https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119693

Jann Horn <jannh at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |amacleod at redhat dot com

--- Comment #1 from Jann Horn <jannh at google dot com> ---
It looks like the issue is in gcc/gimple-range-op.cc, in cfn_strlen, which has a comment claiming:

```
// To account for the terminating NULL, the maximum length
// is one less than the maximum array size, which in turn
// is one less than PTRDIFF_MAX (or SIZE_MAX where it's
// smaller than the former type).
```

That sounds wrong to me; I think (and experimentally under glibc seem to be right) that even if you were to accept that object sizes are limited by PTRDIFF_MAX, the maximum array size would be equal to PTRDIFF_MAX.

This code was introduced in commit https://gcc.gnu.org/cgit/gcc/commit/?id=90e88fd376bb9ad6223a1f5ccd803d1bd9539b05 ("Ranger classes."), I'm CC'ing the author.