[Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c

2024-03-07 Thread law at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Jeffrey A. Law  changed:

           What    |Removed                 |Added
----------------------------------------------------------------
                 CC|                        |law at gcc dot gnu.org
           Priority|P3                      |P2

[Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c

2024-02-13 Thread jakub at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #7 from Jakub Jelinek  ---
Anyway, I think the testcase is very similar to
char a[256], *c, *g;

int
foo (void)
{
  if (__builtin_strlen (c) + __builtin_strlen (g) + 5 > 256)
    return 0;
  __builtin_sprintf (a, "abcd%s%s", c, g);
  return 1;
}
which has started diagnosing this with
r12-5014-g6b8b959675a3e14cfdd2145bd62e4260eb193765 at -O2 -Wall -W

[Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c

2024-02-12 Thread hjl.tools at gmail dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #6 from H.J. Lu  ---
I can reproduce it with r14-8930-g1e94648ab7b370

[Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c

2024-02-12 Thread jakub at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

--- Comment #5 from Jakub Jelinek  ---
That said, the math at least in the reduced testcase is weird.
%d output is at most 11 bytes - strlen ("-2147483648"), + 9 other chars, so that is 42, not 32.  But even using + 42 in there instead of 32 doesn't fix it.
It wouldn't surprise me if the misdesigned warning just sees that each of the strlens clearly has a range [0, 10256-42], after all, when expressed as a range there isn't much more to derive about it, and then uses that [0, 10214] range for each of the %s specifiers.  Though, that is not what the warning says.  Ah, maybe it is because j is known short after inlining or some IPA opts.
Also, because the strlen + strlen + strlen + cst > cst2 condition uses unsigned type, wrap around is theoretically possible, e.g. one could have some PTRDIFF_MAX - epsilon sized string and call it with c = g = j that string.
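Added example, not from the bug report or from GCC: the bound check from the comment #4 testcase rewritten so the unsigned strlen sum cannot wrap (each length is subtracted from the remaining budget instead of being summed), with the fixed contribution of the three %d, the %c, the literal characters and the NUL counted as the 42 bytes described above, and snprintf used so that a wrong bound still cannot write past the buffer. The function names and the 64-byte test buffer are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Widest rendering of each non-string conversion in
 * "%s:%s:%d:%d:%d:%c:%s\n": three %d of at most 11 bytes
 * (strlen ("-2147483648")), one %c, six ':' plus '\n', and the NUL.  */
#define INT_MAX_CHARS 11
#define FIXED_CHARS   (3 * INT_MAX_CHARS + 1 + 7 + 1)   /* = 42 */

/* Overflow-safe check: subtract from the remaining budget rather than
 * summing the lengths, so a PTRDIFF_MAX-sized string can never wrap the
 * size_t sum back below the limit.  Returns 1 when the record fits.  */
static int
fits_in (size_t cap, const char *j, const char *c, const char *g)
{
  const char *parts[3] = { j, c, g };
  size_t budget = cap;
  if (budget < FIXED_CHARS)
    return 0;
  budget -= FIXED_CHARS;
  for (int i = 0; i < 3; i++)
    {
      size_t n = strlen (parts[i]);
      if (n > budget)
        return 0;
      budget -= n;
    }
  return 1;
}

/* Formats into dst only when the bound check passes.  snprintf truncates
 * instead of overflowing if the arithmetic is ever wrong, and the return
 * value is checked so truncation is reported as failure (0), not success.  */
int
format_record (char *dst, size_t cap, const char *j, const char *c,
               int d, int e, int f, char b, const char *g)
{
  if (!fits_in (cap, j, c, g))
    return 0;
  int n = snprintf (dst, cap, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return n >= 0 && (size_t) n < cap;
}
```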

[Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c

2024-02-12 Thread jakub at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Jakub Jelinek  changed:

           What    |Removed                 |Added
----------------------------------------------------------------
                 CC|                        |jakub at gcc dot gnu.org

--- Comment #4 from Jakub Jelinek  ---
Strange, it certainly does reproduce for me:
char a[10256], b, *c, *g;
int d, e, f;

int
foo (char *j)
{
  if (__builtin_strlen (j) + __builtin_strlen (c) + __builtin_strlen (g) + 32 > 10256)
    return 0;
  __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return 1;
}

void
bar (void)
{
  foo ("wctype");
}
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-8919 -quiet -O3 -Wall pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  |                                            ^~
In function ‘foo’,
inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes into a destination of size 10256
9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  |   ^~~~
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-260 -quiet -O3 -Wall pr113752.c
/volume/tor/opt/notnfs/gcc-bisect/obj/gcc/cc1.r14-261 -quiet -O3 -Wall pr113752.c
pr113752.c: In function ‘bar’:
pr113752.c:9:44: warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=]
9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  |                                            ^~
In function ‘foo’,
inlined from ‘bar’ at pr113752.c:16:3:
pr113752.c:9:3: note: ‘__builtin_sprintf’ output between 18 and 20484 bytes into a destination of size 10256
9 |   __builtin_sprintf (a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  |   ^~~~

[Bug tree-optimization/113752] [14 Regression] warning: ‘%s’ directive writing up to 10218 bytes into a region of size between 0 and 10240 [-Wformat-overflow=] since r14-261-g0ef3756adf078c

2024-02-12 Thread aldyh at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113752

Aldy Hernandez  changed:

           What    |Removed                 |Added
----------------------------------------------------------------
                 CC|aldyh at redhat dot com |

--- Comment #3 from Aldy Hernandez  ---
Can't reproduce on x86-64 on recent trunk:

abulafia:~/bld/t/gcc []$ ./xgcc -B./ -c -O3 -Wall a.c
abulafia:~/bld/t/gcc []$ cat a.c
char a[10256];
char b;
char *c, *g;
int d, e, f;
int sprintf(char *, char *, ...);
unsigned long strlen(char *);
int h(char *j) {
  if (strlen(j) + strlen(c) + strlen(g) + 32 > 10256)
    return 0;
  sprintf(a, "%s:%s:%d:%d:%d:%c:%s\n", j, c, d, e, f, b, g);
  return 1;
}