* [PATCH] enhance buffer overflow warnings (and c/53562)
@ 2016-10-28 2:19 Martin Sebor
2016-10-30 22:45 ` Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-10-28 2:19 UTC (permalink / raw)
To: Gcc Patch List
[-- Attachment #1: Type: text/plain, Size: 1698 bytes --]
The attached patch enhances the compile-time detection of buffer
overflow in functions like __builtin___memcpy_chk to consider
non-constant lengths known to be in a certain range and warn
when the lower bound of the range doesn't fit in the destination
object.
The patch does the same thing for the non-checking functions like
__builtin_memcpy and issues buffer overflow warnings for those.
For string functions like __builtin_strcpy, the patch also makes
use of ranges of lengths of non-constant strings.
To make reasoning about the warnings easier (and to help with
debugging the problems), the patch also extends the warnings to
print the ranges of lengths and sizes of the operands. The text
and content of the warning messages is based on those issued by
the -Wformat-length warning pass.
Finally, as requested in bug 53562, the patch adds a new warning
option, -Wstringop-overflow, to control these warnings (the option
is on by default). I chose a different name for the option than
suggested in the bug to avoid giving the impression that it
actually inserts the checking calls (all it does is warn on
buffer overflows detectable at compile-time).
I was originally going to submit a more modest version of this
patch as part of a bigger project I'm working on (bug 77608) but
then decided to submit this one first because it's independent of
the other.
Possible enhancements include letting the option accept a level
argument and at level 2 using the upper bound of the size or
string length ranges similarly to the -Wformat-length option.
With that, the following could be diagnosed as a potential
buffer overflow:
char d[5];
strcpy (d, x ? "123" : "123456");
Thanks
Martin
[-- Attachment #2: gcc-53562.diff --]
[-- Type: text/x-patch, Size: 40900 bytes --]
PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
gcc/ChangeLog:
2016-10-27 Martin Sebor <msebor@redhat.com>
PR c/53562
* builtins.c (check_sizes): New function.
(expand_builtin_memcpy): Call it.
(expand_builtin_mempcpy): Same.
(expand_builtin_strcpy): Same.
(expand_builtin_memset): Same.
(expand_builtin_bzero): Same.
(expand_builtin_memory_chk): Same.
(maybe_emit_sprintf_chk_warning): Same.
* doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
gcc/c-family/ChangeLog:
2016-10-27 Martin Sebor <msebor@redhat.com>
PR c/53562
* c.opt (-Wstringop-overflow): New option.
gcc/testsuite/ChangeLog:
2016-10-27 Martin Sebor <msebor@redhat.com>
PR c/53562
* gcc.dg/builtin-stringop-chk-4.c: New test.
* c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust.
* g++.dg/ext/builtin-object-size3.C: Same.
* g++.dg/ext/strncpy-chk1.C: Same.
* g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
* gcc.c-torture/execute/builtins/lib/chk.c: Same.
* gcc.c-torture/execute/builtins/mempcpy-chk.c: Same.
* gcc.dg/Wobjsize-1.c: Same.
* gcc.dg/attr-alloc_size.c (test): Same.
* gcc.dg/builtin-object-size-1.c: Same.
* gcc.dg/builtin-object-size-5.c: Same.
* gcc.dg/builtin-stringop-chk-1.c: Same.
* gcc.dg/builtin-stringop-chk-2.c: Same.
* gcc.dg/builtin-strncat-chk-1.c: Same.
* gcc.dg/memcpy-2.c: Same.
* gcc.dg/pr40340-1.c: Same.
* gcc.dg/pr40340-2.c: Same.
* gcc.dg/pr40340-5.c: Same.
* gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index facecd3..d1aef0a 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -67,7 +67,7 @@ along with GCC; see the file COPYING3. If not see
#include "internal-fn.h"
#include "case-cfn-macros.h"
#include "gimple-fold.h"
-
+#include "intl.h"
struct target_builtins default_target_builtins;
#if SWITCHABLE_TARGET
@@ -2967,6 +2967,133 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
return dest_addr;
}
+/* Try to verify that the sizes and lengths of the arguments to a string
+ manipulation function given by EXP are within valid bounds and that
+ the operation does not lead to buffer overflow. Arguments other than
+ EXP may be null. When non-null, the arguments have the following
+ meaning:
+ SIZE is the user-supplied size argument to the function (such as in
+ memcpy(d, s, SIZE).
+ N is the user-supplied length of the source sequence (such as in
+ strncpy(d, s, N).
+ LEN is the length of the source sequence (such as in strcpy(d, s),
+ LEN = strlen(s)).
+ OBJSIZE is the size of the destination object specified by the last
+ argument to the _chk builtins, typically resulting from the expansion
+ of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
+ OBJSIZE).
+
+ When SIZE is null LEN is checked to verify that it doesn't exceed
+ SIZE_MAX.
+
+ If the call is successfully verfified as safe from buffer overflow
+ the function returns EXP. Otherwise, if the call is determined to
+ overflow the function returns error_mark_node. Otherwise, if
+ the call cannot be verified, the function returns NULL. */
+
+static tree
+check_sizes (tree exp, tree size, tree n, tree len, tree objsize)
+{
+ tree minlen = NULL_TREE;
+ tree maxlen = NULL_TREE;
+
+ if (!size)
+ size = objsize;
+
+ if (!len)
+ len = size_zero_node;
+
+ if (tree_fits_uhwi_p (len))
+ minlen = maxlen = len;
+ else if (TREE_CODE (len) == SSA_NAME)
+ {
+ wide_int min, max;
+ enum value_range_type range_type = get_range_info (len, &min, &max);
+
+ if (range_type == VR_RANGE)
+ {
+ /* Interpret the bounds in the variable's type. */
+ minlen = wide_int_to_tree (TREE_TYPE (len), min);
+ maxlen = wide_int_to_tree (TREE_TYPE (len), max);
+ }
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ min = min - 1;
+ max = max + 1;
+ minlen = wide_int_to_tree (TREE_TYPE (len), min);
+ maxlen = wide_int_to_tree (TREE_TYPE (len), max);
+ }
+ }
+
+ /* The SIZE is known if it's non-null, constant, and in range
+ of unsigned HOST_WIDE_INT. */
+ bool knownsize = size && tree_fits_uhwi_p (size);
+ if (minlen || !knownsize || integer_all_onesp (size))
+ {
+ if ((!knownsize &&
+ minlen && tree_int_cst_lt (TYPE_MAX_VALUE (ssizetype), minlen))
+ || (knownsize
+ && (tree_int_cst_lt (size, minlen))))
+ {
+ unsigned HOST_WIDE_INT uwilen = tree_to_uhwi (minlen);
+
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (!knownsize)
+ warning_at (loc, OPT_Wstringop_overflow,
+ (minlen == maxlen
+ ? G_("%K%D writing %wu bytes overflows "
+ "the destination")
+ : G_("%K%D writing between %wu and %wu bytes "
+ "overflows the destination")),
+ exp, get_callee_fndecl (exp), uwilen,
+ tree_to_uhwi (maxlen));
+ else if (minlen == maxlen)
+ warning_at (loc, OPT_Wstringop_overflow,
+ (uwilen == 1
+ ? G_("%K%D writing %wu byte into a region "
+ "of size %wu overflows the destination")
+ : G_("%K%D writing %wu bytes into a region "
+ "of size %wu overflows the destination")),
+ exp, get_callee_fndecl (exp), uwilen,
+ tree_to_uhwi (size));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ (ubvflow
+ ? G_("%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu may overflow "
+ "the destination")
+ : G_("%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu overflows "
+ "the destination")),
+ exp, get_callee_fndecl (exp), uwilen,
+ tree_to_uhwi (maxlen), tree_to_uhwi (size));
+
+ /* Return error when an overflow has been detected. */
+ return error_mark_node;
+ }
+
+ if (!knownsize)
+ return error_mark_node;
+ }
+
+ if (size == objsize && n)
+ size = n;
+
+ if (size && objsize && tree_fits_uhwi_p (size)
+ && tree_int_cst_lt (objsize, size))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ warning_at (loc, OPT_Wstringop_overflow,
+ "specified size %wu exceeds the size %wu "
+ "of the destination object",
+ tree_to_uhwi (size), tree_to_uhwi (objsize));
+ }
+
+ return NULL_TREE;
+}
+
/* Expand a call EXP to the memcpy builtin.
Return NULL_RTX if we failed, the caller should emit a normal call,
otherwise try to get the result in TARGET, if convenient (and in
@@ -2983,6 +3110,14 @@ expand_builtin_memcpy (tree exp, rtx target)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, objsize);
+
return expand_builtin_memcpy_args (dest, src, len, target, exp);
}
}
@@ -3037,10 +3172,22 @@ expand_builtin_mempcpy (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_mempcpy_args (dest, src, len,
- target, mode, /*endp=*/ 1,
- exp);
+
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Avoid expanding mempcpy into memcpy when the call is determined
+ to overflow the buffer. This also prevents the same overflow
+ from being diagnosed again when expanding memcpy. */
+ tree ret = check_sizes (exp, NULL_TREE, NULL_TREE, len, destsize);
+ if (ret != error_mark_node)
+ return expand_builtin_mempcpy_args (dest, src, len,
+ target, mode, /*endp=*/ 1,
+ exp);
}
+ return NULL_RTX;
}
/* Expand an instrumented call EXP to the mempcpy builtin.
@@ -3224,6 +3371,30 @@ expand_builtin_strcpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
return expand_builtin_strcpy_args (dest, src, target);
}
return NULL_RTX;
@@ -3442,6 +3613,15 @@ expand_builtin_memset (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree val = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, objsize);
+
return expand_builtin_memset_args (dest, val, len, target, mode, exp);
}
}
@@ -3633,6 +3813,14 @@ expand_builtin_bzero (tree exp)
dest = CALL_EXPR_ARG (exp, 0);
size = CALL_EXPR_ARG (exp, 1);
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, NULL_TREE, NULL_TREE, size, objsize);
+
/* New argument list transforming bzero(ptr x, int y) to
memset(ptr x, int 0, size_t y). This is done this way
so that if it isn't expanded inline, we fallback to
@@ -9212,22 +9408,15 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
len = CALL_EXPR_ARG (exp, 2);
size = CALL_EXPR_ARG (exp, 3);
- if (! tree_fits_uhwi_p (size))
- return NULL_RTX;
-
- if (tree_fits_uhwi_p (len) || integer_all_onesp (size))
+ if (tree ret = check_sizes (exp, NULL_TREE, NULL_TREE, len, size))
{
- tree fn;
-
- if (! integer_all_onesp (size) && tree_int_cst_lt (size, len))
- {
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return NULL_RTX;
- }
+ /* Avoid transforming the checking call to an ordinary one when
+ an overflow has been detected or when the call couldn't be
+ validated because the size is not constant. */
+ if (ret == error_mark_node)
+ return NULL_RTX;
- fn = NULL_TREE;
+ tree fn = NULL_TREE;
/* If __builtin_mem{cpy,pcpy,move,set}_chk is used, assume
mem{cpy,pcpy,move,set} is available. */
switch (fcode)
@@ -9313,68 +9502,96 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
static void
maybe_emit_chk_warning (tree exp, enum built_in_function fcode)
{
- int is_strlen = 0;
- tree len, size;
- location_t loc = tree_nonartificial_location (exp);
+ /* The length of the source sequence of the memory operation, and
+ the size of the destination object. */
+ tree srclen = NULL_TREE;
+ tree objsize = NULL_TREE;
+ /* The length of the sequence that the source sequence is being
+ concatenated with (as with __strcat_chk) or null if it isn't. */
+ tree catlen = NULL_TREE;
+ /* The maximum length of the source sequence in a bounded operation
+ (such as __strncat_chk) or null if the operation isn't bounded
+ (such as __strcat_chk). */
+ tree maxlen = NULL_TREE;
switch (fcode)
{
case BUILT_IN_STRCPY_CHK:
case BUILT_IN_STPCPY_CHK:
- /* For __strcat_chk the warning will be emitted only if overflowing
- by at least strlen (dest) + 1 bytes. */
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
+ break;
+
case BUILT_IN_STRCAT_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 2);
- is_strlen = 1;
+ /* For __strcat_chk the warning will be emitted only if overflowing
+ by at least strlen (dest) + 1 bytes. */
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
break;
+
case BUILT_IN_STRNCAT_CHK:
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
+ break;
+
case BUILT_IN_STRNCPY_CHK:
case BUILT_IN_STPNCPY_CHK:
- len = CALL_EXPR_ARG (exp, 2);
- size = CALL_EXPR_ARG (exp, 3);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
+
case BUILT_IN_SNPRINTF_CHK:
case BUILT_IN_VSNPRINTF_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 3);
+ maxlen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
default:
gcc_unreachable ();
}
- if (!len || !size)
- return;
-
- if (! tree_fits_uhwi_p (size) || integer_all_onesp (size))
- return;
+ /* When the type of SRCLEN is a pointer compute the length of string
+ the pointer points to. Otherwise it is an integer that gives the
+ upper bound on the length of the operation (as in __strncpy_chk). */
+ if (srclen && TREE_CODE (TREE_TYPE (srclen)) == POINTER_TYPE)
+ srclen = c_strlen (srclen, 1);
- if (is_strlen)
- {
- len = c_strlen (len, 1);
- if (! len || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- }
- else if (fcode == BUILT_IN_STRNCAT_CHK)
+ if (catlen)
{
- tree src = CALL_EXPR_ARG (exp, 1);
- if (! src || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- src = c_strlen (src, 1);
- if (! src || ! tree_fits_uhwi_p (src))
+ if ((!srclen || !tree_fits_uhwi_p (srclen))
+ && (!maxlen
+ || (tree_fits_uhwi_p (maxlen)
+ && tree_fits_uhwi_p (objsize)
+ && !tree_int_cst_lt (maxlen, objsize))))
{
+ location_t loc = tree_nonartificial_location (exp);
+
warning_at (loc, 0, "%Kcall to %D might overflow destination buffer",
exp, get_callee_fndecl (exp));
return;
}
- else if (tree_int_cst_lt (src, size))
+
+ if (!srclen)
return;
+
+ catlen = c_strlen (catlen, 1);
+ if (catlen)
+ srclen = fold_build2 (PLUS_EXPR, TREE_TYPE (srclen), srclen, catlen);
+ }
+
+ if (srclen)
+ {
+ srclen = fold_build2 (PLUS_EXPR, TREE_TYPE (srclen), srclen,
+ size_one_node);
+ if (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
}
- else if (! tree_fits_uhwi_p (len) || ! tree_int_cst_lt (size, len))
- return;
- warning_at (loc, 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ check_sizes (exp, NULL_TREE, maxlen, srclen, objsize);
}
/* Emit warning if a buffer overflow is detected at compile time
@@ -9428,10 +9645,9 @@ maybe_emit_sprintf_chk_warning (tree exp, enum built_in_function fcode)
else
return;
- if (! tree_int_cst_lt (len, size))
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ /* Add one for the terminating nul. */
+ len = fold_build2 (PLUS_EXPR, TREE_TYPE (len), len, size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, size);
}
/* Emit warning if a free is called with address of a variable. */
diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
index e146781..6635464 100644
--- a/gcc/c-family/c.opt
+++ b/gcc/c-family/c.opt
@@ -647,6 +647,10 @@ Wsizeof-array-argument
C ObjC C++ ObjC++ Var(warn_sizeof_array_argument) Warning Init(1)
Warn when sizeof is applied on a parameter declared as an array.
+Wstringop-overflow
+C ObjC C++ ObjC++ Var(warn_stringop_overflow) Init(1) Warning
+Warn about buffer overflow in string manipulation functions.
+
Wsuggest-attribute=format
C ObjC C++ ObjC++ Var(warn_suggest_attribute_format) Warning
Warn about functions which might be candidates for format attributes.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index d9667e7..81cbe63 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -299,6 +299,7 @@ Objective-C and Objective-C++ Dialects}.
-Wsizeof-pointer-memaccess -Wsizeof-array-argument @gol
-Wstack-protector -Wstack-usage=@var{len} -Wstrict-aliasing @gol
-Wstrict-aliasing=n -Wstrict-overflow -Wstrict-overflow=@var{n} @gol
+-Wstringop-overflow @gol
-Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]} @gol
-Wsuggest-final-types @gol -Wsuggest-final-methods -Wsuggest-override @gol
-Wmissing-format-attribute -Wsubobject-linkage @gol
@@ -4831,6 +4832,27 @@ comparisons, so this warning level gives a very large number of
false positives.
@end table
+@item -Wstringop-overflow
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+Warn for calls to string manipulation functions such as memcpy and strcpy
+hat are determined to overflow the destination buffer. The option works
+best with optimization enabled but it can detect a small subset of buffer
+overflows even without optimization. In any case, the option warns about
+just a subset of buffer overflows detected by the corresponding overflow
+checking built-ins. @xref{Object Size Checking}. For example,
+@option{-Wstringop-overflow} will warn on the following:
+
+@smallexample
+char buf[6];
+void f (int i)
+@{
+ strcpy (buf, i < 0 ? "yellow" : "orange");
+@};
+@end smallexample
+
+The @option{-Wstringop-overflow} option is enabled by default.
+
@item -Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]}
@opindex Wsuggest-attribute=
@opindex Wno-suggest-attribute=
diff --git a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
index d9ec7e2..9a02373 100644
--- a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
+++ b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
@@ -481,4 +481,4 @@ f4 (char *x, char **y, int z, char w[64])
stpncpy (x, s3, sizeof (s3));
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
index 09263e5..0207f9a 100644
--- a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
+++ b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
@@ -20,7 +20,7 @@ bar ()
{
int *p = new int;
int *q = new int[4];
- MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
- MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
+ MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "writing" }
+ MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "writing" }
baz (p, q);
}
diff --git a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
index ebafc99..85b3977 100644
--- a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
+++ b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
@@ -9,7 +9,7 @@ struct B { char z[50]; };
inline void
foo (char *dest, const char *__restrict src, __SIZE_TYPE__ n)
{
- __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "will always overflow" }
+ __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "overflows" }
}
void bar (const char *, int);
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
index 8b5c33e..2e6189b 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
@@ -713,4 +713,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-// { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" }
+// { dg-prune-output "\[\n\r\]*overflows\[\n\r\]*" }
diff --git a/gcc/testsuite/gcc.c-torture/execute/builtins/lib/chk.c b/gcc/testsuite/gcc.c-torture/execute/builtins/lib/chk.c
index b19d7bf..d2ea835 100644
--- a/gcc/testsuite/gcc.c-torture/execute/builtins/lib/chk.c
+++ b/gcc/testsuite/gcc.c-torture/execute/builtins/lib/chk.c
@@ -5,6 +5,11 @@
extern void abort (void);
+#define abort() \
+ (__builtin_printf ("failure at %s:%i: %s\n", \
+ __FILE__, __LINE__, __FUNCTION__), \
+ __builtin_abort ())
+
extern int inside_main;
void *chk_fail_buf[256] __attribute__((aligned (16)));
volatile int chk_fail_allowed, chk_calls;
diff --git a/gcc/testsuite/gcc.c-torture/execute/builtins/mempcpy-chk.c b/gcc/testsuite/gcc.c-torture/execute/builtins/mempcpy-chk.c
index 7a1737c..f8cb0f4 100644
--- a/gcc/testsuite/gcc.c-torture/execute/builtins/mempcpy-chk.c
+++ b/gcc/testsuite/gcc.c-torture/execute/builtins/mempcpy-chk.c
@@ -17,6 +17,8 @@ volatile char *s2 = "defg"; /* prevent constant propagation to happen when whole
volatile char *s3 = "FGH"; /* prevent constant propagation to happen when whole program assumptions are made. */
volatile size_t l1 = 1; /* prevent constant propagation to happen when whole program assumptions are made. */
+#define abort() (__builtin_printf ("failure on line %i\n", __LINE__), __builtin_abort ())
+
void
__attribute__((noinline))
test1 (void)
@@ -326,6 +328,8 @@ test4 (void)
char buf3[20];
chk_fail_allowed = 1;
+ mempcpy_disallowed = 0;
+
/* Runtime checks. */
if (__builtin_setjmp (chk_fail_buf) == 0)
{
@@ -343,7 +347,9 @@ test4 (void)
vx = mempcpy (&buf3[19], "ab", 2);
abort ();
}
+
chk_fail_allowed = 0;
+ mempcpy_disallowed = 1;
}
#ifndef MAX_OFFSET
diff --git a/gcc/testsuite/gcc.dg/Wobjsize-1.c b/gcc/testsuite/gcc.dg/Wobjsize-1.c
index 291cfb9..211e068 100644
--- a/gcc/testsuite/gcc.dg/Wobjsize-1.c
+++ b/gcc/testsuite/gcc.dg/Wobjsize-1.c
@@ -10,6 +10,6 @@ int main(int argc, char **argv)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 6 } */
+/* { dg-warning "writing" "" { target *-*-* } 6 } */
/* { dg-message "file included" "included" { target *-*-* } 0 } */
/* { dg-message "inlined from" "inlined" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/attr-alloc_size.c b/gcc/testsuite/gcc.dg/attr-alloc_size.c
index e8129ce..f50ba7c 100644
--- a/gcc/testsuite/gcc.dg/attr-alloc_size.c
+++ b/gcc/testsuite/gcc.dg/attr-alloc_size.c
@@ -22,15 +22,15 @@ test (void)
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-object-size-1.c b/gcc/testsuite/gcc.dg/builtin-object-size-1.c
index 8cdae49..2919503 100644
--- a/gcc/testsuite/gcc.dg/builtin-object-size-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-object-size-1.c
@@ -12,6 +12,8 @@ extern void *memcpy (void *, const void *, size_t);
extern void *memset (void *, int, size_t);
extern char *strcpy (char *, const char *);
+#define abort() (__builtin_printf ("failure in %s on line %i\n", __func__, __LINE__), __builtin_abort ())
+
struct A
{
char a[10];
diff --git a/gcc/testsuite/gcc.dg/builtin-object-size-5.c b/gcc/testsuite/gcc.dg/builtin-object-size-5.c
index 7c274cd..35f1350 100644
--- a/gcc/testsuite/gcc.dg/builtin-object-size-5.c
+++ b/gcc/testsuite/gcc.dg/builtin-object-size-5.c
@@ -2,7 +2,10 @@
/* { dg-options "-O2" } */
typedef __SIZE_TYPE__ size_t;
-extern void abort (void);
+extern void abort1 (void);
+extern void abort2 (void);
+extern void abort3 (void);
+extern void abort4 (void);
extern char buf[0x40000000];
void
@@ -14,7 +17,7 @@ test1 (size_t x)
for (i = 0; i < x; ++i)
p = p + 4;
if (__builtin_object_size (p, 0) != sizeof (buf) - 8)
- abort ();
+ abort1 ();
}
void
@@ -26,7 +29,7 @@ test2 (size_t x)
for (i = 0; i < x; ++i)
p = p + 4;
if (__builtin_object_size (p, 1) != sizeof (buf) - 8)
- abort ();
+ abort2 ();
}
void
@@ -38,7 +41,7 @@ test3 (size_t x)
for (i = 0; i < x; ++i)
p = p + 4;
if (__builtin_object_size (p, 2) != 0)
- abort ();
+ abort3 ();
}
void
@@ -50,7 +53,7 @@ test4 (size_t x)
for (i = 0; i < x; ++i)
p = p + 4;
if (__builtin_object_size (p, 3) != 0)
- abort ();
+ abort4 ();
}
/* { dg-final { scan-assembler-not "abort" } } */
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
index e491ff5..49e7f95 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
@@ -8,7 +8,10 @@
extern void abort (void);
#include "../gcc.c-torture/execute/builtins/chk.h"
-#include <stdarg.h>
+
+#define va_list __builtin_va_list
+#define va_start __builtin_va_start
+#define va_end __builtin_va_end
volatile void *vx;
char buf1[20];
@@ -22,60 +25,61 @@ test (int arg, ...)
char *p = &buf1[10], *q;
memcpy (&buf2[19], "ab", 1);
- memcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy" } */
vx = mempcpy (&buf2[19], "ab", 1);
- vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "mempcpy" } */
+ vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 " "mempcpy" } */
memmove (&buf2[18], &buf1[10], 2);
- memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "will always overflow" "memmove" } */
+ memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "writing 3 " "memmove" } */
memset (&buf2[16], 'a', 4);
- memset (&buf2[15], 'b', 6); /* { dg-warning "will always overflow" "memset" } */
+ memset (&buf2[15], 'b', 6); /* { dg-warning "writing 6 " "memset" } */
strcpy (&buf2[18], "a");
- strcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcpy" } */
vx = stpcpy (&buf2[18], "a");
- vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "stpcpy" } */
+ vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "writing 3" "stpcpy" } */
strncpy (&buf2[18], "a", 2);
- strncpy (&buf2[18], "a", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "a", 3); /* { dg-warning "specified size 3 exceeds the size 2 of the destination" "strncpy" } */
strncpy (&buf2[18], "abc", 2);
- strncpy (&buf2[18], "abc", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "abc", 3); /* { dg-warning "writing 3 " "strncpy" } */
memset (buf2, '\0', sizeof (buf2));
strcat (&buf2[18], "a");
memset (buf2, '\0', sizeof (buf2));
- strcat (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcat" } */
+ strcat (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcat" } */
sprintf (&buf2[18], "%s", buf1);
sprintf (&buf2[18], "%s", "a");
- sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "writing 3 " "sprintf" } */
sprintf (&buf2[18], "a");
- sprintf (&buf2[18], "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "ab"); /* { dg-warning "writing 3 " "sprintf" } */
snprintf (&buf2[18], 2, "%d", x);
/* N argument to snprintf is the size of the buffer.
Although this particular call wouldn't overflow buf2,
incorrect buffer size was passed to it and therefore
we want a warning and runtime failure. */
- snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "will always overflow" "snprintf" } */
+ snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "specified size 3 exceeds the size 2 of the destination" "snprintf" } */
va_start (ap, arg);
vsprintf (&buf2[18], "a", ap);
va_end (ap);
+
va_start (ap, arg);
- vsprintf (&buf2[18], "ab", ap); /* { dg-warning "will always overflow" "vsprintf" } */
+ vsprintf (&buf2[18], "ab", ap); /* { dg-warning "writing 3" "vsprintf" } */
va_end (ap);
va_start (ap, arg);
vsnprintf (&buf2[18], 2, "%s", ap);
va_end (ap);
va_start (ap, arg);
/* See snprintf above. */
- vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "will always overflow" "vsnprintf" } */
+ vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "specified size 3 exceeds the size 2 of the destination object" "vsnprintf" } */
va_end (ap);
p = p + 10;
memset (p, 'd', 0);
- q = strcpy (p, ""); /* { dg-warning "will always overflow" "strcpy" } */
+ q = strcpy (p, ""); /* { dg-warning "writing 1 " "strcpy" } */
/* This invokes undefined behavior, since we are past the end of buf1. */
p = p + 10;
- memset (p, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (p, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
memset (q, 'd', 0);
- memset (q, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (q, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
q = q - 10;
memset (q, 'd', 10);
}
@@ -90,26 +94,26 @@ void
test2 (const H h)
{
char c;
- strncpy (&c, str, 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&c, str, 3); /* { dg-warning "specified size 3 exceeds the size 1 of the destination object" "strncpy" } */
struct { char b[4]; } x;
- sprintf (x.b, "%s", "ABCD"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (x.b, "%s", "ABCD"); /* { dg-warning "writing 5" "sprintf" } */
unsigned int i;
- memcpy (&i, &h, sizeof (h)); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&i, &h, sizeof (h)); /* { dg-warning "writing 16 " "memcpy" } */
unsigned char buf[21];
- memset (buf + 16, 0, 8); /* { dg-warning "will always overflow" "memset" } */
+ memset (buf + 16, 0, 8); /* { dg-warning "writing 8 " "memset" } */
typedef struct { int i, j, k, l; } S;
S *s[3];
- memset (s, 0, sizeof (S) * 3); /* { dg-warning "will always overflow" "memset" } */
+ memset (s, 0, sizeof (S) * 3); /* { dg-warning "writing 48 " "memset" } */
struct T { char a[8]; char b[4]; char c[10]; } t;
- stpcpy (t.c,"Testing..."); /* { dg-warning "will always overflow" "stpcpy" } */
+ stpcpy (t.c,"Testing..."); /* { dg-warning "writing" "stpcpy" } */
char b1[7];
char b2[4];
memset (b1, 0, sizeof (b1));
- memset (b2, 0, sizeof (b1)); /* { dg-warning "will always overflow" "memset" } */
+ memset (b2, 0, sizeof (b1)); /* { dg-warning "writing 7" "memset" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
index 7c2bb60..d537fb0 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
@@ -6,7 +6,7 @@
/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
#include "../gcc.c-torture/execute/builtins/chk.h"
-
+
void *bar (int);
extern void *malloc (__SIZE_TYPE__);
@@ -115,7 +115,7 @@ baz (const struct A *x, const unsigned char *z)
else
do
{
- memcpy (e, d, 513); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (e, d, 513); /* { dg-warning "writing" "memcpy" } */
e += 4;
}
while (--h);
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
new file mode 100644
index 0000000..4e12193
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
@@ -0,0 +1,145 @@
+/* Test exercising buffer overflow warnings emitted for __*_chk builtins
+ in cases where the destination involves a non-constant offset into
+ an object of known size. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+#define memcpy(d, s, n) (memcpy ((d), (s), (n)), sink ((d)))
+extern void* (memcpy)(void*, const void*, size_t);
+
+#define mempcpy(d, s, n) (mempcpy ((d), (s), (n)), sink ((d)))
+extern void* (mempcpy)(void*, const void*, size_t);
+
+#define memset(d, c, n) (memset ((d), (c), (n)), sink ((d)))
+extern void* (memset)(void*, int, size_t);
+
+#define strcpy(d, s) (strcpy ((d), (s)), sink ((d)))
+extern char* (strcpy)(char*, const char*);
+
+void sink (void*);
+
+/* Function to "generate" a unique number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+ptrdiff_t random_value (void);
+
+/* Return a random value between MIN and MAX. */
+static inline size_t
+value_range (size_t min, size_t max)
+{
+ const size_t val = random_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* For brevity. */
+#define R(min, max) value_range (min, max)
+
+/* Test memcpy with a number of bytes bounded by a known range. */
+
+void test_memcpy_range (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf, p, R (0, 5));
+ memcpy (buf, p, R (1, 5));
+ memcpy (buf, p, R (2, 5));
+ memcpy (buf, p, R (3, 5));
+ memcpy (buf, p, R (4, 5));
+
+ memcpy (buf, p, R (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ const size_t max = SIZE_MAX;
+ memcpy (buf, p, R (max - 1, max)); /* { dg-warning "writing" } */
+
+ memcpy (buf, p, R (max / 2 + 1, max)); /* { dg-warning "writing" } */
+}
+
+/* Test mempcpy with a number of bytes bounded by a known range. */
+
+void test_mempcpy_range (const void *p)
+{
+ char buf[5];
+
+ mempcpy (buf, p, R (0, 5));
+ mempcpy (buf, p, R (1, 5));
+ mempcpy (buf, p, R (2, 5));
+ mempcpy (buf, p, R (3, 5));
+ mempcpy (buf, p, R (4, 5));
+
+ mempcpy (buf, p, R (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ const size_t max = SIZE_MAX;
+ mempcpy (buf, p, R (max - 1, max)); /* { dg-warning "writing" } */
+
+ mempcpy (buf, p, R (max / 2 + 1, max)); /* { dg-warning "writing" } */
+}
+
+/* Test memset with a number of bytes bounded by a known range. */
+
+void test_memset_range (const void *p)
+{
+ char buf[5];
+
+ memset (buf, 0, R (0, 5));
+ memset (buf, 1, R (1, 5));
+ memset (buf, 2, R (2, 5));
+ memset (buf, 3, R (3, 5));
+ memset (buf, 4, R (4, 5));
+
+ memset (buf, 5, R (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ const size_t max = SIZE_MAX;
+ memset (buf, 6, R (max - 1, max)); /* { dg-warning "writing" } */
+
+ memset (buf, 7, R (max / 2 + 1, max)); /* { dg-warning "writing" } */
+}
+
+/* Return a pointer to constant string whose length is at least MINLEN
+ and at most 10. */
+static inline const char*
+string_range (size_t minlen)
+{
+ static const char str[] = "0123456789";
+
+ const size_t len = value_range (minlen, sizeof str - 1);
+
+ switch (len)
+ {
+ case 10: return "0123456789";
+ case 9: return "012345678";
+ case 8: return "01234567";
+ case 7: return "0123456";
+ case 6: return "012345";
+ case 5: return "01234";
+ case 4: return "0123";
+ case 3: return "012";
+ case 2: return "01";
+ case 1: return "0";
+ case 0: return "";
+ }
+}
+
+#define S(minlen) string_range (minlen)
+
+void test_strcpy_range (const char *s)
+{
+ char buf[5];
+
+ strcpy (buf, S (0));
+ strcpy (buf, S (1));
+ strcpy (buf, S (2));
+ strcpy (buf, S (4));
+ strcpy (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+ strcpy (buf, S (6)); /* { dg-warning "writing 7 bytes into a region of size 5 " } */
+ strcpy (buf, S (7)); /* { dg-warning "writing 8 bytes into a region of size 5 " } */
+ strcpy (buf, S (8)); /* { dg-warning "writing 9 bytes into a region of size 5 " } */
+ strcpy (buf, S (9)); /* { dg-warning "writing 10 bytes into a region of size 5 " } */
+ strcpy (buf, S (10)); /* { dg-warning "writing 11 bytes into a region of size 5 " } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
index 44677f1..4568680 100644
--- a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
@@ -24,11 +24,11 @@ test (int arg, ...)
*p = 0;
strncat (p, "abcdefghi", 10);
*p = 0;
- strncat (p, "abcdefghij", 10); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghij", 10); /* { dg-warning "writing 11 bytes" } */
*p = 0;
strncat (p, "abcdefgh", 11);
*p = 0;
- strncat (p, "abcdefghijkl", 11); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghijkl", 11); /* { dg-warning "writing 11 bytes" } */
*p = 0;
strncat (p, q, 9);
*p = 0;
diff --git a/gcc/testsuite/gcc.dg/memcpy-2.c b/gcc/testsuite/gcc.dg/memcpy-2.c
index 24464abd..7f839d2 100644
--- a/gcc/testsuite/gcc.dg/memcpy-2.c
+++ b/gcc/testsuite/gcc.dg/memcpy-2.c
@@ -7,7 +7,7 @@ typedef __SIZE_TYPE__ size_t;
extern inline __attribute__((gnu_inline, always_inline, artificial)) void *
memcpy (void *__restrict dest, const void *__restrict src, size_t len)
{
- return __builtin___memcpy_chk (dest, /* { dg-warning "will always overflow destination buffer" } */
+ return __builtin___memcpy_chk (dest, /* { dg-warning "writing" } */
src, len, __builtin_object_size (dest, 0));
}
diff --git a/gcc/testsuite/gcc.dg/pr40340-1.c b/gcc/testsuite/gcc.dg/pr40340-1.c
index aae84c6..78540a2 100644
--- a/gcc/testsuite/gcc.dg/pr40340-1.c
+++ b/gcc/testsuite/gcc.dg/pr40340-1.c
@@ -20,5 +20,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-2.c b/gcc/testsuite/gcc.dg/pr40340-2.c
index a0d6e084..1dc21d1 100644
--- a/gcc/testsuite/gcc.dg/pr40340-2.c
+++ b/gcc/testsuite/gcc.dg/pr40340-2.c
@@ -12,5 +12,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-5.c b/gcc/testsuite/gcc.dg/pr40340-5.c
index f50514c..e517147 100644
--- a/gcc/testsuite/gcc.dg/pr40340-5.c
+++ b/gcc/testsuite/gcc.dg/pr40340-5.c
@@ -13,5 +13,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
index 7ce9eae..b5a59f4 100644
--- a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
+++ b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
@@ -710,4 +710,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-10-28 2:19 [PATCH] enhance buffer overflow warnings (and c/53562) Martin Sebor
@ 2016-10-30 22:45 ` Martin Sebor
2016-10-31 12:39 ` Tobias Burnus
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-10-30 22:45 UTC (permalink / raw)
To: Gcc Patch List
[-- Attachment #1: Type: text/plain, Size: 2954 bytes --]
Attached is an updated patch that adds checks for excessive sizes
and bounds (those in excess of SIZE_MAX / 2), and also enables
the same checking for strcat and strncat). This version also
fixes an issue with the interpretation of anti-ranges in the
first patch. The improvements exposed two bugs in the regression
tests.
I'm wondering if it would make sense to either tighten up a bit
the checks for excessive sizes and bounds or add a customization
option to make it possible to specify a lower threshold. The
patch currently warns on sizes and bounds that exceed
SIZE_MAX / 2. It's very unlikely that any string or memory
operation will involve anywhere near that much data, and more
likely that such large numbers indicate bugs. I would expect
even half that to be generous in ILP32, and even less in LP64.
Reducing the threshold for the warning could help find even
more bugs and the risk of false positives is IMO negligible.
Providing an option to specify the threshold would be in line
with other such options, including the -Walloca checker. Does
anyone have any concerns with going down this path or suggestions?
Martin
On 10/27/2016 08:19 PM, Martin Sebor wrote:
> The attached patch enhances the compile-time detection of buffer
> overflow in functions like __builtin___memcpy_chk to consider
> non-constant lengths known to be in a certain range and warn
> when the lower bound of the range doesn't fit in the destination
> object.
>
> The patch does the same thing for the non-checking functions like
> __builtin_memcpy and issues buffer overflow warnings for those.
> For string functions like __builtin_strcpy, the patch also makes
> use of ranges of lengths of non-constant strings.
>
> To make reasoning about the warnings easier (and to help with
> debugging the problems), the patch also extends the warnings to
> print the ranges of lengths and sizes of the operands. The text
> and content of the warning messages is based on those issued by
> the -Wformat-length warning pass.
>
> Finally, as requested in bug 53562, the patch adds a new warning
> option, -Wstringop-overflow, to control these warnings (the option
> is on by default). I chose a different name for the option than
> suggested in the bug to avoid giving the impression that it
> actually inserts the checking calls (all it does is warn on
> buffer overflows detectable at compile-time).
>
> I was originally going to submit a more modest version of this
> patch as part of a bigger project I'm working on (bug 77608) but
> then decided to submit this one first because it's independent of
> the other.
>
> Possible enhancements include letting the option accept a level
> argument and at level 2 using the upper bound of the size or
> string length ranges similarly to the -Wformat-length option.
> With that, the following could be diagnosed as a potential
> buffer overflow:
>
> char d[5];
> strcpy (d, x ? "123" : "123456");
>
> Thanks
> Martin
[-- Attachment #2: gcc-53562.diff --]
[-- Type: text/x-patch, Size: 75562 bytes --]
PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
gcc/c-family/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
* c.opt (-Wstringop-overflow): New option.
gcc/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
* builtins.c (expand_builtin_strcat, expand_builtin_strncat): New
functions.
(get_size_range, check_sizes, check_strncat_sizes): Same.
(expand_builtin_memcpy): Call check sizes.
(expand_builtin_mempcpy): Same.
(expand_builtin_strcpy): Same.
(expand_builtin_strncpy): Same.
(expand_builtin_memset): Same,
(expand_builtin_bzero): Same.
(expand_builtin_memory_chk): Same.
(maybe_emit_sprintf_chk_warning): Same.
(expand_builtin): Handle strcat and strncat.
* doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
gcc/testsuite/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
* c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust expected diagnostic.
* g++.dg/ext/builtin-object-size3.C (bar): Same.
* g++.dg/ext/strncpy-chk1.C: Same.
* g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
* gcc.c-torture/compile/pr55569.c: Disable -Wstringop-overflow.
* gcc.dg/Wobjsize-1.c: Adjust expected diagnostic.
* gcc.dg/attr-alloc_size.c: Same.
* gcc.dg/builtin-stringop-chk-1.c: Adjust expected diagnostic.
* gcc.dg/builtin-stringop-chk-2.c: Same.
* gcc.dg/builtin-stringop-chk-4.c: New test.
* gcc.dg/builtin-strncat-chk-1.c: Adjust expected diagnostic..
* gcc.dg/memcpy-2.c: Same.
* gcc.dg/pr40340-1.c: Same.
* gcc.dg/pr40340-2.c (main): Same.
* gcc.dg/pr40340-5.c (main): Same.
* gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
* gcc.dg/torture/pr71132.c: Disable -Wstringop-overflow.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index facecd3..f505ec2 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -67,7 +67,7 @@ along with GCC; see the file COPYING3. If not see
#include "internal-fn.h"
#include "case-cfn-macros.h"
#include "gimple-fold.h"
-
+#include "intl.h"
struct target_builtins default_target_builtins;
#if SWITCHABLE_TARGET
@@ -125,9 +125,11 @@ static rtx expand_builtin_mempcpy (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_with_bounds (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_args (tree, tree, tree, rtx,
machine_mode, int, tree);
+static rtx expand_builtin_strcat (tree, rtx);
static rtx expand_builtin_strcpy (tree, rtx);
static rtx expand_builtin_strcpy_args (tree, tree, rtx);
static rtx expand_builtin_stpcpy (tree, rtx, machine_mode);
+static rtx expand_builtin_strncat (tree, rtx);
static rtx expand_builtin_strncpy (tree, rtx);
static rtx builtin_memset_gen_str (void *, HOST_WIDE_INT, machine_mode);
static rtx expand_builtin_memset (tree, rtx, machine_mode);
@@ -2967,6 +2969,211 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
return dest_addr;
}
+/* Fill the 2-element RANGE array with the minimum and maximum values
+ EXP is known to have and return true, otherwise null and return
+ false. */
+
+static bool
+get_size_range (tree exp, tree range[2])
+{
+ if (tree_fits_uhwi_p (exp))
+ {
+ range[0] = range[1] = exp;
+ return true;
+ }
+
+ if (TREE_CODE (exp) == SSA_NAME)
+ {
+ wide_int min, max;
+ enum value_range_type range_type = get_range_info (exp, &min, &max);
+
+ if (range_type == VR_RANGE)
+ {
+ /* Interpret the bound in the variable's type. */
+ range[0] = wide_int_to_tree (TREE_TYPE (exp), min);
+ range[1] = wide_int_to_tree (TREE_TYPE (exp), max);
+ return true;
+ }
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ /* An anti-range implies the original variable is signed and
+ its lower bound is negative and the upper bound positive.
+ Since that means that the expression's value could be zero
+ nothing interesting can be inferred from this. */
+ }
+ }
+
+ range[0] = NULL_TREE;
+ range[1] = NULL_TREE;
+ return false;
+}
+
+/* Try to verify that the sizes and lengths of the arguments to a string
+ manipulation function given by EXP are within valid bounds and that
+ the operation does not lead to buffer overflow. Arguments other than
+ EXP may be null. When non-null, the arguments have the following
+ meaning:
+ SIZE is the user-supplied size argument to the function (such as in
+ memcpy(d, s, SIZE) or strncpy(d, s, SIZE). It specifies the exact
+ number of bytes to write.
+ MAXLEN is the user-supplied bound on the length of the source sequence
+ (such as in strncat(d, s, N). It specifies the upper limit on the number
+ of bytes to write.
+ SLEN is the length of the source sequence (such as in strcpy(d, s),
+ SLEN = strlen(s)).
+ OBJSIZE is the size of the destination object specified by the last
+ argument to the _chk builtins, typically resulting from the expansion
+ of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
+ OBJSIZE).
+
+ When SIZE is null LEN is checked to verify that it doesn't exceed
+ SIZE_MAX.
+
+ If the call is successfully verfified as safe from buffer overflow
+ the function returns true, otherwise false.. */
+
+static bool
+check_sizes (tree exp, tree size, tree maxlen, tree slen, tree objsize)
+{
+ /* The size of the largest object. (This is way too permissive.) */
+ tree maxobjsize = TYPE_MAX_VALUE (ptrdiff_type_node);
+
+ tree range[2] = { NULL_TREE, NULL_TREE };
+
+ if (!size && !maxlen)
+ {
+ /* Handle strlen but not snprintf. */
+ size = slen ? slen : maxobjsize;
+ }
+
+ if (!objsize)
+ objsize = maxobjsize;
+
+ /* The SIZE is exact if it's non-null, constant, and in range of
+ unsigned HOST_WIDE_INT. */
+ bool exactsize = size && tree_fits_uhwi_p (size);
+
+ if (size)
+ get_size_range (size, range);
+
+ /* First check the number of bytes to be written against the maximum
+ object size. */
+ if (range[0] && tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified size %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified size between %wu and %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+ return false;
+ }
+
+ /* Next check the number of bytes to be written against the destination
+ object size. */
+ if (range[0] || !exactsize || integer_all_onesp (size))
+ {
+ if (range[0]
+ && ((tree_fits_uhwi_p (objsize)
+ && tree_int_cst_lt (objsize, range[0]))
+ || (tree_fits_uhwi_p (size)
+ && tree_int_cst_lt (size, range[0]))))
+ {
+ unsigned HOST_WIDE_INT uwir0 = tree_to_uhwi (range[0]);
+
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ (uwir0 == 1
+ ? G_("%K%D writing %wu byte into a region "
+ "of size %wu overflows the destination")
+ : G_("%K%D writing %wu bytes into a region "
+ "of size %wu overflows the destination")),
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu overflows "
+ "the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (range[1]), tree_to_uhwi (objsize));
+
+ /* Return error when an overflow has been detected. */
+ return false;
+ }
+ }
+
+ /* Check the maximum length of the source sequence against the size
+ of the destination object if known, or against the maximum size
+ of an object. */
+ if (maxlen)
+ {
+ get_size_range (maxlen, range);
+
+ if (range[0] && objsize && tree_fits_uhwi_p (objsize))
+ {
+ if (objsize != maxobjsize && tree_int_cst_lt (objsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound %wu "
+ "exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (objsize));
+ return false;
+ }
+ else if (tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
/* Expand a call EXP to the memcpy builtin.
Return NULL_RTX if we failed, the caller should emit a normal call,
otherwise try to get the result in TARGET, if convenient (and in
@@ -2983,6 +3190,14 @@ expand_builtin_memcpy (tree exp, rtx target)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, len, /*maxlen=*/NULL_TREE, NULL_TREE, objsize);
+
return expand_builtin_memcpy_args (dest, src, len, target, exp);
}
}
@@ -3037,10 +3252,21 @@ expand_builtin_mempcpy (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_mempcpy_args (dest, src, len,
- target, mode, /*endp=*/ 1,
- exp);
+
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Avoid expanding mempcpy into memcpy when the call is determined
+ to overflow the buffer. This also prevents the same overflow
+ from being diagnosed again when expanding memcpy. */
+ if (check_sizes (exp, len, NULL_TREE, NULL_TREE, destsize))
+ return expand_builtin_mempcpy_args (dest, src, len,
+ target, mode, /*endp=*/ 1,
+ exp);
}
+ return NULL_RTX;
}
/* Expand an instrumented call EXP to the mempcpy builtin.
