[Bug tree-optimization/107038] Bogus -Wstringop-overflow in dead code

[siddhesh at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107038

Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[13 Regression] Bogus       |Bogus -Wstringop-overflow
                   |-Wstringop-overflow= since  |in dead code
                   |r13-2789-gb40b3035879cf695  |

--- Comment #7 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
[Removing the commit ref and regression since this has been known to fail for
elfutils with __bdos]

OK so here's a reduced reproducer that ought to avoid undefined behaviour.  It
is in fact a case of warning on unreachable code:

typedef long int off_t;
typedef long int ssize_t;
typedef long unsigned int size_t;

extern ssize_t foo_chk (void *buf, size_t nbytes, off_t offset, size_t sz)
    __attribute__((__access__(__write_only__, 1, 2)));

extern ssize_t foo_alias (void *buf, size_t nbytes, off_t offset)
    __attribute__((__access__(__write_only__, 1, 2)));

struct ar_hdr
{
  int buf;
  char ar_size[10];
};

int
elf_begin_rand(void)
{
  struct ar_hdr h = {.ar_size = {0}};
  size_t len = sizeof(h.ar_size);
  ssize_t recvd = 0;

  do
    {
      ssize_t ret;
      do
        {
          char *buf = h.ar_size + recvd;
          size_t nbytes = len - recvd;
          off_t offset = recvd + __builtin_offsetof (struct ar_hdr, ar_size);
          size_t bdos = __builtin_dynamic_object_size (buf, 0);

          if (__builtin_constant_p (bdos) && bdos == (size_t) -1)
            ret = foo_alias (buf, nbytes, offset);
          else
            ret = foo_chk (buf, nbytes, offset, bdos);
        }
      while (ret < 0);
      recvd += ret;
    }
  while ((size_t) recvd < len);
  return recvd;
}

So what's happening here is that ranger tries to infer the ranges backwards
from the possibly taken branch foo_alias to start from the fact that bdos ==
-1.  Here's the IR snippet:


<bb 4> [local count: 1073741824]: 
# recvd_6 = PHI <recvd_2(3), 0(2)>
recvd.0_1 = (sizetype) recvd_6;   
_25 = recvd.0_1 + 4;              
_26 = MAX_EXPR <_25, 16>;         
_27 = _26 - recvd.0_1;            
_24 = _27 + 18446744073709551612; 
buf_13 = &h.ar_size + recvd.0_1;  
nbytes_14 = 10 - recvd.0_1;       
_3 = recvd.0_1 + 4;               
offset_15 = (off_t) _3;           
bdos_16 = _24;                    

Working backwards, _24 is seen to be +INF like bdos_16, which gives _27 the
range of [3,3].

Given that _26 has range of [16, +INF], recvd.0_1 ends up with a range of [13,
18446744073709551612], leaving nbytes with a range of [14,
18446744073709551613].

Ideally somewhere in that chain there ought to have been some hint to indicate
that one of those ranges is impossible, but there isn't.  The nbytes range for
example ought to be limited to [1-10].  Initializing ret in the above program
allows ranger to see that correct range.