What error is this fixing?

What error is this fixing?

This fixes undefined behavior which can be "miscompiled" in future
compilers releases (or even now with different settings).

E.g. Here it's perfectly legal for compiler in case of "n = 5" compile as
return (pixel_type*)(c + 4 * pix_step);
or
return (pixel_type*)(c);
because array is just 4 elements
http://eel.is/c++draft/expr.add#4.2

Also it lets users to compile code with -fsanitize=bounds or -fsanitize=bounds-strict.

ping

Semantically, I understand what it was trying to do, even if it's not up to the standard, but in practice, dropping the different sizes shouldn't be a problem.

In practice it's inconvenience for those who compile with -fsanitize=bounds. We will have to
disable the check for the project or maintain a local patch. Both are invenveniece.

This check finds real buffer overflow which can't be detected by other means. E.g. -fsanitize=address will not report buffer overflow reads from a different field of the same structure.

Also I think my last patch makes code a little bit nice even regardless to the bounds :)

Yes, it would break -fsanitize=bounds, but I don't think we ever use num_components != pix_step, since we don't use the rgb version, never template Step in gray, and rgba has them equal.

Can someone merge this please?

Merging requires 2 approvals. Please be patient.

I would need far more context to approve. What is this c code used by, and how do we know that this change works?

@jklymak: Is there anything I could do to help? I'm quite keen on having this fixed. So... first off, is it contentious whether the status quo is buggy? (It is accessing an array out of bounds.) Is the fix correct? If you consider why the buggy code "seems to work", it's because it is using the address of the first subobject and casting it to the address of the object itself, so we can replace the cast by just this The load-bearing question is how the stride changes; this is about the relation between the size of value_type and the size of (the type of) *this.

It seems that what is meant here is to itereate through an array of pixel_type, and it so happens that that type is exactly as large as its contents (i.e. there's no padding), namely 4 * sizeof(value_type) for "rgba" and 1 * sizeof(value_type) for "rgb" and "gray". If we're just iterating over pixel_types, then simple pointer arithmetic on this will do just that.

I've applied this change internally (minus the change of the array bound), and some of our tests continue to pass, and the previous bug (as reported by sanitizers) is fixed. (I'm not sure how much coverage we have, though. I can run some more tests.)

A correction to my previous comment: The stride logic is only correct for the "rgba" version, where num_components and pix_step are both hard-coded to 4. In the "rgb" and "gray" versions, the status quo is questionable, see other comment thread above. That other code might warrant a separate analysis and fix; it's not just about an "out of bounds UB", but it actually seems questionable whether the class layout is currently correct in those cases: e.g. in "rgb", c is an array value_type[3], but next computes (pixel_type*)(c + Step), so this would be outright invalid whenever Step is not a multiple of 3 even if you believe flattened pointer arithmetic through arrays of structs. The first thing to decide here would be if c was really intended to be an array of value_type[Step] (as is currently proposed).

Step must only be >= 3 to be correct as far as the intention of the original code.

@QuLogic: If Step is not a multiple of 3, then c + Step does not point at a pixel_type object, though, does it? So the pointer cast would be invalid?

Why do you keep pinging a random other person? I don't think they appreciate it.

The point of Step is to be a stride; it is intentionally not related to the number of components. The buffer is not pixel_type[]; it's (pixel_type *)char[]; (playing a bit loose with syntax there).

@QuLogic: Oh, so sorry, I had been completely blind to the mixup! I used the auto completion and selected the wrong user! Hopefully fixed now.

@QuLogic: aha -- so do you mean that you really have a large array char[N] and inside that you freely want to pick out chunks of size 3 (at arbitrary offsets) and treat those as pixel_types?

Yes, it's somewhat like BMP (maybe JPEG too?) where every row must be on a 4-byte boundary, even if width is not divisible by 4.

But note this is mostly academic, as we never use rgb, and always use Step=1(=num_components) for gray.

Oh, interesting -- could you maybe back up a bit and explain the intended layout from scratch? So, let's say for example for RGB, we have a contiguous buffer RGBRGBRGBRGB... -- and one pixel_type contains one chunk RGB, is that right? It never starts on, say, a G? And there's no padding? But then you still want to make larger, aligned steps to somewhere that's a multiple of 4 from the beginning of the buffer? If the step is unrelated to the number of components, where does any eventual padding go? (In the BMP example, say, there'd be padding at the end of each row, so there's a "row pitch" to allow random access to the beginning of each row.)

@QuLogic: Oh, is that right? Could we maybe enshrine this in code and remove the Step template parameter from "gray"?

Well, we aren't upstream, and while upstream is somewhat dormant, it's fine to fix bugs, but changing semantics seems unnecessary.

OK, so if we're not changing that, but only the pointer arithmetic, then I suppose the next implementation for "gray" should say this + pix_step and for "rgba" it should say this + 1. But what should it be for "rgb"?

No, this + pix_step is definitely wrong, as pointer arithmetic would turn that into (typeof this)((char*)this + sizeof(*this) * pix_step). That's why it's always this + 1.

Thank you for the contribution!