[Bug tree-optimization/107038] New: [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[Bug tree-optimization/107038] New: [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

            Bug ID: 107038
           Summary: [13 Regression] Bogus -Wstringop-overflow= since
                    r13-2789-gb40b3035879cf695
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: amacleod at redhat dot com, msebor at gcc dot gnu.org
  Target Milestone: ---

Created attachment 53627
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53627&action=edit
Original unreduced test-case

Reduced from elfutils:

$ cat core-file.c
#include <unistd.h>
struct ar_hdr {
  char ar_mode[8];
  char ar_size[10];
};

int r;

struct Elf {
  int fildes;
} pread_retry(int fd, void *buf, size_t len, off_t offset) {
  ssize_t recvd;
  r = pread(fd, buf + recvd, len - recvd, offset);
}

void elf_begin_rand() {
  struct Elf *parent;
  struct ar_hdr h;
  pread_retry(parent->fildes, h.ar_size, sizeof(h.ar_size), 0);
}

$ gcc core-file.c -c -O2 -Werror=stringop-overflow -D_FORTIFY_SOURCE=3
In file included from /usr/include/features.h:490,
                 from /usr/include/unistd.h:25,
                 from core-file.c:1:
In function ‘pread’,
    inlined from ‘pread_retry’ at core-file.c:13:7,
    inlined from ‘elf_begin_rand’ at core-file.c:19:3:
/usr/include/bits/unistd.h:74:10: error: ‘__pread_alias’ writing 18 or more
bytes into a region of size 10 overflows the destination
[-Werror=stringop-overflow=]
   74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
      |          ^~~~~~~~~~~~~~~
core-file.c: In function ‘elf_begin_rand’:
core-file.c:4:8: note: destination object ‘ar_size’ of size 10
    4 |   char ar_size[10];
      |        ^~~~~~~
/usr/include/bits/unistd.h:50:16: note: in a call to function ‘__pread_alias’
declared with attribute ‘access (write_only, 2, 3)’
   50 | extern ssize_t __REDIRECT (__pread_alias,
      |                ^~~~~~~~~~
cc1: some warnings being treated as errors

I'm attaching also original unreduced test-case.

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |diagnostic
   Target Milestone|---                         |13.0

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #1 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
recvd is uninitialized and it seems to be preventing optimization of the
fortify macro one way or for some reason.  I can take a look at why the
condition does not get folded away but a reproducer without undefined behaviour
may be more persuasive.  I assume this is elfutils #29614?

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
> I assume this is elfutils #29614?

Yes.

Please take a look at the original unreduced testcase I attached here.

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
Just a quick note from what I see in GDB.  The warning is issued by the 2nd run
of the waccess pass (-fdump-tree-waccess2) for the following statement in bb 22
in pread():

  iftmp.21_88 = __pread_alias (_50, _82, _81, _79);

_81's range reported by range_query::range_of_expr (vr, exp, stmt) is [58,
ULONG_MAX], matching the range in the warning.

A partial output of debug_ranger() for the function is below.  I must be
reading it wrong because  I don't see what the range above is derived from.

=========== BB 19 ============
Imports: recvd_78  _83  
Exports: _51  recvd_78  recvd.17_80  _83  _94  _116  _125  
_83     [irange] UNDEFINED
    <bb 19> [local count: 169058114]:
    if (_83 == 18446744073709551615)
      goto <bb 22>; [34.00%]
    else
      goto <bb 20>; [66.00%]

19->22  (T) _83 :       [irange] UNDEFINED
19->20  (F) _83 :       [irange] UNDEFINED

=========== BB 20 ============
Imports: _81  _83  
Exports: _81  _83  _85  _86  _87  
         _85 : _81(I)  _83(I)  
         _86 : _81(I)  _83(I)  _85  
         _87 : _81(I)  _83(I)  _85  _86  
_81     [irange] long unsigned int VARYING
_83     [irange] long unsigned int VARYING
    <bb 20> [local count: 280636469]:
    _85 = _81 <= _83;
    _86 = (int) _85;
    _87 = __builtin_constant_p (_86);
    if (_87 != 0)
      goto <bb 21>; [50.00%]
    else
      goto <bb 24>; [50.00%]

_86 : [irange] int [0, 1] NONZERO 0x1
_87 : [irange] int [0, 0] NONZERO 0x0
20->21  (T) _81 :       [irange] UNDEFINED
20->21  (T) _83 :       [irange] UNDEFINED
20->21  (T) _85 :       [irange] UNDEFINED
20->21  (T) _86 :       [irange] UNDEFINED
20->21  (T) _87 :       [irange] UNDEFINED
20->24  (F) _86 :       [irange] int [0, 1] NONZERO 0x1
20->24  (F) _87 :       [irange] int [0, 0] NONZERO 0x0

=========== BB 21 ============
Imports: recvd_78  _81  _83  
Exports: _51  recvd_78  recvd.17_80  _81  _83  _94  _116  _125  
_81     [irange] UNDEFINED
_83     [irange] UNDEFINED
    <bb 21> [local count: 140318235]:
    if (_81 <= _83)
      goto <bb 22>; [50.00%]
    else
      goto <bb 23>; [50.00%]

21->22  (T) _81 :       [irange] UNDEFINED
21->22  (T) _83 :       [irange] UNDEFINED
21->23  (F) _81 :       [irange] UNDEFINED
21->23  (F) _83 :       [irange] UNDEFINED

=========== BB 22 ============
    <bb 22> [local count: 127638877]:
    iftmp.21_88 = __pread_alias (_50, _82, _81, _79);
    goto <bb 25>; [100.00%]

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #4 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
(In reply to Martin Liška from comment #2)
> > I assume this is elfutils #29614?
> 
> Yes.
> 
> Please take a look at the original unreduced testcase I attached here.

