public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/114494] New: false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
@ 2024-03-27 6:20 akihiko.odaki at daynix dot com
2024-03-27 6:24 ` [Bug sanitizer/114494] " pinskia at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: akihiko.odaki at daynix dot com @ 2024-03-27 6:20 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
Bug ID: 114494
Summary: false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
Product: gcc
Version: 13.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: akihiko.odaki at daynix dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---
Building
https://gitlab.com/qemu-project/qemu/-/commits/v9.0.0-rc1?ref_type=tags causes
the following warning:
```
cc -m64 -mcx16 -Ilibcommon.fa.p -Isubprojects/dtc/libfdt
-I../subprojects/dtc/libfdt -I/usr/include/glib-2.0
-I/usr/lib64/glib-2.0/include -I/usr/include/libmount -I/usr/include/blkid
-I/usr/include/sysprof-6 -I/usr/include/gio-unix-2.0 -fdiagnostics-color=auto
-Wall -Winvalid-pch -Werror -std=gnu11 -O2 -g -fsanitize=address
-fstack-protector-strong -Wempty-body -Wendif-labels -Wexpansion-to-defined
-Wformat-security -Wformat-y2k -Wignored-qualifiers -Wimplicit-fallthrough=2
-Winit-self -Wmissing-format-attribute -Wmissing-prototypes -Wnested-externs
-Wold-style-declaration -Wold-style-definition -Wredundant-decls -Wshadow=local
-Wstrict-prototypes -Wtype-limits -Wundef -Wvla -Wwrite-strings
-Wno-missing-include-dirs -Wno-psabi -Wno-shift-negative-value -isystem
/home/me/qemu/linux-headers -isystem linux-headers -iquote . -iquote
/home/me/qemu -iquote /home/me/qemu/include -iquote
/home/me/qemu/host/include/x86_64 -iquote /home/me/qemu/host/include/generic
-iquote /home/me/qemu/tcg/i386 -pthread -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
-D_LARGEFILE_SOURCE -fno-strict-aliasing -fno-common -fwrapv
-ftrivial-auto-var-init=zero -fzero-call-used-regs=used-gpr -fPIE -MD -MQ
libcommon.fa.p/hw_net_rtl8139.c.o -MF libcommon.fa.p/hw_net_rtl8139.c.o.d -o
libcommon.fa.p/hw_net_rtl8139.c.o -c ../hw/net/rtl8139.c
../hw/net/rtl8139.c: In function 'rtl8139_io_writeb':
../hw/net/rtl8139.c:2273:17: error: writing 8 bytes into a region of size 0
[-Werror=stringop-overflow=]
2273 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
```
Below is a minimized reproduction case:
```
gcc -O2 -Wstringop-overflow=2 -fsanitize=address -c -x c - <<EOF
#include <string.h>
struct ip_header {
    char ip_ver_len;
};
void rtl8139_cplus_transmit_one(char *saved_buffer)
{
    struct ip_header *ip;
    int hlen;
    char *eth_payload_data = saved_buffer + 4;
    ip = (struct ip_header*)eth_payload_data;
    hlen = ip->ip_ver_len;
    if (hlen < sizeof(struct ip_header)) {
        return;
    }
    char saved_ip_header[1];
    memcpy(saved_ip_header, eth_payload_data, hlen);
    memcpy(eth_payload_data + hlen, saved_ip_header, 1);
}
EOF
```
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug sanitizer/114494] false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
From: pinskia at gcc dot gnu.org @ 2024-03-27 6:24 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Please note this part of the documentation:
Note that sanitizers tend to increase the rate of false positive warnings, most
notably those around -Wmaybe-uninitialized. We recommend against combining
-Werror and [the use of] sanitizers.
https://gcc.gnu.org/onlinedocs/gcc-13.2.0/gcc/Instrumentation-Options.html#index-fsanitize_003daddress
* [Bug sanitizer/114494] false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
From: pinskia at gcc dot gnu.org @ 2024-03-27 6:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Note the minimized testcase seems to be a real issue. hlen can either be 1 (the
only value that works) or more than 1.
* [Bug sanitizer/114494] false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
From: akihiko.odaki at daynix dot com @ 2024-03-27 6:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
--- Comment #3 from Akihiko Odaki <akihiko.odaki at daynix dot com> ---
(In reply to Andrew Pinski from comment #2)
> Note the minimized testcase seems to be a real issue. hlen can either be 1
> (the only value that works) or more than 1.
Below is the error message for the minimized testcase:
```
<stdin>: In function 'rtl8139_cplus_transmit_one':
<stdin>:23:5: warning: writing 1 byte into a region of size 0
[-Wstringop-overflow=]
<stdin>:4:11: note: at offset 1 into destination object 'ip_ver_len' of size 1
```
It does not seem to care if hlen == 1 or not.
* [Bug sanitizer/114494] false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
From: pinskia at gcc dot gnu.org @ 2024-03-27 7:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Dup of bug 99673.
```
_14 = &MEM[(struct ip_header *)saved_buffer_5(D) + 4B].ip_ver_len;
...
_3 = _14 + _2;
...
MEM[(char * {ref-all})_3] = _10;
```
Without -fsanitize=address, there is no `&MEM[(struct ip_header *)saved_buffer_5(D) + 4B].ip_ver_len` but rather just `eth_payload_data_6 = saved_buffer_5(D) + 4`.
See the duplicate bug for more analysis of the issue.
*** This bug has been marked as a duplicate of bug 99673 ***
* [Bug sanitizer/114494] false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
From: hp at gcc dot gnu.org @ 2024-04-01 18:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
Hans-Peter Nilsson <hp at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hp at gcc dot gnu.org
--- Comment #5 from Hans-Peter Nilsson <hp at gcc dot gnu.org> ---
(In reply to Akihiko Odaki from comment #0)
> if (hlen < sizeof(struct ip_header)) {
Is this a typo for "if (hlen > sizeof(struct ip_header)) {" which makes a bit
more sense to me?
(I can't find it in Linux/drivers, so can't check "upstream" status.)
* [Bug sanitizer/114494] false-positive with -O2 -Wstringop-overflow=2 -fsanitize=address
From: akihiko.odaki at daynix dot com @ 2024-04-03 5:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
--- Comment #6 from Akihiko Odaki <akihiko.odaki at daynix dot com> ---
(In reply to Hans-Peter Nilsson from comment #5)
> (In reply to Akihiko Odaki from comment #0)
> > if (hlen < sizeof(struct ip_header)) {
>
> Is this a typo for "if (hlen > sizeof(struct ip_header)) {" which makes a
> bit more sense to me?
>
> (I can't find it in Linux/drivers, so can't check "upstream" status.)
It is not Linux but QEMU. Please look at:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494#c0
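The two threads of discussion above, comment #2 (a header length that is only bounded below lets hlen > 1 overflow the 1-byte saved_ip_header) and comments #5/#6 (whether the `<` check should be `>`), are really about the same thing: a length taken from packet data is used as a memcpy size, so it needs an upper bound as well as a lower one. The following is an added example written for this page; it is not QEMU's rtl8139 code and not the testcase from the bug. The 4-byte offset mirrors the testcase's `saved_buffer + 4` and is an assumption, as are the names ETH_HLEN_EXAMPLE, checked_ip_header_len, save_ip_header and example_case. The derivation of the header length from the IHL nibble (32-bit words, valid range 5..15, so 20..60 bytes) is the standard IPv4 layout. The frames in example_case are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's or the bug's own code. ETH_HLEN_EXAMPLE mirrors
 * the "saved_buffer + 4" offset of the minimized testcase and is an
 * assumption; the IHL encoding used below is the standard IPv4 one. */
#define ETH_HLEN_EXAMPLE 4
#define IP_HDR_MAX 60                /* IHL = 15 words: the largest legal header */

/* Minimal IPv4 header: sizeof == 20, the lower bound the testcase checks. */
struct ip_header {
    uint8_t  ip_ver_len;             /* version:4 | IHL:4 */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};
_Static_assert(sizeof(struct ip_header) == 20, "unexpected padding");

/* Returns the IP header length in bytes (20..60), or -1 if the value
 * cannot be trusted as a memcpy size. */
int checked_ip_header_len(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < ETH_HLEN_EXAMPLE + sizeof(struct ip_header))
        return -1;                               /* not even a minimal header present */
    const uint8_t *payload = buf + ETH_HLEN_EXAMPLE;
    if ((payload[0] >> 4) != 4)
        return -1;                               /* not IPv4 */
    int hlen = (payload[0] & 0x0F) << 2;         /* IHL is in 32-bit words */
    if (hlen < (int)sizeof(struct ip_header))
        return -1;                               /* IHL < 5 is invalid */
    if ((size_t)hlen > buf_len - ETH_HLEN_EXAMPLE)
        return -1;                               /* header claims bytes the packet lacks */
    return hlen;                                 /* <= IP_HDR_MAX by construction */
}

/* Saves the header into a fixed buffer the way the testcase does, but only
 * with a validated size. Returns the number of bytes copied, or -1. */
int save_ip_header(const uint8_t *buf, size_t buf_len, uint8_t saved[IP_HDR_MAX])
{
    int hlen = checked_ip_header_len(buf, buf_len);
    if (hlen < 0)
        return -1;
    memcpy(saved, buf + ETH_HLEN_EXAMPLE, (size_t)hlen);   /* hlen <= IP_HDR_MAX always holds */
    return hlen;
}

/* Constructed frames (not captured traffic), one per case. */
int example_case(int which)
{
    uint8_t frame[ETH_HLEN_EXAMPLE + IP_HDR_MAX] = {0};
    uint8_t saved[IP_HDR_MAX];
    switch (which) {
    case 0: frame[ETH_HLEN_EXAMPLE] = 0x45;      /* IHL=5, 20 bytes present -> 20 */
            return save_ip_header(frame, ETH_HLEN_EXAMPLE + 20, saved);
    case 1: frame[ETH_HLEN_EXAMPLE] = 0x4F;      /* IHL=15, 60 bytes present -> 60 */
            return save_ip_header(frame, sizeof frame, saved);
    case 2: frame[ETH_HLEN_EXAMPLE] = 0x4F;      /* IHL=15 but only 40 present -> -1 */
            return save_ip_header(frame, ETH_HLEN_EXAMPLE + 40, saved);
    case 3: frame[ETH_HLEN_EXAMPLE] = 0x44;      /* IHL=4: below the minimum -> -1 */
            return save_ip_header(frame, sizeof frame, saved);
    case 4: frame[ETH_HLEN_EXAMPLE] = 0x60;      /* version 6: not IPv4 -> -1 */
            return save_ip_header(frame, sizeof frame, saved);
    default: return -2;
    }
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("case %d -> %d\n", i, example_case(i));
    return 0;
}
```

With both bounds in place the copy size can never exceed the 60-byte destination or the bytes actually in the frame, which is the property the 1-byte saved_ip_header in the minimized testcase lacks; whether a given compiler still warns about pointer arithmetic past a struct member (the separate issue tracked as bug 99673) is independent of that runtime guarantee.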