[Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member
@ 2011-05-12 23:38 msebor at gmail dot com
  2011-05-13  9:48 ` [Bug c/48985] " rguenth at gcc dot gnu.org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: msebor at gmail dot com @ 2011-05-12 23:38 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985

           Summary: bogus buffer overflow warning and abort on static
                    flexible array member
           Product: gcc
           Version: 4.6.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: msebor@gmail.com


GCC emits a bogus warning on the program below which then aborts at runtime.
Note that when the strncpy (s.c, "012", 4) call in line 24 is removed GCC
doesn't emit a warning but the program still aborts even though there is no
buffer overflow.

For statically allocated flexible array members I would expect
__builtin_object_size() to report the actual size of the array rather than
zero, analogously to the case when the array is allocated dynamically.

$ cat z.c && gcc -D_FORTIFY_SOURCE -O2 z.c && ./a.out
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct s {
    int i;
    char c[];
} s = { 1, "01234" };

size_t f (void) { return __builtin_object_size(&s.c, 0); }

size_t g (struct s *p) { return __builtin_object_size(p->c, 0); }

int main (void) {
    struct s *p;
    p = (struct s*)malloc (sizeof *p + 6);

    printf ("%zu %zu\n", f (), g (p));
    fflush (stdout);

    strncpy (p->c, "012", strlen(s.c));

    if (puts ("###"))
        strncpy (s.c, "012", 4);   /* line 24 */
    strncpy (s.c, "012", strlen(s.c) + 1);

    return 0;
}
In file included from /usr/include/string.h:642:0,
                 from z.c:3:
In function ‘strncpy’,
    inlined from ‘main’ at z.c:24:17:
/usr/include/bits/string3.h:121:3: warning: call to __builtin___strncpy_chk
will always overflow destination buffer [enabled by default]
0 6
###
*** buffer overflow detected ***: ./a.out terminated
...
Aborted (core dumped)


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
  2011-05-12 23:38 [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member msebor at gmail dot com
@ 2011-05-13  9:48 ` rguenth at gcc dot gnu.org
  2011-05-19 10:58 ` rguenth at gcc dot gnu.org
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: rguenth at gcc dot gnu.org @ 2011-05-13  9:48 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2011.05.13 09:27:38
         AssignedTo|unassigned at gcc dot       |rguenth at gcc dot gnu.org
                   |gnu.org                     |
     Ever Confirmed|0                           |1
      Known to fail|                            |4.3.0, 4.6.1, 4.7.0

--- Comment #1 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-13 09:27:38 UTC ---
The issue is that the type of the static declaration is never adjusted and
we take the total size from the type instead of from the decl.

Instead doing sth like

Index: gcc/tree-object-size.c
===================================================================
--- gcc/tree-object-size.c      (revision 173724)
+++ gcc/tree-object-size.c      (working copy)
@@ -205,6 +205,12 @@ addr_object_size (struct object_size_inf
        pt_var_size = size_int (sz);
     }
   else if (pt_var
+          && DECL_P (pt_var)
+          && host_integerp (DECL_SIZE_UNIT (pt_var), 1)
+          && (unsigned HOST_WIDE_INT)
+               tree_low_cst (DECL_SIZE_UNIT (pt_var), 1) < offset_limit)
+    pt_var_size = DECL_SIZE_UNIT (pt_var);
+  else if (pt_var
           && (SSA_VAR_P (pt_var) || TREE_CODE (pt_var) == STRING_CST)
           && TYPE_SIZE_UNIT (TREE_TYPE (pt_var))
           && host_integerp (TYPE_SIZE_UNIT (TREE_TYPE (pt_var)), 1)

fixes it for me (returns 6).

I suppose returning zero for a field that has incomplete type is wrong-code.
We should return -1 instead.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
  2011-05-12 23:38 [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member msebor at gmail dot com
  2011-05-13  9:48 ` [Bug c/48985] " rguenth at gcc dot gnu.org
@ 2011-05-19 10:58 ` rguenth at gcc dot gnu.org
  2011-05-31 12:49 ` rguenth at gcc dot gnu.org
  2011-05-31 13:30 ` rguenth at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: rguenth at gcc dot gnu.org @ 2011-05-19 10:58 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985

--- Comment #2 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-19 10:45:29 UTC ---
Author: rguenth
Date: Thu May 19 10:45:26 2011
New Revision: 173901

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=173901
Log:
2011-05-19  Richard Guenther  <rguenther@suse.de>

    PR middle-end/48985
    * tree-object-size.c (addr_object_size): If the pointed-to
    variable is a decl use DECL_SIZE_UNIT instead of TYPE_SIZE_UNIT.

    * gcc.dg/builtin-object-size-11.c: New testcase.

Added:
    trunk/gcc/testsuite/gcc.dg/builtin-object-size-11.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/tree-object-size.c


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
  2011-05-12 23:38 [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member msebor at gmail dot com
  2011-05-13  9:48 ` [Bug c/48985] " rguenth at gcc dot gnu.org
  2011-05-19 10:58 ` rguenth at gcc dot gnu.org
@ 2011-05-31 12:49 ` rguenth at gcc dot gnu.org
  2011-05-31 13:30 ` rguenth at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: rguenth at gcc dot gnu.org @ 2011-05-31 12:49 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
      Known to work|                            |4.6.1
         Resolution|                            |FIXED
   Target Milestone|---                         |4.6.1
      Known to fail|4.6.1                       |4.6.0

--- Comment #4 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-31 12:26:26 UTC ---
Fixed for 4.6.1.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
  2011-05-12 23:38 [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member msebor at gmail dot com
                   ` (2 preceding siblings ...)
  2011-05-31 12:49 ` rguenth at gcc dot gnu.org
@ 2011-05-31 13:30 ` rguenth at gcc dot gnu.org
  3 siblings, 0 replies; 5+ messages in thread
From: rguenth at gcc dot gnu.org @ 2011-05-31 13:30 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985

--- Comment #3 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-31 12:25:59 UTC ---
Author: rguenth
Date: Tue May 31 12:25:52 2011
New Revision: 174476

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=174476
Log:
2011-05-31  Richard Guenther  <rguenther@suse.de>

    Backport from mainline
    2011-05-19  Richard Guenther  <rguenther@suse.de>

    PR middle-end/48985
    * tree-object-size.c (addr_object_size): If the pointed-to
    variable is a decl use DECL_SIZE_UNIT instead of TYPE_SIZE_UNIT.

    * gcc.dg/builtin-object-size-11.c: New testcase.

Added:
    branches/gcc-4_6-branch/gcc/testsuite/gcc.dg/builtin-object-size-11.c
Modified:
    branches/gcc-4_6-branch/gcc/ChangeLog
    branches/gcc-4_6-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_6-branch/gcc/tree-object-size.c


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-05-31 12:55 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-05-12 23:38 [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member msebor at gmail dot com
2011-05-13  9:48 ` [Bug c/48985] " rguenth at gcc dot gnu.org
2011-05-19 10:58 ` rguenth at gcc dot gnu.org
2011-05-31 12:49 ` rguenth at gcc dot gnu.org
2011-05-31 13:30 ` rguenth at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).