{"id":2219521,"url":"http://patchwork.ozlabs.org/api/patches/2219521/?format=json","web_url":"http://patchwork.ozlabs.org/project/gcc/patch/ac9-w0Cbkq_2NfXV@tucnak/","project":{"id":17,"url":"http://patchwork.ozlabs.org/api/projects/17/?format=json","name":"GNU Compiler Collection","link_name":"gcc","list_id":"gcc-patches.gcc.gnu.org","list_email":"gcc-patches@gcc.gnu.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<ac9-w0Cbkq_2NfXV@tucnak>","list_archive_url":null,"date":"2026-04-03T08:48:03","name":"strlen: Fix up memcpy/strcpy/strcat handling [PR124754]","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"dbf71d774072a41d94513cae6bb131e582afd233","submitter":{"id":671,"url":"http://patchwork.ozlabs.org/api/people/671/?format=json","name":"Jakub Jelinek","email":"jakub@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/gcc/patch/ac9-w0Cbkq_2NfXV@tucnak/mbox/","series":[{"id":498604,"url":"http://patchwork.ozlabs.org/api/series/498604/?format=json","web_url":"http://patchwork.ozlabs.org/project/gcc/list/?series=498604","date":"2026-04-03T08:48:03","name":"strlen: Fix up memcpy/strcpy/strcat handling [PR124754]","version":1,"mbox":"http://patchwork.ozlabs.org/series/498604/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2219521/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219521/checks/","tags":{},"related":[],"headers":{"Return-Path":"<gcc-patches-bounces~incoming=patchwork.ozlabs.org@gcc.gnu.org>","X-Original-To":["incoming@patchwork.ozlabs.org","gcc-patches@gcc.gnu.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","gcc-patches@gcc.gnu.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=VtM6M0+L;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=gcc-patches-bounces~incoming=patchwork.ozlabs.org@gcc.gnu.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=VtM6M0+L","sourceware.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com","sourceware.org; spf=pass smtp.mailfrom=redhat.com","server2.sourceware.org;\n arc=none smtp.remote-ip=170.10.133.124"],"Received":["from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnC7X1zBdz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 19:48:55 +1100 (AEDT)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id DE0054BA23D9\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  3 Apr 2026 08:48:51 +0000 (GMT)","from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by sourceware.org (Postfix) with ESMTP id BBAA04BA2E06\n for <gcc-patches@gcc.gnu.org>; Fri,  3 Apr 2026 08:48:23 +0000 (GMT)","from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-594-WRtmgiiYO0awLfQ4EFVNwA-1; Fri,\n 03 Apr 2026 04:48:09 -0400","from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id D247B18005B4; Fri,  3 Apr 2026 08:48:07 +0000 (UTC)","from tucnak.zalov.cz (unknown [10.44.32.9])\n by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 338053000223; Fri,  3 Apr 2026 08:48:06 +0000 (UTC)","from tucnak.zalov.cz (localhost [127.0.0.1])\n by tucnak.zalov.cz (8.18.1/8.18.1) with ESMTPS id 6338m48F3680549\n (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);\n Fri, 3 Apr 2026 10:48:04 +0200","(from jakub@localhost)\n by tucnak.zalov.cz (8.18.1/8.18.1/Submit) id 6338m32L3680548;\n Fri, 3 Apr 2026 10:48:03 +0200"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org DE0054BA23D9","OpenDKIM Filter v2.11.0 sourceware.org BBAA04BA2E06"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org BBAA04BA2E06","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org