On Wed, Oct 30, 2013 at 11:56:25AM -0400, Jason Merrill wrote: > On 10/30/2013 10:52 AM, Marek Polacek wrote: > >+ if ((flag_sanitize & SANITIZE_VLA) > >+ && !processing_template_decl > > You don't need to check processing_template_decl; the template case > was already handled above.
Right, removed. > >+ tree x = cp_save_expr (size); > >+ x = build2 (COMPOUND_EXPR, TREE_TYPE (x), > >+ ubsan_instrument_vla (input_location, x), x); > >+ finish_expr_stmt (x); > > Saving 'size' here doesn't help since it's already been used above. > Could you use itype instead of size here? I already experimented with that and I think I can't, since we call the finish_expr_stmt too soon, which results in: int x = 1; int a[0:(sizetype) SAVE_EXPR <D.2143>]; <<cleanup_point int x = 1;>>; <<cleanup_point <<< Unknown tree: expr_stmt if (SAVE_EXPR <D.2143> <= 0) { __builtin___ubsan_handle_vla_bound_not_positive (&*.Lubsan_data0, (unsigned long) SAVE_EXPR <D.2143>); } else { 0 }, (void) SAVE_EXPR <D.2143>; >>>>>; ssizetype D.2143; <<cleanup_point <<< Unknown tree: expr_stmt (void) (D.2143 = (ssizetype) ++x + -1) >>>>>; and that ICEs in gimplify_var_or_parm_decl, presumably because the if (SAVE_EXPR <D.2143> <= 0) { ... } should be emitted *after* that cleanup_point. When we generated the C++1y check in cp_finish_decl, we emitted the check after the cleanup_point, and everything was OK. I admit I don't understand the cleanup_points very much and I don't know exactly where they are coming from, because normally I don't see them coming out of C FE. :) Thanks. Marek