@@ -3212,6 +3438,50 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
return target;
}
+/* Do some very basic size validation of a call to the strcpy builtin
+ given by EXP. Return NULL_RTX to have the built-in expand to a call
+ to the library function. */
+
+static rtx
+expand_builtin_strcat (tree exp, rtx)
+{
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* There is no way here to determine the length of the string in
+ the destination to which the SRC string is being appended so
+ just diagnose cases when the srouce string is longer than
+ the destination object. */
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strcpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call, otherwise
try to get the result in TARGET, if convenient (and in mode MODE if that's
@@ -3224,6 +3494,30 @@ expand_builtin_strcpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
return expand_builtin_strcpy_args (dest, src, target);
}
return NULL_RTX;
@@ -3334,6 +3628,130 @@ builtin_strncpy_read_str (void *data, HOST_WIDE_INT offset,
return c_readstr (str + offset, mode);
}
+/* Helper to check the sizes of sequences and the destination of calls
+ to __builtin_strncat and __builtin___strncat_chk. Returns true on
+ success (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_strncat_sizes (tree exp, tree objsize)
+{
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ if (!objsize)
+ {
+ /* If it hasn't been provided by __strncat_chk, try to determine
+ the size of the destination object into which the source is
+ being copied. */
+ unsigned HOST_WIDE_INT destsize;
+ if (compute_builtin_object_size (dest, 1, &destsize))
+ objsize = build_int_cst (sizetype, destsize);
+ }
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (objsize)
+ && tree_int_cst_equal (objsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return false;
+ }
+
+ if (!srclen || tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ return check_sizes (exp, /*size=*/NULL_TREE, maxlen, srclen, objsize);
+}
+
+/* Similar to expand_builtin_strcat, do some very basic size validation
+ of a call to the strcpy builtin given by EXP. Return NULL_RTX to have
+ the built-in expand to a call to the library function. */
+
+static rtx
+expand_builtin_strncat (tree exp, rtx)
+{
+ if (!validate_arglist (exp,
+ POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ /* The upper bound on the number of bytes to write. */
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
+ tree slen = c_strlen (src, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ /* Try to determine the size of the destination object into which
+ the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (destsize)
+ && tree_int_cst_equal (destsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return NULL_RTX;
+ }
+
+
+ if (!srclen || tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (exp, /*size=*/NULL_TREE, maxlen, srclen, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strncpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call. */
@@ -3347,9 +3765,39 @@ expand_builtin_strncpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+ /* The number of bytes to write (not the maximum). */
tree len = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
tree slen = c_strlen (src, 1);
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+
+ /* Try to determine the size of the destination object into which
+ the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (exp, len, /*maxlen=*/NULL_TREE, srclen, destsize);
+
/* We must be passed a constant len and src parameter. */
if (!tree_fits_uhwi_p (len) || !slen || !tree_fits_uhwi_p (slen))
return NULL_RTX;
@@ -3442,6 +3890,15 @@ expand_builtin_memset (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree val = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, len, NULL_TREE, NULL_TREE, objsize);
+
return expand_builtin_memset_args (dest, val, len, target, mode, exp);
}
}
@@ -3633,6 +4090,14 @@ expand_builtin_bzero (tree exp)
dest = CALL_EXPR_ARG (exp, 0);
size = CALL_EXPR_ARG (exp, 1);
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, size, NULL_TREE, NULL_TREE, objsize);
+
/* New argument list transforming bzero(ptr x, int y) to
memset(ptr x, int 0, size_t y). This is done this way
so that if it isn't expanded inline, we fallback to
@@ -6119,12 +6584,24 @@ expand_builtin (tree exp, rtx target, rtx subtarget, machine_mode mode,
return target;
break;
+ case BUILT_IN_STRCAT:
+ target = expand_builtin_strcat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRCPY:
target = expand_builtin_strcpy (exp, target);
if (target)
return target;
break;
+ case BUILT_IN_STRNCAT:
+ target = expand_builtin_strncat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRNCPY:
target = expand_builtin_strncpy (exp, target);
if (target)
@@ -9185,6 +9662,14 @@ expand_builtin_object_size (tree exp)
object_size_type = tree_to_shwi (ost);
+ unsigned HOST_WIDE_INT bytes;
+ compute_builtin_object_size (CALL_EXPR_ARG (exp, 0), object_size_type, &bytes);
+ if (wi::fits_to_tree_p (bytes, size_type_node))
+ {
+ tree node = build_int_cstu (size_type_node, bytes);
+ return expand_normal (node);
+ }
+
return object_size_type < 2 ? constm1_rtx : const0_rtx;
}
@@ -9212,22 +9697,20 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
len = CALL_EXPR_ARG (exp, 2);
size = CALL_EXPR_ARG (exp, 3);
- if (! tree_fits_uhwi_p (size))
+ bool sizes_ok = check_sizes (exp, len, NULL_TREE, NULL_TREE, size);
+
+ if (!tree_fits_uhwi_p (size))
return NULL_RTX;
if (tree_fits_uhwi_p (len) || integer_all_onesp (size))
{
- tree fn;
-
- if (! integer_all_onesp (size) && tree_int_cst_lt (size, len))
- {
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return NULL_RTX;
- }
+ /* Avoid transforming the checking call to an ordinary one when
+ an overflow has been detected or when the call couldn't be
+ validated because the size is not constant. */
+ if (!sizes_ok && !integer_all_onesp (size) && tree_int_cst_lt (size, len))
+ return NULL_RTX;
- fn = NULL_TREE;
+ tree fn = NULL_TREE;
/* If __builtin_mem{cpy,pcpy,move,set}_chk is used, assume
mem{cpy,pcpy,move,set} is available. */
switch (fcode)
@@ -9313,68 +9796,84 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
static void
maybe_emit_chk_warning (tree exp, enum built_in_function fcode)
{
- int is_strlen = 0;
- tree len, size;
- location_t loc = tree_nonartificial_location (exp);
+ /* The length of the source sequence of the memory operation, and
+ the size of the destination object. */
+ tree srclen = NULL_TREE;
+ tree objsize = NULL_TREE;
+ /* The length of the sequence that the source sequence is being
+ concatenated with (as with __strcat_chk) or null if it isn't. */
+ tree catlen = NULL_TREE;
+ /* The maximum length of the source sequence in a bounded operation
+ (such as __strncat_chk) or null if the operation isn't bounded
+ (such as __strcat_chk). */
+ tree maxlen = NULL_TREE;
switch (fcode)
{
case BUILT_IN_STRCPY_CHK:
case BUILT_IN_STPCPY_CHK:
- /* For __strcat_chk the warning will be emitted only if overflowing
- by at least strlen (dest) + 1 bytes. */
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
+ break;
+
case BUILT_IN_STRCAT_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 2);
- is_strlen = 1;
+ /* For __strcat_chk the warning will be emitted only if overflowing
+ by at least strlen (dest) + 1 bytes. */
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
break;
+
case BUILT_IN_STRNCAT_CHK:
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
+ break;
+
case BUILT_IN_STRNCPY_CHK:
case BUILT_IN_STPNCPY_CHK:
- len = CALL_EXPR_ARG (exp, 2);
- size = CALL_EXPR_ARG (exp, 3);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
+
case BUILT_IN_SNPRINTF_CHK:
case BUILT_IN_VSNPRINTF_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 3);
+ maxlen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
default:
gcc_unreachable ();
}
- if (!len || !size)
- return;
-
- if (! tree_fits_uhwi_p (size) || integer_all_onesp (size))
- return;
+ /* Compute the length of shortest string the source pointer points to. */
+ if (srclen)
+ {
+ tree lenrange[2];
+ get_range_strlen (srclen, lenrange);
+ srclen = lenrange[0];
+ }
- if (is_strlen)
+ if (catlen && maxlen)
{
- len = c_strlen (len, 1);
- if (! len || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
+ /* Check __strncat_chk. There is no way to determine the length
+ of the string to which the source string is being appended so
+ just warn when the length of the source string is not known. */
+ if (!check_strncat_sizes (exp, objsize))
return;
}
- else if (fcode == BUILT_IN_STRNCAT_CHK)
+
+ if (srclen)
{
- tree src = CALL_EXPR_ARG (exp, 1);
- if (! src || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- src = c_strlen (src, 1);
- if (! src || ! tree_fits_uhwi_p (src))
- {
- warning_at (loc, 0, "%Kcall to %D might overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return;
- }
- else if (tree_int_cst_lt (src, size))
- return;
+ srclen = fold_build2 (PLUS_EXPR, TREE_TYPE (srclen), srclen,
+ size_one_node);
+ if (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
}
- else if (! tree_fits_uhwi_p (len) || ! tree_int_cst_lt (size, len))
- return;
- warning_at (loc, 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ check_sizes (exp, NULL_TREE, maxlen, srclen, objsize);
}
/* Emit warning if a buffer overflow is detected at compile time
@@ -9428,10 +9927,9 @@ maybe_emit_sprintf_chk_warning (tree exp, enum built_in_function fcode)
else
return;
- if (! tree_int_cst_lt (len, size))
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ /* Add one for the terminating nul. */
+ len = fold_build2 (PLUS_EXPR, TREE_TYPE (len), len, size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, size);
}
/* Emit warning if a free is called with address of a variable. */
diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
index e146781..6635464 100644
--- a/gcc/c-family/c.opt
+++ b/gcc/c-family/c.opt
@@ -647,6 +647,10 @@ Wsizeof-array-argument
C ObjC C++ ObjC++ Var(warn_sizeof_array_argument) Warning Init(1)
Warn when sizeof is applied on a parameter declared as an array.
+Wstringop-overflow
+C ObjC C++ ObjC++ Var(warn_stringop_overflow) Init(1) Warning
+Warn about buffer overflow in string manipulation functions.
+
Wsuggest-attribute=format
C ObjC C++ ObjC++ Var(warn_suggest_attribute_format) Warning
Warn about functions which might be candidates for format attributes.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index d9667e7..81cbe63 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -299,6 +299,7 @@ Objective-C and Objective-C++ Dialects}.
-Wsizeof-pointer-memaccess -Wsizeof-array-argument @gol
-Wstack-protector -Wstack-usage=@var{len} -Wstrict-aliasing @gol
-Wstrict-aliasing=n -Wstrict-overflow -Wstrict-overflow=@var{n} @gol
+-Wstringop-overflow @gol
-Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]} @gol
-Wsuggest-final-types @gol -Wsuggest-final-methods -Wsuggest-override @gol
-Wmissing-format-attribute -Wsubobject-linkage @gol
@@ -4831,6 +4832,27 @@ comparisons, so this warning level gives a very large number of
false positives.
@end table
+@item -Wstringop-overflow
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+Warn for calls to string manipulation functions such as memcpy and strcpy
+hat are determined to overflow the destination buffer. The option works
+best with optimization enabled but it can detect a small subset of buffer
+overflows even without optimization. In any case, the option warns about
+just a subset of buffer overflows detected by the corresponding overflow
+checking built-ins. @xref{Object Size Checking}. For example,
+@option{-Wstringop-overflow} will warn on the following:
+
+@smallexample
+char buf[6];
+void f (int i)
+@{
+ strcpy (buf, i < 0 ? "yellow" : "orange");
+@};
+@end smallexample
+
+The @option{-Wstringop-overflow} option is enabled by default.
+
@item -Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]}
@opindex Wsuggest-attribute=
@opindex Wno-suggest-attribute=
diff --git a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
index d9ec7e2..9a02373 100644
--- a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
+++ b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
@@ -481,4 +481,4 @@ f4 (char *x, char **y, int z, char w[64])
stpncpy (x, s3, sizeof (s3));
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
index 09263e5..0207f9a 100644
--- a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
+++ b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
@@ -20,7 +20,7 @@ bar ()
{
int *p = new int;
int *q = new int[4];
- MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
- MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
+ MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "writing" }
+ MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "writing" }
baz (p, q);
}
diff --git a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
index ebafc99..85b3977 100644
--- a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
+++ b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
@@ -9,7 +9,7 @@ struct B { char z[50]; };
inline void
foo (char *dest, const char *__restrict src, __SIZE_TYPE__ n)
{
- __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "will always overflow" }
+ __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "overflows" }
}
void bar (const char *, int);
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
index 8b5c33e..2e6189b 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
@@ -713,4 +713,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-// { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" }
+// { dg-prune-output "\[\n\r\]*overflows\[\n\r\]*" }
diff --git a/gcc/testsuite/gcc.c-torture/compile/pr55569.c b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
index cffbcfc..7708f21 100644
--- a/gcc/testsuite/gcc.c-torture/compile/pr55569.c
+++ b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
@@ -1,4 +1,4 @@
-/* { dg-options "-ftree-vectorize" } */
+/* { dg-options "-Wno-stringop-overflow -ftree-vectorize" } */
int *bar (void);
void
@@ -6,6 +6,10 @@ foo (void)
{
long x;
int *y = bar ();
- for (x = -1 / sizeof (int); x; --x, ++y)
- *y = 0;
+
+ /* The loop below may be optimized to a call to memset with a size
+ that's in excess of the maximum object size. This is diagnosed
+ by the -Wstringop-overflow option. */
+ for (x = -1 / sizeof (int); x; --x, ++y)
+ *y = 0;
}
diff --git a/gcc/testsuite/gcc.dg/Wobjsize-1.c b/gcc/testsuite/gcc.dg/Wobjsize-1.c
index 291cfb9..211e068 100644
--- a/gcc/testsuite/gcc.dg/Wobjsize-1.c
+++ b/gcc/testsuite/gcc.dg/Wobjsize-1.c
@@ -10,6 +10,6 @@ int main(int argc, char **argv)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 6 } */
+/* { dg-warning "writing" "" { target *-*-* } 6 } */
/* { dg-message "file included" "included" { target *-*-* } 0 } */
/* { dg-message "inlined from" "inlined" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/attr-alloc_size.c b/gcc/testsuite/gcc.dg/attr-alloc_size.c
index e8129ce..f50ba7c 100644
--- a/gcc/testsuite/gcc.dg/attr-alloc_size.c
+++ b/gcc/testsuite/gcc.dg/attr-alloc_size.c
@@ -22,15 +22,15 @@ test (void)
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
index e491ff5..7689287 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
@@ -8,7 +8,10 @@
extern void abort (void);
#include "../gcc.c-torture/execute/builtins/chk.h"
-#include <stdarg.h>
+
+#define va_list __builtin_va_list
+#define va_start __builtin_va_start
+#define va_end __builtin_va_end
volatile void *vx;
char buf1[20];
@@ -22,60 +25,61 @@ test (int arg, ...)
char *p = &buf1[10], *q;
memcpy (&buf2[19], "ab", 1);
- memcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy" } */
vx = mempcpy (&buf2[19], "ab", 1);
- vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "mempcpy" } */
+ vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 " "mempcpy" } */
memmove (&buf2[18], &buf1[10], 2);
- memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "will always overflow" "memmove" } */
+ memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "writing 3 " "memmove" } */
memset (&buf2[16], 'a', 4);
- memset (&buf2[15], 'b', 6); /* { dg-warning "will always overflow" "memset" } */
+ memset (&buf2[15], 'b', 6); /* { dg-warning "writing 6 " "memset" } */
strcpy (&buf2[18], "a");
- strcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcpy" } */
vx = stpcpy (&buf2[18], "a");
- vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "stpcpy" } */
+ vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "writing 3" "stpcpy" } */
strncpy (&buf2[18], "a", 2);
- strncpy (&buf2[18], "a", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "a", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
strncpy (&buf2[18], "abc", 2);
- strncpy (&buf2[18], "abc", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "abc", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
memset (buf2, '\0', sizeof (buf2));
strcat (&buf2[18], "a");
memset (buf2, '\0', sizeof (buf2));
- strcat (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcat" } */
+ strcat (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcat" } */
sprintf (&buf2[18], "%s", buf1);
sprintf (&buf2[18], "%s", "a");
- sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "writing 3 " "sprintf" } */
sprintf (&buf2[18], "a");
- sprintf (&buf2[18], "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "ab"); /* { dg-warning "writing 3 " "sprintf" } */
snprintf (&buf2[18], 2, "%d", x);
/* N argument to snprintf is the size of the buffer.
Although this particular call wouldn't overflow buf2,
incorrect buffer size was passed to it and therefore
we want a warning and runtime failure. */
- snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "will always overflow" "snprintf" } */
+ snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "snprintf" } */
va_start (ap, arg);
vsprintf (&buf2[18], "a", ap);
va_end (ap);
+
va_start (ap, arg);
- vsprintf (&buf2[18], "ab", ap); /* { dg-warning "will always overflow" "vsprintf" } */
+ vsprintf (&buf2[18], "ab", ap); /* { dg-warning "writing 3" "vsprintf" } */
va_end (ap);
va_start (ap, arg);
vsnprintf (&buf2[18], 2, "%s", ap);
va_end (ap);
va_start (ap, arg);
/* See snprintf above. */
- vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "will always overflow" "vsnprintf" } */
+ vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "vsnprintf" } */
va_end (ap);
p = p + 10;
memset (p, 'd', 0);
- q = strcpy (p, ""); /* { dg-warning "will always overflow" "strcpy" } */
+ q = strcpy (p, ""); /* { dg-warning "writing 1 " "strcpy" } */
/* This invokes undefined behavior, since we are past the end of buf1. */
p = p + 10;
- memset (p, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (p, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
memset (q, 'd', 0);
- memset (q, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (q, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
q = q - 10;
memset (q, 'd', 10);
}
@@ -90,26 +94,26 @@ void
test2 (const H h)
{
char c;
- strncpy (&c, str, 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&c, str, 3); /* { dg-warning "specified bound 3 exceeds the size 1 of the destination" "strncpy" } */
struct { char b[4]; } x;
- sprintf (x.b, "%s", "ABCD"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (x.b, "%s", "ABCD"); /* { dg-warning "writing 5" "sprintf" } */
unsigned int i;
- memcpy (&i, &h, sizeof (h)); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&i, &h, sizeof (h)); /* { dg-warning "writing 16 " "memcpy" } */
unsigned char buf[21];
- memset (buf + 16, 0, 8); /* { dg-warning "will always overflow" "memset" } */
+ memset (buf + 16, 0, 8); /* { dg-warning "writing 8 " "memset" } */
typedef struct { int i, j, k, l; } S;
S *s[3];
- memset (s, 0, sizeof (S) * 3); /* { dg-warning "will always overflow" "memset" } */
+ memset (s, 0, sizeof (S) * 3); /* { dg-warning "writing 48 " "memset" } */
struct T { char a[8]; char b[4]; char c[10]; } t;
- stpcpy (t.c,"Testing..."); /* { dg-warning "will always overflow" "stpcpy" } */
+ stpcpy (t.c,"Testing..."); /* { dg-warning "writing" "stpcpy" } */
char b1[7];
char b2[4];
memset (b1, 0, sizeof (b1));
- memset (b2, 0, sizeof (b1)); /* { dg-warning "will always overflow" "memset" } */
+ memset (b2, 0, sizeof (b1)); /* { dg-warning "writing 7" "memset" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
index 7c2bb60..d537fb0 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
@@ -6,7 +6,7 @@
/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
#include "../gcc.c-torture/execute/builtins/chk.h"
-
+
void *bar (int);
extern void *malloc (__SIZE_TYPE__);
@@ -115,7 +115,7 @@ baz (const struct A *x, const unsigned char *z)
else
do
{
- memcpy (e, d, 513); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (e, d, 513); /* { dg-warning "writing" "memcpy" } */
e += 4;
}
while (--h);
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c
new file mode 100644
index 0000000..3b0ba0f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c
@@ -0,0 +1,344 @@
+/* Test exercising buffer overflow warnings emitted for __*_chk builtins
+ in cases where the destination involves a non-constant offset into
+ an object of known size. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+void sink (void*);
+
+/* Define memcpy as a macro (as opposed to an inline function) so that
+ warnings point to its invocation in the tests (as opposed to its
+ definition), making sure its first argument is evaluated exactly
+ once. */
+#define memcpy(d, s, n) \
+ do { \
+ __typeof__ (d) __d = (d); \
+ __builtin___memcpy_chk (__d, s, n, __builtin_object_size (__d, 1)); \
+ sink (__d); \
+ } while (0)
+
+/* Function to generate a unique offset each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+ptrdiff_t random_value (void);
+
+/* For brevity. */
+#define X() random_value ()
+
+/* Test memcpy with a variable offset not known to be in any range
+ and with a constant number of bytes. */
+
+void test_var_const (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf + X(), p, 6); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+
+ memcpy (&buf[X()], p, 6); /* { dg-warning "writing" } */
+
+ /* Since X() below can be assumed to be non-negative (otherwise it would
+ result in forming a pointer before the beginning of BUF), then because
+ of the +1 added to the resulting address there must be at most enough
+ room for (sizeof(buf) - 1) or 4 bytes. */
+ memcpy (&buf[X()] + 1, p, 4);
+
+ memcpy (&buf[X()] + 1, p, 5); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] + 5, p, 6); /* { dg-warning "writing" } */
+
+ /* The negative constant offset below must have no effect on the maximum
+ size of the buffer. */
+ memcpy (&buf[X()] - 1, p, 5);
+
+ memcpy (&buf[X()] - 1, p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] - 5, p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] + X(), p, 5);
+
+ memcpy (&buf[X()] + X(), p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] - X(), p, 5);
+
+ memcpy (&buf[X()] - X(), p, 6); /* { dg-warning "writing" } */
+}
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Test memcpy with a variable offset not known to be in any range
+ and with a number of bytes bounded by a known range. */
+
+void test_var_range (void *dst, const void *p)
+{
+ char buf[5];
+
+ memcpy (&buf[X()], p, range (0, 5));
+ memcpy (&buf[X()], p, range (1, 5));
+ memcpy (&buf[X()], p, range (2, 5));
+ memcpy (&buf[X()], p, range (3, 5));
+ memcpy (&buf[X()], p, range (4, 5));
+
+ memcpy (&buf[X()], p, range (6, 7)); /* { dg-warning "writing" } */
+
+ const size_t max = SIZE_MAX;
+ memcpy (&buf[X()], p, range (max - 1, max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (dst, p, range (max / 2 + 1, max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Return an ingeger in the range [MIN, MASK]. Use bitwise operations
+ rather than inequality to avoid relying on optimization passes
+ beyond Early Value Range Propagation that __builtin_object_size
+ doesn't make use of (yet). */
+
+static inline size_t
+simple_range (unsigned min, unsigned mask)
+{
+ return ((unsigned)random_value () & mask) | (min & mask);
+}
+
+/* For brevity. */
+#define R(min, max) simple_range (min, max)
+
+void test_range_auto (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf + R (0, 1), p, 6); /* { dg-warning "writing" } */
+
+ /* Some of these could be diagnosed as an extension because they would
+ overflow when (if) the non-const index were sufficiently large.
+ The challenge is distinguishing a range where a variable is likely
+ to exceed the minimum required for the overflow to occur from one
+ where it isn't so likely. */
+ memcpy (buf + R (0, 1), p, 5);
+
+ memcpy (buf + R (0, 1), p, 4);
+
+ memcpy (buf + R (0, 2), p, 3);
+
+ memcpy (buf + R (0, 3), p, 2);
+
+ memcpy (buf + R (0, 7), p, 1);
+
+ memcpy (buf + R (0, 5), p, 0);
+
+ /* The offset is known to be at least 1 so the size of the object
+ is at most 4. */
+ memcpy (buf + R (1, 2), p, 3);
+
+ memcpy (buf + R (1, 3), p, 3);
+
+ memcpy (buf + R (1, 2), p, 4);
+
+ memcpy (buf + R (1, 3) + 1, p, 4); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (1, 3), p, 5); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (2, 3), p, 2);
+
+ memcpy (buf + R (2, 3), p, 3);
+
+ memcpy (buf + R (2, 3) + 1, p, 3); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (2, 3), p, 4); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (3, 4), p, 2);
+
+ memcpy (buf + R (3, 7), p, 3); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (3, 7), p, 9); /* { dg-warning "writing" } */
+
+ memcpy (&buf[R (0, 1)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 2)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 3)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 4)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 5)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 2)] + 2, p, 4); /* { dg-warning "writing" } */
+
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+
+ memcpy (&buf[R (5, 15)], p, 1); /* { dg-warning "writing" } */
+
+ /* With the offset given by the two ranges below there is at most
+ 1 byte left. */
+ memcpy (buf + R (1, 2) + R (3, 4), p, 1);
+
+ memcpy (buf + R (1, 3) + R (3, 7), p, 2); /* { dg-warning "writing" } */
+
+ /* Unfortunately, the following isn't handled quite right: only
+ the lower bound given by the first range is used, the second
+ one is disregarded. */
+ memcpy (&buf [R (1, 2)] + R (3, 4), p, 2); /* { dg-warning "writing" "index in range plus offset in range" { xfail *-*-* } } */
+
+ memcpy (buf + R (2, 3) + R (2, 3), p, 1);
+
+ memcpy (buf + R (2, 3) + R (2, 3), p, 2); /* { dg-warning "writing" } */
+}
+
+void test_range_malloc (const void *p)
+{
+ char *buf = __builtin_malloc (5);
+
+ memcpy (buf + R (0, 1), p, 6); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (0, 1), p, 5);
+
+ memcpy (buf + R (0, 1), p, 4);
+
+ memcpy (buf + R (0, 2), p, 3);
+
+ memcpy (buf + R (0, 3), p, 2);
+
+ memcpy (buf + R (0, 4), p, 1);
+
+ memcpy (buf + R (0, 5), p, 0);
+}
+
+void test_range_schar (signed char i, const void *s)
+{
+ char a [130];
+
+ /* The range of I is [-128, 127] so the size of the destination below
+ is at most 2 (i.e., 130 - 128) bytes. */
+ memcpy (&a [130] + i, s, 2);
+
+ /* Strictly, the range of I below is [0, 127] because a negative value
+ would result in forming an invalid pointer, so the destination is at
+ most 2 bytes. */
+ memcpy (&a [i] + 128, s, 2);
+
+ /* Reset I's range just in case it gets set above. */
+ i = random_value ();
+ memcpy (&a [130] + i, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 128, s, 3); /* { dg-warning "writing" } */
+}
+
+void test_range_uchar (unsigned char i, const void *s)
+{
+ char a [260];
+
+ /* The range of I is [0, 255] so the size of the destination below
+ is at most 2 (i.e., 260 - 258 + 0) bytes. */
+ memcpy (&a [258] + i, s, 2);
+
+ memcpy (&a [i] + 128, s, 2);
+
+ /* Reset I's range just in case it gets set above. */
+ i = random_value ();
+ memcpy (&a [258] + i, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 258, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [259] + i, s, 2); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 259, s, 2); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [260] + i, s, 1); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 260, s, 1); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [260] + i, s, 0);
+
+ i = random_value ();
+ memcpy (&a [i] + 260, s, 0);
+}
+
+void test_range_int (int i, const void *s)
+{
+ const size_t max = (size_t)INT_MAX * 2 + 1;
+
+ char *a = __builtin_malloc (max);
+
+ memcpy (&a [max] + i, s, INT_MAX);
+ memcpy (&a [max] - i, s, INT_MAX);
+ /* &*/
+ memcpy (&a [max] + i, s, INT_MAX + (size_t)1);
+ memcpy (&a [max] - i, s, INT_MAX + (size_t)1); /* { dg-warning "writing" } */
+ memcpy (&a [max] + i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+ memcpy (&a [max] - i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+
+ char *end = &a [max];
+ memcpy (end + i, s, INT_MAX);
+ memcpy (end - i, s, INT_MAX);
+ /* &*/
+ memcpy (end + i, s, INT_MAX + (size_t)1);
+ memcpy (end - i, s, INT_MAX + (size_t)1); /* { dg-warning "writing" } */
+ memcpy (end + i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+ memcpy (end - i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+
+ memcpy (&a [i] + max, s, 1);
+}
+
+
+void test_range_ptrdiff_t (ptrdiff_t i, const void *s)
+{
+ const size_t max = PTRDIFF_MAX;
+
+ char *a = __builtin_malloc (max);
+
+ memcpy (&a [max] + i, s, max);
+
+ memcpy (&a [i] + max - 1, s, 1);
+}
+
+void test_range_size_t (size_t i, const void *s)
+{
+ const size_t diffmax = PTRDIFF_MAX;
+
+ char *a = __builtin_malloc (diffmax);
+
+ memcpy (&a [diffmax] + i, s, 0);
+ memcpy (&a [i] + diffmax, s, 0);
+
+ memcpy (&a [diffmax] + i, s, 1); /* { dg-warning "writing" } */
+
+ memcpy (&a [i] + diffmax, s, 1); /* { dg-warning "writing" } */
+}
+
+struct S {
+ int i;
+ char a7[7];
+ int b;
+};
+
+void test_range_member_array (struct S *s, const void *p)
+{
+ memcpy (s->a7 + R (0, 1), p, 6);
+
+ memcpy (s->a7 + R (0, 1), p, 7);
+
+ memcpy (s->a7 + R (0, 1), p, 8); /* { dg-warning "writing" } */
+
+ memcpy (&s->a7 [R (0, 1)], p, 7);
+
+ memcpy (&s->a7 [R (1, 3)], p, 7); /* { dg-warning "writing" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
new file mode 100644
index 0000000..7979a13
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
@@ -0,0 +1,459 @@
+/* Test exercising buffer overflow warnings emitted for __*_chk builtins
+ in cases where the destination involves a non-constant offset into
+ an object of known size. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+static const size_t ssize_max = SIZE_MAX / 2;
+static const size_t size_max = SIZE_MAX;
+
+extern signed char schar_val;
+extern signed short sshrt_val;
+extern signed int sint_val;
+extern signed long slong_val;
+extern unsigned char uchar_val;
+extern unsigned short ushrt_val;
+extern unsigned int uint_val;
+extern unsigned long ulong_val;
+
+#define memcpy(d, s, n) (memcpy ((d), (s), (n)), sink ((d)))
+extern void* (memcpy)(void*, const void*, size_t);
+
+#define mempcpy(d, s, n) (mempcpy ((d), (s), (n)), sink ((d)))
+extern void* (mempcpy)(void*, const void*, size_t);
+
+#define memset(d, c, n) (memset ((d), (c), (n)), sink ((d)))
+extern void* (memset)(void*, int, size_t);
+
+#define bzero(d, n) (bzero ((d), (n)), sink ((d)))
+extern void (bzero)(void*, size_t);
+
+#define strcat(d, s) (strcat ((d), (s)), sink ((d)))
+extern char* (strcat)(char*, const char*);
+
+#define strncat(d, s, n) (strncat ((d), (s), (n)), sink ((d)))
+extern char* (strncat)(char*, const char*, size_t);
+
+#define strcpy(d, s) (strcpy ((d), (s)), sink ((d)))
+extern char* (strcpy)(char*, const char*);
+
+#define strncpy(d, s, n) (strncpy ((d), (s), (n)), sink ((d)))
+extern char* (strncpy)(char*, const char*, size_t);
+
+void sink (void*);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+ptrdiff_t random_signed_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+unsigned_range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Return a random signed value between MIN and MAX. */
+
+static inline ptrdiff_t
+signed_range (ptrdiff_t min, ptrdiff_t max)
+{
+ const ptrdiff_t val = random_signed_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* For brevity. */
+#define UR(min, max) unsigned_range (min, max)
+#define SR(min, max) signed_range (min, max)
+
+/* UReturn a pointer to constant string whose length is at least MINLEN
+ and at most 10. */
+static inline const char*
+string_range (size_t minlen)
+{
+ static const char str[] = "0123456789";
+
+ const size_t len = unsigned_range (minlen, sizeof str - 1);
+
+ switch (len)
+ {
+ case 10: return "0123456789";
+ case 9: return "012345678";
+ case 8: return "01234567";
+ case 7: return "0123456";
+ case 6: return "012345";
+ case 5: return "01234";
+ case 4: return "0123";
+ case 3: return "012";
+ case 2: return "01";
+ case 1: return "0";
+ case 0: return "";
+ }
+}
+
+#define S(minlen) string_range (minlen)
+
+/* Test memcpy with a number of bytes bounded by a known range. */
+
+void test_memcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ memcpy (buf, s, UR (0, 5));
+ memcpy (buf, s, UR (1, 5));
+ memcpy (buf, s, UR (2, 5));
+ memcpy (buf, s, UR (3, 5));
+ memcpy (buf, s, UR (4, 5));
+
+ memcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memcpy into a destination of unknown size with excessive
+ number of bytes. */
+ memcpy (d, s, UR (ssize_max, size_max));
+ memcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (buf, s, SR (-1, 1));
+ memcpy (buf, s, SR (-3, 2));
+ memcpy (buf, s, SR (-5, 3));
+ memcpy (buf, s, SR (-7, 4));
+ memcpy (buf, s, SR (-9, 5));
+ memcpy (buf, s, SR (-11, 6));
+
+ memcpy (d, s, SR (-1, 1));
+ memcpy (d, s, SR (-3, 2));
+ memcpy (d, s, SR (-5, 3));
+ memcpy (d, s, SR (-7, 4));
+ memcpy (d, s, SR (-9, 5));
+ memcpy (d, s, SR (-11, 6));
+
+ memcpy (buf, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (d, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Even though the following calls are bounded by the range of N's
+ type they must not cause a warning for obvious reasons. */
+ memcpy (buf, s, schar_val);
+ memcpy (buf, s, sshrt_val);
+ memcpy (buf, s, sint_val);
+ memcpy (buf, s, slong_val);
+
+ memcpy (buf, s, uchar_val);
+ memcpy (buf, s, ushrt_val);
+ memcpy (buf, s, uint_val);
+ memcpy (buf, s, ulong_val);
+
+ memcpy (buf, s, schar_val + 1);
+ memcpy (buf, s, sshrt_val + 2);
+ memcpy (buf, s, sint_val + 3);
+ memcpy (buf, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+
+ memcpy (d, s, schar_val);
+ memcpy (d, s, sshrt_val);
+ memcpy (d, s, sint_val);
+ memcpy (d, s, slong_val);
+
+ memcpy (d, s, uchar_val);
+ memcpy (d, s, ushrt_val);
+ memcpy (d, s, uint_val);
+ memcpy (d, s, ulong_val);
+
+ memcpy (d, s, schar_val + 1);
+ memcpy (d, s, sshrt_val + 2);
+ memcpy (d, s, sint_val + 3);
+ memcpy (d, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+}
+
+/* Test mempcpy with a number of bytes bounded by a known range. */
+
+void test_mempcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ mempcpy (buf, s, UR (0, 5));
+ mempcpy (buf, s, UR (1, 5));
+ mempcpy (buf, s, UR (2, 5));
+ mempcpy (buf, s, UR (3, 5));
+ mempcpy (buf, s, UR (4, 5));
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ mempcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ mempcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise mempcpy into a destination of unknown size with excessive
+ number of bytes. */
+ mempcpy (d, s, UR (ssize_max, size_max));
+ mempcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test memset with a number of bytes bounded by a known range. */
+
+void test_memset_range (void *d)
+{
+ char buf[5];
+
+ memset (buf, 0, UR (0, 5));
+ memset (buf, 0, UR (1, 5));
+ memset (buf, 0, UR (2, 5));
+ memset (buf, 0, UR (3, 5));
+ memset (buf, 0, UR (4, 5));
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memset (buf, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memset (buf, 0, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memset into a destination of unknown size with excessive
+ number of bytes. */
+ memset (d, 0, UR (ssize_max, size_max));
+ memset (d, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test bzero with a number of bytes bounded by a known range. */
+
+void test_bzero_range (void *d)
+{
+ char buf[5];
+
+ bzero (buf, UR (0, 5));
+ bzero (buf, UR (1, 5));
+ bzero (buf, UR (2, 5));
+ bzero (buf, UR (3, 5));
+ bzero (buf, UR (4, 5));
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ bzero (buf, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ bzero (buf, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise bzero into a destination of unknown size with excessive
+ number of bytes. */
+ bzero (d, UR (ssize_max, size_max));
+ bzero (d, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strcat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strcat_range (void)
+{
+ char buf[5] = "";
+
+ strcat (buf, S (0));
+ strcat (buf, S (1));
+ strcat (buf, S (2));
+ strcat (buf, S (3));
+ strcat (buf, S (4));
+ strcat (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strcat. */
+ char buf2[5] = "12";
+ strcat (buf2, S (4)); /* { dg-warning "writing 5 bytes into a region of size 3" "strcat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strcpy with a non-constant source string of length in a known
+ range. */
+
+void test_strcpy_range (void)
+{
+ char buf[5];
+
+ strcpy (buf, S (0));
+ strcpy (buf, S (1));
+ strcpy (buf, S (2));
+ strcpy (buf, S (4));
+ strcpy (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+ strcpy (buf, S (6)); /* { dg-warning "writing 7 bytes into a region of size 5 " } */
+ strcpy (buf, S (7)); /* { dg-warning "writing 8 bytes into a region of size 5 " } */
+ strcpy (buf, S (8)); /* { dg-warning "writing 9 bytes into a region of size 5 " } */
+ strcpy (buf, S (9)); /* { dg-warning "writing 10 bytes into a region of size 5 " } */
+ strcpy (buf, S (10)); /* { dg-warning "writing 11 bytes into a region of size 5 " } */
+}
+
+/* Test strncat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strncat_range (void)
+{
+ char buf[5] = "";
+
+ strncat (buf, S (0), 0);
+ strncat (buf, S (0), 1);
+ strncat (buf, S (0), 2);
+ strncat (buf, S (0), 3);
+ strncat (buf, S (0), 4);
+ /* Strncat always appends a terminating null after copying the N
+ characters so the following triggers a warning pointing out
+ that specifying sizeof(buf) as the upper bound may cause
+ the nul to overflow the destination. */
+ strncat (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (0), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ strncat (buf, S (1), 0);
+ strncat (buf, S (1), 1);
+ strncat (buf, S (1), 2);
+ strncat (buf, S (1), 3);
+ strncat (buf, S (1), 4);
+ strncat (buf, S (1), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (1), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+ strncat (buf, S (2), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ /* The following could just as well say "writing 6 bytes into a region
+ of size 5. Either would be correct and probably equally as clear
+ in this case. But when the length of the source string is not known
+ at all then the bound warning seems clearer. */
+ strncat (buf, S (5), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination " } */
+ strncat (buf, S (7), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strncpy. */
+ char buf2[5] = "12";
+ strncat (buf2, S (4), 4); /* { dg-warning "writing 5 bytes into a region of size 3" "strncat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strncat_chk with an argument referencing a non-constant string
+ of lengths in a known range. */
+
+void test_strncat_chk_range (char *d)
+{
+ char buf[5] = "";
+
+#define strncat_chk(d, s, n) \
+ __builtin___strncat_chk ((d), (s), (n), __builtin_object_size (d, 1));
+
+ strncat_chk (buf, S (0), 1);
+ strncat_chk (buf, S (0), 2);
+ strncat_chk (buf, S (0), 3);
+ strncat_chk (buf, S (0), 4);
+ strncat_chk (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), 1);
+ strncat_chk (buf, S (5), 2);
+ strncat_chk (buf, S (5), 3);
+ strncat_chk (buf, S (5), 4);
+ strncat_chk (buf, S (5), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds the size 5 of the destination " } */
+
+ strncat_chk (d, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size " } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a constant number of bytes. */
+
+void test_strncpy_string_range (char *d)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), 0);
+ strncpy (buf, S (0), 1);
+ strncpy (buf, S (0), 2);
+ strncpy (buf, S (0), 3);
+ strncpy (buf, S (0), 4);
+ strncpy (buf, S (0), 5);
+ strncpy (buf, S (0), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (6), 4);
+ strncpy (buf, S (7), 5);
+ strncpy (buf, S (8), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (1), ssize_max - 1); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (2), ssize_max); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (buf, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (1), ssize_max - 1);
+ strncpy (d, S (2), ssize_max);
+ strncpy (d, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (d, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a non-constant number of bytes also in a known range. */
+
+void test_strncpy_string_count_range (char *d, const char *s)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), UR (0, 1));
+ strncpy (buf, S (0), UR (0, 2));
+ strncpy (buf, S (0), UR (0, 3));
+ strncpy (buf, S (0), UR (0, 4));
+ strncpy (buf, S (0), UR (0, 5));
+ strncpy (buf, S (0), UR (0, 6));
+ strncpy (buf, S (0), UR (1, 6));
+ strncpy (buf, S (0), UR (2, 6));
+ strncpy (buf, S (0), UR (3, 6));
+ strncpy (buf, S (0), UR (4, 6));
+ strncpy (buf, S (0), UR (5, 6));
+
+ strncpy (buf, S (9), UR (0, 1));
+ strncpy (buf, S (8), UR (0, 2));
+ strncpy (buf, S (7), UR (0, 3));
+ strncpy (buf, S (6), UR (0, 4));
+ strncpy (buf, S (8), UR (0, 5));
+ strncpy (buf, S (7), UR (0, 6));
+ strncpy (buf, S (6), UR (1, 6));
+ strncpy (buf, S (5), UR (2, 6));
+ strncpy (buf, S (9), UR (3, 6));
+ strncpy (buf, S (8), UR (4, 6));
+ strncpy (buf, S (7), UR (5, 6));
+
+ strncpy (buf, S (0), UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+ strncpy (buf, S (1), UR (7, 8)); /* { dg-warning "writing between 7 and 8 bytes into a region of size 5 " } */
+ strncpy (buf, S (2), UR (ssize_max, ssize_max + 1)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 " } */
+
+ strncpy (buf, S (2), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (0), UR (5, 6));
+ strncpy (d, S (1), UR (6, 7));
+ strncpy (d, S (2), UR (7, 8));
+
+ strncpy (d, S (3), UR (ssize_max, ssize_max + 1));
+
+ strncpy (d, S (4), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
index 44677f1..daff680 100644
--- a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
@@ -24,15 +24,15 @@ test (int arg, ...)
*p = 0;
strncat (p, "abcdefghi", 10);
*p = 0;
- strncat (p, "abcdefghij", 10); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghij", 10); /* { dg-warning "writing 11 bytes into a region of size 10 overflows the destination" } */
*p = 0;
strncat (p, "abcdefgh", 11);
*p = 0;
- strncat (p, "abcdefghijkl", 11); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghijkl", 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
*p = 0;
strncat (p, q, 9);
*p = 0;
- strncat (p, q, 10); /* { dg-warning "might overflow" } */
+ strncat (p, q, 10); /* { dg-warning "specified bound 10 equals the size of the destination" } */
*p = 0;
- strncat (p, q, 11); /* { dg-warning "might overflow" } */
+ strncat (p, q, 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
}
diff --git a/gcc/testsuite/gcc.dg/memcpy-2.c b/gcc/testsuite/gcc.dg/memcpy-2.c
index 24464abd..7f839d2 100644
--- a/gcc/testsuite/gcc.dg/memcpy-2.c
+++ b/gcc/testsuite/gcc.dg/memcpy-2.c
@@ -7,7 +7,7 @@ typedef __SIZE_TYPE__ size_t;
extern inline __attribute__((gnu_inline, always_inline, artificial)) void *
memcpy (void *__restrict dest, const void *__restrict src, size_t len)
{
- return __builtin___memcpy_chk (dest, /* { dg-warning "will always overflow destination buffer" } */
+ return __builtin___memcpy_chk (dest, /* { dg-warning "writing" } */
src, len, __builtin_object_size (dest, 0));
}
diff --git a/gcc/testsuite/gcc.dg/pr40340-1.c b/gcc/testsuite/gcc.dg/pr40340-1.c
index aae84c6..78540a2 100644
--- a/gcc/testsuite/gcc.dg/pr40340-1.c
+++ b/gcc/testsuite/gcc.dg/pr40340-1.c
@@ -20,5 +20,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-2.c b/gcc/testsuite/gcc.dg/pr40340-2.c
index a0d6e084..1dc21d1 100644
--- a/gcc/testsuite/gcc.dg/pr40340-2.c
+++ b/gcc/testsuite/gcc.dg/pr40340-2.c
@@ -12,5 +12,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-5.c b/gcc/testsuite/gcc.dg/pr40340-5.c
index f50514c..e517147 100644
--- a/gcc/testsuite/gcc.dg/pr40340-5.c
+++ b/gcc/testsuite/gcc.dg/pr40340-5.c
@@ -13,5 +13,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
index 7ce9eae..b5a59f4 100644
--- a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
+++ b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
@@ -710,4 +710,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/gcc.dg/torture/pr71132.c b/gcc/testsuite/gcc.dg/torture/pr71132.c
index 2991718..2544eb1 100644
--- a/gcc/testsuite/gcc.dg/torture/pr71132.c
+++ b/gcc/testsuite/gcc.dg/torture/pr71132.c
@@ -1,4 +1,9 @@
/* { dg-do compile } */
+/* { dg-additional-options "-Wno-stringop-overflow" } */
+/* The loop below writes past the end of the global object a.
+ When the loop is transformed into a call to memcpy the buffer
+ overflow is detected and diagnosed by the -Wstringop-overflow
+ option enabled by default. */
typedef unsigned size_t;
struct {
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-10-30 22:45 ` Martin Sebor
@ 2016-10-31 12:39 ` Tobias Burnus
2016-10-31 16:44 ` Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Tobias Burnus @ 2016-10-31 12:39 UTC (permalink / raw)
To: gcc-patches, Martin Sebor
Martin Sebor wrote:
> Attached is an updated patch that adds checks for excessive sizes
> and bounds (those in excess of SIZE_MAX / 2), and also enables
> the same checking for strcat and strncat). This version also
> fixes an issue with the interpretation of anti-ranges in the
> first patch. The improvements exposed two bugs in the regression
> tests.
If I apply this patch to my local trunk - and try to bootstrap GCC,
bootstrapping fails (on x86-64_gnu-linux) as following. I have not
tried to figure out whether the warning (-Werror) makes sense or not.
../../gcc/emit-rtl.c: In function ‘rtx_note* make_note_raw(insn_note)’:
../../gcc/emit-rtl.c:3933:59: error: void* memset(void*, int, size_t) writing 8 bytes into a region of size 0 overflows the destination [-Werror=stringop-overflow]
memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
where NOTE_DATA is defined in rtl.h as
/* Opaque data. */
#define NOTE_DATA(INSN) RTL_CHECKC1 (INSN, 3, NOTE)
Cheers,
Tobias
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-10-31 12:39 ` Tobias Burnus
@ 2016-10-31 16:44 ` Martin Sebor
2016-11-01 2:39 ` Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-10-31 16:44 UTC (permalink / raw)
To: Tobias Burnus, gcc-patches
On 10/31/2016 06:39 AM, Tobias Burnus wrote:
> Martin Sebor wrote:
>> Attached is an updated patch that adds checks for excessive sizes
>> and bounds (those in excess of SIZE_MAX / 2), and also enables
>> the same checking for strcat and strncat). This version also
>> fixes an issue with the interpretation of anti-ranges in the
>> first patch. The improvements exposed two bugs in the regression
>> tests.
>
> If I apply this patch to my local trunk - and try to bootstrap GCC,
> bootstrapping fails (on x86-64_gnu-linux) as following. I have not
> tried to figure out whether the warning (-Werror) makes sense or not.
>
> ../../gcc/emit-rtl.c: In function ‘rtx_note* make_note_raw(insn_note)’:
> ../../gcc/emit-rtl.c:3933:59: error: void* memset(void*, int, size_t) writing 8 bytes into a region of size 0 overflows the destination [-Werror=stringop-overflow]
> memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
>
>
> where NOTE_DATA is defined in rtl.h as
>
> /* Opaque data. */
> #define NOTE_DATA(INSN) RTL_CHECKC1 (INSN, 3, NOTE)
Thanks for trying it out! The patch bootstrapped and passed regression
tests for me yesterday, also on x86_64, and today on powepc64le, but
just now I reproduced the error with the top of today's trunk on
x86_64. I think the error is justified because the call to memset
in the make_note_raw function references a fourth element
(rtx_note::rtx_insn::rtx_def::u.fld[3]) of what is just a single
element array. After macro expansion, the memset call itself:
memset (&((note)->u.fld[3]), 0, sizeof (((note)->u.fld[3])));
is within the bounds of the object pointed to by note but the index
3 is out of bounds for note->u.fld and so undefined. An unpatched
GCC issues a similar error when the call to memset is replaced with
__builtin___memset_chk like so:
__builtin___memset_chk (&((note)->u.fld[3]), 0,
sizeof (((note)->u.fld[3])),
__builtin_object_size (&((note)->u.fld[3]), 1));
/src/gcc/53562/gcc/emit-rtl.c: In function ‘rtx_note*
make_note_raw(insn_note)’:
/src/gcc/53562/gcc/emit-rtl.c:3941:53: warning: call to void*
__builtin___memset_chk(void*, int, long unsigned int, long unsigned int)
will always overflow destination buffer
The code can be made valid and the warning avoided by deriving
the same address not from an invalid pointer/subscript but rather
from a pointer to the beginning of the union itself and adding
the offset of the fourth element, like so:
char *p = (char*) &(note)->u.fld[0];
p += sizeof (((note)->u.fld[0])) * 3;
memset (p, 0, sizeof *p);
Unfortunately, because the invalid subscript is the result of
the expansion of the RTL_CHECK1() macro fixing this isn't as
straightforward as that. What really should be fixed is the macro
itself. Until then, it can be worked (hacked would be a better
term) around it by storing the result of &NOTE_DATA (note)
expression in a volatile pointer, like so:
diff --git a/gcc/emit-rtl.c b/gcc/emit-rtl.c
index 8afcfbe..6dd9439 100644
--- a/gcc/emit-rtl.c
+++ b/gcc/emit-rtl.c
@@ -3930,7 +3930,8 @@ make_note_raw (enum insn_note subtype)
INSN_UID (note) = cur_insn_uid++;
NOTE_KIND (note) = subtype;
BLOCK_FOR_INSN (note) = NULL;
- memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
+ void* volatile p = &NOTE_DATA (note);
+ memset (p, 0, sizeof (NOTE_DATA (note)));
return note;
}
Martin
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-10-31 16:44 ` Martin Sebor
@ 2016-11-01 2:39 ` Martin Sebor
2016-11-01 14:10 ` Jakub Jelinek
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-01 2:39 UTC (permalink / raw)
To: gcc-patches; +Cc: Tobias Burnus
[-- Attachment #1: Type: text/plain, Size: 4893 bytes --]
Attached is an updated patch that works around the problem with
the definition of the NOTE_DATA macro discussed below. I've
raised bug 78174 for it and temporarily worked around it in
the patch. I'll see if I can come up with a patch to fix the
macro the "right way" but would prefer to do that separately.
The NOTE_DATA macro is implemented in terms of the RTL_CHECK1
macro that will need to change and that macro is used in many
others, so I would rather not mess around with those as part
of this patch.
I tested the updated patch with today's top of trunk on x86_64.
The reason why I missed the problem in the previous patch is
because I accidentally tested an earlier version of it.
In following up on bug 78174 it occurred to me that the warning
option added by the patch for the non-checking functions could
perhaps be enhanced to specify the object size checking type
(right now it hardcodes type 1 for all non-checking functions).
That would make it possible to request looser checking for some
functions (e.g., memset, for compatibility with Glibc's setting
of zero even at _FORTIFY_SOURCE=2), and stricter checking for
others (e.g., strcpy where Glibc uses type-1 with
_FORTIFY_SOURCE=2). If this is something people would think
would be worthwhile please let me know.
Martin
On 10/31/2016 10:44 AM, Martin Sebor wrote:
> On 10/31/2016 06:39 AM, Tobias Burnus wrote:
>> Martin Sebor wrote:
>>> Attached is an updated patch that adds checks for excessive sizes
>>> and bounds (those in excess of SIZE_MAX / 2), and also enables
>>> the same checking for strcat and strncat). This version also
>>> fixes an issue with the interpretation of anti-ranges in the
>>> first patch. The improvements exposed two bugs in the regression
>>> tests.
>>
>> If I apply this patch to my local trunk - and try to bootstrap GCC,
>> bootstrapping fails (on x86-64_gnu-linux) as following. I have not
>> tried to figure out whether the warning (-Werror) makes sense or not.
>>
>> ../../gcc/emit-rtl.c: In function ‘rtx_note* make_note_raw(insn_note)’:
>> ../../gcc/emit-rtl.c:3933:59: error: void* memset(void*, int, size_t)
>> writing 8 bytes into a region of size 0 overflows the destination
>> [-Werror=stringop-overflow]
>> memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
>>
>>
>> where NOTE_DATA is defined in rtl.h as
>>
>> /* Opaque data. */
>> #define NOTE_DATA(INSN) RTL_CHECKC1 (INSN, 3, NOTE)
>
> Thanks for trying it out! The patch bootstrapped and passed regression
> tests for me yesterday, also on x86_64, and today on powepc64le, but
> just now I reproduced the error with the top of today's trunk on
> x86_64. I think the error is justified because the call to memset
> in the make_note_raw function references a fourth element
> (rtx_note::rtx_insn::rtx_def::u.fld[3]) of what is just a single
> element array. After macro expansion, the memset call itself:
>
> memset (&((note)->u.fld[3]), 0, sizeof (((note)->u.fld[3])));
>
> is within the bounds of the object pointed to by note but the index
> 3 is out of bounds for note->u.fld and so undefined. An unpatched
> GCC issues a similar error when the call to memset is replaced with
> __builtin___memset_chk like so:
>
> __builtin___memset_chk (&((note)->u.fld[3]), 0,
> sizeof (((note)->u.fld[3])),
> __builtin_object_size (&((note)->u.fld[3]), 1));
>
> /src/gcc/53562/gcc/emit-rtl.c: In function ‘rtx_note*
> make_note_raw(insn_note)’:
> /src/gcc/53562/gcc/emit-rtl.c:3941:53: warning: call to void*
> __builtin___memset_chk(void*, int, long unsigned int, long unsigned int)
> will always overflow destination buffer
>
> The code can be made valid and the warning avoided by deriving
> the same address not from an invalid pointer/subscript but rather
> from a pointer to the beginning of the union itself and adding
> the offset of the fourth element, like so:
>
> char *p = (char*) &(note)->u.fld[0];
> p += sizeof (((note)->u.fld[0])) * 3;
> memset (p, 0, sizeof *p);
>
> Unfortunately, because the invalid subscript is the result of
> the expansion of the RTL_CHECK1() macro fixing this isn't as
> straightforward as that. What really should be fixed is the macro
> itself. Until then, it can be worked (hacked would be a better
> term) around it by storing the result of &NOTE_DATA (note)
> expression in a volatile pointer, like so:
>
> diff --git a/gcc/emit-rtl.c b/gcc/emit-rtl.c
> index 8afcfbe..6dd9439 100644
> --- a/gcc/emit-rtl.c
> +++ b/gcc/emit-rtl.c
> @@ -3930,7 +3930,8 @@ make_note_raw (enum insn_note subtype)
> INSN_UID (note) = cur_insn_uid++;
> NOTE_KIND (note) = subtype;
> BLOCK_FOR_INSN (note) = NULL;
> - memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
> + void* volatile p = &NOTE_DATA (note);
> + memset (p, 0, sizeof (NOTE_DATA (note)));
> return note;
> }
>
> Martin
[-- Attachment #2: gcc-53562.diff --]
[-- Type: text/x-patch, Size: 76272 bytes --]
PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
PR middle-end/78149 - missing warning on strncpy buffer overflow due to an excessive bound
PR middle-end/78138 - missing warnings on buffer overflow with non-constant source length
gcc/c-family/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
* c.opt (-Wstringop-overflow): New option.
gcc/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
PR middle-end/78149
PR middle-end/78138
* builtins.c (expand_builtin_strcat, expand_builtin_strncat): New
functions.