BBAA04BA2E06","ARC-Seal":"i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1775206103; cv=none;\n b=LJ6BAS2prbXNyQHP/Z1DOcaDFrFnrHC5rxNsjmGPa7TBjcemjGS7cBfuQVVIhlXJa+ZvfI34jCxymFjcQ+jOgN1KPv0/mdxIdDbicPcl/MqoCvksE05FMdmiCVTJSIdKwinBt84V01BxxkaTPnhHdGHazQjFbwAn5AasPcDg0A8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1775206103; c=relaxed/simple;\n bh=AmrNXJwMD9e2SiGGgZ5PJGPWOuVlH63uDTViGTjC/7o=;\n h=DKIM-Signature:Date:From:To:Subject:Message-ID:MIME-Version;\n b=PVmkcv3EYcgW5Po4y1msvYkD9h6lyFTaynfQjqx389CD3MN6Zz7AKrQ7ryF1ForNirqdWJTOrWbiig+ZGJnQzgELcD3dqnhP8Px6k64WRTUzGjlH/m6rqhDnYGP8EH0/ihJDupAtsALeMsqZFEfTX4Z3e6XllPzGEpfwlwZ7hFg=","ARC-Authentication-Results":"i=1; server2.sourceware.org","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1775206103;\n h=from:from:reply-to:reply-to:subject:subject:date:date:\n message-id:message-id:to:to:cc:cc:mime-version:mime-version:\n content-type:content-type; bh=rgHQ8pjuWFml2tg6Nn+3hhO+5dyBDP0+k7tKB8aXurQ=;\n b=VtM6M0+LwSlR4efH58lIP3h0urG06RNeJYao0uswoE/RZ69xXD0LrywHaFeSmyPkdZEqYT\n 9jEFwzFaJaEnUfmFGfLQt33hpRaXL52FAp5HUfHT/YvhFT1+xoluaup7pAQj3fyUmEQ9NF\n d2v2YCB1QitB79J4CngxnpO+aPxZwGU=","X-MC-Unique":"WRtmgiiYO0awLfQ4EFVNwA-1","X-Mimecast-MFC-AGG-ID":"WRtmgiiYO0awLfQ4EFVNwA_1775206088","Date":"Fri, 3 Apr 2026 10:48:03 +0200","From":"Jakub Jelinek <jakub@redhat.com>","To":"Richard Biener <rguenther@suse.de>,\n Andrew Pinski <andrew.pinski@oss.qualcomm.com>,\n Jeff Law <jeffreyalaw@gmail.com>","Cc":"gcc-patches@gcc.gnu.org","Subject":"[PATCH] strlen: Fix up memcpy/strcpy/strcat handling [PR124754]","Message-ID":"<ac9-w0Cbkq_2NfXV@tucnak>","MIME-Version":"1.0","X-Scanned-By":"MIMEDefang 3.4.1 on 10.30.177.4","X-Mimecast-Spam-Score":"0","X-Mimecast-MFC-PROC-ID":"sZm29nc05GsJmWADXOd4oCdVgzFjtPlRwtCNZsmEfg8_1775206088","X-Mimecast-Originator":"redhat.com","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","X-BeenThere":"gcc-patches@gcc.gnu.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Gcc-patches mailing list <gcc-patches.gcc.gnu.org>","List-Unsubscribe":"<https://gcc.gnu.org/mailman/options/gcc-patches>,\n <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe>","List-Archive":"<https://gcc.gnu.org/pipermail/gcc-patches/>","List-Post":"<mailto:gcc-patches@gcc.gnu.org>","List-Help":"<mailto:gcc-patches-request@gcc.gnu.org?subject=help>","List-Subscribe":"<https://gcc.gnu.org/mailman/listinfo/gcc-patches>,\n <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe>","Reply-To":"Jakub Jelinek <jakub@redhat.com>","Errors-To":"gcc-patches-bounces~incoming=patchwork.ozlabs.org@gcc.gnu.org"},"content":"Hi!\n\nThe following testcase ICEs because it tries to use a freed strinfo.\nstrinfo uses refcounting and vectors of pointers to those are either shared\nin between bbs or unshared when some later bb needs to modify something.\n\nThe ICE is due to the second memcpy handling.  Since r10-5451 it first\ncalls get_stridx on dst (&a), then get_strinfo with the returned index and\nthen get_stridx on src (&a + 24).  &a has been referenced earlier and\nthe pass knows some details on its string length (let's ignore that the\ntestcase invokes UB for now, I think it can happen even on valid code,\njust haven't managed to adjust the testcase, but supposedly the unreduced\noriginal is valid), so the strinfo is shared with other bbs.\nWHen get_stridx is called for &a + 24, it sees it doesn't know anything\nabout that yet and wants to create a strinfo for it.  