Re: [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds

Re: [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds

[Kees Cook]

On Sun, Jan 30, 2022 at 01:00:43AM +0000, ci_notify@linaro.org wrote:
> [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds:
> commit d4e0dad4a0cd00d1518f2105ccbfee17e2aa44a7
> Author: Kees Cook <keescook@chromium.org>
> 
>     Makefile: Enable -Warray-bounds
> [...]
> # 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]

Thanks for the report!

Would it be possible to include the "inlined from" details in the email
summaries? Just getting a header file doesn't say where a header-defined
inline is being used.

For example, extracting from the build log, I can see more:

> 00:00:53 In file included from ./include/linux/io.h:13,
> 00:00:53                  from arch/arm/mach-cns3xxx/pm.c:8:
> 00:00:53 In function ‘__raw_readl’,
> 00:00:53     inlined from ‘cns3xxx_pwr_clk_en’ at arch/arm/mach-cns3xxx/pm.c:17:12:
> 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]
> 00:00:53   113 |         asm volatile("ldr %0, %1"
> 00:00:53       |         ^~~

Looks like something sees a "void" type... this smells like a compiler
bug. I haven't been able to reproduce this warning yet.

> [...]
> git clone https://git.linaro.org/toolchain/jenkins-scripts
> 
> # Fetch manifests and test.sh script
> mkdir -p artifacts/manifests
> curl -o artifacts/manifests/build-baseline.sh https://ci.linaro.org/job/tcwg_kernel-gnu-bisect-gnu-master-arm-next-allmodconfig/45/artifact/artifacts/manifests/build-baseline.sh --fail
> curl -o artifacts/manifests/build-parameters.sh https://ci.linaro.org/job/tcwg_kernel-gnu-bisect-gnu-master-arm-next-allmodconfig/45/artifact/artifacts/manifests/build-parameters.sh --fail
> curl -o artifacts/test.sh https://ci.linaro.org/job/tcwg_kernel-gnu-bisect-gnu-master-arm-next-allmodconfig/45/artifact/artifacts/test.sh --fail
> chmod +x artifacts/test.sh
> 
> # Reproduce the baseline build (build all pre-requisites)
> ./jenkins-scripts/tcwg_kernel-build.sh @@ artifacts/manifests/build-baseline.sh

I couldn't find the compiler version anywhere in here. Could you include
the compiler and linker --version output in the build logs too?

Maybe something in tcwg_kernel-build.sh near here, to get either CC or
CROSS_COMPILE + HOSTCC and ld_opt's --version output:

    local opts
    opts="CC=$(pwd)/bin/${rr[target]}-cc $ld_opt SUBLEVEL=0 EXTRAVERSION=-bisect"
    if [ x"${rr[target]}" != x"$(uname -m)" ]; then
	opts="$opts ARCH=$(print_kernel_target ${rr[target]})"
	opts="$opts CROSS_COMPILE=$(print_gnu_target ${rr[target]})-"
	opts="$opts HOSTCC=gcc"
    fi

It looks like maybe this is built under Ubuntu bionic? Or maybe focal? I
don't see the warning with any GCC version I've tested with: 11.2.0
(impish), 10.3.0 (hirsute), 9.3.0 (focal), nor 7.5.0 (bionic).

Do you have some further hints about this?

Thanks!

-- 
Kees Cook

Re: [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds

[Arnd Bergmann]

On Mon, Jan 31, 2022 at 11:30 PM Kees Cook <keescook@chromium.org> wrote:
> On Sun, Jan 30, 2022 at 01:00:43AM +0000, ci_notify@linaro.org wrote:
>
> For example, extracting from the build log, I can see more:
>
> > 00:00:53 In file included from ./include/linux/io.h:13,
> > 00:00:53                  from arch/arm/mach-cns3xxx/pm.c:8:
> > 00:00:53 In function ‘__raw_readl’,
> > 00:00:53     inlined from ‘cns3xxx_pwr_clk_en’ at arch/arm/mach-cns3xxx/pm.c:17:12:
> > 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]
> > 00:00:53   113 |         asm volatile("ldr %0, %1"
> > 00:00:53       |         ^~~
>
> Looks like something sees a "void" type... this smells like a compiler
> bug. I haven't been able to reproduce this warning yet.

