From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 39AA63857814; Wed, 10 Nov 2021 16:19:16 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 39AA63857814
From: "msebor at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug testsuite/103161] [12 Regression] Better ranges cause
 builtin-sprintf-warn-16.c failure
Date: Wed, 10 Nov 2021 16:19:16 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: testsuite
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Who: msebor at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: msebor at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 12.0
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: component
Message-ID: <bug-103161-4-2OAPp6udUQ@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-103161-4@http.gcc.gnu.org/bugzilla/>
References: <bug-103161-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 16:19:16 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D103161

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|tree-optimization           |testsuite

--- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> ---
Great!  With the strlen conversion to ranger
(g:6b8b959675a3e14cfdd2145bd62e4260eb193765) the test now fails on x86_64 as
well:

Excess errors:
/src/gcc/master/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-16.c:142=
:5:
warning: '%*u' directive writing 5 or more bytes into a region of size 0
[-Wformat-overflow=3D]

while on or1k-elf:

Excess errors:
/src/gcc/master/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-16.c:142=
:5:
warning: '%*u' directive writing 5 or more bytes into a region of size 0
[-Wformat-overflow=3D]
/src/gcc/master/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-16.c:243=
:5:
warning: '%.*u' directive writing 7 or more bytes into a region of size 0
[-Wformat-overflow=3D]

I think the test unwittingly depends on GCC not inferring a range from a
conditional (although the intent is clearly that it does).  It uses an unsi=
gned
int as the width argument to sprintf which is undefined, but I suspect it d=
oes
it as an attempt to create a signed anti-range.  So this might simply be a
problem with the test.  The difference between EVRP and Ranger can be seen =
in
the test case below (function g() corresponds to what the test does, and wi=
th
EVRP the range for w in it is the same as in f() on some targets like or1k-=
elf
and on others it's varying):

$ cat pr103161.c && gcc-11 -O2 -S -Wall -fdump-tree-strlen=3D/dev/stdout
pr103161.c
extern char a[1];

int f (int i, unsigned w)
{
  if (w < 5)
    w =3D 5;

  return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is [5, INT_=
MAX]
}

int g (int i)
{
  extern unsigned w;

  if (w < 5)
    w =3D 5;

  return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is [0, INT_=
MAX]
}

;; Function f (f, funcdef_no=3D0, decl_uid=3D1945, cgraph_uid=3D1, symbol_o=
rder=3D0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }
pr103161.c:8: __builtin_sprintf: objsize =3D 0, fmtstr =3D "%*i"
  Directive 1 at offset 0: "%*i", width in range [5, 4294967295]
pr103161.c: In function =E2=80=98f=E2=80=99:
pr103161.c:8:37: warning: =E2=80=98%*i=E2=80=99 directive writing 5 or more=
 bytes into a region
of size 0 [-Wformat-overflow=3D]
    8 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[5,
INT_MAX]
      |                                     ^~~
    Result: 5, 5, -1, 4294967295 (5, 5, -1, -1)
  Directive 2 at offset 3: "", length =3D 1
pr103161.c:8:10: note: =E2=80=98__builtin_sprintf=E2=80=99 output 6 or more=
 bytes into a
destination of size 0
    8 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[5,
INT_MAX]
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Discarding out-of-bounds return value 0.

int f (int i, unsigned int w)
{
  unsigned int _2;
  int _6;

  <bb 2> [local count: 1073741824]:
  _2 =3D MAX_EXPR <w_1(D), 5>;
  _6 =3D __builtin_sprintf (&MEM <char[1]> [(void *)&a + 1B], "%*i", _2, i_=
4(D));
  return _6;

}



;; Function g (g, funcdef_no=3D1, decl_uid=3D1948, cgraph_uid=3D2, symbol_o=
rder=3D1)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2 3 4
;; 2 succs { 3 4 }
;; 3 succs { 4 }
;; 4 succs { 1 }
pr103161.c:18: __builtin_sprintf: objsize =3D 0, fmtstr =3D "%*i"
  Directive 1 at offset 0: "%*i", width in range [0, 2147483648]
pr103161.c: In function =E2=80=98g=E2=80=99:
pr103161.c:18:37: warning: =E2=80=98%*i=E2=80=99 directive writing between =
1 and 2147483648
bytes into a region of size 0 [-Wformat-overflow=3D]
   18 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[0,
INT_MAX]
      |                                     ^~~
    Result: 1, 1, 2147483648, 2147483648 (1, 1, 2147483648, 2147483648)
  Directive 2 at offset 3: "", length =3D 1
pr103161.c:18:10: note: =E2=80=98__builtin_sprintf=E2=80=99 output between =
2 and 2147483649
bytes into a destination of size 0
   18 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[0,
INT_MAX]
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Discarding out-of-bounds return value 0.

