[mypyc] Fix undefined behavior related to empty vecs (#21094)

JukkaL · web-flow · commit 3cf57e115241 · 2026-03-23T16:06:37.000Z
We used to use `&amp;vec.buf-&gt;items`, which causes undefined behavior for an
empty vec that can be triggered on GCC when using -O3, since `buf` is
NULL for an empty vec. Use `offsetof` instead to calculate struct field
offset, since it doesn't trigger UB if pointer is NULL.
diff --git a/mypyc/codegen/emitfunc.py b/mypyc/codegen/emitfunc.py
@@ -809,9 +809,12 @@ def visit_get_element_ptr(self, op: GetElementPtr) -> None:
         # TODO: support tuple type
         assert isinstance(op.src_type, RStruct), op.src_type
         assert op.field in op.src_type.names, "Invalid field name."
+        # Use offsetof to avoid undefined behavior when src is NULL
+        # (e.g., vec buf pointer for empty vecs). The &((T*)p)->field
+        # pattern is UB when p is NULL, which GCC -O3 can exploit.
         self.emit_line(
-            "{} = ({})&(({} *){})->{};".format(
-                dest, op.type._ctype, op.src_type.name, src, op.field
+            "{} = ({})((CPyPtr){} + offsetof({}, {}));".format(
+                dest, op.type._ctype, src, op.src_type.name, op.field
             )
         )
 
diff --git a/mypyc/irbuild/vec.py b/mypyc/irbuild/vec.py
@@ -222,6 +222,11 @@ def vec_len_native(builder: LowLevelIRBuilder, val: Value) -> Value:
 
 
 def vec_items(builder: LowLevelIRBuilder, vecobj: Value) -> Value:
+    """Return pointer to first item in vec's buf.
+
+    Safe to call even when buf is NULL (empty vec), since GetElementPtr
+    uses offsetof-based arithmetic instead of &((T*)p)->field.
+    """
     vtype = cast(RVec, vecobj.type)
     buf = builder.get_element(vecobj, "buf")
     return builder.add(GetElementPtr(buf, vtype.buf_type, "items"))
diff --git a/mypyc/test/test_emitfunc.py b/mypyc/test/test_emitfunc.py
@@ -760,13 +760,16 @@ def test_get_element_ptr(self) -> None:
             "Foo", ["b", "i32", "i64"], [bool_rprimitive, int32_rprimitive, int64_rprimitive]
         )
         self.assert_emit(
-            GetElementPtr(self.o, r, "b"), """cpy_r_r0 = (CPyPtr)&((Foo *)cpy_r_o)->b;"""
+            GetElementPtr(self.o, r, "b"),
+            """cpy_r_r0 = (CPyPtr)((CPyPtr)cpy_r_o + offsetof(Foo, b));""",
         )
         self.assert_emit(
-            GetElementPtr(self.o, r, "i32"), """cpy_r_r0 = (CPyPtr)&((Foo *)cpy_r_o)->i32;"""
+            GetElementPtr(self.o, r, "i32"),
+            """cpy_r_r0 = (CPyPtr)((CPyPtr)cpy_r_o + offsetof(Foo, i32));""",
         )
         self.assert_emit(
-            GetElementPtr(self.o, r, "i64"), """cpy_r_r0 = (CPyPtr)&((Foo *)cpy_r_o)->i64;"""
+            GetElementPtr(self.o, r, "i64"),
+            """cpy_r_r0 = (CPyPtr)((CPyPtr)cpy_r_o + offsetof(Foo, i64));""",
         )
 
     def test_set_element(self) -> None:

Original file line number	Diff line number	Diff line change
`@@ -809,9 +809,12 @@ def visit_get_element_ptr(self, op: GetElementPtr) -> None:`
`809`	`809`	`# TODO: support tuple type`
`810`	`810`	`assert isinstance(op.src_type, RStruct), op.src_type`
`811`	`811`	`assert op.field in op.src_type.names, "Invalid field name."`
	`812`	`+ # Use offsetof to avoid undefined behavior when src is NULL`
	`813`	`+ # (e.g., vec buf pointer for empty vecs). The &((T*)p)->field`
	`814`	`+ # pattern is UB when p is NULL, which GCC -O3 can exploit.`
`812`	`815`	`self.emit_line(`
`813`		`- "{} = ({})&(({} *){})->{};".format(`
`814`		`- dest, op.type._ctype, op.src_type.name, src, op.field`
	`816`	`+ "{} = ({})((CPyPtr){} + offsetof({}, {}));".format(`
	`817`	`+ dest, op.type._ctype, src, op.src_type.name, op.field`
`815`	`818`	`)`
`816`	`819`	`)`
`817`	`820`
Original file line number	Diff line number	Diff line change
`@@ -760,13 +760,16 @@ def test_get_element_ptr(self) -> None:`
`760`	`760`	`"Foo", ["b", "i32", "i64"], [bool_rprimitive, int32_rprimitive, int64_rprimitive]`
`761`	`761`	`)`
`762`	`762`	`self.assert_emit(`
`763`		`- GetElementPtr(self.o, r, "b"), """cpy_r_r0 = (CPyPtr)&((Foo *)cpy_r_o)->b;"""`
	`763`	`+ GetElementPtr(self.o, r, "b"),`
	`764`	`+ """cpy_r_r0 = (CPyPtr)((CPyPtr)cpy_r_o + offsetof(Foo, b));""",`
`764`	`765`	`)`
`765`	`766`	`self.assert_emit(`
`766`		`- GetElementPtr(self.o, r, "i32"), """cpy_r_r0 = (CPyPtr)&((Foo *)cpy_r_o)->i32;"""`
	`767`	`+ GetElementPtr(self.o, r, "i32"),`
	`768`	`+ """cpy_r_r0 = (CPyPtr)((CPyPtr)cpy_r_o + offsetof(Foo, i32));""",`
`767`	`769`	`)`
`768`	`770`	`self.assert_emit(`
`769`		`- GetElementPtr(self.o, r, "i64"), """cpy_r_r0 = (CPyPtr)&((Foo *)cpy_r_o)->i64;"""`
	`771`	`+ GetElementPtr(self.o, r, "i64"),`
	`772`	`+ """cpy_r_r0 = (CPyPtr)((CPyPtr)cpy_r_o + offsetof(Foo, i64));""",`
`770`	`773`	`)`
`771`	`774`
`772`	`775`	`def test_set_element(self) -> None:`