I suspect this is a variation of
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578

When gcc sees a pointer dereference of a literal address like *(int
*)(void *)0x1234000,
this is sometimes interpreted as a NULL pointer with an offset, which
in turn is
assumed to have zero bytes that can be dereferenced.

        Arnd

Re: [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds

[Kees Cook]

On Tue, Feb 01, 2022 at 08:17:50AM +0100, Arnd Bergmann wrote:
> On Mon, Jan 31, 2022 at 11:30 PM Kees Cook <keescook@chromium.org> wrote:
> > On Sun, Jan 30, 2022 at 01:00:43AM +0000, ci_notify@linaro.org wrote:
> >
> > For example, extracting from the build log, I can see more:
> >
> > > 00:00:53 In file included from ./include/linux/io.h:13,
> > > 00:00:53                  from arch/arm/mach-cns3xxx/pm.c:8:
> > > 00:00:53 In function ‘__raw_readl’,
> > > 00:00:53     inlined from ‘cns3xxx_pwr_clk_en’ at arch/arm/mach-cns3xxx/pm.c:17:12:
> > > 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]
> > > 00:00:53   113 |         asm volatile("ldr %0, %1"
> > > 00:00:53       |         ^~~
> >
> > Looks like something sees a "void" type... this smells like a compiler
> > bug. I haven't been able to reproduce this warning yet.
> 
> I suspect this is a variation of
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578
> 
> When gcc sees a pointer dereference of a literal address like *(int
> *)(void *)0x1234000,
> this is sometimes interpreted as a NULL pointer with an offset, which
> in turn is
> assumed to have zero bytes that can be dereferenced.

Eww.

I still can't reproduce this error myself. Any hints on compiler
versions?

-- 
Kees Cook

Re: [TCWG CI] Regression caused by linux: Makefile: Enable -Warray-bounds

[Arnd Bergmann]

On Tue, Feb 1, 2022 at 8:52 AM Kees Cook <keescook@chromium.org> wrote:
> On Tue, Feb 01, 2022 at 08:17:50AM +0100, Arnd Bergmann wrote:
> > On Mon, Jan 31, 2022 at 11:30 PM Kees Cook <keescook@chromium.org> wrote:
> > > On Sun, Jan 30, 2022 at 01:00:43AM +0000, ci_notify@linaro.org wrote:
> > >
> > > For example, extracting from the build log, I can see more:
> > >
> > > > 00:00:53 In file included from ./include/linux/io.h:13,
> > > > 00:00:53                  from arch/arm/mach-cns3xxx/pm.c:8:
> > > > 00:00:53 In function ‘__raw_readl’,
> > > > 00:00:53     inlined from ‘cns3xxx_pwr_clk_en’ at arch/arm/mach-cns3xxx/pm.c:17:12:
> > > > 00:00:53 ./arch/arm/include/asm/io.h:113:9: error: array subscript 0 is outside array bounds of ‘const volatile void[0]’ [-Werror=array-bounds]
> > > > 00:00:53   113 |         asm volatile("ldr %0, %1"
> > > > 00:00:53       |         ^~~
> > >
> > > Looks like something sees a "void" type... this smells like a compiler
> > > bug. I haven't been able to reproduce this warning yet.
> >
> > I suspect this is a variation of
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99578
> >
> > When gcc sees a pointer dereference of a literal address like *(int
> > *)(void *)0x1234000,
> > this is sometimes interpreted as a NULL pointer with an offset, which
> > in turn is
> > assumed to have zero bytes that can be dereferenced.
>
> Eww.
>
> I still can't reproduce this error myself. Any hints on compiler
> versions?

The godbolt.org link in my report shows this as reproducible with any
gcc-11.x version but not gcc-10 or earlier.

       Arnd