6 files changed, 380 insertions, 6 deletions

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 84578a3..b9229e9 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,4 +1,14 @@
 2018-09-14  Martin Sebor  <msebor@redhat.com>
+
+	* builtins.c (unterminated_array): Handle ARRAY_REF.
+	(expand_builtin_stpcpy_1): Detect unterminated char arrays.
+	* builtins.h (unterminated_array): Declare extern.
+	* gimple-fold.c (gimple_fold_builtin_stpcpy): Detect unterminated
+	arrays.
+	(gimple_fold_builtin_sprintf): Propagate NO_WARNING to transformed
+	calls.
+
+2018-09-14  Martin Sebor  <msebor@redhat.com>
 	    Jeff Law  <law@redhat.com>
 
 	* builtins.c (unterminated_array): New.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index be813db..b2b7ca3 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -567,7 +567,7 @@ warn_string_no_nul (location_t loc, const char *fn, tree arg, tree decl)
    the declaration of the object of which the array is a member or
    element.  Otherwise return null.  */
 
-static tree
+tree
 unterminated_array (tree exp)
 {
   if (TREE_CODE (exp) == SSA_NAME)
@@ -578,7 +578,10 @@ unterminated_array (tree exp)
 
       tree rhs1 = gimple_assign_rhs1 (stmt);
       tree_code code = gimple_assign_rhs_code (stmt);
-      if (code != POINTER_PLUS_EXPR)
+      if (code == ADDR_EXPR
+	  && TREE_CODE (TREE_OPERAND (rhs1, 0)) == ARRAY_REF)
+	rhs1 = rhs1;
+      else if (code != POINTER_PLUS_EXPR)
 	return NULL_TREE;
 
       exp = rhs1;
@@ -3981,9 +3984,14 @@ expand_builtin_stpcpy_1 (tree exp, rtx target, machine_mode mode)
 	 compile-time, not an expression containing a string.  This is
 	 because the latter will potentially produce pessimized code
 	 when used to produce the return value.  */
-      if (! c_getstr (src) || ! (len = c_strlen (src, 0)))
+      tree nonstr = NULL_TREE;
+      if (!c_getstr (src, NULL)
+	  || !(len = c_strlen (src, 0, &nonstr, 1)))
 	return expand_movstr (dst, src, target, /*endp=*/2);
 
+      if (nonstr && !TREE_NO_WARNING (exp))
+	warn_string_no_nul (EXPR_LOCATION (exp), "stpcpy", src, nonstr);
+
       lenp1 = size_binop_loc (loc, PLUS_EXPR, len, ssize_int (1));
       ret = expand_builtin_mempcpy_args (dst, src, lenp1,
 					 target, exp, /*endp=*/2);
diff --git a/gcc/builtins.h b/gcc/builtins.h
index 7790c85..45ad684 100644
--- a/gcc/builtins.h
+++ b/gcc/builtins.h
@@ -104,6 +104,7 @@ extern internal_fn associated_internal_fn (tree);
 extern internal_fn replacement_internal_fn (gcall *);
 
 extern void warn_string_no_nul (location_t, const char *, tree, tree);
+extern tree unterminated_array (tree);
 extern tree max_object_size ();
 
 #endif /* GCC_BUILTINS_H */
diff --git a/gcc/gimple-fold.c b/gcc/gimple-fold.c
index e873320..362ab59 100644
--- a/gcc/gimple-fold.c
+++ b/gcc/gimple-fold.c
@@ -2798,7 +2798,7 @@ gimple_fold_builtin_stpcpy (gimple_stmt_iterator *gsi)
   location_t loc = gimple_location (stmt);
   tree dest = gimple_call_arg (stmt, 0);
   tree src = gimple_call_arg (stmt, 1);
-  tree fn, len, lenp1;
+  tree fn, lenp1;
 
   /* If the result is unused, replace stpcpy with strcpy.  */
   if (gimple_call_lhs (stmt) == NULL_TREE)
@@ -2811,10 +2811,25 @@ gimple_fold_builtin_stpcpy (gimple_stmt_iterator *gsi)
       return true;
     }
 
