diff mbox series

[6/6] detect unterminated const arrays in strnlen calls (PR 86552)

Message ID 90953771-af77-b1a6-2215-fc48a07cebd6@gmail.com
State New
Headers show
Series improve handling of char arrays with missing nul (PR 86552, 86711, 86714) | expand

Commit Message

Martin Sebor Aug. 13, 2018, 9:29 p.m. UTC 
The attached changes implement the detection of past-the-end reads
by strncpy due to unterminated arguments and excessive bounds.

Comments

Jeff Law Aug. 30, 2018, 11:25 p.m. UTC | #1 
On 08/13/2018 03:29 PM, Martin Sebor wrote:
> The attached changes implement the detection of past-the-end reads
> by strncpy due to unterminated arguments and excessive bounds.
> 
> 
> gcc-86552-6.diff
> 
> 
> PR tree-optimization/86552 - missing warning for reading past the end of non-string arrays
> 
> gcc/ChangeLog:
> 	* builtins.c (expand_builtin_strnlen): Detect, avoid expanding,
> 	and diagnose unterminated arrays.
> 
> gcc/testsuite/ChangeLog:
> 	* gcc.dg/warn-strnlen-no-nul.c: New.
This will have the same state and resolution as #2-#5.

jeff
Jeff Law Oct. 1, 2018, 9:48 p.m. UTC | #2 
On 8/13/18 3:29 PM, Martin Sebor wrote:
> The attached changes implement the detection of past-the-end reads
> by strncpy due to unterminated arguments and excessive bounds.
> 
> 
> gcc-86552-6.diff
> 
> PR tree-optimization/86552 - missing warning for reading past the end of non-string arrays
> 
> gcc/ChangeLog:
> 	* builtins.c (expand_builtin_strnlen): Detect, avoid expanding,
> 	and diagnose unterminated arrays.
> 
> gcc/testsuite/ChangeLog:
> 	* gcc.dg/warn-strnlen-no-nul.c: New.
So the changes to c_strlen's API allow us to simplify the changes you
made to unterminated_array.  Essentially we get to drop the code which
tears apart EXP before handing things off to c_strlen -- that's all
handled inside c_strlen/string_constant now.


c_strlen returns NULL for an unterminated array or anything it can't
handle.  So we check for NULL return value and a non-NULL data.decl to
see if we had an unterminated array.  We can get the length of the
unterminated string and the offset via the c_strlen_data we pass to
c_strlen in that case.

If the offset is a pure constant, then it will already be accounted for
in data->len.  So we no longer need to adjust it.  If the offset is
SSA_NAME + INTEGER_CST, we adjust the length by INTEGER_CST and bubble
up exact = false.


I think that summarizes the relatively minor changes I ended up making.

Bootstrapped and regression tested on x86_64.  Installing on the trunk.

Jeff
commit ab9a04daf8adffdb00fd085e6f217efeb42875ce
Author: Jeff Law <law@torsion.usersys.redhat.com>
Date:   Thu Aug 30 19:24:34 2018 -0400

            * builtins.c (unterminated_array): Add new arguments.
            If argument is not terminated, bubble up size and exact
            state to callers.
            (expand_builtin_strnlen): Detect, avoid expanding
            and diagnose unterminated arrays.
            (c_strlen): Fill in offset of start of unterminated strings.
            * builtins.h (unterminated_array): Update prototype.
    
            * gcc.dg/warn-strnlen-no-nul.c: New.

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index b43cc388fa8..05c6f558246 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,14 @@
+2018-10-01  Martin Sebor  <msebor@redhat.com>
+	    Jeff Law  <law@redhat.com>
+
+	* builtins.c (unterminated_array): Add new arguments.
+	If argument is not terminated, bubble up size and exact
+	state to callers.
+	(expand_builtin_strnlen): Detect, avoid expanding
+	and diagnose unterminated arrays.
+	(c_strlen): Fill in offset of start of unterminated strings.
+	* builtins.h (unterminated_array): Update prototype.
+
 2018-10-01  Carl Love  <cel@us.ibm.com>
 
 	PR 69431
diff --git a/gcc/builtins.c b/gcc/builtins.c
index fe411efd9a9..2cb1996dad3 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -565,15 +565,50 @@ warn_string_no_nul (location_t loc, const char *fn, tree arg, tree decl)
 
 /* If EXP refers to an unterminated constant character array return
    the declaration of the object of which the array is a member or
-   element.  Otherwise return null.  */
+   element and if SIZE is not null, set *SIZE to the size of
+   the unterminated array and set *EXACT if the size is exact or
+   clear it otherwise.  Otherwise return null.  */
 
 tree
-unterminated_array (tree exp)
+unterminated_array (tree exp, tree *size /* = NULL */, bool *exact /* = NULL */)
 {
+  /* C_STRLEN will return NULL and set DECL in the info
+     structure if EXP references a unterminated array.  */
   c_strlen_data data;
   memset (&data, 0, sizeof (c_strlen_data));
-  c_strlen (exp, 1, &data);
-  return data.decl;
+  tree len = c_strlen (exp, 1, &data);
+  if (len == NULL_TREE && data.len && data.decl)
+     {
+       if (size)
+	{
+	  len = data.len;
+	  if (data.off)
+	    {
+	      /* Constant offsets are already accounted for in data.len, but
+		 not in a SSA_NAME + CST expression.  */
+	      if (TREE_CODE (data.off) == INTEGER_CST)
+		*exact = true;
+	      else if (TREE_CODE (data.off) == PLUS_EXPR
+		       && TREE_CODE (TREE_OPERAND (data.off, 1)) == INTEGER_CST)
+		{
+		  /* Subtract the offset from the size of the array.  */
+		  *exact = false;
+		  tree temp = TREE_OPERAND (data.off, 1);
+		  temp = fold_convert (ssizetype, temp);
+		  len = fold_build2 (MINUS_EXPR, ssizetype, len, temp);
+		}
+	      else
+		*exact = false;
+	    }
+	  else
+	    *exact = true;
+
+	  *size = len;
+	}
+       return data.decl;
+     }
+
+  return NULL_TREE;
 }
 
 /* Compute the length of a null-terminated character string or wide
@@ -685,6 +720,7 @@ c_strlen (tree src, int only_value, c_strlen_data *data, unsigned eltsize)
       else if (len >= maxelts)
 	{
 	  data->decl = decl;
+	  data->off = byteoff;
 	  data->len = ssize_int (len);
 	  return NULL_TREE;
 	}
@@ -755,6 +791,7 @@ c_strlen (tree src, int only_value, c_strlen_data *data, unsigned eltsize)
   if (len >= maxelts - eltoff)
     {
       data->decl = decl;
+      data->off = byteoff;
       data->len = ssize_int (len);
       return NULL_TREE;
     }
@@ -3037,9 +3074,11 @@ expand_builtin_strnlen (tree exp, rtx target, machine_mode target_mode)
   tree maxobjsize = max_object_size ();
   tree func = get_callee_fndecl (exp);
 
