From: "msebor at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/96384] [11 Regression] bogus -Wstringop-overflow= storing into multidimensional array with index in range
Date: Wed, 29 Jul 2020 22:07:12 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96384

--- Comment #1 from Martin Sebor ---
It looks like a false positive caused by the weirdo signed vs unsigned
conversions between wide_int and offset_int.
It happens in this piece of code in compute_objsize:

      offset_int orng[2];
      tree off = TREE_OPERAND (ptr, 1);
      if (!get_range (off, SIGNED, orng, rvals))
        /* Fail unless the size of the object is zero.  */
        return pref->sizrng[0] == 0 && pref->sizrng[0] == pref->sizrng[1];
      ...
      if (ostype && TREE_CODE (eltype) == ARRAY_TYPE)
        {
          /* Except for the permissive raw memory functions which
             use the size of the whole object determined above,
             use the size of the referenced array.  */
          pref->sizrng[0] = pref->offrng[0] + orng[0] + sz;
          pref->sizrng[1] = pref->offrng[1] + orng[1] + sz;
        }
    }

We get orng indirectly by converting the get_range_info() result in get_range()
in tree-ssa-strlen.c to wide_int first, and then converting it to offset_int.
We do this dance because some clients use wide_int and others offset_int.

We get vr->max ():

  constant 4294967294>

the result of converting it to wide_int:

  minmax[1] = wi::to_wide (vr->max ());

is

  (gdb) p minmax[1]
  $39 = { = {val = {-2, 24874380, 0}, len = 1, precision = 32}, static is_sign_extended = true}

We then take it and convert it to offset_int in the get_range() helper in
builtins.c:

  r[1] = offset_int::from (wr[1], sgn);

Because it's an offset, sgn is SIGNED so we end up with -2 instead of the
original positive 4294967294.

We use that -2 to compute the upper bound on the size of the object and store
it in pref->sizrng[1], which becomes negative.  In the end, we compare the
lower bound of the overall offset into the object (it's 0) to the upper bound
of the size (which is -6) to see if it's less.  It's not, so the result is zero
bytes of space.
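
The signedness effect described in the comment above, as an added example that is not GCC code and not part of the original message: a 32-bit value widened as SIGNED versus UNSIGNED, a range check that catches the resulting inverted bounds, and the final offset-versus-size comparison. The names ext_t, widen, convert_range and space_left are hypothetical, the range's lower bound of 0 is constructed, and the subtraction in space_left is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for GCC's signop; not the real type. */
typedef enum { EXT_UNSIGNED, EXT_SIGNED } ext_t;

/* Widen the low `precision` bits (1..63) of `bits` to 64 bits, the way a
   fixed-precision integer is converted to a wider offset type. */
static int64_t widen(uint64_t bits, unsigned precision, ext_t sgn)
{
    uint64_t mask = (UINT64_C(1) << precision) - 1;
    uint64_t v = bits & mask;
    if (sgn == EXT_SIGNED && (v >> (precision - 1)) != 0)
        return (int64_t)v - (int64_t)mask - 1;   /* v - 2^precision */
    return (int64_t)v;
}

/* Convert both bounds of a 32-bit range; return 0 if the result is no
   longer ordered (lo > hi), the symptom of using the wrong signedness. */
static int convert_range(const uint32_t in[2], ext_t sgn, int64_t out[2])
{
    out[0] = widen(in[0], 32, sgn);
    out[1] = widen(in[1], 32, sgn);
    return out[0] <= out[1];
}

/* Final comparison as described in the comment: space is available only
   if the lowest offset is below the upper bound of the size.  The
   subtraction is an assumption of this sketch. */
static int64_t space_left(int64_t off_lo, int64_t size_hi)
{
    return off_lo < size_hi ? size_hi - off_lo : 0;
}

int main(void)
{
    const uint32_t rng[2] = { 0, 4294967294u };  /* lower bound is constructed */
    int64_t s[2], u[2];
    int ok_s = convert_range(rng, EXT_SIGNED, s);
    int ok_u = convert_range(rng, EXT_UNSIGNED, u);
    printf("signed:   [%lld, %lld] ordered=%d\n",
           (long long)s[0], (long long)s[1], ok_s);
    printf("unsigned: [%lld, %lld] ordered=%d\n",
           (long long)u[0], (long long)u[1], ok_u);
    printf("space with size upper bound -6: %lld\n",
           (long long)space_left(0, -6));
    return 0;
}
```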