public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher
@ 2024-05-12 23:27 weilercdale at gmail dot com
2024-05-12 23:29 ` [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) " sjames at gcc dot gnu.org
` (12 more replies)
0 siblings, 13 replies; 14+ messages in thread
From: weilercdale at gmail dot com @ 2024-05-12 23:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
Bug ID: 115056
Summary: Miscompilation triggering -Wstringop-overflow and
-Warray-bounds warning when -O2 or higher
Product: gcc
Version: 14.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: rtl-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: weilercdale at gmail dot com
Target Milestone: ---
I've isolated what appears to be an unsound __builtin_memset optimization
applied by gcc 14.1.1 on a hash function in a cryptographic library where it
writes one byte beyond the end of a buffer. The compiler thankfully reports two
warnings when it happens.
The isolated test case is small so I'll provide it inline
#include <string.h>
#include <stdio.h>
typedef union {
unsigned char as_bytes[64];
unsigned long long as_chunks[64 / sizeof(unsigned long long)];
} Block;
int main(int argc, char **argv) {
Block block;
int i = strlen(argv[0]), j = 0;
for (; j < i; j++) block.as_bytes[j] = argv[0][j];
while (++j & 7) block.as_bytes[j] = 0;
if (j > 56) while (j < 64) block.as_bytes[j++] = 0;
while (j < 56) block.as_bytes[j++] = 0;
for (j = 0; j < 8; j++) printf("%d\n", (int)block.as_chunks[j]);
}
Compiling this with -O2 produces the following warning
t.c: In function ‘main’:
t.c:12:56: warning: ‘__builtin_memset’ writing 8 bytes into a region of size 7
overflows the destination [-Wstringop-overflow=]
12 | if (j > 56) while (j < 64) block.as_bytes[j++] = 0;
| ~~~~~~~~~~~~~~~~~~~~^~~
t.c:8:15: note: at offset [57, 63] into destination object ‘block’ of size 64
8 | Block block;
| ^~~~~
Compiling this with -O2 and -Wall produces the following warning
t.c: In function ‘main’:
t.c:12:56: warning: ‘__builtin_memset’ forming offset 64 is out of the bounds
[0, 64] of object ‘block’ with type ‘Block’ [-Warray-bounds=]
12 | if (j > 56) while (j < 64) block.as_bytes[j++] = 0;
| ~~~~~~~~~~~~~~~~~~~~^~~
t.c:8:15: note: ‘block’ declared here
8 | Block block;
| ^~~~~
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
@ 2024-05-12 23:29 ` sjames at gcc dot gnu.org
2024-05-12 23:32 ` sjames at gcc dot gnu.org
` (11 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-12 23:29 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
Sam James <sjames at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sjames at gcc dot gnu.org
Keywords| |wrong-code
Summary|Miscompilation triggering |[14 regression]
|-Wstringop-overflow and |Miscompilation (also
|-Warray-bounds warning when |triggering
|-O2 or higher |-Wstringop-overflow and
| |-Warray-bounds warning)
| |when -O2 or higher
--- Comment #1 from Sam James <sjames at gcc dot gnu.org> ---
Just to be clear as it might be easy to misread: the warnings are maybe a hint
about what's going on, and not the complaint here.
I can reproduce diff. results w/ 13 vs 14, not looked further yet.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
2024-05-12 23:29 ` [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) " sjames at gcc dot gnu.org
@ 2024-05-12 23:32 ` sjames at gcc dot gnu.org
2024-05-12 23:34 ` weilercdale at gmail dot com
` (10 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-12 23:32 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #2 from Sam James <sjames at gcc dot gnu.org> ---
(In reply to Dale Weiler from comment #0)
> I've isolated what appears to be an unsound __builtin_memset optimization
> applied by gcc 14.1.1 on a hash function in a cryptographic library where it
> writes one byte beyond the end of a buffer.
You don't have to share, but I find it useful to know where stuff was reduced
from. Was it a public library? If so, what? It is OK to not answer.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
2024-05-12 23:29 ` [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) " sjames at gcc dot gnu.org
2024-05-12 23:32 ` sjames at gcc dot gnu.org
@ 2024-05-12 23:34 ` weilercdale at gmail dot com
2024-05-12 23:35 ` sjames at gcc dot gnu.org
` (9 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: weilercdale at gmail dot com @ 2024-05-12 23:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #3 from Dale Weiler <weilercdale at gmail dot com> ---
> You don't have to share, but I find it useful to know where stuff was reduced from. Was it a public library? If so, what? It is OK to not answer.
It's the inner part of the Tiger Hash cryptographic hash function. This one is
just my own implementation. This is a pretty standard construction of how the
function works so it would presumably affect any Tiger Hash implementation.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (2 preceding siblings ...)