That looks like unpatched elfutils.  I know you mentioned[1] that you're using
the latest elfutils but can you please confirm again?  Or maybe incorrect
preprocessed file?

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=29614#c2

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #5 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
(In reply to Siddhesh Poyarekar from comment #4)
> (In reply to Martin Liška from comment #2)
> > > I assume this is elfutils #29614?
> > 
> > Yes.
> > 
> > Please take a look at the original unreduced testcase I attached here.
> 
> That looks like unpatched elfutils.  I know you mentioned[1] that you're
> using the latest elfutils but can you please confirm again?  Or maybe
> incorrect preprocessed file?
> 
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=29614#c2

OK maybe that's irrelevant from the gcc perspective because this is basically
warning on unreachable code, which we know tends to happen sometimes.  The
comment is mainly for the elfutils issue you're facing.

[Bug tree-optimization/107038] [13 Regression] Bogus -Wstringop-overflow= since r13-2789-gb40b3035879cf695

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
> That looks like unpatched elfutils.  I know you mentioned[1] that you're
> using the latest elfutils but can you please confirm again?  Or maybe
> incorrect preprocessed file?
> 
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=29614#c2

Whoops, you are right. I've got 2 tested projects where only one contains the
latest elfutils snapshot.

[Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[13 Regression] Bogus       |Bogus -Wstringop-overflow
                   |-Wstringop-overflow= since  |in dead code
                   |r13-2789-gb40b3035879cf695  |

--- Comment #7 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
[Removing the commit ref and regression since this has been known to fail for
elfutils with __bdos]

OK so here's a reduced reproducer that ought to avoid undefined behaviour.  It
is in fact a case of warning on unreachable code:

typedef long int off_t;
typedef long int ssize_t;
typedef long unsigned int size_t;

extern ssize_t foo_chk (void *buf, size_t nbytes, off_t offset, size_t sz)
    __attribute__((__access__(__write_only__, 1, 2)));

extern ssize_t foo_alias (void *buf, size_t nbytes, off_t offset)
    __attribute__((__access__(__write_only__, 1, 2)));

struct ar_hdr
{
  int buf;
  char ar_size[10];
};

int
elf_begin_rand(void)
{
  struct ar_hdr h = {.ar_size = {0}};
  size_t len = sizeof(h.ar_size);
  ssize_t recvd = 0;

  do
    {
      ssize_t ret;
      do
        {
          char *buf = h.ar_size + recvd;
          size_t nbytes = len - recvd;
          off_t offset = recvd + __builtin_offsetof (struct ar_hdr, ar_size);
          size_t bdos = __builtin_dynamic_object_size (buf, 0);

          if (__builtin_constant_p (bdos) && bdos == (size_t) -1)
            ret = foo_alias (buf, nbytes, offset);
          else
            ret = foo_chk (buf, nbytes, offset, bdos);
        }
      while (ret < 0);
      recvd += ret;
    }
  while ((size_t) recvd < len);
  return recvd;
}

So what's happening here is that ranger tries to infer the ranges backwards
from the possibly taken branch foo_alias to start from the fact that bdos ==
-1.  Here's the IR snippet:


<bb 4> [local count: 1073741824]: 
# recvd_6 = PHI <recvd_2(3), 0(2)>
recvd.0_1 = (sizetype) recvd_6;   
_25 = recvd.0_1 + 4;              
_26 = MAX_EXPR <_25, 16>;         
_27 = _26 - recvd.0_1;            
_24 = _27 + 18446744073709551612; 
buf_13 = &h.ar_size + recvd.0_1;  
nbytes_14 = 10 - recvd.0_1;       
_3 = recvd.0_1 + 4;               
offset_15 = (off_t) _3;           
bdos_16 = _24;                    

Working backwards, _24 is seen to be +INF like bdos_16, which gives _27 the
range of [3,3].

Given that _26 has range of [16, +INF], recvd.0_1 ends up with a range of [13,
18446744073709551612], leaving nbytes with a range of [14,
18446744073709551613].

Ideally somewhere in that chain there ought to have been some hint to indicate
that one of those ranges is impossible, but there isn't.  The nbytes range for
example ought to be limited to [1-10].  Initializing ret in the above program
allows ranger to see that correct range.

[Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

--- Comment #8 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
I forgot to mention that I've been building with:

gcc/cc1 -o /dev/null ../bogus-stringop-overflow.i -O2 -Werror=stringop-overflow
-quiet

to reproduce the warning:

../bogus-stringop-overflow.i: In function ‘elf_begin_rand’:
../bogus-stringop-overflow.i:35:19: error: ‘foo_alias’ writing 14 or more bytes
into a region of size 10 overflows the destination [-Werror=stringop-overflow=]
   35 |             ret = foo_alias (buf, nbytes, offset);
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../bogus-stringop-overflow.i:14:8: note: destination object ‘ar_size’ of size
10
   14 |   char ar_size[10];
      |        ^~~~~~~
../bogus-stringop-overflow.i:8:16: note: in a call to function ‘foo_alias’
declared with attribute ‘access (write_only, 1, 2)’
    8 | extern ssize_t foo_alias (void *buf, size_t nbytes, off_t offset)
      |                ^~~~~~~~~
cc1: some warnings being treated as errors

[Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-10-07
            Version|13.0                        |12.0
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1

[Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|13.0                        |13.2

--- Comment #9 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 13.1 is being released, retargeting bugs to GCC 13.2.

[Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|13.2                        |13.3

--- Comment #10 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 13.2 is being released, retargeting bugs to GCC 13.3.