From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 1177D3858D33; Fri, 31 Mar 2023 14:30:41 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1177D3858D33
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1680273041;
	bh=BfBrnIG3rIJHKX074Y0kU+rY0nD1OTDq6rAU1FPmq6g=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=h3fNifT/UV4ySH+hHxwx3pniaGtSxL9zVwE1OIaVpyNJpI9YcybXnUYLdpA8wVwZu
	 4r+BXPLMT/g7wZz1hZZbiUWnzfr/8bAQvMWcKTP6jO707uIpCSYibPjGV+/fkJkoyU
	 HyCWfiDClA/1TVdXkrwfLTHqXizvMLYcYshmMcJg=
From: "amacleod at redhat dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/109350] FAIL:
 g++.dg/warn/Wstringop-overflow-4.C
Date: Fri, 31 Mar 2023 14:30:40 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Who: amacleod at redhat dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-109350-4-wGd3nnerPP@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-109350-4@http.gcc.gnu.org/bugzilla/>
References: <bug-109350-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gcc-bugs.sourceware.org>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109350

--- Comment #3 from Andrew Macleod <amacleod at redhat dot com> ---
On 3/31/23 03:17, rguenth at gcc dot gnu.org wrote:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109350
>
> Richard Biener <rguenth at gcc dot gnu.org> changed:
>
>             What    |Removed                     |Added
> -------------------------------------------------------------------------=
---
>                   CC|                            |amacleod at redhat dot =
com
>
> --- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
> Hmm, the same reproduces with r_imin_imax as ptrdiff_t but the IL is a bit
> more obvious:
>
> <bb 2> [local count: 1073741824]:
> _27 =3D{v} signed_value_source;
> _4 =3D (unsigned long) _27;
> _8 =3D _4 + 2147483648;
> if (_8 > 4294967295)
>    goto <bb 8>; [50.00%]
> else
>    goto <bb 3>; [50.00%]
>
> <bb 3> [local count: 536870913]:
> _30 =3D _27 + 1;
> _28 =3D (sizetype) _30;
> if (_4 <=3D 4611686018427387900)
>    goto <bb 4>; [50.00%]
> else
>    goto <bb 5>; [50.00%]
>
> <bb 5> [local count: 268435458]:
> _12 =3D operator new [] (18446744073709551615);
> __builtin_memcpy (_12, &MEM <const char[37]> [(void
> *)"0123456789abcdefghijklmnopqrstuvwxyz" + 35B], 2);
> sink (_12);
> if (_28 <=3D 4611686018427387900)
>    goto <bb 9>; [100.00%]
> else
>    goto <bb 7>; [0.00%]
>
> <bb 9> [local count: 0]:
> iftmp.2_37 =3D _28 * 2;
> _39 =3D operator new [] (iftmp.2_37);
> __builtin_memcpy (_39, &MEM <const char[37]> [(void
> *)"0123456789abcdefghijklmnopqrstuvwxyz" + 34B], 3);
>
> so we have (unsigned long)[int_min, int_max] > 4611686018427387900
> && (unsigned long)[int_min+1, int_max+1] <=3D 4611686018427387900 to
> constrain _4.  I don't see how we can arrive at [0,0] for iftmp.2_37.


Looking at what ranger produces for vrp2 (same code just a few passes=20
later):

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D BB 2 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Imports: _28
Exports: _4=C2=A0 _10=C2=A0 _28
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 _4 : _28(I)
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 _10 : _4=C2=A0 _28(I)
Partial equiv (_4 pe64 _28)
Relational : (_10 !=3D _4)
 =C2=A0=C2=A0=C2=A0 <bb 2> [local count: 1073741824]:
 =C2=A0=C2=A0=C2=A0 _28 =3D{v} signed_value_source;
 =C2=A0=C2=A0=C2=A0 _4 =3D (unsigned long) _28;
 =C2=A0=C2=A0=C2=A0 _10 =3D _4 + 2147483648;
 =C2=A0=C2=A0=C2=A0 if (_10 > 4294967295)
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 goto <bb 8>; [50.00%]
 =C2=A0=C2=A0=C2=A0 else
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 goto <bb 3>; [50.00%]

2->3=C2=A0 (F) _4 :=C2=A0 [irange] unsigned long [0,=20
2147483647][18446744071562067968, +INF]
2->3=C2=A0 (F) _10 :=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irang=
e] unsigned long [0, 4294967295] NONZERO=20
0xffffffff
2->3=C2=A0 (F) _28 :=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irang=
e] long int [-2147483648, 2147483647]

on entry top BB3 , _28 has the full range of a signed int in a long int=20
body.