-  tree len = c_strlen (src, 0);
   /* FIXME: Change c_strlen() to return sizetype instead of ssizetype
      so these conversions aren't necessary.  */
+  c_strlen_data data;
+  memset (&data, 0, sizeof (c_strlen_data));
+  tree len = c_strlen (src, 0, &data, 1);
   if (len)
     len = fold_convert_loc (loc, TREE_TYPE (bound), len);
 
@@ -3053,7 +3092,43 @@ expand_builtin_strnlen (tree exp, rtx target, machine_mode target_mode)
 			 exp, func, bound, maxobjsize))
 	  TREE_NO_WARNING (exp) = true;
 
+      bool exact = true;
       if (!len || TREE_CODE (len) != INTEGER_CST)
+	{
+	  /* Clear EXACT if LEN may be less than SRC suggests,
+	     such as in
+	       strnlen (&a[i], sizeof a)
+	     where the value of i is unknown.  Unless i's value is
+	     zero, the call is unsafe because the bound is greater. */
+	  data.decl = unterminated_array (src, &len, &exact);
+	  if (!data.decl)
+	    return NULL_RTX;
+	}
+
+      if (data.decl
+	  && !TREE_NO_WARNING (exp)
+	  && ((tree_int_cst_lt (len, bound))
+	      || !exact))
+	{
+	  location_t warnloc
+	    = expansion_point_location_if_in_system_header (loc);
+
+	  if (warning_at (warnloc, OPT_Wstringop_overflow_,
+			  exact
+			  ? G_("%K%qD specified bound %E exceeds the size %E "
+			       "of unterminated array")
+			  : G_("%K%qD specified bound %E may exceed the size "
+			       "of at most %E of unterminated array"),
+			  exp, func, bound, len))
+	    {
+	      inform (DECL_SOURCE_LOCATION (data.decl),
+		      "referenced argument declared here");
+	      TREE_NO_WARNING (exp) = true;
+	      return NULL_RTX;
+	    }
+	}
+
+      if (!len)
 	return NULL_RTX;
 
       len = fold_build2_loc (loc, MIN_EXPR, size_type_node, len, bound);
@@ -3079,6 +3154,18 @@ expand_builtin_strnlen (tree exp, rtx target, machine_mode target_mode)
   if (!len || TREE_CODE (len) != INTEGER_CST)
     return NULL_RTX;
 
+  if (!TREE_NO_WARNING (exp)
+      && wi::ltu_p (wi::to_wide (len), min)
+      && warning_at (loc, OPT_Wstringop_overflow_,
+		     "%K%qD specified bound [%wu, %wu] "
+		     "exceeds the size %E of unterminated array",
+		     exp, func, min.to_uhwi (), max.to_uhwi (), len))
+    {
+      inform (DECL_SOURCE_LOCATION (data.decl),
+	      "referenced argument declared here");
+      TREE_NO_WARNING (exp) = true;
+    }
+
   if (wi::gtu_p (min, wi::to_wide (len)))
     return expand_expr (len, target, target_mode, EXPAND_NORMAL);
 
diff --git a/gcc/builtins.h b/gcc/builtins.h
index 3801251f372..cf4f9b1b264 100644
--- a/gcc/builtins.h
+++ b/gcc/builtins.h
@@ -111,7 +111,7 @@ extern internal_fn associated_internal_fn (tree);
 extern internal_fn replacement_internal_fn (gcall *);
 
 extern void warn_string_no_nul (location_t, const char *, tree, tree);
-extern tree unterminated_array (tree);
+extern tree unterminated_array (tree, tree * = NULL, bool * = NULL);
 extern tree max_object_size ();
 
 #endif /* GCC_BUILTINS_H */
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index f322cc56caa..3a906bff938 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,7 @@
+2018-10-01  Martin Sebor  <msebor@redhat.com>
+
+	* gcc.dg/warn-strnlen-no-nul.c: New.
+
 2018-10-01  Carl Love  <cel@us.ibm.com>
 
