Bug 103637 - [12/13/14 Regression] missing warning writing past the end of one of multiple elements of the same array
Status: NEW
Alias: None
Product: gcc
Classification: Unclassified
Component: middle-end
Version: 12.0
Importance: P2 normal
Target Milestone: 12.4
Assignee: Not yet assigned to anyone
URL:
Keywords: diagnostic
Depends on:
Blocks: Wstringop-overflow
Reported: 2021-12-09 19:46 UTC by Martin Sebor
Modified: 2023-05-08 12:23 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail: 13.0
Last reconfirmed: 2023-02-21 00:00:00


Description Martin Sebor 2021-12-09 19:46:05 UTC
The fix for pr103215 is too conservative and causes false negatives for past-the-end accesses to array elements like in gcc.dg/warn-strnlen-no-nul.c.  A simple test case that shows the problem is below.  The dump shows that both strcpy calls are plainly out of bounds and both could and should be diagnosed.

$ cat y.c && gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout y.c
extern int x;

extern char b[5][7];

void f (const char *s)
{
  __builtin_strncpy (b[3], s, 9);  // warning (good)
}

void g (int i, const char *s)
{
  char *d = i ? b[3] : b[4];
  __builtin_strncpy (d, s, 9);     // warning in GCC 11, missing in 12
}

;; Function f (f, funcdef_no=0, decl_uid=1980, cgraph_uid=1, symbol_order=0)

void f (const char * s)
{
  <bb 2> [local count: 1073741824]:
  __builtin_strncpy (&b[3], s_2(D), 9); [tail call]
  return;

}


y.c: In function ‘f’:
y.c:7:3: warning: ‘__builtin_strncpy’ writing 9 bytes into a region of size 7 overflows the destination [-Wstringop-overflow=]
    7 |   __builtin_strncpy (b[3], s, 9);  // warning (good)
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
y.c:3:13: note: at offset 21 into destination object ‘b’ of size 28
    3 | extern char b[5][7];
      |             ^

;; Function g (g, funcdef_no=1, decl_uid=1984, cgraph_uid=2, symbol_order=1)

Removing basic block 3
void g (int i, const char * s)
{
  char * iftmp.0_1;

  <bb 2> [local count: 1073741824]:
  if (i_2(D) != 0)
    goto <bb 4>; [50.00%]
  else
    goto <bb 3>; [50.00%]

  <bb 3> [local count: 536870912]:

  <bb 4> [local count: 1073741824]:
  # iftmp.0_1 = PHI <&b[3](2), &b[4](3)>
  __builtin_strncpy (iftmp.0_1, s_4(D), 9); [tail call]
  return;

}
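The two copies in the test case, as an added example that is not part of the report or of GCC: the array keeps the report's b[5][7] shape, and a checked copy enforces the 7-byte row capacity at run time, so the 9-byte write in g() is rejected whether or not the compiler diagnoses it. The helper names row_offset, row_capacity, row_spill, checked_row_copy and copy_into_selected_row are hypothetical; row_offset(3) reproduces the "offset 21" figure from GCC's note for f().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the report's destination: five rows of 7 bytes,
   35 bytes in total. Row 3 starts at offset 21, row 4 at offset 28. */
#define ROWS 5
#define COLS 7
static char b[ROWS][COLS];

/* Hypothetical helper (not part of GCC): byte offset of row i inside b.
   For i == 3 this is the "offset 21" GCC's note reports. */
static size_t row_offset(size_t i)
{
    return (size_t)((const char *)b[i] - (const char *)b);
}

/* Hypothetical helper: bytes a write starting at row i may touch before
   crossing into the next row. This is the "region of size 7" that the
   -Wstringop-overflow= warning measures against. */
static size_t row_capacity(size_t i)
{
    return i < ROWS ? sizeof b[i] : 0;
}

/* Hypothetical helper: how many of n bytes would land past the end of
   row i. For row 3 the spill lands in row 4; for row 4 it leaves b. */
static size_t row_spill(size_t i, size_t n)
{
    size_t cap = row_capacity(i);
    return n > cap ? n - cap : 0;
}

/* Hypothetical checked replacement for the __builtin_strncpy calls in
   f() and g(): refuses any copy that would spill, otherwise copies
   exactly like strncpy (zero-padding the rest of the row). */
static bool checked_row_copy(size_t i, const char *s, size_t n)
{
    if (i >= ROWS || row_spill(i, n) != 0)
        return false;
    strncpy(b[i], s, n);
    return true;
}

/* Mirrors g(): the destination row is chosen at run time, which is the
   case GCC 12 stopped diagnosing. The runtime check does not depend on
   which row wins; both are 7 bytes wide. */
static bool copy_into_selected_row(int flag, const char *s, size_t n)
{
    return checked_row_copy(flag ? 3 : 4, s, n);
}

int main(void)
{
    /* Constructed input: the 9-byte copies from the report. */
    for (int flag = 0; flag <= 1; flag++) {
        size_t row = flag ? 3 : 4;
        bool ok = copy_into_selected_row(flag, "abcdefgh", 9);
        printf("row %zu at offset %zu, capacity %zu: %s (%zu byte(s) past the row)\n",
               row, row_offset(row), row_capacity(row),
               ok ? "copied" : "rejected", row_spill(row, 9));
    }
    /* A copy that fits is performed normally. */
    if (copy_into_selected_row(0, "abc", COLS))
        printf("row 4 now holds \"%s\"\n", b[4]);
    return 0;
}
```

The check is deliberately keyed on the row's size rather than on the whole object: a 9-byte write into b[3] stays inside b, but it still clobbers the first two bytes of b[4], which is exactly the write the warning should have flagged for g().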
Comment 1 Jakub Jelinek 2022-05-06 08:32:07 UTC
GCC 12.1 is being released, retargeting bugs to GCC 12.2.
Comment 2 Richard Biener 2022-08-19 08:25:15 UTC
GCC 12.2 is being released, retargeting bugs to GCC 12.3.
Comment 3 Richard Biener 2023-02-21 15:01:38 UTC
Confirmed on trunk.
Comment 4 Richard Biener 2023-05-08 12:23:25 UTC
GCC 12.3 is being released, retargeting bugs to GCC 12.4.