(get_size_range, check_sizes, check_strncat_sizes): Same.
(expand_builtin_memcpy): Call check sizes.
(expand_builtin_mempcpy): Same.
(expand_builtin_strcpy): Same.
(expand_builtin_strncpy): Same.
(expand_builtin_memset): Same,
(expand_builtin_bzero): Same.
(expand_builtin_memory_chk): Same.
(maybe_emit_sprintf_chk_warning): Same.
(expand_builtin): Handle strcat and strncat.
* gcc/emit-rtl.c (make_note_raw): Temporarily work around a bug
in the definition of the NOTE_DATA macro.
* doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
gcc/testsuite/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
PR middle-end/78149
PR middle-end/78138
* c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust expected diagnostic.
* g++.dg/ext/builtin-object-size3.C (bar): Same.
* g++.dg/ext/strncpy-chk1.C: Same.
* g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
* gcc.c-torture/compile/pr55569.c: Disable -Wstringop-overflow.
* gcc.dg/Wobjsize-1.c: Adjust expected diagnostic.
* gcc.dg/attr-alloc_size.c: Same.
* gcc.dg/builtin-stringop-chk-1.c: Adjust expected diagnostic.
* gcc.dg/builtin-stringop-chk-2.c: Same.
* gcc.dg/builtin-stringop-chk-4.c: New test.
* gcc.dg/builtin-strncat-chk-1.c: Adjust expected diagnostic..
* gcc.dg/memcpy-2.c: Same.
* gcc.dg/pr40340-1.c: Same.
* gcc.dg/pr40340-2.c (main): Same.
* gcc.dg/pr40340-5.c (main): Same.
* gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
* gcc.dg/torture/pr71132.c: Disable -Wstringop-overflow.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index facecd3..02f118c 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -67,7 +67,7 @@ along with GCC; see the file COPYING3. If not see
#include "internal-fn.h"
#include "case-cfn-macros.h"
#include "gimple-fold.h"
-
+#include "intl.h"
struct target_builtins default_target_builtins;
#if SWITCHABLE_TARGET
@@ -125,9 +125,11 @@ static rtx expand_builtin_mempcpy (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_with_bounds (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_args (tree, tree, tree, rtx,
machine_mode, int, tree);
+static rtx expand_builtin_strcat (tree, rtx);
static rtx expand_builtin_strcpy (tree, rtx);
static rtx expand_builtin_strcpy_args (tree, tree, rtx);
static rtx expand_builtin_stpcpy (tree, rtx, machine_mode);
+static rtx expand_builtin_strncat (tree, rtx);
static rtx expand_builtin_strncpy (tree, rtx);
static rtx builtin_memset_gen_str (void *, HOST_WIDE_INT, machine_mode);
static rtx expand_builtin_memset (tree, rtx, machine_mode);
@@ -2967,6 +2969,211 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
return dest_addr;
}
+/* Fill the 2-element RANGE array with the minimum and maximum values
+ EXP is known to have and return true, otherwise null and return
+ false. */
+
+static bool
+get_size_range (tree exp, tree range[2])
+{
+ if (tree_fits_uhwi_p (exp))
+ {
+ range[0] = range[1] = exp;
+ return true;
+ }
+
+ if (TREE_CODE (exp) == SSA_NAME)
+ {
+ wide_int min, max;
+ enum value_range_type range_type = get_range_info (exp, &min, &max);
+
+ if (range_type == VR_RANGE)
+ {
+ /* Interpret the bound in the variable's type. */
+ range[0] = wide_int_to_tree (TREE_TYPE (exp), min);
+ range[1] = wide_int_to_tree (TREE_TYPE (exp), max);
+ return true;
+ }
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ /* An anti-range implies the original variable is signed and
+ its lower bound is negative and the upper bound positive.
+ Since that means that the expression's value could be zero
+ nothing interesting can be inferred from this. */
+ }
+ }
+
+ range[0] = NULL_TREE;
+ range[1] = NULL_TREE;
+ return false;
+}
+
+/* Try to verify that the sizes and lengths of the arguments to a string
+ manipulation function given by EXP are within valid bounds and that
+ the operation does not lead to buffer overflow. Arguments other than
+ EXP may be null. When non-null, the arguments have the following
+ meaning:
+ SIZE is the user-supplied size argument to the function (such as in
+ memcpy(d, s, SIZE) or strncpy(d, s, SIZE). It specifies the exact
+ number of bytes to write.
+ MAXLEN is the user-supplied bound on the length of the source sequence
+ (such as in strncat(d, s, N). It specifies the upper limit on the number
+ of bytes to write.
+ SLEN is the length of the source sequence (such as in strcpy(d, s),
+ SLEN = strlen(s)).
+ OBJSIZE is the size of the destination object specified by the last
+ argument to the _chk builtins, typically resulting from the expansion
+ of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
+ OBJSIZE).
+
+ When SIZE is null LEN is checked to verify that it doesn't exceed
+ SIZE_MAX.
+
+ If the call is successfully verfified as safe from buffer overflow
+ the function returns true, otherwise false.. */
+
+static bool
+check_sizes (tree exp, tree size, tree maxlen, tree slen, tree objsize)
+{
+ /* The size of the largest object. (This is way too permissive.) */
+ tree maxobjsize = build_int_cst (sizetype, HOST_WIDE_INT_MAX);
+
+ tree range[2] = { NULL_TREE, NULL_TREE };
+
+ if (!size && !maxlen)
+ {
+ /* Handle strlen but not snprintf. */
+ size = slen ? slen : maxobjsize;
+ }
+
+ if (!objsize)
+ objsize = maxobjsize;
+
+ /* The SIZE is exact if it's non-null, constant, and in range of
+ unsigned HOST_WIDE_INT. */
+ bool exactsize = size && tree_fits_uhwi_p (size);
+
+ if (size)
+ get_size_range (size, range);
+
+ /* First check the number of bytes to be written against the maximum
+ object size. */
+ if (range[0] && tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified size %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified size between %wu and %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+ return false;
+ }
+
+ /* Next check the number of bytes to be written against the destination
+ object size. */
+ if (range[0] || !exactsize || integer_all_onesp (size))
+ {
+ if (range[0]
+ && ((tree_fits_uhwi_p (objsize)
+ && tree_int_cst_lt (objsize, range[0]))
+ || (tree_fits_uhwi_p (size)
+ && tree_int_cst_lt (size, range[0]))))
+ {
+ unsigned HOST_WIDE_INT uwir0 = tree_to_uhwi (range[0]);
+
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ (uwir0 == 1
+ ? G_("%K%D writing %wu byte into a region "
+ "of size %wu overflows the destination")
+ : G_("%K%D writing %wu bytes into a region "
+ "of size %wu overflows the destination")),
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu overflows "
+ "the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (range[1]), tree_to_uhwi (objsize));
+
+ /* Return error when an overflow has been detected. */
+ return false;
+ }
+ }
+
+ /* Check the maximum length of the source sequence against the size
+ of the destination object if known, or against the maximum size
+ of an object. */
+ if (maxlen)
+ {
+ get_size_range (maxlen, range);
+
+ if (range[0] && objsize && tree_fits_uhwi_p (objsize))
+ {
+ if (objsize != maxobjsize && tree_int_cst_lt (objsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound %wu "
+ "exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (objsize));
+ return false;
+ }
+ else if (tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, OPT_Wstringop_overflow,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
/* Expand a call EXP to the memcpy builtin.
Return NULL_RTX if we failed, the caller should emit a normal call,
otherwise try to get the result in TARGET, if convenient (and in
@@ -2983,6 +3190,14 @@ expand_builtin_memcpy (tree exp, rtx target)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, len, /*maxlen=*/NULL_TREE, NULL_TREE, objsize);
+
return expand_builtin_memcpy_args (dest, src, len, target, exp);
}
}
@@ -3037,10 +3252,21 @@ expand_builtin_mempcpy (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_mempcpy_args (dest, src, len,
- target, mode, /*endp=*/ 1,
- exp);
+
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Avoid expanding mempcpy into memcpy when the call is determined
+ to overflow the buffer. This also prevents the same overflow
+ from being diagnosed again when expanding memcpy. */
+ if (check_sizes (exp, len, NULL_TREE, NULL_TREE, destsize))
+ return expand_builtin_mempcpy_args (dest, src, len,
+ target, mode, /*endp=*/ 1,
+ exp);
}
+ return NULL_RTX;
}
/* Expand an instrumented call EXP to the mempcpy builtin.
@@ -3212,6 +3438,50 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
return target;
}
+/* Do some very basic size validation of a call to the strcpy builtin
+ given by EXP. Return NULL_RTX to have the built-in expand to a call
+ to the library function. */
+
+static rtx
+expand_builtin_strcat (tree exp, rtx)
+{
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* There is no way here to determine the length of the string in
+ the destination to which the SRC string is being appended so
+ just diagnose cases when the srouce string is longer than
+ the destination object. */
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strcpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call, otherwise
try to get the result in TARGET, if convenient (and in mode MODE if that's
@@ -3224,6 +3494,30 @@ expand_builtin_strcpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
return expand_builtin_strcpy_args (dest, src, target);
}
return NULL_RTX;
@@ -3334,6 +3628,130 @@ builtin_strncpy_read_str (void *data, HOST_WIDE_INT offset,
return c_readstr (str + offset, mode);
}
+/* Helper to check the sizes of sequences and the destination of calls
+ to __builtin_strncat and __builtin___strncat_chk. Returns true on
+ success (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_strncat_sizes (tree exp, tree objsize)
+{
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ if (!objsize)
+ {
+ /* If it hasn't been provided by __strncat_chk, try to determine
+ the size of the destination object into which the source is
+ being copied. */
+ unsigned HOST_WIDE_INT destsize;
+ if (compute_builtin_object_size (dest, 1, &destsize))
+ objsize = build_int_cst (sizetype, destsize);
+ }
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (objsize)
+ && tree_int_cst_equal (objsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return false;
+ }
+
+ if (!srclen || tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ return check_sizes (exp, /*size=*/NULL_TREE, maxlen, srclen, objsize);
+}
+
+/* Similar to expand_builtin_strcat, do some very basic size validation
+ of a call to the strcpy builtin given by EXP. Return NULL_RTX to have
+ the built-in expand to a call to the library function. */
+
+static rtx
+expand_builtin_strncat (tree exp, rtx)
+{
+ if (!validate_arglist (exp,
+ POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ /* The upper bound on the number of bytes to write. */
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
+ tree slen = c_strlen (src, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ /* Try to determine the size of the destination object into which
+ the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (destsize)
+ && tree_int_cst_equal (destsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return NULL_RTX;
+ }
+
+
+ if (!srclen || tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (exp, /*size=*/NULL_TREE, maxlen, srclen, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strncpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call. */
@@ -3347,9 +3765,39 @@ expand_builtin_strncpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+ /* The number of bytes to write (not the maximum). */
tree len = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
tree slen = c_strlen (src, 1);
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+
+ /* Try to determine the size of the destination object into which
+ the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (exp, len, /*maxlen=*/NULL_TREE, srclen, destsize);
+
/* We must be passed a constant len and src parameter. */
if (!tree_fits_uhwi_p (len) || !slen || !tree_fits_uhwi_p (slen))
return NULL_RTX;
@@ -3442,6 +3890,15 @@ expand_builtin_memset (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree val = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, len, NULL_TREE, NULL_TREE, objsize);
+
return expand_builtin_memset_args (dest, val, len, target, mode, exp);
}
}
@@ -3633,6 +4090,14 @@ expand_builtin_bzero (tree exp)
dest = CALL_EXPR_ARG (exp, 0);
size = CALL_EXPR_ARG (exp, 1);
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (exp, size, NULL_TREE, NULL_TREE, objsize);
+
/* New argument list transforming bzero(ptr x, int y) to
memset(ptr x, int 0, size_t y). This is done this way
so that if it isn't expanded inline, we fallback to
@@ -6119,12 +6584,24 @@ expand_builtin (tree exp, rtx target, rtx subtarget, machine_mode mode,
return target;
break;
+ case BUILT_IN_STRCAT:
+ target = expand_builtin_strcat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRCPY:
target = expand_builtin_strcpy (exp, target);
if (target)
return target;
break;
+ case BUILT_IN_STRNCAT:
+ target = expand_builtin_strncat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRNCPY:
target = expand_builtin_strncpy (exp, target);
if (target)
@@ -9212,22 +9689,20 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
len = CALL_EXPR_ARG (exp, 2);
size = CALL_EXPR_ARG (exp, 3);
- if (! tree_fits_uhwi_p (size))
+ bool sizes_ok = check_sizes (exp, len, NULL_TREE, NULL_TREE, size);
+
+ if (!tree_fits_uhwi_p (size))
return NULL_RTX;
if (tree_fits_uhwi_p (len) || integer_all_onesp (size))
{
- tree fn;
-
- if (! integer_all_onesp (size) && tree_int_cst_lt (size, len))
- {
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return NULL_RTX;
- }
+ /* Avoid transforming the checking call to an ordinary one when
+ an overflow has been detected or when the call couldn't be
+ validated because the size is not constant. */
+ if (!sizes_ok && !integer_all_onesp (size) && tree_int_cst_lt (size, len))
+ return NULL_RTX;
- fn = NULL_TREE;
+ tree fn = NULL_TREE;
/* If __builtin_mem{cpy,pcpy,move,set}_chk is used, assume
mem{cpy,pcpy,move,set} is available. */
switch (fcode)
@@ -9313,68 +9788,84 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
static void
maybe_emit_chk_warning (tree exp, enum built_in_function fcode)
{
- int is_strlen = 0;
- tree len, size;
- location_t loc = tree_nonartificial_location (exp);
+ /* The length of the source sequence of the memory operation, and
+ the size of the destination object. */
+ tree srclen = NULL_TREE;
+ tree objsize = NULL_TREE;
+ /* The length of the sequence that the source sequence is being
+ concatenated with (as with __strcat_chk) or null if it isn't. */
+ tree catlen = NULL_TREE;
+ /* The maximum length of the source sequence in a bounded operation
+ (such as __strncat_chk) or null if the operation isn't bounded
+ (such as __strcat_chk). */
+ tree maxlen = NULL_TREE;
switch (fcode)
{
case BUILT_IN_STRCPY_CHK:
case BUILT_IN_STPCPY_CHK:
- /* For __strcat_chk the warning will be emitted only if overflowing
- by at least strlen (dest) + 1 bytes. */
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
+ break;
+
case BUILT_IN_STRCAT_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 2);
- is_strlen = 1;
+ /* For __strcat_chk the warning will be emitted only if overflowing
+ by at least strlen (dest) + 1 bytes. */
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
break;
+
case BUILT_IN_STRNCAT_CHK:
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
+ break;
+
case BUILT_IN_STRNCPY_CHK:
case BUILT_IN_STPNCPY_CHK:
- len = CALL_EXPR_ARG (exp, 2);
- size = CALL_EXPR_ARG (exp, 3);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
+
case BUILT_IN_SNPRINTF_CHK:
case BUILT_IN_VSNPRINTF_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 3);
+ maxlen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
default:
gcc_unreachable ();
}
- if (!len || !size)
- return;
-
- if (! tree_fits_uhwi_p (size) || integer_all_onesp (size))
- return;
+ /* Compute the length of shortest string the source pointer points to. */
+ if (srclen)
+ {
+ tree lenrange[2];
+ get_range_strlen (srclen, lenrange);
+ srclen = lenrange[0];
+ }
- if (is_strlen)
+ if (catlen && maxlen)
{
- len = c_strlen (len, 1);
- if (! len || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
+ /* Check __strncat_chk. There is no way to determine the length
+ of the string to which the source string is being appended so
+ just warn when the length of the source string is not known. */
+ if (!check_strncat_sizes (exp, objsize))
return;
}
- else if (fcode == BUILT_IN_STRNCAT_CHK)
+
+ if (srclen)
{
- tree src = CALL_EXPR_ARG (exp, 1);
- if (! src || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- src = c_strlen (src, 1);
- if (! src || ! tree_fits_uhwi_p (src))
- {
- warning_at (loc, 0, "%Kcall to %D might overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return;
- }
- else if (tree_int_cst_lt (src, size))
- return;
+ srclen = fold_build2 (PLUS_EXPR, TREE_TYPE (srclen), srclen,
+ size_one_node);
+ if (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
}
- else if (! tree_fits_uhwi_p (len) || ! tree_int_cst_lt (size, len))
- return;
- warning_at (loc, 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ check_sizes (exp, NULL_TREE, maxlen, srclen, objsize);
}
/* Emit warning if a buffer overflow is detected at compile time
@@ -9428,10 +9919,9 @@ maybe_emit_sprintf_chk_warning (tree exp, enum built_in_function fcode)
else
return;
- if (! tree_int_cst_lt (len, size))
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ /* Add one for the terminating nul. */
+ len = fold_build2 (PLUS_EXPR, TREE_TYPE (len), len, size_one_node);
+ check_sizes (exp, NULL_TREE, NULL_TREE, len, size);
}
/* Emit warning if a free is called with address of a variable. */
diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
index e146781..6635464 100644
--- a/gcc/c-family/c.opt
+++ b/gcc/c-family/c.opt
@@ -647,6 +647,10 @@ Wsizeof-array-argument
C ObjC C++ ObjC++ Var(warn_sizeof_array_argument) Warning Init(1)
Warn when sizeof is applied on a parameter declared as an array.
+Wstringop-overflow
+C ObjC C++ ObjC++ Var(warn_stringop_overflow) Init(1) Warning
+Warn about buffer overflow in string manipulation functions.
+
Wsuggest-attribute=format
C ObjC C++ ObjC++ Var(warn_suggest_attribute_format) Warning
Warn about functions which might be candidates for format attributes.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index d9667e7..81cbe63 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -299,6 +299,7 @@ Objective-C and Objective-C++ Dialects}.
-Wsizeof-pointer-memaccess -Wsizeof-array-argument @gol
-Wstack-protector -Wstack-usage=@var{len} -Wstrict-aliasing @gol
-Wstrict-aliasing=n -Wstrict-overflow -Wstrict-overflow=@var{n} @gol
+-Wstringop-overflow @gol
-Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]} @gol
-Wsuggest-final-types @gol -Wsuggest-final-methods -Wsuggest-override @gol
-Wmissing-format-attribute -Wsubobject-linkage @gol
@@ -4831,6 +4832,27 @@ comparisons, so this warning level gives a very large number of
false positives.
@end table
+@item -Wstringop-overflow
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+Warn for calls to string manipulation functions such as memcpy and strcpy
+hat are determined to overflow the destination buffer. The option works
+best with optimization enabled but it can detect a small subset of buffer
+overflows even without optimization. In any case, the option warns about
+just a subset of buffer overflows detected by the corresponding overflow
+checking built-ins. @xref{Object Size Checking}. For example,
+@option{-Wstringop-overflow} will warn on the following:
+
+@smallexample
+char buf[6];
+void f (int i)
+@{
+ strcpy (buf, i < 0 ? "yellow" : "orange");
+@};
+@end smallexample
+
+The @option{-Wstringop-overflow} option is enabled by default.
+
@item -Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]}
@opindex Wsuggest-attribute=
@opindex Wno-suggest-attribute=
diff --git a/gcc/emit-rtl.c b/gcc/emit-rtl.c
index 2d6d1eb..9de68d0 100644
--- a/gcc/emit-rtl.c
+++ b/gcc/emit-rtl.c
@@ -3929,7 +3929,14 @@ make_note_raw (enum insn_note subtype)
INSN_UID (note) = cur_insn_uid++;
NOTE_KIND (note) = subtype;
BLOCK_FOR_INSN (note) = NULL;
- memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
+
+ /* FIXME: The NOTE_DATA() macro uses an invalid array subscript
+ that causes a -Wstringop-overflow warning in the call to memset
+ below. The resulting pointer is valid but the way it's derived
+ is undefined. Hide the pointer computation from memset to avoid
+ the warning until the macro is fixed. */
+ void* volatile p = &NOTE_DATA (note);
+ memset (p, 0, sizeof (NOTE_DATA (note)));
return note;
}
\f
diff --git a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
index d9ec7e2..9a02373 100644
--- a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
+++ b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
@@ -481,4 +481,4 @@ f4 (char *x, char **y, int z, char w[64])
stpncpy (x, s3, sizeof (s3));
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
index 09263e5..0207f9a 100644
--- a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
+++ b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
@@ -20,7 +20,7 @@ bar ()
{
int *p = new int;
int *q = new int[4];
- MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
- MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
+ MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "writing" }
+ MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "writing" }
baz (p, q);
}
diff --git a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
index ebafc99..85b3977 100644
--- a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
+++ b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
@@ -9,7 +9,7 @@ struct B { char z[50]; };
inline void
foo (char *dest, const char *__restrict src, __SIZE_TYPE__ n)
{
- __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "will always overflow" }
+ __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "overflows" }
}
void bar (const char *, int);
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
index 8b5c33e..2e6189b 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
@@ -713,4 +713,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-// { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" }
+// { dg-prune-output "\[\n\r\]*overflows\[\n\r\]*" }
diff --git a/gcc/testsuite/gcc.c-torture/compile/pr55569.c b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
index cffbcfc..7708f21 100644
--- a/gcc/testsuite/gcc.c-torture/compile/pr55569.c
+++ b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
@@ -1,4 +1,4 @@
-/* { dg-options "-ftree-vectorize" } */
+/* { dg-options "-Wno-stringop-overflow -ftree-vectorize" } */
int *bar (void);
void
@@ -6,6 +6,10 @@ foo (void)
{
long x;
int *y = bar ();
- for (x = -1 / sizeof (int); x; --x, ++y)
- *y = 0;
+
+ /* The loop below may be optimized to a call to memset with a size
+ that's in excess of the maximum object size. This is diagnosed
+ by the -Wstringop-overflow option. */
+ for (x = -1 / sizeof (int); x; --x, ++y)
+ *y = 0;
}
diff --git a/gcc/testsuite/gcc.dg/Wobjsize-1.c b/gcc/testsuite/gcc.dg/Wobjsize-1.c
index 291cfb9..211e068 100644
--- a/gcc/testsuite/gcc.dg/Wobjsize-1.c
+++ b/gcc/testsuite/gcc.dg/Wobjsize-1.c
@@ -10,6 +10,6 @@ int main(int argc, char **argv)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 6 } */
+/* { dg-warning "writing" "" { target *-*-* } 6 } */
/* { dg-message "file included" "included" { target *-*-* } 0 } */
/* { dg-message "inlined from" "inlined" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/attr-alloc_size.c b/gcc/testsuite/gcc.dg/attr-alloc_size.c
index e8129ce..f50ba7c 100644
--- a/gcc/testsuite/gcc.dg/attr-alloc_size.c
+++ b/gcc/testsuite/gcc.dg/attr-alloc_size.c
@@ -22,15 +22,15 @@ test (void)
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
index e491ff5..7689287 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
@@ -8,7 +8,10 @@
extern void abort (void);
#include "../gcc.c-torture/execute/builtins/chk.h"
-#include <stdarg.h>
+
+#define va_list __builtin_va_list
+#define va_start __builtin_va_start
+#define va_end __builtin_va_end
volatile void *vx;
char buf1[20];
@@ -22,60 +25,61 @@ test (int arg, ...)
char *p = &buf1[10], *q;
memcpy (&buf2[19], "ab", 1);
- memcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy" } */
vx = mempcpy (&buf2[19], "ab", 1);
- vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "mempcpy" } */
+ vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 " "mempcpy" } */
memmove (&buf2[18], &buf1[10], 2);
- memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "will always overflow" "memmove" } */
+ memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "writing 3 " "memmove" } */
memset (&buf2[16], 'a', 4);
- memset (&buf2[15], 'b', 6); /* { dg-warning "will always overflow" "memset" } */
+ memset (&buf2[15], 'b', 6); /* { dg-warning "writing 6 " "memset" } */
strcpy (&buf2[18], "a");
- strcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcpy" } */
vx = stpcpy (&buf2[18], "a");
- vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "stpcpy" } */
+ vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "writing 3" "stpcpy" } */
strncpy (&buf2[18], "a", 2);
- strncpy (&buf2[18], "a", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "a", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
strncpy (&buf2[18], "abc", 2);
- strncpy (&buf2[18], "abc", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "abc", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
memset (buf2, '\0', sizeof (buf2));
strcat (&buf2[18], "a");
memset (buf2, '\0', sizeof (buf2));
- strcat (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcat" } */
+ strcat (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcat" } */
sprintf (&buf2[18], "%s", buf1);
sprintf (&buf2[18], "%s", "a");
- sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "writing 3 " "sprintf" } */
sprintf (&buf2[18], "a");
- sprintf (&buf2[18], "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "ab"); /* { dg-warning "writing 3 " "sprintf" } */
snprintf (&buf2[18], 2, "%d", x);
/* N argument to snprintf is the size of the buffer.
Although this particular call wouldn't overflow buf2,
incorrect buffer size was passed to it and therefore
we want a warning and runtime failure. */
- snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "will always overflow" "snprintf" } */
+ snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "snprintf" } */
va_start (ap, arg);
vsprintf (&buf2[18], "a", ap);
va_end (ap);
+
va_start (ap, arg);
- vsprintf (&buf2[18], "ab", ap); /* { dg-warning "will always overflow" "vsprintf" } */
+ vsprintf (&buf2[18], "ab", ap); /* { dg-warning "writing 3" "vsprintf" } */
va_end (ap);
va_start (ap, arg);
vsnprintf (&buf2[18], 2, "%s", ap);
va_end (ap);
va_start (ap, arg);
/* See snprintf above. */
- vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "will always overflow" "vsnprintf" } */
+ vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "vsnprintf" } */
va_end (ap);
p = p + 10;
memset (p, 'd', 0);
- q = strcpy (p, ""); /* { dg-warning "will always overflow" "strcpy" } */
+ q = strcpy (p, ""); /* { dg-warning "writing 1 " "strcpy" } */
/* This invokes undefined behavior, since we are past the end of buf1. */
p = p + 10;
- memset (p, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (p, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
memset (q, 'd', 0);
- memset (q, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (q, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
q = q - 10;
memset (q, 'd', 10);
}
@@ -90,26 +94,26 @@ void
test2 (const H h)
{
char c;
- strncpy (&c, str, 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&c, str, 3); /* { dg-warning "specified bound 3 exceeds the size 1 of the destination" "strncpy" } */
struct { char b[4]; } x;
- sprintf (x.b, "%s", "ABCD"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (x.b, "%s", "ABCD"); /* { dg-warning "writing 5" "sprintf" } */
unsigned int i;
- memcpy (&i, &h, sizeof (h)); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&i, &h, sizeof (h)); /* { dg-warning "writing 16 " "memcpy" } */
unsigned char buf[21];
- memset (buf + 16, 0, 8); /* { dg-warning "will always overflow" "memset" } */
+ memset (buf + 16, 0, 8); /* { dg-warning "writing 8 " "memset" } */
typedef struct { int i, j, k, l; } S;
S *s[3];
- memset (s, 0, sizeof (S) * 3); /* { dg-warning "will always overflow" "memset" } */
+ memset (s, 0, sizeof (S) * 3); /* { dg-warning "writing 48 " "memset" } */
struct T { char a[8]; char b[4]; char c[10]; } t;
- stpcpy (t.c,"Testing..."); /* { dg-warning "will always overflow" "stpcpy" } */
+ stpcpy (t.c,"Testing..."); /* { dg-warning "writing" "stpcpy" } */
char b1[7];
char b2[4];
memset (b1, 0, sizeof (b1));
- memset (b2, 0, sizeof (b1)); /* { dg-warning "will always overflow" "memset" } */
+ memset (b2, 0, sizeof (b1)); /* { dg-warning "writing 7" "memset" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
index 7c2bb60..d537fb0 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
@@ -6,7 +6,7 @@
/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
#include "../gcc.c-torture/execute/builtins/chk.h"
-
+
void *bar (int);
extern void *malloc (__SIZE_TYPE__);
@@ -115,7 +115,7 @@ baz (const struct A *x, const unsigned char *z)
else
do
{
- memcpy (e, d, 513); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (e, d, 513); /* { dg-warning "writing" "memcpy" } */
e += 4;
}
while (--h);
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c
new file mode 100644
index 0000000..3b0ba0f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c
@@ -0,0 +1,344 @@
+/* Test exercising buffer overflow warnings emitted for __*_chk builtins
+ in cases where the destination involves a non-constant offset into
+ an object of known size. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+void sink (void*);
+
+/* Define memcpy as a macro (as opposed to an inline function) so that
+ warnings point to its invocation in the tests (as opposed to its
+ definition), making sure its first argument is evaluated exactly
+ once. */
+#define memcpy(d, s, n) \
+ do { \
+ __typeof__ (d) __d = (d); \
+ __builtin___memcpy_chk (__d, s, n, __builtin_object_size (__d, 1)); \
+ sink (__d); \
+ } while (0)
+
+/* Function to generate a unique offset each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+ptrdiff_t random_value (void);
+
+/* For brevity. */
+#define X() random_value ()
+
+/* Test memcpy with a variable offset not known to be in any range
+ and with a constant number of bytes. */
+
+void test_var_const (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf + X(), p, 6); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+
+ memcpy (&buf[X()], p, 6); /* { dg-warning "writing" } */
+
+ /* Since X() below can be assumed to be non-negative (otherwise it would
+ result in forming a pointer before the beginning of BUF), then because
+ of the +1 added to the resulting address there must be at most enough
+ room for (sizeof(buf) - 1) or 4 bytes. */
+ memcpy (&buf[X()] + 1, p, 4);
+
+ memcpy (&buf[X()] + 1, p, 5); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] + 5, p, 6); /* { dg-warning "writing" } */
+
+ /* The negative constant offset below must have no effect on the maximum
+ size of the buffer. */
+ memcpy (&buf[X()] - 1, p, 5);
+
+ memcpy (&buf[X()] - 1, p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] - 5, p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] + X(), p, 5);
+
+ memcpy (&buf[X()] + X(), p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] - X(), p, 5);
+
+ memcpy (&buf[X()] - X(), p, 6); /* { dg-warning "writing" } */
+}
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Test memcpy with a variable offset not known to be in any range
+ and with a number of bytes bounded by a known range. */
+
+void test_var_range (void *dst, const void *p)
+{
+ char buf[5];
+
+ memcpy (&buf[X()], p, range (0, 5));
+ memcpy (&buf[X()], p, range (1, 5));
+ memcpy (&buf[X()], p, range (2, 5));
+ memcpy (&buf[X()], p, range (3, 5));
+ memcpy (&buf[X()], p, range (4, 5));
+
+ memcpy (&buf[X()], p, range (6, 7)); /* { dg-warning "writing" } */
+
+ const size_t max = SIZE_MAX;
+ memcpy (&buf[X()], p, range (max - 1, max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (dst, p, range (max / 2 + 1, max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Return an ingeger in the range [MIN, MASK]. Use bitwise operations
+ rather than inequality to avoid relying on optimization passes
+ beyond Early Value Range Propagation that __builtin_object_size
+ doesn't make use of (yet). */
+
+static inline size_t
+simple_range (unsigned min, unsigned mask)
+{
+ return ((unsigned)random_value () & mask) | (min & mask);
+}
+
+/* For brevity. */
+#define R(min, max) simple_range (min, max)
+
+void test_range_auto (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf + R (0, 1), p, 6); /* { dg-warning "writing" } */
+
+ /* Some of these could be diagnosed as an extension because they would
+ overflow when (if) the non-const index were sufficiently large.
+ The challenge is distinguishing a range where a variable is likely
+ to exceed the minimum required for the overflow to occur from one
+ where it isn't so likely. */
+ memcpy (buf + R (0, 1), p, 5);
+
+ memcpy (buf + R (0, 1), p, 4);
+
+ memcpy (buf + R (0, 2), p, 3);
+
+ memcpy (buf + R (0, 3), p, 2);
+
+ memcpy (buf + R (0, 7), p, 1);
+
+ memcpy (buf + R (0, 5), p, 0);
+
+ /* The offset is known to be at least 1 so the size of the object
+ is at most 4. */
+ memcpy (buf + R (1, 2), p, 3);
+
+ memcpy (buf + R (1, 3), p, 3);
+
+ memcpy (buf + R (1, 2), p, 4);
+
+ memcpy (buf + R (1, 3) + 1, p, 4); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (1, 3), p, 5); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (2, 3), p, 2);
+
+ memcpy (buf + R (2, 3), p, 3);
+
+ memcpy (buf + R (2, 3) + 1, p, 3); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (2, 3), p, 4); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (3, 4), p, 2);
+
+ memcpy (buf + R (3, 7), p, 3); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (3, 7), p, 9); /* { dg-warning "writing" } */
+
+ memcpy (&buf[R (0, 1)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 2)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 3)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 4)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 5)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 2)] + 2, p, 4); /* { dg-warning "writing" } */
+
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+
+ memcpy (&buf[R (5, 15)], p, 1); /* { dg-warning "writing" } */
+
+ /* With the offset given by the two ranges below there is at most
+ 1 byte left. */
+ memcpy (buf + R (1, 2) + R (3, 4), p, 1);
+
+ memcpy (buf + R (1, 3) + R (3, 7), p, 2); /* { dg-warning "writing" } */
+
+ /* Unfortunately, the following isn't handled quite right: only
+ the lower bound given by the first range is used, the second
+ one is disregarded. */
+ memcpy (&buf [R (1, 2)] + R (3, 4), p, 2); /* { dg-warning "writing" "index in range plus offset in range" { xfail *-*-* } } */
+
+ memcpy (buf + R (2, 3) + R (2, 3), p, 1);
+
+ memcpy (buf + R (2, 3) + R (2, 3), p, 2); /* { dg-warning "writing" } */
+}
+
+void test_range_malloc (const void *p)
+{
+ char *buf = __builtin_malloc (5);
+
+ memcpy (buf + R (0, 1), p, 6); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (0, 1), p, 5);
+
+ memcpy (buf + R (0, 1), p, 4);
+
+ memcpy (buf + R (0, 2), p, 3);
+
+ memcpy (buf + R (0, 3), p, 2);
+
+ memcpy (buf + R (0, 4), p, 1);
+
+ memcpy (buf + R (0, 5), p, 0);
+}
+
+void test_range_schar (signed char i, const void *s)
+{
+ char a [130];
+
+ /* The range of I is [-128, 127] so the size of the destination below
+ is at most 2 (i.e., 130 - 128) bytes. */
+ memcpy (&a [130] + i, s, 2);
+
+ /* Strictly, the range of I below is [0, 127] because a negative value
+ would result in forming an invalid pointer, so the destination is at
+ most 2 bytes. */
+ memcpy (&a [i] + 128, s, 2);
+
+ /* Reset I's range just in case it gets set above. */
+ i = random_value ();
+ memcpy (&a [130] + i, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 128, s, 3); /* { dg-warning "writing" } */
+}
+
+void test_range_uchar (unsigned char i, const void *s)
+{
+ char a [260];
+
+ /* The range of I is [0, 255] so the size of the destination below
+ is at most 2 (i.e., 260 - 258 + 0) bytes. */
+ memcpy (&a [258] + i, s, 2);
+
+ memcpy (&a [i] + 128, s, 2);
+
+ /* Reset I's range just in case it gets set above. */
+ i = random_value ();
+ memcpy (&a [258] + i, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 258, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [259] + i, s, 2); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 259, s, 2); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [260] + i, s, 1); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 260, s, 1); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [260] + i, s, 0);
+
+ i = random_value ();
+ memcpy (&a [i] + 260, s, 0);
+}
+
+void test_range_int (int i, const void *s)
+{
+ const size_t max = (size_t)INT_MAX * 2 + 1;
+
+ char *a = __builtin_malloc (max);
+
+ memcpy (&a [max] + i, s, INT_MAX);
+ memcpy (&a [max] - i, s, INT_MAX);
+ /* &*/
+ memcpy (&a [max] + i, s, INT_MAX + (size_t)1);
+ memcpy (&a [max] - i, s, INT_MAX + (size_t)1); /* { dg-warning "writing" } */
+ memcpy (&a [max] + i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+ memcpy (&a [max] - i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+
+ char *end = &a [max];
+ memcpy (end + i, s, INT_MAX);
+ memcpy (end - i, s, INT_MAX);
+ /* &*/
+ memcpy (end + i, s, INT_MAX + (size_t)1);
+ memcpy (end - i, s, INT_MAX + (size_t)1); /* { dg-warning "writing" } */
+ memcpy (end + i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+ memcpy (end - i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+
+ memcpy (&a [i] + max, s, 1);
+}
+
+
+void test_range_ptrdiff_t (ptrdiff_t i, const void *s)
+{
+ const size_t max = PTRDIFF_MAX;
+
+ char *a = __builtin_malloc (max);
+
+ memcpy (&a [max] + i, s, max);
+
+ memcpy (&a [i] + max - 1, s, 1);
+}
+
+void test_range_size_t (size_t i, const void *s)
+{
+ const size_t diffmax = PTRDIFF_MAX;
+
+ char *a = __builtin_malloc (diffmax);
+
+ memcpy (&a [diffmax] + i, s, 0);
+ memcpy (&a [i] + diffmax, s, 0);
+
+ memcpy (&a [diffmax] + i, s, 1); /* { dg-warning "writing" } */
+
+ memcpy (&a [i] + diffmax, s, 1); /* { dg-warning "writing" } */
+}
+
+struct S {
+ int i;
+ char a7[7];
+ int b;
+};
+
+void test_range_member_array (struct S *s, const void *p)
+{
+ memcpy (s->a7 + R (0, 1), p, 6);
+
+ memcpy (s->a7 + R (0, 1), p, 7);
+
+ memcpy (s->a7 + R (0, 1), p, 8); /* { dg-warning "writing" } */
+
+ memcpy (&s->a7 [R (0, 1)], p, 7);
+
+ memcpy (&s->a7 [R (1, 3)], p, 7); /* { dg-warning "writing" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
new file mode 100644
index 0000000..7979a13
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
@@ -0,0 +1,459 @@
+/* Test exercising buffer overflow warnings emitted for __*_chk builtins
+ in cases where the destination involves a non-constant offset into
+ an object of known size. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+static const size_t ssize_max = SIZE_MAX / 2;
+static const size_t size_max = SIZE_MAX;
+
+extern signed char schar_val;
+extern signed short sshrt_val;
+extern signed int sint_val;
+extern signed long slong_val;
+extern unsigned char uchar_val;
+extern unsigned short ushrt_val;
+extern unsigned int uint_val;
+extern unsigned long ulong_val;
+
+#define memcpy(d, s, n) (memcpy ((d), (s), (n)), sink ((d)))
+extern void* (memcpy)(void*, const void*, size_t);
+
+#define mempcpy(d, s, n) (mempcpy ((d), (s), (n)), sink ((d)))
+extern void* (mempcpy)(void*, const void*, size_t);
+
+#define memset(d, c, n) (memset ((d), (c), (n)), sink ((d)))
+extern void* (memset)(void*, int, size_t);
+
+#define bzero(d, n) (bzero ((d), (n)), sink ((d)))
+extern void (bzero)(void*, size_t);
+
+#define strcat(d, s) (strcat ((d), (s)), sink ((d)))
+extern char* (strcat)(char*, const char*);
+
+#define strncat(d, s, n) (strncat ((d), (s), (n)), sink ((d)))
+extern char* (strncat)(char*, const char*, size_t);
+
+#define strcpy(d, s) (strcpy ((d), (s)), sink ((d)))
+extern char* (strcpy)(char*, const char*);
+
+#define strncpy(d, s, n) (strncpy ((d), (s), (n)), sink ((d)))
+extern char* (strncpy)(char*, const char*, size_t);
+
+void sink (void*);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+ptrdiff_t random_signed_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+unsigned_range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Return a random signed value between MIN and MAX. */
+
+static inline ptrdiff_t
+signed_range (ptrdiff_t min, ptrdiff_t max)
+{
+ const ptrdiff_t val = random_signed_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* For brevity. */
+#define UR(min, max) unsigned_range (min, max)
+#define SR(min, max) signed_range (min, max)
+
+/* UReturn a pointer to constant string whose length is at least MINLEN
+ and at most 10. */
+static inline const char*
+string_range (size_t minlen)
+{
+ static const char str[] = "0123456789";
+
+ const size_t len = unsigned_range (minlen, sizeof str - 1);
+
+ switch (len)
+ {
+ case 10: return "0123456789";
+ case 9: return "012345678";
+ case 8: return "01234567";
+ case 7: return "0123456";
+ case 6: return "012345";
+ case 5: return "01234";
+ case 4: return "0123";
+ case 3: return "012";
+ case 2: return "01";
+ case 1: return "0";
+ case 0: return "";
+ }
+}
+
+#define S(minlen) string_range (minlen)
+
+/* Test memcpy with a number of bytes bounded by a known range. */
+
+void test_memcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ memcpy (buf, s, UR (0, 5));
+ memcpy (buf, s, UR (1, 5));
+ memcpy (buf, s, UR (2, 5));
+ memcpy (buf, s, UR (3, 5));
+ memcpy (buf, s, UR (4, 5));
+
+ memcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memcpy into a destination of unknown size with excessive
+ number of bytes. */
+ memcpy (d, s, UR (ssize_max, size_max));
+ memcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (buf, s, SR (-1, 1));
+ memcpy (buf, s, SR (-3, 2));
+ memcpy (buf, s, SR (-5, 3));
+ memcpy (buf, s, SR (-7, 4));
+ memcpy (buf, s, SR (-9, 5));
+ memcpy (buf, s, SR (-11, 6));
+
+ memcpy (d, s, SR (-1, 1));
+ memcpy (d, s, SR (-3, 2));
+ memcpy (d, s, SR (-5, 3));
+ memcpy (d, s, SR (-7, 4));
+ memcpy (d, s, SR (-9, 5));
+ memcpy (d, s, SR (-11, 6));
+
+ memcpy (buf, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (d, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Even though the following calls are bounded by the range of N's
+ type they must not cause a warning for obvious reasons. */
+ memcpy (buf, s, schar_val);
+ memcpy (buf, s, sshrt_val);
+ memcpy (buf, s, sint_val);
+ memcpy (buf, s, slong_val);
+
+ memcpy (buf, s, uchar_val);
+ memcpy (buf, s, ushrt_val);
+ memcpy (buf, s, uint_val);
+ memcpy (buf, s, ulong_val);
+
+ memcpy (buf, s, schar_val + 1);
+ memcpy (buf, s, sshrt_val + 2);
+ memcpy (buf, s, sint_val + 3);
+ memcpy (buf, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+
+ memcpy (d, s, schar_val);
+ memcpy (d, s, sshrt_val);
+ memcpy (d, s, sint_val);
+ memcpy (d, s, slong_val);
+
+ memcpy (d, s, uchar_val);
+ memcpy (d, s, ushrt_val);
+ memcpy (d, s, uint_val);
+ memcpy (d, s, ulong_val);
+
+ memcpy (d, s, schar_val + 1);
+ memcpy (d, s, sshrt_val + 2);
+ memcpy (d, s, sint_val + 3);
+ memcpy (d, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+}
+
+/* Test mempcpy with a number of bytes bounded by a known range. */
+
+void test_mempcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ mempcpy (buf, s, UR (0, 5));
+ mempcpy (buf, s, UR (1, 5));
+ mempcpy (buf, s, UR (2, 5));
+ mempcpy (buf, s, UR (3, 5));
+ mempcpy (buf, s, UR (4, 5));
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ mempcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ mempcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise mempcpy into a destination of unknown size with excessive
+ number of bytes. */
+ mempcpy (d, s, UR (ssize_max, size_max));
+ mempcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test memset with a number of bytes bounded by a known range. */
+
+void test_memset_range (void *d)
+{
+ char buf[5];
+
+ memset (buf, 0, UR (0, 5));
+ memset (buf, 0, UR (1, 5));
+ memset (buf, 0, UR (2, 5));
+ memset (buf, 0, UR (3, 5));
+ memset (buf, 0, UR (4, 5));
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memset (buf, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memset (buf, 0, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memset into a destination of unknown size with excessive
+ number of bytes. */
+ memset (d, 0, UR (ssize_max, size_max));
+ memset (d, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test bzero with a number of bytes bounded by a known range. */
+
+void test_bzero_range (void *d)
+{
+ char buf[5];
+
+ bzero (buf, UR (0, 5));
+ bzero (buf, UR (1, 5));
+ bzero (buf, UR (2, 5));
+ bzero (buf, UR (3, 5));
+ bzero (buf, UR (4, 5));
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ bzero (buf, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ bzero (buf, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise bzero into a destination of unknown size with excessive
+ number of bytes. */
+ bzero (d, UR (ssize_max, size_max));
+ bzero (d, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strcat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strcat_range (void)
+{
+ char buf[5] = "";
+
+ strcat (buf, S (0));
+ strcat (buf, S (1));
+ strcat (buf, S (2));
+ strcat (buf, S (3));
+ strcat (buf, S (4));
+ strcat (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strcat. */
+ char buf2[5] = "12";
+ strcat (buf2, S (4)); /* { dg-warning "writing 5 bytes into a region of size 3" "strcat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strcpy with a non-constant source string of length in a known
+ range. */
+
+void test_strcpy_range (void)
+{
+ char buf[5];
+
+ strcpy (buf, S (0));
+ strcpy (buf, S (1));
+ strcpy (buf, S (2));
+ strcpy (buf, S (4));
+ strcpy (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+ strcpy (buf, S (6)); /* { dg-warning "writing 7 bytes into a region of size 5 " } */
+ strcpy (buf, S (7)); /* { dg-warning "writing 8 bytes into a region of size 5 " } */
+ strcpy (buf, S (8)); /* { dg-warning "writing 9 bytes into a region of size 5 " } */
+ strcpy (buf, S (9)); /* { dg-warning "writing 10 bytes into a region of size 5 " } */
+ strcpy (buf, S (10)); /* { dg-warning "writing 11 bytes into a region of size 5 " } */
+}
+
+/* Test strncat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strncat_range (void)
+{
+ char buf[5] = "";
+
+ strncat (buf, S (0), 0);
+ strncat (buf, S (0), 1);
+ strncat (buf, S (0), 2);
+ strncat (buf, S (0), 3);
+ strncat (buf, S (0), 4);
+ /* Strncat always appends a terminating null after copying the N
+ characters so the following triggers a warning pointing out
+ that specifying sizeof(buf) as the upper bound may cause
+ the nul to overflow the destination. */
+ strncat (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (0), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ strncat (buf, S (1), 0);
+ strncat (buf, S (1), 1);
+ strncat (buf, S (1), 2);
+ strncat (buf, S (1), 3);
+ strncat (buf, S (1), 4);
+ strncat (buf, S (1), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (1), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+ strncat (buf, S (2), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ /* The following could just as well say "writing 6 bytes into a region
+ of size 5. Either would be correct and probably equally as clear
+ in this case. But when the length of the source string is not known
+ at all then the bound warning seems clearer. */
+ strncat (buf, S (5), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination " } */
+ strncat (buf, S (7), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strncpy. */
+ char buf2[5] = "12";
+ strncat (buf2, S (4), 4); /* { dg-warning "writing 5 bytes into a region of size 3" "strncat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strncat_chk with an argument referencing a non-constant string
+ of lengths in a known range. */
+
+void test_strncat_chk_range (char *d)
+{
+ char buf[5] = "";
+
+#define strncat_chk(d, s, n) \
+ __builtin___strncat_chk ((d), (s), (n), __builtin_object_size (d, 1));
+
+ strncat_chk (buf, S (0), 1);
+ strncat_chk (buf, S (0), 2);
+ strncat_chk (buf, S (0), 3);
+ strncat_chk (buf, S (0), 4);
+ strncat_chk (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), 1);
+ strncat_chk (buf, S (5), 2);
+ strncat_chk (buf, S (5), 3);
+ strncat_chk (buf, S (5), 4);
+ strncat_chk (buf, S (5), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds the size 5 of the destination " } */
+
+ strncat_chk (d, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size " } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a constant number of bytes. */
+
+void test_strncpy_string_range (char *d)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), 0);
+ strncpy (buf, S (0), 1);
+ strncpy (buf, S (0), 2);
+ strncpy (buf, S (0), 3);
+ strncpy (buf, S (0), 4);
+ strncpy (buf, S (0), 5);
+ strncpy (buf, S (0), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (6), 4);
+ strncpy (buf, S (7), 5);
+ strncpy (buf, S (8), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (1), ssize_max - 1); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (2), ssize_max); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (buf, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (1), ssize_max - 1);
+ strncpy (d, S (2), ssize_max);
+ strncpy (d, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (d, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a non-constant number of bytes also in a known range. */
+
+void test_strncpy_string_count_range (char *d, const char *s)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), UR (0, 1));
+ strncpy (buf, S (0), UR (0, 2));
+ strncpy (buf, S (0), UR (0, 3));
+ strncpy (buf, S (0), UR (0, 4));
+ strncpy (buf, S (0), UR (0, 5));
+ strncpy (buf, S (0), UR (0, 6));
+ strncpy (buf, S (0), UR (1, 6));
+ strncpy (buf, S (0), UR (2, 6));
+ strncpy (buf, S (0), UR (3, 6));
+ strncpy (buf, S (0), UR (4, 6));
+ strncpy (buf, S (0), UR (5, 6));
+
+ strncpy (buf, S (9), UR (0, 1));
+ strncpy (buf, S (8), UR (0, 2));
+ strncpy (buf, S (7), UR (0, 3));
+ strncpy (buf, S (6), UR (0, 4));
+ strncpy (buf, S (8), UR (0, 5));
+ strncpy (buf, S (7), UR (0, 6));
+ strncpy (buf, S (6), UR (1, 6));
+ strncpy (buf, S (5), UR (2, 6));
+ strncpy (buf, S (9), UR (3, 6));
+ strncpy (buf, S (8), UR (4, 6));
+ strncpy (buf, S (7), UR (5, 6));
+
+ strncpy (buf, S (0), UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+ strncpy (buf, S (1), UR (7, 8)); /* { dg-warning "writing between 7 and 8 bytes into a region of size 5 " } */
+ strncpy (buf, S (2), UR (ssize_max, ssize_max + 1)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 " } */
+
+ strncpy (buf, S (2), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (0), UR (5, 6));
+ strncpy (d, S (1), UR (6, 7));
+ strncpy (d, S (2), UR (7, 8));
+
+ strncpy (d, S (3), UR (ssize_max, ssize_max + 1));
+
+ strncpy (d, S (4), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
index 44677f1..daff680 100644
--- a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
@@ -24,15 +24,15 @@ test (int arg, ...)
