From: "qinzhao at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/109071] -Warray-bounds false positive warnings due to code duplication from jump threading
Date: Mon, 22 Apr 2024 21:19:03 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: qinzhao at gcc dot gnu.org
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109071

--- Comment #9 from qinzhao at gcc dot gnu.org ---
(In reply to Kees Cook from comment #8)
> Normally -Warray-bounds doesn't warn when a value is totally unknown (i.e.
> "index" here can be [-INT_MAX,INT_MAX]). Why does the warning change when
> the MAX_ENTRIES test is moved inside assign()?
It's due to both the inline transformation and the thread jump optimization (and some other compiler transformations in between).

***After GCC inlines both calls to "assign" into the caller "sparx5_set" and applies some other optimizations on the caller body before the thread jump phase, the body of the routine "sparx5_set" is (logically):

void sparx5_set (int * ptr, struct nums * sg, int index)
{
  if (index >= 4)
    warn ();
  *ptr = 0;
  *val = sg->vals[index];
  if (index >= 4)
    warn ();
  *ptr = *val;
  return;
}

***Thread jump optimization tries to reduce the # of branches inside the routine "sparx5_set"; in order to do this, sometimes it needs to duplicate the code. For the above routine, after thread jump optimization, the body of the routine "sparx5_set" becomes (logically):

void sparx5_set (int * ptr, struct nums * sg, int index)
{
  if (index >= 4)
    {
      warn ();
      *ptr = 0;                // code duplication, since "warn" does return;
      *val = sg->vals[index];  // same for this line. In this path, since it's under
                               // the condition "index >= 4", the compiler knows
                               // the value of "index" is larger than 4, therefore
                               // the out-of-bound warning.
      warn ();
    }
  else
    {
      *ptr = 0;
      *val = sg->vals[index];
    }
  *ptr = *val;
  return;
}

With the thread jump optimization, the # of branches inside the routine "sparx5_set" is reduced from 2 to 1; however, due to the code duplication (which is needed for the correctness of the code), we get an out-of-bound warning.

Actually, I don't think that the compiler's behavior is wrong, and it's not very reasonable for the users of -Warray-bounds to assume there are zero false positive warnings.

However, it might be reasonable to put such warnings under -Warray-bounds=2 but not under -Warray-bounds=1?
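As an added example (constructed here, not code from the bug report or from GCC): a compilable reconstruction of the two forms the comment describes, with assign() carrying the MAX_ENTRIES test inside the callee as in Kees Cook's question. The exact signature of assign(), the warn() counter and the sample data are assumptions, and the threaded form is hand-written to mirror the comment's sketch, not actual compiler output.

```c
#define MAX_ENTRIES 4
struct nums { int vals[MAX_ENTRIES]; };
/* Constructed stand-in for warn(): it returns, so the stores after it stay reachable. */
static int warn_count;
static void warn(void) { warn_count++; }

/* Assumed shape of assign(): the MAX_ENTRIES test sits inside the callee,
 * the variant Kees Cook asks about. The signature is an assumption. */
static void assign(int *ptr, int index, int val)
{
    if (index >= MAX_ENTRIES)
        warn();
    *ptr = val;
}

/* Source form: two calls to assign(), hence two copies of the same test. */
void sparx5_set(int *ptr, struct nums *sg, int index)
{
    assign(ptr, index, 0);
    assign(ptr, index, sg->vals[index]);
}

/* Hand-written equivalent of inlining + jump threading: a single branch on
 * index with the stores duplicated into both arms. In the then-arm the
 * compiler knows index >= MAX_ENTRIES, so the read of sg->vals[index]
 * there is what -Warray-bounds reports. */
void sparx5_set_threaded(int *ptr, struct nums *sg, int index)
{
    int val;
    if (index >= MAX_ENTRIES) {
        warn();
        *ptr = 0;
        val = sg->vals[index];   /* read on the index >= 4 path */
        warn();
    } else {
        *ptr = 0;
        val = sg->vals[index];
    }
    *ptr = val;
}

/* 1 if both forms store the same value and call warn() equally often for an in-range index. */
int forms_agree(int index)
{
    struct nums sg = { { 10, 20, 30, 40 } };   /* constructed sample data */
    int a = -1, b = -1, wa, wb;
    warn_count = 0; sparx5_set(&a, &sg, index);          wa = warn_count;
    warn_count = 0; sparx5_set_threaded(&b, &sg, index); wb = warn_count;
    return a == b && wa == wb && a == sg.vals[index];
}
```

Only in-range indexes are exercised, since for index >= 4 both forms read past vals[] exactly as the duplicated then-arm shows.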