[committed] libstdc++: Disable over-zealous warnings about std::string copies [PR103332]
| Message ID | 20211209232453.1568609-1-jwakely@redhat.com |
|---|---|
| State | Committed |
| Commit | f8463b0e3ec2438b4cfb8c9a468d59761db2c8a0 |
| Headers |
Return-Path: <gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id B67503858402 for <patchwork@sourceware.org>; Thu, 9 Dec 2021 23:26:28 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org B67503858402 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1639092388; bh=qj2XaNiHAxglwEiA2t1Ueh60PlFuA6HBfdXVHjv2hHY=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=kgDGCG42t1MlTjS9+/TTGrH8KyjUlf9lvKNMvpJfp0wioCEl6VuDwcLzGAMuN3/B4 lWEyF+uFRRjQxV/NZy/ZgXYB7AC9luqAkF3V971tP7SUVfmLr098QFfzXC6CcSimjY sepQVEje2Lg2QOa9yUMss7c/bIis0PX9n8WvQsn0= X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 0DFA4385801E for <gcc-patches@gcc.gnu.org>; Thu, 9 Dec 2021 23:24:58 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0DFA4385801E Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-446-tPok0jHLN1aXYpFqUSpDaw-1; Thu, 09 Dec 2021 18:24:56 -0500 X-MC-Unique: tPok0jHLN1aXYpFqUSpDaw-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9F539760C0; Thu, 9 Dec 2021 23:24:55 +0000 (UTC) Received: from localhost (unknown [10.33.36.71]) by smtp.corp.redhat.com (Postfix) with ESMTP id 153995D9D5; Thu, 9 Dec 2021 23:24:54 +0000 (UTC) To: libstdc++@gcc.gnu.org, gcc-patches@gcc.gnu.org Subject: [committed] libstdc++: Disable over-zealous warnings about std::string copies [PR103332] Date: Thu, 9 Dec 2021 23:24:53 +0000 Message-Id: <20211209232453.1568609-1-jwakely@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" X-Spam-Status: No, score=-13.9 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org> List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>, <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe> List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/> List-Post: <mailto:gcc-patches@gcc.gnu.org> List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help> List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>, <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe> From: Jonathan Wakely via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: Jonathan Wakely <jwakely@redhat.com> Errors-To: gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org Sender: "Gcc-patches" <gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org> |
| Series |
[committed] libstdc++: Disable over-zealous warnings about std::string copies [PR103332]
|
|
Commit Message
Jonathan Wakely
Dec. 9, 2021, 11:24 p.m. UTC
These warnings are triggered by perfectly valid code using std::string. They're particularly bad when --enable-fully-dynamic-string is used, because even std::string().begin() will give a warning. Use pragmas to stop the troublesome warnings for copies done by std::char_traits. libstdc++-v3/ChangeLog: PR libstdc++/103332 PR libstdc++/102958 PR libstdc++/103483 * include/bits/char_traits.h: Suppress stringop and array-bounds warnings. --- libstdc++-v3/include/bits/char_traits.h | 7 +++++++ 1 file changed, 7 insertions(+)
Comments
On 12/9/21 4:24 PM, Jonathan Wakely via Gcc-patches wrote: > These warnings are triggered by perfectly valid code using std::string. > They're particularly bad when --enable-fully-dynamic-string is used, > because even std::string().begin() will give a warning. > > Use pragmas to stop the troublesome warnings for copies done by > std::char_traits. I'm still experimenting with some of the approaches we discussed last week, but based on my findings so far this was going to be my suggestion at lest for now, until or unless the problem turns out to affect more code than just std::string. That said, I noticed a typo in the patch: > > libstdc++-v3/ChangeLog: > > PR libstdc++/103332 > PR libstdc++/102958 > PR libstdc++/103483 > * include/bits/char_traits.h: Suppress stringop and array-bounds > warnings. > --- > libstdc++-v3/include/bits/char_traits.h | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/libstdc++-v3/include/bits/char_traits.h b/libstdc++-v3/include/bits/char_traits.h > index da3e0ffffaa..3f7befcf8b2 100644 > --- a/libstdc++-v3/include/bits/char_traits.h > +++ b/libstdc++-v3/include/bits/char_traits.h > @@ -54,6 +54,11 @@ namespace __gnu_cxx _GLIBCXX_VISIBILITY(default) > { > _GLIBCXX_BEGIN_NAMESPACE_VERSION > > +#pragma GCC diagnostic push > +#pragma GCC diagnostic ignored "-Wstringop-overflow" > +#pragma GCC diagnostic ignored "-Wstringop-overread" > +#pragma GCC diagnostic ignored "-Warray-bounds" (Just for reference, as I mentioned in my private mail, at -O1 the same code also triggers -Wfree-nonheap-object.) > + > /** > * @brief Mapping from character type to associated types. > * > @@ -990,6 +995,8 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION > } // namespace __detail > #endif // C++20 > > +#pragma GCC diagnostic push This should be pop. Martin > + > _GLIBCXX_END_NAMESPACE_VERSION > } // namespace > >
