public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "msebor at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug middle-end/101134] Bogus -Wstringop-overflow warning about non-existent overflow Date: Thu, 24 Jun 2021 21:18:08 +0000 [thread overview] Message-ID: <bug-101134-4-uqCZNzn5Zq@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-101134-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101134 --- Comment #12 from Martin Sebor <msebor at gcc dot gnu.org> --- I don't need to be convinced that it would be nice to be able to differentiate between certain bugs and possible ones. The text of this class of warnings already does differentiate between "may write/read/access" and "writing/reading/accessing" under some conditions: https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/builtins.c;h=73c12e3bb8c39907b6bd95148f860709dbbf3f50;hb=refs/heads/releases/gcc-11#l4136 This is not among them. In this case the IL that triggers the warning is: <bb 3> [local count: 10145877954]: # size_18 = PHI <512(2), size_13(10)> # prephitmp_54 = PHI <"edFunction.staticBuf(2), newBuf_36(10)> ... <bb 7> [local count: 2825037180]: newBuf_33 = malloc (_51); goto <bb 9>; [100.00%] <bb 8> [local count: 6591753510]: newBuf_35 = realloc (_30, _51); ... <bb 9> [local count: 9416790700]: # newBuf_36 = PHI <newBuf_33(7), newBuf_35(8)> ... <bb 14> [local count: 3449598541]: MEM[(char *)prephitmp_54 + -1B] = 0; <<< -Wstring-overflow prephitmp_54 is set to point to either the beginning of quotedFunction.staticBuf or the dynamically allocated buffer. So prephitmp_54 - 1 is unconditionally invalid and the warning triggers. The warning doesn't consider the predicates leading up to the invalid store: all it uses to make its decision is the statement itself and its arguments. For PHIs, to minimize noise, it triggers only if the statement is invalid for all arguments. This is how most flow-based warnings work in GCC (some like -Warray-bounds don't consider PHIs yet). To do better and either hope to issue a "maybe" kind of a warning or preferably avoid it altogether if the code is unreachable we would need to do what -Wmaybe-uninitialized does (as I said in comment #5) and analyze the predicates. I've been working on extracting the uninitialized predicate analyzer for the last few months. I'm not sure to what extent it will be usable outside the uninitialized pass yet or how well it will work. As we know, -Wmaybe-uninitialized has lots of false positives (and negatives). But even the uninitialized pass issues unconditional warnings for conditional bugs. For instance: int f (void) { int i, j = 0; int *p = i ? &i : &j; return *p; } a.c: In function ‘f’: a.c:4:14: warning: ‘i’ is used uninitialized [-Wuninitialized] 4 | int *p = i ? &i : &j; | ^ It does that because the first time it runs it's too early to make the distinction, and by the second time it runs to issuse -Wmaybe-uninitialized the uninitialized read has been eliminated. And this is done to strike a reasonable balance between false negatives and positives. So in general, the distinction between the two cases can only be made when it can be discerned from the IL, and the IL doesn't always preserve the conditional nature of the problem statement. So every warning must always be viewed as a "maybe" kind of a warning. It will never be a sure a thing, either at the scope of individual functions, and certainly not with inlining or function cloning.
next prev parent reply other threads:[~2021-06-24 21:18 UTC|newest] Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-06-19 9:52 [Bug middle-end/101134] New: " dangelog at gmail dot com 2021-06-21 16:10 ` [Bug middle-end/101134] " msebor at gcc dot gnu.org 2021-06-21 16:44 ` dangelog at gmail dot com 2021-06-21 20:40 ` msebor at gcc dot gnu.org 2021-06-22 8:57 ` dangelog at gmail dot com 2021-06-22 15:27 ` msebor at gcc dot gnu.org 2021-06-22 16:34 ` dangelog at gmail dot com 2021-06-23 19:56 ` msebor at gcc dot gnu.org 2021-06-24 14:07 ` dangelog at gmail dot com 2021-06-24 17:05 ` segher at gcc dot gnu.org 2021-06-24 17:57 ` rsandifo at gcc dot gnu.org 2021-06-24 19:36 ` dmalcolm at gcc dot gnu.org 2021-06-24 21:18 ` msebor at gcc dot gnu.org [this message] 2021-06-24 22:18 ` dangelog at gmail dot com 2022-03-17 10:18 ` redi at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-101134-4-uqCZNzn5Zq@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).