-  len = c_strlen (src, 1);
+  /* Set to non-null if ARG refers to an unterminated array.  */
+  tree nonstr = NULL;
+  tree len = c_strlen (src, 1, &nonstr, 1);
   if (!len
       || TREE_CODE (len) != INTEGER_CST)
-    return false;
+    {
+      nonstr = unterminated_array (src);
+      if (!nonstr)
+	return false;
+    }
+
+  if (nonstr)
+    {
+      /* Avoid folding calls with unterminated arrays.  */
+      if (!gimple_no_warning_p (stmt))
+	warn_string_no_nul (loc, "stpcpy", src, nonstr);
+      gimple_set_no_warning (stmt, true);
+      return false;
+    }
 
   if (optimize_function_for_size_p (cfun)
       /* If length is zero it's small enough.  */
@@ -3077,6 +3092,12 @@ gimple_fold_builtin_sprintf (gimple_stmt_iterator *gsi)
 	 'format' is known to contain no % formats.  */
       gimple_seq stmts = NULL;
       gimple *repl = gimple_build_call (fn, 2, dest, fmt);
+
+      /* Propagate the NO_WARNING bit to avoid issuing the same
+	 warning more than once.  */
+      if (gimple_no_warning_p (stmt))
+	gimple_set_no_warning (repl, true);
+
       gimple_seq_add_stmt_without_update (&stmts, repl);
       if (gimple_call_lhs (stmt))
 	{
@@ -3125,6 +3146,12 @@ gimple_fold_builtin_sprintf (gimple_stmt_iterator *gsi)
       /* Convert sprintf (str1, "%s", str2) into strcpy (str1, str2).  */
       gimple_seq stmts = NULL;
       gimple *repl = gimple_build_call (fn, 2, dest, orig);
+
+      /* Propagate the NO_WARNING bit to avoid issuing the same
+	 warning more than once.  */
+      if (gimple_no_warning_p (stmt))
+	gimple_set_no_warning (repl, true);
+
       gimple_seq_add_stmt_without_update (&stmts, repl);
       if (gimple_call_lhs (stmt))
 	{
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index df6c904..36867ba 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,4 +1,8 @@
 2018-09-14  Martin Sebor  <msebor@redhat.com>
+
+	* gcc.dg/warn-stpcpy-no-nul.c: New test.
+
+2018-09-14  Martin Sebor  <msebor@redhat.com>
 	    Jeff Law  <law@redhat.com>
 