On 12/9/21 5:38 PM, Martin Sebor wrote: > On 12/9/21 4:24 PM, Jonathan Wakely via Gcc-patches wrote: >> These warnings are triggered by perfectly valid code using std::string. >> They're particularly bad when --enable-fully-dynamic-string is used, >> because even std::string().begin() will give a warning. >> >> Use pragmas to stop the troublesome warnings for copies done by >> std::char_traits. > > I'm still experimenting with some of the approaches we discussed > last week, but based on my findings so far this was going to be > my suggestion at lest for now, until or unless the problem turns > out to affect more code than just std::string. Just minutes after I wrote this I tried following the clue in the note printed for the test case from PR 103534 with an enhancement I'm experimenting with: /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: warning: ‘void* __builtin_memcpy(void*, const void*, long unsigned int)’ specified size between 18446744073709551600 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=] 426 | return static_cast<char_type*>(__builtin_memcpy(__s1, __s2, __n)); | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~ /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: note: when ‘(<anonymous>.std::__cxx11::basic_string<char>::_M_string_length > 18446744073709551599)’ and adding an assert to string::size(): constexpr size_type size() const noexcept { if (_M_string_length >= -1LU >> 1) __builtin_unreachable (); return _M_string_length; } That gets rid of the false positive in this PR. I realize the others happen for other reasons but this approach at least suggests that there might be other ways to suppress them than the #pragma. Unlike it, the alternative approaches should also improve codegen. > > That said, I noticed a typo in the patch: > >> >> libstdc++-v3/ChangeLog: >> >> PR libstdc++/103332 >> PR libstdc++/102958 >> PR libstdc++/103483 >> * include/bits/char_traits.h: Suppress stringop and array-bounds >> warnings. >> --- >> libstdc++-v3/include/bits/char_traits.h | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/libstdc++-v3/include/bits/char_traits.h >> b/libstdc++-v3/include/bits/char_traits.h >> index da3e0ffffaa..3f7befcf8b2 100644 >> --- a/libstdc++-v3/include/bits/char_traits.h >> +++ b/libstdc++-v3/include/bits/char_traits.h >> @@ -54,6 +54,11 @@ namespace __gnu_cxx _GLIBCXX_VISIBILITY(default) >> { >> _GLIBCXX_BEGIN_NAMESPACE_VERSION >> +#pragma GCC diagnostic push >> +#pragma GCC diagnostic ignored "-Wstringop-overflow" >> +#pragma GCC diagnostic ignored "-Wstringop-overread" >> +#pragma GCC diagnostic ignored "-Warray-bounds" > > (Just for reference, as I mentioned in my private mail, at -O1 > the same code also triggers -Wfree-nonheap-object.) > >> + >> /** >> * @brief Mapping from character type to associated types. >> * >> @@ -990,6 +995,8 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION >> } // namespace __detail >> #endif // C++20 >> +#pragma GCC diagnostic push > > This should be pop. > > Martin > >> + >> _GLIBCXX_END_NAMESPACE_VERSION >> } // namespace >> >
On Fri, 10 Dec 2021 at 00:39, Martin Sebor via Libstdc++ <libstdc++@gcc.gnu.org> wrote: > > On 12/9/21 4:24 PM, Jonathan Wakely via Gcc-patches wrote: > > These warnings are triggered by perfectly valid code using std::string. > > They're particularly bad when --enable-fully-dynamic-string is used, > > because even std::string().begin() will give a warning. > > > > Use pragmas to stop the troublesome warnings for copies done by > > std::char_traits. > > I'm still experimenting with some of the approaches we discussed > last week, but based on my findings so far this was going to be > my suggestion at lest for now, until or unless the problem turns > out to affect more code than just std::string. > > That said, I noticed a typo in the patch: > > > > > libstdc++-v3/ChangeLog: > > > > PR libstdc++/103332 > > PR