But related strinfos\nare chained, so &a's next should be &a + 24 in this testcase, that means\nwe need to unshare the &a strinfo so that we can modify it while keeping\nthe one entry used by earlier bbs unmodified.  The problem is that\nhandle_builtin_memcpy called get_strinfo before this, so it got hands on\nthe old still not unshared strinfo for &a and because it isn't refreshed\nafter the get_stridx call by another get_strinfo call, we try to unshare\nit again and break the refcounting.\n\nSo, basically for calls which call get_stridx twice, we need top make sure\nwe do both get_stridx calls before the first get_strinfo call, or repeat\nget_strinfo after the second get_stridx call.\n\nIn handle_builtin_memcpy it used to be right and got broken by r10-5451,\nbut I'm in strcpy/strcat handling I've screwed it up since the pass was\nadded.\n\nFixed thusly, bootstrapped/regtested on x86_64-linux and i686-linux,\nok for trunk and eventually backports?\n\n2026-04-03  Jakub Jelinek  <jakub@redhat.com>\n\n\tPR tree-optimization/124754\n\t* tree-ssa-strlen.cc (strlen_pass::handle_builtin_strcpy): Make\n\tsure both get_stridx calls are done before first get_strinfo call.\n\t(strlen_pass::handle_builtin_memcpy): Likewise.\n\t(strlen_pass::handle_builtin_strcat): Likewise.\n\n\t* g++.dg/tree-ssa/strlenopt-3.C: New test.\n\n\n\tJakub","diff":"--- gcc/tree-ssa-strlen.cc.jj\t2026-03-27 10:17:21.501210523 +0100\n+++ gcc/tree-ssa-strlen.cc\t2026-04-02 13:13:19.846651782 +0200\n@@ -2523,11 +2523,11 @@ strlen_pass::handle_builtin_strcpy (buil\n   dst = gimple_call_arg (stmt, 0);\n   lhs = gimple_call_lhs (stmt);\n   idx = get_stridx (src, stmt);\n+  didx = get_stridx (dst, stmt);\n   si = NULL;\n   if (idx > 0)\n     si = get_strinfo (idx);\n \n-  didx = get_stridx (dst, stmt);\n   olddsi = NULL;\n   oldlen = NULL_TREE;\n   if (didx > 0)\n@@ -3341,11 +3341,12 @@ strlen_pass::handle_builtin_memcpy (buil\n   tree dst = gimple_call_arg (stmt, 0);\n \n   int didx = get_stridx (dst, stmt);\n+  if (didx < 0)\n+    return;\n+  int idx = get_stridx (src, stmt);\n   strinfo *olddsi = NULL;\n   if (didx > 0)\n     olddsi = get_strinfo (didx);\n-  else if (didx < 0)\n-    return;\n \n   if (olddsi != NULL\n       && !integer_zerop (len))\n@@ -3355,7 +3356,6 @@ strlen_pass::handle_builtin_memcpy (buil\n \tadjust_last_stmt (olddsi, stmt, false);\n     }\n \n-  int idx = get_stridx (src, stmt);\n   if (idx == 0)\n     return;\n \n@@ -3533,6 +3533,7 @@ strlen_pass::handle_builtin_strcat (buil\n   didx = get_stridx (dst, stmt);\n   if (didx < 0)\n     return;\n+  idx = get_stridx (src, stmt);\n \n   dsi = NULL;\n   if (didx > 0)\n@@ -3540,7 +3541,6 @@ strlen_pass::handle_builtin_strcat (buil\n \n   srclen = NULL_TREE;\n   si = NULL;\n-  idx = get_stridx (src, stmt);\n   if (idx < 0)\n     srclen = build_int_cst (size_type_node, ~idx);\n   else if (idx > 0)\n--- gcc/testsuite/g++.dg/tree-ssa/strlenopt-3.C.jj\t2026-04-02 13:19:20.318550491 +0200\n+++ gcc/testsuite/g++.dg/tree-ssa/strlenopt-3.C\t2026-04-02 13:17:39.475257439 +0200\n@@ -0,0 +1,21 @@\n+// PR tree-optimization/124754\n+// { dg-do compile }\n+// { dg-options \"-O2 -Wno-stringop-overflow -Wno-stringop-overread\" }\n+\n+char a[3], *c, *d;\n+\n+void\n+foo ()\n+{\n+  try\n+    {\n+      __builtin_memcpy (&a, \"ABCDEFGHIJKLMNOPQRSTUVWX\", 24);\n+      c = new char ('@');\n+      d = new char ('@');\n+      __builtin_memcpy (&a, &a + 8, 1);\n+    }\n+  catch (...)\n+    {\n+      __builtin_abort ();\n+    }\n+}\n","prefixes":[]}