https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107087

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[13 Regression]             |[12/13 Regression]
                   |bits/stl_algobase.h:431:    |bits/stl_algobase.h:431:
                   |warning: 'void*             |warning: 'void*
                   |__builtin_memcpy(void*,     |__builtin_memcpy(void*,
                   |const void*, unsigned int)' |const void*, unsigned int)'
                   |reading between 8 and       |reading between 8 and
                   |2147483644 bytes from a     |2147483644 bytes from a
                   |region of size 4            |region of size 4
                   |[-Wstringop-overread]       |[-Wstringop-overread]
             Status|RESOLVED                    |REOPENED
           Assignee|rguenth at gcc dot gnu.org  |unassigned at gcc dot gnu.org
         Resolution|FIXED                       |---
   Target Milestone|13.0                        |12.3

--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
Only comment#1 is fixed, the original testcase is 22_locale/money_get/cons/3.cc
which still fails with the settings from comment#7

We have

<bb 25> [local count: 268328082]:
_187 = MEM[(struct _Rep *)&_S_empty_rep_storage].D.58774._M_length;
_189 = MIN_EXPR <_170, _187>;
if (_189 != 0)
  goto <bb 26>; [50.00%]
else
  goto <bb 29>; [50.00%]

<bb 26> [local count: 134164041]:
if (_189 == 1)
  goto <bb 27>; [34.00%]
else
  goto <bb 28>; [66.00%]

<bb 27> [local count: 45615775]:
MEM[(struct char_type *)_172] = MEM[(const struct character
&)&_S_empty_rep_storage + 12];
goto <bb 29>; [100.00%]

<bb 28> [local count: 88548267]:
_173 = _189 * 4;
__builtin_memcpy (_172, &MEM <size_type[4]> [(void *)&_S_empty_rep_storage +
12B], _173);  // <--- diagnosed

<bb 29> [local count: 268328083]:
__negative_sign ={v} {CLOBBER};

so we know that _173 is [2, +INF] * 4 and that's enough to diagnose the
call as we seem to have an idea about the source size (the embedded
string length).

There's an intervening operator new preventing CSE of the length of the
destination and while there's a condition of != &_S_empty_rep_storage
control flow converges again before this, so it seems we handle both
here.

It's incredibly branchy code :/