libstdc++/102958 > > PR libstdc++/103483 > > * include/bits/char_traits.h: Suppress stringop and array-bounds > > warnings. > > --- > > libstdc++-v3/include/bits/char_traits.h | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/libstdc++-v3/include/bits/char_traits.h b/libstdc++-v3/include/bits/char_traits.h > > index da3e0ffffaa..3f7befcf8b2 100644 > > --- a/libstdc++-v3/include/bits/char_traits.h > > +++ b/libstdc++-v3/include/bits/char_traits.h > > @@ -54,6 +54,11 @@ namespace __gnu_cxx _GLIBCXX_VISIBILITY(default) > > { > > _GLIBCXX_BEGIN_NAMESPACE_VERSION > > > > +#pragma GCC diagnostic push > > +#pragma GCC diagnostic ignored "-Wstringop-overflow" > > +#pragma GCC diagnostic ignored "-Wstringop-overread" > > +#pragma GCC diagnostic ignored "-Warray-bounds" > > (Just for reference, as I mentioned in my private mail, at -O1 > the same code also triggers -Wfree-nonheap-object.) > > > + > > /** > > * @brief Mapping from character type to associated types. > > * > > @@ -990,6 +995,8 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION > > } // namespace __detail > > #endif // C++20 > > > > +#pragma GCC diagnostic push > > This should be pop. Oops! thanks, fixed at r12-5888 by the attached patch. Tested x86_64-linux, pushed to trunk. commit db184a3453b6fe810e2d9765ef8ed9028f96e968 Author: Jonathan Wakely <jwakely@redhat.com> Date: Fri Dec 10 09:06:37 2021 libstdc++: Fix diagnostic pragma push that should be pop libstdc++-v3/ChangeLog: * include/bits/char_traits.h: Change pragma push to pop. diff --git a/libstdc++-v3/include/bits/char_traits.h b/libstdc++-v3/include/bits/char_traits.h index 3f7befcf8b2..13239580622 100644 --- a/libstdc++-v3/include/bits/char_traits.h +++ b/libstdc++-v3/include/bits/char_traits.h @@ -995,7 +995,7 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION } // namespace __detail #endif // C++20 -#pragma GCC diagnostic push +#pragma GCC diagnostic pop _GLIBCXX_END_NAMESPACE_VERSION } // namespace
On Fri, 10 Dec 2021 at 01:50, Martin Sebor via Libstdc++ <libstdc++@gcc.gnu.org> wrote: > > On 12/9/21 5:38 PM, Martin Sebor wrote: > > On 12/9/21 4:24 PM, Jonathan Wakely via Gcc-patches wrote: > >> These warnings are triggered by perfectly valid code using std::string. > >> They're particularly bad when --enable-fully-dynamic-string is used, > >> because even std::string().begin() will give a warning. > >> > >> Use pragmas to stop the troublesome warnings for copies done by > >> std::char_traits. > > > > I'm still experimenting with some of the approaches we discussed > > last week, but based on my findings so far this was going to be > > my suggestion at lest for now, until or unless the problem turns > > out to affect more code than just std::string. > > Just minutes after I wrote this I tried following the clue > in the note printed for the test case from PR 103534 with > an enhancement I'm experimenting with: > > /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: > warning: ‘void* __builtin_memcpy(void*, const void*, long unsigned int)’ > specified size between 18446744073709551600 and 18446744073709551615 > exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=] > 426 | return static_cast<char_type*>(__builtin_memcpy(__s1, > __s2, __n)); > | > ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~ > /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: > note: when > ‘(<anonymous>.std::__cxx11::basic_string<char>::_M_string_length > > 18446744073709551599)’ > > and adding an assert to string::size(): > > constexpr > size_type > size() const noexcept > { > if (_M_string_length >= -1LU >> 1) I think that will be wrong for 64-bit Windows, where long is 32-bit, but the string's max size is closer to -1LLU >> 2, and we don't want to just use -1LLU because that's wrong for 32-bit targets. Technically the max size is (N - 1)/2 where N is the allocator's max size, which is PTRDIFF_MAX for std::allocator, SIZE_MAX for allocators that use the default value from std::allocator_traits, or some other value that the allocator defines. And the value is reduced appropriately if sizeof(char_type) > 1. But if we call this->max_size() which calls _Alloc_traits::max_size() which potentially calls allocator_type::max_size(), will the compiler actually make those calls to mark the path unreachable, or will it just ignore the unreachable if it can't fold all those calls at compile time? We could just use __SIZE_MAX__/2 which might be larger than