int g (int i)
{
  unsigned int w.0_1;
  int _8;
  unsigned int prephitmp_9;

  <bb 2> [local count: 1073741824]:
  w.0_1 =3D w;
  if (w.0_1 <=3D 4)
    goto <bb 3>; [50.00%]
  else
    goto <bb 4>; [50.00%]

  <bb 3> [local count: 536870913]:
  w =3D 5;

  <bb 4> [local count: 1073741824]:
  # prephitmp_9 =3D PHI <w.0_1(2), 5(3)>
  _8 =3D __builtin_sprintf (&MEM <char[1]> [(void *)&a + 1B], "%*i", prephi=
tmp_9,
i_6(D));
  return _8;

}

While with today's trunk:

$ gcc-12 -O2  -S -Wall -fdump-tree-strlen=3D/dev/stdout pr103161.c
extern char a[1];

int f (int i, unsigned w)
{
  if (w < 5)
    w =3D 5;

  return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is [5, INT_=
MAX]
}

int g (int i)
{
  extern unsigned w;

  if (w < 5)
    w =3D 5;

  return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is [5, INT_=
MAX]
}

;; Function f (f, funcdef_no=3D0, decl_uid=3D1980, cgraph_uid=3D1, symbol_o=
rder=3D0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }
pr103161.c:8: __builtin_sprintf: objsize =3D 0, fmtstr =3D "%*i"
  Directive 1 at offset 0: "%*i", width in range [5, 4294967295]
pr103161.c: In function =E2=80=98f=E2=80=99:
pr103161.c:8:37: warning: =E2=80=98%*i=E2=80=99 directive writing 5 or more=
 bytes into a region
of size 0 [-Wformat-overflow=3D]
    8 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[5,
INT_MAX]
      |                                     ^~~
    Result: 5, 5, -1, 4294967295 (5, 5, -1, -1)
  Directive 2 at offset 3: "", length =3D 1
pr103161.c:8:10: note: =E2=80=98__builtin_sprintf=E2=80=99 output 6 or more=
 bytes into a
destination of size 0
    8 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[5,
INT_MAX]
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Discarding out-of-bounds return value 0.

int f (int i, unsigned int w)
{
  unsigned int _2;
  int _6;

  <bb 2> [local count: 1073741824]:
  _2 =3D MAX_EXPR <w_1(D), 5>;
  _6 =3D __builtin_sprintf (&MEM <char[1]> [(void *)&a + 1B], "%*i", _2, i_=
4(D));
  return _6;

}



;; Function g (g, funcdef_no=3D1, decl_uid=3D1983, cgraph_uid=3D2, symbol_o=
rder=3D1)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2 3 4
;; 2 succs { 3 4 }
;; 3 succs { 4 }
;; 4 succs { 1 }
pr103161.c:18: __builtin_sprintf: objsize =3D 0, fmtstr =3D "%*i"
  Directive 1 at offset 0: "%*i", width in range [5, 4294967295]
pr103161.c: In function =E2=80=98g=E2=80=99:
pr103161.c:18:37: warning: =E2=80=98%*i=E2=80=99 directive writing 5 or mor=
e bytes into a
region of size 0 [-Wformat-overflow=3D]
   18 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[5,
INT_MAX]
      |                                     ^~~
    Result: 5, 5, -1, 4294967295 (5, 5, -1, -1)
  Directive 2 at offset 3: "", length =3D 1
pr103161.c:18:10: note: =E2=80=98__builtin_sprintf=E2=80=99 output 6 or mor=
e bytes into a
destination of size 0
   18 |   return __builtin_sprintf (a + 1, "%*i", w, i);   // w's range is =
[5,
INT_MAX]
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Discarding out-of-bounds return value 0.

int g (int i)
{
  unsigned int w.0_1;
  int _8;
  unsigned int prephitmp_9;

  <bb 2> [local count: 1073741824]:
  w.0_1 =3D w;
  if (w.0_1 <=3D 4)
    goto <bb 3>; [50.00%]
  else
    goto <bb 4>; [50.00%]

  <bb 3> [local count: 536870913]:
  w =3D 5;

  <bb 4> [local count: 1073741824]:
  # prephitmp_9 =3D PHI <w.0_1(2), 5(3)>
  _8 =3D __builtin_sprintf (&MEM <char[1]> [(void *)&a + 1B], "%*i", prephi=
tmp_9,
i_6(D));
  return _8;

}=