When a valid pointer into an array that has been derived from a past-the-end pointer to a member array of an initialized constant struct is used in a call to a string built-in like strlen, GCC issues a bogus -Warray-bounds warning indicating that the offset into the array is out of its bounds.

$ cat q.c && gcc -S -Wall q.c
struct S { char n, a[3]; };

const char a[3] = { 2, 1, 0 };
const struct S s = { 3, { 2, 1, 0 } };

int f (void)
{
  const char *p = &a[sizeof a];
  return __builtin_strlen (p - sizeof a);   // no warning (good)
}

int g (void)
{
  const char *p = &s.a[sizeof s.a];
  return __builtin_strlen (p - sizeof s.a);   // bogus -Warray-bounds
}
q.c: In function ‘g’:
q.c:15:10: warning: offset ‘1’ outside bounds of constant string [-Warray-bounds]
   15 |   return __builtin_strlen (p - sizeof s.a);   // bogus -Warray-bounds
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
q.c:4:16: note: ‘s’ declared here
    4 | const struct S s = { 3, { 2, 1, 0 } };
      |                ^
The false positive was introduced in r274837:

commit 14b7950f126f84fa585e3a057940ff10d4c5b3f8
Author: Martin Sebor <msebor@redhat.com>
Date:   Thu Aug 22 23:09:26 2019 +0000

    PR middle-end/91490 - bogus argument missing terminating nul warning on strlen of a flexible array member

    gcc/c-family/ChangeLog:

    PR middle-end/91490
    * c-common.c (braced_list_to_string): Add argument and overload.
    Handle flexible length arrays and unions.

    gcc/ChangeLog:

    PR middle-end/91490
    * builtins.c (c_strlen): Rename argument and introduce new local.
    Set no-warning bit on original argument.
    * expr.c (string_constant): Pass argument type to fold_ctor_reference.
    Fold empty and zero constructors into empty strings.
    * gimple-fold.c (fold_nonarray_ctor_reference): Return a STRING_CST
    for missing initializers.
    * tree.c (build_string_literal): Handle optional argument.
    * tree.h (build_string_literal): Add defaulted argument.
    * gimple-ssa-warn-restrict.c (maybe_diag_access_bounds): Check
    no-warning bit on original expression.
The underlying cause is fold_nonarray_ctor_reference() returning a scalar zero for apparently out-of-bounds references when determining the initializer for s.a from &s.a[sizeof s.a]. Its caller, constant_byte_string(), then interprets that as an array of a single element initialized to zero, but it incorrectly returns the offset from the beginning of s (i.e., 4 rather than 3 minus 3 for sizeof s.a). Its caller, c_strlen(), then uses the size of the one-element initializer (for "") and the offset (positive 1) as the basis for issuing the warning.
This is also a missed optimization opportunity. Another test case that shows both the bogus warning and the suboptimal codegen is the following. Because there is no explicit initializer for a.b, fold_nonarray_ctor_reference() returns a scalar zero, which again triggers the warning and prevents the strlen call from being folded. The optimization never worked in this case so that part is not a regression.

$ cat z.c && gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout z.c
struct A { char n, a[4], b[4]; };
const struct A a = { };

int f (void)
{
  const char *p = &a.b[2];
  return __builtin_strlen (p - 2);
}
z.c: In function ‘f’:
z.c:7:10: warning: offset ‘5’ outside bounds of constant string [-Warray-bounds]
    7 |   return __builtin_strlen (p - 2);
      |          ^~~~~~~~~~~~~~~~~~~~~~~~
z.c:2:16: note: ‘a’ declared here
    2 | const struct A a = { };
      |                ^

;; Function f (f, funcdef_no=0, decl_uid=1935, cgraph_uid=1, symbol_order=1)

f ()
{
  long unsigned int _1;
  int _3;

  <bb 2> [local count: 1073741824]:
  _1 = __builtin_strlen (&MEM <const char> [(void *)&a + 5B]);
  _3 = (int) _1;
  return _3;

}
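The following is an added example, not part of the bug report, that evaluates the same pointer patterns as q.c and z.c at run time: the past-the-end (or interior) pointer moved back to the start of the member array is a valid in-bounds pointer, strlen has a well-defined result, and the number the warning reports is the offset of the member array from the start of the enclosing struct (1 for s.a, 5 for a.b). The struct and function names below are chosen for this example; `{ 0 }` replaces the empty initializer of z.c for portability.

```c
#include <stddef.h>
#include <string.h>

/* Same layouts and initializers as q.c and z.c in the report. */
struct S { char n, a[3]; };
struct A { char n, a[4], b[4]; };

static const struct S s = { 3, { 2, 1, 0 } };
static const struct A a = { 0 };   /* z.c uses = { }; all zero either way */

/* q.c pattern: one-past-the-end pointer to s.a, moved back to s.a[0]. */
size_t len_via_past_end_s(void)
{
    const char *p = &s.a[sizeof s.a];   /* valid: one past the end of s.a */
    return strlen(p - sizeof s.a);      /* s.a = {2,1,0}, so length 2 */
}

/* z.c pattern: interior pointer into a.b, moved back to a.b[0]. */
size_t len_via_interior_a(void)
{
    const char *p = &a.b[2];
    return strlen(p - 2);               /* a.b is all zero, so length 0 */
}

/* Byte offset of the strlen argument from the start of the enclosing
   object.  This is the value the bogus warning prints ('1' and '5'),
   i.e. the offset within the struct, not within the member array. */
size_t offset_in_s(void)
{
    const char *p = &s.a[sizeof s.a];
    return (size_t)((p - sizeof s.a) - (const char *)&s);
}

size_t offset_in_a(void)
{
    const char *p = &a.b[2];
    return (size_t)((p - 2) - (const char *)&a);
}

/* Offset of the same pointer relative to the member array itself: 0. */
size_t offset_in_member_s(void)
{
    const char *p = &s.a[sizeof s.a];
    return (size_t)((p - sizeof s.a) - s.a);
}
```

Compiling this with an affected GCC and -Wall reproduces the warning on the two strlen calls; the assertions below show the accesses are nonetheless in bounds.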
Confirmed. See also pr84050 for another bug caused by fold_nonarray_ctor_reference() returning a scalar zero for out-of-bounds references (that one is a false negative).
GCC 9.4 is being released, retargeting bugs to GCC 9.5.
GCC 9 branch is being closed.
GCC 10.4 is being released, retargeting bugs to GCC 10.5.
GCC 10 branch is being closed.