From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id F267A385841E; Tue, 9 Apr 2024 11:41:38 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F267A385841E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1712662898; bh=ALotZbFzIjjjIy9JvFcfmSzHh/77EziuJONJ/uU4EF8=; h=From:To:Subject:Date:In-Reply-To:References:From; b=bx2GC/L1Adsl6rrWwB59NAnnCvKQBarcbBUVS3hiFnLvQc0L0SCfSaQRnsanAp6uY ipnQ/pOEYLkXMgKUrpUCwbernZsw+VsH1cBDza6aWppWNN1rV1JTJsk2ULfdZE2bvP WIQdORBtM744CWvC/+PIjTnnfxNF+awyGAkWSZ0w= From: "jakub at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/114472] [14 Regression] ICE: in falls_short_of_p, at analyzer/store.cc:365 (in exceeds_p, at analyzer/store.cc:342) with -fanalyzer Date: Tue, 09 Apr 2024 11:41:36 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: analyzer X-Bugzilla-Version: 14.0 X-Bugzilla-Keywords: ice-on-valid-code X-Bugzilla-Severity: normal X-Bugzilla-Who: jakub at gcc dot gnu.org X-Bugzilla-Status: ASSIGNED X-Bugzilla-Resolution: X-Bugzilla-Priority: P1 X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org X-Bugzilla-Target-Milestone: 14.0 X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D114472 Jakub Jelinek changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jakub at gcc dot gnu.org --- Comment #2 from Jakub Jelinek --- strncpy (..., -1) is an always UB case; the testcase has UB already on &s -= 3, but get_next_bit_offset of -32 suggests that it is somehow adding the -3 * BITS_PER_UNIT offset from the source and the -1 * BITS_PER_UNIT from the si= ze.=20 That is wrong, first of all, strncpy from the source copies just at most that many bytes, = in a valid program there would need to be a '\0' far before that as one can't do pointer arithmetics in char * past half of the address space; plus the size isn't negative, it is positive 0xffffffffffffffffULL on x86-64. The reason strncpy would be UB with [LONG_MAX + 1UL, ULONG_MAX] last argume= nt is that it then has to fill the rest of the buffer with '\0's and again the pointer arithmetics isn't well defined in that case.=