[Bug c++/102805] New: at -O2, spurious stringop-overflow warning writing to std::vector::back()

[Bug c++/102805] New: at -O2, spurious stringop-overflow warning writing to std::vector::back()

[rudick at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102805

            Bug ID: 102805
           Summary: at -O2, spurious stringop-overflow warning writing to
                    std::vector::back()
           Product: gcc
           Version: 11.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rudick at gmail dot com
  Target Milestone: ---

g++ -O2 -Wextra -Wall -Werror -Wextra vectorBackWrite.cpp

#include <vector>
#include <stddef.h>
#include <iostream>

extern FILE* f;
void triggerBug(uint64_t start, uint64_t end) {
  if (f && end > start) {
    std::vector<char> data(end - start + 1);
    auto res = fread(&data[0], end-start, 1, f);
    if (res == 1) {
      data.back() = 0;
    }
  }
}

error is:

vectorBackWrite.cpp: In function ‘void triggerBug(uint64_t, uint64_t)’:
vectorBackWrite.cpp:11:19: error: writing 1 byte into a region of size 0
[-Werror=stringop-overflow=]
   11 |       data.back() = 0;
      |       ~~~~~~~~~~~~^~~
In file included from
/opt/gcc-11.2.0/include/c++/11.2.0/x86_64-linux-gnu/bits/c++allocator.h:33,
                 from /opt/gcc-11.2.0/include/c++/11.2.0/bits/allocator.h:46,
                 from /opt/gcc-11.2.0/include/c++/11.2.0/vector:64,
                 from vectorBackWrite.cpp:1:
/opt/gcc-11.2.0/include/c++/11.2.0/ext/new_allocator.h:127:48: note: at offset
[0, 9223372036854775806] into destination object of size [2,
9223372036854775807] allocated by ‘operator new’
  127 |         return static_cast<_Tp*>(::operator new(__n * sizeof(_Tp)));
      |                                  ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
cc1plus: all warnings being treated as errors


Interestingly, this also fails w/ the same error:
*(data.rbegin()) = 0;

but this is accepted:
data[data.size()-1] = 0;

code works in gcc7 & gcc9 on the same platform, & works on gcc11 with -O1
It also seems to require the fread to be present

Version: 11.2.0

system: CentOS Linux 7.7.1908 on Intel Xeon

[Bug tree-optimization/102805] at -O2, spurious stringop-overflow warning writing to std::vector::back()

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102805

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Hmm:
  <bb 3> [local count: 751619281]:
  if (end_8(D) > start_9(D))
    goto <bb 4>; [33.00%]
  else
    goto <bb 15>; [67.00%]

  <bb 4> [local count: 248034361]:
  _2 = end_8(D) - start_9(D);
  _3 = _2 + 1;
  data ={v} {CLOBBER};
  _23 = (signed long) _3;
  if (_23 < 0)
    goto <bb 5>; [0.04%]
  else
    goto <bb 6>; [99.96%]

  <bb 5> [local count: 99214]:
  std::__throw_length_error ("cannot create std::vector larger than
max_size()");

  <bb 6> [local count: 247935148]:
  MEM[(struct _Vector_impl_data *)&data] ={v} {CLOBBER};
  MEM[(struct _Vector_impl_data *)&data]._M_start = 0B;
  MEM[(struct _Vector_impl_data *)&data]._M_finish = 0B;
  MEM[(struct _Vector_impl_data *)&data]._M_end_of_storage = 0B;
  if (_3 != 0)
    goto <bb 8>; [71.00%]
  else
    goto <bb 7>; [29.00%]

  <bb 7> [local count: 71901193]:
  MEM[(struct _Vector_base *)&data]._M_impl.D.49479._M_start = 0B;
  MEM[(struct _Vector_base *)&data]._M_impl.D.49479._M_finish = 0B;
  MEM[(struct _Vector_base *)&data]._M_impl.D.49479._M_end_of_storage = 0B;
  goto <bb 9>; [100.00%]

  <bb 8> [local count: 158430559]:
  _33 = operator new (_3);
  MEM[(struct _Vector_base *)&data]._M_impl.D.49479._M_start = _33;
  MEM[(struct _Vector_base *)&data]._M_impl.D.49479._M_finish = _33;
  _28 = _33 + _3;
  MEM[(struct _Vector_base *)&data]._M_impl.D.49479._M_end_of_storage = _28;
  *_33 = 0;
  __first_35 = _33 + 1;
  _41 = (long int) _2;
  __builtin_memset (__first_35, 0, _2);


if end is UINT64_MAX and start is 0, then _2 would be UINT64_MAX and _3 would
be 0. And _23 < 0 would be false and then _3!=0 would be false..

So I think the warning is correct, just you don't have an wrapping check
defined in the code for (end - start + 1) .......

[Bug tree-optimization/102805] at -O2, spurious stringop-overflow warning writing to std::vector::back()

[rudick at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102805

--- Comment #2 from rudick at gmail dot com ---
Interesting.

if (f && end > start && start < 100 && end < 100) {

& I still get the warning though

[Bug tree-optimization/102805] at -O2, spurious stringop-overflow warning writing to std::vector::back()

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102805

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2021-10-17
     Ever confirmed|0                           |1
           Keywords|                            |missed-optimization

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to rudick from comment #2)
> Interesting.
> 
> if (f && end > start && start < 100 && end < 100) {
> 
> & I still get the warning though

There is a missed VRP for that case:
Testcase for the above case:
void f1(uint64_t start, uint64_t end)
{
  if (end > start && start < 100 && end < 100)
    {
        uint64_t t = end - start + 1;
        if (t != 0)
          __builtin_abort();
    }
}

[Bug tree-optimization/102805] at -O2, spurious stringop-overflow warning writing to std::vector::back()

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102805

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Looks to be fixed in GCC 12.