*p = 0;
strncat (p, "abcdefghi", 10);
*p = 0;
- strncat (p, "abcdefghij", 10); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghij", 10); /* { dg-warning "writing 11 bytes into a region of size 10 overflows the destination" } */
*p = 0;
strncat (p, "abcdefgh", 11);
*p = 0;
- strncat (p, "abcdefghijkl", 11); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghijkl", 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
*p = 0;
strncat (p, q, 9);
*p = 0;
- strncat (p, q, 10); /* { dg-warning "might overflow" } */
+ strncat (p, q, 10); /* { dg-warning "specified bound 10 equals the size of the destination" } */
*p = 0;
- strncat (p, q, 11); /* { dg-warning "might overflow" } */
+ strncat (p, q, 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
}
diff --git a/gcc/testsuite/gcc.dg/memcpy-2.c b/gcc/testsuite/gcc.dg/memcpy-2.c
index 24464abd..7f839d2 100644
--- a/gcc/testsuite/gcc.dg/memcpy-2.c
+++ b/gcc/testsuite/gcc.dg/memcpy-2.c
@@ -7,7 +7,7 @@ typedef __SIZE_TYPE__ size_t;
extern inline __attribute__((gnu_inline, always_inline, artificial)) void *
memcpy (void *__restrict dest, const void *__restrict src, size_t len)
{
- return __builtin___memcpy_chk (dest, /* { dg-warning "will always overflow destination buffer" } */
+ return __builtin___memcpy_chk (dest, /* { dg-warning "writing" } */
src, len, __builtin_object_size (dest, 0));
}
diff --git a/gcc/testsuite/gcc.dg/pr40340-1.c b/gcc/testsuite/gcc.dg/pr40340-1.c
index aae84c6..78540a2 100644
--- a/gcc/testsuite/gcc.dg/pr40340-1.c
+++ b/gcc/testsuite/gcc.dg/pr40340-1.c
@@ -20,5 +20,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-2.c b/gcc/testsuite/gcc.dg/pr40340-2.c
index a0d6e084..1dc21d1 100644
--- a/gcc/testsuite/gcc.dg/pr40340-2.c
+++ b/gcc/testsuite/gcc.dg/pr40340-2.c
@@ -12,5 +12,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-5.c b/gcc/testsuite/gcc.dg/pr40340-5.c
index f50514c..e517147 100644
--- a/gcc/testsuite/gcc.dg/pr40340-5.c
+++ b/gcc/testsuite/gcc.dg/pr40340-5.c
@@ -13,5 +13,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
index 7ce9eae..b5a59f4 100644
--- a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
+++ b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
@@ -710,4 +710,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/gcc.dg/torture/pr71132.c b/gcc/testsuite/gcc.dg/torture/pr71132.c
index 2991718..2544eb1 100644
--- a/gcc/testsuite/gcc.dg/torture/pr71132.c
+++ b/gcc/testsuite/gcc.dg/torture/pr71132.c
@@ -1,4 +1,9 @@
/* { dg-do compile } */
+/* { dg-additional-options "-Wno-stringop-overflow" } */
+/* The loop below writes past the end of the global object a.
+ When the loop is transformed into a call to memcpy the buffer
+ overflow is detected and diagnosed by the -Wstringop-overflow
+ option enabled by default. */
typedef unsigned size_t;
struct {
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-01 2:39 ` Martin Sebor
@ 2016-11-01 14:10 ` Jakub Jelinek
2016-11-01 19:12 ` Jeff Law
0 siblings, 1 reply; 22+ messages in thread
From: Jakub Jelinek @ 2016-11-01 14:10 UTC (permalink / raw)
To: Martin Sebor; +Cc: gcc-patches, Tobias Burnus
On Mon, Oct 31, 2016 at 08:39:15PM -0600, Martin Sebor wrote:
> Attached is an updated patch that works around the problem with
> the definition of the NOTE_DATA macro discussed below. I've
> raised bug 78174 for it and temporarily worked around it in
> the patch. I'll see if I can come up with a patch to fix the
> macro the "right way" but would prefer to do that separately.
> The NOTE_DATA macro is implemented in terms of the RTL_CHECK1
> macro that will need to change and that macro is used in many
> others, so I would rather not mess around with those as part
> of this patch.
No, you just shouldn't use __bos (*, 1) in the warning code
for mem* like builtins.
Jakub
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-01 14:10 ` Jakub Jelinek
@ 2016-11-01 19:12 ` Jeff Law
2016-11-01 19:14 ` Jakub Jelinek
0 siblings, 1 reply; 22+ messages in thread
From: Jeff Law @ 2016-11-01 19:12 UTC (permalink / raw)
To: Jakub Jelinek, Martin Sebor; +Cc: gcc-patches, Tobias Burnus
On 11/01/2016 08:10 AM, Jakub Jelinek wrote:
> On Mon, Oct 31, 2016 at 08:39:15PM -0600, Martin Sebor wrote:
>> Attached is an updated patch that works around the problem with
>> the definition of the NOTE_DATA macro discussed below. I've
>> raised bug 78174 for it and temporarily worked around it in
>> the patch. I'll see if I can come up with a patch to fix the
>> macro the "right way" but would prefer to do that separately.
>> The NOTE_DATA macro is implemented in terms of the RTL_CHECK1
>> macro that will need to change and that macro is used in many
>> others, so I would rather not mess around with those as part
>> of this patch.
>
> No, you just shouldn't use __bos (*, 1) in the warning code
> for mem* like builtins.
Can you explain to Martin why so that he can adjust accordingly?
jeff
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-01 19:12 ` Jeff Law
@ 2016-11-01 19:14 ` Jakub Jelinek
2016-11-02 2:55 ` Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Jakub Jelinek @ 2016-11-01 19:14 UTC (permalink / raw)
To: Jeff Law; +Cc: Martin Sebor, gcc-patches, Tobias Burnus
On Tue, Nov 01, 2016 at 01:12:55PM -0600, Jeff Law wrote:
> On 11/01/2016 08:10 AM, Jakub Jelinek wrote:
> >On Mon, Oct 31, 2016 at 08:39:15PM -0600, Martin Sebor wrote:
> >>Attached is an updated patch that works around the problem with
> >>the definition of the NOTE_DATA macro discussed below. I've
> >>raised bug 78174 for it and temporarily worked around it in
> >>the patch. I'll see if I can come up with a patch to fix the
> >>macro the "right way" but would prefer to do that separately.
> >>The NOTE_DATA macro is implemented in terms of the RTL_CHECK1
> >>macro that will need to change and that macro is used in many
> >>others, so I would rather not mess around with those as part
> >>of this patch.
> >
> >No, you just shouldn't use __bos (*, 1) in the warning code
> >for mem* like builtins.
> Can you explain to Martin why so that he can adjust accordingly?
I've tried to explain that in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78174#c7
Jakub
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-01 19:14 ` Jakub Jelinek
@ 2016-11-02 2:55 ` Martin Sebor
2016-11-02 7:38 ` Jakub Jelinek
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-02 2:55 UTC (permalink / raw)
To: Jakub Jelinek, Jeff Law; +Cc: gcc-patches, Tobias Burnus
[-- Attachment #1: Type: text/plain, Size: 4114 bytes --]
On 11/01/2016 01:14 PM, Jakub Jelinek wrote:
> On Tue, Nov 01, 2016 at 01:12:55PM -0600, Jeff Law wrote:
>> On 11/01/2016 08:10 AM, Jakub Jelinek wrote:
>>> On Mon, Oct 31, 2016 at 08:39:15PM -0600, Martin Sebor wrote:
>>>> Attached is an updated patch that works around the problem with
>>>> the definition of the NOTE_DATA macro discussed below. I've
>>>> raised bug 78174 for it and temporarily worked around it in
>>>> the patch. I'll see if I can come up with a patch to fix the
>>>> macro the "right way" but would prefer to do that separately.
>>>> The NOTE_DATA macro is implemented in terms of the RTL_CHECK1
>>>> macro that will need to change and that macro is used in many
>>>> others, so I would rather not mess around with those as part
>>>> of this patch.
>>>
>>> No, you just shouldn't use __bos (*, 1) in the warning code
>>> for mem* like builtins.
>> Can you explain to Martin why so that he can adjust accordingly?
>
> I've tried to explain that in
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78174#c7
I'm not sure I understand the concern you raised there. I would
find specific examples helpful. My concern is that with bos 0
GCC doesn't point out or protect against far too many cases of
even obvious buffer overflows. See the example below.
I'm also not convinced by the argument that this sort of code is
so common and safe and that warning about it would cause too many
false positives. The patch found just one instance of such code
in GCC and it's a real bug. It points out 8 issues in the Linux
kernel at least some of which look suspicious to me. It found
nothing in Binutils. (There, however, GCC complains about dozens
of fallthrough cases, making me wonder why the same concern about
false positives doesn't apply to that warning.)
In any event, I've enhanced the patch to both accept an argument
to -Wstringop-overflow=N, and add another option for raw memory
functions like memcpy, -Wrawmem-overflow=N, and to treat (N - 1)
as the object size type. While the defaults for the patch are
what I understand you would be comfortable with I would prefer
to go with bos 1 for both instead. I understand and agree that
the checking functions enabled by _FORTIFY_SOURCE need to be
conservative to avoid aborting on benign code. But this patch
only issues warnings and does not cause aborts. In my view,
it's not only acceptable but appropriate for the warnings to
be more strict. That said, if you can suggest a code base that
you're worried about might be adversely affected by the warnings
I'm happy to verify whether it is or not and tweak the patch to
minimize its impact.
Martin
For instance, in the test case below only the second memset is
diagnosed (with bos type 1), but not the first (bos 0). That
seems like such a gaping hole that it must make _FORTIFY_SOURCE
for the raw memory functions like memcpy and memset virtually
useless for structs accessed by pointers.
$ cat b.c && gcc -O2 -S -Wall -Wextra -Wpedantic b.c
struct S {
int a, b, c, d;
};
#define bos(p, t) __builtin_object_size (p, t)
#define memset0(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 0))
#define memset1(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 1))
void f0 (struct S *s)
{
memset0 (&s->d, 0, 1024); // no warning here (bos 0)
}
void f1 (struct S *s)
{
memset1 (&s->d, 0, 1024);
}
b.c: In function ‘f1’:
b.c:7:26: warning: call to __builtin___memset_chk will always overflow
destination buffer
#define memset1(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 1))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
b.c:16:3: note: in expansion of macro ‘memset1’
memset1 (&s->d, 0, 1024);
^~~~~~~
Even with bos 1 the following isn't diagnosed. IMO, this code is
suspicious to say the least and deserves a warning. It may not
actually be a bug so it may not call for an abort but GCC could
warn on it without emitting a checking call.
struct A {
int a, b;
};
struct B {
int a, b, c, d;
};
void f (struct A *a, struct B *b)
{
__builtin___memcpy_chk (a, b, sizeof *b, __builtin_object_size (a, 1));
}
[-- Attachment #2: gcc-53562.diff --]
[-- Type: text/x-patch, Size: 89640 bytes --]
PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
PR middle-end/78149 - missing warning on strncpy buffer overflow due to an excessive bound
PR middle-end/78138 - missing warnings on buffer overflow with non-constant source length
gcc/c-family/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
* c.opt (-Wstringop-overflow): New option.
gcc/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
PR middle-end/78149
PR middle-end/78138
* builtins.c (expand_builtin_strcat, expand_builtin_strncat): New
functions.
(get_size_range, check_sizes, check_strncat_sizes): Same.
(expand_builtin_memcpy): Call check sizes.
(expand_builtin_mempcpy): Same.
(expand_builtin_strcpy): Same.
(expand_builtin_strncpy): Same.
(expand_builtin_memset): Same,
(expand_builtin_bzero): Same.
(expand_builtin_memory_chk): Same.
(maybe_emit_sprintf_chk_warning): Same.
(expand_builtin): Handle strcat and strncat.
* gcc/emit-rtl.c (make_note_raw): Temporarily work around a bug
in the definition of the NOTE_DATA macro.
* doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
gcc/testsuite/ChangeLog:
2016-10-30 Martin Sebor <msebor@redhat.com>
PR c/53562
PR middle-end/78149
PR middle-end/78138
* c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust expected diagnostic.
* g++.dg/ext/builtin-object-size3.C (bar): Same.
* g++.dg/ext/strncpy-chk1.C: Same.
* g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
* gcc.c-torture/compile/pr55569.c: Disable -Wstringop-overflow.
* gcc.dg/Wobjsize-1.c: Adjust expected diagnostic.
* gcc.dg/attr-alloc_size.c: Same.
* gcc.dg/builtin-stringop-chk-1.c: Adjust expected diagnostic.
* gcc.dg/builtin-stringop-chk-2.c: Same.
* gcc.dg/builtin-stringop-chk-4.c: New test.
* gcc.dg/builtin-strncat-chk-1.c: Adjust expected diagnostic..
* gcc.dg/memcpy-2.c: Same.
* gcc.dg/pr40340-1.c: Same.
* gcc.dg/pr40340-2.c (main): Same.
* gcc.dg/pr40340-5.c (main): Same.
* gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
* gcc.dg/torture/pr71132.c: Disable -Wstringop-overflow.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index cc711a0..f697506 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -67,7 +67,7 @@ along with GCC; see the file COPYING3. If not see
#include "internal-fn.h"
#include "case-cfn-macros.h"
#include "gimple-fold.h"
-
+#include "intl.h"
struct target_builtins default_target_builtins;
#if SWITCHABLE_TARGET
@@ -125,9 +125,11 @@ static rtx expand_builtin_mempcpy (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_with_bounds (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_args (tree, tree, tree, rtx,
machine_mode, int, tree);
+static rtx expand_builtin_strcat (tree, rtx);
static rtx expand_builtin_strcpy (tree, rtx);
static rtx expand_builtin_strcpy_args (tree, tree, rtx);
static rtx expand_builtin_stpcpy (tree, rtx, machine_mode);
+static rtx expand_builtin_strncat (tree, rtx);
static rtx expand_builtin_strncpy (tree, rtx);
static rtx builtin_memset_gen_str (void *, HOST_WIDE_INT, machine_mode);
static rtx expand_builtin_memset (tree, rtx, machine_mode);
@@ -3011,6 +3013,211 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
return dest_addr;
}
+/* Fill the 2-element RANGE array with the minimum and maximum values
+ EXP is known to have and return true, otherwise null and return
+ false. */
+
+static bool
+get_size_range (tree exp, tree range[2])
+{
+ if (tree_fits_uhwi_p (exp))
+ {
+ range[0] = range[1] = exp;
+ return true;
+ }
+
+ if (TREE_CODE (exp) == SSA_NAME)
+ {
+ wide_int min, max;
+ enum value_range_type range_type = get_range_info (exp, &min, &max);
+
+ if (range_type == VR_RANGE)
+ {
+ /* Interpret the bound in the variable's type. */
+ range[0] = wide_int_to_tree (TREE_TYPE (exp), min);
+ range[1] = wide_int_to_tree (TREE_TYPE (exp), max);
+ return true;
+ }
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ /* An anti-range implies the original variable is signed and
+ its lower bound is negative and the upper bound positive.
+ Since that means that the expression's value could be zero
+ nothing interesting can be inferred from this. */
+ }
+ }
+
+ range[0] = NULL_TREE;
+ range[1] = NULL_TREE;
+ return false;
+}
+
+/* Try to verify that the sizes and lengths of the arguments to a string
+ manipulation function given by EXP are within valid bounds and that
+ the operation does not lead to buffer overflow. Arguments other than
+ EXP may be null. When non-null, the arguments have the following
+ meaning:
+ SIZE is the user-supplied size argument to the function (such as in
+ memcpy(d, s, SIZE) or strncpy(d, s, SIZE). It specifies the exact
+ number of bytes to write.
+ MAXLEN is the user-supplied bound on the length of the source sequence
+ (such as in strncat(d, s, N). It specifies the upper limit on the number
+ of bytes to write.
+ SLEN is the length of the source sequence (such as in strcpy(d, s),
+ SLEN = strlen(s)).
+ OBJSIZE is the size of the destination object specified by the last
+ argument to the _chk builtins, typically resulting from the expansion
+ of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
+ OBJSIZE).
+
+ When SIZE is null LEN is checked to verify that it doesn't exceed
+ SIZE_MAX.
+
+ If the call is successfully verfified as safe from buffer overflow
+ the function returns true, otherwise false.. */
+
+static bool
+check_sizes (int opt, tree exp, tree size, tree maxlen, tree slen, tree objsize)
+{
+ /* The size of the largest object. (This is way too permissive.) */
+ tree maxobjsize = build_int_cst (sizetype, HOST_WIDE_INT_MAX);
+
+ tree range[2] = { NULL_TREE, NULL_TREE };
+
+ if (!size && !maxlen)
+ {
+ /* Handle strlen but not snprintf. */
+ size = slen ? slen : maxobjsize;
+ }
+
+ if (!objsize)
+ objsize = maxobjsize;
+
+ /* The SIZE is exact if it's non-null, constant, and in range of
+ unsigned HOST_WIDE_INT. */
+ bool exactsize = size && tree_fits_uhwi_p (size);
+
+ if (size)
+ get_size_range (size, range);
+
+ /* First check the number of bytes to be written against the maximum
+ object size. */
+ if (range[0] && tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified size %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified size between %wu and %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+ return false;
+ }
+
+ /* Next check the number of bytes to be written against the destination
+ object size. */
+ if (range[0] || !exactsize || integer_all_onesp (size))
+ {
+ if (range[0]
+ && ((tree_fits_uhwi_p (objsize)
+ && tree_int_cst_lt (objsize, range[0]))
+ || (tree_fits_uhwi_p (size)
+ && tree_int_cst_lt (size, range[0]))))
+ {
+ unsigned HOST_WIDE_INT uwir0 = tree_to_uhwi (range[0]);
+
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ (uwir0 == 1
+ ? G_("%K%D writing %wu byte into a region "
+ "of size %wu overflows the destination")
+ : G_("%K%D writing %wu bytes into a region "
+ "of size %wu overflows the destination")),
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, opt,
+ "%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu overflows "
+ "the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (range[1]), tree_to_uhwi (objsize));
+
+ /* Return error when an overflow has been detected. */
+ return false;
+ }
+ }
+
+ /* Check the maximum length of the source sequence against the size
+ of the destination object if known, or against the maximum size
+ of an object. */
+ if (maxlen)
+ {
+ get_size_range (maxlen, range);
+
+ if (range[0] && objsize && tree_fits_uhwi_p (objsize))
+ {
+ if (objsize != maxobjsize && tree_int_cst_lt (objsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified bound %wu "
+ "exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (objsize));
+ return false;
+ }
+ else if (tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified bound %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
/* Expand a call EXP to the memcpy builtin.
Return NULL_RTX if we failed, the caller should emit a normal call,
otherwise try to get the result in TARGET, if convenient (and in
@@ -3027,6 +3234,18 @@ expand_builtin_memcpy (tree exp, rtx target)
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ if (int ostype = warn_rawmem_overflow)
+ {
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, ostype - 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (OPT_Wrawmem_overflow_,
+ exp, len, /*maxlen=*/NULL_TREE, NULL_TREE, objsize);
+ }
+
return expand_builtin_memcpy_args (dest, src, len, target, exp);
}
}
@@ -3076,15 +3295,29 @@ expand_builtin_mempcpy (tree exp, rtx target, machine_mode mode)
if (!validate_arglist (exp,
POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ if (int ostype = warn_rawmem_overflow)
{
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_mempcpy_args (dest, src, len,
- target, mode, /*endp=*/ 1,
- exp);
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, ostype - 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Avoid expanding mempcpy into memcpy when the call is determined
+ to overflow the buffer. This also prevents the same overflow
+ from being diagnosed again when expanding memcpy. */
+ if (!check_sizes (OPT_Wrawmem_overflow_,
+ exp, len, NULL_TREE, NULL_TREE, destsize))
+ return NULL_RTX;
}
+
+ return expand_builtin_mempcpy_args (dest, src, len,
+ target, mode, /*endp=*/ 1,
+ exp);
}
/* Expand an instrumented call EXP to the mempcpy builtin.
@@ -3256,6 +3489,52 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
return target;
}
+/* Do some very basic size validation of a call to the strcpy builtin
+ given by EXP. Return NULL_RTX to have the built-in expand to a call
+ to the library function. */
+
+static rtx
+expand_builtin_strcat (tree exp, rtx)
+{
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE)
+ || !warn_stringop_overflow)
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* There is no way here to determine the length of the string in
+ the destination to which the SRC string is being appended so
+ just diagnose cases when the srouce string is longer than
+ the destination object. */
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, warn_stringop_overflow - 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strcpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call, otherwise
try to get the result in TARGET, if convenient (and in mode MODE if that's
@@ -3264,10 +3543,37 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
static rtx
expand_builtin_strcpy (tree exp, rtx target)
{
- if (validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
+ if (validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE)
+ && warn_stringop_overflow)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+ if (lenrange[0])
+ {
+ /* Try to determine the size of the destination object into
+ which the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, warn_stringop_overflow - 1,
+ &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree len = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, NULL_TREE, NULL_TREE, len, destsize);
+ }
+
return expand_builtin_strcpy_args (dest, src, target);
}
return NULL_RTX;
@@ -3378,6 +3684,136 @@ builtin_strncpy_read_str (void *data, HOST_WIDE_INT offset,
return c_readstr (str + offset, mode);
}
+/* Helper to check the sizes of sequences and the destination of calls
+ to __builtin_strncat and __builtin___strncat_chk. Returns true on
+ success (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_strncat_sizes (tree exp, tree objsize)
+{
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ if (!objsize && warn_stringop_overflow)
+ {
+ /* If it hasn't been provided by __strncat_chk, try to determine
+ the size of the destination object into which the source is
+ being copied. */
+ unsigned HOST_WIDE_INT destsize;
+ if (compute_builtin_object_size (dest, warn_stringop_overflow - 1, &destsize))
+ objsize = build_int_cst (sizetype, destsize);
+ }
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (objsize)
+ && tree_int_cst_equal (objsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow_,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return false;
+ }
+
+ if (!srclen
+ || (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_fits_uhwi_p (srclen)
+ && tree_int_cst_lt (maxlen, srclen)))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ return check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, maxlen, srclen, objsize);
+}
+
+/* Similar to expand_builtin_strcat, do some very basic size validation
+ of a call to the strcpy builtin given by EXP. Return NULL_RTX to have
+ the built-in expand to a call to the library function. */
+
+static rtx
+expand_builtin_strncat (tree exp, rtx)
+{
+ if (!validate_arglist (exp,
+ POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE)
+ || !warn_stringop_overflow)
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ /* The upper bound on the number of bytes to write. */
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
+ tree slen = c_strlen (src, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ /* Try to determine the size of the destination object into which
+ the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, warn_stringop_overflow - 1, &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (destsize)
+ && tree_int_cst_equal (destsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow_,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return NULL_RTX;
+ }
+
+
+ if (!srclen || tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, maxlen, srclen, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strncpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call. */
@@ -3391,9 +3827,44 @@ expand_builtin_strncpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+ /* The number of bytes to write (not the maximum). */
tree len = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
tree slen = c_strlen (src, 1);
+ if (warn_stringop_overflow)
+ {
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. At a (future) stricter warning setting the longest length
+ should be used instead. */
+
+ /* Try to determine the size of the destination object into which
+ the source is being copied. */
+ tree destsize = NULL_TREE;
+ unsigned HOST_WIDE_INT objsize;
+ if (compute_builtin_object_size (dest, warn_stringop_overflow - 1,
+ &objsize))
+ destsize = build_int_cst (sizetype, objsize);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, len, /*maxlen=*/NULL_TREE, srclen, destsize);
+ }
+
/* We must be passed a constant len and src parameter. */
if (!tree_fits_uhwi_p (len) || !slen || !tree_fits_uhwi_p (slen))
return NULL_RTX;
@@ -3486,6 +3957,19 @@ expand_builtin_memset (tree exp, rtx target, machine_mode mode)
tree dest = CALL_EXPR_ARG (exp, 0);
tree val = CALL_EXPR_ARG (exp, 1);
tree len = CALL_EXPR_ARG (exp, 2);
+
+ if (int ostype = warn_rawmem_overflow)
+ {
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, ostype - 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (OPT_Wrawmem_overflow_,
+ exp, len, NULL_TREE, NULL_TREE, objsize);
+ }
+
return expand_builtin_memset_args (dest, val, len, target, mode, exp);
}
}
@@ -3677,6 +4161,18 @@ expand_builtin_bzero (tree exp)
dest = CALL_EXPR_ARG (exp, 0);
size = CALL_EXPR_ARG (exp, 1);
+ if (int ostype = warn_rawmem_overflow)
+ {
+ /* Try to determine the size of the destination object. */
+ tree objsize = NULL_TREE;
+ unsigned HOST_WIDE_INT uhwisize;
+ if (compute_builtin_object_size (dest, ostype - 1, &uhwisize))
+ objsize = build_int_cst (sizetype, uhwisize);
+
+ check_sizes (OPT_Wrawmem_overflow_,
+ exp, size, NULL_TREE, NULL_TREE, objsize);
+ }
+
/* New argument list transforming bzero(ptr x, int y) to
memset(ptr x, int 0, size_t y). This is done this way
so that if it isn't expanded inline, we fallback to
@@ -6214,12 +6710,24 @@ expand_builtin (tree exp, rtx target, rtx subtarget, machine_mode mode,
return target;
break;
+ case BUILT_IN_STRCAT:
+ target = expand_builtin_strcat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRCPY:
target = expand_builtin_strcpy (exp, target);
if (target)
return target;
break;
+ case BUILT_IN_STRNCAT:
+ target = expand_builtin_strncat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRNCPY:
target = expand_builtin_strncpy (exp, target);
if (target)
@@ -9130,22 +9638,21 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
len = CALL_EXPR_ARG (exp, 2);
size = CALL_EXPR_ARG (exp, 3);
- if (! tree_fits_uhwi_p (size))
+ bool sizes_ok = check_sizes (OPT_Wrawmem_overflow_,
+ exp, len, NULL_TREE, NULL_TREE, size);
+
+ if (!tree_fits_uhwi_p (size))
return NULL_RTX;
if (tree_fits_uhwi_p (len) || integer_all_onesp (size))
{
- tree fn;
-
- if (! integer_all_onesp (size) && tree_int_cst_lt (size, len))
- {
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return NULL_RTX;
- }
+ /* Avoid transforming the checking call to an ordinary one when
+ an overflow has been detected or when the call couldn't be
+ validated because the size is not constant. */
+ if (!sizes_ok && !integer_all_onesp (size) && tree_int_cst_lt (size, len))
+ return NULL_RTX;
- fn = NULL_TREE;
+ tree fn = NULL_TREE;
/* If __builtin_mem{cpy,pcpy,move,set}_chk is used, assume
mem{cpy,pcpy,move,set} is available. */
switch (fcode)
@@ -9231,68 +9738,84 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
static void
maybe_emit_chk_warning (tree exp, enum built_in_function fcode)
{
- int is_strlen = 0;
- tree len, size;
- location_t loc = tree_nonartificial_location (exp);
+ /* The length of the source sequence of the memory operation, and
+ the size of the destination object. */
+ tree srclen = NULL_TREE;
+ tree objsize = NULL_TREE;
+ /* The length of the sequence that the source sequence is being
+ concatenated with (as with __strcat_chk) or null if it isn't. */
+ tree catlen = NULL_TREE;
+ /* The maximum length of the source sequence in a bounded operation
+ (such as __strncat_chk) or null if the operation isn't bounded
+ (such as __strcat_chk). */
+ tree maxlen = NULL_TREE;
switch (fcode)
{
case BUILT_IN_STRCPY_CHK:
case BUILT_IN_STPCPY_CHK:
- /* For __strcat_chk the warning will be emitted only if overflowing
- by at least strlen (dest) + 1 bytes. */
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
+ break;
+
case BUILT_IN_STRCAT_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 2);
- is_strlen = 1;
+ /* For __strcat_chk the warning will be emitted only if overflowing
+ by at least strlen (dest) + 1 bytes. */
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
break;
+
case BUILT_IN_STRNCAT_CHK:
+ catlen = CALL_EXPR_ARG (exp, 0);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
+ break;
+
case BUILT_IN_STRNCPY_CHK:
case BUILT_IN_STPNCPY_CHK:
- len = CALL_EXPR_ARG (exp, 2);
- size = CALL_EXPR_ARG (exp, 3);
+ srclen = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
+
case BUILT_IN_SNPRINTF_CHK:
case BUILT_IN_VSNPRINTF_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 3);
+ maxlen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
default:
gcc_unreachable ();
}
- if (!len || !size)
- return;
-
- if (! tree_fits_uhwi_p (size) || integer_all_onesp (size))
- return;
+ /* Compute the length of shortest string the source pointer points to. */
+ if (srclen)
+ {
+ tree lenrange[2];
+ get_range_strlen (srclen, lenrange);
+ srclen = lenrange[0];
+ }
- if (is_strlen)
+ if (catlen && maxlen)
{
- len = c_strlen (len, 1);
- if (! len || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
+ /* Check __strncat_chk. There is no way to determine the length
+ of the string to which the source string is being appended so
+ just warn when the length of the source string is not known. */
+ if (!check_strncat_sizes (exp, objsize))
return;
}
- else if (fcode == BUILT_IN_STRNCAT_CHK)
+
+ if (srclen)
{
- tree src = CALL_EXPR_ARG (exp, 1);
- if (! src || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- src = c_strlen (src, 1);
- if (! src || ! tree_fits_uhwi_p (src))
- {
- warning_at (loc, 0, "%Kcall to %D might overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return;
- }
- else if (tree_int_cst_lt (src, size))
- return;
+ srclen = fold_build2 (PLUS_EXPR, TREE_TYPE (srclen), srclen,
+ size_one_node);
+ if (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_int_cst_lt (maxlen, srclen))
+ srclen = maxlen;
}
- else if (! tree_fits_uhwi_p (len) || ! tree_int_cst_lt (size, len))
- return;
- warning_at (loc, 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ check_sizes (OPT_Wstringop_overflow_, exp, NULL_TREE, maxlen, srclen, objsize);
}
/* Emit warning if a buffer overflow is detected at compile time
@@ -9346,10 +9869,9 @@ maybe_emit_sprintf_chk_warning (tree exp, enum built_in_function fcode)
else
return;
- if (! tree_int_cst_lt (len, size))
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ /* Add one for the terminating nul. */
+ len = fold_build2 (PLUS_EXPR, TREE_TYPE (len), len, size_one_node);
+ check_sizes (OPT_Wstringop_overflow_, exp, NULL_TREE, NULL_TREE, len, size);
}
/* Emit warning if a free is called with address of a variable. */
diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
index 7e86dbf..e4e1f75 100644
--- a/gcc/c-family/c.opt
+++ b/gcc/c-family/c.opt
@@ -653,6 +653,14 @@ Wnamespaces
C++ ObjC++ Var(warn_namespaces) Warning
Warn on namespace definition.
+Wrawmem-overflow
+C ObjC C++ ObjC++ Warning Alias(Wrawmem-overflow=, 1, 0)
+Warn about buffer overflow in raw memory manipulation functions like memcpy.
+
+Wrawmem-overflow=
+C ObjC C++ ObjC++ Joined RejectNegative UInteger Var(warn_rawmem_overflow) Init(1) Warning
+Warn about buffer overflow in raw memory manipulation functions like memcpy.
+
Wsized-deallocation
C++ ObjC++ Var(warn_sized_deallocation) Warning EnabledBy(Wextra)
Warn about missing sized deallocation functions.
@@ -665,6 +673,14 @@ Wsizeof-array-argument
C ObjC C++ ObjC++ Var(warn_sizeof_array_argument) Warning Init(1)
Warn when sizeof is applied on a parameter declared as an array.
+Wstringop-overflow
+C ObjC C++ ObjC++ Warning Alias(Wstringop-overflow=, 2, 0)
+Warn about buffer overflow in string manipulation functions like strcpy.
+
+Wstringop-overflow=
+C ObjC C++ ObjC++ Joined RejectNegative UInteger Var(warn_stringop_overflow) Init(2) Warning
+Warn about buffer overflow in string manipulation functions like strcpy.
+
Wsuggest-attribute=format
C ObjC C++ ObjC++ Var(warn_suggest_attribute_format) Warning
Warn about functions which might be candidates for format attributes.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index fd783bf..0afab4e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -291,7 +291,8 @@ Objective-C and Objective-C++ Dialects}.
-Wparentheses -Wno-pedantic-ms-format @gol
-Wplacement-new -Wplacement-new=@var{n} @gol
-Wpointer-arith -Wno-pointer-to-int-cast @gol
--Wno-pragmas -Wredundant-decls -Wno-return-local-addr @gol
+-Wno-pragmas -Wrawmem-overflow=@var{n} -Wredundant-decls @gol
+-Wno-return-local-addr @gol
-Wreturn-type -Wsequence-point -Wshadow -Wno-shadow-ivar @gol
-Wshadow=global, -Wshadow=local, -Wshadow=compatible-local @gol
-Wshift-overflow -Wshift-overflow=@var{n} @gol
@@ -301,6 +302,7 @@ Objective-C and Objective-C++ Dialects}.
-Wsizeof-pointer-memaccess -Wsizeof-array-argument @gol
-Wstack-protector -Wstack-usage=@var{len} -Wstrict-aliasing @gol
-Wstrict-aliasing=n -Wstrict-overflow -Wstrict-overflow=@var{n} @gol
+-Wstringop-overflow=@var{n} @gol
-Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]} @gol
-Wsuggest-final-types @gol -Wsuggest-final-methods -Wsuggest-override @gol
-Wmissing-format-attribute -Wsubobject-linkage @gol
@@ -4799,6 +4801,93 @@ Do not warn about misuses of pragmas, such as incorrect parameters,
invalid syntax, or conflicts between pragmas. See also
@option{-Wunknown-pragmas}.
+@item -Wrawmem-overflow
+@itemx -Wrawmem-overflow=@var{type}
+@opindex Wrawmem-overflow
+@opindex Wno-rawmem-overflow
+Warn for calls to functions that write raw memory such as @code{bzero} and
+@code{memcpy} that are determined to overflow the destination buffer. The
+optional argument specifies the type of Object Size Checking to perform to
+determine the size of the destination. @xref{Object Size Checking}. The
+option also warns for calls that specify a size in excess of the largest
+possible object or at most @code{SIZE_MAX / 2} bytes. The option works best
+with optimization enabled but it can detect a small subset of simple buffer
+overflows even without optimization. In any case, the option warns about
+just a subset of buffer overflows detected by the corresponding overflow
+checking built-ins. The following example illustrates the differences
+between the first three of the four argument values to the option option.
+At the default setting, @option{-Wrawmem-overflow=1} warns only on the call
+to @code{memcpy} in @code{f1}. @option{-Wrawmem-overflow=2} also warns on
+the call in @code{f2}, and @option{-Wrawmem-overflow=3} also on
+the @code{memcpy} in @code{f3}.
+
+@smallexample
+struct A @{
+ int a, b;
+@} a;
+
+struct B @{
+ struct A a;
+ int c, d;
+@} b;
+
+void f1 (void)
+@{
+ memcpy (&b.a, &b, sizeof b); // -Wrawmem-overflow=1
+@}
+
+void f2 (void)
+@{
+ memcpy (&b.a, &b, sizeof b); // -Wrawmem-overflow=2
+@}
+
+void f3 (struct A *pa)
+@{
+ memcpy (pa, &b, sizeof b); // -Wrawmem-overflow=3
+@}
+@end smallexample
+
+The @option{-Wrawmem-overflow} option is enabled by default.
+
+@table @gcctabopt
+@item -Wrawmem-overflow
+@item -Wrawmem-overflow=1
+@opindex Wrawmem-overflow
+@opindex Wno-rawmem-overflow
+The @option{-Wrawmem-overflow=1} option uses type-zero Object Size Checking
+to determine the sizes of destination objects. This is the default setting
+of the option. At this setting the option will not warn for writes past
+the end of subobjects of larger objects accessed by pointers unless the
+size of the largest surrounding object is known. When the destination may
+be one of several objects it is assumed to be the largest one of them. On
+Linux systems, when optimization is enabled at this setting the option warns
+for the same code as when the @code{_FORTIFY_SOURCE} macro is defined to
+a non-zero value.
+
+@item -Wrawmem-overflow=2
+The @option{-Wrawmem-overflow=2} option uses type-one Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+will warn about overflows when writing to members of the largest complete
+objects whose exact size is known. It will, however, not warn for excessive
+writes to the same members of unknown objects referenced by pointers since
+they may point to arrays containing unknown numbers of elements.
+
+@item -Wrawmem-overflow=3
+The @option{-Wrawmem-overflow=3} option uses type-two Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+warns about overflowing the smallest object or data member. This is the
+most restrictive setting of the option that may result in warnings for safe
+code.
+
+@item -Wrawmem-overflow=4
+The @option{-Wrawmem-overflow=4} option uses type-three Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+will warn about overflowing any data members, and when the destination is
+one of several objects it uses the size of the largest of them to decide
+whether to issue a warning. Similarly to @option{-Wrawmem-overflow=3} this
+setting of the option may result in warnings for benign code.
+@end table
+
@item -Wstrict-aliasing
@opindex Wstrict-aliasing
@opindex Wno-strict-aliasing
@@ -4896,6 +4985,67 @@ comparisons, so this warning level gives a very large number of
false positives.
@end table
+@item -Wstringop-overflow
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+Similar to @option{-Wrawmem-overflow}, this option warns for calls to string
+manipulation functions such as @code{strcpy} that are determined to overflow
+the destination buffer. The optional argument specifies the type of Object
+Size Checking to perform to determine the size of the destination.
+@xref{Object Size Checking}. The option also warns for calls to bounded
+functions such as @code{snprintf} and @code{strncat} that specify a bound
+in excess of the largest possible object or at most @code{SIZE_MAX / 2}
+bytes. The option works best with optimization enabled but it can detect
+a small subset of buffer overflows even without optimization. In any case,
+the option warns about just a subset of buffer overflows detected by
+the corresponding overflow checking built-ins.
+
+The default setting of the option is @option{-Wstringop-overflow=2}.
+
+@table @gcctabopt
+@item -Wstringop-overflow
+@item -Wstringop-overflow=1
+@opindex Wstringop-overflow
+@opindex Wno-rawmem-overflow
+The @option{-Wstringop-overflow=1} option uses type-zero Object Size Checking
+to determine the sizes of destination character arrays. At this setting
+the option will not warn for writes past the end of character array members
+of larger objects accessed by pointers unless the size of the largest
+surrounding object is known. When the destination may be one of several
+character arrays it is assumed to be the largest one of them. On Linux
+systems, when optimization is enabled at this setting the option warns
+for the same code as when the @code{_FORTIFY_SOURCE} macro is defined to
+@code{1}.
+
+@item -Wstringop-overflow=2
+The @option{-Wstringop-overflow=2} option uses type-one Object Size Checking
+to determine the sizes of destination character arrays. This is the default
+setting of the option. At this setting the option will warn about overflows
+when writing to member character arrays of the largest complete objects whose
+exact size is known. It will, however, not warn for excessive writes to
+the same character array members of unknown objects referenced by pointers
+since they may point to arrays containing unknown numbers of elements. On
+Linux systems, when optimization is enabled at this setting the option warns
+for the same code as when the @code{_FORTIFY_SOURCE} macro is defined to
+@code{2}.
+
+@item -Wstringop-overflow=3
+The @option{-Wstringop-overflow=3} option uses type-two Object Size Checking
+to determine the sizes of destination character arrays. At this setting
+the option warns about overflowing the smallest character array or array
+member. This is the most restrictive setting of the option that may result
+in warnings for safe code.
+
+@item -Wstringop-overflow=4
+The @option{-Wstringop-overflow=4} option uses type-three Object Size Checking
+to determine the sizes of destination character arrays. At this setting
+the option will warn about overflowing any character member arrays, and when
+the destination is one of several arrays it uses the size of the largest of
+them to decide whether to issue a warning. Similarly to
+@option{-Wstringop-overflow=3} this setting of the option may result in
+warnings for benign code.
+@end table
+
@item -Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]}
@opindex Wsuggest-attribute=
@opindex Wno-suggest-attribute=
diff --git a/gcc/emit-rtl.c b/gcc/emit-rtl.c
index 8afcfbe..29f816e 100644
--- a/gcc/emit-rtl.c
+++ b/gcc/emit-rtl.c
@@ -3930,7 +3930,14 @@ make_note_raw (enum insn_note subtype)
INSN_UID (note) = cur_insn_uid++;
NOTE_KIND (note) = subtype;
BLOCK_FOR_INSN (note) = NULL;
- memset (&NOTE_DATA (note), 0, sizeof (NOTE_DATA (note)));
+
+ /* FIXME: The NOTE_DATA() macro uses an invalid array subscript
+ that causes a -Wstringop-overflow warning in the call to memset
+ below. The resulting pointer is valid but the way it's derived
+ is undefined. Hide the pointer computation from memset to avoid
+ the warning until the macro is fixed. */
+ void* volatile p = &NOTE_DATA (note);
+ memset (p, 0, sizeof (NOTE_DATA (note)));
return note;
}
\f
diff --git a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
index d9ec7e2..9a02373 100644
--- a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
+++ b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
@@ -481,4 +481,4 @@ f4 (char *x, char **y, int z, char w[64])
stpncpy (x, s3, sizeof (s3));
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
index 09263e5..0207f9a 100644
--- a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
+++ b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
@@ -20,7 +20,7 @@ bar ()
{
int *p = new int;
int *q = new int[4];
- MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
- MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
+ MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "writing" }
+ MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "writing" }
baz (p, q);
}
diff --git a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
index ebafc99..85b3977 100644
--- a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
+++ b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
@@ -9,7 +9,7 @@ struct B { char z[50]; };
inline void
foo (char *dest, const char *__restrict src, __SIZE_TYPE__ n)
{
- __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "will always overflow" }
+ __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "overflows" }
}
void bar (const char *, int);
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
index 8b5c33e..2e6189b 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
@@ -713,4 +713,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-// { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" }
+// { dg-prune-output "\[\n\r\]*overflows\[\n\r\]*" }
diff --git a/gcc/testsuite/gcc.c-torture/compile/pr55569.c b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
index cffbcfc..7708f21 100644
--- a/gcc/testsuite/gcc.c-torture/compile/pr55569.c
+++ b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
@@ -1,4 +1,4 @@
-/* { dg-options "-ftree-vectorize" } */
+/* { dg-options "-Wno-stringop-overflow -ftree-vectorize" } */
int *bar (void);
void
@@ -6,6 +6,10 @@ foo (void)
{
long x;
int *y = bar ();
- for (x = -1 / sizeof (int); x; --x, ++y)
- *y = 0;
+
+ /* The loop below may be optimized to a call to memset with a size
+ that's in excess of the maximum object size. This is diagnosed
+ by the -Wstringop-overflow option. */
+ for (x = -1 / sizeof (int); x; --x, ++y)
+ *y = 0;
}
diff --git a/gcc/testsuite/gcc.dg/Wobjsize-1.c b/gcc/testsuite/gcc.dg/Wobjsize-1.c
index 291cfb9..211e068 100644
--- a/gcc/testsuite/gcc.dg/Wobjsize-1.c
+++ b/gcc/testsuite/gcc.dg/Wobjsize-1.c
@@ -10,6 +10,6 @@ int main(int argc, char **argv)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 6 } */
+/* { dg-warning "writing" "" { target *-*-* } 6 } */
/* { dg-message "file included" "included" { target *-*-* } 0 } */
/* { dg-message "inlined from" "inlined" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/attr-alloc_size.c b/gcc/testsuite/gcc.dg/attr-alloc_size.c
index e8129ce..f50ba7c 100644
--- a/gcc/testsuite/gcc.dg/attr-alloc_size.c
+++ b/gcc/testsuite/gcc.dg/attr-alloc_size.c
@@ -22,15 +22,15 @@ test (void)
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
index e491ff5..7689287 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
@@ -8,7 +8,10 @@
extern void abort (void);
#include "../gcc.c-torture/execute/builtins/chk.h"
-#include <stdarg.h>
+
+#define va_list __builtin_va_list
+#define va_start __builtin_va_start
+#define va_end __builtin_va_end
volatile void *vx;
char buf1[20];
@@ -22,60 +25,61 @@ test (int arg, ...)
char *p = &buf1[10], *q;
memcpy (&buf2[19], "ab", 1);
- memcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy" } */
vx = mempcpy (&buf2[19], "ab", 1);
- vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "mempcpy" } */
+ vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 " "mempcpy" } */
memmove (&buf2[18], &buf1[10], 2);
- memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "will always overflow" "memmove" } */
+ memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "writing 3 " "memmove" } */
memset (&buf2[16], 'a', 4);
- memset (&buf2[15], 'b', 6); /* { dg-warning "will always overflow" "memset" } */
+ memset (&buf2[15], 'b', 6); /* { dg-warning "writing 6 " "memset" } */
strcpy (&buf2[18], "a");
- strcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcpy" } */
vx = stpcpy (&buf2[18], "a");
- vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "stpcpy" } */
+ vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "writing 3" "stpcpy" } */
strncpy (&buf2[18], "a", 2);
- strncpy (&buf2[18], "a", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "a", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
strncpy (&buf2[18], "abc", 2);
- strncpy (&buf2[18], "abc", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "abc", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
memset (buf2, '\0', sizeof (buf2));
strcat (&buf2[18], "a");
memset (buf2, '\0', sizeof (buf2));
- strcat (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcat" } */
+ strcat (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcat" } */
sprintf (&buf2[18], "%s", buf1);
sprintf (&buf2[18], "%s", "a");
- sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "writing 3 " "sprintf" } */
sprintf (&buf2[18], "a");
- sprintf (&buf2[18], "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "ab"); /* { dg-warning "writing 3 " "sprintf" } */
snprintf (&buf2[18], 2, "%d", x);
/* N argument to snprintf is the size of the buffer.
