public inbox for gcc-bugs@sourceware.org
* [Bug c/113752] New: [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: hjl.tools at gmail dot com @ 2024-02-04 4:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Bug ID: 113752
Summary: [14 Regression] warning: ‘%s’ directive writing up to
10218 bytes into a region of size between 0 and 10240
[-Wformat-overflow=]
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: hjl.tools at gmail dot com
Target Milestone: ---
Created attachment 57315
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57315&action=edit
A testcase
[hjl@gnu-tgl-2 tmp]$ /usr/gcc-14.0.1-x32-apx/bin/gcc -O3 -S x.i -Wall
In file included from tests-mbwc/tst_wctype.c:8:
tests-mbwc/tsp_common.c: In function ‘result.constprop.isra’:
tests-mbwc/tsp_common.c:55:24: warning: ‘%s’ directive writing up to 10218
bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
tests-mbwc/tsp_common.c:55:3: note: ‘sprintf’ output between 18 and 20484 bytes
into a destination of size 10256
[hjl@gnu-tgl-2 tmp]$
GCC 13 is OK.
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: pinskia at gcc dot gnu.org @ 2024-02-04 4:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |needs-bisection,
| |needs-reduction
Target Milestone|--- |14.0
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: hjl.tools at gmail dot com @ 2024-02-04 5:58 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
H.J. Lu <hjl.tools at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Last reconfirmed| |2024-02-04
CC| |aldyh at redhat dot com
Status|UNCONFIRMED |NEW
--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
It is caused by r14-261.
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: hjl.tools at gmail dot com @ 2024-02-04 6:15 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
[hjl@gnu-skx-1 gcc]$ cat /tmp/foo.i
char a[10256];
char b;
char *c, *g;
int d, e, f;
int sprintf(char *, char *, ...);
unsigned long strlen(char *);
int h(char *j) {
if (strlen(j) + strlen(c) + strlen(g) + 32 > 10256)
return 0;
sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
return 1;
}
void i() { h("wctype"); }
[hjl@gnu-skx-1 gcc]$ ./xgcc -B./ -O3 -Wall -S /tmp/foo.i
/tmp/foo.i: In function ?i?:
/tmp/foo.i:10:33: warning: ?%s? directive writing up to 10218 bytes into a
region of size between 0 and 10240 [-Wformat-overflow=]
10 | sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
| ^~
In function ?h?,
inlined from ?i? at /tmp/foo.i:13:12:
/tmp/foo.i:10:3: note: ?sprintf? output between 18 and 20484 bytes into a
destination of size 10256
10 | sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[hjl@gnu-skx-1 gcc]$
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: aldyh at gcc dot gnu.org @ 2024-02-12 9:46 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Aldy Hernandez <aldyh at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|aldyh at redhat dot com |
--- Comment #3 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
Can't reproduce on x86-64 on recent trunk:
abulafia:~/bld/t/gcc []$ ./xgcc -B./ -c -O3 -Wall a.c
abulafia:~/bld/t/gcc []$ cat a.c
char a[10256];
char b;
char *c, *g;
int d, e, f;
int sprintf(char *, char *, ...);
unsigned long strlen(char *);
int h(char *j) {
if (strlen(j) + strlen(c) + strlen(g) + 32 > 10256)
return 0;
sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
return 1;
}
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: jakub at gcc dot gnu.org @ 2024-02-12 10:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jakub at gcc dot gnu.org
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Strange, it certainly does reproduce for me:
char a[10256], b, *c, *g;
int d, e, f;
int
foo (char *j)
{
if (__builtin_strlen (j) + __builtin_strlen (c) + __builtin_strlen (g) + 32 >
10256)
return 0;
__builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
return 1;
}
void
bar (void)
{
foo ("wctype");
}
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-8919 -quiet -O3 -Wall
pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a
region of size between 0 and 10240 [-Wformat-overflow=]
9 | __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
| ^~
In function ‘foo’,
inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes
into a destination of size 10256
9 | __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-260 -quiet -O3 -Wall
pr113752.c
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-261 -quiet -O3 -Wall
pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a
region of size between 0 and 10240 [-Wformat-overflow=]
9 | __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
| ^~
In function ‘foo’,
inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes
into a destination of size 10256
9 | __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: jakub at gcc dot gnu.org @ 2024-02-12 10:23 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
That said, the math at least in the reduced testcase is weird.
%d output is at most 11 bytes - strlen ("-2147483648"), + 9 other chars, so
that is 42, not 32. But even using + 42 in there instead of 32 doesn't fix it.
It wouldn't surprise me if the misdesigned warning just sees that each of the
strlens clearly has a range [0, 10256-42], after all, when expressed as a range
there isn't much more to derive about it, and then uses that [0, 10214] range
for each of the %s specifiers. Though, that is not what the warning says. Ah,
maybe it is because j is known short after inlining or some IPA opts.
Also, because the strlen + strlen + strlen + cst > cst2 condition uses unsigned
type, wrap around is theoretically possible, e.g. one could have some
PTRDIFF_MAX - epsilon sized string and call it with c = g = j that string.
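The length arithmetic from Comment #5, as an added example that is not part of the thread or of GCC: it contrasts the testcase's "+ 32" unsigned-sum guard with a wrap-free budget check that reserves the full 42 bytes, and formats through snprintf. The names naive_guard_ok, checked_guard_ok, format_record and FIXED_MAX are hypothetical; it assumes a 32-bit int, and lengths are passed as numbers so the wrap-around case can be evaluated without allocating such strings.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP 10256 /* size of a[] in the thread's testcase */
/* Worst case for everything but the three %s, assuming 32-bit int:
   3 x "-2147483648" (11 each) + six ':' + %c + '\n' + NUL = 42. */
#define FIXED_MAX (3 * 11 + 6 + 1 + 1 + 1)

/* Guard as written in the testcase: unsigned sum plus the constant 32. */
static int naive_guard_ok(size_t lj, size_t lc, size_t lg)
{
    return !(lj + lc + lg + 32 > CAP);
}

/* Wrap-free guard: take each length out of the remaining budget. */
static int checked_guard_ok(size_t cap, size_t lj, size_t lc, size_t lg)
{
    if (cap < FIXED_MAX) return 0;
    size_t room = cap - FIXED_MAX;
    if (lj > room) return 0;
    room -= lj;
    if (lc > room) return 0;
    room -= lc;
    return lg <= room;
}

/* Returns bytes written (excluding the NUL), or -1 if the record does not
   fit. snprintf still bounds the write if the guard is ever wrong. */
static int format_record(char *dst, size_t cap, const char *j, const char *c,
                         int d, int e, int f, char b, const char *g)
{
    if (!checked_guard_ok(cap, strlen(j), strlen(c), strlen(g)))
        return -1;
    int n = snprintf(dst, cap, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    static char out[CAP];
    size_t big = (size_t)PTRDIFF_MAX; /* c == j, both huge; g empty */
    printf("naive=%d checked=%d\n", naive_guard_ok(big, big, 0),
           checked_guard_ok(CAP, big, big, 0));
    printf("len=%d\n", format_record(out, CAP, "wctype", "c", INT_MIN,
                                     INT_MIN, INT_MIN, 'x', "g"));
    return 0;
}
```

This shows the arithmetic only; whether GCC 14 still emits the -Wformat-overflow diagnostic for a rewritten guard is not something the thread establishes.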
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: hjl.tools at gmail dot com @ 2024-02-12 13:52 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
--- Comment #6 from H.J. Lu <hjl.tools at gmail dot com> ---
I can reproduce it with r14-8930-g1e94648ab7b370
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: jakub at gcc dot gnu.org @ 2024-02-13 11:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Anyway, I think the testcase is very similar to
char a[256], *c, *g;
int
foo (void)
{
if (__builtin_strlen (c) + __builtin_strlen (g) + 5 > 256)
return 0;
__builtin_sprintf (a, "abcd%s%s", c, g);
return 1;
}
which has started diagnosing this with
r12-5014-g6b8b959675a3e14cfdd2145bd62e4260eb193765 at -O2 -Wall -W
* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: law at gcc dot gnu.org @ 2024-03-07 20:41 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Jeffrey A. Law <law at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |law at gcc dot gnu.org
Priority|P3 |P2
* [Bug tree-optimization/113752] [14/15 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: rguenth at gcc dot gnu.org @ 2024-05-07 7:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|14.0 |14.2
--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 14.1 is being released, retargeting bugs to GCC 14.2.