=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D BB 3 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

_4=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irange] unsigned long [0, 2147483647][184=
46744071562067968, +INF]
_28=C2=A0=C2=A0=C2=A0=C2=A0 [irange] long int [-2147483648, 2147483647]
Partial equiv (r_imin_imax_8 pe32 _28)
Relational : (_31 > r_imin_imax_8)
 =C2=A0=C2=A0=C2=A0 <bb 3> [local count: 536870913]:
 =C2=A0=C2=A0=C2=A0 r_imin_imax_8 =3D (int) _28;=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 << THIs is=20
varying, which is why it isnt printed anywhere
 =C2=A0=C2=A0=C2=A0 _31 =3D r_imin_imax_8 + 1;=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0 <<=C2=A0=C2=A0 signed traps on overflowt,=C2=A0 so=20
this would be [min+1, +INF]
 =C2=A0=C2=A0=C2=A0 _29 =3D (sizetype) _31;=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0 <<=C2=A0 sizetype is a larger unsigned=20
object,so the possible values for it are [0,=20
2147483647][18446744071562067969, +INF]
 =C2=A0=C2=A0=C2=A0 if (_4 <=3D 4611686018427387900)=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 << this leaves _4 with=20
possible values of [18446744071562067968, +INF] on the FALSE branch.
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 goto <bb 4>; [50.00%]
 =C2=A0=C2=A0=C2=A0 else
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 goto <bb 5>; [50.00%]


_29 : [irange] sizetype [0, 2147483647][18446744071562067969, +INF]
_31 : [irange] int [-2147483647, +INF]

When we recalculate values based on the range of _4 on the false=20
branch,=C2=A0 intersected with their knowns ranges, it comes up with this


3->5=C2=A0 (F) _4 :=C2=A0 [irange] unsigned long [18446744071562067968, +IN=
F]
3->5=C2=A0 (F) r_imin_imax_8 :=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irange]=
 int [-INF, -1]
3->5=C2=A0 (F) _28 :=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irang=
e] long int [-2147483648, -1]
3->5=C2=A0 (F) _29 :=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irang=
e] sizetype [0, 0][18446744071562067969, +INF]
3->5=C2=A0 (F) _31 :=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 [irang=
e] int [-2147483647, 0]

when we feed that value of _4 into

[18446744071562067968, +INF] =3D (unsigned long)28

in BB2, we discover the only possible valiues of _28 are [-2147483648,=20
-1] on this branch.
We now go an recalculate r_imin_imax_8, _31 and _29 based on this new=20
value of _28 and come up with those ranges

that means when we get to bb5, and see
 =C2=A0=C2=A0=C2=A0 if (_29 <=3D 4611686018427387900)
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 goto <bb 9>; [100.00%]

the only possible value of _29 on this branch is a [0,0]=C2=A0=C2=A0 And th=
ats a=20
direct result of _31 =3D [-INF, -1] + 1=C2=A0 before _20 is created with th=
e cast.

yikes.=C2=A0 talk about convoluted...


>
> In fact if I put this into a separate testcase like
>
> void __attribute__((noipa))
> foo (long signed_value_source)
> {
>    unsigned long temu =3D signed_value_source;
>    if (temu + 2147483648 > 4294967295)
>      ;
>    else
>      {
>       long tems =3D signed_value_source + 1;
>       unsigned long temu2 =3D tems;
>       if (temu > 4611686018427387900)
>         if (temu2 <=3D 4611686018427387900)
>           {
>             unsigned long iftmp =3D temu2 * 2;
>             if (iftmp =3D=3D 0)
>               __builtin_abort ();
>           }
>      }
> }
>
> then we optimize this to
>
>    <bb 2> [local count: 1073741824]:
>    temu_3 =3D (long unsigned int) signed_value_source_2(D);
>    _1 =3D temu_3 + 2147483648;
>    if (_1 > 4294967295)
>      goto <bb 5>; [50.00%]
>    else
>      goto <bb 3>; [50.00%]
>
>    <bb 3> [local count: 536870913]:
>    if (signed_value_source_2(D) =3D=3D -1)
>      goto <bb 4>; [0.00%]
>    else
>      goto <bb 5>; [100.00%]
>
>    <bb 4> [count: 0]:
>    __builtin_abort ();
>
> and the outer if doesn't change the inner range result.
>
I bet if we used temu_3 at the abort point it would.=C2=A0 I changed it to=
=20
bar (temu) from the abort:

 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (iftmp =3D=
=3D 0)
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 b=
ar (temu);

 From EVRP:

 =C2=A0 temu_5 =3D (long unsigned int) signed_value_source_4(D);
 =C2=A0 _1 =3D temu_5 + 2147483648;
 =C2=A0 if (_1 > 4294967295)
 =C2=A0=C2=A0=C2=A0 goto <bb 6>; [INV]
 =C2=A0 else
 =C2=A0=C2=A0=C2=A0 goto <bb 3>; [INV]

 =C2=A0 <bb 3> :
 =C2=A0 tems_7 =3D signed_value_source_4(D) + 1;
 =C2=A0 temu2_8 =3D (long unsigned int) tems_7;
 =C2=A0 if (temu_5 > 4611686018427387900)
 =C2=A0=C2=A0=C2=A0 goto <bb 4>; [INV]
 =C2=A0 else
 =C2=A0=C2=A0=C2=A0 goto <bb 6>; [INV]

 =C2=A0 <bb 4> :
 =C2=A0 if (temu2_8 <=3D 4611686018427387900)
 =C2=A0=C2=A0=C2=A0 goto <bb 5>; [INV]
 =C2=A0 else
 =C2=A0=C2=A0=C2=A0 goto <bb 6>; [INV]

 =C2=A0 <bb 5> :
 =C2=A0 bar (-1);


Andrew=