 	PR 69431
diff --git a/gcc/testsuite/gcc.dg/warn-strnlen-no-nul.c b/gcc/testsuite/gcc.dg/warn-strnlen-no-nul.c
new file mode 100644
index 00000000000..09a527ea337
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/warn-strnlen-no-nul.c
@@ -0,0 +1,356 @@
+/* PR tree-optimization/86552 - missing warning for reading past the end
+   of non-string arrays
+   { dg-do compile }
+   { dg-options "-O2 -Wall -ftrack-macro-expansion=0" } */
+
+typedef __SIZE_TYPE__ size_t;
+extern size_t strnlen (const char*, size_t);
+
+const char a[5] = "12345";   /* { dg-message "declared here" } */
+enum { asz = sizeof a };
+
+int v0 = 0;
+int v1 = 1;
+
+void sink (int, ...);
+
+#define CONCAT(a, b)   a ## b
+#define CAT(a, b)      CONCAT(a, b)
+
+#define T(str, n)					\
+  __attribute__ ((noipa))				\
+  void CAT (test_, __LINE__) (void) {			\
+    int i0 = 0, i1 = i0 + 1, i2 = i1 + 1, i3 = i2 + 1;	\
+    sink (strnlen (str, n), i0, i1, i2, i3);		\
+  } typedef void dummy_type
+
+T (a, asz);
+T (a, asz - 1);
+T (a, asz - 2);
+T (a, asz - 5);
+T (&a[0], asz);
+T (&a[0] + 1, asz);            /* { dg-warning "specified bound 5 exceeds the size 4 of unterminated array" } */
+T (&a[1], asz);                /* { dg-warning "specified bound 5 exceeds the size 4 of unterminated array" } */
+T (&a[1], asz - 1);
+T (&a[v0], asz);               /* { dg-warning "specified bound 5 may exceed the size of at most 5 of unterminated array" } */
+T (&a[v0] + 1, asz);           /* { dg-warning "specified bound 5 may exceed the size of at most 5 of unterminated array" } */
+
+T (a, asz + 1);                /* { dg-warning "specified bound 6 exceeds the size 5 " } */
+T (&a[0], asz + 1);            /* { dg-warning "unterminated" } */
+T (&a[0] + 1, asz - 1);
+T (&a[0] + 1, asz + 1);        /* { dg-warning "unterminated" } */
+T (&a[1], asz + 1);            /* { dg-warning "unterminated" } */
+T (&a[v0], asz + 1);           /* { dg-warning "unterminated" } */
+T (&a[v0] + 1, asz + 1);       /* { dg-warning "unterminated" } */
+
+
+const char b[][5] = { /* { dg-message "declared here" } */
+  "12", "123", "1234", "54321"
+};
+enum { bsz = sizeof b[0] };
+
+T (b[0], bsz);
+T (b[1], bsz);
+T (b[2], bsz);
+T (b[3], bsz);
+
+T (b[0], bsz - 1);
+T (b[1], bsz - 1);
+T (b[2], bsz - 1);
+T (b[3], bsz - 1);
+
+T (b[0], bsz + 1);
+T (b[1], bsz + 1);
+T (b[2], bsz + 1);
+T (b[3], bsz + 1);            /* { dg-warning "unterminated" } */
+
+T (b[i0], bsz);
+T (b[i1], bsz);
+T (b[i2], bsz);
+T (b[i3], bsz);
+
+T (b[i0], bsz + 1);
+T (b[i1], bsz + 1);
+T (b[i2], bsz + 1);
+T (b[i3], bsz + 1);           /* { dg-warning "unterminated" } */
+
+T (b[v0], bsz);
+T (b[v0], bsz + 1);
+
+T (&b[i2][i1], bsz);
+T (&b[i2][i1] + i1, bsz);
+T (&b[i2][v0], bsz);
+T (&b[i2][i1] + v0, bsz);
+
+T (&b[i2][i1], bsz + 1);
+T (&b[i2][i1] + i1, bsz + 1);
+T (&b[i2][v0], bsz + 1);
+T (&b[i2][i1] + v0, bsz + 1);
+
+T (&b[2][1], bsz);
+T (&b[2][1] + i1, bsz);
+T (&b[2][i0], bsz);
+T (&b[2][1] + i0, bsz);
+T (&b[2][1] + v0, bsz);
+T (&b[2][v0], bsz);
+
+T (&b[2][1], bsz + 1);
+T (&b[2][1] + i1, bsz + 1);
+T (&b[2][i0], bsz + 1);
+T (&b[2][1] + i0, bsz + 1);
+T (&b[2][1] + v0, bsz + 1);
+T (&b[2][v0], bsz + 1);
+
+T (&b[3][1], bsz);                /* { dg-warning "unterminated" } */
+T (&b[3][1], bsz - 1);
+T (&b[3][1] + 1, bsz);            /* { dg-warning "unterminated" } */
+T (&b[3][1] + 1, bsz - 1);        /* { dg-warning "unterminated" } */
+T (&b[3][1] + 1, bsz - 2);
+T (&b[3][1] + i1, bsz);           /* { dg-warning "unterminated" } */
+T (&b[3][1] + i1, bsz - i1);      /* { dg-warning "unterminated" } */
+T (&b[3][1] + i1, bsz - i2);
+T (&b[3][v0], bsz);
+T (&b[3][1] + v0, bsz);           /* { dg-warning "specified bound 5 may exceed the size of at most 4 of unterminated array" } */
+T (&b[3][v0] + v1, bsz);          /* { dg-warning "specified bound 5 may exceed the size of at most 4 of unterminated array" "pr?????" { xfail *-*-* } } */
+
+T (&b[3][1], bsz + 1);            /* { dg-warning "unterminated" } */
+T (&b[3][1] + 1, bsz + 1);        /* { dg-warning "unterminated" } */
+T (&b[3][1] + i1, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&b[3][v0], bsz + 1);           /* { dg-warning "unterminated" "pr86936" { xfail *-*-* } } */
+T (&b[3][1] + v0, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&b[3][v0] + v1, bsz + 1);      /* { dg-warning "unterminated" "pr86936" { xfail *-*-* } } */
+
+T (&b[i3][i1], bsz);              /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + 1, bsz);          /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + i1, bsz);         /* { dg-warning "specified bound 5 exceeds the size 3 of unterminated array" } */
+T (&b[i3][v0], bsz);
+T (&b[i3][i1] + v0, bsz);         /* { dg-warning "specified bound 5 may exceed the size of at most 4 of unterminated array" } */
+T (&b[i3][v0] + v1, bsz);
+
+T (&b[i3][i1], bsz + 1);          /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + 1, bsz + 1);      /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + i1, bsz + 1);     /* { dg-warning "unterminated" } */
+T (&b[i3][v0], bsz + 1);          /* { dg-warning "unterminated" "pr86919" { xfail *-*-* } } */
+T (&b[i3][i1] + v0, bsz + 1);     /* { dg-warning "unterminated" } */
+T (&b[i3][v0] + v1, bsz + 1);     /* { dg-warning "unterminated" "pr86919" { xfail *-*-* } } */
+
+T (v0 ? "" : b[0], bsz);
+T (v0 ? "" : b[1], bsz);
+T (v0 ? "" : b[2], bsz);
+T (v0 ? "" : b[3], bsz);
+T (v0 ? b[0] : "", bsz);
+T (v0 ? b[1] : "", bsz);
+T (v0 ? b[2] : "", bsz);
+T (v0 ? b[3] : "", bsz);
+
+T (v0 ? "" : b[0], bsz + 1);
+T (v0 ? "" : b[1], bsz + 1);
+T (v0 ? "" : b[2], bsz + 1);
+T (v0 ? "" : b[3], bsz + 1);      /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[0] : "", bsz + 1);
+T (v0 ? b[1] : "", bsz + 1);
+T (v0 ? b[2] : "", bsz + 1);
+T (v0 ? b[3] : "", bsz + 1);      /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+T (v0 ? "" : b[i0], bsz);
+T (v0 ? "" : b[i1], bsz);
+T (v0 ? "" : b[i2], bsz);
+T (v0 ? "" : b[i3], bsz);
+T (v0 ? b[i0] : "", bsz);
+T (v0 ? b[i1] : "", bsz);
+T (v0 ? b[i2] : "", bsz);
+T (v0 ? b[i3] : "", bsz);
+
+T (v0 ? "" : b[i0], bsz + 1);
+T (v0 ? "" : b[i1], bsz + 1);
+T (v0 ? "" : b[i2], bsz + 1);
+T (v0 ? "" : b[i3], bsz + 1);     /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[i0] : "", bsz + 1);
+T (v0 ? b[i1] : "", bsz + 1);
+T (v0 ? b[i2] : "", bsz + 1);
+T (v0 ? b[i3] : "", bsz + 1);     /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+T (v0 ? "1234" : b[3], bsz);
+T (v0 ? "1234" : b[i3], bsz);
+T (v0 ? b[3] : "1234", bsz);
+T (v0 ? b[i3] : "1234", bsz);
+
+T (v0 ? a : b[3], bsz);
+T (v0 ? b[0] : b[2], bsz);
+T (v0 ? b[2] : b[3], bsz);
+T (v0 ? b[3] : b[2], bsz);
+
