From: "vince.a.bridgers at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/98247] New: gcc analyzer does not detect Flexible Array Member misuse
Date: Fri, 11 Dec 2020 16:32:03 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247

            Bug ID: 98247
           Summary: gcc analyzer does not detect Flexible Array Member
                    misuse
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vince.a.bridgers at gmail dot com
  Target Milestone: ---

This is more of a query than a bug at this point (or possible "feature
enhancement request"). This initial request follows a similar (but different)
issue filed against clang, see https://bugs.llvm.org/show_bug.cgi?id=48136.

The modified reproducer is shown below. While I understand generally the
compiler cannot know how large a FAM is allocated to be, the question becomes:
is there some way gcc analysis can track a beyond-bounds memory access at
static analysis time and flag the below case as suspicious? Perhaps this can
be done by constraining the idiom, and indeed that is what some reliable and
secure programming standards do when this matters. Perhaps this is already
covered by gcc, and if so my apologies for missing it - feel free to close this
as invalid with explanation. If there's a way to address this already in gcc 11
(or beyond) I'm interested in understanding this.

Thanks

$ gcc --version
gcc (GCC) 11.0.0 20200516 (experimental)
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ gcc -fanalyzer fam.c
$ # no output, interpreted to mean no errors found.

#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* memset */

struct str {
    size_t len;
    char data[];   /* flexible array member */
};

int main(void)
{
    /* sizeof(str) is the size of the pointer variable, not of struct str */
    struct str *str = malloc(sizeof(str) + 10);
    if (str) {
        str->len = 10;
        memset(str->data, 'x', 10);
        free(str);
    }
    return 0;
}
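The following is an added example, written by the editor rather than by the reporter or the GCC project, showing the constrained flexible-array-member idiom that the report alludes to: the allocation size is derived from `offsetof(struct str, data)` rather than from `sizeof` of a pointer variable, the requested payload size is checked for overflow before the addition, and every write into `data` is checked against the recorded `len`. The helper names `str_alloc`, `str_fill`, `header_size`, `pointer_sizeof` and `demo_ok` are the editor's own. One caveat worth knowing when reading the reproducer: on LP64 targets `sizeof(struct str *)` and `sizeof(struct str)` are both 8 bytes, so the `sizeof(str)` slip happens to produce a large enough block there, which is exactly why a purely dynamic check would not catch it and a pattern-level (idiom) check is the more reliable signal.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct str {
    size_t len;     /* capacity of data[] in bytes, recorded at allocation */
    char data[];    /* flexible array member */
};

/* Size of the fixed part of the struct, independent of any pointer variable. */
size_t header_size(void)
{
    return offsetof(struct str, data);
}

/* The quantity the reproducer's sizeof(str) actually evaluates to. */
size_t pointer_sizeof(void)
{
    return sizeof(struct str *);
}

/* Allocate a struct str with room for n payload bytes.
 * Rejects n that would overflow the size computation; returns NULL on failure. */
struct str *str_alloc(size_t n)
{
    if (n > SIZE_MAX - header_size())
        return NULL;
    struct str *s = malloc(header_size() + n);
    if (s == NULL)
        return NULL;
    s->len = n;
    return s;
}

/* Bounds-checked fill of the payload: 0 on success, -1 if count exceeds len. */
int str_fill(struct str *s, char c, size_t count)
{
    if (s == NULL || count > s->len)
        return -1;
    memset(s->data, c, count);
    return 0;
}

/* Exercise the helpers on constructed inputs; returns 1 if every check holds. */
int demo_ok(void)
{
    if (str_alloc(SIZE_MAX) != NULL)          /* overflow must be refused */
        return 0;
    struct str *s = str_alloc(10);
    if (s == NULL || s->len != 10)
        return 0;
    int ok = str_fill(s, 'x', 10) == 0        /* exactly the capacity: fine */
          && str_fill(s, 'y', 11) == -1       /* one past: refused */
          && str_fill(NULL, 'z', 0) == -1;    /* NULL object: refused */
    free(s);
    return ok;
}

int main(void)
{
    printf("sizeof(struct str *) = %zu, offsetof(struct str, data) = %zu\n",
           pointer_sizeof(), header_size());
    printf("checks %s\n", demo_ok() ? "passed" : "FAILED");
    return demo_ok() ? 0 : 1;
}
```

`header_size()` is `sizeof(size_t)` on every ABI, because `data` has character alignment and directly follows `len`; using it instead of `sizeof(struct str)` also avoids the trailing padding some compilers add to a struct that ends in a flexible array member.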