https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106757
Bug ID: 106757 Summary: Incorrect "writing 1 byte into a region of size 0" warning Product: gcc Version: 12.2.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c Assignee: unassigned at gcc dot gnu.org Reporter: jonathan.leffler at gmail dot com Target Milestone: --- Created attachment 53515 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53515&action=edit Source code (gcc-bug.c) for the repro GCC 11.2.0 is happy with this code (and I believe it is correct). Neither GCC 12.1.0 nor GCC 12.2.0 are happy with this code (and I believe this is a bug). There are no preprocessor directives in the source code. $ /usr/gcc/v12.2.0/bin/gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/work1/gcc/v12.2.0/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.2.0/lto-wrapper Target: x86_64-pc-linux-gnu Configured with: ../gcc-12.2.0/configure --prefix=/usr/gcc/v12.2.0 CC=/usr/bin/gcc CXX=/usr/bin/g++ Thread model: posix Supported LTO compression algorithms: zlib gcc version 12.2.0 (GCC) $ Compilation: $ /usr/gcc/v11.2.0/bin/gcc -c -std=c99 -O3 -Wall -Werror -pedantic -Wextra gcc-bug.c $ /usr/gcc/v12.2.0/bin/gcc -c -std=c99 -O3 -Wall -Werror -pedantic -Wextra gcc-bug.c gcc-bug.c: In function ‘pqr_scanner’: gcc-bug.c:16:24: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] 16 | tmpchar[k] = mbs[k]; | ~~~~~~~~~~~^~~~~~~~ gcc-bug.c:14:14: note: at offset 4 into destination object ‘tmpchar’ of size 4 14 | char tmpchar[MBC_MAX]; | ^~~~~~~ gcc-bug.c:16:24: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] 16 | tmpchar[k] = mbs[k]; | ~~~~~~~~~~~^~~~~~~~ gcc-bug.c:14:14: note: at offset 5 into destination object ‘tmpchar’ of size 4 14 | char tmpchar[MBC_MAX]; | ^~~~~~~ cc1: all warnings being treated as errors $ The -Wall, -Wextra, -pedantic options are not necessary to generate the warning; the -Werror gives an error instead of a warning, of course. $ cat gcc-bug.i # 0 "gcc-bug.c" # 0 "<built-in>" # 0 "<command-line>" # 1 "/usr/include/stdc-predef.h" 1 3 4 # 0 "<command-line>" 2 # 1 "gcc-bug.c" enum { MBC_MAX = 4 }; extern int pqr_scanner(char *mbs); extern int pqr_mbc_len(char *mbs, int n); extern void pqr_use_mbs(const char *mbs, int len); extern char *pqr_mbs_nxt(char *mbs); int pqr_scanner(char *mbs) { while (mbs != 0 && *mbs != '\0') { int len = pqr_mbc_len(mbs, MBC_MAX); char tmpchar[MBC_MAX]; for (int k = 0; k < len; k++) tmpchar[k] = mbs[k]; pqr_use_mbs(tmpchar, len); mbs = pqr_mbs_nxt(mbs); } return 0; } $ The source code contains a comment noting that if I replace `mbs = pqr_nbs_nxt(mbs);` with `mbs += len;`, the bug does not reproduce. In the original code (which was doing work with multi-byte characters and strings), the analogue of pqr_mbc_len() returns either -1 or a value 1..MBC_MAX. The code for the pqr_mbc_len() function was not part of the TU. There was a test for `if (len < 0) return -1;` after the call to pqr_mbc_len() but it wasn't needed for the repro. Just in case - GCC 11.2.0 specs and output from uname -a: $ /usr/gcc/v11.2.0/bin/gcc -v Using built-in specs. COLLECT_GCC=/usr/gcc/v11.2.0/bin/gcc COLLECT_LTO_WRAPPER=/work1/gcc/v11.2.0/bin/../libexec/gcc/x86_64-pc-linux-gnu/11.2.0/lto-wrapper Target: x86_64-pc-linux-gnu Configured with: ../gcc-11.2.0/configure --prefix=/usr/gcc/v11.2.0 CC=/usr/bin/gcc CXX=/usr/bin/g++ Thread model: posix Supported LTO compression algorithms: zlib gcc version 11.2.0 (GCC) $ uname -a Linux njdc-ldev04 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux $ The original function was 100 lines of code in a file of 2600 lines, including 20 headers directly.