+T (v0 ? "1234" : b[3], bsz + 1);  /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? "1234" : b[i3], bsz + 1); /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[3] : "1234", bsz + 1);  /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[i3] : "1234", bsz + 1); /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+T (v0 ? a : b[3], bsz + 1);       /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[0] : b[2], bsz + 1);
+T (v0 ? b[2] : b[3], bsz + 1);    /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[3] : b[2], bsz + 1);    /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+struct A { char a[5], b[5]; };
+
+const struct A s = { "1234", "12345" };
+
+T (s.a, asz);
+T (&s.a[0], asz);
+T (&s.a[0] + 1, asz);
+T (&s.a[0] + v0, asz);
+T (&s.a[1], asz);
+T (&s.a[1] + 1, asz);
+T (&s.a[1] + v0, asz);
+
+T (&s.a[i0], asz);
+T (&s.a[i0] + i1, asz);
+T (&s.a[i0] + v0, asz);
+T (&s.a[i1], asz);
+T (&s.a[i1] + i1, asz);
+T (&s.a[i1] + v0, asz);
+
+T (s.a, asz + 1);
+T (&s.a[0], asz + 1);
+T (&s.a[0] + 1, asz + 1);
+T (&s.a[0] + v0, asz + 1);
+T (&s.a[1], asz + 1);
+T (&s.a[1] + 1, asz + 1);
+T (&s.a[1] + v0, asz + 1);
+
+T (&s.a[i0], asz + 1);
+T (&s.a[i0] + i1, asz + 1);
+T (&s.a[i0] + v0, asz + 1);
+T (&s.a[i1], asz + 1);
+T (&s.a[i1] + i1, asz + 1);
+T (&s.a[i1] + v0, asz + 1);
+
+T (s.b, bsz);
+T (&s.b[0], bsz);
+T (&s.b[0] + 1, bsz);             /* { dg-warning "unterminated" } */
+T (&s.b[0] + v0, bsz);            /* { dg-warning "unterminated" } */
+T (&s.b[1], bsz);                 /* { dg-warning "unterminated" } */
+T (&s.b[1] + 1, bsz);             /* { dg-warning "unterminated" } */
+T (&s.b[1] + v0, bsz);            /* { dg-warning "unterminated" } */
+
+T (&s.b[i0], bsz);
+T (&s.b[i0] + i1, bsz);           /* { dg-warning "unterminated" } */
+T (&s.b[i0] + v0, bsz);           /* { dg-warning "unterminated" } */
+T (&s.b[i1], bsz);                /* { dg-warning "unterminated" } */
+T (&s.b[i1] + i1, bsz);           /* { dg-warning "unterminated" } */
+T (&s.b[i1] + v0, bsz);           /* { dg-warning "unterminated" } */
+
+T (s.b, bsz + 1);                 /* { dg-warning "unterminated" } */
+T (&s.b[0], bsz + 1);             /* { dg-warning "unterminated" } */
+T (&s.b[0] + 1, bsz + 1);         /* { dg-warning "unterminated" } */
+T (&s.b[0] + v0, bsz + 1);        /* { dg-warning "unterminated" } */
+T (&s.b[1], bsz + 1);             /* { dg-warning "unterminated" } */
+T (&s.b[1] + 1, bsz + 1);         /* { dg-warning "unterminated" } */
+T (&s.b[1] + v0, bsz + 1);        /* { dg-warning "unterminated" } */
+
+T (&s.b[i0], bsz + 1);            /* { dg-warning "unterminated" } */
+T (&s.b[i0] + i1, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&s.b[i0] + v0, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&s.b[i1], bsz + 1);            /* { dg-warning "unterminated" } */
+T (&s.b[i1] + i1, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&s.b[i1] + v0, bsz + 1);       /* { dg-warning "unterminated" } */
+
+struct B { struct A a[2]; };
+
+const struct B ba[] = {
+  { { { "123", "12345" }, { "12345", "123" } } },
+  { { { "12345", "123" }, { "123", "12345" } } },
+  { { { "1", "12" },      { "123", "1234" } } },
+  { { { "123", "1234" },  { "12345", "12" } } }
+};
+
+T (ba[0].a[0].a, asz + 1);
+T (&ba[0].a[0].a[0], asz + 1);
+T (&ba[0].a[0].a[0] + 1, asz + 1);
+T (&ba[0].a[0].a[0] + v0, asz + 1);
+T (&ba[0].a[0].a[1], asz + 1);
+T (&ba[0].a[0].a[1] + 1, asz + 1);
+T (&ba[0].a[0].a[1] + v0, asz + 1);
+
+T (ba[0].a[0].b, bsz);
+T (&ba[0].a[0].b[0], bsz);
+T (&ba[0].a[0].b[0] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0] + 1, bsz - 1);
+T (&ba[0].a[0].b[0] + v0, bsz);       /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1], bsz);            /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1], bsz - 1);
+T (&ba[0].a[0].b[1] + 1, bsz - 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + 1, bsz - 2);
+T (&ba[0].a[0].b[1] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + v0, bsz);       /* { dg-warning "unterminated" } */
+
+T (ba[0].a[0].b, bsz + 1);            /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0], bsz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0] + 1, bsz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0] + v0, bsz + 1);   /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1], bsz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + 1, bsz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + v0, bsz + 1);   /* { dg-warning "unterminated" } */
+
+T (ba[0].a[1].a, asz + 1);            /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[0], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[0] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[0] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[1], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[1] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[1] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+
+T (ba[0].a[1].b, bsz + 1);
+T (&ba[0].a[1].b[0], bsz + 1);
+T (&ba[0].a[1].b[0] + 1, bsz + 1);
+T (&ba[0].a[1].b[0] + v0, bsz + 1);
+T (&ba[0].a[1].b[1], bsz + 1);
+T (&ba[0].a[1].b[1] + 1, bsz + 1);
+T (&ba[0].a[1].b[1] + v0, bsz + 1);
+
+T (ba[1].a[0].a, asz);
+T (&ba[1].a[0].a[0], asz);
+T (&ba[1].a[0].a[0] + 1, asz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0] + v0, asz);       /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1], asz);            /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + 1, asz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + v0, asz);       /* { dg-warning "unterminated" } */
+
+T (ba[1].a[0].a, asz + 1);            /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+
+T (ba[1].a[0].b, bsz);
+T (&ba[1].a[0].b[0], bsz);
+T (&ba[1].a[0].b[0] + 1, bsz);
+T (&ba[1].a[0].b[0] + v0, bsz);
+T (&ba[1].a[0].b[1], bsz);
+T (&ba[1].a[0].b[1] + 1, bsz);
+T (&ba[1].a[0].b[1] + v0, bsz);
+
+T (ba[1].a[1].a, asz);
+T (&ba[1].a[1].a[0], asz);
+T (&ba[1].a[1].a[0] + 1, asz);
+T (&ba[1].a[1].a[0] + v0, asz);
+T (&ba[1].a[1].a[1], asz);
+T (&ba[1].a[1].a[1] + 1, asz);
+T (&ba[1].a[1].a[1] + v0, asz);
+
+T (ba[1].a[1].b, bsz);
+T (&ba[1].a[1].b[0], bsz);
+T (&ba[1].a[1].b[0] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[0] + 1, bsz - 1);
+T (&ba[1].a[1].b[0] + v0, bsz);       /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1], bsz);            /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1], bsz - 1);
+T (&ba[1].a[1].b[1] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1] + 1, bsz - 1);    /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1] + 1, bsz - 2);
+T (&ba[1].a[1].b[1] + 1, bsz - i2);
+T (&ba[1].a[1].b[1] + v0, bsz);       /* { dg-warning "unterminated" } */
+
+/* Prune out warnings with no location (pr?????).
+   { dg-prune-output "cc1:" } */
diff mbox series