Although this particular call wouldn't overflow buf2,
incorrect buffer size was passed to it and therefore
we want a warning and runtime failure. */
- snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "will always overflow" "snprintf" } */
+ snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "snprintf" } */
va_start (ap, arg);
vsprintf (&buf2[18], "a", ap);
va_end (ap);
+
va_start (ap, arg);
- vsprintf (&buf2[18], "ab", ap); /* { dg-warning "will always overflow" "vsprintf" } */
+ vsprintf (&buf2[18], "ab", ap); /* { dg-warning "writing 3" "vsprintf" } */
va_end (ap);
va_start (ap, arg);
vsnprintf (&buf2[18], 2, "%s", ap);
va_end (ap);
va_start (ap, arg);
/* See snprintf above. */
- vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "will always overflow" "vsnprintf" } */
+ vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "vsnprintf" } */
va_end (ap);
p = p + 10;
memset (p, 'd', 0);
- q = strcpy (p, ""); /* { dg-warning "will always overflow" "strcpy" } */
+ q = strcpy (p, ""); /* { dg-warning "writing 1 " "strcpy" } */
/* This invokes undefined behavior, since we are past the end of buf1. */
p = p + 10;
- memset (p, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (p, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
memset (q, 'd', 0);
- memset (q, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (q, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
q = q - 10;
memset (q, 'd', 10);
}
@@ -90,26 +94,26 @@ void
test2 (const H h)
{
char c;
- strncpy (&c, str, 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&c, str, 3); /* { dg-warning "specified bound 3 exceeds the size 1 of the destination" "strncpy" } */
struct { char b[4]; } x;
- sprintf (x.b, "%s", "ABCD"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (x.b, "%s", "ABCD"); /* { dg-warning "writing 5" "sprintf" } */
unsigned int i;
- memcpy (&i, &h, sizeof (h)); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&i, &h, sizeof (h)); /* { dg-warning "writing 16 " "memcpy" } */
unsigned char buf[21];
- memset (buf + 16, 0, 8); /* { dg-warning "will always overflow" "memset" } */
+ memset (buf + 16, 0, 8); /* { dg-warning "writing 8 " "memset" } */
typedef struct { int i, j, k, l; } S;
S *s[3];
- memset (s, 0, sizeof (S) * 3); /* { dg-warning "will always overflow" "memset" } */
+ memset (s, 0, sizeof (S) * 3); /* { dg-warning "writing 48 " "memset" } */
struct T { char a[8]; char b[4]; char c[10]; } t;
- stpcpy (t.c,"Testing..."); /* { dg-warning "will always overflow" "stpcpy" } */
+ stpcpy (t.c,"Testing..."); /* { dg-warning "writing" "stpcpy" } */
char b1[7];
char b2[4];
memset (b1, 0, sizeof (b1));
- memset (b2, 0, sizeof (b1)); /* { dg-warning "will always overflow" "memset" } */
+ memset (b2, 0, sizeof (b1)); /* { dg-warning "writing 7" "memset" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
index 7c2bb60..d537fb0 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
@@ -6,7 +6,7 @@
/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
#include "../gcc.c-torture/execute/builtins/chk.h"
-
+
void *bar (int);
extern void *malloc (__SIZE_TYPE__);
@@ -115,7 +115,7 @@ baz (const struct A *x, const unsigned char *z)
else
do
{
- memcpy (e, d, 513); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (e, d, 513); /* { dg-warning "writing" "memcpy" } */
e += 4;
}
while (--h);
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c
new file mode 100644
index 0000000..3911498
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-3.c
@@ -0,0 +1,344 @@
+/* Test exercising buffer overflow warnings emitted for __*_chk builtins
+ in cases where the destination involves a non-constant offset into
+ an object of known size. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wrawmem-overflow=2 -Wstringop-overflow=2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+void sink (void*);
+
+/* Define memcpy as a macro (as opposed to an inline function) so that
+ warnings point to its invocation in the tests (as opposed to its
+ definition), making sure its first argument is evaluated exactly
+ once. */
+#define memcpy(d, s, n) \
+ do { \
+ __typeof__ (d) __d = (d); \
+ __builtin___memcpy_chk (__d, s, n, __builtin_object_size (__d, 1)); \
+ sink (__d); \
+ } while (0)
+
+/* Function to generate a unique offset each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+ptrdiff_t random_value (void);
+
+/* For brevity. */
+#define X() random_value ()
+
+/* Test memcpy with a variable offset not known to be in any range
+ and with a constant number of bytes. */
+
+void test_var_const (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf + X(), p, 6); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+
+ memcpy (&buf[X()], p, 6); /* { dg-warning "writing" } */
+
+ /* Since X() below can be assumed to be non-negative (otherwise it would
+ result in forming a pointer before the beginning of BUF), then because
+ of the +1 added to the resulting address there must be at most enough
+ room for (sizeof(buf) - 1) or 4 bytes. */
+ memcpy (&buf[X()] + 1, p, 4);
+
+ memcpy (&buf[X()] + 1, p, 5); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] + 5, p, 6); /* { dg-warning "writing" } */
+
+ /* The negative constant offset below must have no effect on the maximum
+ size of the buffer. */
+ memcpy (&buf[X()] - 1, p, 5);
+
+ memcpy (&buf[X()] - 1, p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] - 5, p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] + X(), p, 5);
+
+ memcpy (&buf[X()] + X(), p, 6); /* { dg-warning "writing" } */
+
+ memcpy (&buf[X()] - X(), p, 5);
+
+ memcpy (&buf[X()] - X(), p, 6); /* { dg-warning "writing" } */
+}
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Test memcpy with a variable offset not known to be in any range
+ and with a number of bytes bounded by a known range. */
+
+void test_var_range (void *dst, const void *p)
+{
+ char buf[5];
+
+ memcpy (&buf[X()], p, range (0, 5));
+ memcpy (&buf[X()], p, range (1, 5));
+ memcpy (&buf[X()], p, range (2, 5));
+ memcpy (&buf[X()], p, range (3, 5));
+ memcpy (&buf[X()], p, range (4, 5));
+
+ memcpy (&buf[X()], p, range (6, 7)); /* { dg-warning "writing" } */
+
+ const size_t max = SIZE_MAX;
+ memcpy (&buf[X()], p, range (max - 1, max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (dst, p, range (max / 2 + 1, max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Return an ingeger in the range [MIN, MASK]. Use bitwise operations
+ rather than inequality to avoid relying on optimization passes
+ beyond Early Value Range Propagation that __builtin_object_size
+ doesn't make use of (yet). */
+
+static inline size_t
+simple_range (unsigned min, unsigned mask)
+{
+ return ((unsigned)random_value () & mask) | (min & mask);
+}
+
+/* For brevity. */
+#define R(min, max) simple_range (min, max)
+
+void test_range_auto (const void *p)
+{
+ char buf[5];
+
+ memcpy (buf + R (0, 1), p, 6); /* { dg-warning "writing" } */
+
+ /* Some of these could be diagnosed as an extension because they would
+ overflow when (if) the non-const index were sufficiently large.
+ The challenge is distinguishing a range where a variable is likely
+ to exceed the minimum required for the overflow to occur from one
+ where it isn't so likely. */
+ memcpy (buf + R (0, 1), p, 5);
+
+ memcpy (buf + R (0, 1), p, 4);
+
+ memcpy (buf + R (0, 2), p, 3);
+
+ memcpy (buf + R (0, 3), p, 2);
+
+ memcpy (buf + R (0, 7), p, 1);
+
+ memcpy (buf + R (0, 5), p, 0);
+
+ /* The offset is known to be at least 1 so the size of the object
+ is at most 4. */
+ memcpy (buf + R (1, 2), p, 3);
+
+ memcpy (buf + R (1, 3), p, 3);
+
+ memcpy (buf + R (1, 2), p, 4);
+
+ memcpy (buf + R (1, 3) + 1, p, 4); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (1, 3), p, 5); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (2, 3), p, 2);
+
+ memcpy (buf + R (2, 3), p, 3);
+
+ memcpy (buf + R (2, 3) + 1, p, 3); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (2, 3), p, 4); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (3, 4), p, 2);
+
+ memcpy (buf + R (3, 7), p, 3); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (3, 7), p, 9); /* { dg-warning "writing" } */
+
+ memcpy (&buf[R (0, 1)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 2)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 3)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 4)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 5)] + 1, p, 4);
+
+ memcpy (&buf[R (0, 2)] + 2, p, 4); /* { dg-warning "writing" } */
+
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+
+ memcpy (&buf[R (0, 2)] - 2, p, 3);
+
+ memcpy (&buf[R (5, 15)], p, 1); /* { dg-warning "writing" } */
+
+ /* With the offset given by the two ranges below there is at most
+ 1 byte left. */
+ memcpy (buf + R (1, 2) + R (3, 4), p, 1);
+
+ memcpy (buf + R (1, 3) + R (3, 7), p, 2); /* { dg-warning "writing" } */
+
+ /* Unfortunately, the following isn't handled quite right: only
+ the lower bound given by the first range is used, the second
+ one is disregarded. */
+ memcpy (&buf [R (1, 2)] + R (3, 4), p, 2); /* { dg-warning "writing" "index in range plus offset in range" { xfail *-*-* } } */
+
+ memcpy (buf + R (2, 3) + R (2, 3), p, 1);
+
+ memcpy (buf + R (2, 3) + R (2, 3), p, 2); /* { dg-warning "writing" } */
+}
+
+void test_range_malloc (const void *p)
+{
+ char *buf = __builtin_malloc (5);
+
+ memcpy (buf + R (0, 1), p, 6); /* { dg-warning "writing" } */
+
+ memcpy (buf + R (0, 1), p, 5);
+
+ memcpy (buf + R (0, 1), p, 4);
+
+ memcpy (buf + R (0, 2), p, 3);
+
+ memcpy (buf + R (0, 3), p, 2);
+
+ memcpy (buf + R (0, 4), p, 1);
+
+ memcpy (buf + R (0, 5), p, 0);
+}
+
+void test_range_schar (signed char i, const void *s)
+{
+ char a [130];
+
+ /* The range of I is [-128, 127] so the size of the destination below
+ is at most 2 (i.e., 130 - 128) bytes. */
+ memcpy (&a [130] + i, s, 2);
+
+ /* Strictly, the range of I below is [0, 127] because a negative value
+ would result in forming an invalid pointer, so the destination is at
+ most 2 bytes. */
+ memcpy (&a [i] + 128, s, 2);
+
+ /* Reset I's range just in case it gets set above. */
+ i = random_value ();
+ memcpy (&a [130] + i, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 128, s, 3); /* { dg-warning "writing" } */
+}
+
+void test_range_uchar (unsigned char i, const void *s)
+{
+ char a [260];
+
+ /* The range of I is [0, 255] so the size of the destination below
+ is at most 2 (i.e., 260 - 258 + 0) bytes. */
+ memcpy (&a [258] + i, s, 2);
+
+ memcpy (&a [i] + 128, s, 2);
+
+ /* Reset I's range just in case it gets set above. */
+ i = random_value ();
+ memcpy (&a [258] + i, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 258, s, 3); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [259] + i, s, 2); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 259, s, 2); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [260] + i, s, 1); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [i] + 260, s, 1); /* { dg-warning "writing" } */
+
+ i = random_value ();
+ memcpy (&a [260] + i, s, 0);
+
+ i = random_value ();
+ memcpy (&a [i] + 260, s, 0);
+}
+
+void test_range_int (int i, const void *s)
+{
+ const size_t max = (size_t)INT_MAX * 2 + 1;
+
+ char *a = __builtin_malloc (max);
+
+ memcpy (&a [max] + i, s, INT_MAX);
+ memcpy (&a [max] - i, s, INT_MAX);
+ /* &*/
+ memcpy (&a [max] + i, s, INT_MAX + (size_t)1);
+ memcpy (&a [max] - i, s, INT_MAX + (size_t)1); /* { dg-warning "writing" } */
+ memcpy (&a [max] + i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+ memcpy (&a [max] - i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+
+ char *end = &a [max];
+ memcpy (end + i, s, INT_MAX);
+ memcpy (end - i, s, INT_MAX);
+ /* &*/
+ memcpy (end + i, s, INT_MAX + (size_t)1);
+ memcpy (end - i, s, INT_MAX + (size_t)1); /* { dg-warning "writing" } */
+ memcpy (end + i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+ memcpy (end - i, s, INT_MAX + (size_t)2); /* { dg-warning "writing" } */
+
+ memcpy (&a [i] + max, s, 1);
+}
+
+
+void test_range_ptrdiff_t (ptrdiff_t i, const void *s)
+{
+ const size_t max = PTRDIFF_MAX;
+
+ char *a = __builtin_malloc (max);
+
+ memcpy (&a [max] + i, s, max);
+
+ memcpy (&a [i] + max - 1, s, 1);
+}
+
+void test_range_size_t (size_t i, const void *s)
+{
+ const size_t diffmax = PTRDIFF_MAX;
+
+ char *a = __builtin_malloc (diffmax);
+
+ memcpy (&a [diffmax] + i, s, 0);
+ memcpy (&a [i] + diffmax, s, 0);
+
+ memcpy (&a [diffmax] + i, s, 1); /* { dg-warning "writing" } */
+
+ memcpy (&a [i] + diffmax, s, 1); /* { dg-warning "writing" } */
+}
+
+struct S {
+ int i;
+ char a7[7];
+ int b;
+};
+
+void test_range_member_array (struct S *s, const void *p)
+{
+ memcpy (s->a7 + R (0, 1), p, 6);
+
+ memcpy (s->a7 + R (0, 1), p, 7);
+
+ memcpy (s->a7 + R (0, 1), p, 8); /* { dg-warning "writing" } */
+
+ memcpy (&s->a7 [R (0, 1)], p, 7);
+
+ memcpy (&s->a7 [R (1, 3)], p, 7); /* { dg-warning "writing" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
new file mode 100644
index 0000000..86d7764
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
@@ -0,0 +1,459 @@
+/* Test exercising buffer overflow warnings emitted for raw memory and
+ string manipulation builtins involving ranges of sizes and strings
+ of varying lengths. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+static const size_t ssize_max = SIZE_MAX / 2;
+static const size_t size_max = SIZE_MAX;
+
+extern signed char schar_val;
+extern signed short sshrt_val;
+extern signed int sint_val;
+extern signed long slong_val;
+extern unsigned char uchar_val;
+extern unsigned short ushrt_val;
+extern unsigned int uint_val;
+extern unsigned long ulong_val;
+
+#define memcpy(d, s, n) (memcpy ((d), (s), (n)), sink ((d)))
+extern void* (memcpy)(void*, const void*, size_t);
+
+#define mempcpy(d, s, n) (mempcpy ((d), (s), (n)), sink ((d)))
+extern void* (mempcpy)(void*, const void*, size_t);
+
+#define memset(d, c, n) (memset ((d), (c), (n)), sink ((d)))
+extern void* (memset)(void*, int, size_t);
+
+#define bzero(d, n) (bzero ((d), (n)), sink ((d)))
+extern void (bzero)(void*, size_t);
+
+#define strcat(d, s) (strcat ((d), (s)), sink ((d)))
+extern char* (strcat)(char*, const char*);
+
+#define strncat(d, s, n) (strncat ((d), (s), (n)), sink ((d)))
+extern char* (strncat)(char*, const char*, size_t);
+
+#define strcpy(d, s) (strcpy ((d), (s)), sink ((d)))
+extern char* (strcpy)(char*, const char*);
+
+#define strncpy(d, s, n) (strncpy ((d), (s), (n)), sink ((d)))
+extern char* (strncpy)(char*, const char*, size_t);
+
+void sink (void*);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+ptrdiff_t random_signed_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+unsigned_range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Return a random signed value between MIN and MAX. */
+
+static inline ptrdiff_t
+signed_range (ptrdiff_t min, ptrdiff_t max)
+{
+ const ptrdiff_t val = random_signed_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* For brevity. */
+#define UR(min, max) unsigned_range (min, max)
+#define SR(min, max) signed_range (min, max)
+
+/* UReturn a pointer to constant string whose length is at least MINLEN
+ and at most 10. */
+static inline const char*
+string_range (size_t minlen)
+{
+ static const char str[] = "0123456789";
+
+ const size_t len = unsigned_range (minlen, sizeof str - 1);
+
+ switch (len)
+ {
+ case 10: return "0123456789";
+ case 9: return "012345678";
+ case 8: return "01234567";
+ case 7: return "0123456";
+ case 6: return "012345";
+ case 5: return "01234";
+ case 4: return "0123";
+ case 3: return "012";
+ case 2: return "01";
+ case 1: return "0";
+ case 0: return "";
+ }
+}
+
+#define S(minlen) string_range (minlen)
+
+/* Test memcpy with a number of bytes bounded by a known range. */
+
+void test_memcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ memcpy (buf, s, UR (0, 5));
+ memcpy (buf, s, UR (1, 5));
+ memcpy (buf, s, UR (2, 5));
+ memcpy (buf, s, UR (3, 5));
+ memcpy (buf, s, UR (4, 5));
+
+ memcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memcpy into a destination of unknown size with excessive
+ number of bytes. */
+ memcpy (d, s, UR (ssize_max, size_max));
+ memcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (buf, s, SR (-1, 1));
+ memcpy (buf, s, SR (-3, 2));
+ memcpy (buf, s, SR (-5, 3));
+ memcpy (buf, s, SR (-7, 4));
+ memcpy (buf, s, SR (-9, 5));
+ memcpy (buf, s, SR (-11, 6));
+
+ memcpy (d, s, SR (-1, 1));
+ memcpy (d, s, SR (-3, 2));
+ memcpy (d, s, SR (-5, 3));
+ memcpy (d, s, SR (-7, 4));
+ memcpy (d, s, SR (-9, 5));
+ memcpy (d, s, SR (-11, 6));
+
+ memcpy (buf, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (d, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Even though the following calls are bounded by the range of N's
+ type they must not cause a warning for obvious reasons. */
+ memcpy (buf, s, schar_val);
+ memcpy (buf, s, sshrt_val);
+ memcpy (buf, s, sint_val);
+ memcpy (buf, s, slong_val);
+
+ memcpy (buf, s, uchar_val);
+ memcpy (buf, s, ushrt_val);
+ memcpy (buf, s, uint_val);
+ memcpy (buf, s, ulong_val);
+
+ memcpy (buf, s, schar_val + 1);
+ memcpy (buf, s, sshrt_val + 2);
+ memcpy (buf, s, sint_val + 3);
+ memcpy (buf, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+
+ memcpy (d, s, schar_val);
+ memcpy (d, s, sshrt_val);
+ memcpy (d, s, sint_val);
+ memcpy (d, s, slong_val);
+
+ memcpy (d, s, uchar_val);
+ memcpy (d, s, ushrt_val);
+ memcpy (d, s, uint_val);
+ memcpy (d, s, ulong_val);
+
+ memcpy (d, s, schar_val + 1);
+ memcpy (d, s, sshrt_val + 2);
+ memcpy (d, s, sint_val + 3);
+ memcpy (d, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+}
+
+/* Test mempcpy with a number of bytes bounded by a known range. */
+
+void test_mempcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ mempcpy (buf, s, UR (0, 5));
+ mempcpy (buf, s, UR (1, 5));
+ mempcpy (buf, s, UR (2, 5));
+ mempcpy (buf, s, UR (3, 5));
+ mempcpy (buf, s, UR (4, 5));
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ mempcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ mempcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise mempcpy into a destination of unknown size with excessive
+ number of bytes. */
+ mempcpy (d, s, UR (ssize_max, size_max));
+ mempcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test memset with a number of bytes bounded by a known range. */
+
+void test_memset_range (void *d)
+{
+ char buf[5];
+
+ memset (buf, 0, UR (0, 5));
+ memset (buf, 0, UR (1, 5));
+ memset (buf, 0, UR (2, 5));
+ memset (buf, 0, UR (3, 5));
+ memset (buf, 0, UR (4, 5));
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memset (buf, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memset (buf, 0, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memset into a destination of unknown size with excessive
+ number of bytes. */
+ memset (d, 0, UR (ssize_max, size_max));
+ memset (d, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test bzero with a number of bytes bounded by a known range. */
+
+void test_bzero_range (void *d)
+{
+ char buf[5];
+
+ bzero (buf, UR (0, 5));
+ bzero (buf, UR (1, 5));
+ bzero (buf, UR (2, 5));
+ bzero (buf, UR (3, 5));
+ bzero (buf, UR (4, 5));
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ bzero (buf, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ bzero (buf, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise bzero into a destination of unknown size with excessive
+ number of bytes. */
+ bzero (d, UR (ssize_max, size_max));
+ bzero (d, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strcat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strcat_range (void)
+{
+ char buf[5] = "";
+
+ strcat (buf, S (0));
+ strcat (buf, S (1));
+ strcat (buf, S (2));
+ strcat (buf, S (3));
+ strcat (buf, S (4));
+ strcat (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strcat. */
+ char buf2[5] = "12";
+ strcat (buf2, S (4)); /* { dg-warning "writing 5 bytes into a region of size 3" "strcat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strcpy with a non-constant source string of length in a known
+ range. */
+
+void test_strcpy_range (void)
+{
+ char buf[5];
+
+ strcpy (buf, S (0));
+ strcpy (buf, S (1));
+ strcpy (buf, S (2));
+ strcpy (buf, S (4));
+ strcpy (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+ strcpy (buf, S (6)); /* { dg-warning "writing 7 bytes into a region of size 5 " } */
+ strcpy (buf, S (7)); /* { dg-warning "writing 8 bytes into a region of size 5 " } */
+ strcpy (buf, S (8)); /* { dg-warning "writing 9 bytes into a region of size 5 " } */
+ strcpy (buf, S (9)); /* { dg-warning "writing 10 bytes into a region of size 5 " } */
+ strcpy (buf, S (10)); /* { dg-warning "writing 11 bytes into a region of size 5 " } */
+}
+
+/* Test strncat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strncat_range (void)
+{
+ char buf[5] = "";
+
+ strncat (buf, S (0), 0);
+ strncat (buf, S (0), 1);
+ strncat (buf, S (0), 2);
+ strncat (buf, S (0), 3);
+ strncat (buf, S (0), 4);
+ /* Strncat always appends a terminating null after copying the N
+ characters so the following triggers a warning pointing out
+ that specifying sizeof(buf) as the upper bound may cause
+ the nul to overflow the destination. */
+ strncat (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (0), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ strncat (buf, S (1), 0);
+ strncat (buf, S (1), 1);
+ strncat (buf, S (1), 2);
+ strncat (buf, S (1), 3);
+ strncat (buf, S (1), 4);
+ strncat (buf, S (1), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (1), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+ strncat (buf, S (2), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ /* The following could just as well say "writing 6 bytes into a region
+ of size 5. Either would be correct and probably equally as clear
+ in this case. But when the length of the source string is not known
+ at all then the bound warning seems clearer. */
+ strncat (buf, S (5), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination " } */
+ strncat (buf, S (7), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strncpy. */
+ char buf2[5] = "12";
+ strncat (buf2, S (4), 4); /* { dg-warning "writing 5 bytes into a region of size 3" "strncat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strncat_chk with an argument referencing a non-constant string
+ of lengths in a known range. */
+
+void test_strncat_chk_range (char *d)
+{
+ char buf[5] = "";
+
+#define strncat_chk(d, s, n) \
+ __builtin___strncat_chk ((d), (s), (n), __builtin_object_size (d, 1));
+
+ strncat_chk (buf, S (0), 1);
+ strncat_chk (buf, S (0), 2);
+ strncat_chk (buf, S (0), 3);
+ strncat_chk (buf, S (0), 4);
+ strncat_chk (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), 1);
+ strncat_chk (buf, S (5), 2);
+ strncat_chk (buf, S (5), 3);
+ strncat_chk (buf, S (5), 4);
+ strncat_chk (buf, S (5), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds the size 5 of the destination " } */
+
+ strncat_chk (d, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size " } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a constant number of bytes. */
+
+void test_strncpy_string_range (char *d)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), 0);
+ strncpy (buf, S (0), 1);
+ strncpy (buf, S (0), 2);
+ strncpy (buf, S (0), 3);
+ strncpy (buf, S (0), 4);
+ strncpy (buf, S (0), 5);
+ strncpy (buf, S (0), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (6), 4);
+ strncpy (buf, S (7), 5);
+ strncpy (buf, S (8), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (1), ssize_max - 1); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (2), ssize_max); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (buf, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (1), ssize_max - 1);
+ strncpy (d, S (2), ssize_max);
+ strncpy (d, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (d, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a non-constant number of bytes also in a known range. */
+
+void test_strncpy_string_count_range (char *d, const char *s)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), UR (0, 1));
+ strncpy (buf, S (0), UR (0, 2));
+ strncpy (buf, S (0), UR (0, 3));
+ strncpy (buf, S (0), UR (0, 4));
+ strncpy (buf, S (0), UR (0, 5));
+ strncpy (buf, S (0), UR (0, 6));
+ strncpy (buf, S (0), UR (1, 6));
+ strncpy (buf, S (0), UR (2, 6));
+ strncpy (buf, S (0), UR (3, 6));
+ strncpy (buf, S (0), UR (4, 6));
+ strncpy (buf, S (0), UR (5, 6));
+
+ strncpy (buf, S (9), UR (0, 1));
+ strncpy (buf, S (8), UR (0, 2));
+ strncpy (buf, S (7), UR (0, 3));
+ strncpy (buf, S (6), UR (0, 4));
+ strncpy (buf, S (8), UR (0, 5));
+ strncpy (buf, S (7), UR (0, 6));
+ strncpy (buf, S (6), UR (1, 6));
+ strncpy (buf, S (5), UR (2, 6));
+ strncpy (buf, S (9), UR (3, 6));
+ strncpy (buf, S (8), UR (4, 6));
+ strncpy (buf, S (7), UR (5, 6));
+
+ strncpy (buf, S (0), UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+ strncpy (buf, S (1), UR (7, 8)); /* { dg-warning "writing between 7 and 8 bytes into a region of size 5 " } */
+ strncpy (buf, S (2), UR (ssize_max, ssize_max + 1)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 " } */
+
+ strncpy (buf, S (2), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (0), UR (5, 6));
+ strncpy (d, S (1), UR (6, 7));
+ strncpy (d, S (2), UR (7, 8));
+
+ strncpy (d, S (3), UR (ssize_max, ssize_max + 1));
+
+ strncpy (d, S (4), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
new file mode 100644
index 0000000..7c3ad89
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
@@ -0,0 +1,63 @@
+/* Test exercising -Wrawmem-overflow and -Wstringop-overflow warnings. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wrawmem-overflow=1 -Wstringop-overflow=1" } */
+
+struct A { char a, b; };
+struct B { struct A a; char c, d; };
+
+extern void* memcpy (void*, const void*, __SIZE_TYPE__);
+
+void sink (void*);
+
+void test_memop_warn (const struct B *pb, unsigned n)
+{
+ if (n < 2 * sizeof (struct B) || 32 < n) return;
+
+ struct A a[2];
+
+ /* At -Wrawmem-overflow=1 the destination is considered to be
+ the whole array and its size is therefore sizeof a. */
+ memcpy (&a[0], pb, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+
+ sink (a);
+}
+
+void test_memop_nowarn (const struct B *pb, unsigned n)
+{
+ if (n < 2 * sizeof (struct B) || 32 < n) return;
+
+ struct B b[2];
+
+ memcpy (&b[0].a, pb, n);
+
+ sink (b);
+}
+
+struct C { char a[3], b; };
+struct D { struct C c; char d, e; };
+
+extern char* strncpy (char*, const char*, __SIZE_TYPE__);
+
+void test_stringop_warn (unsigned n)
+{
+ if (n < 2 * sizeof (struct D) || 32 < n) return;
+
+ struct C c[2];
+
+ /* Similarly, at -Wstringop-overflow=1 the destination is considered
+ to be the whole array and its size is therefore sizeof c. */
+ strncpy (c[0].a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 8 overflows the destination" } */
+
+ sink (c);
+}
+
+void test_stringop_nowarn (unsigned n)
+{
+ if (n < 2 * sizeof (struct D) || 32 < n) return;
+
+ struct D d[2];
+
+ strncpy (d[0].c.a, "123", n);
+
+ sink (d);
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c
new file mode 100644
index 0000000..5bc9af5
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c
@@ -0,0 +1,68 @@
+/* Test exercising -Wrawmem-overflow and -Wstringop-overflow warnings. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wrawmem-overflow=2 -Wstringop-overflow=2" } */
+
+struct A { char a, b; };
+struct B { struct A a; char c, d; };
+
+extern void* memcpy (void*, const void*, __SIZE_TYPE__);
+
+void sink (void*);
+
+void test_memop_warn_object (const struct B *pb, unsigned n)
+{
+ if (n < 2 * sizeof (struct B) || 32 < n) return;
+
+ struct A a[2];
+
+ /* At -Wrawmem-overflow=2 the destination is considered to be
+ the whole array and its size is therefore sizeof a. */
+ memcpy (&a[0], pb, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+
+ sink (a);
+}
+
+void test_memop_warn_subobject (const struct B *pb, unsigned n)
+{
+ if (n < 2 * sizeof (struct B) || 32 < n) return;
+
+ struct B b[2];
+
+ /* At -Wrawmem-overflow=2 the destination is considered to be
+ the member sobobject of the first array element and its size
+ is therefore sizeof b[0].a. */
+ memcpy (&b[0].a, pb, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 2 overflows the destination" } */
+
+ sink (b);
+}
+
+struct C { char a[3], b; };
+struct D { struct C c; char d, e; };
+
+extern char* strncpy (char*, const char*, __SIZE_TYPE__);
+
+void test_stringop_warn_object (unsigned n)
+{
+ if (n < 2 * sizeof (struct D) || 32 < n) return;
+
+ struct C c[2];
+
+ /* Similarly, at -Wstringop-overflow=2 the destination is considered
+ to be the array member of the first element of the array c and its
+ size is therefore sizeof c[0].a. */
+ strncpy (c[0].a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+
+ sink (c);
+}
+
+void test_stringop_warn_subobject (unsigned n)
+{
+ if (n < 2 * sizeof (struct D) || 32 < n) return;
+
+ struct D d[2];
+
+ /* Same as above. */
+ strncpy (d[0].c.a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+
+ sink (d);
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
index 44677f1..daff680 100644
--- a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
@@ -24,15 +24,15 @@ test (int arg, ...)
*p = 0;
strncat (p, "abcdefghi", 10);
*p = 0;
- strncat (p, "abcdefghij", 10); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghij", 10); /* { dg-warning "writing 11 bytes into a region of size 10 overflows the destination" } */
*p = 0;
strncat (p, "abcdefgh", 11);
*p = 0;
- strncat (p, "abcdefghijkl", 11); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghijkl", 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
*p = 0;
strncat (p, q, 9);
*p = 0;
- strncat (p, q, 10); /* { dg-warning "might overflow" } */
+ strncat (p, q, 10); /* { dg-warning "specified bound 10 equals the size of the destination" } */
*p = 0;
- strncat (p, q, 11); /* { dg-warning "might overflow" } */
+ strncat (p, q, 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
}
diff --git a/gcc/testsuite/gcc.dg/memcpy-2.c b/gcc/testsuite/gcc.dg/memcpy-2.c
index 24464abd..7f839d2 100644
--- a/gcc/testsuite/gcc.dg/memcpy-2.c
+++ b/gcc/testsuite/gcc.dg/memcpy-2.c
@@ -7,7 +7,7 @@ typedef __SIZE_TYPE__ size_t;
extern inline __attribute__((gnu_inline, always_inline, artificial)) void *
memcpy (void *__restrict dest, const void *__restrict src, size_t len)
{
- return __builtin___memcpy_chk (dest, /* { dg-warning "will always overflow destination buffer" } */
+ return __builtin___memcpy_chk (dest, /* { dg-warning "writing" } */
src, len, __builtin_object_size (dest, 0));
}
diff --git a/gcc/testsuite/gcc.dg/pr40340-1.c b/gcc/testsuite/gcc.dg/pr40340-1.c
index aae84c6..78540a2 100644
--- a/gcc/testsuite/gcc.dg/pr40340-1.c
+++ b/gcc/testsuite/gcc.dg/pr40340-1.c
@@ -20,5 +20,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-2.c b/gcc/testsuite/gcc.dg/pr40340-2.c
index a0d6e084..1dc21d1 100644
--- a/gcc/testsuite/gcc.dg/pr40340-2.c
+++ b/gcc/testsuite/gcc.dg/pr40340-2.c
@@ -12,5 +12,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-5.c b/gcc/testsuite/gcc.dg/pr40340-5.c
index f50514c..e517147 100644
--- a/gcc/testsuite/gcc.dg/pr40340-5.c
+++ b/gcc/testsuite/gcc.dg/pr40340-5.c
@@ -13,5 +13,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
index 7ce9eae..b5a59f4 100644
--- a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
+++ b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
@@ -710,4 +710,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/gcc.dg/torture/pr71132.c b/gcc/testsuite/gcc.dg/torture/pr71132.c
index 2991718..2544eb1 100644
--- a/gcc/testsuite/gcc.dg/torture/pr71132.c
+++ b/gcc/testsuite/gcc.dg/torture/pr71132.c
@@ -1,4 +1,9 @@
/* { dg-do compile } */
+/* { dg-additional-options "-Wno-stringop-overflow" } */
+/* The loop below writes past the end of the global object a.
+ When the loop is transformed into a call to memcpy the buffer
+ overflow is detected and diagnosed by the -Wstringop-overflow
+ option enabled by default. */
typedef unsigned size_t;
struct {
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 2:55 ` Martin Sebor
@ 2016-11-02 7:38 ` Jakub Jelinek
2016-11-02 15:46 ` Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Jakub Jelinek @ 2016-11-02 7:38 UTC (permalink / raw)
To: Martin Sebor; +Cc: Jeff Law, gcc-patches, Tobias Burnus
On Tue, Nov 01, 2016 at 08:55:03PM -0600, Martin Sebor wrote:
> struct S {
> int a, b, c, d;
> };
>
> #define bos(p, t) __builtin_object_size (p, t)
> #define memset0(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 0))
> #define memset1(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 1))
>
> void f0 (struct S *s)
> {
> memset0 (&s->d, 0, 1024); // no warning here (bos 0)
> }
But we do not want the warning here, there is nothing wrong on it.
The caller may be
void
bar (void)
{
struct T { struct S header; char payload[1024 - offsetof (struct S, d)]; } t;
initialize (&t);
f0 (&t.header);
}
and the callee might rely on that. Using some header structure at the
beginning and then conditionally on fields in that structure various
payloads occurs in many projects, starting with glibc, gcc, Linux kernel,
... The warning really must not be detached from reality.
If you want a warning for suspicious calls, sure, but
1) it has to be clearly worded significantly differently from how do you
word it, so that users really understand you are warning about
suspicious code (though, I really believe it is very common and there
is really nothing the users can do about it)
2) it really shouldn't be enabled in -Wall, and I think not even in -Wextra
Jakub
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 7:38 ` Jakub Jelinek
@ 2016-11-02 15:46 ` Martin Sebor
2016-11-02 16:55 ` Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-02 15:46 UTC (permalink / raw)
To: Jakub Jelinek; +Cc: Jeff Law, gcc-patches, Tobias Burnus
On 11/02/2016 01:37 AM, Jakub Jelinek wrote:
> On Tue, Nov 01, 2016 at 08:55:03PM -0600, Martin Sebor wrote:
>> struct S {
>> int a, b, c, d;
>> };
>>
>> #define bos(p, t) __builtin_object_size (p, t)
>> #define memset0(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 0))
>> #define memset1(p, i, n) __builtin___memset_chk (p, i, n, bos (p, 1))
>>
>> void f0 (struct S *s)
>> {
>> memset0 (&s->d, 0, 1024); // no warning here (bos 0)
>> }
>
> But we do not want the warning here, there is nothing wrong on it.
> The caller may be
>
> void
> bar (void)
> {
> struct T { struct S header; char payload[1024 - offsetof (struct S, d)]; } t;
> initialize (&t);
> f0 (&t.header);
> }
>
> and the callee might rely on that.
Sure, they might and in that case the warning would be a false
positive. It wouldn't be the first such warning that wasn't 100%
free of them. But my testing with Binutils, GCC, and the Linux
kernel has exposed only 10 instances of new warnings and I don't
think I saw this idiom among them. But even if some were, or if
all of them were false positives I think that would be well within
the acceptable rates. Here are the numbers of warnings for
Binutils and the kernel:
113 -Wimplicit-fallthrough
38 -Wformat-length=
12 -Wunused-const-variable=
10 -Wstringop-overflow
2 -Wdangling-else
2 -Wframe-address
2 -Wint-in-bool-context
1 -Wbool-operation
> Using some header structure at the
> beginning and then conditionally on fields in that structure various
> payloads occurs in many projects, starting with glibc, gcc, Linux kernel,
> ... The warning really must not be detached from reality.
That's an unfair assertion in light of the numbers above.
> If you want a warning for suspicious calls, sure, but
> 1) it has to be clearly worded significantly differently from how do you
> word it, so that users really understand you are warning about
> suspicious code (though, I really believe it is very common and there
> is really nothing the users can do about it)
> 2) it really shouldn't be enabled in -Wall, and I think not even in -Wextra
As you have argued yourself recently in our discussion of
-Wimplicit-fallthrough, warnings that aren't enabled by either
of these options don't generally benefit users because very few
turn them on explicitly. I agree with that argument although I
would be in favor of rolling out a new warning gradually over
two or more releases if it were known to be prone to high rates
of false positive. The -Wstringop-overflow warning clearly isn't
in that category so there's no need for it. My offer to do
additional testing is still good if you'd like to see more data.
As for the wording, I welcome suggestions for improvements.
Martin
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 15:46 ` Martin Sebor
@ 2016-11-02 16:55 ` Martin Sebor
2016-11-02 19:32 ` Jakub Jelinek
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-02 16:55 UTC (permalink / raw)
To: Jakub Jelinek; +Cc: Jeff Law, gcc-patches, Tobias Burnus
> Sure, they might and in that case the warning would be a false
> positive. It wouldn't be the first such warning that wasn't 100%
> free of them. But my testing with Binutils, GCC, and the Linux
> kernel has exposed only 10 instances of new warnings and I don't
> think I saw this idiom among them. But even if some were, or if
> all of them were false positives I think that would be well within
> the acceptable rates.
I've gone through all the new warnings. With one exception where
it's unclear what exactly is going on they all appear to be due
to the idiom of writing into a struct member to clear or copy
data into the member and those that follow to the end of the
struct, like so:
struct S { int a, b, c } *s;
memset (&s->b, 0, sizeof *s - offsetof (struct S, b));
It should be doable to recognize this idiom and suppress the
warning in this case. Let me work on enhancing the patch to
do that.
> Here are the numbers of warnings for
> Binutils and the kernel:
>
> 113 -Wimplicit-fallthrough
> 38 -Wformat-length=
> 12 -Wunused-const-variable=
> 10 -Wstringop-overflow
> 2 -Wdangling-else
> 2 -Wframe-address
> 2 -Wint-in-bool-context
> 1 -Wbool-operation
>
>> Using some header structure at the
>> beginning and then conditionally on fields in that structure various
>> payloads occurs in many projects, starting with glibc, gcc, Linux kernel,
>> ... The warning really must not be detached from reality.
>
> That's an unfair assertion in light of the numbers above.
>
>> If you want a warning for suspicious calls, sure, but
>> 1) it has to be clearly worded significantly differently from how do you
>> word it, so that users really understand you are warning about
>> suspicious code (though, I really believe it is very common and there
>> is really nothing the users can do about it)
>> 2) it really shouldn't be enabled in -Wall, and I think not even in
>> -Wextra
>
> As you have argued yourself recently in our discussion of
> -Wimplicit-fallthrough, warnings that aren't enabled by either
> of these options don't generally benefit users because very few
> turn them on explicitly. I agree with that argument although I
> would be in favor of rolling out a new warning gradually over
> two or more releases if it were known to be prone to high rates
> of false positive. The -Wstringop-overflow warning clearly isn't
> in that category so there's no need for it. My offer to do
> additional testing is still good if you'd like to see more data.
>
> As for the wording, I welcome suggestions for improvements.
>
> Martin
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 16:55 ` Martin Sebor
@ 2016-11-02 19:32 ` Jakub Jelinek
2016-11-04 20:16 ` Martin Sebor
` (2 more replies)
0 siblings, 3 replies; 22+ messages in thread
From: Jakub Jelinek @ 2016-11-02 19:32 UTC (permalink / raw)
To: Martin Sebor; +Cc: Jeff Law, gcc-patches, Tobias Burnus
On Wed, Nov 02, 2016 at 10:55:23AM -0600, Martin Sebor wrote:
> >That's an unfair assertion in light of the numbers above.
> >
> >>If you want a warning for suspicious calls, sure, but
> >>1) it has to be clearly worded significantly differently from how do you
> >> word it, so that users really understand you are warning about
> >> suspicious code (though, I really believe it is very common and there
> >> is really nothing the users can do about it)
> >>2) it really shouldn't be enabled in -Wall, and I think not even in
> >>-Wextra
> >
> >As you have argued yourself recently in our discussion of
> >-Wimplicit-fallthrough, warnings that aren't enabled by either
> >of these options don't generally benefit users because very few
> >turn them on explicitly. I agree with that argument although I
> >would be in favor of rolling out a new warning gradually over
> >two or more releases if it were known to be prone to high rates
> >of false positive. The -Wstringop-overflow warning clearly isn't
> >in that category so there's no need for it. My offer to do
> >additional testing is still good if you'd like to see more data.
But obviously not all levels of the warning can/should be enabled
with -Wall/-Werror. There are cases which are worth warning by default
(the case where we want to inform the user if you reach this stmt,
you'll get your program killed (will call __chk_fail)) is something
that ought like before be enabled by default; can have a warning
switch users can disable.
Then there is the case where there is a sure buffer overflow (not using
-D_FORTIFY_SOURCE, but still __bos (, 0) tells the buffer is too short,
and it is unconditional (no tricks with PHIs where one path has short
and another part has long size). This is something that is useful
in -Wall.
The rest I'm very doubtful about even for -Wextra.
One thing is that for useful warnings users have to be able to do something
to quiet them. For -Wmisleading-indentation you indent your code properly,
for -Wimplicit-fallthrough you add attributes or comments, etc.
But I really don't know what you want people to do to tell the compiler
the warning is a false positive. Add asm ("" : "+g" (ptr)); to hide
everything from the compiler? Too ugly, too unportable, pessimizing correct
code.
Another thing is that __builtin_object_size (x, 1) is very fragile thing
especially since the introduction of MEM_REF, but also various foldings etc.
Just look up the numerous open PRs about it. We try to mitigate it in some
early optimization passes, and had to introduce an early objsz pass copy to
deal with that. But further down the optimization passes the distinctions
that __bos (x, 1) needs to do are very often lost, optimizers fold
(char *)&s + offsetof (struct S, fld) into &s.fld and vice versa, MEM_REF
just doesn't tell you anything about what field is used, etc. It is
unreliable in both directions. So trying to use it for anything very late
in the GIMPLE opts is just a bad idea.
Jakub
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 19:32 ` Jakub Jelinek
@ 2016-11-04 20:16 ` Martin Sebor
2016-11-09 22:50 ` [PING] " Martin Sebor
2016-11-07 0:50 ` Martin Sebor
2016-11-16 18:10 ` Jeff Law
2 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-04 20:16 UTC (permalink / raw)
To: Jakub Jelinek, Jeff Law, gcc-patches, Tobias Burnus
[-- Attachment #1: Type: text/plain, Size: 1269 bytes --]
Attached is an update to the patch that takes into consideration
the feedback I got. It goes back to adding just one option,
-Wstringop-overflow, as in the original, while keeping the Object
Size type as an argument. It uses type-1 as the default setting
for string functions (strcpy et al.) and, unconditionally, type-0
for raw memory functions (memcpy, etc.)
I retested Binutils 2.27 and the Linux kernel again with this patch
and also added Glibc, and it doesn't complain about anything (both
Binutils and the kernel also build cleanly with an unpatched GCC
with_FORTIFY_SOURCE=2 or its rough equivalent for the kernel).
The emit-rtl.c warning (bug 78174) has also been suppressed by
the change to bos type-0 for memcpy.
While the patch doesn't trigger any false positives (AFAIK) it is
subject to a fair number of false negatives due to the limitations
of the tree-object-size pass, and due to transformations done by
other passes that prevent it from detecting some otherwise obvious
overflows. Although unfortunate, I believe the warnings that are
emitted are useful as the first line of defense in software that
doesn't use _FORTIFY_SOURCE (such as GCC itself). And this can
of course be improved if some of the limitations are removed over
time.
Martin
[-- Attachment #2: gcc-53562.diff --]
[-- Type: text/x-patch, Size: 89845 bytes --]
PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
PR middle-end/78149 - missing warning on strncpy buffer overflow due to an excessive bound
PR middle-end/78138 - missing warnings on buffer overflow with non-constant source length
gcc/c-family/ChangeLog:
PR c/53562
* c.opt (-Wstringop-overflow): New option.
gcc/ChangeLog:
PR c/53562
PR middle-end/78149
PR middle-end/78138
* builtins.c (expand_builtin_strcat, expand_builtin_strncat): New
functions.
(compute_dest_size, get_size_range, check_sizes, check_strncat_sizes)
(check_memop_sizes): Same.
(expand_builtin_memcpy): Call check memop_sizes.
(expand_builtin_mempcpy): Same.
(expand_builtin_memset): Same,
(expand_builtin_bzero): Same.
(expand_builtin_memory_chk): Call check_sizes.
(expand_builtin_strcpy): Same.
(expand_builtin_strncpy): Same.
(maybe_emit_sprintf_chk_warning): Same.
(expand_builtin): Handle strcat and strncat.
(fini_object_sizes): Reset pointers.
(compute_object_size): New function.
* doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
gcc/testsuite/ChangeLog:
PR c/53562
PR middle-end/78149
PR middle-end/78138
* c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust expected diagnostic.
* g++.dg/ext/builtin-object-size3.C (bar): Same.
* g++.dg/ext/strncpy-chk1.C: Same.
* g++.dg/opt/memcpy1.C: Same.
* g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
* gcc.c-torture/compile/pr55569.c: Disable -Wstringop-overflow.
* gcc.dg/Wobjsize-1.c: Adjust expected diagnostic.
* gcc.dg/attr-alloc_size.c: Same.
* gcc.dg/builtin-stringop-chk-1.c: Adjust expected diagnostic.
* gcc.dg/builtin-stringop-chk-2.c: Same.
* gcc.dg/builtin-stringop-chk-4.c: New test.
* gcc.dg/builtin-strncat-chk-1.c: Adjust expected diagnostic.
* gcc.dg/memcpy-2.c: Same.
* gcc.dg/pr40340-1.c: Same.
* gcc.dg/pr40340-2.c (main): Same.
* gcc.dg/pr40340-5.c (main): Same.
* gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
* gcc.dg/torture/pr71132.c: Disable -Wstringop-overflow.
* gcc.dg/fstack-protector-strong.c: Add expected diagnostic.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index cc711a0..e2cf20a 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -67,7 +67,7 @@ along with GCC; see the file COPYING3. If not see
#include "internal-fn.h"
#include "case-cfn-macros.h"
#include "gimple-fold.h"
-
+#include "intl.h"
struct target_builtins default_target_builtins;
#if SWITCHABLE_TARGET
@@ -125,9 +125,11 @@ static rtx expand_builtin_mempcpy (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_with_bounds (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_args (tree, tree, tree, rtx,
machine_mode, int, tree);
+static rtx expand_builtin_strcat (tree, rtx);
static rtx expand_builtin_strcpy (tree, rtx);
static rtx expand_builtin_strcpy_args (tree, tree, rtx);
static rtx expand_builtin_stpcpy (tree, rtx, machine_mode);
+static rtx expand_builtin_strncat (tree, rtx);
static rtx expand_builtin_strncpy (tree, rtx);
static rtx builtin_memset_gen_str (void *, HOST_WIDE_INT, machine_mode);
static rtx expand_builtin_memset (tree, rtx, machine_mode);
@@ -3011,6 +3013,292 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
return dest_addr;
}
+/* Fill the 2-element RANGE array with the minimum and maximum values
+ EXP is known to have and return true, otherwise null and return
+ false. */
+
+static bool
+get_size_range (tree exp, tree range[2])
+{
+ if (tree_fits_uhwi_p (exp))
+ {
+ range[0] = range[1] = exp;
+ return true;
+ }
+
+ if (TREE_CODE (exp) == SSA_NAME)
+ {
+ wide_int min, max;
+ enum value_range_type range_type = get_range_info (exp, &min, &max);
+
+ if (range_type == VR_RANGE)
+ {
+ /* Interpret the bound in the variable's type. */
+ range[0] = wide_int_to_tree (TREE_TYPE (exp), min);
+ range[1] = wide_int_to_tree (TREE_TYPE (exp), max);
+ return true;
+ }
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ /* An anti-range implies the original variable is signed and
+ its lower bound is negative and the upper bound positive.
+ Since that means that the expression's value could be zero
+ nothing interesting can be inferred from this. */
+ }
+ }
+
+ range[0] = NULL_TREE;
+ range[1] = NULL_TREE;
+ return false;
+}
+
+/* Try to verify that the sizes and lengths of the arguments to a string
+ manipulation function given by EXP are within valid bounds and that
+ the operation does not lead to buffer overflow. Arguments other than
+ EXP may be null. When non-null, the arguments have the following
+ meaning:
+ SIZE is the user-supplied size argument to the function (such as in
+ memcpy(d, s, SIZE) or strncpy(d, s, SIZE). It specifies the exact
+ number of bytes to write.
+ MAXLEN is the user-supplied bound on the length of the source sequence
+ (such as in strncat(d, s, N). It specifies the upper limit on the number
+ of bytes to write.
+ STR is the source string (such as in strcpy(d, s)) when the epxression
+ EXP is a string function call (as opposed to a memory call like memcpy).
+ As an exception, STR can also be an integer denoting the precomputed
+ length of the source string.
+ OBJSIZE is the size of the destination object specified by the last
+ argument to the _chk builtins, typically resulting from the expansion
+ of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
+ OBJSIZE).
+
+ When SIZE is null LEN is checked to verify that it doesn't exceed
+ SIZE_MAX.
+
+ If the call is successfully verfified as safe from buffer overflow
+ the function returns true, otherwise false.. */
+
+static bool
+check_sizes (int opt, tree exp, tree size, tree maxlen, tree str, tree objsize)
+{
+ /* The size of the largest object. (This is way too permissive.) */
+ tree maxobjsize = build_int_cst (sizetype, HOST_WIDE_INT_MAX);
+
+ tree slen = NULL_TREE;
+
+ /* Set to true when the exact number of bytes written by a string
+ function like strcpy is not known and the only thing that is
+ known is that it must be at least one (for the terminating nul). */
+ bool at_least_one = false;
+ if (str)
+ {
+ /* STR is normally a pointer to string but as a special case
+ it can be an integer denoting the length of a string. */
+ if (TREE_CODE (TREE_TYPE (str)) == POINTER_TYPE)
+ {
+ /* Try to determine the range of lengths the source string
+ refers to. If it can be determined add one to it for
+ the terminating nul. Otherwise, set it to one for
+ the same reason. */
+ tree lenrange[2];
+ get_range_strlen (str, lenrange);
+ if (lenrange[0])
+ slen = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ else
+ {
+ at_least_one = true;
+ slen = size_one_node;
+ }
+ }
+ else
+ slen = str;
+ }
+
+ if (!size && !maxlen)
+ {
+ /* When the only available piece of data is the object size
+ there is nothing to do. */
+ if (!slen)
+ return true;
+
+ /* Otherwise, when the length of the source sequence is known
+ (as with with strlen), set SIZE to it. */
+ size = slen;
+ }
+
+ if (!objsize)
+ objsize = maxobjsize;
+
+ /* The SIZE is exact if it's non-null, constant, and in range of
+ unsigned HOST_WIDE_INT. */
+ bool exactsize = size && tree_fits_uhwi_p (size);
+
+ tree range[2] = { NULL_TREE, NULL_TREE };
+ if (size)
+ get_size_range (size, range);
+
+ /* First check the number of bytes to be written against the maximum
+ object size. */
+ if (range[0] && tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified size %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified size between %wu and %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+ return false;
+ }
+
+ /* Next check the number of bytes to be written against the destination
+ object size. */
+ if (range[0] || !exactsize || integer_all_onesp (size))
+ {
+ if (range[0]
+ && ((tree_fits_uhwi_p (objsize)
+ && tree_int_cst_lt (objsize, range[0]))
+ || (tree_fits_uhwi_p (size)
+ && tree_int_cst_lt (size, range[0]))))
+ {
+ unsigned HOST_WIDE_INT uwir0 = tree_to_uhwi (range[0]);
+
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (at_least_one)
+ warning_at (loc, opt,
+ "%K%D writing at least %wu byte into a region "
+ "of size %wu overflows the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else if (range[0] == range[1])
+ warning_at (loc, opt,
+ (uwir0 == 1
+ ? G_("%K%D writing %wu byte into a region "
+ "of size %wu overflows the destination")
+ : G_("%K%D writing %wu bytes into a region "
+ "of size %wu overflows the destination")),
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, opt,
+ "%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu overflows "
+ "the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (range[1]), tree_to_uhwi (objsize));
+
+ /* Return error when an overflow has been detected. */
+ return false;
+ }
+ }
+
+ /* Check the maximum length of the source sequence against the size
+ of the destination object if known, or against the maximum size
+ of an object. */
+ if (maxlen)
+ {
+ get_size_range (maxlen, range);
+
+ if (range[0] && objsize && tree_fits_uhwi_p (objsize))
+ {
+ if (objsize != maxobjsize && tree_int_cst_lt (objsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified bound %wu "
+ "exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (objsize));
+ return false;
+ }
+ else if (tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified bound %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+/* Helper to compute the size of the object referenced by the DEST
+ expression which must of of pointer type, using Object Size type
+ OSTYPE (only the least significant 2 bits are used). Return
+ the size of the object if successful or NULL when the size cannot
+ be determined. */
+
+static inline tree
+compute_dest_size (tree dest, int ostype)
+{
+ unsigned HOST_WIDE_INT size;
+ if (compute_builtin_object_size (dest, ostype & 3, &size))
+ return build_int_cst (sizetype, size);
+
+ return NULL_TREE;
+}
+
+/* Helper to determine and check the sizes of the source and the destination
+ of calls to __builtin_{bzero,memcpy,memset} calls. Use Object Size type-0
+ regardless of the OPT_Wstringop_overflow_ setting. Returns true on success
+ (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_memop_sizes (tree exp, tree dest, tree size)
+{
+ if (!warn_stringop_overflow)
+ return true;
+
+ /* For functions like memset and memcpy that operate on raw memory
+ try to determine the size of the largest destination object using
+ type-0 Object Size regardless of the object size type specified
+ by the option. */
+ tree objsize = compute_dest_size (dest, 0);
+
+ return check_sizes (OPT_Wstringop_overflow_, exp,
+ size, /*maxlen=*/NULL_TREE, /*str=*/NULL_TREE, objsize);
+}
+
/* Expand a call EXP to the memcpy builtin.
