https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107087
Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[13 Regression]             |[12/13 Regression]
                   |bits/stl_algobase.h:431:    |bits/stl_algobase.h:431:
                   |warning: 'void*             |warning: 'void*
                   |__builtin_memcpy(void*,     |__builtin_memcpy(void*,
                   |const void*, unsigned int)' |const void*, unsigned int)'
                   |reading between 8 and       |reading between 8 and
                   |2147483644 bytes from a     |2147483644 bytes from a
                   |region of size 4            |region of size 4
                   |[-Wstringop-overread]       |[-Wstringop-overread]
             Status|RESOLVED                    |REOPENED
           Assignee|rguenth at gcc dot gnu.org  |unassigned at gcc dot gnu.org
         Resolution|FIXED                       |---
   Target Milestone|13.0                        |12.3

--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
Only comment#1 is fixed, the original testcase is
22_locale/money_get/cons/3.cc which still fails with the settings from
comment#7

We have

  <bb 25> [local count: 268328082]:
  _187 = MEM[(struct _Rep *)&_S_empty_rep_storage].D.58774._M_length;
  _189 = MIN_EXPR <_170, _187>;
  if (_189 != 0)
    goto <bb 26>; [50.00%]
  else
    goto <bb 29>; [50.00%]

  <bb 26> [local count: 134164041]:
  if (_189 == 1)
    goto <bb 27>; [34.00%]
  else
    goto <bb 28>; [66.00%]

  <bb 27> [local count: 45615775]:
  MEM[(struct char_type *)_172] = MEM[(const struct character &)&_S_empty_rep_storage + 12];
  goto <bb 29>; [100.00%]

  <bb 28> [local count: 88548267]:
  _173 = _189 * 4;
  __builtin_memcpy (_172, &MEM <size_type[4]> [(void *)&_S_empty_rep_storage + 12B], _173);  // <--- diagnosed

  <bb 29> [local count: 268328083]:
  __negative_sign ={v} {CLOBBER};

so we know that _173 is [2, +INF] * 4 and that's enough to diagnose the call
as we seem to have an idea about the source size (the embedded string length).

There's an intervening operator new preventing CSE of the length of the
destination and while there's a condition of != &_S_empty_rep_storage
control flow converges again before this, so it seems we handle both here.

It's incredibly branchy code :/