Patch

PR tree-optimization/86552 - missing warning for reading past the end of non-string arrays

gcc/ChangeLog:
	* builtins.c (expand_builtin_strnlen): Detect, avoid expanding,
	and diagnose unterminated arrays.

gcc/testsuite/ChangeLog:
	* gcc.dg/warn-strnlen-no-nul.c: New.

diff --git a/gcc/builtins.c b/gcc/builtins.c
index 2f493d3..46df2ea 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -582,11 +582,16 @@  warn_string_no_nul (location_t loc, tree exp, tree fndecl, tree nonstr)
 
 /* If EXP refers to an unterminated constant character array return
    the declaration of the object of which the array is a member or
-   element.  Otherwise return null.  */
+   element and if SIZE is not null, set *SIZE to the size of
+   the unterminated array and set *EXACT if the size is exact or
+   clear it otherwise.  Otherwise return null.  */
 
 tree
-unterminated_array (tree exp)
+unterminated_array (tree exp, tree *size /* = NULL */, bool *exact /* = NULL */)
 {
+  /* Offset from the beginning of the array or null.  */
+  tree off = NULL_TREE;
+
   if (TREE_CODE (exp) == SSA_NAME)
     {
       gimple *stmt = SSA_NAME_DEF_STMT (exp);
@@ -595,18 +600,43 @@  unterminated_array (tree exp)
 
       tree rhs1 = gimple_assign_rhs1 (stmt);
       tree_code code = gimple_assign_rhs_code (stmt);
-      if (code == ADDR_EXPR
-	  && TREE_CODE (TREE_OPERAND (rhs1, 0)) == ARRAY_REF)
-	rhs1 = rhs1;
-      else if (code != POINTER_PLUS_EXPR)
+      if ((code == ADDR_EXPR
+	   && TREE_CODE (TREE_OPERAND (rhs1, 0)) == ARRAY_REF)
+	  || code == POINTER_PLUS_EXPR)
+	{
+	  /* Store the index or offset.  */
+	  off = gimple_assign_rhs2 (stmt);
+	  exp = rhs1;
+	}
+      else
 	return NULL_TREE;
-
-      exp = rhs1;
     }
 
   tree nonstr;
-  if (c_strlen (exp, 1, &nonstr) && nonstr)
-    return nonstr;
+  tree len = c_strlen (exp, 1, &nonstr);
+  if (len && nonstr)
+    {
+      if (size)
+	{
+	  if (off)
+	    {
+	      if (TREE_CODE (off) == INTEGER_CST)
+		{
+		  /* Subtract the offset from the size of the array.  */
+		  *exact = true;
+		  off = fold_convert (ssizetype, off);
+		  len = fold_build2 (MINUS_EXPR, ssizetype, len, off);
+		}
+	      else
+		*exact = false;
+	    }
+	  else
+	    *exact = true;
+
+	  *size = len;
+	}
+      return nonstr;
+    }
 
   return NULL_TREE;
 }
@@ -3068,7 +3098,8 @@  expand_builtin_strnlen (tree exp, rtx target, machine_mode target_mode)
   tree maxobjsize = max_object_size ();
   tree func = get_callee_fndecl (exp);
 
-  tree len = c_strlen (src, 0);
+  tree nonstr;
+  tree len = c_strlen (src, 0, &nonstr);
 
   if (TREE_CODE (bound) == INTEGER_CST)
     {
@@ -3080,8 +3111,41 @@  expand_builtin_strnlen (tree exp, rtx target, machine_mode target_mode)
 			 exp, func, bound, maxobjsize))
 	  TREE_NO_WARNING (exp) = true;
 
+      bool exact = true;
       if (!len || TREE_CODE (len) != INTEGER_CST)
-	return NULL_RTX;
+	{
+	  /* Clear EXACT if LEN may be less than SRC suggests,
+	     such as in
+	       strnlen (&a[i], sizeof a)
+	     where the value of i is unknown.  Unless i's value is
+	     zero, the call is unsafe because the bound is greater. */
+	  nonstr = unterminated_array (src, &len, &exact);
+	  if (!nonstr)
+	    return NULL_RTX;
+	}
+
+      if (nonstr
+	  && !TREE_NO_WARNING (exp)
+	  && (tree_int_cst_lt (len, bound)
+	      || !exact))
+	{
+	  location_t warnloc
+	    = expansion_point_location_if_in_system_header (loc);
+
+	  if (warning_at (warnloc, OPT_Wstringop_overflow_,
+			  exact
+			  ? G_("%K%qD specified bound %E exceeds the size %E "
+			       "of unterminated array")
+			  : G_("%K%qD specified bound %E may exceed the size "
+			       "of at most %E of unterminated array"),
+			  exp, func, bound, len))
+	    {
+	      inform (DECL_SOURCE_LOCATION (nonstr),
+		      "referenced argument declared here");
+	      TREE_NO_WARNING (exp) = true;
+	      return NULL_RTX;
+	    }
+	}
 
       len = fold_convert_loc (loc, size_type_node, len);
       len = fold_build2_loc (loc, MIN_EXPR, size_type_node, len, bound);
@@ -3107,6 +3171,18 @@  expand_builtin_strnlen (tree exp, rtx target, machine_mode target_mode)
   if (!len || TREE_CODE (len) != INTEGER_CST)
     return NULL_RTX;
 