2024-05-12 23:34 ` weilercdale at gmail dot com
@ 2024-05-12 23:35 ` sjames at gcc dot gnu.org
2024-05-12 23:38 ` weilercdale at gmail dot com
` (8 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-12 23:35 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #4 from Sam James <sjames at gcc dot gnu.org> ---
With Clang, I get:
```
¢ clang /tmp/foo.c -o /tmp/foo
$ /tmp/foo
1886221359
0
0
0
0
0
0
-733536256
```
and
```
$ clang /tmp/foo.c -o /tmp/foo -fsanitize=address,undefined
$ /tmp/foo
1886221359
0
0
0
0
0
0
0
```
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (3 preceding siblings ...)
2024-05-12 23:35 ` sjames at gcc dot gnu.org
@ 2024-05-12 23:38 ` weilercdale at gmail dot com
2024-05-12 23:39 ` sjames at gcc dot gnu.org
` (7 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: weilercdale at gmail dot com @ 2024-05-12 23:38 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #5 from Dale Weiler <weilercdale at gmail dot com> ---
I should note that there is a byte in-between these two pieces of code I
removed
for (; j < i; j++) block.as_bytes[j] = argv[0][j];
block.as_bytes[j] = 0x01; // I removed this line
while (++j & 7) block.as_bytes[j] = 0;
Just to make the repro smaller, but I guess that causes that one byte to be
uninitialized in this case. Adding it back doesn't change anything, but it
should be noted it exists here.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (4 preceding siblings ...)
2024-05-12 23:38 ` weilercdale at gmail dot com
@ 2024-05-12 23:39 ` sjames at gcc dot gnu.org
2024-05-13 0:57 ` [Bug rtl-optimization/115056] [14/15 " sjames at gcc dot gnu.org
` (6 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-12 23:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #6 from Sam James <sjames at gcc dot gnu.org> ---
I was just about to comment that, thanks!
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14/15 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (5 preceding siblings ...)
2024-05-12 23:39 ` sjames at gcc dot gnu.org
@ 2024-05-13 0:57 ` sjames at gcc dot gnu.org
2024-05-13 1:14 ` weilercdale at gmail dot com
` (5 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-13 0:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #7 from Sam James <sjames at gcc dot gnu.org> ---
Isn't there still an uninitialised read?
```
$ valgrind /tmp/foo
[...]
==814922==
1886221359
1
0
0
0
0
0
==814922== Use of uninitialised value of size 8
==814922== at 0x48F7D3A: _itoa_word (_itoa.c:183)
==814922== by 0x49029A6: __printf_buffer (vfprintf-process-arg.c:155)
==814922== by 0x4904BD0: __vfprintf_internal (vfprintf-internal.c:1544)
==814922== by 0x49C55AE: __printf_chk (printf_chk.c:33)
==814922== by 0x10938D: main (/tmp/foo.c:16)
==814922==
```
with:
```
#include <string.h>
#include <stdio.h>
typedef union {
unsigned char as_bytes[64];
unsigned long long as_chunks[64 / sizeof(unsigned long long)];
} Block;
int main(int argc, char **argv) {
Block block;
int i = strlen(argv[0]), j = 0;
for (; j < i; j++) block.as_bytes[j] = argv[0][j];
block.as_bytes[j] = 0x01; // I removed this line
while (++j & 7) block.as_bytes[j] = 0;
if (j > 56) while (j < 64) block.as_bytes[j++] = 0;
while (j < 56) block.as_bytes[j++] = 0;
for (j = 0; j < 8; j++) printf("%d\n", (int)block.as_chunks[j]);
}
```
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14/15 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (6 preceding siblings ...)
2024-05-13 0:57 ` [Bug rtl-optimization/115056] [14/15 " sjames at gcc dot gnu.org
@ 2024-05-13 1:14 ` weilercdale at gmail dot com
2024-05-13 1:18 ` sjames at gcc dot gnu.org
` (4 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: weilercdale at gmail dot com @ 2024-05-13 1:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #8 from Dale Weiler <weilercdale at gmail dot com> ---
Yeah, you can add another `while (j < 64) block.as_bytes[j] = 0;` to the end if
you want. I really should've done a better job reducing it so as not to create
uninitialized memory. You can also just memset the block at the start to all
zeros if you want.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14/15 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (7 preceding siblings ...)
2024-05-13 1:14 ` weilercdale at gmail dot com
@ 2024-05-13 1:18 ` sjames at gcc dot gnu.org
2024-05-13 1:18 ` sjames at gcc dot gnu.org
` (3 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-13 1:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #9 from Sam James <sjames at gcc dot gnu.org> ---
The issue is we need a program which no UB which has the bad symptoms.
I can fix it up but that doesn't mean it has the symptoms you originally saw
which made you report a bug.
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14/15 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (8 preceding siblings ...)
2024-05-13 1:18 ` sjames at gcc dot gnu.org
@ 2024-05-13 1:18 ` sjames at gcc dot gnu.org
2024-05-13 1:51 ` weilercdale at gmail dot com
` (2 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-13 1:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
Sam James <sjames at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Last reconfirmed| |2024-05-13
Ever confirmed|0 |1
Status|UNCONFIRMED |WAITING
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14/15 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (9 preceding siblings ...)
