https://gcc.gnu.org/bugzilla/show_bug.cgi?id=125604

--- Comment #7 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-16 branch has been updated by Martin Uecker
<[email protected]>:

https://gcc.gnu.org/g:de66874d48bbd0392fd2d29036c30c609ad0f709

commit r16-9228-gde66874d48bbd0392fd2d29036c30c609ad0f709
Author: Kees Cook <[email protected]>
Date:   Thu Jun 18 12:56:51 2026 -0700

    c: handle .ACCESS_WITH_SIZE in build_unary_op for !/+/- [PR125604]

    PR123569 fixed wrong code with the counted_by attribute on a pointer
    member by suppressing creation of the .ACCESS_WITH_SIZE wrapper in the
    parser's pre/post-increment paths, and added a checking assertion in
    build_unary_op to ensure no .ACCESS_WITH_SIZE call reaches it.

    The other rvalue-consuming unary operators (!, -, +) still
    rvalue-convert their operand via convert_lvalue_to_rvalue, which
    produces the .ACCESS_WITH_SIZE wrapper as before.  They then reach
    parser_build_unary_op then build_unary_op carrying the wrapper and
    trip the assertion.  A minimal reproducer:

      struct s {
        int n;
        char *p __attribute__((__counted_by__(n)));
      };
      int f (struct s *o) { return !o->p; }

    Unwrap the .ACCESS_WITH_SIZE call at the top of build_unary_op via
    get_ref_from_access_with_size.  These unary operators consume the
    pointer rvalue rather than the pointed-to data, so the bounds-checking
    wrapper is not load-bearing here.  The assertion is retained: after
    the unwrap it documents the post-condition the rest of the function
    relies on.

            PR c/125604

    gcc/c/ChangeLog:

            * c-typeck.cc (build_unary_op): Unwrap .ACCESS_WITH_SIZE
            from the operand before further processing.

    gcc/testsuite/ChangeLog:

            * gcc.dg/counted-by-unary.c: New test.

    (cherry picked from commit 1184375b0c7158b7a739489915724c08532d7b17)

Reply via email to