From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 1CBC43858CDB; Thu, 4 May 2023 11:11:19 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1CBC43858CDB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1683198679; bh=roi5Gn/zGSbTtJCBZNlIabT7eOA3axm3g/lzsNZQocQ=; h=From:To:Subject:Date:In-Reply-To:References:From; b=M/jhZ4bHZtOveJhpyNXDuqkAeCUhxftjtQJ7kprQMl+EbQ65bnUYFhiRa9Ltg9o5s N3VOT6v025hUN0KLz6DbTFYgFdH4Vt/3NTx5MeKYEFMEdpzuSpqQryoe46fPnmW2hV MGYRcW7kHYTWitTRZ5NwwBt9AQ5xL3ELGR0kOvKo= From: "rguenth at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug libstdc++/109717] -Warray-bound error with gnu++20 and fmt library Date: Thu, 04 May 2023 11:11:18 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: libstdc++ X-Bugzilla-Version: 13.1.0 X-Bugzilla-Keywords: diagnostic X-Bugzilla-Severity: normal X-Bugzilla-Who: rguenth at gcc dot gnu.org X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc everconfirmed bug_status component cf_reconfirmed_on Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D109717 Richard Biener changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jwakely.gcc at gmail dot c= om, | |rguenth at gcc dot gnu.org Ever confirmed|0 |1 Status|UNCONFIRMED |NEW Component|tree-optimization |libstdc++ Last reconfirmed| |2023-05-04 --- Comment #5 from Richard Biener --- So we see [local count: 14986075]: _60 =3D operator new (4); _43 =3D MEM[(const struct buffer *)this_10(D)].size_; _44 =3D _43 * 4; _63 =3D (signed long) _44; if (_63 > 4) goto ; [90.00%] else goto ; [10.00%] [local count: 12138721]: __builtin_memmove (_60, pretmp_118, _44); goto ; [100.00%] and if _63 > 4 then the memmove will write out of bounds of the allocated storage. The stringop-overflow diagnostic is about the same thing. There's eventually a missed optimization that we do not discover this path as not taken, but I do not see any write to size_ in the function. There's [local count: 272474101]: *pretmp_118 =3D 1; if (pretmp_154 =3D=3D 0) goto ; [50.00%] else goto ; [50.00%] and [local count: 148083751]: pretmp_118 =3D MEM[(struct buffer *)this_10(D)].ptr_; pretmp_154 =3D MEM[(struct buffer *)this_10(D)].capacity_; if (exp_6(D) =3D=3D 0) goto ; [20.24%] else goto ; [79.76%] but given capacity is zero on this path size_ is probably zero as well (but that's not visible here). An assertion in the library that size_ <=3D capacity_ would maybe help. To sum up, there's nothing the diagnostic code can do here - it simply doesn't have sufficient information to prune this diagnostic.=