2024-05-13 1:18 ` sjames at gcc dot gnu.org
@ 2024-05-13 1:51 ` weilercdale at gmail dot com
2024-05-13 9:49 ` rguenth at gcc dot gnu.org
2024-05-20 7:39 ` [Bug middle-end/115056] [14/15 regression] False positive -Wstringop-overflow and -Warray-bounds sjames at gcc dot gnu.org
12 siblings, 0 replies; 14+ messages in thread
From: weilercdale at gmail dot com @ 2024-05-13 1:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
--- Comment #10 from Dale Weiler <weilercdale at gmail dot com> ---
New test case without UB still exhibits the behavior
#include <string.h>
#include <stdio.h>
typedef union {
unsigned char as_bytes[64];
unsigned long long as_chunks[64 / sizeof(unsigned long long)];
} Block;
int main(int argc, char **argv) {
Block block;
int i = strlen(argv[0]), j = 0;
for (; j < i; j++) block.as_bytes[j] = argv[0][j];
block.as_bytes[j] = 0x01;
while (++j & 7) block.as_bytes[j] = 0;
if (j > 56) while (j < 64) block.as_bytes[j++] = 0;
while (j < 56) block.as_bytes[j++] = 0;
while (j < 64) block.as_bytes[j++] = 0x01;
for (j = 0; j < 8; j++) printf("%d\n", (int)block.as_chunks[j]);
}
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug rtl-optimization/115056] [14/15 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) when -O2 or higher
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (10 preceding siblings ...)
2024-05-13 1:51 ` weilercdale at gmail dot com
@ 2024-05-13 9:49 ` rguenth at gcc dot gnu.org
2024-05-20 7:39 ` [Bug middle-end/115056] [14/15 regression] False positive -Wstringop-overflow and -Warray-bounds sjames at gcc dot gnu.org
12 siblings, 0 replies; 14+ messages in thread
From: rguenth at gcc dot gnu.org @ 2024-05-13 9:49 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |14.2
^ permalink raw reply [flat|nested] 14+ messages in thread
* [Bug middle-end/115056] [14/15 regression] False positive -Wstringop-overflow and -Warray-bounds
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
` (11 preceding siblings ...)
2024-05-13 9:49 ` rguenth at gcc dot gnu.org
@ 2024-05-20 7:39 ` sjames at gcc dot gnu.org
12 siblings, 0 replies; 14+ messages in thread
From: sjames at gcc dot gnu.org @ 2024-05-20 7:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115056
Sam James <sjames at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |88443, 56456
Component|rtl-optimization |middle-end
Keywords|wrong-code |
Summary|[14/15 regression] |[14/15 regression] False
|Miscompilation (also |positive
|triggering |-Wstringop-overflow and
|-Wstringop-overflow and |-Warray-bounds
|-Warray-bounds warning) |
|when -O2 or higher |
--- Comment #11 from Sam James <sjames at gcc dot gnu.org> ---
Coming back to this: have you actually seen unexpected results from runtime
execution? (If so, please share what they were & what options you used to get
them).
The warning is a problem but it doesn't necessarily imply bad codegen. Some
warnings have FPs based on the IR that gets generated.
i.e. I think this is a FP warning bug instead.
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
[Bug 56456] [meta-bug] bogus/missing -Warray-bounds
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88443
[Bug 88443] [meta-bug] bogus/missing -Wstringop-overflow warnings
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2024-05-20 7:39 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-05-12 23:27 [Bug rtl-optimization/115056] New: Miscompilation triggering -Wstringop-overflow and -Warray-bounds warning when -O2 or higher weilercdale at gmail dot com
2024-05-12 23:29 ` [Bug rtl-optimization/115056] [14 regression] Miscompilation (also triggering -Wstringop-overflow and -Warray-bounds warning) " sjames at gcc dot gnu.org
2024-05-12 23:32 ` sjames at gcc dot gnu.org
2024-05-12 23:34 ` weilercdale at gmail dot com
2024-05-12 23:35 ` sjames at gcc dot gnu.org
2024-05-12 23:38 ` weilercdale at gmail dot com
2024-05-12 23:39 ` sjames at gcc dot gnu.org
2024-05-13 0:57 ` [Bug rtl-optimization/115056] [14/15 " sjames at gcc dot gnu.org
2024-05-13 1:14 ` weilercdale at gmail dot com
2024-05-13 1:18 ` sjames at gcc dot gnu.org
2024-05-13 1:18 ` sjames at gcc dot gnu.org
2024-05-13 1:51 ` weilercdale at gmail dot com
2024-05-13 9:49 ` rguenth at gcc dot gnu.org
2024-05-20 7:39 ` [Bug middle-end/115056] [14/15 regression] False positive -Wstringop-overflow and -Warray-bounds sjames at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).