[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Martin Sebor ---
Fixed, but not without a price: some false negatives (pr103637).
[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

--- Comment #8 from CVS Commits ---
The master branch has been updated by Martin Sebor :

https://gcc.gnu.org/g:243a980437b5e7fca56587bf86667005bdf343a7

commit r12-5871-g243a980437b5e7fca56587bf86667005bdf343a7
Author: Martin Sebor
Date:   Thu Dec 9 12:49:28 2021 -0700

    Extend the offset and size of merged object references [PR103215].

    Resolves:
    PR tree-optimization/103215 - bogus -Warray-bounds with two pointers with
    different offsets each

    gcc/ChangeLog:

            PR tree-optimization/103215
            * pointer-query.cc (access_ref::merge_ref): Extend the offset and
            size of the merged object instead of using the larger.

    gcc/testsuite/ChangeLog:

            PR tree-optimization/103215
            * gcc.dg/Wstringop-overflow-58.c: Adjust and xfail expected warnings.
            * gcc.dg/Wstringop-overflow-59.c: Same.
            * gcc.dg/warn-strnlen-no-nul.c: Same.
            * gcc.dg/Warray-bounds-91.c: New test.
            * gcc.dg/Warray-bounds-92.c: New test.
            * gcc.dg/Wstringop-overflow-85.c: New test.
            * gcc.dg/Wstringop-overflow-87.c: New test.
[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #7 from Martin Sebor ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/585180.html
[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org
[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |56456

--- Comment #6 from Martin Sebor ---
The warning follows the type_3 pointer to determine the object it points to.
That leads it to either name_and_type or name_and_type + OFFSET where OFFSET is
in [1, 254].  Between those two, it conservatively picks the former because it
has more space (this is done to avoid false positives for stores).  What it
neglects to do is adjust the bounds of the offset to reflect that of the other.
So the code ends up determining that type_43 points to name_and_type with a
zero offset when it should instead arrive at name_and_type with an offset in
[0, 254].  (If the code also considered the ASSERT_EXPR conditions it should
end up with an offset in [1, 254].)

  [local count: 1073741824]:
  extract (&name_and_type);
  type_7 = __builtin_strrchr (&name_and_type, 95);
  if (type_7 != 0B)
    goto ; [70.00%]
  else
    goto ; [30.00%]

  [local count: 751619281]:
  type_9 = type_7 + 1;

  [local count: 1073741824]:
  # type_3 = PHI
  _1 = __builtin_strcmp ("hot", type_3);
  if (_1 == 0)
    goto ; [50.00%]
  else
    goto ; [50.00%]

  [local count: 536870913]:
  type_10 = type_3 + 18446744073709551615;
  if (&name_and_type == type_3)
    goto ; [17.43%]
  else
    goto ; [82.57%]

  [local count: 443294313]:
  type_11 = [(void *)type_3 + -2B];
  if (&name_and_type == type_10)
    goto ; [17.43%]
  else
    goto ; [82.57%]

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
[Bug 56456] [meta-bug] bogus/missing -Warray-bounds
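To make the merge described in comment #6 concrete, the following C program is a small model written for this page; it is not GCC's pointer-query.cc code. It represents a merged reference as a base object plus a range of possible byte offsets, contrasts the pre-fix rule from comment #6 ("pick the reference with more space, drop the other's offset") with the rule from the r12-5871 commit message ("extend the offset of the merged object"), and then checks the type_11 = type_3[-2] access the way a definite-overflow warning must: only when every possible offset is out of bounds. The 256-byte size of name_and_type, the names ref_t, merge_pick_larger, merge_extend and certainly_out_of_bounds, and the single-byte element are assumptions of this example; the page gives only the [1, 254] offset range for the strrchr()+1 pointer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a merged object reference (what pointer-query.cc calls an
   access_ref).  Illustrative code for this page, not GCC's implementation:
   a base object with a known size and the range [offmin, offmax] of byte
   offsets the pointer may have from the start of that object. */
typedef struct {
    const char *base;
    int64_t size;     /* object size in bytes */
    int64_t offmin;   /* smallest possible offset from the start of base */
    int64_t offmax;   /* largest possible offset */
} ref_t;

/* Pre-fix rule from comment #6: keep whichever reference has more room left
   and discard the other reference's offset range entirely. */
ref_t merge_pick_larger(ref_t a, ref_t b) {
    int64_t room_a = a.size - a.offmin;
    int64_t room_b = b.size - b.offmin;
    return room_a >= room_b ? a : b;
}

/* Post-fix rule (r12-5871): keep the base, but widen the offset range so it
   covers every offset either incoming reference could have. */
ref_t merge_extend(ref_t a, ref_t b) {
    ref_t r = a;
    if (b.offmin < r.offmin) r.offmin = b.offmin;
    if (b.offmax > r.offmax) r.offmax = b.offmax;
    return r;
}

/* Diagnose an access of eltsize bytes at ref + index only when it is out of
   bounds for every offset in the range.  A definite-overflow warning has to
   use this "certainly" test; warning on "possibly" would make a widened
   range produce noise instead of removing it. */
bool certainly_out_of_bounds(ref_t r, int64_t index, int64_t eltsize) {
    int64_t lo = r.offmin + index;
    int64_t hi = r.offmax + index;
    /* Some offset is in bounds iff [lo, hi] intersects [0, size - eltsize]. */
    bool may_be_in_bounds = hi >= 0 && lo + eltsize <= r.size;
    return !may_be_in_bounds;
}

/* Constructed inputs mirroring comment #6.  The 256-byte size is an
   assumption made for this example; the page only states that the
   strrchr()+1 pointer is name_and_type + OFFSET with OFFSET in [1, 254]. */
enum { NAME_AND_TYPE_SIZE = 256 };

ref_t ref_name_and_type(void) {          /* &name_and_type, offset 0 */
    ref_t r = { "name_and_type", NAME_AND_TYPE_SIZE, 0, 0 };
    return r;
}

ref_t ref_after_underscore(void) {       /* type_9 = strrchr(...) + 1 */
    ref_t r = { "name_and_type", NAME_AND_TYPE_SIZE, 1, 254 };
    return r;
}

/* type_3 is the PHI of the two references above; type_11 reads type_3[-2]. */
bool bogus_warning_before_fix(void) {
    ref_t merged = merge_pick_larger(ref_name_and_type(), ref_after_underscore());
    return certainly_out_of_bounds(merged, -2, 1);   /* true: false positive */
}

bool warning_after_fix(void) {
    ref_t merged = merge_extend(ref_name_and_type(), ref_after_underscore());
    return certainly_out_of_bounds(merged, -2, 1);   /* false: offset may be >= 2 */
}

int main(void) {
    ref_t before = merge_pick_larger(ref_name_and_type(), ref_after_underscore());
    ref_t after = merge_extend(ref_name_and_type(), ref_after_underscore());
    printf("pick-larger: %s + [%lld, %lld] -> type_3[-2] certainly OOB: %s\n",
           before.base, (long long)before.offmin, (long long)before.offmax,
           bogus_warning_before_fix() ? "yes (bogus warning)" : "no");
    printf("extend:      %s + [%lld, %lld] -> type_3[-2] certainly OOB: %s\n",
           after.base, (long long)after.offmin, (long long)after.offmax,
           warning_after_fix() ? "yes" : "no");
    return 0;
}
```

The point of the "certainly" test is the same one the commit message makes: once the merged offset is [0, 254] rather than 0, an index of -2 still has in-bounds instantiations, so no definite warning is possible. The price noted in comment #9 follows from the same arithmetic: widening the range can also hide an access that one of the two paths really does take out of bounds.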
[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

--- Comment #5 from Andrew Pinski ---
(In reply to Sergei Trofimovich from comment #4)
> Created attachment 51792 [details]
> gdb-bug.cc

That was filed as PR 102216.
[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

--- Comment #4 from Sergei Trofimovich ---
Created attachment 51792
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51792&action=edit
gdb-bug.cc

Found a similar bug in gdb/C++ at gdb/language.c. It might have a slightly
better loop structure. As a downside, it relies on the very complex std::sort
definition. Extracted example:

#include <algorithm>

enum language_t {
  language_unknown,
  language_auto,
  language_foo,
  nr_languages
};

extern const language_t languages_[nr_languages] /* = { auto, foo, unk } */;

bool lc (language_t, language_t);

const language_t* add_set_language_command ()
{
  language_t *ls = new language_t[nr_languages];

  // pull auto, unk in front. sort the rest
  language_t* ls_p = ls;
  *ls_p++ = language_auto;
  *ls_p++ = language_unknown;

  language_t* sort_begin = ls_p;
  for (const auto lang : languages_)
    {
      // already present
      if (lang == language_auto || lang == language_unknown)
        continue;
      *ls_p++ = lang;
    }
  std::sort (sort_begin, ls_p, lc);

  return ls;
}

$ ./gcc12/bin/g++-12.0.0 -O2 gdb-bug.cc -Werror=array-bounds
In file included from /...-gcc-12.0.0/include/c++/12.0.0/algorithm:61,
                 from gdb-bug.cc:1:
In function 'void std::__final_insertion_sort(_RandomAccessIterator, _RandomAccessIterator, _Compare) [with _RandomAccessIterator = language_t*; _Compare = __gnu_cxx::__ops::_Iter_comp_iter]',
    inlined from 'void std::__sort(_RandomAccessIterator, _RandomAccessIterator, _Compare) [with _RandomAccessIterator = language_t*; _Compare = __gnu_cxx::__ops::_Iter_comp_iter]' at /...-gcc-12.0.0/include/c++/12.0.0/bits/stl_algo.h:1940:31,
    inlined from 'void std::sort(_RAIter, _RAIter, _Compare) [with _RAIter = language_t*; _Compare = bool (*)(language_t, language_t)]' at /nix/store/kckkq6280kixj8wxg4d0ks9lck8nai73-gcc-12.0.0/include/c++/12.0.0/bits/stl_algo.h:4853:18,
    inlined from 'const language_t* add_set_language_command()' at gdb-bug.cc:28:19:
/...-gcc-12.0.0/include/c++/12.0.0/bits/stl_algo.h:1849:32: error: array subscript 18 is outside array bounds of 'language_t [3]' [-Werror=array-bounds]
 1849 |           std::__insertion_sort(__first, __first + int(_S_threshold), __comp);
      |                                                     ~^~
gdb-bug.cc: In function 'const language_t* add_set_language_command()':
gdb-bug.cc:12:53: note: at offset 72 into object of size 12 allocated by 'operator new []'
   12 |   language_t *ls = new language_t[nr_languages];
      |                                                     ^
cc1plus: some warnings being treated as errors