On 10/8/21 12:51 PM, Martin Sebor via Gcc-patches wrote:
I.e., in the test:
#include <stddef.h>  /* size_t */
#include <stdio.h>   /* sprintf */

void g (char *s1, char *s2)
{
  char b[1025];
  size_t n = __builtin_strlen (s1), d = __builtin_strlen (s2);
  if (n + d + 1 >= 1025)
    return;
  sprintf (b, "%s.%s", s1, s2); // { dg-bogus "\\\[-Wformat-overflow" }
}
the range of n and d is [0, INF] and so the sprintf call doesn't
trigger a warning. With your change, because their range is
[0, 1023] each (and there's no way to express that their sum
is less than 1025), the warning triggers because it considers
the worst case scenario (the upper bounds of both).
So the warning operates on the assumption that no info is OK, but
improved information causes them to break because it can't figure out
what to do with it?
Does this ever work when there is more than 1 string in the sprintf? It
seems that it's the inherent lack of being able to associate an
expression with a predicate that is the problem here. If this is a
single string, then an accurate range should be able to come up with an
accurate answer. But as soon as there is a second string, this is bound
to fail unless the strings are known to be 1/2 their size, and likewise
if there were 3 strings, 1/3 their size...
Should we even be attempting to warn for multiple strings if we aren't
going to be able to calculate them accurately? It seems like a recipe
for a lot of false positives. And then once we figure out how to
combine the range info with the appropriate predicates, turn it back on?
Andrew
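Added example, not code from the thread or from GCC: a small C model of the worst-case reasoning Martin describes (the names worst_case_bytes, would_warn and the INF stand-in for an unbounded range are assumptions of this example), next to the guarded function from the test run at its boundary, which shows that the guard does keep sprintf inside the 1025-byte buffer and that the warning on the [0, 1023] ranges is therefore a false positive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF 1025
#define INF SIZE_MAX   /* stands in for the analyzer's unbounded upper bound */

/* Worst-case bytes sprintf(b, "%s.%s", s1, s2) stores, NUL included, from the
 * upper bounds of the two lengths; 0 when a bound is unknown (nothing to compare). */
static size_t worst_case_bytes(size_t n_hi, size_t d_hi)
{
    if (n_hi == INF || d_hi == INF)
        return 0;
    return n_hi + 1 + d_hi + 1;   /* s1, '.', s2, NUL */
}

/* Models the decision the thread describes: warn if the worst case exceeds
 * the buffer.  sum_hi is the largest n + d the guard allows, or INF when the
 * analyzer cannot express that relation between the two ranges. */
static int would_warn(size_t n_hi, size_t d_hi, size_t sum_hi)
{
    size_t worst = worst_case_bytes(n_hi, d_hi);
    if (worst == 0)
        return 0;                 /* no info: no warning */
    if (sum_hi != INF && sum_hi + 2 < worst)
        worst = sum_hi + 2;       /* relation known: '.' and NUL on top of the sum */
    return worst > BUF;
}

/* The guarded function from the test, run for real with a caller's buffer. */
static int g_checked(char *b, const char *s1, const char *s2)
{
    size_t n = strlen(s1), d = strlen(s2);
    if (n + d + 1 >= BUF)
        return 0;                 /* guard rejects: nothing written */
    sprintf(b, "%s.%s", s1, s2);
    return 1;
}

/* Boundary the guard just admits: n = 1023, d = 0 gives n + d + 1 == 1024,
 * and the 1024 output characters plus NUL fill the buffer exactly. */
static size_t boundary_len(void)
{
    static char b[BUF];
    char s1[1024], s2[1] = { 0 };
    memset(s1, 'a', 1023);
    s1[1023] = 0;
    return g_checked(b, s1, s2) ? strlen(b) : 0;
}
```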