With r242674 having enabled the -fprintf-return-value option by default, when warnings are disabled the gimple-ssa-sprintf pass is now exercised in ways it was not being tested. One of these untested use cases exposed a bug in the logic used to compute the minimum number of bytes output by a %.*s directive with a known precision and a string of unknown length. The bug manifested itself by triggering an ICE. The attached patch corrects this problem.
Thanks Martin
PR middle-end/78461 - [7 Regression] ICE: in operator+= gcc/testsuite/ChangeLog: PR middle-end/78461 * gcc.dg/tree-ssa/builtin-sprintf-4.c: New test. * gcc.dg/tree-ssa/builtin-sprintf-warn-2.c: Adjust warning text. gcc/ChangeLog: PR middle-end/78461 * gimple-ssa-sprintf.c (format_string): Correct the maxima and set the minimum number of bytes for an unknown string to zero. Index: gcc/gimple-ssa-sprintf.c =================================================================== --- gcc/gimple-ssa-sprintf.c (revision 242703) +++ gcc/gimple-ssa-sprintf.c (working copy) @@ -1533,18 +1533,15 @@ format_string (const conversion_spec &spec, tree a fmtresult res; /* The maximum number of bytes for an unknown wide character argument - to a "%lc" directive adjusted for precision but not field width. */ + to a "%lc" directive adjusted for precision but not field width. + 6 is the longest UTF-8 sequence for a single wide character. */ const unsigned HOST_WIDE_INT max_bytes_for_unknown_wc - = (1 == warn_format_length ? 0 <= prec ? prec : 0 - : 2 == warn_format_length ? 0 <= prec ? prec : 1 - : 0 <= prec ? prec : 6 /* Longest UTF-8 sequence. */); + = (0 <= prec ? prec : 1 < warn_format_length ? 6 : 1); /* The maximum number of bytes for an unknown string argument to either a "%s" or "%ls" directive adjusted for precision but not field width. */ const unsigned HOST_WIDE_INT max_bytes_for_unknown_str - = (1 == warn_format_length ? 0 <= prec ? prec : 0 - : 2 == warn_format_length ? 0 <= prec ? prec : 1 - : HOST_WIDE_INT_MAX); + = (0 <= prec ? prec : 1 < warn_format_length); /* The result is bounded unless overriddden for a non-constant string of an unknown length. */ @@ -1648,7 +1645,7 @@ format_string (const conversion_spec &spec, tree a if (0 <= prec) { if (slen.range.min >= target_int_max ()) - slen.range.min = max_bytes_for_unknown_str; + slen.range.min = 0; else if ((unsigned)prec < slen.range.min) slen.range.min = prec; Index: gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-4.c =================================================================== --- gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-4.c (revision 0) +++ gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-4.c (working copy) @@ -0,0 +1,69 @@ +/* PR middle-end/78461 - [7 Regression] ICE: in operator+=, at + gimple-ssa-sprintf.c:214 + Disable warnings to exercise code paths through the pass that may + not be exercised when the -Wformat-length option is in effect. */ +/* { dg-compile } + { dg-options "-O2 -fdump-tree-optimized -w" } */ + + +#define CAT(s, n) s ## n +#define FAIL(line) CAT (failure_on_line_, line) + +/* Emit a call to a function named failure_on_line_NNN when EXPR is false. */ +#define ASSERT(expr) \ + do { \ + extern void FAIL (__LINE__)(void); \ + if (!(expr)) FAIL (__LINE__)(); \ + } while (0) + +#define KEEP(line) CAT (keep_call_on_line_, line) + +/* Emit a call to a function named keep_call_on_line_NNN when EXPR is true. + Used to verify that the expression need not be the only one that holds. */ +#define ASSERT_MAYBE(expr) \ + do { \ + extern void KEEP (__LINE__)(void); \ + if (expr) KEEP (__LINE__)(); \ + } while (0) + +int f0 (const char *s) +{ + int n = __builtin_snprintf (0, 0, "%.*s%08x", 1, s, 1); + + ASSERT (7 < n && n < 10); + + ASSERT_MAYBE (8 == n); + ASSERT_MAYBE (9 == n); + + return n; +} + +char buf[64]; + +int f1 (const char *s) +{ + int n = __builtin_snprintf (buf, 64, "%.*s%08x", 1, s, 1); + + ASSERT (7 < n && n < 10); + + ASSERT_MAYBE (8 == n); + ASSERT_MAYBE (9 == n); + + return n; +} + +int f2 (const char *s) +{ + int n = __builtin_snprintf (0, 0, "%.*s", 2, s); + + ASSERT (0 <= n && n <= 2); + + ASSERT_MAYBE (0 == n); + ASSERT_MAYBE (1 == n); + ASSERT_MAYBE (2 == n); + + return n; +} + +/* { dg-final { scan-tree-dump-not "failure_on_line" "optimized"} } + { dg-final { scan-tree-dump-times "keep_call_on_line" 7 "optimized"} } */ Index: gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c =================================================================== --- gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c (revision 242703) +++ gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c (working copy) @@ -93,10 +93,10 @@ void test_s_nonconst (const char *s, const wchar_t T (1, "%s", s); /* { dg-warning "nul past the end" "sprintf transformed into strcpy" { xfail *-*-* } } */ T (1, "%1s", s); /* { dg-warning "nul past the end" } */ T (1, "%.0s", s); - T (1, "%.1s", s); /* { dg-warning "writing a terminating nul" } */ + T (1, "%.1s", s); /* { dg-warning "may write a terminating nul" } */ T (1, "%.0ls", ws); - T (1, "%.1ls", ws); /* { dg-warning "writing a terminating nul" } */ + T (1, "%.1ls", ws); /* { dg-warning "may write a terminating nul" } */ T (1, "%ls", ws); /* { dg-warning "writing a terminating nul" } */ /* Verify that the size of the array is used in lieu of its length.