public inbox for gcc-bugs@sourceware.org
* [Bug c/113752] New: [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
@ 2024-02-04  4:34 hjl.tools at gmail dot com
  2024-02-04  4:47 ` [Bug tree-optimization/113752] " pinskia at gcc dot gnu.org
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: hjl.tools at gmail dot com @ 2024-02-04  4:34 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

            Bug ID: 113752
           Summary: [14 Regression] warning: ‘%s’ directive writing up to
                    10218 bytes into a region of size between 0 and 10240
                    [-Wformat-overflow=]
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: hjl.tools at gmail dot com
  Target Milestone: ---

Created attachment 57315
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57315&action=edit
A testcase

[hjl@gnu-tgl-2 tmp]$  /usr/gcc-14.0.1-x32-apx/bin/gcc -O3 -S x.i -Wall 
In file included from tests-mbwc/tst_wctype.c:8:
tests-mbwc/tsp_common.c: In function ‘result.constprop.isra’:
tests-mbwc/tsp_common.c:55:24: warning: ‘%s’ directive writing up to 10218
bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
tests-mbwc/tsp_common.c:55:3: note: ‘sprintf’ output between 18 and 20484 bytes
into a destination of size 10256
[hjl@gnu-tgl-2 tmp]$ 

GCC 13 is OK.


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: pinskia at gcc dot gnu.org @ 2024-02-04  4:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs-bisection,
                   |                            |needs-reduction
   Target Milestone|---                         |14.0


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: hjl.tools at gmail dot com @ 2024-02-04  5:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2024-02-04
                 CC|                            |aldyh at redhat dot com
             Status|UNCONFIRMED                 |NEW

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
It is caused by r14-261.


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
From: hjl.tools at gmail dot com @ 2024-02-04  6:15 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
[hjl@gnu-skx-1 gcc]$ cat /tmp/foo.i
char a[10256];
char b;
char *c, *g;
int d, e, f;
int sprintf(char *, char *, ...);
unsigned long strlen(char *);
int h(char *j) {
  if (strlen(j) + strlen(c) + strlen(g) + 32 > 10256)
    return 0;
  sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return 1;
}
void i() { h("wctype"); }
[hjl@gnu-skx-1 gcc]$ ./xgcc -B./ -O3 -Wall -S /tmp/foo.i
/tmp/foo.i: In function ‘i’:
/tmp/foo.i:10:33: warning: ‘%s’ directive writing up to 10218 bytes into a
region of size between 0 and 10240 [-Wformat-overflow=]
   10 |   sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |                                 ^~
In function ‘h’,
    inlined from ‘i’ at /tmp/foo.i:13:12:
/tmp/foo.i:10:3: note: ‘sprintf’ output between 18 and 20484 bytes into a
destination of size 10256
   10 |   sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[hjl@gnu-skx-1 gcc]$


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: aldyh at gcc dot gnu.org @ 2024-02-12  9:46 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Aldy Hernandez <aldyh at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|aldyh at redhat dot com     |

--- Comment #3 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
Can't reproduce on x86-64 on recent trunk:

abulafia:~/bld/t/gcc []$ ./xgcc -B./ -c -O3 -Wall a.c
abulafia:~/bld/t/gcc []$ cat a.c
char a[10256];
char b;
char *c, *g;
int d, e, f;
int sprintf(char *, char *, ...);
unsigned long strlen(char *);
int h(char *j) {
  if (strlen(j) + strlen(c) + strlen(g) + 32 > 10256)
    return 0;
  sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return 1;
}


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: jakub at gcc dot gnu.org @ 2024-02-12 10:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Strange, it certainly does reproduce for me:
char a[10256], b, *c, *g;
int d, e, f;

int
foo (char *j)
{
  if (__builtin_strlen (j) + __builtin_strlen (c) + __builtin_strlen (g) + 32 > 10256)
    return 0;
  __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return 1;
}

void
bar (void)
{
  foo ("wctype");
}
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-8919 -quiet -O3 -Wall
pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a
region of size between 0 and 10240 [-Wformat-overflow=]
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |                                            ^~
In function ‘foo’,
    inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes
into a destination of size 10256
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-260 -quiet -O3 -Wall
pr113752.c
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-261 -quiet -O3 -Wall
pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a
region of size between 0 and 10240 [-Wformat-overflow=]
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |                                            ^~
In function ‘foo’,
    inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes
into a destination of size 10256
    9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: jakub at gcc dot gnu.org @ 2024-02-12 10:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
That said, the math at least in the reduced testcase is weird.
%d output is at most 11 bytes - strlen ("-2147483648"), + 9 other chars, so that
is 42, not 32.  But even using + 42 in there instead of 32 doesn't fix it.
It wouldn't surprise me if the misdesigned warning just sees that each of the
strlens clearly has a range [0, 10256-42], after all, when expressed as a range
there isn't much more to derive about it, and then uses that [0, 10214] range
for each of the %s specifiers.  Though, that is not what the warning says.  Ah,
maybe it is because j is known short after inlining or some IPA opts.
Also, because the strlen + strlen + strlen + cst > cst2 condition uses unsigned
type, wrap around is theoretically possible, e.g. one could have some
PTRDIFF_MAX - epsilon sized string and call it with c = g = j that string.

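The arithmetic from comment #5, worked through as an added example (not code from the thread or from GCC): the guard of the reduced testcase next to a size check that counts 42 bytes of overhead and cannot wrap around. The function names `guard_testcase`, `guard_checked` and `format_record` are hypothetical, and the lengths used in `main` are constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Worst case for "%s:%s:%d:%d:%d:%c:%s\n" apart from the three %s:
   3 x %d at 11 bytes each ("-2147483648") plus 9 other bytes
   (6 ':' + 1 for %c + '\n' + terminating NUL) = 42, as in comment #5. */
enum { INT_DEC_MAX = sizeof "-2147483648" - 1,
       OVERHEAD = 3 * INT_DEC_MAX + 9 };

/* Guard from the reduced testcase: +32 undercounts, and the unsigned
   sum can wrap around. Returns 1 when it would let sprintf run. */
int guard_testcase(size_t cap, size_t lj, size_t lc, size_t lg)
{
    return !(lj + lc + lg + 32 > cap);
}

/* Hypothetical replacement: subtract from the remaining room instead of
   adding lengths, so no intermediate value can wrap. */
int guard_checked(size_t cap, size_t lj, size_t lc, size_t lg)
{
    if (cap < OVERHEAD) return 0;
    size_t room = cap - OVERHEAD;
    if (lj > room) return 0;
    room -= lj;
    if (lc > room) return 0;
    room -= lc;
    return lg <= room;
}

/* Bounded formatter (hypothetical name): guard first, then snprintf so the
   write is limited to cap even if the guard were wrong. 1 = written. */
int format_record(char *dst, size_t cap, const char *j, const char *c,
                  int d, int e, int f, char b, const char *g)
{
    if (!guard_checked(cap, strlen(j), strlen(c), strlen(g)))
        return 0;
    int n = snprintf(dst, cap, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
    return n >= 0 && (size_t)n < cap;
}

int main(void)
{
    size_t half = (size_t)-1 / 2 + 1;   /* constructed length; 2 * half wraps to 0 */
    char buf[64];
    printf("len 10224: testcase=%d checked=%d\n",
           guard_testcase(10256, 10224, 0, 0), guard_checked(10256, 10224, 0, 0));
    printf("wrapping:  testcase=%d checked=%d\n",
           guard_testcase(10256, half, half, 0), guard_checked(10256, half, half, 0));
    if (format_record(buf, sizeof buf, "wctype", "C", -2147483647 - 1, 1, 2, 'x', "ok"))
        fputs(buf, stdout);
    return 0;
}
```

With a 10224-byte first string and three `INT_MIN` fields the output needs 10266 bytes including the NUL, which the `+ 32` guard accepts for a 10256-byte buffer and the checked guard rejects.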

* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: hjl.tools at gmail dot com @ 2024-02-12 13:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #6 from H.J. Lu <hjl.tools at gmail dot com> ---
I can reproduce it with r14-8930-g1e94648ab7b370


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: jakub at gcc dot gnu.org @ 2024-02-13 11:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Anyway, I think the testcase is very similar to
char a[256], *c, *g;

int
foo (void)
{
  if (__builtin_strlen (c) + __builtin_strlen (g) + 5 > 256)
    return 0;
  __builtin_sprintf (a, "abcd%s%s", c, g);
  return 1;
}
which has started diagnosing this with
r12-5014-g6b8b959675a3e14cfdd2145bd62e4260eb193765 at -O2 -Wall -W


* [Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: law at gcc dot gnu.org @ 2024-03-07 20:41 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Jeffrey A. Law <law at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |law at gcc dot gnu.org
           Priority|P3                          |P2


* [Bug tree-optimization/113752] [14/15 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c
From: rguenth at gcc dot gnu.org @ 2024-05-07  7:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|14.0                        |14.2

--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 14.1 is being released, retargeting bugs to GCC 14.2.