Return NULL_RTX if we failed, the caller should emit a normal call,
otherwise try to get the result in TARGET, if convenient (and in
@@ -3022,13 +3310,14 @@ expand_builtin_memcpy (tree exp, rtx target)
if (!validate_arglist (exp,
POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_memcpy_args (dest, src, len, target, exp);
- }
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ check_memop_sizes (exp, dest, len);
+
+ return expand_builtin_memcpy_args (dest, src, len, target, exp);
}
/* Expand an instrumented call EXP to the memcpy builtin.
@@ -3076,15 +3365,20 @@ expand_builtin_mempcpy (tree exp, rtx target, machine_mode mode)
if (!validate_arglist (exp,
POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_mempcpy_args (dest, src, len,
- target, mode, /*endp=*/ 1,
- exp);
- }
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ /* Avoid expanding mempcpy into memcpy when the call is determined
+ to overflow the buffer. This also prevents the same overflow
+ from being diagnosed again when expanding memcpy. */
+ if (!check_memop_sizes (exp, dest, len))
+ return NULL_RTX;
+
+ return expand_builtin_mempcpy_args (dest, src, len,
+ target, mode, /*endp=*/ 1,
+ exp);
}
/* Expand an instrumented call EXP to the mempcpy builtin.
@@ -3256,6 +3550,33 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
return target;
}
+/* Do some very basic size validation of a call to the strcpy builtin
+ given by EXP. Return NULL_RTX to have the built-in expand to a call
+ to the library function. */
+
+static rtx
+expand_builtin_strcat (tree exp, rtx)
+{
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE)
+ || !warn_stringop_overflow)
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* There is no way here to determine the length of the string in
+ the destination to which the SRC string is being appended so
+ just diagnose cases when the srouce string is longer than
+ the destination object. */
+
+ tree destsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, /*maxlen=*/NULL_TREE, src, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strcpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call, otherwise
try to get the result in TARGET, if convenient (and in mode MODE if that's
@@ -3264,13 +3585,20 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
static rtx
expand_builtin_strcpy (tree exp, rtx target)
{
- if (validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- return expand_builtin_strcpy_args (dest, src, target);
- }
- return NULL_RTX;
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ if (warn_stringop_overflow)
+ {
+ tree destsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, /*maxlen=*/NULL_TREE, src, destsize);
+ }
+
+ return expand_builtin_strcpy_args (dest, src, target);
}
/* Helper function to do the actual work for expand_builtin_strcpy. The
@@ -3378,6 +3706,131 @@ builtin_strncpy_read_str (void *data, HOST_WIDE_INT offset,
return c_readstr (str + offset, mode);
}
+/* Helper to check the sizes of sequences and the destination of calls
+ to __builtin_strncat and __builtin___strncat_chk. Returns true on
+ success (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_strncat_sizes (tree exp, tree objsize)
+{
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ if (!objsize && warn_stringop_overflow)
+ {
+ /* If it hasn't been provided by __strncat_chk, try to determine
+ the size of the destination object into which the source is
+ being copied. */
+ objsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+ }
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (objsize)
+ && tree_int_cst_equal (objsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow_,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return false;
+ }
+
+ if (!srclen
+ || (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_fits_uhwi_p (srclen)
+ && tree_int_cst_lt (maxlen, srclen)))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ return check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, maxlen, srclen, objsize);
+}
+
+/* Similar to expand_builtin_strcat, do some very basic size validation
+ of a call to the strcpy builtin given by EXP. Return NULL_RTX to have
+ the built-in expand to a call to the library function. */
+
+static rtx
+expand_builtin_strncat (tree exp, rtx)
+{
+ if (!validate_arglist (exp,
+ POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE)
+ || !warn_stringop_overflow)
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ /* The upper bound on the number of bytes to write. */
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
+ tree slen = c_strlen (src, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. First try to determine the size of the destination object
+ into which the source is being copied. */
+ tree destsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (destsize)
+ && tree_int_cst_equal (destsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow_,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return NULL_RTX;
+ }
+
+ if (!srclen
+ || (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_fits_uhwi_p (srclen)
+ && tree_int_cst_lt (maxlen, srclen)))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, maxlen, srclen, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strncpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call. */
@@ -3391,9 +3844,33 @@ expand_builtin_strncpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+ /* The number of bytes to write (not the maximum). */
tree len = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
tree slen = c_strlen (src, 1);
+ if (warn_stringop_overflow)
+ {
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ {
+ get_range_strlen (src, lenrange);
+ slen = lenrange[0];
+ }
+
+ tree destsize = compute_dest_size (dest,
+ warn_stringop_overflow - 1);
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SLEN if LEN's value isn't known. */
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, len, /*maxlen=*/NULL_TREE, slen, destsize);
+ }
+
/* We must be passed a constant len and src parameter. */
if (!tree_fits_uhwi_p (len) || !slen || !tree_fits_uhwi_p (slen))
return NULL_RTX;
@@ -3481,13 +3958,14 @@ expand_builtin_memset (tree exp, rtx target, machine_mode mode)
if (!validate_arglist (exp,
POINTER_TYPE, INTEGER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree val = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_memset_args (dest, val, len, target, mode, exp);
- }
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree val = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ check_memop_sizes (exp, dest, len);
+
+ return expand_builtin_memset_args (dest, val, len, target, mode, exp);
}
/* Expand expression EXP, which is an instrumented call to the memset builtin.
@@ -3668,20 +4146,21 @@ expand_builtin_memset_args (tree dest, tree val, tree len,
static rtx
expand_builtin_bzero (tree exp)
{
- tree dest, size;
- location_t loc = EXPR_LOCATION (exp);
-
if (!validate_arglist (exp, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- dest = CALL_EXPR_ARG (exp, 0);
- size = CALL_EXPR_ARG (exp, 1);
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree size = CALL_EXPR_ARG (exp, 1);
+
+ check_memop_sizes (exp, dest, size);
/* New argument list transforming bzero(ptr x, int y) to
memset(ptr x, int 0, size_t y). This is done this way
so that if it isn't expanded inline, we fallback to
calling bzero instead of memset. */
+ location_t loc = EXPR_LOCATION (exp);
+
return expand_builtin_memset_args (dest, integer_zero_node,
fold_convert_loc (loc,
size_type_node, size),
@@ -6214,12 +6693,24 @@ expand_builtin (tree exp, rtx target, rtx subtarget, machine_mode mode,
return target;
break;
+ case BUILT_IN_STRCAT:
+ target = expand_builtin_strcat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRCPY:
target = expand_builtin_strcpy (exp, target);
if (target)
return target;
break;
+ case BUILT_IN_STRNCAT:
+ target = expand_builtin_strncat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRNCPY:
target = expand_builtin_strncpy (exp, target);
if (target)
@@ -9130,22 +9621,22 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
len = CALL_EXPR_ARG (exp, 2);
size = CALL_EXPR_ARG (exp, 3);
- if (! tree_fits_uhwi_p (size))
+ bool sizes_ok = check_sizes (OPT_Wstringop_overflow_,
+ exp, len, /*maxlen=*/NULL_TREE,
+ /*str=*/NULL_TREE, size);
+
+ if (!tree_fits_uhwi_p (size))
return NULL_RTX;
if (tree_fits_uhwi_p (len) || integer_all_onesp (size))
{
- tree fn;
-
- if (! integer_all_onesp (size) && tree_int_cst_lt (size, len))
- {
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return NULL_RTX;
- }
+ /* Avoid transforming the checking call to an ordinary one when
+ an overflow has been detected or when the call couldn't be
+ validated because the size is not constant. */
+ if (!sizes_ok && !integer_all_onesp (size) && tree_int_cst_lt (size, len))
+ return NULL_RTX;
- fn = NULL_TREE;
+ tree fn = NULL_TREE;
/* If __builtin_mem{cpy,pcpy,move,set}_chk is used, assume
mem{cpy,pcpy,move,set} is available. */
switch (fcode)
@@ -9231,68 +9722,68 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
static void
maybe_emit_chk_warning (tree exp, enum built_in_function fcode)
{
- int is_strlen = 0;
- tree len, size;
- location_t loc = tree_nonartificial_location (exp);
+ /* The source string. */
+ tree srcstr = NULL_TREE;
+ /* The size of the destination object. */
+ tree objsize = NULL_TREE;
+ /* The string that is being concatenated with (as in __strcat_chk)
+ or null if it isn't. */
+ tree catstr = NULL_TREE;
+ /* The maximum length of the source sequence in a bounded operation
+ (such as __strncat_chk) or null if the operation isn't bounded
+ (such as __strcat_chk). */
+ tree maxlen = NULL_TREE;
switch (fcode)
{
case BUILT_IN_STRCPY_CHK:
case BUILT_IN_STPCPY_CHK:
- /* For __strcat_chk the warning will be emitted only if overflowing
- by at least strlen (dest) + 1 bytes. */
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
+ break;
+
case BUILT_IN_STRCAT_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 2);
- is_strlen = 1;
+ /* For __strcat_chk the warning will be emitted only if overflowing
+ by at least strlen (dest) + 1 bytes. */
+ catstr = CALL_EXPR_ARG (exp, 0);
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
break;
+
case BUILT_IN_STRNCAT_CHK:
+ catstr = CALL_EXPR_ARG (exp, 0);
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
+ break;
+
case BUILT_IN_STRNCPY_CHK:
case BUILT_IN_STPNCPY_CHK:
- len = CALL_EXPR_ARG (exp, 2);
- size = CALL_EXPR_ARG (exp, 3);
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
+
case BUILT_IN_SNPRINTF_CHK:
case BUILT_IN_VSNPRINTF_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 3);
+ maxlen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
default:
gcc_unreachable ();
}
- if (!len || !size)
- return;
-
- if (! tree_fits_uhwi_p (size) || integer_all_onesp (size))
- return;
-
- if (is_strlen)
+ if (catstr && maxlen)
{
- len = c_strlen (len, 1);
- if (! len || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
+ /* Check __strncat_chk. There is no way to determine the length
+ of the string to which the source string is being appended so
+ just warn when the length of the source string is not known. */
+ if (!check_strncat_sizes (exp, objsize))
return;
}
- else if (fcode == BUILT_IN_STRNCAT_CHK)
- {
- tree src = CALL_EXPR_ARG (exp, 1);
- if (! src || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- src = c_strlen (src, 1);
- if (! src || ! tree_fits_uhwi_p (src))
- {
- warning_at (loc, 0, "%Kcall to %D might overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return;
- }
- else if (tree_int_cst_lt (src, size))
- return;
- }
- else if (! tree_fits_uhwi_p (len) || ! tree_int_cst_lt (size, len))
- return;
- warning_at (loc, 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ check_sizes (OPT_Wstringop_overflow_, exp,
+ /*size=*/NULL_TREE, maxlen, srcstr, objsize);
}
/* Emit warning if a buffer overflow is detected at compile time
@@ -9346,10 +9837,10 @@ maybe_emit_sprintf_chk_warning (tree exp, enum built_in_function fcode)
else
return;
- if (! tree_int_cst_lt (len, size))
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ /* Add one for the terminating nul. */
+ len = fold_build2 (PLUS_EXPR, TREE_TYPE (len), len, size_one_node);
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, /*maxlen=*/NULL_TREE, len, size);
}
/* Emit warning if a free is called with address of a variable. */
diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
index 7d8a726..d92fca2 100644
--- a/gcc/c-family/c.opt
+++ b/gcc/c-family/c.opt
@@ -665,6 +665,16 @@ Wsizeof-array-argument
C ObjC C++ ObjC++ Var(warn_sizeof_array_argument) Warning Init(1)
Warn when sizeof is applied on a parameter declared as an array.
+Wstringop-overflow
+C ObjC C++ ObjC++ Warning Alias(Wstringop-overflow=, 2, 0)
+Warn about buffer overflow in string manipulation functions like memcpy
+and strcpy.
+
+Wstringop-overflow=
+C ObjC C++ ObjC++ Joined RejectNegative UInteger Var(warn_stringop_overflow) Init(2) Warning
+Under the control of Object Size type, warn about buffer overflow in string
+manipulation functions like memcpy and strcpy.
+
Wsuggest-attribute=format
C ObjC C++ ObjC++ Var(warn_suggest_attribute_format) Warning
Warn about functions which might be candidates for format attributes.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index ad9304f..781caba 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -292,7 +292,8 @@ Objective-C and Objective-C++ Dialects}.
-Wparentheses -Wno-pedantic-ms-format @gol
-Wplacement-new -Wplacement-new=@var{n} @gol
-Wpointer-arith -Wno-pointer-to-int-cast @gol
--Wno-pragmas -Wredundant-decls -Wno-return-local-addr @gol
+-Wno-pragmas -Wredundant-decls @gol
+-Wno-return-local-addr @gol
-Wreturn-type -Wsequence-point -Wshadow -Wno-shadow-ivar @gol
-Wshadow=global, -Wshadow=local, -Wshadow=compatible-local @gol
-Wshift-overflow -Wshift-overflow=@var{n} @gol
@@ -302,6 +303,7 @@ Objective-C and Objective-C++ Dialects}.
-Wsizeof-pointer-memaccess -Wsizeof-array-argument @gol
-Wstack-protector -Wstack-usage=@var{len} -Wstrict-aliasing @gol
-Wstrict-aliasing=n -Wstrict-overflow -Wstrict-overflow=@var{n} @gol
+-Wstringop-overflow=@var{n} @gol
-Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]} @gol
-Wsuggest-final-types @gol -Wsuggest-final-methods -Wsuggest-override @gol
-Wmissing-format-attribute -Wsubobject-linkage @gol
@@ -4908,6 +4910,86 @@ comparisons, so this warning level gives a very large number of
false positives.
@end table
+@item -Wstringop-overflow
+@itemx -Wstringop-overflow=@var{type}
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+Warn for calls to string manipulation functions such as @code{memcpy} and
+@code{strcpy} that are determined to overflow the destination buffer. The
+optional argument is one greater than the type of Object Size Checking to
+perform to determine the size of the destination. @xref{Object Size Checking}.
+The argument is meaningful only for functions that operate on character arrays
+but not for raw memory functions like @code{memcpy} which always make use
+of Object Size type-0. The option also warns for calls that specify a size
+in excess of the largest possible object or at most @code{SIZE_MAX / 2} bytes.
+The option produces the best results with optimization enabled but can detect
+a small subset of simple buffer overflows even without optimization in
+calls to the GCC built-in functions like @code{__builtin_memcpy} that
+correspond to the standard functions. In any case, the option warns about
+just a subset of buffer overflows detected by the corresponding overflow
+checking built-ins. For example, the option will issue a warning for
+the @code{strcpy} call below because it copies at least 5 characters
+(the string @code{"blue"} including the terminating NUL) into the buffer
+of size 4.
+
+@smallexample
+enum Color @{ blue, purple, yellow @};
+const char* f (enum Color clr)
+@{
+ static char buf [4];
+ const char *str;
+ switch (clr)
+ @{
+ case blue: str = "blue"; break;
+ case purple: str = "purple"; break;
+ case yellow: str = "yellow"; break;
+ @}
+
+ return strcpy (buf, str); // warning here
+@}
+@end smallexample
+
+Option @option{-Wstringop-overflow=2} is enabled by default.
+
+@table @gcctabopt
+@item -Wstringop-overflow
+@item -Wstringop-overflow=1
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+The @option{-Wstringop-overflow=1} option uses type-zero Object Size Checking
+to determine the sizes of destination objects. This is the default setting
+of the option. At this setting the option will not warn for writes past
+the end of subobjects of larger objects accessed by pointers unless the
+size of the largest surrounding object is known. When the destination may
+be one of several objects it is assumed to be the largest one of them. On
+Linux systems, when optimization is enabled at this setting the option warns
+for the same code as when the @code{_FORTIFY_SOURCE} macro is defined to
+a non-zero value.
+
+@item -Wstringop-overflow=2
+The @option{-Wstringop-overflow=2} option uses type-one Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+will warn about overflows when writing to members of the largest complete
+objects whose exact size is known. It will, however, not warn for excessive
+writes to the same members of unknown objects referenced by pointers since
+they may point to arrays containing unknown numbers of elements.
+
+@item -Wstringop-overflow=3
+The @option{-Wstringop-overflow=3} option uses type-two Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+warns about overflowing the smallest object or data member. This is the
+most restrictive setting of the option that may result in warnings for safe
+code.
+
+@item -Wstringop-overflow=4
+The @option{-Wstringop-overflow=4} option uses type-three Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+will warn about overflowing any data members, and when the destination is
+one of several objects it uses the size of the largest of them to decide
+whether to issue a warning. Similarly to @option{-Wstringop-overflow=3} this
+setting of the option may result in warnings for benign code.
+@end table
+
@item -Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]}
@opindex Wsuggest-attribute=
@opindex Wno-suggest-attribute=
diff --git a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
index d9ec7e2..9a02373 100644
--- a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
+++ b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
@@ -481,4 +481,4 @@ f4 (char *x, char **y, int z, char w[64])
stpncpy (x, s3, sizeof (s3));
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
index 09263e5..0207f9a 100644
--- a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
+++ b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
@@ -20,7 +20,7 @@ bar ()
{
int *p = new int;
int *q = new int[4];
- MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
- MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
+ MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "writing" }
+ MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "writing" }
baz (p, q);
}
diff --git a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
index ebafc99..d67d6bf 100644
--- a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
+++ b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
@@ -9,7 +9,7 @@ struct B { char z[50]; };
inline void
foo (char *dest, const char *__restrict src, __SIZE_TYPE__ n)
{
- __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "will always overflow" }
+ __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "specified bound 36 exceeds the size 35 of the destination" }
}
void bar (const char *, int);
diff --git a/gcc/testsuite/g++.dg/opt/memcpy1.C b/gcc/testsuite/g++.dg/opt/memcpy1.C
index f291345..e2b1dd2 100644
--- a/gcc/testsuite/g++.dg/opt/memcpy1.C
+++ b/gcc/testsuite/g++.dg/opt/memcpy1.C
@@ -59,7 +59,10 @@ namespace CS
}
uint8 Clip ()
{
- __builtin_memcpy (this->OutP, InP, OutV * sizeof (csVector2));
+ // OutV is initialized to SIZE_MAX in the ctor above causing
+ // the multiplication below to produce a very large number
+ // in excess of the maximum possible object size (SIZE_MAX/2).
+ __builtin_memcpy (this->OutP, InP, OutV * sizeof (csVector2)); // { dg-warning "specified size \[0-9\]+ exceeds maximum object size" }
}
};
}
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
index 8b5c33e..2e6189b 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
@@ -713,4 +713,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-// { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" }
+// { dg-prune-output "\[\n\r\]*overflows\[\n\r\]*" }
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C
index 0e99568..a216f47 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C
@@ -1,7 +1,8 @@
// Test -Wsizeof-pointer-memaccess warnings.
// { dg-do compile }
-// { dg-options "-Wall -Wno-sizeof-array-argument" }
-// Test just twice, once with -O0 non-fortified, once with -O2 fortified.
+// { dg-options "-Wall -Wno-sizeof-array-argument -Wno-stringop-overflow" }
+// Test just twice, once with -O0 non-fortified, once with -O2 fortified,
+// suppressing buffer overflow warnings.
// { dg-skip-if "" { *-*-* } { "*" } { "-O0" "-O2" } }
// { dg-skip-if "" { *-*-* } { "-flto" } { "" } }
diff --git a/gcc/testsuite/gcc.c-torture/compile/pr55569.c b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
index cffbcfc..7708f21 100644
--- a/gcc/testsuite/gcc.c-torture/compile/pr55569.c
+++ b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
@@ -1,4 +1,4 @@
-/* { dg-options "-ftree-vectorize" } */
+/* { dg-options "-Wno-stringop-overflow -ftree-vectorize" } */
int *bar (void);
void
@@ -6,6 +6,10 @@ foo (void)
{
long x;
int *y = bar ();
- for (x = -1 / sizeof (int); x; --x, ++y)
- *y = 0;
+
+ /* The loop below may be optimized to a call to memset with a size
+ that's in excess of the maximum object size. This is diagnosed
+ by the -Wstringop-overflow option. */
+ for (x = -1 / sizeof (int); x; --x, ++y)
+ *y = 0;
}
diff --git a/gcc/testsuite/gcc.dg/Wobjsize-1.c b/gcc/testsuite/gcc.dg/Wobjsize-1.c
index 291cfb9..211e068 100644
--- a/gcc/testsuite/gcc.dg/Wobjsize-1.c
+++ b/gcc/testsuite/gcc.dg/Wobjsize-1.c
@@ -10,6 +10,6 @@ int main(int argc, char **argv)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 6 } */
+/* { dg-warning "writing" "" { target *-*-* } 6 } */
/* { dg-message "file included" "included" { target *-*-* } 0 } */
/* { dg-message "inlined from" "inlined" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/attr-alloc_size.c b/gcc/testsuite/gcc.dg/attr-alloc_size.c
index e8129ce..f50ba7c 100644
--- a/gcc/testsuite/gcc.dg/attr-alloc_size.c
+++ b/gcc/testsuite/gcc.dg/attr-alloc_size.c
@@ -22,15 +22,15 @@ test (void)
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
index e491ff5..7689287 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
@@ -8,7 +8,10 @@
extern void abort (void);
#include "../gcc.c-torture/execute/builtins/chk.h"
-#include <stdarg.h>
+
+#define va_list __builtin_va_list
+#define va_start __builtin_va_start
+#define va_end __builtin_va_end
volatile void *vx;
char buf1[20];
@@ -22,60 +25,61 @@ test (int arg, ...)
char *p = &buf1[10], *q;
memcpy (&buf2[19], "ab", 1);
- memcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy" } */
vx = mempcpy (&buf2[19], "ab", 1);
- vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "mempcpy" } */
+ vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 " "mempcpy" } */
memmove (&buf2[18], &buf1[10], 2);
- memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "will always overflow" "memmove" } */
+ memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "writing 3 " "memmove" } */
memset (&buf2[16], 'a', 4);
- memset (&buf2[15], 'b', 6); /* { dg-warning "will always overflow" "memset" } */
+ memset (&buf2[15], 'b', 6); /* { dg-warning "writing 6 " "memset" } */
strcpy (&buf2[18], "a");
- strcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcpy" } */
vx = stpcpy (&buf2[18], "a");
- vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "stpcpy" } */
+ vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "writing 3" "stpcpy" } */
strncpy (&buf2[18], "a", 2);
- strncpy (&buf2[18], "a", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "a", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
strncpy (&buf2[18], "abc", 2);
- strncpy (&buf2[18], "abc", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "abc", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
memset (buf2, '\0', sizeof (buf2));
strcat (&buf2[18], "a");
memset (buf2, '\0', sizeof (buf2));
- strcat (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcat" } */
+ strcat (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcat" } */
sprintf (&buf2[18], "%s", buf1);
sprintf (&buf2[18], "%s", "a");
- sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "writing 3 " "sprintf" } */
sprintf (&buf2[18], "a");
- sprintf (&buf2[18], "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "ab"); /* { dg-warning "writing 3 " "sprintf" } */
snprintf (&buf2[18], 2, "%d", x);
/* N argument to snprintf is the size of the buffer.
Although this particular call wouldn't overflow buf2,
incorrect buffer size was passed to it and therefore
we want a warning and runtime failure. */
- snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "will always overflow" "snprintf" } */
+ snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "snprintf" } */
va_start (ap, arg);
vsprintf (&buf2[18], "a", ap);
va_end (ap);
+
va_start (ap, arg);
- vsprintf (&buf2[18], "ab", ap); /* { dg-warning "will always overflow" "vsprintf" } */
+ vsprintf (&buf2[18], "ab", ap); /* { dg-warning "writing 3" "vsprintf" } */
va_end (ap);
va_start (ap, arg);
vsnprintf (&buf2[18], 2, "%s", ap);
va_end (ap);
va_start (ap, arg);
/* See snprintf above. */
- vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "will always overflow" "vsnprintf" } */
+ vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "vsnprintf" } */
va_end (ap);
p = p + 10;
memset (p, 'd', 0);
- q = strcpy (p, ""); /* { dg-warning "will always overflow" "strcpy" } */
+ q = strcpy (p, ""); /* { dg-warning "writing 1 " "strcpy" } */
/* This invokes undefined behavior, since we are past the end of buf1. */
p = p + 10;
- memset (p, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (p, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
memset (q, 'd', 0);
- memset (q, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (q, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
q = q - 10;
memset (q, 'd', 10);
}
@@ -90,26 +94,26 @@ void
test2 (const H h)
{
char c;
- strncpy (&c, str, 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&c, str, 3); /* { dg-warning "specified bound 3 exceeds the size 1 of the destination" "strncpy" } */
struct { char b[4]; } x;
- sprintf (x.b, "%s", "ABCD"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (x.b, "%s", "ABCD"); /* { dg-warning "writing 5" "sprintf" } */
unsigned int i;
- memcpy (&i, &h, sizeof (h)); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&i, &h, sizeof (h)); /* { dg-warning "writing 16 " "memcpy" } */
unsigned char buf[21];
- memset (buf + 16, 0, 8); /* { dg-warning "will always overflow" "memset" } */
+ memset (buf + 16, 0, 8); /* { dg-warning "writing 8 " "memset" } */
typedef struct { int i, j, k, l; } S;
S *s[3];
- memset (s, 0, sizeof (S) * 3); /* { dg-warning "will always overflow" "memset" } */
+ memset (s, 0, sizeof (S) * 3); /* { dg-warning "writing 48 " "memset" } */
struct T { char a[8]; char b[4]; char c[10]; } t;
- stpcpy (t.c,"Testing..."); /* { dg-warning "will always overflow" "stpcpy" } */
+ stpcpy (t.c,"Testing..."); /* { dg-warning "writing" "stpcpy" } */
char b1[7];
char b2[4];
memset (b1, 0, sizeof (b1));
- memset (b2, 0, sizeof (b1)); /* { dg-warning "will always overflow" "memset" } */
+ memset (b2, 0, sizeof (b1)); /* { dg-warning "writing 7" "memset" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
index 7c2bb60..d537fb0 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
@@ -6,7 +6,7 @@
/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
#include "../gcc.c-torture/execute/builtins/chk.h"
-
+
void *bar (int);
extern void *malloc (__SIZE_TYPE__);
@@ -115,7 +115,7 @@ baz (const struct A *x, const unsigned char *z)
else
do
{
- memcpy (e, d, 513); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (e, d, 513); /* { dg-warning "writing" "memcpy" } */
e += 4;
}
while (--h);
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
new file mode 100644
index 0000000..43e2a99
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
@@ -0,0 +1,525 @@
+/* Test exercising buffer overflow warnings emitted for raw memory and
+ string manipulation builtins involving ranges of sizes and strings
+ of varying lengths. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+static const size_t ssize_max = SIZE_MAX / 2;
+static const size_t size_max = SIZE_MAX;
+
+extern signed char schar_val;
+extern signed short sshrt_val;
+extern signed int sint_val;
+extern signed long slong_val;
+extern unsigned char uchar_val;
+extern unsigned short ushrt_val;
+extern unsigned int uint_val;
+extern unsigned long ulong_val;
+
+#define memcpy(d, s, n) (memcpy ((d), (s), (n)), sink ((d)))
+extern void* (memcpy)(void*, const void*, size_t);
+
+#define mempcpy(d, s, n) (mempcpy ((d), (s), (n)), sink ((d)))
+extern void* (mempcpy)(void*, const void*, size_t);
+
+#define memset(d, c, n) (memset ((d), (c), (n)), sink ((d)))
+extern void* (memset)(void*, int, size_t);
+
+#define bzero(d, n) (bzero ((d), (n)), sink ((d)))
+extern void (bzero)(void*, size_t);
+
+#define strcat(d, s) (strcat ((d), (s)), sink ((d)))
+extern char* (strcat)(char*, const char*);
+
+#define strncat(d, s, n) (strncat ((d), (s), (n)), sink ((d)))
+extern char* (strncat)(char*, const char*, size_t);
+
+#define strcpy(d, s) (strcpy ((d), (s)), sink ((d)))
+extern char* (strcpy)(char*, const char*);
+
+#define strncpy(d, s, n) (strncpy ((d), (s), (n)), sink ((d)))
+extern char* (strncpy)(char*, const char*, size_t);
+
+void sink (void*);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+ptrdiff_t random_signed_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+unsigned_range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Return a random signed value between MIN and MAX. */
+
+static inline ptrdiff_t
+signed_range (ptrdiff_t min, ptrdiff_t max)
+{
+ const ptrdiff_t val = random_signed_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* For brevity. */
+#define UR(min, max) unsigned_range (min, max)
+#define SR(min, max) signed_range (min, max)
+
+/* UReturn a pointer to constant string whose length is at least MINLEN
+ and at most 10. */
+static inline const char*
+string_range (size_t minlen)
+{
+ static const char str[] = "0123456789";
+
+ const size_t len = unsigned_range (minlen, sizeof str - 1);
+
+ switch (len)
+ {
+ case 10: return "0123456789";
+ case 9: return "012345678";
+ case 8: return "01234567";
+ case 7: return "0123456";
+ case 6: return "012345";
+ case 5: return "01234";
+ case 4: return "0123";
+ case 3: return "012";
+ case 2: return "01";
+ case 1: return "0";
+ case 0: return "";
+ }
+}
+
+#define S(minlen) string_range (minlen)
+
+/* Test memcpy with a number of bytes bounded by a known range. */
+
+void test_memcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ memcpy (buf, s, UR (0, 5));
+ memcpy (buf, s, UR (1, 5));
+ memcpy (buf, s, UR (2, 5));
+ memcpy (buf, s, UR (3, 5));
+ memcpy (buf, s, UR (4, 5));
+
+ memcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memcpy (buf + 5, s, UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 overflows the destination" } */
+
+ memcpy (buf + size_max, s, UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 overflows the destination" "excessive pointer offset" { xfail *-*-* } } */
+
+ memcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memcpy into a destination of unknown size with excessive
+ number of bytes. */
+ memcpy (d, s, UR (ssize_max, size_max));
+ memcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (buf, s, SR (-1, 1));
+ memcpy (buf, s, SR (-3, 2));
+ memcpy (buf, s, SR (-5, 3));
+ memcpy (buf, s, SR (-7, 4));
+ memcpy (buf, s, SR (-9, 5));
+ memcpy (buf, s, SR (-11, 6));
+
+ memcpy (d, s, SR (-1, 1));
+ memcpy (d, s, SR (-3, 2));
+ memcpy (d, s, SR (-5, 3));
+ memcpy (d, s, SR (-7, 4));
+ memcpy (d, s, SR (-9, 5));
+ memcpy (d, s, SR (-11, 6));
+
+ memcpy (buf, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (d, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Even though the following calls are bounded by the range of N's
+ type they must not cause a warning for obvious reasons. */
+ memcpy (buf, s, schar_val);
+ memcpy (buf, s, sshrt_val);
+ memcpy (buf, s, sint_val);
+ memcpy (buf, s, slong_val);
+
+ memcpy (buf, s, uchar_val);
+ memcpy (buf, s, ushrt_val);
+ memcpy (buf, s, uint_val);
+ memcpy (buf, s, ulong_val);
+
+ memcpy (buf, s, schar_val + 1);
+ memcpy (buf, s, sshrt_val + 2);
+ memcpy (buf, s, sint_val + 3);
+ memcpy (buf, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+
+ memcpy (d, s, schar_val);
+ memcpy (d, s, sshrt_val);
+ memcpy (d, s, sint_val);
+ memcpy (d, s, slong_val);
+
+ memcpy (d, s, uchar_val);
+ memcpy (d, s, ushrt_val);
+ memcpy (d, s, uint_val);
+ memcpy (d, s, ulong_val);
+
+ memcpy (d, s, schar_val + 1);
+ memcpy (d, s, sshrt_val + 2);
+ memcpy (d, s, sint_val + 3);
+ memcpy (d, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+}
+
+/* Test mempcpy with a number of bytes bounded by a known range. */
+
+void test_mempcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ mempcpy (buf, s, UR (0, 5));
+ mempcpy (buf, s, UR (1, 5));
+ mempcpy (buf, s, UR (2, 5));
+ mempcpy (buf, s, UR (3, 5));
+ mempcpy (buf, s, UR (4, 5));
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ mempcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ mempcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise mempcpy into a destination of unknown size with excessive
+ number of bytes. */
+ mempcpy (d, s, UR (ssize_max, size_max));
+ mempcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test memset with a number of bytes bounded by a known range. */
+
+void test_memset_range (void *d)
+{
+ char buf[5];
+
+ memset (buf, 0, UR (0, 5));
+ memset (buf, 0, UR (1, 5));
+ memset (buf, 0, UR (2, 5));
+ memset (buf, 0, UR (3, 5));
+ memset (buf, 0, UR (4, 5));
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memset (buf, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memset (buf, 0, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memset into a destination of unknown size with excessive
+ number of bytes. */
+ memset (d, 0, UR (ssize_max, size_max));
+ memset (d, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test bzero with a number of bytes bounded by a known range. */
+
+void test_bzero_range (void *d)
+{
+ char buf[5];
+
+ bzero (buf, UR (0, 5));
+ bzero (buf, UR (1, 5));
+ bzero (buf, UR (2, 5));
+ bzero (buf, UR (3, 5));
+ bzero (buf, UR (4, 5));
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ bzero (buf, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ bzero (buf, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise bzero into a destination of unknown size with excessive
+ number of bytes. */
+ bzero (d, UR (ssize_max, size_max));
+ bzero (d, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strcat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strcat_range (void)
+{
+ char buf[5] = "";
+
+ strcat (buf, S (0));
+ strcat (buf, S (1));
+ strcat (buf, S (2));
+ strcat (buf, S (3));
+ strcat (buf, S (4));
+ strcat (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strcat. */
+ char buf2[5] = "12";
+ strcat (buf2, S (4)); /* { dg-warning "writing 5 bytes into a region of size 3" "strcat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Verify that strcpy with an unknown source string doesn't cause
+ warnings unless the destination has zero size. */
+
+void test_strcpy (const char *src)
+{
+ struct A { char a[2]; char b[3]; } a;
+
+ strcpy (a.a, src);
+ strcpy (a.a + 1, src);
+
+ /* There must be enough room in the destination for the terminating
+ nul, otherwise verify that a warning is issued.
+ The following works as expected with __builtin___strcpy_chk and
+ __builtin_object_size because they see that the offset is from
+ the a.a array. When optimization is enabled, it isn't detected
+ by __bultin_strcpy (when __builtin_object_size isn't called
+ explicitly) because by the time it's seen the offset has been
+ transformed to one from the beginning of the whole object, i.e.,
+ as if it had been written as (char*)&a + 2 . Then the destination
+ size is taken to be the rest of the whole object. It is detected
+ by __builtin_strcpy when optimization is not enabled because then
+ the &a.a + 2 expression is preserved. But without optimization
+ an ordinary call to strcpy isn't transformed to __builtin_strcpy
+ and so it can't be detected here (since the rest of the test
+ relies on optimization). */
+ strcpy (a.a + 2, src); /* { dg-warning "writing at least 1 byte into a region of size 0 " "strcpy into empty substring" { xfail *-*-* } } */
+
+ /* This does work. */
+ strcpy (a.a + 5, src); /* { dg-warning "writing at least 1 byte into a region of size 0 " } */
+
+ /* As does this. */
+ strcpy (a.a + 17, src); /* { dg-warning "writing at least 1 byte into a region of size 0 " } */
+}
+
+/* Test strcpy with a non-constant source string of length in a known
+ range. */
+
+void test_strcpy_range (void)
+{
+ char buf[5];
+
+ strcpy (buf, S (0));
+ strcpy (buf, S (1));
+ strcpy (buf, S (2));
+ strcpy (buf, S (4));
+ strcpy (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+ strcpy (buf, S (6)); /* { dg-warning "writing 7 bytes into a region of size 5 " } */
+ strcpy (buf, S (7)); /* { dg-warning "writing 8 bytes into a region of size 5 " } */
+ strcpy (buf, S (8)); /* { dg-warning "writing 9 bytes into a region of size 5 " } */
+ strcpy (buf, S (9)); /* { dg-warning "writing 10 bytes into a region of size 5 " } */
+ strcpy (buf, S (10)); /* { dg-warning "writing 11 bytes into a region of size 5 " } */
+
+ strcpy (buf + 5, S (0)); /* { dg-warning "writing 1 byte into a region of size 0 " } */
+
+ strcpy (buf + 17, S (0)); /* { dg-warning "writing 1 byte into a region of size 0 " } */
+}
+
+/* Test strncat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strncat_range (void)
+{
+ char buf[5] = "";
+
+ strncat (buf, S (0), 0);
+ strncat (buf, S (0), 1);
+ strncat (buf, S (0), 2);
+ strncat (buf, S (0), 3);
+ strncat (buf, S (0), 4);
+
+ strncat (buf + 5, S (0), 0);
+
+ strncat (buf + 5, S (0), 1); /* { dg-warning "specified bound 1 exceeds the size 0 of the destination " } */
+ strncat (buf + 5, S (1), 1); /* { dg-warning "specified bound 1 exceeds the size 0 of the destination " } */
+
+ /* Strncat always appends a terminating null after copying the N
+ characters so the following triggers a warning pointing out
+ that specifying sizeof(buf) as the upper bound may cause
+ the nul to overflow the destination. */
+ strncat (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (0), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ strncat (buf, S (1), 0);
+ strncat (buf, S (1), 1);
+ strncat (buf, S (1), 2);
+ strncat (buf, S (1), 3);
+ strncat (buf, S (1), 4);
+ strncat (buf, S (1), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (1), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+ strncat (buf, S (2), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ /* The following could just as well say "writing 6 bytes into a region
+ of size 5. Either would be correct and probably equally as clear
+ in this case. But when the length of the source string is not known
+ at all then the bound warning seems clearer. */
+ strncat (buf, S (5), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination " } */
+ strncat (buf, S (7), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strncpy. */
+ char buf2[5] = "12";
+ strncat (buf2, S (4), 4); /* { dg-warning "writing 5 bytes into a region of size 3" "strncat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strncat_chk with an argument referencing a non-constant string
+ of lengths in a known range. */
+
+void test_strncat_chk_range (char *d)
+{
+ char buf[5] = "";
+
+#define strncat_chk(d, s, n) \
+ __builtin___strncat_chk ((d), (s), (n), __builtin_object_size (d, 1));
+
+ strncat_chk (buf, S (0), 1);
+ strncat_chk (buf, S (0), 2);
+ strncat_chk (buf, S (0), 3);
+ strncat_chk (buf, S (0), 4);
+ strncat_chk (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), 1);
+ strncat_chk (buf, S (5), 2);
+ strncat_chk (buf, S (5), 3);
+ strncat_chk (buf, S (5), 4);
+ strncat_chk (buf, S (5), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds the size 5 of the destination " } */
+
+ strncat_chk (d, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size " } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a constant number of bytes. */
+
+void test_strncpy_string_range (char *d)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), 0);
+ strncpy (buf, S (0), 1);
+ strncpy (buf, S (0), 2);
+ strncpy (buf, S (0), 3);
+ strncpy (buf, S (0), 4);
+ strncpy (buf, S (0), 5);
+ strncpy (buf, S (0), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (6), 4);
+ strncpy (buf, S (7), 5);
+ strncpy (buf, S (8), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (1), ssize_max - 1); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (2), ssize_max); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (buf, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (1), ssize_max - 1);
+ strncpy (d, S (2), ssize_max);
+ strncpy (d, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (d, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a non-constant number of bytes also in a known range. */
+
+void test_strncpy_string_count_range (char *dst, const char *src)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), UR (0, 1));
+ strncpy (buf, S (0), UR (0, 2));
+ strncpy (buf, S (0), UR (0, 3));
+ strncpy (buf, S (0), UR (0, 4));
+ strncpy (buf, S (0), UR (0, 5));
+ strncpy (buf, S (0), UR (0, 6));
+ strncpy (buf, S (0), UR (1, 6));
+ strncpy (buf, S (0), UR (2, 6));
+ strncpy (buf, S (0), UR (3, 6));
+ strncpy (buf, S (0), UR (4, 6));
+ strncpy (buf, S (0), UR (5, 6));
+
+ strncpy (buf, S (9), UR (0, 1));
+ strncpy (buf, S (8), UR (0, 2));
+ strncpy (buf, S (7), UR (0, 3));
+ strncpy (buf, S (6), UR (0, 4));
+ strncpy (buf, S (8), UR (0, 5));
+ strncpy (buf, S (7), UR (0, 6));
+ strncpy (buf, S (6), UR (1, 6));
+ strncpy (buf, S (5), UR (2, 6));
+ strncpy (buf, S (9), UR (3, 6));
+ strncpy (buf, S (8), UR (4, 6));
+ strncpy (buf, S (7), UR (5, 6));
+
+ strncpy (buf, S (0), UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+ strncpy (buf, S (1), UR (7, 8)); /* { dg-warning "writing between 7 and 8 bytes into a region of size 5 " } */
+ strncpy (buf, S (2), UR (ssize_max, ssize_max + 1)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 " } */
+
+ strncpy (buf, S (2), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ strncpy (buf + 5, S (0), UR (0, 1));
+ strncpy (buf + 5, S (1), UR (0, 1));
+ strncpy (buf + 5, S (0), UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 " } */
+ strncpy (buf + 5, S (1), UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 " } */
+
+ strncpy (buf, src, UR (0, 1));
+ strncpy (buf, src, UR (0, 2));
+ strncpy (buf, src, UR (0, 3));
+ strncpy (buf, src, UR (0, 4));
+ strncpy (buf, src, UR (0, 5));
+ strncpy (buf, src, UR (0, 6));
+ strncpy (buf, src, UR (1, 6));
+ strncpy (buf, src, UR (2, 6));
+ strncpy (buf, src, UR (3, 6));
+ strncpy (buf, src, UR (4, 6));
+ strncpy (buf, src, UR (5, 6));
+ strncpy (buf, src, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (dst, S (0), UR (5, 6));
+ strncpy (dst, S (1), UR (6, 7));
+ strncpy (dst, S (2), UR (7, 8));
+
+ strncpy (dst, S (3), UR (ssize_max, ssize_max + 1));
+
+ strncpy (dst, S (4), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
new file mode 100644
index 0000000..489f880
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
@@ -0,0 +1,260 @@
+/* Test exercising -Wrawmem-overflow and -Wstringop-overflow warnings. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wstringop-overflow=1" } */
+
+#define offsetof(type, mem) __builtin_offsetof (type, mem)
+
+/* Return the number of bytes from member MEM of TYPE to the end
+ of object OBJ. */
+#define offsetfrom(type, obj, mem) (sizeof (obj) - offsetof (type, mem))
+
+
+typedef __SIZE_TYPE__ size_t;
+extern void* memcpy (void*, const void*, size_t);
+extern void* memset (void*, int, __SIZE_TYPE__);
+
+
+struct A { char a, b; };
+struct B { struct A a; char c, d; };
+
+/* Function to call to "escape" pointers from tests below to prevent
+ GCC from assuming the values of the objects they point to stay
+ the unchanged. */
+void escape (void*, ...);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Verify that writing past the end of a local array is diagnosed. */
+
+void test_memop_warn_local (const void *src)
+{
+ size_t n;
+
+ n = range (8, 32);
+
+ struct A a[2];
+
+ memcpy (a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+ escape (a, src);
+
+ /* At -Wrawmem-overflow=1 the destination is considered to be
+ the whole array and its size is therefore sizeof a. */
+ memcpy (&a[0], src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+ escape (a, src);
+
+ /* Verify the same as above but by writing into the first mmeber
+ of the first element of the array. */
+ memcpy (&a[0].a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+ escape (a, src);
+
+ n = range (12, 32);
+
+ struct B b[2];
+
+ memcpy (&b[0], src, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 8 overflows the destination" } */
+ escape (b);
+
+ /* The following idiom of clearing multiple members of a struct is
+ used in a few places in the Linux kernel. Verify that a warning
+ is issued for it when it writes past the end of the array object. */
+ memset (&b[0].a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" } */
+ escape (b);
+
+ memset (&b->a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" } */
+ escape (b);
+
+ memset (&b[0].c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" } */
+ escape (b);
+
+ memset (&b->c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" } */
+ escape (b);
+
+ memset (&b[0].d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+ escape (b);
+
+ memset (&b->d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+ escape (b);
+
+ /* Same as above but clearing just elements of the second element
+ of the array. */
+ memset (&b[1].a.b, 0, offsetfrom (struct B, b[1], a.b) + 1); /* { dg-warning "writing 4 bytes into a region of size 3" } */
+ escape (b);
+
+ memset (&b[1].c, 0, offsetfrom (struct B, b[1], c) + 1); /* { dg-warning "writing 3 bytes into a region of size 2" } */
+ escape (b);
+
+ memset (&b[1].d, 0, offsetfrom (struct B, b[1], d) + 1); /* { dg-warning "writing 2 bytes into a region of size 1" } */
+ escape (b);
+}
+
+/* Verify that writing past the end of a dynamically allocated array
+ of known size is diagnosed. */
+
+void test_memop_warn_alloc (const void *src)
+{
+ size_t n;
+
+ n = range (8, 32);
+
+ struct A *a = __builtin_malloc (sizeof *a * 2);
+
+ memcpy (a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (a, src);
+
+ /* At -Wrawmem-overflow=1 the destination is considered to be
+ the whole array and its size is therefore sizeof a. */
+ memcpy (&a[0], src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (a, src);
+
+ /* Verify the same as above but by writing into the first mmeber
+ of the first element of the array. */
+ memcpy (&a[0].a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (a, src);
+
+ n = range (12, 32);
+
+ struct B *b = __builtin_malloc (sizeof *b * 2);
+
+ memcpy (&b[0], src, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 8 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ /* The following idiom of clearing multiple members of a struct is
+ used in a few places in the Linux kernel. Verify that a warning
+ is issued for it when it writes past the end of the array object. */
+ memset (&b[0].a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b->a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[0].c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b->c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[0].d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b->d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ /* Same as above but clearing just elements of the second element
+ of the array. */
+ memset (&b[1].a.b, 0, offsetfrom (struct B, b[1], a.b) + 1); /* { dg-warning "writing 4 bytes into a region of size 3" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[1].c, 0, offsetfrom (struct B, b[1], c) + 1); /* { dg-warning "writing 3 bytes into a region of size 2" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[1].d, 0, offsetfrom (struct B, b[1], d) + 1); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+}
+
+
+void test_memop_nowarn (const void *src)
+{
+ struct B b[2];
+
+ size_t n = range (sizeof b, 32);
+
+ /* Verify that clearing the whole array is not diagnosed regardless
+ of whether the expression pointing to its beginning is obtained
+ from the array itself or its first member(s). */
+ memcpy (b, src, n);
+ escape (b);
+
+ memcpy (&b[0], src, n);
+ escape (b);
+
+ memcpy (&b[0].a, src, n);
+ escape (b, src);
+
+ memcpy (&b[0].a.a, src, n);
+ escape (b, src);
+
+ /* Clearing multiple elements of an array of structs. */
+ memset (&b[0].a.b, 0, sizeof b - offsetof (struct B, a.b));
+ escape (b);
+
+ memset (&b->a.b, 0, sizeof b - offsetof (struct B, a.b));
+ escape (b);
+
+ memset (&b[0].c, 0, sizeof b - offsetof (struct B, c));
+ escape (b);
+
+ memset (&b->c, 0, sizeof b - offsetof (struct B, c));
+ escape (b);
+
+ memset (&b[0].d, 0, sizeof b - offsetof (struct B, d));
+ escape (b);
+
+ memset (&b->d, 0, sizeof b - offsetof (struct B, d));
+ escape (b);
+
+ /* Same as above but clearing just elements of the second element
+ of the array. */
+ memset (&b[1].a.b, 0, sizeof b[1] - offsetof (struct B, a.b));
+ escape (b);
+
+ memset (&b[1].c, 0, sizeof b[1] - offsetof (struct B, c));
+ escape (b);
+
+ memset (&b[1].d, 0, sizeof b[1] - offsetof (struct B, d));
+ escape (b);
+}
+
+
+/* The foollowing function could specify in its API that it takes
+ an array of exactly two elements, as shown below. Verify that
+ writing into both elements is not diagnosed. */
+void test_memop_nowarn_arg (struct A[2], const void*);
+
+void test_memop_nowarn_arg (struct A *a, const void *src)
+{
+ memcpy (a, src, 2 * sizeof *a);
+ escape (a, src);
+
+ memcpy (a, src, range (2 * sizeof *a, 123));
+ escape (a, src);
+}
+
+
+struct C { char a[3], b; };
+struct D { struct C c; char d, e; };
+
+extern char* strncpy (char*, const char*, __SIZE_TYPE__);
+
+void test_stringop_warn (void)
+{
+ size_t n = range (2 * sizeof (struct D) + 1, 33);
+
+ struct C c[2];
+
+ /* Similarly, at -Wstringop-overflow=1 the destination is considered
+ to be the whole array and its size is therefore sizeof c. */
+ strncpy (c[0].a, "123", n); /* { dg-warning "writing between 13 and 33 bytes into a region of size 8 overflows the destination" } */
+
+ escape (c);
+}
+
+
+void test_stringop_nowarn (void)
+{
+ struct D d[2];
+
+ strncpy (d[0].c.a, "123", range (sizeof d, 32));
+ escape (d);
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c
new file mode 100644
index 0000000..9572ce1
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c
@@ -0,0 +1,112 @@
+/* Test exercising -Wrawmem-overflow and -Wstringop-overflow warnings. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wstringop-overflow=2" } */
+
+#define offsetof(type, mem) __builtin_offsetof (type, mem)
+
+/* Return the number of bytes from member MEM of TYPE to the end
+ of object OBJ. */
+#define offsetfrom(type, obj, mem) (sizeof (obj) - offsetof (type, mem))
+
+
+typedef __SIZE_TYPE__ size_t;
+extern void* memcpy (void*, const void*, size_t);
+extern void* memset (void*, int, __SIZE_TYPE__);
+
+
+struct A { char a, b; };
+struct B { struct A a; char c, d; };
+
+/* Function to call to "escape" pointers from tests below to prevent
+ GCC from assuming the values of the objects they point to stay
+ the unchanged. */
+void escape (void*, ...);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+
+void test_memop_warn_object (const void *src)
+{
+ unsigned n = range (17, 29);
+
+ struct A a[2];
+
+ /* At both -Wstringop-overflow=2, like at 1, the destination of functions
+ that operate on raw memory is considered to be the whole array and its
+ size is therefore sizeof a. */
+ memcpy (&a[0], src, n); /* { dg-warning "writing between 17 and 29 bytes into a region of size 4 overflows the destination" } */
+ escape (a);
+}
+
+void test_memop_warn_subobject (const void *src)
+{
+ unsigned n = range (17, 31);
+
+ struct B b[2];
+
+ /* At -Wrawmem-overflow=2 the destination is considered to be
+ the member sobobject of the first array element and its size
+ is therefore sizeof b[0].a. */
+ memcpy (&b[0].a, src, n); /* { dg-warning "writing between 17 and 31 bytes into a region of size 8 overflows the destination" } */
+
+ escape (b);
+}
+
+void test_memop_nowarn_subobject (void)
+{
+ struct B b[2];
+
+ /* The following idiom of clearing multiple members of a struct
+ has been seen in a few places in the Linux kernel. Verify
+ that a warning is not issued for it. */
+ memset (&b[0].c, 0, sizeof b[0] - offsetof (struct B, c));
+
+ escape (b);
+}
+
+struct C { char a[3], b; };
+struct D { struct C c; char d, e; };
+
+extern char* strncpy (char*, const char*, __SIZE_TYPE__);
+
+void test_stringop_warn_object (const char *str)
+{
+ unsigned n = range (2 * sizeof (struct D), 32);
+
+ struct C c[2];
+
+ /* Similarly, at -Wstringop-overflow=2 the destination is considered
+ to be the array member of the first element of the array c and its
+ size is therefore sizeof c[0].a. */
+ strncpy (c[0].a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (c);
+
+ strncpy (c[0].a, str, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (c);
+}
+
+void test_stringop_warn_subobject (const char *src)
+{
+ unsigned n = range (2 * sizeof (struct D), 32);
+
+ struct D d[2];
+
+ /* Same as above. */
+ strncpy (d[0].c.a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (d);
+
+ strncpy (d[0].c.a, src, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (d);
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
index 44677f1..daff680 100644
--- a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
@@ -24,15 +24,15 @@ test (int arg, ...)