the real maximum, but will never be smaller. Jason made a suggestion last week which was that if the warning code has a range like [2,INT_MAX] or [2UL,ULONG_MAX] that it should assume that is really [2,infinity] and so not warn. If the upper bound is the maximum possible value for the type, that's effectively unbounded, and the warning could assume it's simply not got enough information to give a useful warning. If it has a range like [2,300] for a buffer of length 100, that should warn. But [2,infinity] is effectively ranger saying "I have no idea what this value is" and the warning machinery should not be issuing warnings on the basis of "I have no idea what this value is". > __builtin_unreachable (); > return _M_string_length; > } > > That gets rid of the false positive in this PR. I realize > the others happen for other reasons but this approach at least > suggests that there might be other ways to suppress them than > the #pragma. Unlike it, the alternative approaches should also > improve codegen.
On 12/10/21 3:12 AM, Jonathan Wakely wrote: > On Fri, 10 Dec 2021 at 01:50, Martin Sebor via Libstdc++ > <libstdc++@gcc.gnu.org> wrote: >> >> On 12/9/21 5:38 PM, Martin Sebor wrote: >>> On 12/9/21 4:24 PM, Jonathan Wakely via Gcc-patches wrote: >>>> These warnings are triggered by perfectly valid code using std::string. >>>> They're particularly bad when --enable-fully-dynamic-string is used, >>>> because even std::string().begin() will give a warning. >>>> >>>> Use pragmas to stop the troublesome warnings for copies done by >>>> std::char_traits. >>> >>> I'm still experimenting with some of the approaches we discussed >>> last week, but based on my findings so far this was going to be >>> my suggestion at lest for now, until or unless the problem turns >>> out to affect more code than just std::string. >> >> Just minutes after I wrote this I tried following the clue >> in the note printed for the test case from PR 103534 with >> an enhancement I'm experimenting with: >> >> /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: >> warning: ‘void* __builtin_memcpy(void*, const void*, long unsigned int)’ >> specified size between 18446744073709551600 and 18446744073709551615 >> exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=] >> 426 | return static_cast<char_type*>(__builtin_memcpy(__s1, >> __s2, __n)); >> | >> ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~ >> /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: >> note: when >> ‘(<anonymous>.std::__cxx11::basic_string<char>::_M_string_length > >> 18446744073709551599)’ >> >> and adding an assert to string::size(): >> >> constexpr >> size_type >> size() const noexcept >> { >> if (_M_string_length >= -1LU >> 1) > > I think that will be wrong for 64-bit Windows, where long is 32-bit, > but the string's max size is closer to -1LLU >> 2, and we don't want > to just use -1LLU because that's wrong for 32-bit targets. > > Technically the max size is (N - 1)/2 where N is the allocator's max > size, which is PTRDIFF_MAX for std::allocator, SIZE_MAX for allocators > that use the default value from std::allocator_traits, or some other > value that the allocator defines. And the value is reduced > appropriately if sizeof(char_type) > 1. > > But if we call this->max_size() which calls _Alloc_traits::max_size() > which potentially calls allocator_type::max_size(), will the compiler > actually make those calls to mark the path unreachable, or will it > just ignore the unreachable if it can't fold all those calls at > compile time? The above was just a quick proof of concept experiment. You're of course right that the final solution can't be so crude(*). But if the required functions are always_inline (I think member functions defined in the body of the class implicitly are) then I'd expect them to be folded at compile time at all optimization levels. That's what makes -Winvalid-memory-order work in C++ even at -O0 in the patch I posted earlier this week. If I still remember my C++-library-fu, even though the standard requires containers to call max_size() etc., since std::string is (or can be) an explicit specialization, there shouldn't be a way for a conforming program to find out if it does, so it could take shortcuts. That makes me wonder if it could even call malloc instead of operator new to get around the problem with the operator's replaceability. > > We could just use __SIZE_MAX__/2 which might be larger