+  if (!TREE_NO_WARNING (exp)
+      && wi::ltu_p (wi::to_wide (len), min)
+      && warning_at (loc, OPT_Wstringop_overflow_,
+		     "%K%qD specified bound [%wu, %wu] "
+		     "exceeds the size %E of unterminated array",
+		     exp, func, min.to_uhwi (), max.to_uhwi (), len))
+    {
+      inform (DECL_SOURCE_LOCATION (nonstr),
+	      "referenced argument declared here");
+      TREE_NO_WARNING (exp) = true;
+    }
+
   if (wi::gtu_p (min, wi::to_wide (len)))
     return expand_expr (len, target, target_mode, EXPAND_NORMAL);
 
diff --git a/gcc/builtins.h b/gcc/builtins.h
index f722dd8..c55fa6b 100644
--- a/gcc/builtins.h
+++ b/gcc/builtins.h
@@ -103,7 +103,7 @@  extern bool target_char_cst_p (tree t, char *p);
 
 extern internal_fn associated_internal_fn (tree);
 extern internal_fn replacement_internal_fn (gcall *);
-extern tree unterminated_array (tree);
+extern tree unterminated_array (tree, tree * = NULL, bool * = NULL);
 extern void warn_string_no_nul (location_t, tree, tree, tree);
 extern tree max_object_size ();
 
