From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 61A893858D20; Tue, 15 Mar 2022 09:56:05 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 61A893858D20
From: "jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/104929] UBSAN: false positive with sprintf
Date: Tue, 15 Mar 2022 09:56:05 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 11.2.1
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jakub at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-104929-4-BY4q3a53es@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-104929-4@http.gcc.gnu.org/bugzilla/>
References: <bug-104929-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2022 09:56:05 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D104929

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
In this particular case the problem is that UBSAN adds the non-NULL tests, =
so
the IL becomes if (!s) __ubsan_handle_nonnull_arg (...); sprintf(s,  " "); =
if
(!s) __ubsan_handle_nonnull_arg (...); return __builtin_strlen(s);
and then jump threading thinks it is a good idea to thread it, so turns it =
into
if (!s) { __ubsan_handle_nonnull_arg (...); sprintf(NULL, " ");
__ubsan_handle_nonnull_arg (...); } else sprintf(s, " ");
and that is why the warning is emitted (pain of all the middle-end warnings=
).
The ways out of this might be convince jump threading to punt in such cases
(when  those are clearly ubsan tests) because we expect them to be extremely
unlikely,
or use some new internal function from between the ubsan pass and sanopt, w=
here
the test for non-NULL wouldn't be explicit in the IL until very late (that
would also prevent the jump threading), or during the jump threading when we
detect these ubsan-ish tests suppress some of the warnings on the threaded
stmts.=