public inbox for gcc-bugs@sourceware.org
* [Bug c/48985] New: bogus buffer overflow warning and abort on static flexible array member
@ 2011-05-12 23:38 msebor at gmail dot com
2011-05-13 9:48 ` [Bug c/48985] " rguenth at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: msebor at gmail dot com @ 2011-05-12 23:38 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985
Summary: bogus buffer overflow warning and abort on static flexible array member
Product: gcc
Version: 4.6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
AssignedTo: unassigned@gcc.gnu.org
ReportedBy: msebor@gmail.com
GCC emits a bogus warning on the program below which then aborts at runtime.
Note that when the strncpy (s.c, "012", 4) call in line 24 is removed GCC
doesn't emit a warning but the program still aborts even though there is no
buffer overflow.
For statically allocated flexible array members I would expect
__builtin_object_size() to report the actual size of the array rather than
zero, analogously to the case when the array is allocated dynamically.
$ cat z.c && gcc -D_FORTIFY_SOURCE -O2 z.c && ./a.out
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Static object: the type ends at i, the initializer supplies 6 bytes for c. */
struct s {
  int i;
  char c[];
} s = { 1, "01234" };

/* Object size the compiler believes is available behind the static member... */
size_t f (void) { return __builtin_object_size(&s.c, 0); }
/* ...and behind the same member of a dynamically allocated object. */
size_t g (struct s *p) { return __builtin_object_size(p->c, 0); }

int main (void) {
  struct s *p;
  p = (struct s*)malloc (sizeof *p + 6);
  printf ("%zu %zu\n", f (), g (p));
  fflush (stdout);
  strncpy (p->c, "012", strlen(s.c));
  if (puts ("###"))
    strncpy (s.c, "012", 4); /* line 24 */
  strncpy (s.c, "012", strlen(s.c) + 1);
  return 0;
}
In file included from /usr/include/string.h:642:0,
from z.c:3:
In function ‘strncpy’,
inlined from ‘main’ at z.c:24:17:
/usr/include/bits/string3.h:121:3: warning: call to __builtin___strncpy_chk
will always overflow destination buffer [enabled by default]
0 6
###
*** buffer overflow detected ***: ./a.out terminated
...
Aborted (core dumped)
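As an added illustration (not the reporter's program and not code from the GCC tree), the C below separates the three quantities the report contrasts: the compiler's object-size answer for the static flexible array member, the type size that sizeof reports, and the run-time decision a fortified strncpy derives from that answer. The names fam_obj, static_fam_objsize, fortify_check_fires and bounded_copy are made up here, and the object-size assertion accepts either the fixed value 6 or the "unknown" sentinel, since compilers other than GCC may decline to answer.

```c
#include <stddef.h>
#include <string.h>

/* Constructed copy of the reporter's declaration: the type covers only
   the int, the six-byte initializer supplies the real storage behind c. */
struct fam {
    int i;
    char c[];
} fam_obj = { 1, "01234" };

/* The bound _FORTIFY_SOURCE hands to __strncpy_chk for &fam_obj.c.
   GCC 4.6.0 (PR48985) reported 0 here; the fixed compiler reports 6;
   a compiler that cannot tell reports (size_t)-1. */
size_t static_fam_objsize(void)
{
    return __builtin_object_size(&fam_obj.c, 0);
}

/* Type size versus storage actually initialised: sizeof never sees the
   flexible member, so it cannot serve as a bound for fam_obj.c. */
size_t fam_type_size(void)        { return sizeof(struct fam); }
size_t fam_initializer_size(void) { return sizeof "01234"; }

/* Model of the decision __strncpy_chk makes at run time: the check fires
   when the compiler-known object size is smaller than the requested copy
   length, and (size_t)-1 means "unknown, do not check". Returns 1 if the
   check would fire. With objsize 0 every non-empty copy fires, which is the
   bogus abort from the report; with 6 only a real overflow does. */
int fortify_check_fires(size_t objsize, size_t n)
{
    if (objsize == (size_t)-1)
        return 0;
    return n > objsize;
}

/* Bounded copy that carries its own limit instead of relying on the
   compiler's object-size tracking; returns 1 on success, 0 if src plus
   its terminator does not fit in dst_len bytes. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > dst_len)
        return 0;
    memcpy(dst, src, need);
    return 1;
}
```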
* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
From: rguenth at gcc dot gnu.org @ 2011-05-13 9:48 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985
Richard Guenther <rguenth at gcc dot gnu.org> changed:
What             |Removed                       |Added
----------------------------------------------------------------------------
Keywords         |                              |wrong-code
Status           |UNCONFIRMED                   |ASSIGNED
Last reconfirmed |                              |2011.05.13 09:27:38
AssignedTo       |unassigned at gcc dot gnu.org |rguenth at gcc dot gnu.org
Ever Confirmed   |0                             |1
Known to fail    |                              |4.3.0, 4.6.1, 4.7.0
--- Comment #1 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-13 09:27:38 UTC ---
The issue is that the type of the static declaration is never adjusted and
we take the total size from the type instead of from the decl.
Instead doing something like
Index: gcc/tree-object-size.c
===================================================================
--- gcc/tree-object-size.c (revision 173724)
+++ gcc/tree-object-size.c (working copy)
@@ -205,6 +205,12 @@ addr_object_size (struct object_size_inf
pt_var_size = size_int (sz);
}
else if (pt_var
+ && DECL_P (pt_var)
+ && host_integerp (DECL_SIZE_UNIT (pt_var), 1)
+ && (unsigned HOST_WIDE_INT)
+ tree_low_cst (DECL_SIZE_UNIT (pt_var), 1) < offset_limit)
+ pt_var_size = DECL_SIZE_UNIT (pt_var);
+ else if (pt_var
&& (SSA_VAR_P (pt_var) || TREE_CODE (pt_var) == STRING_CST)
&& TYPE_SIZE_UNIT (TREE_TYPE (pt_var))
&& host_integerp (TYPE_SIZE_UNIT (TREE_TYPE (pt_var)), 1)
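Review bot: the new `else if (pt_var && DECL_P (pt_var) && host_integerp (DECL_SIZE_UNIT (pt_var), 1) ...` branch carries no comment explaining why the decl's size is taken in preference to its type's size; add one stating that a static object whose flexible array member is initialised has a DECL_SIZE_UNIT larger than the TYPE_SIZE_UNIT of its type, which is why the TYPE_SIZE_UNIT path below produced 0 for &s.c and let _FORTIFY_SOURCE turn a valid strncpy into a runtime abort. Because the new branch precedes the `(SSA_VAR_P (pt_var) || TREE_CODE (pt_var) == STRING_CST)` branch and DECL_P covers every variable decl, that second branch now only fires for SSA names, string constants and decls without a constant DECL_SIZE_UNIT; that is fine but also worth a comment. The sketch has no testcase: a gcc.dg test checking that __builtin_object_size (&s.c, 0) is 6 for the declaration in the report would pin the fix.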
fixes it for me (returns 6).
I suppose returning zero for a field that has incomplete type is wrong-code.
We should return -1 instead.
* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
From: rguenth at gcc dot gnu.org @ 2011-05-19 10:58 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985
--- Comment #2 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-19 10:45:29 UTC ---
Author: rguenth
Date: Thu May 19 10:45:26 2011
New Revision: 173901
URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=173901
Log:
2011-05-19 Richard Guenther <rguenther@suse.de>
PR middle-end/48985
* tree-object-size.c (addr_object_size): If the pointed-to
variable is a decl use DECL_SIZE_UNIT instead of TYPE_SIZE_UNIT.
* gcc.dg/builtin-object-size-11.c: New testcase.
Added:
trunk/gcc/testsuite/gcc.dg/builtin-object-size-11.c
Modified:
trunk/gcc/ChangeLog
trunk/gcc/testsuite/ChangeLog
trunk/gcc/tree-object-size.c
* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
From: rguenth at gcc dot gnu.org @ 2011-05-31 12:49 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985
Richard Guenther <rguenth at gcc dot gnu.org> changed:
What             |Removed      |Added
----------------------------------------------------------------------------
Status           |ASSIGNED     |RESOLVED
Known to work    |             |4.6.1
Resolution       |             |FIXED
Target Milestone |---          |4.6.1
Known to fail    |4.6.1        |4.6.0
--- Comment #4 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-31 12:26:26 UTC ---
Fixed for 4.6.1.
* [Bug c/48985] bogus buffer overflow warning and abort on static flexible array member
From: rguenth at gcc dot gnu.org @ 2011-05-31 13:30 UTC (permalink / raw)
To: gcc-bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48985
--- Comment #3 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-05-31 12:25:59 UTC ---
Author: rguenth
Date: Tue May 31 12:25:52 2011
New Revision: 174476
URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=174476
Log:
2011-05-31 Richard Guenther <rguenther@suse.de>
Backport from mainline
2011-05-19 Richard Guenther <rguenther@suse.de>
PR middle-end/48985
* tree-object-size.c (addr_object_size): If the pointed-to
variable is a decl use DECL_SIZE_UNIT instead of TYPE_SIZE_UNIT.
* gcc.dg/builtin-object-size-11.c: New testcase.
Added:
branches/gcc-4_6-branch/gcc/testsuite/gcc.dg/builtin-object-size-11.c
Modified:
branches/gcc-4_6-branch/gcc/ChangeLog
branches/gcc-4_6-branch/gcc/testsuite/ChangeLog
branches/gcc-4_6-branch/gcc/tree-object-size.c