diff --git a/gcc/testsuite/gcc.dg/warn-strnlen-no-nul.c b/gcc/testsuite/gcc.dg/warn-strnlen-no-nul.c
new file mode 100644
index 0000000..09a527e
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/warn-strnlen-no-nul.c
@@ -0,0 +1,356 @@ 
+/* PR tree-optimization/86552 - missing warning for reading past the end
+   of non-string arrays
+   { dg-do compile }
+   { dg-options "-O2 -Wall -ftrack-macro-expansion=0" } */
+
+typedef __SIZE_TYPE__ size_t;
+extern size_t strnlen (const char*, size_t);
+
+const char a[5] = "12345";   /* { dg-message "declared here" } */
+enum { asz = sizeof a };
+
+int v0 = 0;
+int v1 = 1;
+
+void sink (int, ...);
+
+#define CONCAT(a, b)   a ## b
+#define CAT(a, b)      CONCAT(a, b)
+
+#define T(str, n)					\
+  __attribute__ ((noipa))				\
+  void CAT (test_, __LINE__) (void) {			\
+    int i0 = 0, i1 = i0 + 1, i2 = i1 + 1, i3 = i2 + 1;	\
+    sink (strnlen (str, n), i0, i1, i2, i3);		\
+  } typedef void dummy_type
+
+T (a, asz);
+T (a, asz - 1);
+T (a, asz - 2);
+T (a, asz - 5);
+T (&a[0], asz);
+T (&a[0] + 1, asz);            /* { dg-warning "specified bound 5 exceeds the size 4 of unterminated array" } */
+T (&a[1], asz);                /* { dg-warning "specified bound 5 exceeds the size 4 of unterminated array" } */
+T (&a[1], asz - 1);
+T (&a[v0], asz);               /* { dg-warning "specified bound 5 may exceed the size of at most 5 of unterminated array" } */
+T (&a[v0] + 1, asz);           /* { dg-warning "specified bound 5 may exceed the size of at most 5 of unterminated array" } */
+
+T (a, asz + 1);                /* { dg-warning "specified bound 6 exceeds the size 5 " } */
+T (&a[0], asz + 1);            /* { dg-warning "unterminated" } */
+T (&a[0] + 1, asz - 1);
+T (&a[0] + 1, asz + 1);        /* { dg-warning "unterminated" } */
+T (&a[1], asz + 1);            /* { dg-warning "unterminated" } */
+T (&a[v0], asz + 1);           /* { dg-warning "unterminated" } */
+T (&a[v0] + 1, asz + 1);       /* { dg-warning "unterminated" } */
+
+
+const char b[][5] = { /* { dg-message "declared here" } */
+  "12", "123", "1234", "54321"
+};
+enum { bsz = sizeof b[0] };
+
+T (b[0], bsz);
+T (b[1], bsz);
+T (b[2], bsz);
+T (b[3], bsz);
+
+T (b[0], bsz - 1);
+T (b[1], bsz - 1);
+T (b[2], bsz - 1);
+T (b[3], bsz - 1);
+
+T (b[0], bsz + 1);
+T (b[1], bsz + 1);
+T (b[2], bsz + 1);
+T (b[3], bsz + 1);            /* { dg-warning "unterminated" } */
+
+T (b[i0], bsz);
+T (b[i1], bsz);
+T (b[i2], bsz);
+T (b[i3], bsz);
+
+T (b[i0], bsz + 1);
+T (b[i1], bsz + 1);
+T (b[i2], bsz + 1);
+T (b[i3], bsz + 1);           /* { dg-warning "unterminated" } */
+
+T (b[v0], bsz);
+T (b[v0], bsz + 1);
+
+T (&b[i2][i1], bsz);
+T (&b[i2][i1] + i1, bsz);
+T (&b[i2][v0], bsz);
+T (&b[i2][i1] + v0, bsz);
+
+T (&b[i2][i1], bsz + 1);
+T (&b[i2][i1] + i1, bsz + 1);
+T (&b[i2][v0], bsz + 1);
+T (&b[i2][i1] + v0, bsz + 1);
+
+T (&b[2][1], bsz);
+T (&b[2][1] + i1, bsz);
+T (&b[2][i0], bsz);
+T (&b[2][1] + i0, bsz);
+T (&b[2][1] + v0, bsz);
+T (&b[2][v0], bsz);
+
+T (&b[2][1], bsz + 1);
+T (&b[2][1] + i1, bsz + 1);
+T (&b[2][i0], bsz + 1);
+T (&b[2][1] + i0, bsz + 1);
+T (&b[2][1] + v0, bsz + 1);
+T (&b[2][v0], bsz + 1);
+
+T (&b[3][1], bsz);                /* { dg-warning "unterminated" } */
+T (&b[3][1], bsz - 1);
+T (&b[3][1] + 1, bsz);            /* { dg-warning "unterminated" } */
+T (&b[3][1] + 1, bsz - 1);        /* { dg-warning "unterminated" } */
+T (&b[3][1] + 1, bsz - 2);
+T (&b[3][1] + i1, bsz);           /* { dg-warning "unterminated" } */
+T (&b[3][1] + i1, bsz - i1);      /* { dg-warning "unterminated" } */
+T (&b[3][1] + i1, bsz - i2);
+T (&b[3][v0], bsz);
+T (&b[3][1] + v0, bsz);           /* { dg-warning "specified bound 5 may exceed the size of at most 4 of unterminated array" } */
+T (&b[3][v0] + v1, bsz);          /* { dg-warning "specified bound 5 may exceed the size of at most 4 of unterminated array" "pr?????" { xfail *-*-* } } */
+
+T (&b[3][1], bsz + 1);            /* { dg-warning "unterminated" } */
+T (&b[3][1] + 1, bsz + 1);        /* { dg-warning "unterminated" } */
+T (&b[3][1] + i1, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&b[3][v0], bsz + 1);           /* { dg-warning "unterminated" "pr86936" { xfail *-*-* } } */
+T (&b[3][1] + v0, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&b[3][v0] + v1, bsz + 1);      /* { dg-warning "unterminated" "pr86936" { xfail *-*-* } } */
+
+T (&b[i3][i1], bsz);              /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + 1, bsz);          /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + i1, bsz);         /* { dg-warning "specified bound 5 exceeds the size 3 of unterminated array" } */
+T (&b[i3][v0], bsz);
+T (&b[i3][i1] + v0, bsz);         /* { dg-warning "specified bound 5 may exceed the size of at most 4 of unterminated array" } */
+T (&b[i3][v0] + v1, bsz);
+
+T (&b[i3][i1], bsz + 1);          /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + 1, bsz + 1);      /* { dg-warning "unterminated" } */
+T (&b[i3][i1] + i1, bsz + 1);     /* { dg-warning "unterminated" } */
+T (&b[i3][v0], bsz + 1);          /* { dg-warning "unterminated" "pr86919" { xfail *-*-* } } */
+T (&b[i3][i1] + v0, bsz + 1);     /* { dg-warning "unterminated" } */
+T (&b[i3][v0] + v1, bsz + 1);     /* { dg-warning "unterminated" "pr86919" { xfail *-*-* } } */
+
+T (v0 ? "" : b[0], bsz);
+T (v0 ? "" : b[1], bsz);
+T (v0 ? "" : b[2], bsz);
+T (v0 ? "" : b[3], bsz);
+T (v0 ? b[0] : "", bsz);
+T (v0 ? b[1] : "", bsz);
+T (v0 ? b[2] : "", bsz);
+T (v0 ? b[3] : "", bsz);
+
+T (v0 ? "" : b[0], bsz + 1);
+T (v0 ? "" : b[1], bsz + 1);
+T (v0 ? "" : b[2], bsz + 1);
+T (v0 ? "" : b[3], bsz + 1);      /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[0] : "", bsz + 1);
+T (v0 ? b[1] : "", bsz + 1);
+T (v0 ? b[2] : "", bsz + 1);
+T (v0 ? b[3] : "", bsz + 1);      /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+T (v0 ? "" : b[i0], bsz);
+T (v0 ? "" : b[i1], bsz);
+T (v0 ? "" : b[i2], bsz);
+T (v0 ? "" : b[i3], bsz);
+T (v0 ? b[i0] : "", bsz);
+T (v0 ? b[i1] : "", bsz);
+T (v0 ? b[i2] : "", bsz);
+T (v0 ? b[i3] : "", bsz);
+
+T (v0 ? "" : b[i0], bsz + 1);
+T (v0 ? "" : b[i1], bsz + 1);
+T (v0 ? "" : b[i2], bsz + 1);
+T (v0 ? "" : b[i3], bsz + 1);     /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[i0] : "", bsz + 1);
+T (v0 ? b[i1] : "", bsz + 1);
+T (v0 ? b[i2] : "", bsz + 1);
+T (v0 ? b[i3] : "", bsz + 1);     /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+T (v0 ? "1234" : b[3], bsz);
+T (v0 ? "1234" : b[i3], bsz);
+T (v0 ? b[3] : "1234", bsz);
+T (v0 ? b[i3] : "1234", bsz);
+
+T (v0 ? a : b[3], bsz);
+T (v0 ? b[0] : b[2], bsz);
+T (v0 ? b[2] : b[3], bsz);
+T (v0 ? b[3] : b[2], bsz);
+
+T (v0 ? "1234" : b[3], bsz + 1);  /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? "1234" : b[i3], bsz + 1); /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[3] : "1234", bsz + 1);  /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[i3] : "1234", bsz + 1); /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+T (v0 ? a : b[3], bsz + 1);       /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[0] : b[2], bsz + 1);
