[Bug tree-optimization/97631] New: bogus "writing one too many bytes" warning for memcpy with strlen argument

[Bug tree-optimization/97631] New: bogus "writing one too many bytes" warning for memcpy with strlen argument

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

            Bug ID: 97631
           Summary: bogus "writing one too many bytes" warning for memcpy
                    with strlen argument
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

The -Wstringop-overflow instance in f() is correct and intended but the one in
g() is neither.  It most likely crept in by mistake in r279392.  The test case
was reduced from libfido2.

$ cat xxx.c && gcc -O2 -S -Wall xxx.c
typedef __SIZE_TYPE__ size_t;

char* f (char *s)
{
  size_t n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_strcpy (d, s);       // -Wstringop-overflow (good)
  return d;
}

char* g (char *s)
{
  size_t n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_memcpy (d, s, n);    // bogus overflow warning
  return d;
}

xxx.c: In function ‘f’:
xxx.c:10:3: warning: ‘__builtin_strcpy’ writing one too many bytes into a
region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
   10 |   __builtin_strcpy (d, s);       // -Wstringop-overflow (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~
xxx.c:9:13: note: at offset 0 to an object allocated by ‘__builtin_malloc’ here
    9 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~
xxx.c: In function ‘g’:
xxx.c:21:3: warning: ‘__builtin_memcpy’ writing one too many bytes into a
region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
   21 |   __builtin_memcpy (d, s, n);    // bogus overflow warning
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~
xxx.c:20:13: note: at offset 0 to an object allocated by ‘__builtin_malloc’
here
   20 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~

[Bug tree-optimization/97631] [10/11 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED
      Known to fail|                            |10.2.0, 11.0
           Keywords|                            |diagnostic
           Assignee|unassigned at gcc dot gnu.org      |msebor at gcc dot gnu.org
      Known to work|                            |9.3.0
             Blocks|                            |88443
   Last reconfirmed|                            |2020-10-29
            Summary|bogus "writing one too many |[10/11 Regression] bogus
                   |bytes" warning for memcpy   |"writing one too many
                   |with strlen argument        |bytes" warning for memcpy
                   |                            |with strlen argument


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88443
[Bug 88443] [meta-bug] bogus/missing -Wstringop-overflow warnings

[Bug tree-optimization/97631] [10/11 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
While playing with the test case I added to pr97631 I noticed that when I
change the type of len to int, the warning disappears for the call to strcpy
(where it's intended) but the false positive stays for the call to memcpy. 
When I change the type to unsigned int, the warning then moves to strcpy and
disappears for memcpy.  This should get cleaned up too.

$ (set -x && cat xxx.c && gcc -DINT=int -O2 -S -Wall xxx.c && gcc
-DINT=unsigned -O2 -S -Wall xxx.c)
+ cat xxx.c
char* f (char *s)
{
  INT n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_strcpy (d, s);       // -Wstringop-overflow (good)
  return d;
}

char* g (char *s)
{
  INT n = __builtin_strlen (s);
  if (n == 0)
    return 0;

  char *d = __builtin_malloc (n);
  __builtin_memcpy (d, s, n);    // bogus overflow warning
  return d;
}

+ gcc -DINT=int -O2 -S -Wall xxx.c
xxx.c: In function ‘g’:
xxx.c:19:3: warning: ‘__builtin_memcpy’ writing one too many bytes into a
region of a size that depends on ‘strlen’ [-Wstringop-overflow=]
   19 |   __builtin_memcpy (d, s, n);    // bogus overflow warning
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~
xxx.c:18:13: note: at offset 0 to an object with size between 1 and
18446744073709551615 allocated by ‘__builtin_malloc’ here
   18 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~
+ gcc -DINT=unsigned -O2 -S -Wall xxx.c
xxx.c: In function ‘f’:
xxx.c:8:3: warning: ‘__builtin_strcpy’ writing one too many bytes into a region
of a size that depends on ‘strlen’ [-Wstringop-overflow=]
    8 |   __builtin_strcpy (d, s);       // -Wstringop-overflow (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~
xxx.c:7:13: note: at offset 0 to an object with size at most 4294967295
allocated by ‘__builtin_malloc’ here
    7 |   char *d = __builtin_malloc (n);
      |             ^~~~~~~~~~~~~~~~~~~~

[Bug tree-optimization/97631] [10/11 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |10.3
           Priority|P3                          |P2

[Bug tree-optimization/97631] [10/11 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2021-February/565541.html

[Bug tree-optimization/97631] [10/11 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:

https://gcc.gnu.org/g:7f5ff78ff3f971c11ec67f422b2fd34281db9123

commit r11-7562-g7f5ff78ff3f971c11ec67f422b2fd34281db9123
Author: Martin Sebor <msebor@redhat.com>
Date:   Mon Mar 8 13:28:52 2021 -0700

    PR middle-end/97631 - bogus "writing one too many bytes" warning for memcpy
with strlen argument

    gcc/ChangeLog:

            PR middle-end/97631
            * tree-ssa-strlen.c (maybe_warn_overflow): Test rawmem.
            (handle_builtin_stxncpy_strncat): Rename locals.  Determine
            destination size from allocation calls.  Issue a more appropriate
            kind of warning.
            (handle_builtin_memcpy): Pass true as rawmem to
maybe_warn_overflow.
            (handle_builtin_memset): Same.

    gcc/testsuite/ChangeLog:

            PR middle-end/97631
            * c-c++-common/Wstringop-overflow.c: Remove unexpected warnings.
            Add an xfail.
            * c-c++-common/Wstringop-truncation.c: Add expected warnings.
            * gcc.dg/Wstringop-overflow-10.c: Also enable
-Wstringop-truncation.
            * gcc.dg/Wstringop-overflow-66.c: New test.
            * gcc.dg/tree-ssa/strncpy-2.c: Adjust expected warning.

[Bug tree-optimization/97631] [10 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|11.0                        |
            Summary|[10/11 Regression] bogus    |[10 Regression] bogus
                   |"writing one too many       |"writing one too many
                   |bytes" warning for memcpy   |bytes" warning for memcpy
                   |with strlen argument        |with strlen argument
      Known to work|                            |11.0

--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
Fixed in GCC 11.

[Bug tree-optimization/97631] [10 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|10.3                        |10.4

--- Comment #5 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 10.3 is being released, retargeting bugs to GCC 10.4.

[Bug tree-optimization/97631] [10 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[msebor at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW
           Assignee|msebor at gcc dot gnu.org          |unassigned at gcc dot gnu.org

--- Comment #6 from Martin Sebor <msebor at gcc dot gnu.org> ---
I'm no longer planning to backport the fix.

[Bug tree-optimization/97631] [10 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|10.4                        |10.5

--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
GCC 10.4 is being released, retargeting bugs to GCC 10.5.

[Bug tree-optimization/97631] [10 Regression] bogus "writing one too many bytes" warning for memcpy with strlen argument

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97631

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
      Known to fail|                            |10.5.0
   Target Milestone|10.5                        |11.0

--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed in GCC 11.