than the real > maximum, but will never be smaller. > > Jason made a suggestion last week which was that if the warning code > has a range like [2,INT_MAX] or [2UL,ULONG_MAX] that it should assume > that is really [2,infinity] and so not warn. If the upper bound is the > maximum possible value for the type, that's effectively unbounded, and > the warning could assume it's simply not got enough information to > give a useful warning. If it has a range like [2,300] for a buffer of > length 100, that should warn. But [2,infinity] is effectively ranger > saying "I have no idea what this value is" and the warning machinery > should not be issuing warnings on the basis of "I have no idea what > this value is". The warnings use the lower bound of the access size and ignore the upper bound. They use the upper bound of the space remaining in the destination(s) and ignore the lower bound. In a call to memcpy (P + I, s, N) the access size is N, and the space remaining in A is the upper bound of the size of the largest array A that P points to (it might point to any number of them, and some might be dynamically allocated with a size in some range) minus the lower bound of I or zero, whichever is greater. This is the most conservative strategy. There are other strategies where we could get more true positives but also more false positives. Those might be appropriate for the "maybe" kind of warnings. Martin >> __builtin_unreachable (); >> return _M_string_length; >> } >> >> That gets rid of the false positive in this PR. I realize >> the others happen for other reasons but this approach at least >> suggests that there might be other ways to suppress them than >> the #pragma. Unlike it, the alternative approaches should also >> improve codegen.
On Fri, Dec 10, 2021 at 09:35:50AM -0700, Martin Sebor via Gcc-patches wrote: > The above was just a quick proof of concept experiment. You're > of course right that the final solution can't be so crude(*). > But if the required functions are always_inline (I think member > functions defined in the body of the class implicitly are They are not, and can't be, nothing says that such member functions can't use constructs that make it uninlinable (with always_inline that would be an error), or are way too large that inlining is not desirable, etc. They are just implicitly inline. Jakub
On 12/10/21 9:41 AM, Jakub Jelinek wrote: > On Fri, Dec 10, 2021 at 09:35:50AM -0700, Martin Sebor via Gcc-patches wrote: >> The above was just a quick proof of concept experiment. You're >> of course right that the final solution can't be so crude(*). >> But if the required functions are always_inline (I think member >> functions defined in the body of the class implicitly are > > They are not, and can't be, nothing says that such member functions > can't use constructs that make it uninlinable (with always_inline > that would be an error), or are way too large that inlining is not > desirable, etc. They are just implicitly inline. The functions we're talking about are the trivial max_size() members of std::string and allocator traits. They just return a constant. But I see I was wrong, even member functions have to be explicitly declared always_inline to be guaranteed to be inlined even at -O0. I don't think that should be an issue for the trivial max_size() (at least not for the std::string specialization). Martin
On Fri, Dec 10, 2021 at 10:11:04AM -0700, Martin Sebor via Gcc-patches wrote: > On 12/10/21 9:41 AM, Jakub Jelinek wrote: > > On Fri, Dec 10, 2021 at 09:35:50AM -0700, Martin Sebor via Gcc-patches wrote: > > > The above was just a quick proof of concept experiment. You're > > > of course right that the final solution can't be so crude(*). > > > But if the required functions are always_inline (I think member > > > functions defined in the body of the class implicitly are > > > > They are not, and can't be, nothing says that such member functions > > can't use constructs that make it uninlinable (with always_inline > > that would be an error), or are way too large that inlining is not > > desirable, etc. They are just implicitly inline. > > The functions we're talking about are the trivial max_size() > members of std::string and allocator traits. They just return > a constant. > > But I see I was wrong, even member functions have to be explicitly > declared always_inline to be guaranteed to be inlined even at -O0. > I don't think that should be an issue for the trivial max_size() > (at least not for the std::string specialization). Note, if those functions are declared constexpr, without -fno-inline (default at -O0), then cp_fold will try to evaluate such calls to constant expressions already, effectively "inlining" them. Jakub
