[Bug c++/108197] New: -Wstringop-overread emitted on simple boost small_vector code

[Bug c++/108197] New: -Wstringop-overread emitted on simple boost small_vector code

[steveire at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108197

            Bug ID: 108197
           Summary: -Wstringop-overread emitted on simple boost
                    small_vector code
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: steveire at gmail dot com
  Target Milestone: ---

```

#include <boost/container/small_vector.hpp>

struct MyThing
{
    int d0 = {};
};

void modify(boost::container::small_vector<MyThing, 10> &pp)
{
    pp.resize(1);

    pp[0].d0 = 3;
}

void foo()
{
    boost::container::small_vector<MyThing, 10> pp2;

    boost::container::small_vector<MyThing, 10> pp;

    pp.resize(1);

    pp[0].d0 = 2;

    pp2 = std::move(pp);
}
```

gives

```
/opt/compiler-explorer/libs/boost_1_80_0/boost/container/detail/copy_move_algo.hpp:184:19:
warning: 'void* __builtin_memcpy(void*, const void*, long unsigned int)'
reading between 41 and 9223372036854775804 bytes from a region of size 40
[-Wstringop-overread]
  184 |       std::memmove(dest_raw, beg_raw, sizeof(value_type)*n);
```

https://godbolt.org/z/rs3oj3YoE

Even though modify is never called, it must be in the code to reproduce the
bug.

[Bug tree-optimization/108197] [12/13 Regression] -Wstringop-overread emitted on simple boost small_vector code

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108197

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
          Component|c++                         |tree-optimization
      Known to work|                            |11.3.1
             Status|UNCONFIRMED                 |NEW
            Summary|-Wstringop-overread emitted |[12/13 Regression]
                   |on simple boost             |-Wstringop-overread emitted
                   |small_vector code           |on simple boost
                   |                            |small_vector code
           Keywords|                            |diagnostic
             Blocks|                            |97048
   Last reconfirmed|                            |2022-12-22
   Target Milestone|---                         |12.3

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.  We have

<bb 6> [local count: 321929297]:
_58 = _43 * 4;
_40 = (signed long) _58;
_67 = _40 /[ex] 4;
sz_68 = (const size_type) _67;
if (_58 > 40)
  goto <bb 7>; [51.12%]
else
  goto <bb 16>; [48.88%]

<bb 7> [local count: 164570258]:
if (_58 > 9223372036854775804)
  goto <bb 8>; [0.00%]
else
  goto <bb 9>; [100.00%]

...

<bb 14> [local count: 133301908]:
__builtin_memcpy (_82, &MEM[(const struct small_vector_base
*)&pp].m_storage_start.data, _58);

so we get a constraint on _58, the lower bound causes us to warn.  The
.data field is only 4 bytes in size, so the access is clearly out
of bounds.  Maybe it is unreachable, the initialization seems to happen
in a function not inlined:

boost::container::expand_forward_and_insert_alloc.isra (&MEM[(struct
small_vector_base *)&pp].m_storage_start.data, &MEM[(struct small_vector_base
*)&pp].m_storage_start.data, 1);
_42 = MEM[(struct vector_alloc_holder *)&pp].m_size;

it looks like boost already uses always_inline a lot but it doesn't
forcefully expose the setting of m_size, so there's not much we can
do about this diagnostic.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97048
[Bug 97048] [meta-bug] bogus/missing -Wstringop-overread warnings

[Bug tree-optimization/108197] [12/13 Regression] -Wstringop-overread emitted on simple boost small_vector code

[steveire at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108197

--- Comment #2 from Stephen <steveire at gmail dot com> ---
Richard, are you saying this a bug in the boost code? It's not quite clear to
me from your message. Can you be more specific about what the bug is in that
case?

[Bug tree-optimization/108197] [12/13 Regression] -Wstringop-overread emitted on simple boost small_vector code

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108197

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
(In reply to Stephen from comment #2)
> Richard, are you saying this a bug in the boost code? It's not quite clear
> to me from your message. Can you be more specific about what the bug is in
> that case?

I wouldn't call it a bug in boost, it's simply unfortunate circumstances that
trigger GCC diagnosing this which is likely dead code (but I see no way for
GCC to prove it is dead)

[Bug tree-optimization/108197] [12/13 Regression] -Wstringop-overread emitted on simple boost small_vector code

[law at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108197

Jeffrey A. Law <law at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |law at gcc dot gnu.org
           Priority|P3                          |P2

[Bug tree-optimization/108197] [12/13/14 Regression] -Wstringop-overread emitted on simple boost small_vector code

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108197

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|12.3                        |12.4

--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 12.3 is being released, retargeting bugs to GCC 12.4.