[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-12-09 Thread msebor at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #9 from Martin Sebor  ---
Fixed, but not without a price: some false negatives (pr103637).

[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-12-09 Thread cvs-commit at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

--- Comment #8 from CVS Commits  ---
The master branch has been updated by Martin Sebor :

https://gcc.gnu.org/g:243a980437b5e7fca56587bf86667005bdf343a7

commit r12-5871-g243a980437b5e7fca56587bf86667005bdf343a7
Author: Martin Sebor 
Date:   Thu Dec 9 12:49:28 2021 -0700

Extend the offset and size of merged object references [PR103215].

Resolves:
PR tree-optimization/103215 - bogus -Warray-bounds with two pointers with
different offsets each

gcc/ChangeLog:

PR tree-optimization/103215
* pointer-query.cc (access_ref::merge_ref): Extend the offset and
size of the merged object instead of using the larger.

gcc/testsuite/ChangeLog:

PR tree-optimization/103215
* gcc.dg/Wstringop-overflow-58.c: Adjust and xfail expected
warnings.
* gcc.dg/Wstringop-overflow-59.c: Same.
* gcc.dg/warn-strnlen-no-nul.c: Same.
* gcc.dg/Warray-bounds-91.c: New test.
* gcc.dg/Warray-bounds-92.c: New test.
* gcc.dg/Wstringop-overflow-85.c: New test.
* gcc.dg/Wstringop-overflow-87.c: New test.

[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-11-22 Thread msebor at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor  changed:

   What|Removed |Added

   Keywords||patch

--- Comment #7 from Martin Sebor  ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/585180.html

[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-11-15 Thread msebor at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor  changed:

   What|Removed |Added

 Status|NEW |ASSIGNED
   Assignee|unassigned at gcc dot gnu.org  |msebor at gcc dot gnu.org

[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-11-15 Thread msebor at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

Martin Sebor  changed:

   What|Removed |Added

 Blocks||56456

--- Comment #6 from Martin Sebor  ---
The warning follows the type_3 pointer to determine the object it points to. 
That leads it to either name_and_type or name_and_type + OFFSET where OFFSET is
in [1, 254].  Between those two, it conservatively picks the former because it
has more space (this is done to avoid false positives for stores).  What it
neglects to do is adjust the bounds of the offset to reflect that of the other.
So the code ends up determining that type_43 points to name_and_type with a
zero offset when it should instead arrive at name_and_type with an offset in
[0, 254].  (If the code also considered the ASSERT_EXPR conditions it should
end up with an offset in [1, 254].)

   [local count: 1073741824]:
  extract (_and_type);
  type_7 = __builtin_strrchr (_and_type, 95);
  if (type_7 != 0B)
goto ; [70.00%]
  else
goto ; [30.00%]

   [local count: 751619281]:
  type_9 = type_7 + 1;

   [local count: 1073741824]:
  # type_3 = PHI 
  _1 = __builtin_strcmp ("hot", type_3);
  if (_1 == 0)
goto ; [50.00%]
  else
goto ; [50.00%]

   [local count: 536870913]:
  type_10 = type_3 + 18446744073709551615;
  if (_and_type == type_3)
goto ; [17.43%]
  else
goto ; [82.57%]

   [local count: 443294313]:
  type_11 =   [(void *)type_3 + -2B];
  if (_and_type == type_10)
goto ; [17.43%]
  else
goto ; [82.57%]


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
[Bug 56456] [meta-bug] bogus/missing -Warray-bounds
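
A simplified model of the merge described in comment #6, added here as an illustration; it is not GCC's pointer-query.cc, and the AccessRef type, the 256-byte object size and the function names are constructed assumptions:

```cpp
#include <algorithm>
#include <cstddef>

// Constructed model of one pointer's target: the size of the object it
// points into and the range of offsets the pointer may have into it.
struct AccessRef {
    std::size_t objsize;   // size of the pointed-to object in bytes
    long offmin, offmax;   // possible offsets of the pointer from the object start
};

// Pre-fix behaviour as described in comment #6: of two candidates for the
// same object, keep the one with more space left and drop the other's offsets.
AccessRef merge_pick_larger(const AccessRef &a, const AccessRef &b) {
    long space_a = static_cast<long>(a.objsize) - a.offmin;
    long space_b = static_cast<long>(b.objsize) - b.offmin;
    return space_a >= space_b ? a : b;
}

// Post-fix behaviour (r12-5871): keep the larger size but widen the offset
// range so it covers every offset either candidate could have.
AccessRef merge_extend(const AccessRef &a, const AccessRef &b) {
    return { std::max(a.objsize, b.objsize),
             std::min(a.offmin, b.offmin),
             std::max(a.offmax, b.offmax) };
}

// A diagnostic is only justified when the access lies outside the object for
// every offset in the range: entirely before its start or at/after its end.
bool definitely_out_of_bounds(const AccessRef &r, long delta, std::size_t len) {
    long lo = r.offmin + delta;                          // lowest possible access start
    long hi = r.offmax + delta;                          // highest possible access start
    bool before = hi + static_cast<long>(len) <= 0;      // ends before byte 0 for all offsets
    bool after  = lo >= static_cast<long>(r.objsize);    // starts past the end for all offsets
    return before || after;
}

// The two candidates from comment #6 with a constructed 256-byte object:
// name_and_type itself, and name_and_type + OFFSET with OFFSET in [1, 254].
const AccessRef kNameAndType{256, 0, 0};
const AccessRef kNameAndTypePlusOffset{256, 1, 254};

// The one-byte read at type_3 + -2 from the dump: true means "warn".
bool warns_with_buggy_merge() {
    return definitely_out_of_bounds(merge_pick_larger(kNameAndType, kNameAndTypePlusOffset), -2, 1);
}
bool warns_with_fixed_merge() {
    return definitely_out_of_bounds(merge_extend(kNameAndType, kNameAndTypePlusOffset), -2, 1);
}
```

With the buggy merge the offset collapses to exactly 0, so `type_3 - 2` is reported as out of bounds; with the widened range [0, 254] the access may be in bounds and no warning is issued.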

[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-11-14 Thread pinskia at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

--- Comment #5 from Andrew Pinski  ---
(In reply to Sergei Trofimovich from comment #4)
> Created attachment 51792 [details]
> gdb-bug.cc

That was filed as PR 102216.

[Bug tree-optimization/103215] [12 regression] gcc generates unexpected warnings on libx11-1.7.2: error: array subscript -2 is outside array bounds of since r12-3124-g820f0940d7ace130

2021-11-14 Thread slyfox at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103215

--- Comment #4 from Sergei Trofimovich  ---
Created attachment 51792
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51792&action=edit
gdb-bug.cc

Found similar bug in gdb/c++ at gdb/language.c. It might have slightly better
loop structure.
As a downside it relies on very complex std::sort definition. Extracted
example:

#include <algorithm>
enum language_t {
  language_unknown,
  language_auto,
  language_foo,
  nr_languages
};
extern const language_t languages_[nr_languages] /* = { auto, foo, unk } */;
bool lc (language_t, language_t);
const language_t* add_set_language_command ()
{
  language_t *ls = new language_t[nr_languages];

  // pull auto, unk in front. sort the rest
  language_t* ls_p = ls;
  *ls_p++ = language_auto;
  *ls_p++ = language_unknown;

  language_t* sort_begin = ls_p;
  for (const auto lang : languages_)
    {
      // already present
      if (lang == language_auto || lang == language_unknown)
        continue;

      *ls_p++ = lang;
    }
  std::sort (sort_begin, ls_p, lc);
  return ls;
}

$ ./gcc12/bin/g++-12.0.0 -O2 gdb-bug.cc -Werror=array-bounds

In file included from /...-gcc-12.0.0/include/c++/12.0.0/algorithm:61,
 from gdb-bug.cc:1:
In function 'void std::__final_insertion_sort(_RandomAccessIterator,
_RandomAccessIterator, _Compare) [with _RandomAccessIterator = language_t*;
_Compare = __gnu_cxx::__ops::_Iter_comp_iter]',
inlined from 'void std::__sort(_RandomAccessIterator,
_RandomAccessIterator, _Compare) [with _RandomAccessIterator = language_t*;
_Compare = __gnu_cxx::__ops::_Iter_comp_iter]' at /...-gcc-12.0.0/include/c++/12.0.0/bits/stl_algo.h:1940:31,
inlined from 'void std::sort(_RAIter, _RAIter, _Compare) [with _RAIter =
language_t*; _Compare = bool (*)(language_t, language_t)]' at
/nix/store/kckkq6280kixj8wxg4d0ks9lck8nai73-gcc-12.0.0/include/c++/12.0.0/bits/stl_algo.h:4853:18,
inlined from 'const language_t* add_set_language_command()' at
gdb-bug.cc:28:19:
/...-gcc-12.0.0/include/c++/12.0.0/bits/stl_algo.h:1849:32: error: array
subscript 18 is outside array bounds of 'language_t [3]' [-Werror=array-bounds]
 1849 |   std::__insertion_sort(__first, __first + int(_S_threshold),
__comp);
  |  
~^~
gdb-bug.cc: In function 'const language_t* add_set_language_command()':
gdb-bug.cc:12:53: note: at offset 72 into object of size 12 allocated by
'operator new []'
   12 | language_t *ls = new language_t[nr_languages];
  | ^
cc1plus: some warnings being treated as errors