Bug 102466 - -O3 -fsanitize=undefined causes warnings (writing 2 bytes into a region of size 0)
Status: NEW
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 12.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: diagnostic
Depends on:
Blocks: Wstringop-overflow
Reported: 2021-09-23 07:08 UTC by cqwrteur
Modified: 2022-05-30 19:34 UTC

See Also:
Host: x86_64-ubuntu-linux-gnu
Target: x86_64-ubuntu-linux-gnu
Build: x86_64-ubuntu-linux-gnu
Known to work:
Known to fail:
Last reconfirmed: 2021-09-27 00:00:00

Attachments
Preprocessed file (107.59 KB, text/plain)
2021-09-23 07:08 UTC, cqwrteur

Description cqwrteur 2021-09-23 07:08:27 UTC
Created attachment 51503: Preprocessed file

Without -fsanitize=undefined, or with -O2, the warning is not triggered here.

cqwrteur@Home-Server:~/fast_io/examples/0021.kernel_driver$ g++ -S main.cc -std=c++20 -I../../include  -s -fno-exceptions -fno-rtti -fsanitize=undefined -O3 -ffreestanding
In function 'constexpr void fast_io::linux::print_status_define(fast_io::linux::basic_kpr<ch_type>, Args ...) [with bool line = true; ch_type = char; Args = {fast_io::basic_io_scatter_t<char>, fast_io::manipulators::scalar_manip_t<fast_io::manipulators::scalar_flags{10, false, false, false, false, false, false, false, true, false, false, false, fast_io::manipulators::scalar_placement::none, fast_io::manipulators::floating_format::fixed, fast_io::manipulators::lc_time_flag::none}, int>, fast_io::basic_io_scatter_t<char>, fast_io::basic_io_scatter_t<char>, fast_io::manipulators::scalar_manip_t<fast_io::manipulators::scalar_flags{10, false, false, false, false, false, false, false, true, false, false, false, fast_io::manipulators::scalar_placement::none, fast_io::manipulators::floating_format::fixed, fast_io::manipulators::lc_time_flag::none}, int>, fast_io::manipulators::scalar_manip_t<fast_io::manipulators::scalar_flags{10, false, false, false, false, false, false, false, true, false, false, false, fast_io::manipulators::scalar_placement::none, fast_io::manipulators::floating_format::fixed, fast_io::manipulators::lc_time_flag::none}, unsigned int>}]':
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
cc1plus: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]

This is freestanding code to reduce the size of the preprocessed file. You can just treat the printk function as printf. -ffreestanding does not affect whether the warning is emitted or not.

I do not know whether it is a false positive.
Comment 1 Martin Liška 2021-09-27 14:00:41 UTC
It's very likely a false positive. We have quite a few duplicates where we explain that enabling sanitizers can lead to false-positive warnings.
Comment 2 Martin Sebor 2021-09-27 21:37:30 UTC
Confirmed.  As Martin indicated in comment #1, the UBSAN sanitization is causing the warning to trigger.  The IL the first instance is issued for is below (-fdump-tree-strlen):

  if (iter_554 == 0B)
    goto <bb 31>; [0.00%]
  else
    goto <bb 32>; [100.00%]

  <bb 31> [count: 0]:
  __builtin___ubsan_handle_nonnull_arg (&*.Lubsan_data478);

  <bb 32> [local count: 850510933]:
  if (_560 == 0B)
    goto <bb 33>; [0.00%]
  else
    goto <bb 34>; [100.00%]

  <bb 33> [count: 0]:
  __builtin___ubsan_handle_nonnull_arg (&*.Lubsan_data479);

  <bb 34> [local count: 850510933]:                               <<< iter_554 is null
  _565 = MEM <short unsigned int> [(char * {ref-all})_558];
  MEM <short unsigned int> [(char * {ref-all})iter_554] = _565;   <<< -Wstringop-overflow
  .UBSAN_PTR (iter_554, 2);

The problem is likely a duplicate of one of the existing reports of the same problem.
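The following C++ is an added example, not the reporter's fast_io code and not something GCC developers posted to this bug. It models the shape of the store in the dump above: a callee whose pointer parameters are declared nonnull copies two bytes through them, so with -fsanitize=nonnull-attribute the compiler inserts a recoverable handler call on the null path and then falls through to the store, leaving a path on which the destination is a null pointer (a "region of size 0"). The names `copy_u16_raw`, `copy_u16_checked`, `U16Writer` and `fill_sequence` are assumptions of this example, and whether a particular GCC build warns on this exact snippet is not verified here. The checked variant shows the source-level fix a maintainer can use to confirm a warning like this is a sanitizer artifact: if an explicit early return on null makes the diagnostic disappear while an uninstrumented build never reported it, the store itself is bounded, and the only true overflow to worry about is the capacity check in the writer.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Shape of the flagged store (hypothetical callee): nonnull parameters, a two-byte
// copy. Under -fsanitize=nonnull-attribute the instrumentation reports a null
// argument via a returning handler and continues into the memcpy, which is why the
// optimizer can see a path where iter is null when the store happens.
__attribute__((nonnull))
static void copy_u16_raw(unsigned char *iter, const unsigned char *src) {
    std::memcpy(iter, src, 2);
}

// Source-level check that the optimizer can use: the null path returns before the
// store, so no store is reachable with a null destination, instrumented or not.
// Returns the advanced write position, or nullptr when either pointer is null.
static unsigned char *copy_u16_checked(unsigned char *iter, const unsigned char *src) {
    if (iter == nullptr || src == nullptr)
        return nullptr;
    copy_u16_raw(iter, src);
    return iter + 2;
}

// Bounded little-endian writer over a fixed 8-byte buffer (constructed for the
// example). The capacity test is the kind of real overflow -Wstringop-overflow
// exists to catch: without it, a fifth put_u16 would write past the buffer.
struct U16Writer {
    unsigned char buf[8];
    unsigned char *pos;

    U16Writer() : pos(buf) { std::memset(buf, 0, sizeof buf); }

    bool put_u16(std::uint16_t v) {
        if (static_cast<std::size_t>((buf + sizeof buf) - pos) < 2)
            return false;                       // true bounds failure, rejected
        const unsigned char le[2] = {
            static_cast<unsigned char>(v & 0xffu),
            static_cast<unsigned char>(v >> 8)
        };
        unsigned char *next = copy_u16_checked(pos, le);
        if (next == nullptr)
            return false;
        pos = next;
        return true;
    }

    std::size_t size() const { return static_cast<std::size_t>(pos - buf); }
};

// Exercise copy_u16_checked on a constructed value: null destination is refused,
// a valid destination receives the two bytes and the position advances by two.
static bool copy_roundtrip() {
    const unsigned char src[2] = {0x34, 0x12};
    unsigned char dst[2] = {0, 0};
    if (copy_u16_checked(nullptr, src) != nullptr) return false;
    if (copy_u16_checked(dst, src) != dst + 2) return false;
    return dst[0] == 0x34 && dst[1] == 0x12;
}

// Write the values 1..n into a fresh writer and return how many were accepted;
// the 8-byte buffer holds at most four 16-bit values.
static std::size_t fill_sequence(std::size_t n) {
    U16Writer w;
    std::size_t accepted = 0;
    for (std::size_t i = 1; i <= n; ++i)
        if (w.put_u16(static_cast<std::uint16_t>(i))) ++accepted;
    return accepted;
}

int main() {
    std::printf("roundtrip ok: %d\n", copy_roundtrip() ? 1 : 0);
    std::printf("accepted 5 words: %zu (expect 4)\n", fill_sequence(5));
    return 0;
}
```

To compare builds, compile this file once with the reporter's flags (`-O3 -fsanitize=undefined`) and once without the sanitizer; a diagnostic that appears only in the instrumented build, and goes away when the callee is only reached through `copy_u16_checked`, points at the sanitizer-introduced null path rather than at a real out-of-bounds write.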
Comment 3 Mathieu Malaterre 2022-03-29 14:20:14 UTC
This is also triggered in libjxl codebase:

* https://github.com/libjxl/libjxl/blob/main/tools/fuzzer_corpus.cc

/usr/include/c++/11/bits/stl_algobase.h:431:30: warning: 'void* __builtin_memmove(void*, const void*, long unsigned int)' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
  431 |             __builtin_memmove(__result, __first, sizeof(_Tp) * _Num);
      |             ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 4 Mathieu Malaterre 2022-03-29 14:22:29 UTC
I can reproduce it using -Wall -fsanitize=undefined -O2

* https://github.com/malaterre/PublicRep/tree/master/gcc/libjxl