Assignments to bit-fields yield results of bit-field type

tautschnig · tautschnig · commit 0aacbe452821 · 2023-11-24T16:14:49.000Z
Do not pre-emptively cast side effects over bit-fields to the underlying type. sizeof just has a very peculiar semantics, which is discussed in https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2958.htm. Issue was found by CSmith (test generated with random seed 1700653858).
diff --git a/regression/cbmc/Bitfields5/main.c b/regression/cbmc/Bitfields5/main.c
@@ -0,0 +1,26 @@
+#include <assert.h>
+#include <limits.h>
+
+struct S0
+{
+  unsigned long f2 : CHAR_BIT + 1;
+  int x;
+};
+
+int main()
+{
+  struct S0 g = {0};
+  // All compilers in compiler explorer appear to agree that comma and
+  // assignment expressions over bit-fields have the declared width (rounded to
+  // bytes) of the bit-field as sizeof result.
+  // https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2958.htm
+  // for a discussion that this isn't actually specified (while being a
+  // sizeof/typeof peculiarity)
+  _Static_assert(sizeof(++g.f2) == 2, "");
+  _Static_assert(sizeof(0, g.f2) == 2, "");
+  _Static_assert(sizeof(g.f2 = g.f2) == 2, "");
+  if(g.f2 <= -1)
+    assert(0);
+  if((g.f2 = g.f2) <= -1)
+    assert(0);
+}
diff --git a/regression/cbmc/Bitfields5/test.desc b/regression/cbmc/Bitfields5/test.desc
@@ -0,0 +1,8 @@
+CORE
+main.c
+
+^EXIT=0$
+^SIGNAL=0$
+^VERIFICATION SUCCESSFUL$
+--
+^warning: ignoring
diff --git a/src/ansi-c/c_typecheck_expr.cpp b/src/ansi-c/c_typecheck_expr.cpp
@@ -970,9 +970,22 @@ void c_typecheck_baset::typecheck_expr_sizeof(exprt &expr)
 
   if(type.id()==ID_c_bit_field)
   {
-    error().source_location = expr.source_location();
-    error() << "sizeof cannot be applied to bit fields" << eom;
-    throw 0;
+    // only comma or side-effect expressions are permitted
+    const exprt &op = to_unary_expr(as_const(expr)).op();
+    if(op.id() == ID_comma || op.id() == ID_side_effect)
+    {
+      const c_bit_field_typet &bf_type = to_c_bit_field_type(type);
+      new_expr = from_integer(
+        (bf_type.get_width() + config.ansi_c.char_width - 1) /
+          config.ansi_c.char_width,
+        size_type());
+    }
+    else
+    {
+      error().source_location = expr.source_location();
+      error() << "sizeof cannot be applied to bit fields" << eom;
+      throw 0;
+    }
   }
   else if(type.id() == ID_bool)
   {
@@ -1872,13 +1885,13 @@ void c_typecheck_baset::typecheck_expr_side_effect(side_effect_exprt &expr)
         typecast_exprt(op0, enum_type.underlying_type());
       expr.type() = enum_type.underlying_type();
     }
-    else if(type0.id() == ID_c_bit_field)
+    /*else if(type0.id() == ID_c_bit_field)
     {
       // promote to underlying type
       typet underlying_type = to_c_bit_field_type(type0).underlying_type();
       to_unary_expr(expr).op() = typecast_exprt(op0, underlying_type);
       expr.type()=underlying_type;
-    }
+    }*/
     else if(type0.id() == ID_bool || type0.id() == ID_c_bool)
     {
       implicit_typecast_arithmetic(to_unary_expr(expr).op());
@@ -4344,12 +4357,6 @@ void c_typecheck_baset::typecheck_side_effect_assignment(
     }
   }
 
-  // Add a cast to the underlying type for bit fields.
-  // In particular, sizeof(s.f=1) works for bit fields.
-  if(op0.type().id()==ID_c_bit_field)
-    op0 =
-      typecast_exprt(op0, to_c_bit_field_type(op0.type()).underlying_type());
-
   const typet o_type0=op0.type();
   const typet o_type1=op1.type();
 