 	* gcc.dg/warn-strcpy-no-nul.c: New test.
diff --git a/gcc/testsuite/gcc.dg/warn-stpcpy-no-nul.c b/gcc/testsuite/gcc.dg/warn-stpcpy-no-nul.c
new file mode 100644
index 0000000..78c4a7f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/warn-stpcpy-no-nul.c
@@ -0,0 +1,324 @@
+/* PR tree-optimization/86552 - missing warning for reading past the end
+   of non-string arrays
+   { dg-do compile }
+   { dg-options "-O2 -Wall -Wno-array-bounds -ftrack-macro-expansion=0" } */
+
+extern char* stpcpy (char*, const char*);
+
+const char a[5] = "12345";   /* { dg-message "declared here" } */
+
+int v0 = 0;
+int v1 = 1;
+int v2 = 1;
+int v3 = 1;
+
+void sink (char*, ...);
+
+#define T(str) sink (stpcpy (d, str))
+
+void test_one_dim_array (char *d)
+{
+  T (a);                /* { dg-warning "argument missing terminating nul" }  */
+  T (&a[0]);            /* { dg-warning "nul" }  */
+  T (&a[0] + 1);        /* { dg-warning "nul" }  */
+  T (&a[1]);            /* { dg-warning "nul" }  */
+
+  int i0 = 0;
+  int i1 = i0 + 1;
+
+  T (&a[i0]);           /* { dg-warning "nul" }  */
+  T (&a[i0] + 1);       /* { dg-warning "nul" }  */
+  T (&a[i1]);           /* { dg-warning "nul" }  */
+
+  T (&a[v0]);           /* { dg-warning "nul" }  */
+  T (&a[v0] + 1);       /* { dg-warning "nul" }  */
+  T (&a[v0] + v1);      /* { dg-warning "nul" }  */
+}
+
+const char b[][5] = { /* { dg-message "declared here" } */
+  "12", "123", "1234", "54321"
+};
+
+void test_two_dim_array (char *d)
+{
+  int i0 = 0;
+  int i1 = i0 + 1;
+  int i2 = i1 + 1;
+  int i3 = i2 + 1;
+
+  T (b[0]);
+  T (b[1]);
+  T (b[2]);
+  T (b[3]);             /* { dg-warning "nul" }  */
+  T (b[i0]);
+  T (b[i1]);
+  T (b[i2]);
+  T (b[i3]);            /* { dg-warning "nul" }  */
+  T (b[v0]);
+  T (b[v3]);
+
+  T (&b[2][1]);
+  T (&b[2][1] + 1);
+  T (&b[2][v0]);
+  T (&b[2][1] + v0);
+
+  T (&b[i2][i1]);
+  T (&b[i2][i1] + i1);
+  T (&b[i2][v0]);
+  T (&b[i2][i1] + v0);
+
+  T (&b[3][1]);         /* { dg-warning "nul" }  */
+  T (&b[3][1] + 1);     /* { dg-warning "nul" }  */
+  T (&b[3][v0]);        /* { dg-warning "nul" }  */
+  T (&b[3][1] + v0);    /* { dg-warning "nul" }  */
+  T (&b[3][v0] + v1);   /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (&b[i3][i1]);       /* { dg-warning "nul" }  */
+  T (&b[i3][i1] + i1);  /* { dg-warning "nul" }  */
+  T (&b[i3][v0]);       /* { dg-warning "nul" }  */
+  T (&b[i3][i1] + v0);  /* { dg-warning "nul" }  */
+  T (&b[i3][v0] + v1);  /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (v0 ? "" : b[0]);
+  T (v0 ? "" : b[1]);
+  T (v0 ? "" : b[2]);
+  T (v0 ? "" : b[3]);               /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? b[0] : "");
+  T (v0 ? b[1] : "");
+  T (v0 ? b[2] : "");
+  T (v0 ? b[3] : "");               /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (v0 ? "1234" : b[3]);           /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? b[3] : "1234");           /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (v0 ? a : b[3]);                /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? b[0] : b[2]);
+  T (v0 ? b[2] : b[3]);             /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? b[3] : b[2]);             /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (v0 ? b[0] : &b[3][0] + 1);     /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? b[1] : &b[3][1] + v0);    /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  /* It's possible to detect the missing nul in the following two
+     expressions but GCC doesn't do it yet.  */