On Fri, 10 Dec 2021 at 16:35, Martin Sebor <msebor@gmail.com> wrote: > > On 12/10/21 3:12 AM, Jonathan Wakely wrote: > > On Fri, 10 Dec 2021 at 01:50, Martin Sebor via Libstdc++ > > <libstdc++@gcc.gnu.org> wrote: > >> > >> On 12/9/21 5:38 PM, Martin Sebor wrote: > >>> On 12/9/21 4:24 PM, Jonathan Wakely via Gcc-patches wrote: > >>>> These warnings are triggered by perfectly valid code using std::string. > >>>> They're particularly bad when --enable-fully-dynamic-string is used, > >>>> because even std::string().begin() will give a warning. > >>>> > >>>> Use pragmas to stop the troublesome warnings for copies done by > >>>> std::char_traits. > >>> > >>> I'm still experimenting with some of the approaches we discussed > >>> last week, but based on my findings so far this was going to be > >>> my suggestion at lest for now, until or unless the problem turns > >>> out to affect more code than just std::string. > >> > >> Just minutes after I wrote this I tried following the clue > >> in the note printed for the test case from PR 103534 with > >> an enhancement I'm experimenting with: > >> > >> /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: > >> warning: ‘void* __builtin_memcpy(void*, const void*, long unsigned int)’ > >> specified size between 18446744073709551600 and 18446744073709551615 > >> exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=] > >> 426 | return static_cast<char_type*>(__builtin_memcpy(__s1, > >> __s2, __n)); > >> | > >> ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~ > >> /build/gcc-master/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:426:56: > >> note: when > >> ‘(<anonymous>.std::__cxx11::basic_string<char>::_M_string_length > > >> 18446744073709551599)’ > >> > >> and adding an assert to string::size(): > >> > >> constexpr > >> size_type > >> size() const noexcept > >> { > >> if (_M_string_length >= -1LU >> 1) > > > > I think that will be wrong for 64-bit Windows, where long is 32-bit, > > but the string's max size is closer to -1LLU >> 2, and we don't want > > to just use -1LLU because that's wrong for 32-bit targets. > > > > Technically the max size is (N - 1)/2 where N is the allocator's max > > size, which is PTRDIFF_MAX for std::allocator, SIZE_MAX for allocators > > that use the default value from std::allocator_traits, or some other > > value that the allocator defines. And the value is reduced > > appropriately if sizeof(char_type) > 1. > > > > But if we call this->max_size() which calls _Alloc_traits::max_size() > > which potentially calls allocator_type::max_size(), will the compiler > > actually make those calls to mark the path unreachable, or will it > > just ignore the unreachable if it can't fold all those calls at > > compile time? > > The above was just a quick proof of concept experiment. You're > of course right that the final solution can't be so crude(*). > But if the required functions are always_inline (I think member > functions defined in the body of the class implicitly are) then They're implicitly inline, but not implicitly always_inline. > I'd expect them to be folded at compile time at all optimization > levels. That's what makes -Winvalid-memory-order work in C++ > even at -O0 in the patch I posted earlier this week. > > If I still remember my C++-library-fu, even though the standard > requires containers to call max_size() etc., since std::string > is (or can be) an explicit specialization, there shouldn't be > a way for a conforming program to find out if it does, so it > could take shortcuts. That makes me wonder if it could even > call malloc instead of operator new to get around the problem > with the operator's replaceability. std::string is required to use std::allocator<char> and users can't specialize that to observe its allocations, but it does require: The storage for the array is obtained by calling ::operator new (17.6.3), but it is unspecified when or how often this function is called. Users can certainly observe whether std::string *never* calls their replaced operator new (and if they've replaced it specifically to ensure allocations use their own source, and not malloc, they wouldn't be happy).
