Base baseArr[2]; // expected-note {{array 'baseArr' declared here}}
Derived *d1 = dynamic_cast<Derived *>(&baseArr[2]); // FIXME: Should actually warn because dynamic_cast accesses the vptr
Derived &d2 = dynamic_cast<Derived &>(baseArr[2]); // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
// Test operator `&` in combination with operators `.` and `->`
struct A {
int n;
};
A a[2]; // expected-note {{array 'a' declared here}}
int *n = &a[2].n; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
A *aPtr[2]; // expected-note {{array 'aPtr' declared here}}
int *n2 = &aPtr[2]->n; // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
}