public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "siddhesh at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code Date: Fri, 07 Oct 2022 19:06:51 +0000 [thread overview] Message-ID: <bug-107038-4-VZ3VrKLBv8@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-107038-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038 Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|[13 Regression] Bogus |Bogus -Wstringop-overflow |-Wstringop-overflow= since |in dead code |r13-2789-gb40b3035879cf695 | --- Comment #7 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> --- [Removing the commit ref and regression since this has been known to fail for elfutils with __bdos] OK so here's a reduced reproducer that ought to avoid undefined behaviour. It is in fact a case of warning on unreachable code: typedef long int off_t; typedef long int ssize_t; typedef long unsigned int size_t; extern ssize_t foo_chk (void *buf, size_t nbytes, off_t offset, size_t sz) __attribute__((__access__(__write_only__, 1, 2))); extern ssize_t foo_alias (void *buf, size_t nbytes, off_t offset) __attribute__((__access__(__write_only__, 1, 2))); struct ar_hdr { int buf; char ar_size[10]; }; int elf_begin_rand(void) { struct ar_hdr h = {.ar_size = {0}}; size_t len = sizeof(h.ar_size); ssize_t recvd = 0; do { ssize_t ret; do { char *buf = h.ar_size + recvd; size_t nbytes = len - recvd; off_t offset = recvd + __builtin_offsetof (struct ar_hdr, ar_size); size_t bdos = __builtin_dynamic_object_size (buf, 0); if (__builtin_constant_p (bdos) && bdos == (size_t) -1) ret = foo_alias (buf, nbytes, offset); else ret = foo_chk (buf, nbytes, offset, bdos); } while (ret < 0); recvd += ret; } while ((size_t) recvd < len); return recvd; } So what's happening here is that ranger tries to infer the ranges backwards from the possibly taken branch foo_alias to start from the fact that bdos == -1. Here's the IR snippet: <bb 4> [local count: 1073741824]: # recvd_6 = PHI <recvd_2(3), 0(2)> recvd.0_1 = (sizetype) recvd_6; _25 = recvd.0_1 + 4; _26 = MAX_EXPR <_25, 16>; _27 = _26 - recvd.0_1; _24 = _27 + 18446744073709551612; buf_13 = &h.ar_size + recvd.0_1; nbytes_14 = 10 - recvd.0_1; _3 = recvd.0_1 + 4; offset_15 = (off_t) _3; bdos_16 = _24; Working backwards, _24 is seen to be +INF like bdos_16, which gives _27 the range of [3,3]. Given that _26 has range of [16, +INF], recvd.0_1 ends up with a range of [13, 18446744073709551612], leaving nbytes with a range of [14, 18446744073709551613]. Ideally somewhere in that chain there ought to have been some hint to indicate that one of those ranges is impossible, but there isn't. The nbytes range for example ought to be limited to [1-10]. Initializing ret in the above program allows ranger to see that correct range.
next prev parent reply other threads:[~2022-10-07 19:06 UTC|newest] Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-09-26 8:36 [Bug tree-optimization/107038] New: [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695 marxin at gcc dot gnu.org 2022-09-26 9:30 ` [Bug tree-optimization/107038] " rguenth at gcc dot gnu.org 2022-09-26 14:29 ` siddhesh at gcc dot gnu.org 2022-09-26 14:31 ` marxin at gcc dot gnu.org 2022-09-26 16:16 ` msebor at gcc dot gnu.org 2022-09-26 18:32 ` siddhesh at gcc dot gnu.org 2022-09-26 18:41 ` siddhesh at gcc dot gnu.org 2022-09-26 19:16 ` marxin at gcc dot gnu.org 2022-10-07 19:06 ` siddhesh at gcc dot gnu.org [this message] 2022-10-07 19:08 ` [Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code siddhesh at gcc dot gnu.org 2022-10-07 19:09 ` siddhesh at gcc dot gnu.org 2023-04-26 6:56 ` rguenth at gcc dot gnu.org 2023-07-27 9:23 ` rguenth at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-107038-4-VZ3VrKLBv8@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).