+  T (v0 ? &b[3][1] + v0 : b[2]);    /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? &b[3][v0] : &b[3][v1]);   /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+}
+
+struct A { char a[5], b[5]; };
+
+const struct A s = { "1234", "12345" };
+
+void test_struct_member (char *d)
+{
+  int i0 = 0;
+  int i1 = i0 + 1;
+
+  T (s.a);
+  T (&s.a[0]);
+  T (&s.a[0] + 1);
+  T (&s.a[0] + i0);
+  T (&s.a[1]);
+  T (&s.a[1] + 1);
+  T (&s.a[1] + i0);
+
+  T (&s.a[i0]);
+  T (&s.a[i0] + 1);
+  T (&s.a[i0] + v0);
+  T (&s.a[i1]);
+  T (&s.a[i1] + 1);
+  T (&s.a[i1] + v0);
+
+  T (s.a);
+  T (&s.a[0]);
+  T (&s.a[0] + 1);
+  T (&s.a[0] + v0);
+  T (&s.a[1]);
+  T (&s.a[1] + 1);
+  T (&s.a[1] + v0);
+
+  T (&s.a[i0]);
+  T (&s.a[i0] + 1);
+  T (&s.a[i0] + v0);
+  T (&s.a[i1]);
+  T (&s.a[i1] + 1);
+  T (&s.a[i1] + v0);
+
+  T (&s.a[v0]);
+  T (&s.a[v0] + 1);
+  T (&s.a[v0] + v0);
+  T (&s.a[v1]);
+  T (&s.a[v1] + 1);
+  T (&s.a[v1] + v0);
+
+  T (s.b);              /* { dg-warning "nul" }  */
+  T (&s.b[0]);          /* { dg-warning "nul" }  */
+  T (&s.b[0] + 1);      /* { dg-warning "nul" }  */
+  T (&s.b[0] + i0);     /* { dg-warning "nul" }  */
+  T (&s.b[1]);          /* { dg-warning "nul" }  */
+  T (&s.b[1] + 1);      /* { dg-warning "nul" }  */
+  T (&s.b[1] + i0);     /* { dg-warning "nul" }  */
+
+  T (s.b);              /* { dg-warning "nul" }  */
+  T (&s.b[0]);          /* { dg-warning "nul" }  */
+  T (&s.b[0] + 1);      /* { dg-warning "nul" }  */
+  T (&s.b[0] + v0);     /* { dg-warning "nul" }  */
+  T (&s.b[1]);          /* { dg-warning "nul" }  */
+  T (&s.b[1] + 1);      /* { dg-warning "nul" }  */
+  T (&s.b[1] + v0);     /* { dg-warning "nul" }  */
+
+  T (s.b);              /* { dg-warning "nul" }  */
+  T (&s.b[v0]);         /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (&s.b[v0] + 1);     /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (&s.b[v0] + v0);    /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (&s.b[v1]);         /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (&s.b[v1] + 1);     /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (&s.b[v1] + v0);    /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+}
+
+struct B { struct A a[2]; };
+
+const struct B ba[] = {
+  { { { "123", "12345" }, { "12345", "123" } } },
+  { { { "12345", "123" }, { "123", "12345" } } },
+  { { { "1", "12" },      { "123", "1234" } } },
+  { { { "123", "1234" },  { "12345", "12" } } }
+};
+
+void test_array_of_structs (char *d)
+{
+  T (ba[0].a[0].a);
+  T (&ba[0].a[0].a[0]);
+  T (&ba[0].a[0].a[0] + 1);
+  T (&ba[0].a[0].a[0] + v0);
+  T (&ba[0].a[0].a[1]);
+  T (&ba[0].a[0].a[1] + 1);
+  T (&ba[0].a[0].a[1] + v0);
+
+  T (ba[0].a[0].b);           /* { dg-warning "nul" }  */
+  T (&ba[0].a[0].b[0]);       /* { dg-warning "nul" }  */
+  T (&ba[0].a[0].b[0] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[0].a[0].b[0] + v0);  /* { dg-warning "nul" }  */
+  T (&ba[0].a[0].b[1]);       /* { dg-warning "nul" }  */
+  T (&ba[0].a[0].b[1] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[0].a[0].b[1] + v0);  /* { dg-warning "nul" }  */
+
+  T (ba[0].a[1].a);           /* { dg-warning "nul" }  */
+  T (&ba[0].a[1].a[0]);       /* { dg-warning "nul" }  */
+  T (&ba[0].a[1].a[0] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[0].a[1].a[0] + v0);  /* { dg-warning "nul" }  */
+  T (&ba[0].a[1].a[1]);       /* { dg-warning "nul" }  */
+  T (&ba[0].a[1].a[1] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[0].a[1].a[1] + v0);  /* { dg-warning "nul" }  */
+
+  T (ba[0].a[1].b);