*p = 0;
strncat (p, "abcdefghi", 10);
*p = 0;
- strncat (p, "abcdefghij", 10); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghij", 10); /* { dg-warning "writing 11 bytes into a region of size 10 overflows the destination" } */
*p = 0;
strncat (p, "abcdefgh", 11);
*p = 0;
- strncat (p, "abcdefghijkl", 11); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghijkl", 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
*p = 0;
strncat (p, q, 9);
*p = 0;
- strncat (p, q, 10); /* { dg-warning "might overflow" } */
+ strncat (p, q, 10); /* { dg-warning "specified bound 10 equals the size of the destination" } */
*p = 0;
- strncat (p, q, 11); /* { dg-warning "might overflow" } */
+ strncat (p, q, 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
}
diff --git a/gcc/testsuite/gcc.dg/fstack-protector-strong.c b/gcc/testsuite/gcc.dg/fstack-protector-strong.c
index 8e9d891..94dc350 100644
--- a/gcc/testsuite/gcc.dg/fstack-protector-strong.c
+++ b/gcc/testsuite/gcc.dg/fstack-protector-strong.c
@@ -106,7 +106,7 @@ int
foo8 ()
{
char base[100];
- memcpy ((void *)base, (const void *)pg0, 105);
+ memcpy ((void *)base, (const void *)pg0, 105); /* { dg-warning "writing 105 bytes into a region of size 100" } */
return (int)(base[32]);
}
diff --git a/gcc/testsuite/gcc.dg/memcpy-2.c b/gcc/testsuite/gcc.dg/memcpy-2.c
index 24464abd..7f839d2 100644
--- a/gcc/testsuite/gcc.dg/memcpy-2.c
+++ b/gcc/testsuite/gcc.dg/memcpy-2.c
@@ -7,7 +7,7 @@ typedef __SIZE_TYPE__ size_t;
extern inline __attribute__((gnu_inline, always_inline, artificial)) void *
memcpy (void *__restrict dest, const void *__restrict src, size_t len)
{
- return __builtin___memcpy_chk (dest, /* { dg-warning "will always overflow destination buffer" } */
+ return __builtin___memcpy_chk (dest, /* { dg-warning "writing" } */
src, len, __builtin_object_size (dest, 0));
}
diff --git a/gcc/testsuite/gcc.dg/pr40340-1.c b/gcc/testsuite/gcc.dg/pr40340-1.c
index aae84c6..78540a2 100644
--- a/gcc/testsuite/gcc.dg/pr40340-1.c
+++ b/gcc/testsuite/gcc.dg/pr40340-1.c
@@ -20,5 +20,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-2.c b/gcc/testsuite/gcc.dg/pr40340-2.c
index a0d6e084..1dc21d1 100644
--- a/gcc/testsuite/gcc.dg/pr40340-2.c
+++ b/gcc/testsuite/gcc.dg/pr40340-2.c
@@ -12,5 +12,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-5.c b/gcc/testsuite/gcc.dg/pr40340-5.c
index f50514c..e517147 100644
--- a/gcc/testsuite/gcc.dg/pr40340-5.c
+++ b/gcc/testsuite/gcc.dg/pr40340-5.c
@@ -13,5 +13,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
index 7ce9eae..b5a59f4 100644
--- a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
+++ b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
@@ -710,4 +710,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/gcc.dg/torture/pr71132.c b/gcc/testsuite/gcc.dg/torture/pr71132.c
index 2991718..2544eb1 100644
--- a/gcc/testsuite/gcc.dg/torture/pr71132.c
+++ b/gcc/testsuite/gcc.dg/torture/pr71132.c
@@ -1,4 +1,9 @@
/* { dg-do compile } */
+/* { dg-additional-options "-Wno-stringop-overflow" } */
+/* The loop below writes past the end of the global object a.
+ When the loop is transformed into a call to memcpy the buffer
+ overflow is detected and diagnosed by the -Wstringop-overflow
+ option enabled by default. */
typedef unsigned size_t;
struct {
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 19:32 ` Jakub Jelinek
2016-11-04 20:16 ` Martin Sebor
@ 2016-11-07 0:50 ` Martin Sebor
2016-11-16 18:10 ` Jeff Law
2 siblings, 0 replies; 22+ messages in thread
From: Martin Sebor @ 2016-11-07 0:50 UTC (permalink / raw)
To: Jakub Jelinek; +Cc: Jeff Law, gcc-patches, Tobias Burnus
> But obviously not all levels of the warning can/should be enabled
> with -Wall/-Werror. There are cases which are worth warning by default
> (the case where we want to inform the user if you reach this stmt,
> you'll get your program killed (will call __chk_fail)) is something
> that ought like before be enabled by default; can have a warning
> switch users can disable.
> Then there is the case where there is a sure buffer overflow (not using
> -D_FORTIFY_SOURCE, but still __bos (, 0) tells the buffer is too short,
> and it is unconditional (no tricks with PHIs where one path has short
> and another part has long size). This is something that is useful
> in -Wall.
> The rest I'm very doubtful about even for -Wextra.
I've posted an updated patch that disables the warning for the cases
you were concerned about but I want to respond these two points.
GCC issues a number of different kinds of warnings under -Wall and
-Wextra for constructs that are strictly safe but that have been
known to cause bugs down the line. Those warnings are helpful even
if some of their instances could be considered false positives.
I think the same is even more true for warnings that help detect
defects as serious as buffer overflows.
> One thing is that for useful warnings users have to be able to do something
> to quiet them. For -Wmisleading-indentation you indent your code properly,
> for -Wimplicit-fallthrough you add attributes or comments, etc.
> But I really don't know what you want people to do to tell the compiler
> the warning is a false positive. Add asm ("" : "+g" (ptr)); to hide
> everything from the compiler? Too ugly, too unportable, pessimizing correct
> code.
That's a valid question to ask. There are a few portable ways to
suppress these warnings. The latest patch doesn't warn on the
examples you posted above anymore but here's one where it does
warn where _FORTIIFY_SOURCE did not before the patch. The example
shows the code that triggers the warning (in function f) and how
the warning can be suppressed (in function g).
The code in f is questionable (and, in my view, would be even if
it called memcpy instead) and suggests that the programmer may
have made a mistake. If the intent is to copy the string over
the whole struct then it's better written as in g (though using
memcpy would be more appropriate).
$ cat b.c && gcc -O2 -S -Wall -Wextra b.c
extern char* strcpy (char*, const char*);
const char* const s0 = "1234";
const char* const s1 = "12345";
struct S { char a[4]; char b[4]; };
void f (struct S *s, _Bool i)
{
strcpy (s->a, i ? s1 : s0);
}
void g (struct S *s, _Bool i)
{
strcpy ((char*)s, i ? s1 : s0);
}
b.c: In function ‘f’:
b.c:10:3: warning: strcpy writing 5 bytes into a region of size 4
overflows the destination [-Wstringop-overflow=]
strcpy (s->a, i ? s1 : s0);
^~~~~~~~~~~~~~~~~~~~~~~~~~
Martin
^ permalink raw reply [flat|nested] 22+ messages in thread
* [PING] [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-04 20:16 ` Martin Sebor
@ 2016-11-09 22:50 ` Martin Sebor
2016-11-16 15:58 ` [PING 2] " Martin Sebor
2016-12-07 19:42 ` [PING] " Jeff Law
0 siblings, 2 replies; 22+ messages in thread
From: Martin Sebor @ 2016-11-09 22:50 UTC (permalink / raw)
To: Jakub Jelinek, Jeff Law, gcc-patches, Tobias Burnus
[-- Attachment #1: Type: text/plain, Size: 1571 bytes --]
The attached minor update to the patch also resolves bug 77784 that
points out that -Wformat-length issues a warning also issued during
the expansion of some of the __builtin___sprintf_chk intrinsics.
Martin
On 11/04/2016 02:16 PM, Martin Sebor wrote:
> Attached is an update to the patch that takes into consideration
> the feedback I got. It goes back to adding just one option,
> -Wstringop-overflow, as in the original, while keeping the Object
> Size type as an argument. It uses type-1 as the default setting
> for string functions (strcpy et al.) and, unconditionally, type-0
> for raw memory functions (memcpy, etc.)
>
> I retested Binutils 2.27 and the Linux kernel again with this patch
> and also added Glibc, and it doesn't complain about anything (both
> Binutils and the kernel also build cleanly with an unpatched GCC
> with_FORTIFY_SOURCE=2 or its rough equivalent for the kernel).
> The emit-rtl.c warning (bug 78174) has also been suppressed by
> the change to bos type-0 for memcpy.
>
> While the patch doesn't trigger any false positives (AFAIK) it is
> subject to a fair number of false negatives due to the limitations
> of the tree-object-size pass, and due to transformations done by
> other passes that prevent it from detecting some otherwise obvious
> overflows. Although unfortunate, I believe the warnings that are
> emitted are useful as the first line of defense in software that
> doesn't use _FORTIFY_SOURCE (such as GCC itself). And this can
> of course be improved if some of the limitations are removed over
> time.
>
> Martin
[-- Attachment #2: gcc-53562.diff --]
[-- Type: text/x-patch, Size: 94954 bytes --]
PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
PR middle-end/77784 - duplicate warning for snprintf when n > object size
PR middle-end/78149 - missing warning on strncpy buffer overflow due to an excessive bound
PR middle-end/78138 - missing warnings on buffer overflow with non-constant source length
gcc/c-family/ChangeLog:
PR c/53562
* c.opt (-Wstringop-overflow): New option.
gcc/ChangeLog:
PR c/53562
PR middle-end/77784
PR middle-end/78149
PR middle-end/78138
* builtins.c (expand_builtin_strcat, expand_builtin_strncat): New
functions.
(compute_dest_size, get_size_range, check_sizes, check_strncat_sizes)
(check_memop_sizes): Same.
(expand_builtin_memcpy): Call check memop_sizes.
(expand_builtin_mempcpy): Same.
(expand_builtin_memset): Same,
(expand_builtin_bzero): Same.
(expand_builtin_memory_chk): Call check_sizes.
(expand_builtin_strcpy): Same.
(expand_builtin_strncpy): Same.
(maybe_emit_sprintf_chk_warning): Same.
(expand_builtin): Handle strcat and strncat.
(fini_object_sizes): Reset pointers.
(compute_object_size): New function.
* gimple-ssa-sprintf.c (pass_sprintf_length::handle_gimple_call):
Avoid issuing warnings also issued during built-in expansion.
* doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
gcc/testsuite/ChangeLog:
PR c/53562
PR middle-end/77784
PR middle-end/78149
PR middle-end/78138
* c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust expected diagnostic.
* g++.dg/ext/builtin-object-size3.C (bar): Same.
* g++.dg/ext/strncpy-chk1.C: Same.
* g++.dg/opt/memcpy1.C: Same.
* g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
* gcc.c-torture/compile/pr55569.c: Disable -Wstringop-overflow.
* gcc.dg/Wobjsize-1.c: Adjust expected diagnostic.
* gcc.dg/attr-alloc_size.c: Same.
* gcc.dg/builtin-stringop-chk-1.c: Adjust expected diagnostic.
* gcc.dg/builtin-stringop-chk-2.c: Same.
* gcc.dg/builtin-stringop-chk-4.c: New test.
* gcc.dg/builtin-strncat-chk-1.c: Adjust expected diagnostic.
* gcc.dg/memcpy-2.c: Same.
* gcc.dg/pr40340-1.c: Same.
* gcc.dg/pr40340-2.c (main): Same.
* gcc.dg/pr40340-5.c (main): Same.
* gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
* gcc.dg/torture/pr71132.c: Disable -Wstringop-overflow.
* gcc.dg/tree-ssa/builtin-sprintf-warn-1.c: Adjust text of expected
warning.
* gcc.dg/fstack-protector-strong.c: Add expected diagnostic.
diff --git a/gcc/builtins.c b/gcc/builtins.c
index cc711a0..cb7bbaf 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -67,7 +67,7 @@ along with GCC; see the file COPYING3. If not see
#include "internal-fn.h"
#include "case-cfn-macros.h"
#include "gimple-fold.h"
-
+#include "intl.h"
struct target_builtins default_target_builtins;
#if SWITCHABLE_TARGET
@@ -125,9 +125,11 @@ static rtx expand_builtin_mempcpy (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_with_bounds (tree, rtx, machine_mode);
static rtx expand_builtin_mempcpy_args (tree, tree, tree, rtx,
machine_mode, int, tree);
+static rtx expand_builtin_strcat (tree, rtx);
static rtx expand_builtin_strcpy (tree, rtx);
static rtx expand_builtin_strcpy_args (tree, tree, rtx);
static rtx expand_builtin_stpcpy (tree, rtx, machine_mode);
+static rtx expand_builtin_strncat (tree, rtx);
static rtx expand_builtin_strncpy (tree, rtx);
static rtx builtin_memset_gen_str (void *, HOST_WIDE_INT, machine_mode);
static rtx expand_builtin_memset (tree, rtx, machine_mode);
@@ -3011,6 +3013,295 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
return dest_addr;
}
+/* Fill the 2-element RANGE array with the minimum and maximum values
+ EXP is known to have and return true, otherwise null and return
+ false. */
+
+static bool
+get_size_range (tree exp, tree range[2])
+{
+ if (tree_fits_uhwi_p (exp))
+ {
+ range[0] = range[1] = exp;
+ return true;
+ }
+
+ if (TREE_CODE (exp) == SSA_NAME)
+ {
+ wide_int min, max;
+ enum value_range_type range_type = get_range_info (exp, &min, &max);
+
+ if (range_type == VR_RANGE)
+ {
+ /* Interpret the bound in the variable's type. */
+ range[0] = wide_int_to_tree (TREE_TYPE (exp), min);
+ range[1] = wide_int_to_tree (TREE_TYPE (exp), max);
+ return true;
+ }
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ /* An anti-range implies the original variable is signed and
+ its lower bound is negative and the upper bound positive.
+ Since that means that the expression's value could be zero
+ nothing interesting can be inferred from this. */
+ }
+ }
+
+ range[0] = NULL_TREE;
+ range[1] = NULL_TREE;
+ return false;
+}
+
+/* Try to verify that the sizes and lengths of the arguments to a string
+ manipulation function given by EXP are within valid bounds and that
+ the operation does not lead to buffer overflow. Arguments other than
+ EXP may be null. When non-null, the arguments have the following
+ meaning:
+ SIZE is the user-supplied size argument to the function (such as in
+ memcpy(d, s, SIZE) or strncpy(d, s, SIZE). It specifies the exact
+ number of bytes to write.
+ MAXLEN is the user-supplied bound on the length of the source sequence
+ (such as in strncat(d, s, N). It specifies the upper limit on the number
+ of bytes to write.
+ STR is the source string (such as in strcpy(d, s)) when the epxression
+ EXP is a string function call (as opposed to a memory call like memcpy).
+ As an exception, STR can also be an integer denoting the precomputed
+ length of the source string.
+ OBJSIZE is the size of the destination object specified by the last
+ argument to the _chk builtins, typically resulting from the expansion
+ of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
+ OBJSIZE).
+
+ When SIZE is null LEN is checked to verify that it doesn't exceed
+ SIZE_MAX.
+
+ If the call is successfully verfified as safe from buffer overflow
+ the function returns true, otherwise false.. */
+
+static bool
+check_sizes (int opt, tree exp, tree size, tree maxlen, tree str, tree objsize)
+{
+ /* The size of the largest object is half the address space, or
+ SSIZE_MAX. (This is way too permissive.) */
+ tree maxobjsize = TYPE_MAX_VALUE (ssizetype);
+
+ tree slen = NULL_TREE;
+
+ /* Set to true when the exact number of bytes written by a string
+ function like strcpy is not known and the only thing that is
+ known is that it must be at least one (for the terminating nul). */
+ bool at_least_one = false;
+ if (str)
+ {
+ /* STR is normally a pointer to string but as a special case
+ it can be an integer denoting the length of a string. */
+ if (TREE_CODE (TREE_TYPE (str)) == POINTER_TYPE)
+ {
+ /* Try to determine the range of lengths the source string
+ refers to. If it can be determined add one to it for
+ the terminating nul. Otherwise, set it to one for
+ the same reason. */
+ tree lenrange[2];
+ get_range_strlen (str, lenrange);
+ if (lenrange[0])
+ slen = fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node);
+ else
+ {
+ at_least_one = true;
+ slen = size_one_node;
+ }
+ }
+ else
+ slen = str;
+ }
+
+ if (!size && !maxlen)
+ {
+ /* When the only available piece of data is the object size
+ there is nothing to do. */
+ if (!slen)
+ return true;
+
+ /* Otherwise, when the length of the source sequence is known
+ (as with with strlen), set SIZE to it. */
+ size = slen;
+ }
+
+ if (!objsize)
+ objsize = maxobjsize;
+
+ /* The SIZE is exact if it's non-null, constant, and in range of
+ unsigned HOST_WIDE_INT. */
+ bool exactsize = size && tree_fits_uhwi_p (size);
+
+ tree range[2] = { NULL_TREE, NULL_TREE };
+ if (size)
+ get_size_range (size, range);
+
+ /* First check the number of bytes to be written against the maximum
+ object size. */
+ if (range[0] && tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified size %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified size between %wu and %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+ return false;
+ }
+
+ /* Next check the number of bytes to be written against the destination
+ object size. */
+ if (range[0] || !exactsize || integer_all_onesp (size))
+ {
+ if (range[0]
+ && ((tree_fits_uhwi_p (objsize)
+ && tree_int_cst_lt (objsize, range[0]))
+ || (tree_fits_uhwi_p (size)
+ && tree_int_cst_lt (size, range[0]))))
+ {
+ unsigned HOST_WIDE_INT uwir0 = tree_to_uhwi (range[0]);
+
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (at_least_one)
+ warning_at (loc, opt,
+ "%K%D writing at least %wu byte into a region "
+ "of size %wu overflows the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else if (range[0] == range[1])
+ warning_at (loc, opt,
+ (uwir0 == 1
+ ? G_("%K%D writing %wu byte into a region "
+ "of size %wu overflows the destination")
+ : G_("%K%D writing %wu bytes into a region "
+ "of size %wu overflows the destination")),
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, opt,
+ "%K%D writing between %wu and %wu bytes "
+ "into a region of size %wu overflows "
+ "the destination",
+ exp, get_callee_fndecl (exp), uwir0,
+ tree_to_uhwi (range[1]), tree_to_uhwi (objsize));
+
+ /* Return error when an overflow has been detected. */
+ return false;
+ }
+ }
+
+ /* Check the maximum length of the source sequence against the size
+ of the destination object if known, or against the maximum size
+ of an object. */
+ if (maxlen)
+ {
+ get_size_range (maxlen, range);
+
+ if (range[0] && objsize && tree_fits_uhwi_p (objsize))
+ {
+ location_t loc = tree_nonartificial_location (exp);
+
+ if (tree_int_cst_lt (maxobjsize, range[0]))
+ {
+ /* Warn about crazy big sizes first since that's more
+ likely to be meaningful than saying that the bound
+ is greater than the object size if both are big. */
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified bound %wu "
+ "exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (maxobjsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds maximum object size %wu",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (maxobjsize));
+
+ return false;
+ }
+
+ if (objsize != maxobjsize && tree_int_cst_lt (objsize, range[0]))
+ {
+ if (range[0] == range[1])
+ warning_at (loc, opt,
+ "%K%D specified bound %wu "
+ "exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (objsize));
+ else
+ warning_at (loc, opt,
+ "%K%D specified bound between %wu and %wu "
+ " exceeds the size %wu of the destination",
+ exp, get_callee_fndecl (exp),
+ tree_to_uhwi (range[0]),
+ tree_to_uhwi (range[1]),
+ tree_to_uhwi (objsize));
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+/* Helper to compute the size of the object referenced by the DEST
+ expression which must of of pointer type, using Object Size type
+ OSTYPE (only the least significant 2 bits are used). Return
+ the size of the object if successful or NULL when the size cannot
+ be determined. */
+
+static inline tree
+compute_dest_size (tree dest, int ostype)
+{
+ unsigned HOST_WIDE_INT size;
+ if (compute_builtin_object_size (dest, ostype & 3, &size))
+ return build_int_cst (sizetype, size);
+
+ return NULL_TREE;
+}
+
+/* Helper to determine and check the sizes of the source and the destination
+ of calls to __builtin_{bzero,memcpy,memset} calls. Use Object Size type-0
+ regardless of the OPT_Wstringop_overflow_ setting. Returns true on success
+ (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_memop_sizes (tree exp, tree dest, tree size)
+{
+ if (!warn_stringop_overflow)
+ return true;
+
+ /* For functions like memset and memcpy that operate on raw memory
+ try to determine the size of the largest destination object using
+ type-0 Object Size regardless of the object size type specified
+ by the option. */
+ tree objsize = compute_dest_size (dest, 0);
+
+ return check_sizes (OPT_Wstringop_overflow_, exp,
+ size, /*maxlen=*/NULL_TREE, /*str=*/NULL_TREE, objsize);
+}
+
/* Expand a call EXP to the memcpy builtin.
Return NULL_RTX if we failed, the caller should emit a normal call,
otherwise try to get the result in TARGET, if convenient (and in
@@ -3022,13 +3313,14 @@ expand_builtin_memcpy (tree exp, rtx target)
if (!validate_arglist (exp,
POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_memcpy_args (dest, src, len, target, exp);
- }
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ check_memop_sizes (exp, dest, len);
+
+ return expand_builtin_memcpy_args (dest, src, len, target, exp);
}
/* Expand an instrumented call EXP to the memcpy builtin.
@@ -3076,15 +3368,20 @@ expand_builtin_mempcpy (tree exp, rtx target, machine_mode mode)
if (!validate_arglist (exp,
POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_mempcpy_args (dest, src, len,
- target, mode, /*endp=*/ 1,
- exp);
- }
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ /* Avoid expanding mempcpy into memcpy when the call is determined
+ to overflow the buffer. This also prevents the same overflow
+ from being diagnosed again when expanding memcpy. */
+ if (!check_memop_sizes (exp, dest, len))
+ return NULL_RTX;
+
+ return expand_builtin_mempcpy_args (dest, src, len,
+ target, mode, /*endp=*/ 1,
+ exp);
}
/* Expand an instrumented call EXP to the mempcpy builtin.
@@ -3256,6 +3553,33 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
return target;
}
+/* Do some very basic size validation of a call to the strcpy builtin
+ given by EXP. Return NULL_RTX to have the built-in expand to a call
+ to the library function. */
+
+static rtx
+expand_builtin_strcat (tree exp, rtx)
+{
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE)
+ || !warn_stringop_overflow)
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ /* There is no way here to determine the length of the string in
+ the destination to which the SRC string is being appended so
+ just diagnose cases when the srouce string is longer than
+ the destination object. */
+
+ tree destsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, /*maxlen=*/NULL_TREE, src, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strcpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call, otherwise
try to get the result in TARGET, if convenient (and in mode MODE if that's
@@ -3264,13 +3588,20 @@ expand_movstr (tree dest, tree src, rtx target, int endp)
static rtx
expand_builtin_strcpy (tree exp, rtx target)
{
- if (validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree src = CALL_EXPR_ARG (exp, 1);
- return expand_builtin_strcpy_args (dest, src, target);
- }
- return NULL_RTX;
+ if (!validate_arglist (exp, POINTER_TYPE, POINTER_TYPE, VOID_TYPE))
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+
+ if (warn_stringop_overflow)
+ {
+ tree destsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, /*maxlen=*/NULL_TREE, src, destsize);
+ }
+
+ return expand_builtin_strcpy_args (dest, src, target);
}
/* Helper function to do the actual work for expand_builtin_strcpy. The
@@ -3378,6 +3709,131 @@ builtin_strncpy_read_str (void *data, HOST_WIDE_INT offset,
return c_readstr (str + offset, mode);
}
+/* Helper to check the sizes of sequences and the destination of calls
+ to __builtin_strncat and __builtin___strncat_chk. Returns true on
+ success (no overflow or invalid sizes), false otherwise. */
+
+static bool
+check_strncat_sizes (tree exp, tree objsize)
+{
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. */
+
+ if (!objsize && warn_stringop_overflow)
+ {
+ /* If it hasn't been provided by __strncat_chk, try to determine
+ the size of the destination object into which the source is
+ being copied. */
+ objsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+ }
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (objsize)
+ && tree_int_cst_equal (objsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow_,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return false;
+ }
+
+ if (!srclen
+ || (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_fits_uhwi_p (srclen)
+ && tree_int_cst_lt (maxlen, srclen)))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ return check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, maxlen, srclen, objsize);
+}
+
+/* Similar to expand_builtin_strcat, do some very basic size validation
+ of a call to the strcpy builtin given by EXP. Return NULL_RTX to have
+ the built-in expand to a call to the library function. */
+
+static rtx
+expand_builtin_strncat (tree exp, rtx)
+{
+ if (!validate_arglist (exp,
+ POINTER_TYPE, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE)
+ || !warn_stringop_overflow)
+ return NULL_RTX;
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree src = CALL_EXPR_ARG (exp, 1);
+ /* The upper bound on the number of bytes to write. */
+ tree maxlen = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
+ tree slen = c_strlen (src, 1);
+
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ get_range_strlen (src, lenrange);
+
+ /* Try to verify that the destination is big enough for the shortest
+ string. First try to determine the size of the destination object
+ into which the source is being copied. */
+ tree destsize = compute_dest_size (dest, warn_stringop_overflow - 1);
+
+ /* Add one for the terminating nul. */
+ tree srclen = (lenrange[0]
+ ? fold_build2 (PLUS_EXPR, size_type_node, lenrange[0],
+ size_one_node)
+ : NULL_TREE);
+
+ /* Strncat copies at most MAXLEN bytes and always appends the terminating
+ nul so the specified upper bound should never be equal to (or greater
+ than) the size of the destination. */
+ if (tree_fits_uhwi_p (maxlen) && tree_fits_uhwi_p (destsize)
+ && tree_int_cst_equal (destsize, maxlen))
+ {
+ warning_at (EXPR_LOCATION (exp), OPT_Wstringop_overflow_,
+ "specified bound %wu "
+ "equals the size of the destination",
+ tree_to_uhwi (maxlen));
+
+ return NULL_RTX;
+ }
+
+ if (!srclen
+ || (maxlen && tree_fits_uhwi_p (maxlen)
+ && tree_fits_uhwi_p (srclen)
+ && tree_int_cst_lt (maxlen, srclen)))
+ srclen = maxlen;
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SRCLEN if LEN's value isn't known. */
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, maxlen, srclen, destsize);
+
+ return NULL_RTX;
+}
+
/* Expand expression EXP, which is a call to the strncpy builtin. Return
NULL_RTX if we failed the caller should emit a normal call. */
@@ -3391,9 +3847,33 @@ expand_builtin_strncpy (tree exp, rtx target)
{
tree dest = CALL_EXPR_ARG (exp, 0);
tree src = CALL_EXPR_ARG (exp, 1);
+ /* The number of bytes to write (not the maximum). */
tree len = CALL_EXPR_ARG (exp, 2);
+ /* The length of the source sequence. */
tree slen = c_strlen (src, 1);
+ if (warn_stringop_overflow)
+ {
+ /* Try to determine the range of lengths that the source expression
+ refers to. */
+ tree lenrange[2];
+ if (slen)
+ lenrange[0] = lenrange[1] = slen;
+ else
+ {
+ get_range_strlen (src, lenrange);
+ slen = lenrange[0];
+ }
+
+ tree destsize = compute_dest_size (dest,
+ warn_stringop_overflow - 1);
+
+ /* The number of bytes to write is LEN but check_sizes will also
+ check SLEN if LEN's value isn't known. */
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, len, /*maxlen=*/NULL_TREE, slen, destsize);
+ }
+
/* We must be passed a constant len and src parameter. */
if (!tree_fits_uhwi_p (len) || !slen || !tree_fits_uhwi_p (slen))
return NULL_RTX;
@@ -3481,13 +3961,14 @@ expand_builtin_memset (tree exp, rtx target, machine_mode mode)
if (!validate_arglist (exp,
POINTER_TYPE, INTEGER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- else
- {
- tree dest = CALL_EXPR_ARG (exp, 0);
- tree val = CALL_EXPR_ARG (exp, 1);
- tree len = CALL_EXPR_ARG (exp, 2);
- return expand_builtin_memset_args (dest, val, len, target, mode, exp);
- }
+
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree val = CALL_EXPR_ARG (exp, 1);
+ tree len = CALL_EXPR_ARG (exp, 2);
+
+ check_memop_sizes (exp, dest, len);
+
+ return expand_builtin_memset_args (dest, val, len, target, mode, exp);
}
/* Expand expression EXP, which is an instrumented call to the memset builtin.
@@ -3668,20 +4149,21 @@ expand_builtin_memset_args (tree dest, tree val, tree len,
static rtx
expand_builtin_bzero (tree exp)
{
- tree dest, size;
- location_t loc = EXPR_LOCATION (exp);
-
if (!validate_arglist (exp, POINTER_TYPE, INTEGER_TYPE, VOID_TYPE))
return NULL_RTX;
- dest = CALL_EXPR_ARG (exp, 0);
- size = CALL_EXPR_ARG (exp, 1);
+ tree dest = CALL_EXPR_ARG (exp, 0);
+ tree size = CALL_EXPR_ARG (exp, 1);
+
+ check_memop_sizes (exp, dest, size);
/* New argument list transforming bzero(ptr x, int y) to
memset(ptr x, int 0, size_t y). This is done this way
so that if it isn't expanded inline, we fallback to
calling bzero instead of memset. */
+ location_t loc = EXPR_LOCATION (exp);
+
return expand_builtin_memset_args (dest, integer_zero_node,
fold_convert_loc (loc,
size_type_node, size),
@@ -6214,12 +6696,24 @@ expand_builtin (tree exp, rtx target, rtx subtarget, machine_mode mode,
return target;
break;
+ case BUILT_IN_STRCAT:
+ target = expand_builtin_strcat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRCPY:
target = expand_builtin_strcpy (exp, target);
if (target)
return target;
break;
+ case BUILT_IN_STRNCAT:
+ target = expand_builtin_strncat (exp, target);
+ if (target)
+ return target;
+ break;
+
case BUILT_IN_STRNCPY:
target = expand_builtin_strncpy (exp, target);
if (target)
@@ -9130,22 +9624,22 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
len = CALL_EXPR_ARG (exp, 2);
size = CALL_EXPR_ARG (exp, 3);
- if (! tree_fits_uhwi_p (size))
+ bool sizes_ok = check_sizes (OPT_Wstringop_overflow_,
+ exp, len, /*maxlen=*/NULL_TREE,
+ /*str=*/NULL_TREE, size);
+
+ if (!tree_fits_uhwi_p (size))
return NULL_RTX;
if (tree_fits_uhwi_p (len) || integer_all_onesp (size))
{
- tree fn;
-
- if (! integer_all_onesp (size) && tree_int_cst_lt (size, len))
- {
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return NULL_RTX;
- }
+ /* Avoid transforming the checking call to an ordinary one when
+ an overflow has been detected or when the call couldn't be
+ validated because the size is not constant. */
+ if (!sizes_ok && !integer_all_onesp (size) && tree_int_cst_lt (size, len))
+ return NULL_RTX;
- fn = NULL_TREE;
+ tree fn = NULL_TREE;
/* If __builtin_mem{cpy,pcpy,move,set}_chk is used, assume
mem{cpy,pcpy,move,set} is available. */
switch (fcode)
@@ -9231,68 +9725,68 @@ expand_builtin_memory_chk (tree exp, rtx target, machine_mode mode,
static void
maybe_emit_chk_warning (tree exp, enum built_in_function fcode)
{
- int is_strlen = 0;
- tree len, size;
- location_t loc = tree_nonartificial_location (exp);
+ /* The source string. */
+ tree srcstr = NULL_TREE;
+ /* The size of the destination object. */
+ tree objsize = NULL_TREE;
+ /* The string that is being concatenated with (as in __strcat_chk)
+ or null if it isn't. */
+ tree catstr = NULL_TREE;
+ /* The maximum length of the source sequence in a bounded operation
+ (such as __strncat_chk) or null if the operation isn't bounded
+ (such as __strcat_chk). */
+ tree maxlen = NULL_TREE;
switch (fcode)
{
case BUILT_IN_STRCPY_CHK:
case BUILT_IN_STPCPY_CHK:
- /* For __strcat_chk the warning will be emitted only if overflowing
- by at least strlen (dest) + 1 bytes. */
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
+ break;
+
case BUILT_IN_STRCAT_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 2);
- is_strlen = 1;
+ /* For __strcat_chk the warning will be emitted only if overflowing
+ by at least strlen (dest) + 1 bytes. */
+ catstr = CALL_EXPR_ARG (exp, 0);
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 2);
break;
+
case BUILT_IN_STRNCAT_CHK:
+ catstr = CALL_EXPR_ARG (exp, 0);
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
+ break;
+
case BUILT_IN_STRNCPY_CHK:
case BUILT_IN_STPNCPY_CHK:
- len = CALL_EXPR_ARG (exp, 2);
- size = CALL_EXPR_ARG (exp, 3);
+ srcstr = CALL_EXPR_ARG (exp, 1);
+ maxlen = CALL_EXPR_ARG (exp, 2);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
+
case BUILT_IN_SNPRINTF_CHK:
case BUILT_IN_VSNPRINTF_CHK:
- len = CALL_EXPR_ARG (exp, 1);
- size = CALL_EXPR_ARG (exp, 3);
+ maxlen = CALL_EXPR_ARG (exp, 1);
+ objsize = CALL_EXPR_ARG (exp, 3);
break;
default:
gcc_unreachable ();
}
- if (!len || !size)
- return;
-
- if (! tree_fits_uhwi_p (size) || integer_all_onesp (size))
- return;
-
- if (is_strlen)
+ if (catstr && maxlen)
{
- len = c_strlen (len, 1);
- if (! len || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
+ /* Check __strncat_chk. There is no way to determine the length
+ of the string to which the source string is being appended so
+ just warn when the length of the source string is not known. */
+ if (!check_strncat_sizes (exp, objsize))
return;
}
- else if (fcode == BUILT_IN_STRNCAT_CHK)
- {
- tree src = CALL_EXPR_ARG (exp, 1);
- if (! src || ! tree_fits_uhwi_p (len) || tree_int_cst_lt (len, size))
- return;
- src = c_strlen (src, 1);
- if (! src || ! tree_fits_uhwi_p (src))
- {
- warning_at (loc, 0, "%Kcall to %D might overflow destination buffer",
- exp, get_callee_fndecl (exp));
- return;
- }
- else if (tree_int_cst_lt (src, size))
- return;
- }
- else if (! tree_fits_uhwi_p (len) || ! tree_int_cst_lt (size, len))
- return;
- warning_at (loc, 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ check_sizes (OPT_Wstringop_overflow_, exp,
+ /*size=*/NULL_TREE, maxlen, srcstr, objsize);
}
/* Emit warning if a buffer overflow is detected at compile time
@@ -9346,10 +9840,10 @@ maybe_emit_sprintf_chk_warning (tree exp, enum built_in_function fcode)
else
return;
- if (! tree_int_cst_lt (len, size))
- warning_at (tree_nonartificial_location (exp),
- 0, "%Kcall to %D will always overflow destination buffer",
- exp, get_callee_fndecl (exp));
+ /* Add one for the terminating nul. */
+ len = fold_build2 (PLUS_EXPR, TREE_TYPE (len), len, size_one_node);
+ check_sizes (OPT_Wstringop_overflow_,
+ exp, /*size=*/NULL_TREE, /*maxlen=*/NULL_TREE, len, size);
}
/* Emit warning if a free is called with address of a variable. */
diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
index 7d8a726..d92fca2 100644
--- a/gcc/c-family/c.opt
+++ b/gcc/c-family/c.opt
@@ -665,6 +665,16 @@ Wsizeof-array-argument
C ObjC C++ ObjC++ Var(warn_sizeof_array_argument) Warning Init(1)
Warn when sizeof is applied on a parameter declared as an array.
+Wstringop-overflow
+C ObjC C++ ObjC++ Warning Alias(Wstringop-overflow=, 2, 0)
+Warn about buffer overflow in string manipulation functions like memcpy
+and strcpy.
+
+Wstringop-overflow=
+C ObjC C++ ObjC++ Joined RejectNegative UInteger Var(warn_stringop_overflow) Init(2) Warning
+Under the control of Object Size type, warn about buffer overflow in string
+manipulation functions like memcpy and strcpy.
+
Wsuggest-attribute=format
C ObjC C++ ObjC++ Var(warn_suggest_attribute_format) Warning
Warn about functions which might be candidates for format attributes.
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index ad9304f..781caba 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -292,7 +292,8 @@ Objective-C and Objective-C++ Dialects}.
-Wparentheses -Wno-pedantic-ms-format @gol
-Wplacement-new -Wplacement-new=@var{n} @gol
-Wpointer-arith -Wno-pointer-to-int-cast @gol
--Wno-pragmas -Wredundant-decls -Wno-return-local-addr @gol
+-Wno-pragmas -Wredundant-decls @gol
+-Wno-return-local-addr @gol
-Wreturn-type -Wsequence-point -Wshadow -Wno-shadow-ivar @gol
-Wshadow=global, -Wshadow=local, -Wshadow=compatible-local @gol
-Wshift-overflow -Wshift-overflow=@var{n} @gol
@@ -302,6 +303,7 @@ Objective-C and Objective-C++ Dialects}.
-Wsizeof-pointer-memaccess -Wsizeof-array-argument @gol
-Wstack-protector -Wstack-usage=@var{len} -Wstrict-aliasing @gol
-Wstrict-aliasing=n -Wstrict-overflow -Wstrict-overflow=@var{n} @gol
+-Wstringop-overflow=@var{n} @gol
-Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]} @gol
-Wsuggest-final-types @gol -Wsuggest-final-methods -Wsuggest-override @gol
-Wmissing-format-attribute -Wsubobject-linkage @gol
@@ -4908,6 +4910,86 @@ comparisons, so this warning level gives a very large number of
false positives.
@end table
+@item -Wstringop-overflow
+@itemx -Wstringop-overflow=@var{type}
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+Warn for calls to string manipulation functions such as @code{memcpy} and
+@code{strcpy} that are determined to overflow the destination buffer. The
+optional argument is one greater than the type of Object Size Checking to
+perform to determine the size of the destination. @xref{Object Size Checking}.
+The argument is meaningful only for functions that operate on character arrays
+but not for raw memory functions like @code{memcpy} which always make use
+of Object Size type-0. The option also warns for calls that specify a size
+in excess of the largest possible object or at most @code{SIZE_MAX / 2} bytes.
+The option produces the best results with optimization enabled but can detect
+a small subset of simple buffer overflows even without optimization in
+calls to the GCC built-in functions like @code{__builtin_memcpy} that
+correspond to the standard functions. In any case, the option warns about
+just a subset of buffer overflows detected by the corresponding overflow
+checking built-ins. For example, the option will issue a warning for
+the @code{strcpy} call below because it copies at least 5 characters
+(the string @code{"blue"} including the terminating NUL) into the buffer
+of size 4.
+
+@smallexample
+enum Color @{ blue, purple, yellow @};
+const char* f (enum Color clr)
+@{
+ static char buf [4];
+ const char *str;
+ switch (clr)
+ @{
+ case blue: str = "blue"; break;
+ case purple: str = "purple"; break;
+ case yellow: str = "yellow"; break;
+ @}
+
+ return strcpy (buf, str); // warning here
+@}
+@end smallexample
+
+Option @option{-Wstringop-overflow=2} is enabled by default.
+
+@table @gcctabopt
+@item -Wstringop-overflow
+@item -Wstringop-overflow=1
+@opindex Wstringop-overflow
+@opindex Wno-stringop-overflow
+The @option{-Wstringop-overflow=1} option uses type-zero Object Size Checking
+to determine the sizes of destination objects. This is the default setting
+of the option. At this setting the option will not warn for writes past
+the end of subobjects of larger objects accessed by pointers unless the
+size of the largest surrounding object is known. When the destination may
+be one of several objects it is assumed to be the largest one of them. On
+Linux systems, when optimization is enabled at this setting the option warns
+for the same code as when the @code{_FORTIFY_SOURCE} macro is defined to
+a non-zero value.
+
+@item -Wstringop-overflow=2
+The @option{-Wstringop-overflow=2} option uses type-one Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+will warn about overflows when writing to members of the largest complete
+objects whose exact size is known. It will, however, not warn for excessive
+writes to the same members of unknown objects referenced by pointers since
+they may point to arrays containing unknown numbers of elements.
+
+@item -Wstringop-overflow=3
+The @option{-Wstringop-overflow=3} option uses type-two Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+warns about overflowing the smallest object or data member. This is the
+most restrictive setting of the option that may result in warnings for safe
+code.
+
+@item -Wstringop-overflow=4
+The @option{-Wstringop-overflow=4} option uses type-three Object Size Checking
+to determine the sizes of destination objects. At this setting the option
+will warn about overflowing any data members, and when the destination is
+one of several objects it uses the size of the largest of them to decide
+whether to issue a warning. Similarly to @option{-Wstringop-overflow=3} this
+setting of the option may result in warnings for benign code.
+@end table
+
@item -Wsuggest-attribute=@r{[}pure@r{|}const@r{|}noreturn@r{|}format@r{]}
@opindex Wsuggest-attribute=
@opindex Wno-suggest-attribute=
diff --git a/gcc/gimple-ssa-sprintf.c b/gcc/gimple-ssa-sprintf.c
index 3138ad3..5f26320 100644
--- a/gcc/gimple-ssa-sprintf.c
+++ b/gcc/gimple-ssa-sprintf.c
@@ -2701,10 +2701,15 @@ pass_sprintf_length::handle_gimple_call (gimple_stmt_iterator gsi)
/* No object can be larger than SIZE_MAX bytes (half the address
space) on the target. This imposes a limit that's one byte
less than that. */
- if (dstsize >= target_size_max () / 2)
+ if (dstsize >= target_size_max () / 2
+ /* Avoid warning if -Wstringop-overflow is specified since
+ it also warns for the same thing though only for the
+ checking built-ins. */
+ && (idx_objsize == HOST_WIDE_INT_M1U
+ || !warn_stringop_overflow))
warning_at (gimple_location (info.callstmt), OPT_Wformat_length_,
- "specified destination size %wu too large",
- dstsize);
+ "specified bound %wu exceeds maximum object size %wu",
+ dstsize, target_size_max () / 2);
}
else if (TREE_CODE (size) == SSA_NAME)
{
@@ -2747,10 +2752,15 @@ pass_sprintf_length::handle_gimple_call (gimple_stmt_iterator gsi)
info.objsize = dstsize < objsize ? dstsize : objsize;
if (info.bounded
- && dstsize < target_size_max () / 2 && objsize < dstsize)
+ && dstsize < target_size_max () / 2 && objsize < dstsize
+ /* Avoid warning if -Wstringop-overflow is specified since
+ it also warns for the same thing though only for the
+ checking built-ins. */
+ && (idx_objsize == HOST_WIDE_INT_M1U
+ || !warn_stringop_overflow))
{
warning_at (gimple_location (info.callstmt), OPT_Wformat_length_,
- "specified size %wu exceeds the size %wu "
+ "specified bound %wu exceeds the size %wu "
"of the destination object", dstsize, objsize);
}
}
diff --git a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
index d9ec7e2..9a02373 100644
--- a/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
+++ b/gcc/testsuite/c-c++-common/Wsizeof-pointer-memaccess2.c
@@ -481,4 +481,4 @@ f4 (char *x, char **y, int z, char w[64])
stpncpy (x, s3, sizeof (s3));
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
index 09263e5..0207f9a 100644
--- a/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
+++ b/gcc/testsuite/g++.dg/ext/builtin-object-size3.C
@@ -20,7 +20,7 @@ bar ()
{
int *p = new int;
int *q = new int[4];
- MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
- MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "will always overflow destination buffer" }
+ MEMCPY (p, "abcdefghijklmnopqrstuvwxyz", sizeof (int) + 1); // { dg-warning "writing" }
+ MEMCPY (q, "abcdefghijklmnopqrstuvwxyz", 4 * sizeof (int) + 1); // { dg-warning "writing" }
baz (p, q);
}
diff --git a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
index ebafc99..d67d6bf 100644
--- a/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
+++ b/gcc/testsuite/g++.dg/ext/strncpy-chk1.C
@@ -9,7 +9,7 @@ struct B { char z[50]; };
inline void
foo (char *dest, const char *__restrict src, __SIZE_TYPE__ n)
{
- __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "will always overflow" }
+ __builtin___strncpy_chk (dest, src, n, __builtin_object_size (dest, 0)); // { dg-warning "specified bound 36 exceeds the size 35 of the destination" }
}
void bar (const char *, int);
diff --git a/gcc/testsuite/g++.dg/opt/memcpy1.C b/gcc/testsuite/g++.dg/opt/memcpy1.C
index f291345..e2b1dd2 100644
--- a/gcc/testsuite/g++.dg/opt/memcpy1.C
+++ b/gcc/testsuite/g++.dg/opt/memcpy1.C
@@ -59,7 +59,10 @@ namespace CS
}
uint8 Clip ()
{
- __builtin_memcpy (this->OutP, InP, OutV * sizeof (csVector2));
+ // OutV is initialized to SIZE_MAX in the ctor above causing
+ // the multiplication below to produce a very large number
+ // in excess of the maximum possible object size (SIZE_MAX/2).
+ __builtin_memcpy (this->OutP, InP, OutV * sizeof (csVector2)); // { dg-warning "specified size \[0-9\]+ exceeds maximum object size" }
}
};
}
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
index 8b5c33e..2e6189b 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess1.C
@@ -713,4 +713,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-// { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" }
+// { dg-prune-output "\[\n\r\]*overflows\[\n\r\]*" }
diff --git a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C
index 0e99568..a216f47 100644
--- a/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C
+++ b/gcc/testsuite/g++.dg/torture/Wsizeof-pointer-memaccess2.C
@@ -1,7 +1,8 @@
// Test -Wsizeof-pointer-memaccess warnings.
// { dg-do compile }
-// { dg-options "-Wall -Wno-sizeof-array-argument" }
-// Test just twice, once with -O0 non-fortified, once with -O2 fortified.
+// { dg-options "-Wall -Wno-sizeof-array-argument -Wno-stringop-overflow" }
+// Test just twice, once with -O0 non-fortified, once with -O2 fortified,
+// suppressing buffer overflow warnings.
