[PATCH] D71714: [Sema] Fix -Warray-bounds false negative when casting an out-of-bounds array item

Richard Smith - zygoloid via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Jan 6 13:39:18 PST 2020


rsmith added inline comments.


================
Comment at: clang/lib/Sema/SemaChecking.cpp:13384
       case Stmt::MemberExprClass: {
         expr = cast<MemberExpr>(expr)->getBase();
         break;
----------------
ilya wrote:
> rsmith wrote:
> > Hmm, don't we need to do different things for dot and arrow in this case?
> There are several test cases for an out of bounds access on an array member using dot and arrow operators in array-bounds.cpp. Do you have a specific test case for which you think the code is broken?

Sure. There's a false negative for this:

```
struct A { int n; };
A *a[4];
int *n = &a[4]->n;
```

... because we incorrectly visit the left-hand side of the `->` with `AllowOnePastEnd == 1`. The left-hand side of `->` is subject to lvalue-to-rvalue conversion, so can't be one-past-the-end regardless of the context in which the `->` appears.


================
Comment at: clang/test/SemaCXX/array-bounds.cpp:331
+  Base baseArr[2]; // expected-note {{array 'baseArr' declared here}}
+  Derived *d1 = dynamic_cast<Derived *>(&baseArr[2]); // no warning for one-past-end element's address retrieval
+  Derived &d2 = dynamic_cast<Derived &>(baseArr[2]); // expected-warning {{array index 2 is past the end of the array (which contains 2 elements)}}
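Review bot: on the `baseArr` declaration, `expected-note` carries no count, so it is satisfied by exactly one "declared here" note, the one that accompanies the warning on the `d2` reference cast. If the pointer form `dynamic_cast<Derived *>(&baseArr[2])` is later made to warn, this has to become `expected-note 2 {{...}}`. Until then, the trailing comment "no warning for one-past-end element's address retrieval" reads as settled behaviour; wording it as a FIXME would keep the test from documenting a known gap as intended.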
----------------
This case should warn; `dynamic_cast` will access the object's vptr. Please at least add a FIXME.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D71714/new/

https://reviews.llvm.org/D71714
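
The dot/arrow distinction from the first inline comment, as an added example that is not part of the original message and is not Clang's code. It is a toy expression walk (`Kind`, `Expr`, `warns` and `arrowResetsContext` are assumed names) in which `->` either keeps the one-past-the-end allowance, as the quoted `MemberExprClass` case does, or clears it because the pointer operand is loaded.

```cpp
// Added illustration: a toy model of the walk under review, not Clang's code.
#include <cstdio>
#include <memory>
#include <utility>

enum class Kind { Array, Subscript, MemberDot, MemberArrow, AddrOf };

struct Expr {
    Kind kind;
    int value;                   // Array: element count; Subscript: constant index
    std::shared_ptr<Expr> base;  // operand (null for Array)
};
using ExprPtr = std::shared_ptr<Expr>;

ExprPtr make(Kind k, int v, ExprPtr base) {
    return std::make_shared<Expr>(Expr{k, v, std::move(base)});
}

// Returns true when the subscript reached from `root` would be diagnosed.
// arrowResetsContext=false mirrors the quoted case (every MemberExpr just walks to its base).
bool warns(const ExprPtr& root, bool arrowResetsContext) {
    int allowOnePastEnd = 0;
    for (const Expr* e = root.get(); e; e = e->base.get()) {
        switch (e->kind) {
        case Kind::AddrOf:    ++allowOnePastEnd; break;  // only an address is formed
        case Kind::MemberDot: break;                     // context carried through
        case Kind::MemberArrow:
            if (arrowResetsContext) allowOnePastEnd = 0; // pointer operand is loaded
            break;
        case Kind::Subscript: {
            int size = e->base->value;                   // toy: base is always an Array
            return e->value > size || (e->value == size && allowOnePastEnd <= 0);
        }
        case Kind::Array: return false;
        }
    }
    return false;
}

// Builds `&a[index]->n` for `A *a[size]` (the shape of the reported test case).
ExprPtr addrOfArrowMember(int size, int index) {
    return make(Kind::AddrOf, 0, make(Kind::MemberArrow, 0,
                make(Kind::Subscript, index, make(Kind::Array, size, nullptr))));
}

int main() {
    std::printf("&a[4]->n, context kept:  %d\n", warns(addrOfArrowMember(4, 4), false));
    std::printf("&a[4]->n, context reset: %d\n", warns(addrOfArrowMember(4, 4), true));
}
```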