+T (v0 ? b[2] : b[3], bsz + 1);    /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+T (v0 ? b[3] : b[2], bsz + 1);    /* { dg-warning "unterminated" "pr86937" { xfail *-*-* } } */
+
+struct A { char a[5], b[5]; };
+
+const struct A s = { "1234", "12345" };
+
+T (s.a, asz);
+T (&s.a[0], asz);
+T (&s.a[0] + 1, asz);
+T (&s.a[0] + v0, asz);
+T (&s.a[1], asz);
+T (&s.a[1] + 1, asz);
+T (&s.a[1] + v0, asz);
+
+T (&s.a[i0], asz);
+T (&s.a[i0] + i1, asz);
+T (&s.a[i0] + v0, asz);
+T (&s.a[i1], asz);
+T (&s.a[i1] + i1, asz);
+T (&s.a[i1] + v0, asz);
+
+T (s.a, asz + 1);
+T (&s.a[0], asz + 1);
+T (&s.a[0] + 1, asz + 1);
+T (&s.a[0] + v0, asz + 1);
+T (&s.a[1], asz + 1);
+T (&s.a[1] + 1, asz + 1);
+T (&s.a[1] + v0, asz + 1);
+
+T (&s.a[i0], asz + 1);
+T (&s.a[i0] + i1, asz + 1);
+T (&s.a[i0] + v0, asz + 1);
+T (&s.a[i1], asz + 1);
+T (&s.a[i1] + i1, asz + 1);
+T (&s.a[i1] + v0, asz + 1);
+
+T (s.b, bsz);
+T (&s.b[0], bsz);
+T (&s.b[0] + 1, bsz);             /* { dg-warning "unterminated" } */
+T (&s.b[0] + v0, bsz);            /* { dg-warning "unterminated" } */
+T (&s.b[1], bsz);                 /* { dg-warning "unterminated" } */
+T (&s.b[1] + 1, bsz);             /* { dg-warning "unterminated" } */
+T (&s.b[1] + v0, bsz);            /* { dg-warning "unterminated" } */
+
+T (&s.b[i0], bsz);
+T (&s.b[i0] + i1, bsz);           /* { dg-warning "unterminated" } */
+T (&s.b[i0] + v0, bsz);           /* { dg-warning "unterminated" } */
+T (&s.b[i1], bsz);                /* { dg-warning "unterminated" } */
+T (&s.b[i1] + i1, bsz);           /* { dg-warning "unterminated" } */
+T (&s.b[i1] + v0, bsz);           /* { dg-warning "unterminated" } */
+
+T (s.b, bsz + 1);                 /* { dg-warning "unterminated" } */
+T (&s.b[0], bsz + 1);             /* { dg-warning "unterminated" } */
+T (&s.b[0] + 1, bsz + 1);         /* { dg-warning "unterminated" } */
+T (&s.b[0] + v0, bsz + 1);        /* { dg-warning "unterminated" } */
+T (&s.b[1], bsz + 1);             /* { dg-warning "unterminated" } */
+T (&s.b[1] + 1, bsz + 1);         /* { dg-warning "unterminated" } */
+T (&s.b[1] + v0, bsz + 1);        /* { dg-warning "unterminated" } */
+
+T (&s.b[i0], bsz + 1);            /* { dg-warning "unterminated" } */
+T (&s.b[i0] + i1, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&s.b[i0] + v0, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&s.b[i1], bsz + 1);            /* { dg-warning "unterminated" } */
+T (&s.b[i1] + i1, bsz + 1);       /* { dg-warning "unterminated" } */
+T (&s.b[i1] + v0, bsz + 1);       /* { dg-warning "unterminated" } */
+
+struct B { struct A a[2]; };
+
+const struct B ba[] = {
+  { { { "123", "12345" }, { "12345", "123" } } },
+  { { { "12345", "123" }, { "123", "12345" } } },
+  { { { "1", "12" },      { "123", "1234" } } },
+  { { { "123", "1234" },  { "12345", "12" } } }
+};
+
+T (ba[0].a[0].a, asz + 1);
+T (&ba[0].a[0].a[0], asz + 1);
+T (&ba[0].a[0].a[0] + 1, asz + 1);
+T (&ba[0].a[0].a[0] + v0, asz + 1);
+T (&ba[0].a[0].a[1], asz + 1);
+T (&ba[0].a[0].a[1] + 1, asz + 1);
+T (&ba[0].a[0].a[1] + v0, asz + 1);
+
+T (ba[0].a[0].b, bsz);
+T (&ba[0].a[0].b[0], bsz);
+T (&ba[0].a[0].b[0] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0] + 1, bsz - 1);
+T (&ba[0].a[0].b[0] + v0, bsz);       /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1], bsz);            /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1], bsz - 1);
+T (&ba[0].a[0].b[1] + 1, bsz - 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + 1, bsz - 2);
+T (&ba[0].a[0].b[1] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + v0, bsz);       /* { dg-warning "unterminated" } */
+
+T (ba[0].a[0].b, bsz + 1);            /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0], bsz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0] + 1, bsz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[0] + v0, bsz + 1);   /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1], bsz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + 1, bsz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[0].b[1] + v0, bsz + 1);   /* { dg-warning "unterminated" } */
+
+T (ba[0].a[1].a, asz + 1);            /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[0], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[0] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[0] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[1], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[1] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[0].a[1].a[1] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+
+T (ba[0].a[1].b, bsz + 1);
+T (&ba[0].a[1].b[0], bsz + 1);
+T (&ba[0].a[1].b[0] + 1, bsz + 1);
+T (&ba[0].a[1].b[0] + v0, bsz + 1);
+T (&ba[0].a[1].b[1], bsz + 1);
+T (&ba[0].a[1].b[1] + 1, bsz + 1);
+T (&ba[0].a[1].b[1] + v0, bsz + 1);
+
+T (ba[1].a[0].a, asz);
+T (&ba[1].a[0].a[0], asz);
+T (&ba[1].a[0].a[0] + 1, asz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0] + v0, asz);       /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1], asz);            /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + 1, asz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + v0, asz);       /* { dg-warning "unterminated" } */
+
+T (ba[1].a[0].a, asz + 1);            /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[0] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1], asz + 1);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + 1, asz + 1);    /* { dg-warning "unterminated" } */
+T (&ba[1].a[0].a[1] + v0, asz + 1);   /* { dg-warning "unterminated" } */
+
+T (ba[1].a[0].b, bsz);
+T (&ba[1].a[0].b[0], bsz);
+T (&ba[1].a[0].b[0] + 1, bsz);
+T (&ba[1].a[0].b[0] + v0, bsz);
+T (&ba[1].a[0].b[1], bsz);
+T (&ba[1].a[0].b[1] + 1, bsz);
+T (&ba[1].a[0].b[1] + v0, bsz);
+
+T (ba[1].a[1].a, asz);
+T (&ba[1].a[1].a[0], asz);
+T (&ba[1].a[1].a[0] + 1, asz);
+T (&ba[1].a[1].a[0] + v0, asz);
+T (&ba[1].a[1].a[1], asz);
+T (&ba[1].a[1].a[1] + 1, asz);
+T (&ba[1].a[1].a[1] + v0, asz);
+
+T (ba[1].a[1].b, bsz);
+T (&ba[1].a[1].b[0], bsz);
+T (&ba[1].a[1].b[0] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[0] + 1, bsz - 1);
+T (&ba[1].a[1].b[0] + v0, bsz);       /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1], bsz);            /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1], bsz - 1);
+T (&ba[1].a[1].b[1] + 1, bsz);        /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1] + 1, bsz - 1);    /* { dg-warning "unterminated" } */
+T (&ba[1].a[1].b[1] + 1, bsz - 2);
+T (&ba[1].a[1].b[1] + 1, bsz - i2);
+T (&ba[1].a[1].b[1] + v0, bsz);       /* { dg-warning "unterminated" } */
+
+/* Prune out warnings with no location (pr?????).
+   { dg-prune-output "cc1:" } */
diff --git a/gcc/tree-ssa-strlen.c b/gcc/tree-ssa-strlen.c
index 1d813b4..b747c35 100644
--- a/gcc/tree-ssa-strlen.c
+++ b/gcc/tree-ssa-strlen.c
@@ -336,8 +336,12 @@  get_stridx (tree exp)
 	return idx;
     }
 
-  s = string_constant (exp, &o);
+  /* Set if EXP refers to a constant array that is not a nul-terminated
+     string, otherwise clear.  */
+  tree nonstr;
+  s = string_constant (exp, &o, &nonstr);
   if (s != NULL_TREE
+      && nonstr == NULL_TREE
       && (o == NULL_TREE || tree_fits_shwi_p (o))
       && TREE_STRING_LENGTH (s) > 0)
     {