+  T (&ba[0].a[1].b[0]);
+  T (&ba[0].a[1].b[0] + 1);
+  T (&ba[0].a[1].b[0] + v0);
+  T (&ba[0].a[1].b[1]);
+  T (&ba[0].a[1].b[1] + 1);
+  T (&ba[0].a[1].b[1] + v0);
+
+
+  T (ba[1].a[0].a);           /* { dg-warning "nul" }  */
+  T (&ba[1].a[0].a[0]);       /* { dg-warning "nul" }  */
+  T (&ba[1].a[0].a[0] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[1].a[0].a[0] + v0);  /* { dg-warning "nul" }  */
+  T (&ba[1].a[0].a[1]);       /* { dg-warning "nul" }  */
+  T (&ba[1].a[0].a[1] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[1].a[0].a[1] + v0);  /* { dg-warning "nul" }  */
+
+  T (ba[1].a[0].b);
+  T (&ba[1].a[0].b[0]);
+  T (&ba[1].a[0].b[0] + 1);
+  T (&ba[1].a[0].b[0] + v0);
+  T (&ba[1].a[0].b[1]);
+  T (&ba[1].a[0].b[1] + 1);
+  T (&ba[1].a[0].b[1] + v0);
+
+  T (ba[1].a[1].a);
+  T (&ba[1].a[1].a[0]);
+  T (&ba[1].a[1].a[0] + 1);
+  T (&ba[1].a[1].a[0] + v0);
+  T (&ba[1].a[1].a[1]);
+  T (&ba[1].a[1].a[1] + 1);
+  T (&ba[1].a[1].a[1] + v0);
+
+  T (ba[1].a[1].b);           /* { dg-warning "nul" }  */
+  T (&ba[1].a[1].b[0]);       /* { dg-warning "nul" }  */
+  T (&ba[1].a[1].b[0] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[1].a[1].b[0] + v0);  /* { dg-warning "nul" }  */
+  T (&ba[1].a[1].b[1]);       /* { dg-warning "nul" }  */
+  T (&ba[1].a[1].b[1] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[1].a[1].b[1] + v0);  /* { dg-warning "nul" }  */
+
+
+  T (ba[2].a[0].a);
+  T (&ba[2].a[0].a[0]);
+  T (&ba[2].a[0].a[0] + 1);
+  T (&ba[2].a[0].a[0] + v0);
+  T (&ba[2].a[0].a[1]);
+  T (&ba[2].a[0].a[1] + 1);
+  T (&ba[2].a[0].a[1] + v0);
+
+  T (ba[2].a[0].b);
+  T (&ba[2].a[0].b[0]);
+  T (&ba[2].a[0].b[0] + 1);
+  T (&ba[2].a[0].b[0] + v0);
+  T (&ba[2].a[0].b[1]);
+  T (&ba[2].a[0].b[1] + 1);
+  T (&ba[2].a[0].b[1] + v0);
+
+  T (ba[2].a[1].a);
+  T (&ba[2].a[1].a[0]);
+  T (&ba[2].a[1].a[0] + 1);
+  T (&ba[2].a[1].a[0] + v0);
+  T (&ba[2].a[1].a[1]);
+  T (&ba[2].a[1].a[1] + 1);
+  T (&ba[2].a[1].a[1] + v0);
+
+
+  T (ba[3].a[0].a);
+  T (&ba[3].a[0].a[0]);
+  T (&ba[3].a[0].a[0] + 1);
+  T (&ba[3].a[0].a[0] + v0);
+  T (&ba[3].a[0].a[1]);
+  T (&ba[3].a[0].a[1] + 1);
+  T (&ba[3].a[0].a[1] + v0);
+
+  T (ba[3].a[0].b);
+  T (&ba[3].a[0].b[0]);
+  T (&ba[3].a[0].b[0] + 1);
+  T (&ba[3].a[0].b[0] + v0);
+  T (&ba[3].a[0].b[1]);
+  T (&ba[3].a[0].b[1] + 1);
+  T (&ba[3].a[0].b[1] + v0);
+
+  T (ba[3].a[1].a);           /* { dg-warning "nul" }  */
+  T (&ba[3].a[1].a[0]);	      /* { dg-warning "nul" }  */
+  T (&ba[3].a[1].a[0] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[3].a[1].a[0] + v0);  /* { dg-warning "nul" }  */
+  T (&ba[3].a[1].a[1]);	      /* { dg-warning "nul" }  */
+  T (&ba[3].a[1].a[1] + 1);   /* { dg-warning "nul" }  */
+  T (&ba[3].a[1].a[1] + v0);  /* { dg-warning "nul" }  */
+
+  T (ba[3].a[1].b);
+  T (&ba[3].a[1].b[0]);	
+  T (&ba[3].a[1].b[0] + 1);
+  T (&ba[3].a[1].b[0] + v0);
+  T (&ba[3].a[1].b[1]);	
+  T (&ba[3].a[1].b[1] + 1);
+  T (&ba[3].a[1].b[1] + v0);
+
+
+  T (v0 ? ba[0].a[0].a : ba[0].a[0].b);           /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? ba[0].a[0].a : ba[0].a[0].b);           /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (v0 ? &ba[0].a[0].a[0] : &ba[3].a[1].a[0]);   /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+  T (v0 ? &ba[3].a[1].a[1] :  ba[0].a[0].a);      /* { dg-warning "nul" "bug ???" { xfail *-*-* } }  */
+
+  T (v0 ? ba[0].a[0].a : ba[0].a[1].b);
+  T (v0 ? ba[0].a[1].b : ba[0].a[0].a);
+}
+
+/* { dg-prune-output " reading \[1-9\]\[0-9\]? bytes from a region " } */