[Bug tree-optimization/110603] [14 Regression] GCC, ICE: internal compiler error: in verify_range, at value-range.cc:1104 since r14-255

["cvs-commit at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110603

--- Comment #7 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:b338fdbc2b74f25c07da263a1f5983421fac1a53

commit r14-8487-gb338fdbc2b74f25c07da263a1f5983421fac1a53
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Mon Jan 29 10:20:32 2024 +0100

    tree-ssa-strlen: Fix pdata->maxlen computation [PR110603]

    On the following testcase we emit an invalid range of [2, 1] due to
    UB in the source.  Older VRP code silently swapped the boundaries and
    made [1, 2] range out of it, but newer code just ICEs on it.

    The reason for pdata->minlen 2 is that we see a memcpy in this case
    setting both elements of the array to non-zero value, so strlen (a)
    can't be smaller than 2.  The reason for pdata->maxlen 1 is that in
    char a[2] array without UB there can be at most 1 non-zero character
    because there needs to be '\0' termination in the buffer too.

    IMHO we shouldn't create invalid ranges like that and even creating
    for that case a range [1, 2] looks wrong to me, so the following patch
    just doesn't set maxlen in that case to the array size - 1, matching
    what will really happen at runtime when triggering such UB (strlen will
    be at least 2, perhaps more or will crash).
    This is what the second hunk of the patch does.

    The first hunk fixes a fortunately harmless thinko.
    If the strlen pass knows the string length (i.e. get_string_length
    function returns non-NULL), we take a different path, we get to this
    only if all we know is that there are certain number of non-zero
    characters but we don't know what it is followed with, whether further
    non-zero characters or zero termination or either of that.
    If we know exactly how many non-zero characters it is, such as
    char a[42];
    ...
      memcpy (a, "01234567890123456789", 20);
    then we take an earlier if for the INTEGER_CST case and set correctly
    just pdata->minlen to 20 in that case, but if we have something like
      int len;
      ...
      if (len < 15 || len > 32) return;
      memcpy (a, "0123456789012345678901234567890123456789", len);
    then we have [15, 32] range for the nonzero_chars and we set pdata->minlen
    correctly to 15, but incorrectly set also pdata->maxlen to 32.  That is
    not what the above implies, it just means that in some cases we know that
    there are at least 32 non-zero characters, followed by something we don't
    know.  There is no guarantee that there is '\0' right after it, so it
    means nothing.
    The reason this is harmless, just confusing, is that the code a few lines
    later fortunately overwrites this incorrect pdata->maxlen value with
    something different (either array length - 1 or all ones etc.).

    2024-01-29  Jakub Jelinek  <jakub@redhat.com>

            PR tree-optimization/110603
            * tree-ssa-strlen.cc (get_range_strlen_dynamic): Remove incorrect
            setting of pdata->maxlen to vr.upper_bound (which is
unconditionally
            overwritten anyway).  Avoid creating invalid range with minlen
            larger than maxlen.  Formatting fix.

            * gcc.c-torture/compile/pr110603.c: New test.