build failure with gcc 4.6.0 "array subscript is above array bounds"

build failure with gcc 4.6.0 "array subscript is above array bounds"

[Ian Campbell]

I noticed this with a defconfig build:
      CC      arch/powerpc/kernel/ptrace.o
    arch/powerpc/kernel/ptrace.c: In function 'arch_ptrace':
    arch/powerpc/kernel/ptrace.c:1502:5: error: array subscript is above array bounds [-Werror=array-bounds]
    arch/powerpc/kernel/ptrace.c:1530:5: error: array subscript is above array bounds [-Werror=array-bounds]

That corresponds to:
	tmp = ((unsigned long *)child->thread.fpr)
		[TS_FPRWIDTH * (index - PT_FPR0)];

child->thread.fpr is "double fpr[32][TS_FPRWIDTH]".

index has already been bounds checked so we know it is <= PT_FPSCR.

I tried to fix but I don't really know enough about PPC to figure out
the correct fix is. PT_FPSCR is "PT_FPR0 + 32" on ppc64, which seems
consistent with the fpr definition.

On ppc32 PT_FPSCR is "PT_FPR0 + 2*32 + 1", I tried replacing the 32 with
"PT_FPSCR - PT_FPR0" (+ 1) but that got me into the BUILD_BUG_ONs at
line 346 and 374. At this point I'm afraid gave up trying to fix things,
I hope the report is useful anyway...

Ian.

RE: build failure with gcc 4.6.0 "array subscript is above array bounds"

[David Laight]

=20
> Subject: build failure with gcc 4.6.0 "array subscript is=20
> above array bounds"
...
> That corresponds to:
> 	tmp =3D ((unsigned long *)child->thread.fpr)
> 		[TS_FPRWIDTH * (index - PT_FPR0)];
>=20
> child->thread.fpr is "double fpr[32][TS_FPRWIDTH]".
>=20
> index has already been bounds checked so we know it is <=3D PT_FPSCR.

That code looks gross....
I think it is trying to index a 2D array with a single index
and type-pun the lookup.
I'm not sure how the array size (for the subscript error)
is determined in the presence of the cast, but without
the cast the index would have to be less than 32.
I also suspect this is failing when gcc inlines the function
from a call where 'index' is a constant.

Possibly the code should read:
   tmp =3D (unsigned long *)child->thread.fpr[index - PT_FPRO];
although index may have been scaled by 'sizeof double/sizeof long'.

	David

Re: build failure with gcc 4.6.0 "array subscript is above array bounds"

[Andreas Schwab]

Ian Campbell <Ian.Campbell@citrix.com> writes:

> I noticed this with a defconfig build:
>       CC      arch/powerpc/kernel/ptrace.o
>     arch/powerpc/kernel/ptrace.c: In function 'arch_ptrace':
>     arch/powerpc/kernel/ptrace.c:1502:5: error: array subscript is above array bounds [-Werror=array-bounds]
>     arch/powerpc/kernel/ptrace.c:1530:5: error: array subscript is above array bounds [-Werror=array-bounds]
>
> That corresponds to:
> 	tmp = ((unsigned long *)child->thread.fpr)
> 		[TS_FPRWIDTH * (index - PT_FPR0)];
>
> child->thread.fpr is "double fpr[32][TS_FPRWIDTH]".
>
> index has already been bounds checked so we know it is <= PT_FPSCR.
>
> I tried to fix but I don't really know enough about PPC to figure out
> the correct fix is. PT_FPSCR is "PT_FPR0 + 32" on ppc64, which seems
> consistent with the fpr definition.

Perhaps there should be a union that overlays fpr with an array of
longs.

> On ppc32 PT_FPSCR is "PT_FPR0 + 2*32 + 1", I tried replacing the 32 with
> "PT_FPSCR - PT_FPR0" (+ 1) but that got me into the BUILD_BUG_ONs at
> line 346 and 374. At this point I'm afraid gave up trying to fix things,
> I hope the report is useful anyway...

On ppc32 a single ptrace call can only read/write half of an fpr, so
each fpr occupies two slots.

Andreas.

-- 
Andreas Schwab, schwab@redhat.com
GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84  5EC7 45C6 250E 6F00 984E
"And now for something completely different."