On Fri, 10 Dec 2021 at 17:17, Jakub Jelinek wrote: > > On Fri, Dec 10, 2021 at 10:11:04AM -0700, Martin Sebor via Gcc-patches wrote: > > On 12/10/21 9:41 AM, Jakub Jelinek wrote: > > > On Fri, Dec 10, 2021 at 09:35:50AM -0700, Martin Sebor via Gcc-patches wrote: > > > > The above was just a quick proof of concept experiment. You're > > > > of course right that the final solution can't be so crude(*). > > > > But if the required functions are always_inline (I think member > > > > functions defined in the body of the class implicitly are > > > > > > They are not, and can't be, nothing says that such member functions > > > can't use constructs that make it uninlinable (with always_inline > > > that would be an error), or are way too large that inlining is not > > > desirable, etc. They are just implicitly inline. > > > > The functions we're talking about are the trivial max_size() > > members of std::string and allocator traits. They just return > > a constant. > > > > But I see I was wrong, even member functions have to be explicitly > > declared always_inline to be guaranteed to be inlined even at -O0. > > I don't think that should be an issue for the trivial max_size() > > (at least not for the std::string specialization). > > Note, if those functions are declared constexpr, without -fno-inline > (default at -O0), then cp_fold will try to evaluate such calls to constant > expressions already, effectively "inlining" them. Every member function of std::string is constexpr in C++20, but not before. But we could add constexpr to internal _M_xxx functions if that benefits optimization. For std::basic_string::max_size() it has to call another function provided by the allocator, but for the std::string (i.e. std::basic_string<char, char_traits<char>, allocator<char>>) specialization we know what the allocator is going to tell us. --- a/libstdc++-v3/include/bits/basic_string.h +++ b/libstdc++-v3/include/bits/basic_string.h @@ -1071,7 +1071,12 @@ _GLIBCXX_BEGIN_NAMESPACE_CXX11 _GLIBCXX20_CONSTEXPR size_type max_size() const _GLIBCXX_NOEXCEPT - { return (_Alloc_traits::max_size(_M_get_allocator()) - 1) / 2; } + { + if _GLIBCXX17_CONSTEXPR (__are_same<allocator_type, allocator<char>>) + return size_t(-1) / 2; + else + return (_Alloc_traits::max_size(_M_get_allocator()) - 1) / 2; + } /** * @brief Resizes the %string to the specified number of characters.
diff --git a/libstdc++-v3/include/bits/char_traits.h b/libstdc++-v3/include/bits/char_traits.h index da3e0ffffaa..3f7befcf8b2 100644 --- a/libstdc++-v3/include/bits/char_traits.h +++ b/libstdc++-v3/include/bits/char_traits.h @@ -54,6 +54,11 @@ namespace __gnu_cxx _GLIBCXX_VISIBILITY(default) { _GLIBCXX_BEGIN_NAMESPACE_VERSION +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wstringop-overflow" +#pragma GCC diagnostic ignored "-Wstringop-overread" +#pragma GCC diagnostic ignored "-Warray-bounds" + /** * @brief Mapping from character type to associated types. * @@ -990,6 +995,8 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION } // namespace __detail #endif // C++20 +#pragma GCC diagnostic push + _GLIBCXX_END_NAMESPACE_VERSION } // namespace