1154151 - [gcc 5.0] RegExpEngine.cpp:4605:48: error: array subscript is above array bounds [-Werror=array-bounds]

Status: RESOLVED DUPLICATE of bug 1153122

(Core :: JavaScript Engine, defect)

Description

[Mike Hommey [:glandium]]

While we're discussing in bug 1153122 the possibility of turning off this warning-as-error, it does seem, at cursory glance, this one is a real issue:

22:47:55 INFO - In file included from /builds/slave/try-l64-d-00000000000000000000/build/src/obj-firefox/js/src/Unified_cpp_js_src2.cpp:74:0:
22:47:55 INFO - /builds/slave/try-l64-d-00000000000000000000/build/src/js/src/irregexp/RegExpEngine.cpp: In member function 'virtual bool js::irregexp::TextNode::FillInBMInfo(int, int, js::irregexp::BoyerMooreLookahead*, bool)':
22:47:55 INFO - /builds/slave/try-l64-d-00000000000000000000/build/src/js/src/irregexp/RegExpEngine.cpp:4605:48: error: array subscript is above array bounds [-Werror=array-bounds]
22:47:55 INFO - bm->Set(offset, chars[j]);
22:47:55 INFO - ^
22:47:55 INFO - cc1plus: all warnings being treated as errors
22:47:55 INFO - gmake[5]: *** [Unified_cpp_js_src2.o] Error 1

Comment 1

[Chris Peterson [:cpeterson]]

This looks like a false positive to me:

- The chars array is 4 char16_ts long (kEcma262UnCanonicalizeMaxWidth: https://dxr.mozilla.org/mozilla-central/source/js/src/irregexp/RegExpEngine.cpp?from=GetCaseIndependentLetters#186

- Subscript j is less than length returned from GetCaseIndependentLetters().

- GetCaseIndependentLetters() will only return 0–3 because count is always less than ArrayLength(choices): https://dxr.mozilla.org/mozilla-central/source/js/src/irregexp/RegExpEngine.cpp?from=GetCaseIndependentLetters#191

Comment 2

[Mike Hommey [:glandium]]

(In reply to Chris Peterson [:cpeterson] from comment #1)
> This looks like a false positive to me:

doh. Missed the inline "choices" array.