With Fedora gcc-12.0.1-0.12.fc36.x86_64
gcc (GCC) 12.0.1 20220308 (Red Hat 12.0.1-0)

test.c:

#include <stdio.h>

void main(void)
{
        char foo[3];
        int i;

        for (i = 0; i < 16; i++) {
                snprintf(foo, sizeof(foo), "%d", i);
        }
}

$ gcc -Wformat-truncation test.c
test.c: In function ‘main’:
test.c:9:45: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 3 [-Wformat-truncation=]
    9 |                 snprintf(foo, sizeof(foo), "%d", i);
      |                                             ^~
test.c:9:44: note: directive argument in the range [-2147483647, 15]
    9 |                 snprintf(foo, sizeof(foo), "%d", i);
      |                                            ^~~~
test.c:9:17: note: ‘snprintf’ output between 2 and 12 bytes into a destination of size 3
    9 |                 snprintf(foo, sizeof(foo), "%d", i);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The computed range seems incorrect.

There are similar variants of this bug that have been found while compiling QEMU (https://patchew.org/QEMU/20220328084717.367993-1-marcandre.lureau@redhat.com/)

Confirmed.  The issue is that at -O0 we do not use SCEV and thus range analysis is limited, just using i < 16.

static unsigned int
printf_strlen_execute (function *fun, bool warn_only)
{
  strlen_optimize = !warn_only;

  calculate_dominance_info (CDI_DOMINATORS);

  bool use_scev = optimize > 0 && flag_printf_return_value;
  if (use_scev)
    {
      loop_optimizer_init (LOOPS_NORMAL);
      scev_initialize ();
    }

at -O0 we call this when warn_format_overflow > 0 || warn_format_trunc > 0 so to improve we could maybe do || warn_only above.  That would fix the bogus diagnostic.

(In reply to Richard Biener from comment #1)
> Confirmed.  The issue is that at -O0 we do not use SCEV and thus range
> analysis is limited, just using i < 16.
> 
> static unsigned int
> printf_strlen_execute (function *fun, bool warn_only)
> {
>   strlen_optimize = !warn_only;
> 
>   calculate_dominance_info (CDI_DOMINATORS);
> 
>   bool use_scev = optimize > 0 && flag_printf_return_value;
>   if (use_scev)
>     {
>       loop_optimizer_init (LOOPS_NORMAL);
>       scev_initialize ();
>     }
> 
> at -O0 we call this when warn_format_overflow > 0 || warn_format_trunc > 0 so
> to improve we could maybe do || warn_only above.  That would fix the bogus
> diagnostic.

Or rather always do this, even the late pass as otherwise I see a bogus diagnostic with -fno-printf-return-value even when optimizing:

> ./cc1 -quiet t.c -Wall -O -fno-printf-return-value
t.c:1:6: warning: return type of 'main' is not 'int' [-Wmain]
    1 | void main(void)
      |      ^~~~
t.c: In function 'main':
t.c:7:55: warning: '%d' directive output may be truncated writing between 1 and 11 bytes into a region of size 3 [-Wformat-truncation=]
    7 |                 __builtin_snprintf(foo, sizeof(foo), "%d", i);
      |                                                       ^~
t.c:7:54: note: directive argument in the range [-2147483647, 2147483647]
    7 |                 __builtin_snprintf(foo, sizeof(foo), "%d", i);
      |                                                      ^~~~
t.c:7:17: note: '__builtin_snprintf' output between 2 and 12 bytes into a destination of size 3
    7 |                 __builtin_snprintf(foo, sizeof(foo), "%d", i);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GCC 11 doesn't warn.
Testing the fix.
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:28c5df79300ab354cbc381aab200f7c2bd0331ad

commit r12-7870-g28c5df79300ab354cbc381aab200f7c2bd0331ad
Author: Richard Biener <rguenther@suse.de>
Date:   Mon Mar 28 14:55:49 2022 +0200

    tree-optimization/105080 - make sure SCEV is available for ranger

    When doing format diagnostics at -O0 we should make sure to make
    SCEV available to avoid false positives due to ranges we otherwise
    can trivially compute.

    2022-03-28  Richard Biener  <rguenther@suse.de>

            PR tree-optimization/105080
            * tree-ssa-strlen.cc (printf_strlen_execute): Always init
            loops and SCEV.

            * gcc.dg/pr105080.c: New testcase.

Fixed.
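
The byte counts in the diagnostics above follow directly from the value range the compiler assumed for i. The following is an added example, not GCC code and not posted by anyone in this report: it recomputes the "%d" output bounds for a range and runs the reproducer's loop while checking snprintf's return value. The names dec_len, fmt_d_bounds and count_truncated are hypothetical helpers written for this illustration.

```c
/* Added illustration, not GCC source: byte bounds of "%d" over a range. */
#include <stdio.h>

/* Characters "%d" emits for v (digits plus a leading '-'), without the NUL. */
static int dec_len(long long v)
{
    int n = (v < 0) ? 1 : 0;
    unsigned long long u = (v < 0) ? 0ULL - (unsigned long long)v
                                   : (unsigned long long)v;
    do { n++; u /= 10; } while (u);
    return n;
}

struct bounds { int min_bytes, max_bytes; };
/* Bytes snprintf needs, NUL included, for any v in [lo, hi]. */
static struct bounds fmt_d_bounds(long long lo, long long hi)
{
    struct bounds b;
    int l = dec_len(lo), h = dec_len(hi);
    b.max_bytes = (l > h ? l : h) + 1;       /* longest output is at an endpoint */
    if (lo <= 0 && hi >= 0)
        b.min_bytes = 2;                     /* "0" plus NUL */
    else
        b.min_bytes = (lo > 0 ? l : h) + 1;  /* endpoint nearest zero */
    return b;
}

/* Run the reproducer's loop; count calls whose output did not fit. */
static int count_truncated(void)
{
    char foo[3];
    int i, truncated = 0;
    for (i = 0; i < 16; i++) {
        int n = snprintf(foo, sizeof(foo), "%d", i);
        if (n < 0 || (size_t)n >= sizeof(foo))
            truncated++;
    }
    return truncated;
}

int main(void)
{
    struct bounds warned = fmt_d_bounds(-2147483647LL, 15); /* range in the note */
    struct bounds actual = fmt_d_bounds(0, 15);             /* range of the loop */
    printf("warned range: %d..%d bytes\n", warned.min_bytes, warned.max_bytes);
    printf("loop range:   %d..%d bytes\n", actual.min_bytes, actual.max_bytes);
    printf("truncated calls: %d\n", count_truncated());
    return 0;
}
```

With the lower bound the note reports, the worst case is 12 bytes; with the loop's real range of 0 to 15 it is 3, which fits foo exactly.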