public inbox for gcc-bugs@sourceware.org
* [Bug c++/104012] New: -Wformat-truncation warnings not taking previous length check into account
From: eike@sf-mail.de @ 2022-01-13 16:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

            Bug ID: 104012
           Summary: -Wformat-truncation warnings not taking previous
                    length check into account
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: eike@sf-mail.de
  Target Milestone: ---

This code is from CMake's Source/cmLocalUnixMakefileGenerator3.cxx:

std::string cmLocalUnixMakefileGenerator3::CreateMakeVariable(
  std::string const& s, std::string const& s2)
{
[…]
    char buffer[5];
    int ni = 0;
    snprintf(buffer, sizeof(buffer), "%04d", ni);
    ret = str1 + str2 + buffer;
    while (this->ShortMakeVariableMap.count(ret) && ni < 1000) {
      ++ni;
      snprintf(buffer, sizeof(buffer), "%04d", ni);
      ret = str1 + str2 + buffer;
    }


The second snprintf() causes this warning:

…/CMake/Source/cmLocalUnixMakefileGenerator3.cxx:1311:41: warning: '%04d'
directive output may be truncated writing between 4 and 11 bytes into a region
of size 5 [-Wformat-truncation=]
 1311 |       snprintf(buffer, sizeof(buffer), "%04d", ni);
      |                                         ^~~~
…/CMake/Source/cmLocalUnixMakefileGenerator3.cxx:1311:40: note: directive
argument in the range [-2147483647, 2147483647]
 1311 |       snprintf(buffer, sizeof(buffer), "%04d", ni);
      |                                        ^~~~~~

The second warning line shows that the argument range is not correctly limited
to [0, 1000], which would have avoided the warning. A similar warning is shown
~30 lines earlier in the same file for basically the same code.

My current version is:

gcc-12.0.0 (Gentoo 12.0.0_pre9999 p2, commit
8b35f02ed599a70cce752e3cb544a7c9f808fce8) 12.0.0 20220111 (experimental)

The version used previously has been built on 2021-08-14T20:47:39 and didn't
show that warning.


* [Bug tree-optimization/104012] [12 regression] -Wformat-truncation warnings not taking previous length check into account
From: pinskia at gcc dot gnu.org @ 2022-01-13 16:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|c++                         |tree-optimization
   Target Milestone|---                         |12.0
           Keywords|                            |diagnostic
            Summary|-Wformat-truncation         |[12 regression]
                   |warnings not taking         |-Wformat-truncation
                   |previous length check into  |warnings not taking
                   |account                     |previous length check into
                   |                            |account

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Can you attach the preprocessed source?


* [Bug tree-optimization/104012] [12 regression] -Wformat-truncation warnings not taking previous length check into account
From: eike@sf-mail.de @ 2022-01-13 19:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

--- Comment #2 from Rolf Eike Beer <eike@sf-mail.de> ---
Created attachment 52182
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52182&action=edit
preprocessed source


* [Bug tree-optimization/104012] [12 regression] -Wformat-truncation warnings not taking previous length check into account
From: msebor at gcc dot gnu.org @ 2022-01-13 21:49 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msebor at gcc dot gnu.org

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
I'm not able to reproduce a warning for the test case in attachment 52182 with
the top of GCC trunk configured for x86_64 at -O2 or -O3 and with -m32.  There
are three calls to snprintf() in CreateMakeVariable() and for each call GCC
determines the output of the %04d directive is exactly four bytes (see the dump
produced by -ftree-dump-strlen):

/home/buildbot/repos/CMake/Source/cmLocalUnixMakefileGenerator3.cxx:1307:
snprintf: objsize = 5, fmtstr = "%04d"
  Directive 1 at offset 0: "%04d"
    Result: 4, 4, 4, 4 (4, 4, 4, 4)
  Directive 2 at offset 4: "", length = 1
  Substituting 4 for return value.

/home/buildbot/repos/CMake/Source/cmLocalUnixMakefileGenerator3.cxx:1311:
snprintf: objsize = 5, fmtstr = "%04d"
  Directive 1 at offset 0: "%04d"
    Result: 4, 4, 4, 4 (4, 4, 4, 4)
  Directive 2 at offset 4: "", length = 1
  Substituting 4 for return value.

/home/buildbot/repos/CMake/Source/cmLocalUnixMakefileGenerator3.cxx:1282:
snprintf: objsize = 5, fmtstr = "%04d"
  Directive 1 at offset 0: "%04d"
    Result: 4, 4, 4, 4 (4, 4, 4, 4)
  Directive 2 at offset 4: "", length = 1
  Substituting 4 for return value.

If you see the warning with the latest GCC 12 please provide the full command
line (see https://gcc.gnu.org/bugs/#need for a detailed list of what we ask
users to provide in order to reproduce issues).


* [Bug tree-optimization/104012] [12 regression] -Wformat-truncation warnings not taking previous length check into account
From: eike@sf-mail.de @ 2022-01-14 14:14 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

--- Comment #4 from Rolf Eike Beer <eike@sf-mail.de> ---
I have rebuilt gcc today, now at commit
b77e3b4e4589e56c01511fabdbaadb029cd47f5c.

Configuration line:

/var/tmp/portage/sys-devel/gcc-12.0.0_pre9999/work/gcc-12.0.0_pre9999/configure
--host=sparc-unknown-linux-gnu --build=sparc-unknown-linux-gnu --prefix=/usr
--bindir=/usr/sparc-unknown-linux-gnu/gcc-bin/12.0.0
--includedir=/usr/lib/gcc/sparc-unknown-linux-gnu/12.0.0/include
--datadir=/usr/share/gcc-data/sparc-unknown-linux-gnu/12.0.0
--mandir=/usr/share/gcc-data/sparc-unknown-linux-gnu/12.0.0/man
--infodir=/usr/share/gcc-data/sparc-unknown-linux-gnu/12.0.0/info
--with-gxx-include-dir=/usr/lib/gcc/sparc-unknown-linux-gnu/12.0.0/include/g++-v12
--with-python-dir=/share/gcc-data/sparc-unknown-linux-gnu/12.0.0/python
--enable-languages=c,c++,fortran --enable-obsolete --enable-secureplt
--disable-werror --with-system-zlib --disable-nls
--disable-libunwind-exceptions --enable-checking=release
--with-bugurl=https://bugs.gentoo.org/ --with-pkgversion=Gentoo 12.0.0_pre9999,
commit b77e3b4e4589e56c01511fabdbaadb029cd47f5c --disable-esp
--enable-libstdcxx-time --disable-libstdcxx-pch --enable-shared
--enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
--disable-multilib --disable-fixed-point --enable-targets=all --enable-libgomp
--disable-libssp --disable-libada --disable-cet --disable-systemtap
--disable-valgrind-annotations --disable-vtable-verify --disable-libvtv
--without-zstd --enable-lto --with-isl --disable-isl-version-check
--enable-default-pie --enable-default-ssp

I can still trigger the warning:

cd /tmp/cmtest/Source && /usr/bin/c++ -DCURL_STATICLIB -DLIBARCHIVE_STATIC
-D_FILE_OFFSET_BITS=64 -I/tmp/cmtest/Utilities -I/tmp/cmtest/Source
-I/home/buildbot/repos/CMake/Source
-I/home/buildbot/repos/CMake/Source/LexerParser
-I/home/buildbot/repos/CMake/Source/CTest
-I/home/buildbot/repos/CMake/Source/CPack -isystem
/home/buildbot/repos/CMake/Utilities/std -isystem
/home/buildbot/repos/CMake/Utilities -Wnon-virtual-dtor -Wcast-align
-Wchar-subscripts -Wall -W -Wshadow -Wpointer-arith -Wformat-security -Wundef
-g -std=c++17 -MD -MT
Source/CMakeFiles/CMakeLib.dir/cmLocalUnixMakefileGenerator3.cxx.o -MF
CMakeFiles/CMakeLib.dir/cmLocalUnixMakefileGenerator3.cxx.o.d -o
CMakeFiles/CMakeLib.dir/cmLocalUnixMakefileGenerator3.cxx.o -c
/home/buildbot/repos/CMake/Source/cmLocalUnixMakefileGenerator3.cxx
-Wformat-truncation=2

I still have the full gcc build log if that matters.


* [Bug tree-optimization/104012] [12 regression] -Wformat-truncation warnings not taking previous length check into account
From: msebor at gcc dot gnu.org @ 2022-01-14 16:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Blocks|                            |85741
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> ---
I can reproduce the warning now with the command line options provided in
comment #4: -O0 and -Wformat-truncation=2 are needed to trigger it.  The
interaction of the warning with optimizations (or their absence) is documented
in the manual:

  When the exact number of bytes written by a format directive cannot be
  determined at compile-time it is estimated based on heuristics that depend
  on the level argument and on optimization. While enabling optimization will
  in most cases improve the accuracy of the warning, it may also result in
  false positives.

  -Wformat-truncation=2

    Level 2 warns also about calls to bounded functions whose return value is
    used and that might result in truncation given an argument of sufficient
    length or magnitude.

Not enabling optimization and using -Wformat-truncation=2 increases the chance
that the heuristic of assuming the argument with greatest magnitude (for %04d
it would be INT_MIN) will be used.  GCC still does some value and range
propagation even at -O0 but it doesn't inline function calls (like those to
std::string members) or do other optimizations that might otherwise help it
track data flow more accurately.  Regardless of optimization, the intent of
level 2 is to guide the programmer to provide a buffer that's big enough for
the largest possible output (i.e., you have to either prove to GCC that the
truncation isn't possible or handle it).  At level 1 it's more like the other
way around (GCC has to prove that the call will result in truncation in order
to warn, although there's some fuzziness here and some heuristics apply as
well).

In short, this is not a bug.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85741
[Bug 85741] [meta-bug] bogus/missing -Wformat-overflow


* [Bug tree-optimization/104012] [12 regression] -Wformat-truncation warnings not taking previous length check into account
From: msebor at gcc dot gnu.org @ 2022-01-14 17:29 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104012

--- Comment #6 from Martin Sebor <msebor at gcc dot gnu.org> ---
To expand a bit on the fuzziness at level 1.  The logic is documented under the
-Wformat-overflow warning like so:

  Numeric arguments that are known to be bounded to a subrange of their type,
  or string arguments whose output is bounded either by their directive’s
  precision or by a finite set of string literals, are assumed to take on the
  value within the range that results in the most bytes on output.

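Added example, not part of the original thread and not CMake or GCC code: a C++ sketch of the points made in comments #5 and #6. It computes the worst-case "%04d" output for an argument range (4 bytes for [0, 1000], 11 for the full int range quoted in the warning) and formats the suffix either with a buffer large enough for any int or with an explicit truncation check; the function names are hypothetical.

```cpp
// Added example; not CMake or GCC code. Function names are hypothetical.
#include <climits>
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>

// Most bytes "%04d" can produce for a value in [lo, hi], excluding the NUL.
// Output length only grows with magnitude, so the maximum is at an endpoint.
int worst_case_len(int lo, int hi)
{
  int a = std::snprintf(nullptr, 0, "%04d", lo);
  int b = std::snprintf(nullptr, 0, "%04d", hi);
  return a > b ? a : b;
}

// Buffer sized for any int: digits10 + 1 digits, a sign, and the NUL
// (12 bytes for a 32-bit int), so no value can be truncated.
std::string suffix_any_int(int ni)
{
  char buffer[std::numeric_limits<int>::digits10 + 3];
  std::snprintf(buffer, sizeof(buffer), "%04d", ni);
  return buffer;
}

// The 5-byte buffer from the report, with truncation handled explicitly:
// snprintf returns the length it wanted to write, so n >= size means cut off.
bool suffix_checked(int ni, std::string& out)
{
  char buffer[5];
  int n = std::snprintf(buffer, sizeof(buffer), "%04d", ni);
  if (n < 0 || static_cast<std::size_t>(n) >= sizeof(buffer))
    return false;
  out = buffer;
  return true;
}

int main()
{
  std::string s;
  std::printf("[0, 1000]          -> %d bytes\n", worst_case_len(0, 1000));
  std::printf("[INT_MIN, INT_MAX] -> %d bytes\n", worst_case_len(INT_MIN, INT_MAX));
  std::printf("any-int buffer: %s\n", suffix_any_int(INT_MIN).c_str());
  std::printf("checked(1000): %d, checked(10000): %d\n",
              suffix_checked(1000, s), suffix_checked(10000, s));
  return 0;
}
```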