// { dg-skip-if "" { *-*-* } { "*" } { "-O0" "-O2" } }
// { dg-skip-if "" { *-*-* } { "-flto" } { "" } }
diff --git a/gcc/testsuite/gcc.c-torture/compile/pr55569.c b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
index cffbcfc..7708f21 100644
--- a/gcc/testsuite/gcc.c-torture/compile/pr55569.c
+++ b/gcc/testsuite/gcc.c-torture/compile/pr55569.c
@@ -1,4 +1,4 @@
-/* { dg-options "-ftree-vectorize" } */
+/* { dg-options "-Wno-stringop-overflow -ftree-vectorize" } */
int *bar (void);
void
@@ -6,6 +6,10 @@ foo (void)
{
long x;
int *y = bar ();
- for (x = -1 / sizeof (int); x; --x, ++y)
- *y = 0;
+
+ /* The loop below may be optimized to a call to memset with a size
+ that's in excess of the maximum object size. This is diagnosed
+ by the -Wstringop-overflow option. */
+ for (x = -1 / sizeof (int); x; --x, ++y)
+ *y = 0;
}
diff --git a/gcc/testsuite/gcc.dg/Wobjsize-1.c b/gcc/testsuite/gcc.dg/Wobjsize-1.c
index 291cfb9..211e068 100644
--- a/gcc/testsuite/gcc.dg/Wobjsize-1.c
+++ b/gcc/testsuite/gcc.dg/Wobjsize-1.c
@@ -10,6 +10,6 @@ int main(int argc, char **argv)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 6 } */
+/* { dg-warning "writing" "" { target *-*-* } 6 } */
/* { dg-message "file included" "included" { target *-*-* } 0 } */
/* { dg-message "inlined from" "inlined" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/attr-alloc_size.c b/gcc/testsuite/gcc.dg/attr-alloc_size.c
index e8129ce..f50ba7c 100644
--- a/gcc/testsuite/gcc.dg/attr-alloc_size.c
+++ b/gcc/testsuite/gcc.dg/attr-alloc_size.c
@@ -22,15 +22,15 @@ test (void)
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
- strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (p, "Hello World"); /* { dg-warning "writing" "strcpy" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
index e491ff5..7689287 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-1.c
@@ -8,7 +8,10 @@
extern void abort (void);
#include "../gcc.c-torture/execute/builtins/chk.h"
-#include <stdarg.h>
+
+#define va_list __builtin_va_list
+#define va_start __builtin_va_start
+#define va_end __builtin_va_end
volatile void *vx;
char buf1[20];
@@ -22,60 +25,61 @@ test (int arg, ...)
char *p = &buf1[10], *q;
memcpy (&buf2[19], "ab", 1);
- memcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy" } */
vx = mempcpy (&buf2[19], "ab", 1);
- vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "will always overflow" "mempcpy" } */
+ vx = mempcpy (&buf2[19], "ab", 2); /* { dg-warning "writing 2 " "mempcpy" } */
memmove (&buf2[18], &buf1[10], 2);
- memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "will always overflow" "memmove" } */
+ memmove (&buf2[18], &buf1[10], 3); /* { dg-warning "writing 3 " "memmove" } */
memset (&buf2[16], 'a', 4);
- memset (&buf2[15], 'b', 6); /* { dg-warning "will always overflow" "memset" } */
+ memset (&buf2[15], 'b', 6); /* { dg-warning "writing 6 " "memset" } */
strcpy (&buf2[18], "a");
- strcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcpy" } */
+ strcpy (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcpy" } */
vx = stpcpy (&buf2[18], "a");
- vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "will always overflow" "stpcpy" } */
+ vx = stpcpy (&buf2[18], "ab"); /* { dg-warning "writing 3" "stpcpy" } */
strncpy (&buf2[18], "a", 2);
- strncpy (&buf2[18], "a", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "a", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
strncpy (&buf2[18], "abc", 2);
- strncpy (&buf2[18], "abc", 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&buf2[18], "abc", 3); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "strncpy" } */
memset (buf2, '\0', sizeof (buf2));
strcat (&buf2[18], "a");
memset (buf2, '\0', sizeof (buf2));
- strcat (&buf2[18], "ab"); /* { dg-warning "will always overflow" "strcat" } */
+ strcat (&buf2[18], "ab"); /* { dg-warning "writing 3 " "strcat" } */
sprintf (&buf2[18], "%s", buf1);
sprintf (&buf2[18], "%s", "a");
- sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "%s", "ab"); /* { dg-warning "writing 3 " "sprintf" } */
sprintf (&buf2[18], "a");
- sprintf (&buf2[18], "ab"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (&buf2[18], "ab"); /* { dg-warning "writing 3 " "sprintf" } */
snprintf (&buf2[18], 2, "%d", x);
/* N argument to snprintf is the size of the buffer.
Although this particular call wouldn't overflow buf2,
incorrect buffer size was passed to it and therefore
we want a warning and runtime failure. */
- snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "will always overflow" "snprintf" } */
+ snprintf (&buf2[18], 3, "%d", x); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "snprintf" } */
va_start (ap, arg);
vsprintf (&buf2[18], "a", ap);
va_end (ap);
+
va_start (ap, arg);
- vsprintf (&buf2[18], "ab", ap); /* { dg-warning "will always overflow" "vsprintf" } */
+ vsprintf (&buf2[18], "ab", ap); /* { dg-warning "writing 3" "vsprintf" } */
va_end (ap);
va_start (ap, arg);
vsnprintf (&buf2[18], 2, "%s", ap);
va_end (ap);
va_start (ap, arg);
/* See snprintf above. */
- vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "will always overflow" "vsnprintf" } */
+ vsnprintf (&buf2[18], 3, "%s", ap); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" "vsnprintf" } */
va_end (ap);
p = p + 10;
memset (p, 'd', 0);
- q = strcpy (p, ""); /* { dg-warning "will always overflow" "strcpy" } */
+ q = strcpy (p, ""); /* { dg-warning "writing 1 " "strcpy" } */
/* This invokes undefined behavior, since we are past the end of buf1. */
p = p + 10;
- memset (p, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (p, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
memset (q, 'd', 0);
- memset (q, 'd', 1); /* { dg-warning "will always overflow" "memset" } */
+ memset (q, 'd', 1); /* { dg-warning "writing 1 " "memset" } */
q = q - 10;
memset (q, 'd', 10);
}
@@ -90,26 +94,26 @@ void
test2 (const H h)
{
char c;
- strncpy (&c, str, 3); /* { dg-warning "will always overflow" "strncpy" } */
+ strncpy (&c, str, 3); /* { dg-warning "specified bound 3 exceeds the size 1 of the destination" "strncpy" } */
struct { char b[4]; } x;
- sprintf (x.b, "%s", "ABCD"); /* { dg-warning "will always overflow" "sprintf" } */
+ sprintf (x.b, "%s", "ABCD"); /* { dg-warning "writing 5" "sprintf" } */
unsigned int i;
- memcpy (&i, &h, sizeof (h)); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (&i, &h, sizeof (h)); /* { dg-warning "writing 16 " "memcpy" } */
unsigned char buf[21];
- memset (buf + 16, 0, 8); /* { dg-warning "will always overflow" "memset" } */
+ memset (buf + 16, 0, 8); /* { dg-warning "writing 8 " "memset" } */
typedef struct { int i, j, k, l; } S;
S *s[3];
- memset (s, 0, sizeof (S) * 3); /* { dg-warning "will always overflow" "memset" } */
+ memset (s, 0, sizeof (S) * 3); /* { dg-warning "writing 48 " "memset" } */
struct T { char a[8]; char b[4]; char c[10]; } t;
- stpcpy (t.c,"Testing..."); /* { dg-warning "will always overflow" "stpcpy" } */
+ stpcpy (t.c,"Testing..."); /* { dg-warning "writing" "stpcpy" } */
char b1[7];
char b2[4];
memset (b1, 0, sizeof (b1));
- memset (b2, 0, sizeof (b1)); /* { dg-warning "will always overflow" "memset" } */
+ memset (b2, 0, sizeof (b1)); /* { dg-warning "writing 7" "memset" } */
}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
index 7c2bb60..d537fb0 100644
--- a/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-2.c
@@ -6,7 +6,7 @@
/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
#include "../gcc.c-torture/execute/builtins/chk.h"
-
+
void *bar (int);
extern void *malloc (__SIZE_TYPE__);
@@ -115,7 +115,7 @@ baz (const struct A *x, const unsigned char *z)
else
do
{
- memcpy (e, d, 513); /* { dg-warning "will always overflow" "memcpy" } */
+ memcpy (e, d, 513); /* { dg-warning "writing" "memcpy" } */
e += 4;
}
while (--h);
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
new file mode 100644
index 0000000..43e2a99
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-4.c
@@ -0,0 +1,525 @@
+/* Test exercising buffer overflow warnings emitted for raw memory and
+ string manipulation builtins involving ranges of sizes and strings
+ of varying lengths. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -ftrack-macro-expansion=0" } */
+
+#define INT_MAX __INT_MAX__
+#define PTRDIFF_MAX __PTRDIFF_MAX__
+#define SIZE_MAX __SIZE_MAX__
+
+typedef __PTRDIFF_TYPE__ ptrdiff_t;
+typedef __SIZE_TYPE__ size_t;
+
+static const size_t ssize_max = SIZE_MAX / 2;
+static const size_t size_max = SIZE_MAX;
+
+extern signed char schar_val;
+extern signed short sshrt_val;
+extern signed int sint_val;
+extern signed long slong_val;
+extern unsigned char uchar_val;
+extern unsigned short ushrt_val;
+extern unsigned int uint_val;
+extern unsigned long ulong_val;
+
+#define memcpy(d, s, n) (memcpy ((d), (s), (n)), sink ((d)))
+extern void* (memcpy)(void*, const void*, size_t);
+
+#define mempcpy(d, s, n) (mempcpy ((d), (s), (n)), sink ((d)))
+extern void* (mempcpy)(void*, const void*, size_t);
+
+#define memset(d, c, n) (memset ((d), (c), (n)), sink ((d)))
+extern void* (memset)(void*, int, size_t);
+
+#define bzero(d, n) (bzero ((d), (n)), sink ((d)))
+extern void (bzero)(void*, size_t);
+
+#define strcat(d, s) (strcat ((d), (s)), sink ((d)))
+extern char* (strcat)(char*, const char*);
+
+#define strncat(d, s, n) (strncat ((d), (s), (n)), sink ((d)))
+extern char* (strncat)(char*, const char*, size_t);
+
+#define strcpy(d, s) (strcpy ((d), (s)), sink ((d)))
+extern char* (strcpy)(char*, const char*);
+
+#define strncpy(d, s, n) (strncpy ((d), (s), (n)), sink ((d)))
+extern char* (strncpy)(char*, const char*, size_t);
+
+void sink (void*);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+ptrdiff_t random_signed_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+unsigned_range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Return a random signed value between MIN and MAX. */
+
+static inline ptrdiff_t
+signed_range (ptrdiff_t min, ptrdiff_t max)
+{
+ const ptrdiff_t val = random_signed_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* For brevity. */
+#define UR(min, max) unsigned_range (min, max)
+#define SR(min, max) signed_range (min, max)
+
+/* UReturn a pointer to constant string whose length is at least MINLEN
+ and at most 10. */
+static inline const char*
+string_range (size_t minlen)
+{
+ static const char str[] = "0123456789";
+
+ const size_t len = unsigned_range (minlen, sizeof str - 1);
+
+ switch (len)
+ {
+ case 10: return "0123456789";
+ case 9: return "012345678";
+ case 8: return "01234567";
+ case 7: return "0123456";
+ case 6: return "012345";
+ case 5: return "01234";
+ case 4: return "0123";
+ case 3: return "012";
+ case 2: return "01";
+ case 1: return "0";
+ case 0: return "";
+ }
+}
+
+#define S(minlen) string_range (minlen)
+
+/* Test memcpy with a number of bytes bounded by a known range. */
+
+void test_memcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ memcpy (buf, s, UR (0, 5));
+ memcpy (buf, s, UR (1, 5));
+ memcpy (buf, s, UR (2, 5));
+ memcpy (buf, s, UR (3, 5));
+ memcpy (buf, s, UR (4, 5));
+
+ memcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memcpy (buf + 5, s, UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 overflows the destination" } */
+
+ memcpy (buf + size_max, s, UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 overflows the destination" "excessive pointer offset" { xfail *-*-* } } */
+
+ memcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memcpy into a destination of unknown size with excessive
+ number of bytes. */
+ memcpy (d, s, UR (ssize_max, size_max));
+ memcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ memcpy (buf, s, SR (-1, 1));
+ memcpy (buf, s, SR (-3, 2));
+ memcpy (buf, s, SR (-5, 3));
+ memcpy (buf, s, SR (-7, 4));
+ memcpy (buf, s, SR (-9, 5));
+ memcpy (buf, s, SR (-11, 6));
+
+ memcpy (d, s, SR (-1, 1));
+ memcpy (d, s, SR (-3, 2));
+ memcpy (d, s, SR (-5, 3));
+ memcpy (d, s, SR (-7, 4));
+ memcpy (d, s, SR (-9, 5));
+ memcpy (d, s, SR (-11, 6));
+
+ memcpy (buf, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memcpy (d, s, SR (-2, -1)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Even though the following calls are bounded by the range of N's
+ type they must not cause a warning for obvious reasons. */
+ memcpy (buf, s, schar_val);
+ memcpy (buf, s, sshrt_val);
+ memcpy (buf, s, sint_val);
+ memcpy (buf, s, slong_val);
+
+ memcpy (buf, s, uchar_val);
+ memcpy (buf, s, ushrt_val);
+ memcpy (buf, s, uint_val);
+ memcpy (buf, s, ulong_val);
+
+ memcpy (buf, s, schar_val + 1);
+ memcpy (buf, s, sshrt_val + 2);
+ memcpy (buf, s, sint_val + 3);
+ memcpy (buf, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+
+ memcpy (d, s, schar_val);
+ memcpy (d, s, sshrt_val);
+ memcpy (d, s, sint_val);
+ memcpy (d, s, slong_val);
+
+ memcpy (d, s, uchar_val);
+ memcpy (d, s, ushrt_val);
+ memcpy (d, s, uint_val);
+ memcpy (d, s, ulong_val);
+
+ memcpy (d, s, schar_val + 1);
+ memcpy (d, s, sshrt_val + 2);
+ memcpy (d, s, sint_val + 3);
+ memcpy (d, s, slong_val + 4);
+
+ memcpy (d, s, uchar_val + 5);
+ memcpy (d, s, ushrt_val + 6);
+ memcpy (d, s, uint_val + 7);
+ memcpy (d, s, ulong_val + 8);
+}
+
+/* Test mempcpy with a number of bytes bounded by a known range. */
+
+void test_mempcpy_range (void *d, const void *s)
+{
+ char buf[5];
+
+ mempcpy (buf, s, UR (0, 5));
+ mempcpy (buf, s, UR (1, 5));
+ mempcpy (buf, s, UR (2, 5));
+ mempcpy (buf, s, UR (3, 5));
+ mempcpy (buf, s, UR (4, 5));
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ mempcpy (buf, s, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ mempcpy (buf, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ mempcpy (buf, s, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise mempcpy into a destination of unknown size with excessive
+ number of bytes. */
+ mempcpy (d, s, UR (ssize_max, size_max));
+ mempcpy (d, s, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test memset with a number of bytes bounded by a known range. */
+
+void test_memset_range (void *d)
+{
+ char buf[5];
+
+ memset (buf, 0, UR (0, 5));
+ memset (buf, 0, UR (1, 5));
+ memset (buf, 0, UR (2, 5));
+ memset (buf, 0, UR (3, 5));
+ memset (buf, 0, UR (4, 5));
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ memset (buf, 0, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ memset (buf, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ memset (buf, 0, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise memset into a destination of unknown size with excessive
+ number of bytes. */
+ memset (d, 0, UR (ssize_max, size_max));
+ memset (d, 0, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test bzero with a number of bytes bounded by a known range. */
+
+void test_bzero_range (void *d)
+{
+ char buf[5];
+
+ bzero (buf, UR (0, 5));
+ bzero (buf, UR (1, 5));
+ bzero (buf, UR (2, 5));
+ bzero (buf, UR (3, 5));
+ bzero (buf, UR (4, 5));
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 overflows the destination" } */
+
+ bzero (buf, UR (ssize_max, size_max)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 overflows the destination" } */
+ bzero (buf, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+ bzero (buf, UR (size_max - 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise bzero into a destination of unknown size with excessive
+ number of bytes. */
+ bzero (d, UR (ssize_max, size_max));
+ bzero (d, UR (ssize_max + 1, size_max)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strcat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strcat_range (void)
+{
+ char buf[5] = "";
+
+ strcat (buf, S (0));
+ strcat (buf, S (1));
+ strcat (buf, S (2));
+ strcat (buf, S (3));
+ strcat (buf, S (4));
+ strcat (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strcat. */
+ char buf2[5] = "12";
+ strcat (buf2, S (4)); /* { dg-warning "writing 5 bytes into a region of size 3" "strcat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Verify that strcpy with an unknown source string doesn't cause
+ warnings unless the destination has zero size. */
+
+void test_strcpy (const char *src)
+{
+ struct A { char a[2]; char b[3]; } a;
+
+ strcpy (a.a, src);
+ strcpy (a.a + 1, src);
+
+ /* There must be enough room in the destination for the terminating
+ nul, otherwise verify that a warning is issued.
+ The following works as expected with __builtin___strcpy_chk and
+ __builtin_object_size because they see that the offset is from
+ the a.a array. When optimization is enabled, it isn't detected
+ by __bultin_strcpy (when __builtin_object_size isn't called
+ explicitly) because by the time it's seen the offset has been
+ transformed to one from the beginning of the whole object, i.e.,
+ as if it had been written as (char*)&a + 2 . Then the destination
+ size is taken to be the rest of the whole object. It is detected
+ by __builtin_strcpy when optimization is not enabled because then
+ the &a.a + 2 expression is preserved. But without optimization
+ an ordinary call to strcpy isn't transformed to __builtin_strcpy
+ and so it can't be detected here (since the rest of the test
+ relies on optimization). */
+ strcpy (a.a + 2, src); /* { dg-warning "writing at least 1 byte into a region of size 0 " "strcpy into empty substring" { xfail *-*-* } } */
+
+ /* This does work. */
+ strcpy (a.a + 5, src); /* { dg-warning "writing at least 1 byte into a region of size 0 " } */
+
+ /* As does this. */
+ strcpy (a.a + 17, src); /* { dg-warning "writing at least 1 byte into a region of size 0 " } */
+}
+
+/* Test strcpy with a non-constant source string of length in a known
+ range. */
+
+void test_strcpy_range (void)
+{
+ char buf[5];
+
+ strcpy (buf, S (0));
+ strcpy (buf, S (1));
+ strcpy (buf, S (2));
+ strcpy (buf, S (4));
+ strcpy (buf, S (5)); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+ strcpy (buf, S (6)); /* { dg-warning "writing 7 bytes into a region of size 5 " } */
+ strcpy (buf, S (7)); /* { dg-warning "writing 8 bytes into a region of size 5 " } */
+ strcpy (buf, S (8)); /* { dg-warning "writing 9 bytes into a region of size 5 " } */
+ strcpy (buf, S (9)); /* { dg-warning "writing 10 bytes into a region of size 5 " } */
+ strcpy (buf, S (10)); /* { dg-warning "writing 11 bytes into a region of size 5 " } */
+
+ strcpy (buf + 5, S (0)); /* { dg-warning "writing 1 byte into a region of size 0 " } */
+
+ strcpy (buf + 17, S (0)); /* { dg-warning "writing 1 byte into a region of size 0 " } */
+}
+
+/* Test strncat with an argument referencing a non-constant string of
+ lengths in a known range. */
+
+void test_strncat_range (void)
+{
+ char buf[5] = "";
+
+ strncat (buf, S (0), 0);
+ strncat (buf, S (0), 1);
+ strncat (buf, S (0), 2);
+ strncat (buf, S (0), 3);
+ strncat (buf, S (0), 4);
+
+ strncat (buf + 5, S (0), 0);
+
+ strncat (buf + 5, S (0), 1); /* { dg-warning "specified bound 1 exceeds the size 0 of the destination " } */
+ strncat (buf + 5, S (1), 1); /* { dg-warning "specified bound 1 exceeds the size 0 of the destination " } */
+
+ /* Strncat always appends a terminating null after copying the N
+ characters so the following triggers a warning pointing out
+ that specifying sizeof(buf) as the upper bound may cause
+ the nul to overflow the destination. */
+ strncat (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (0), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ strncat (buf, S (1), 0);
+ strncat (buf, S (1), 1);
+ strncat (buf, S (1), 2);
+ strncat (buf, S (1), 3);
+ strncat (buf, S (1), 4);
+ strncat (buf, S (1), 5); /* { dg-warning "specified bound 5 equals the size of the destination" } */
+ strncat (buf, S (1), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+ strncat (buf, S (2), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ /* The following could just as well say "writing 6 bytes into a region
+ of size 5. Either would be correct and probably equally as clear
+ in this case. But when the length of the source string is not known
+ at all then the bound warning seems clearer. */
+ strncat (buf, S (5), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination " } */
+ strncat (buf, S (7), 6); /* { dg-warning "specified bound 6 exceeds the size 5 of the destination" } */
+
+ {
+ /* The implementation of the warning isn't smart enough to determine
+ the length of the string in the buffer so it assumes it's empty
+ and issues the warning basically for the same cases as strncpy. */
+ char buf2[5] = "12";
+ strncat (buf2, S (4), 4); /* { dg-warning "writing 5 bytes into a region of size 3" "strncat to a non-empty string" { xfail *-*-* } } */
+ }
+}
+
+/* Test strncat_chk with an argument referencing a non-constant string
+ of lengths in a known range. */
+
+void test_strncat_chk_range (char *d)
+{
+ char buf[5] = "";
+
+#define strncat_chk(d, s, n) \
+ __builtin___strncat_chk ((d), (s), (n), __builtin_object_size (d, 1));
+
+ strncat_chk (buf, S (0), 1);
+ strncat_chk (buf, S (0), 2);
+ strncat_chk (buf, S (0), 3);
+ strncat_chk (buf, S (0), 4);
+ strncat_chk (buf, S (0), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), 1);
+ strncat_chk (buf, S (5), 2);
+ strncat_chk (buf, S (5), 3);
+ strncat_chk (buf, S (5), 4);
+ strncat_chk (buf, S (5), 5); /* { dg-warning "specified bound 5 equals the size of the destination " } */
+
+ strncat_chk (buf, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds the size 5 of the destination " } */
+
+ strncat_chk (d, S (5), size_max); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size " } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a constant number of bytes. */
+
+void test_strncpy_string_range (char *d)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), 0);
+ strncpy (buf, S (0), 1);
+ strncpy (buf, S (0), 2);
+ strncpy (buf, S (0), 3);
+ strncpy (buf, S (0), 4);
+ strncpy (buf, S (0), 5);
+ strncpy (buf, S (0), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (6), 4);
+ strncpy (buf, S (7), 5);
+ strncpy (buf, S (8), 6); /* { dg-warning "writing 6 bytes into a region of size 5 " } */
+
+ strncpy (buf, S (1), ssize_max - 1); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (2), ssize_max); /* { dg-warning "writing \[0-9\]+ bytes into a region of size 5" } */
+ strncpy (buf, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (buf, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (d, S (1), ssize_max - 1);
+ strncpy (d, S (2), ssize_max);
+ strncpy (d, S (3), ssize_max + 1); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+ strncpy (d, S (4), size_max); /* { dg-warning "specified size \[0-9\]+ exceeds maximum object size" } */
+}
+
+/* Test strncpy with a non-constant source string of length in a known
+ range and a non-constant number of bytes also in a known range. */
+
+void test_strncpy_string_count_range (char *dst, const char *src)
+{
+ char buf[5];
+
+ strncpy (buf, S (0), UR (0, 1));
+ strncpy (buf, S (0), UR (0, 2));
+ strncpy (buf, S (0), UR (0, 3));
+ strncpy (buf, S (0), UR (0, 4));
+ strncpy (buf, S (0), UR (0, 5));
+ strncpy (buf, S (0), UR (0, 6));
+ strncpy (buf, S (0), UR (1, 6));
+ strncpy (buf, S (0), UR (2, 6));
+ strncpy (buf, S (0), UR (3, 6));
+ strncpy (buf, S (0), UR (4, 6));
+ strncpy (buf, S (0), UR (5, 6));
+
+ strncpy (buf, S (9), UR (0, 1));
+ strncpy (buf, S (8), UR (0, 2));
+ strncpy (buf, S (7), UR (0, 3));
+ strncpy (buf, S (6), UR (0, 4));
+ strncpy (buf, S (8), UR (0, 5));
+ strncpy (buf, S (7), UR (0, 6));
+ strncpy (buf, S (6), UR (1, 6));
+ strncpy (buf, S (5), UR (2, 6));
+ strncpy (buf, S (9), UR (3, 6));
+ strncpy (buf, S (8), UR (4, 6));
+ strncpy (buf, S (7), UR (5, 6));
+
+ strncpy (buf, S (0), UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+ strncpy (buf, S (1), UR (7, 8)); /* { dg-warning "writing between 7 and 8 bytes into a region of size 5 " } */
+ strncpy (buf, S (2), UR (ssize_max, ssize_max + 1)); /* { dg-warning "writing between \[0-9\]+ and \[0-9\]+ bytes into a region of size 5 " } */
+
+ strncpy (buf, S (2), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+
+ strncpy (buf + 5, S (0), UR (0, 1));
+ strncpy (buf + 5, S (1), UR (0, 1));
+ strncpy (buf + 5, S (0), UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 " } */
+ strncpy (buf + 5, S (1), UR (1, 2)); /* { dg-warning "writing between 1 and 2 bytes into a region of size 0 " } */
+
+ strncpy (buf, src, UR (0, 1));
+ strncpy (buf, src, UR (0, 2));
+ strncpy (buf, src, UR (0, 3));
+ strncpy (buf, src, UR (0, 4));
+ strncpy (buf, src, UR (0, 5));
+ strncpy (buf, src, UR (0, 6));
+ strncpy (buf, src, UR (1, 6));
+ strncpy (buf, src, UR (2, 6));
+ strncpy (buf, src, UR (3, 6));
+ strncpy (buf, src, UR (4, 6));
+ strncpy (buf, src, UR (5, 6));
+ strncpy (buf, src, UR (6, 7)); /* { dg-warning "writing between 6 and 7 bytes into a region of size 5 " } */
+
+ /* Exercise strncpy into a destination of unknown size with a valid
+ and invalid constant number of bytes. */
+ strncpy (dst, S (0), UR (5, 6));
+ strncpy (dst, S (1), UR (6, 7));
+ strncpy (dst, S (2), UR (7, 8));
+
+ strncpy (dst, S (3), UR (ssize_max, ssize_max + 1));
+
+ strncpy (dst, S (4), UR (ssize_max + 1, ssize_max + 2)); /* { dg-warning "specified size between \[0-9\]+ and \[0-9\]+ exceeds maximum object size" } */
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
new file mode 100644
index 0000000..489f880
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-5.c
@@ -0,0 +1,260 @@
+/* Test exercising -Wrawmem-overflow and -Wstringop-overflow warnings. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wstringop-overflow=1" } */
+
+#define offsetof(type, mem) __builtin_offsetof (type, mem)
+
+/* Return the number of bytes from member MEM of TYPE to the end
+ of object OBJ. */
+#define offsetfrom(type, obj, mem) (sizeof (obj) - offsetof (type, mem))
+
+
+typedef __SIZE_TYPE__ size_t;
+extern void* memcpy (void*, const void*, size_t);
+extern void* memset (void*, int, __SIZE_TYPE__);
+
+
+struct A { char a, b; };
+struct B { struct A a; char c, d; };
+
+/* Function to call to "escape" pointers from tests below to prevent
+ GCC from assuming the values of the objects they point to stay
+ the unchanged. */
+void escape (void*, ...);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+/* Verify that writing past the end of a local array is diagnosed. */
+
+void test_memop_warn_local (const void *src)
+{
+ size_t n;
+
+ n = range (8, 32);
+
+ struct A a[2];
+
+ memcpy (a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+ escape (a, src);
+
+ /* At -Wrawmem-overflow=1 the destination is considered to be
+ the whole array and its size is therefore sizeof a. */
+ memcpy (&a[0], src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+ escape (a, src);
+
+ /* Verify the same as above but by writing into the first mmeber
+ of the first element of the array. */
+ memcpy (&a[0].a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" } */
+ escape (a, src);
+
+ n = range (12, 32);
+
+ struct B b[2];
+
+ memcpy (&b[0], src, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 8 overflows the destination" } */
+ escape (b);
+
+ /* The following idiom of clearing multiple members of a struct is
+ used in a few places in the Linux kernel. Verify that a warning
+ is issued for it when it writes past the end of the array object. */
+ memset (&b[0].a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" } */
+ escape (b);
+
+ memset (&b->a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" } */
+ escape (b);
+
+ memset (&b[0].c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" } */
+ escape (b);
+
+ memset (&b->c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" } */
+ escape (b);
+
+ memset (&b[0].d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+ escape (b);
+
+ memset (&b->d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" } */
+ escape (b);
+
+ /* Same as above but clearing just elements of the second element
+ of the array. */
+ memset (&b[1].a.b, 0, offsetfrom (struct B, b[1], a.b) + 1); /* { dg-warning "writing 4 bytes into a region of size 3" } */
+ escape (b);
+
+ memset (&b[1].c, 0, offsetfrom (struct B, b[1], c) + 1); /* { dg-warning "writing 3 bytes into a region of size 2" } */
+ escape (b);
+
+ memset (&b[1].d, 0, offsetfrom (struct B, b[1], d) + 1); /* { dg-warning "writing 2 bytes into a region of size 1" } */
+ escape (b);
+}
+
+/* Verify that writing past the end of a dynamically allocated array
+ of known size is diagnosed. */
+
+void test_memop_warn_alloc (const void *src)
+{
+ size_t n;
+
+ n = range (8, 32);
+
+ struct A *a = __builtin_malloc (sizeof *a * 2);
+
+ memcpy (a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (a, src);
+
+ /* At -Wrawmem-overflow=1 the destination is considered to be
+ the whole array and its size is therefore sizeof a. */
+ memcpy (&a[0], src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (a, src);
+
+ /* Verify the same as above but by writing into the first mmeber
+ of the first element of the array. */
+ memcpy (&a[0].a, src, n); /* { dg-warning "writing between 8 and 32 bytes into a region of size 4 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (a, src);
+
+ n = range (12, 32);
+
+ struct B *b = __builtin_malloc (sizeof *b * 2);
+
+ memcpy (&b[0], src, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 8 overflows the destination" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ /* The following idiom of clearing multiple members of a struct is
+ used in a few places in the Linux kernel. Verify that a warning
+ is issued for it when it writes past the end of the array object. */
+ memset (&b[0].a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b->a.b, 0, offsetfrom (struct B, b, a.b) + 1); /* { dg-warning "writing 8 bytes into a region of size 7" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[0].c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b->c, 0, offsetfrom (struct B, b, c) + 1); /* { dg-warning "writing 7 bytes into a region of size 6" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[0].d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b->d, 0, offsetfrom (struct B, b, d) + 1); /* { dg-warning "writing 6 bytes into a region of size 5" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ /* Same as above but clearing just elements of the second element
+ of the array. */
+ memset (&b[1].a.b, 0, offsetfrom (struct B, b[1], a.b) + 1); /* { dg-warning "writing 4 bytes into a region of size 3" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[1].c, 0, offsetfrom (struct B, b[1], c) + 1); /* { dg-warning "writing 3 bytes into a region of size 2" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+
+ memset (&b[1].d, 0, offsetfrom (struct B, b[1], d) + 1); /* { dg-warning "writing 2 bytes into a region of size 1" "memcpy into allocated" { xfail *-*-*} } */
+ escape (b);
+}
+
+
+void test_memop_nowarn (const void *src)
+{
+ struct B b[2];
+
+ size_t n = range (sizeof b, 32);
+
+ /* Verify that clearing the whole array is not diagnosed regardless
+ of whether the expression pointing to its beginning is obtained
+ from the array itself or its first member(s). */
+ memcpy (b, src, n);
+ escape (b);
+
+ memcpy (&b[0], src, n);
+ escape (b);
+
+ memcpy (&b[0].a, src, n);
+ escape (b, src);
+
+ memcpy (&b[0].a.a, src, n);
+ escape (b, src);
+
+ /* Clearing multiple elements of an array of structs. */
+ memset (&b[0].a.b, 0, sizeof b - offsetof (struct B, a.b));
+ escape (b);
+
+ memset (&b->a.b, 0, sizeof b - offsetof (struct B, a.b));
+ escape (b);
+
+ memset (&b[0].c, 0, sizeof b - offsetof (struct B, c));
+ escape (b);
+
+ memset (&b->c, 0, sizeof b - offsetof (struct B, c));
+ escape (b);
+
+ memset (&b[0].d, 0, sizeof b - offsetof (struct B, d));
+ escape (b);
+
+ memset (&b->d, 0, sizeof b - offsetof (struct B, d));
+ escape (b);
+
+ /* Same as above but clearing just elements of the second element
+ of the array. */
+ memset (&b[1].a.b, 0, sizeof b[1] - offsetof (struct B, a.b));
+ escape (b);
+
+ memset (&b[1].c, 0, sizeof b[1] - offsetof (struct B, c));
+ escape (b);
+
+ memset (&b[1].d, 0, sizeof b[1] - offsetof (struct B, d));
+ escape (b);
+}
+
+
+/* The foollowing function could specify in its API that it takes
+ an array of exactly two elements, as shown below. Verify that
+ writing into both elements is not diagnosed. */
+void test_memop_nowarn_arg (struct A[2], const void*);
+
+void test_memop_nowarn_arg (struct A *a, const void *src)
+{
+ memcpy (a, src, 2 * sizeof *a);
+ escape (a, src);
+
+ memcpy (a, src, range (2 * sizeof *a, 123));
+ escape (a, src);
+}
+
+
+struct C { char a[3], b; };
+struct D { struct C c; char d, e; };
+
+extern char* strncpy (char*, const char*, __SIZE_TYPE__);
+
+void test_stringop_warn (void)
+{
+ size_t n = range (2 * sizeof (struct D) + 1, 33);
+
+ struct C c[2];
+
+ /* Similarly, at -Wstringop-overflow=1 the destination is considered
+ to be the whole array and its size is therefore sizeof c. */
+ strncpy (c[0].a, "123", n); /* { dg-warning "writing between 13 and 33 bytes into a region of size 8 overflows the destination" } */
+
+ escape (c);
+}
+
+
+void test_stringop_nowarn (void)
+{
+ struct D d[2];
+
+ strncpy (d[0].c.a, "123", range (sizeof d, 32));
+ escape (d);
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c b/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c
new file mode 100644
index 0000000..9572ce1
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/builtin-stringop-chk-6.c
@@ -0,0 +1,112 @@
+/* Test exercising -Wrawmem-overflow and -Wstringop-overflow warnings. */
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wstringop-overflow=2" } */
+
+#define offsetof(type, mem) __builtin_offsetof (type, mem)
+
+/* Return the number of bytes from member MEM of TYPE to the end
+ of object OBJ. */
+#define offsetfrom(type, obj, mem) (sizeof (obj) - offsetof (type, mem))
+
+
+typedef __SIZE_TYPE__ size_t;
+extern void* memcpy (void*, const void*, size_t);
+extern void* memset (void*, int, __SIZE_TYPE__);
+
+
+struct A { char a, b; };
+struct B { struct A a; char c, d; };
+
+/* Function to call to "escape" pointers from tests below to prevent
+ GCC from assuming the values of the objects they point to stay
+ the unchanged. */
+void escape (void*, ...);
+
+/* Function to "generate" a random number each time it's called. Declared
+ (but not defined) and used to prevent GCC from making assumptions about
+ their values based on the variables uses in the tested expressions. */
+size_t random_unsigned_value (void);
+
+/* Return a random unsigned value between MIN and MAX. */
+
+static inline size_t
+range (size_t min, size_t max)
+{
+ const size_t val = random_unsigned_value ();
+ return val < min || max < val ? min : val;
+}
+
+
+void test_memop_warn_object (const void *src)
+{
+ unsigned n = range (17, 29);
+
+ struct A a[2];
+
+ /* At both -Wstringop-overflow=2, like at 1, the destination of functions
+ that operate on raw memory is considered to be the whole array and its
+ size is therefore sizeof a. */
+ memcpy (&a[0], src, n); /* { dg-warning "writing between 17 and 29 bytes into a region of size 4 overflows the destination" } */
+ escape (a);
+}
+
+void test_memop_warn_subobject (const void *src)
+{
+ unsigned n = range (17, 31);
+
+ struct B b[2];
+
+ /* At -Wrawmem-overflow=2 the destination is considered to be
+ the member sobobject of the first array element and its size
+ is therefore sizeof b[0].a. */
+ memcpy (&b[0].a, src, n); /* { dg-warning "writing between 17 and 31 bytes into a region of size 8 overflows the destination" } */
+
+ escape (b);
+}
+
+void test_memop_nowarn_subobject (void)
+{
+ struct B b[2];
+
+ /* The following idiom of clearing multiple members of a struct
+ has been seen in a few places in the Linux kernel. Verify
+ that a warning is not issued for it. */
+ memset (&b[0].c, 0, sizeof b[0] - offsetof (struct B, c));
+
+ escape (b);
+}
+
+struct C { char a[3], b; };
+struct D { struct C c; char d, e; };
+
+extern char* strncpy (char*, const char*, __SIZE_TYPE__);
+
+void test_stringop_warn_object (const char *str)
+{
+ unsigned n = range (2 * sizeof (struct D), 32);
+
+ struct C c[2];
+
+ /* Similarly, at -Wstringop-overflow=2 the destination is considered
+ to be the array member of the first element of the array c and its
+ size is therefore sizeof c[0].a. */
+ strncpy (c[0].a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (c);
+
+ strncpy (c[0].a, str, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (c);
+}
+
+void test_stringop_warn_subobject (const char *src)
+{
+ unsigned n = range (2 * sizeof (struct D), 32);
+
+ struct D d[2];
+
+ /* Same as above. */
+ strncpy (d[0].c.a, "123", n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (d);
+
+ strncpy (d[0].c.a, src, n); /* { dg-warning "writing between 12 and 32 bytes into a region of size 3 overflows the destination" } */
+ escape (d);
+}
diff --git a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
index 44677f1..daff680 100644
--- a/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
+++ b/gcc/testsuite/gcc.dg/builtin-strncat-chk-1.c
@@ -24,15 +24,15 @@ test (int arg, ...)
*p = 0;
strncat (p, "abcdefghi", 10);
*p = 0;
- strncat (p, "abcdefghij", 10); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghij", 10); /* { dg-warning "writing 11 bytes into a region of size 10 overflows the destination" } */
*p = 0;
strncat (p, "abcdefgh", 11);
*p = 0;
- strncat (p, "abcdefghijkl", 11); /* { dg-warning "will always overflow" } */
+ strncat (p, "abcdefghijkl", 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
*p = 0;
strncat (p, q, 9);
*p = 0;
- strncat (p, q, 10); /* { dg-warning "might overflow" } */
+ strncat (p, q, 10); /* { dg-warning "specified bound 10 equals the size of the destination" } */
*p = 0;
- strncat (p, q, 11); /* { dg-warning "might overflow" } */
+ strncat (p, q, 11); /* { dg-warning "specified bound 11 exceeds the size 10 of the destination" } */
}
diff --git a/gcc/testsuite/gcc.dg/fstack-protector-strong.c b/gcc/testsuite/gcc.dg/fstack-protector-strong.c
index 8e9d891..94dc350 100644
--- a/gcc/testsuite/gcc.dg/fstack-protector-strong.c
+++ b/gcc/testsuite/gcc.dg/fstack-protector-strong.c
@@ -106,7 +106,7 @@ int
foo8 ()
{
char base[100];
- memcpy ((void *)base, (const void *)pg0, 105);
+ memcpy ((void *)base, (const void *)pg0, 105); /* { dg-warning "writing 105 bytes into a region of size 100" } */
return (int)(base[32]);
}
diff --git a/gcc/testsuite/gcc.dg/memcpy-2.c b/gcc/testsuite/gcc.dg/memcpy-2.c
index 24464abd..7f839d2 100644
--- a/gcc/testsuite/gcc.dg/memcpy-2.c
+++ b/gcc/testsuite/gcc.dg/memcpy-2.c
@@ -7,7 +7,7 @@ typedef __SIZE_TYPE__ size_t;
extern inline __attribute__((gnu_inline, always_inline, artificial)) void *
memcpy (void *__restrict dest, const void *__restrict src, size_t len)
{
- return __builtin___memcpy_chk (dest, /* { dg-warning "will always overflow destination buffer" } */
+ return __builtin___memcpy_chk (dest, /* { dg-warning "writing" } */
src, len, __builtin_object_size (dest, 0));
}
diff --git a/gcc/testsuite/gcc.dg/pr40340-1.c b/gcc/testsuite/gcc.dg/pr40340-1.c
index aae84c6..78540a2 100644
--- a/gcc/testsuite/gcc.dg/pr40340-1.c
+++ b/gcc/testsuite/gcc.dg/pr40340-1.c
@@ -20,5 +20,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-2.c b/gcc/testsuite/gcc.dg/pr40340-2.c
index a0d6e084..1dc21d1 100644
--- a/gcc/testsuite/gcc.dg/pr40340-2.c
+++ b/gcc/testsuite/gcc.dg/pr40340-2.c
@@ -12,5 +12,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/pr40340-5.c b/gcc/testsuite/gcc.dg/pr40340-5.c
index f50514c..e517147 100644
--- a/gcc/testsuite/gcc.dg/pr40340-5.c
+++ b/gcc/testsuite/gcc.dg/pr40340-5.c
@@ -13,5 +13,5 @@ main (void)
return 0;
}
-/* { dg-warning "will always overflow destination buffer" "" { target *-*-* } 10 } */
+/* { dg-warning "writing" "" { target *-*-* } 10 } */
/* { dg-message "file included" "In file included" { target *-*-* } 0 } */
diff --git a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
index 7ce9eae..b5a59f4 100644
--- a/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
+++ b/gcc/testsuite/gcc.dg/torture/Wsizeof-pointer-memaccess1.c
@@ -710,4 +710,4 @@ f4 (char *x, char **y, int z, char w[64])
return z;
}
-/* { dg-prune-output "\[\n\r\]*will always overflow\[\n\r\]*" } */
+/* { dg-prune-output "\[\n\r\]*writing\[\n\r\]*" } */
diff --git a/gcc/testsuite/gcc.dg/torture/pr71132.c b/gcc/testsuite/gcc.dg/torture/pr71132.c
index 2991718..2544eb1 100644
--- a/gcc/testsuite/gcc.dg/torture/pr71132.c
+++ b/gcc/testsuite/gcc.dg/torture/pr71132.c
@@ -1,4 +1,9 @@
/* { dg-do compile } */
+/* { dg-additional-options "-Wno-stringop-overflow" } */
+/* The loop below writes past the end of the global object a.
+ When the loop is transformed into a call to memcpy the buffer
+ overflow is detected and diagnosed by the -Wstringop-overflow
+ option enabled by default. */
typedef unsigned size_t;
struct {
diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c
index 5779a95..c8c1c28 100644
--- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c
+++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c
@@ -1285,7 +1285,7 @@ void test_vsprintf_chk_int (__builtin_va_list va)
void test_snprintf_c_const (void)
{
- T (-1, "%c", 0); /* { dg-warning "specified destination size \[0-9\]+ too large" } */
+ T (-1, "%c", 0); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */
/* Verify the full text of the diagnostic for just the distinct messages
and use abbreviations in subsequent test cases. */
@@ -1333,9 +1333,9 @@ void test_snprintf_chk_c_const (void)
/* Verify that specifying a size of the destination buffer that's
bigger than its actual size (normally determined and passed to
the function by __builtin_object_size) is diagnosed. */
- __builtin___snprintf_chk (buffer, 3, 0, 2, " "); /* { dg-warning "always overflow|specified size 3 exceeds the size 2 of the destination" } */
+ __builtin___snprintf_chk (buffer, 3, 0, 2, " "); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" } */
- T (-1, "%c", 0); /* { dg-warning "specified destination size \[^ \]* too large" } */
+ T (-1, "%c", 0); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */
T (0, "%c", 0);
T (0, "%c%c", 0, 0);
@@ -1446,7 +1446,7 @@ void test_vsprintf_int (__builtin_va_list va)
void test_vsnprintf_s (__builtin_va_list va)
{
- T (-1, "%s"); /* { dg-warning "specified destination size \[^ \]* too large" } */
+ T (-1, "%s"); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */
T (0, "%s");
T (1, "%s");
@@ -1469,9 +1469,9 @@ void test_vsnprintf_chk_s (__builtin_va_list va)
/* Verify that specifying a size of the destination buffer that's
bigger than its actual size (normally determined and passed to
the function by __builtin_object_size) is diagnosed. */
- __builtin___vsnprintf_chk (buffer, 123, 0, 122, "%-s", va); /* { dg-warning "always overflow|specified size 123 exceeds the size 122 of the destination object" } */
+ __builtin___vsnprintf_chk (buffer, 123, 0, 122, "%-s", va); /* { dg-warning "specified bound 123 exceeds the size 122 of the destination" } */
- __builtin___vsnprintf_chk (buffer, __SIZE_MAX__, 0, 2, "%-s", va); /* { dg-warning "always overflow|destination size .\[0-9\]+. too large" } */
+ __builtin___vsnprintf_chk (buffer, __SIZE_MAX__, 0, 2, "%-s", va); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */
T (0, "%s");
T (1, "%s");
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PING 2] [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-09 22:50 ` [PING] " Martin Sebor
@ 2016-11-16 15:58 ` Martin Sebor
2016-11-22 0:18 ` Ping 3 " Martin Sebor
2016-12-07 19:42 ` [PING] " Jeff Law
1 sibling, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-16 15:58 UTC (permalink / raw)
To: Jakub Jelinek, Jeff Law, gcc-patches, Tobias Burnus
I'm still looking for a review of the patch below, first posted
on 10/28 and last updated/pinged last Wednesday:
https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00896.html
Thanks
On 11/09/2016 03:49 PM, Martin Sebor wrote:
> The attached minor update to the patch also resolves bug 77784 that
> points out that -Wformat-length issues a warning also issued during
> the expansion of some of the __builtin___sprintf_chk intrinsics.
>
> Martin
>
> On 11/04/2016 02:16 PM, Martin Sebor wrote:
>> Attached is an update to the patch that takes into consideration
>> the feedback I got. It goes back to adding just one option,
>> -Wstringop-overflow, as in the original, while keeping the Object
>> Size type as an argument. It uses type-1 as the default setting
>> for string functions (strcpy et al.) and, unconditionally, type-0
>> for raw memory functions (memcpy, etc.)
>>
>> I retested Binutils 2.27 and the Linux kernel again with this patch
>> and also added Glibc, and it doesn't complain about anything (both
>> Binutils and the kernel also build cleanly with an unpatched GCC
>> with_FORTIFY_SOURCE=2 or its rough equivalent for the kernel).
>> The emit-rtl.c warning (bug 78174) has also been suppressed by
>> the change to bos type-0 for memcpy.
>>
>> While the patch doesn't trigger any false positives (AFAIK) it is
>> subject to a fair number of false negatives due to the limitations
>> of the tree-object-size pass, and due to transformations done by
>> other passes that prevent it from detecting some otherwise obvious
>> overflows. Although unfortunate, I believe the warnings that are
>> emitted are useful as the first line of defense in software that
>> doesn't use _FORTIFY_SOURCE (such as GCC itself). And this can
>> of course be improved if some of the limitations are removed over
>> time.
>>
>> Martin
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-02 19:32 ` Jakub Jelinek
2016-11-04 20:16 ` Martin Sebor
2016-11-07 0:50 ` Martin Sebor
@ 2016-11-16 18:10 ` Jeff Law
2 siblings, 0 replies; 22+ messages in thread
From: Jeff Law @ 2016-11-16 18:10 UTC (permalink / raw)
To: Jakub Jelinek, Martin Sebor; +Cc: gcc-patches, Tobias Burnus
[ I'm catching up on a variety of things... So apologies if y'all
have settled these issues. ]
On 11/02/2016 01:32 PM, Jakub Jelinek wrote:
> But obviously not all levels of the warning can/should be enabled
> with -Wall/-Werror. There are cases which are worth warning by default
> (the case where we want to inform the user if you reach this stmt,
> you'll get your program killed (will call __chk_fail)) is something
> that ought like before be enabled by default; can have a warning
> switch users can disable.
> Then there is the case where there is a sure buffer overflow (not using
> -D_FORTIFY_SOURCE, but still __bos (, 0) tells the buffer is too short,
> and it is unconditional (no tricks with PHIs where one path has short
> and another part has long size). This is something that is useful
> in -Wall.
> The rest I'm very doubtful about even for -Wextra.
I would hesitate on distinguishing between something that flows via a
PHI vs something that is explicit in the IL.
It is entirely possible that an unrelated path isolation might take a
PHI where one path is short and one long and split it into two paths.
At that point they're both going to be explicit in the IL. You'd then
have to use something like global anticipability analysis to determine
if they're executed unconditionally.
Jeff
^ permalink raw reply [flat|nested] 22+ messages in thread
* Ping 3 [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-16 15:58 ` [PING 2] " Martin Sebor
@ 2016-11-22 0:18 ` Martin Sebor
2016-12-06 4:04 ` Ping 4 " Martin Sebor
0 siblings, 1 reply; 22+ messages in thread
From: Martin Sebor @ 2016-11-22 0:18 UTC (permalink / raw)
To: Jakub Jelinek, Jeff Law, gcc-patches, Tobias Burnus
Ping: https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00896.html
On 11/16/2016 08:58 AM, Martin Sebor wrote:
> I'm still looking for a review of the patch below, first posted
> on 10/28 and last updated/pinged last Wednesday:
>
> https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00896.html
>
> Thanks
>
> On 11/09/2016 03:49 PM, Martin Sebor wrote:
>> The attached minor update to the patch also resolves bug 77784 that
>> points out that -Wformat-length issues a warning also issued during
>> the expansion of some of the __builtin___sprintf_chk intrinsics.
>>
>> Martin
>>
>> On 11/04/2016 02:16 PM, Martin Sebor wrote:
>>> Attached is an update to the patch that takes into consideration
>>> the feedback I got. It goes back to adding just one option,
>>> -Wstringop-overflow, as in the original, while keeping the Object
>>> Size type as an argument. It uses type-1 as the default setting
>>> for string functions (strcpy et al.) and, unconditionally, type-0
>>> for raw memory functions (memcpy, etc.)
>>>
>>> I retested Binutils 2.27 and the Linux kernel again with this patch
>>> and also added Glibc, and it doesn't complain about anything (both
>>> Binutils and the kernel also build cleanly with an unpatched GCC
>>> with_FORTIFY_SOURCE=2 or its rough equivalent for the kernel).
>>> The emit-rtl.c warning (bug 78174) has also been suppressed by
>>> the change to bos type-0 for memcpy.
>>>
>>> While the patch doesn't trigger any false positives (AFAIK) it is
>>> subject to a fair number of false negatives due to the limitations
>>> of the tree-object-size pass, and due to transformations done by
>>> other passes that prevent it from detecting some otherwise obvious
>>> overflows. Although unfortunate, I believe the warnings that are
>>> emitted are useful as the first line of defense in software that
>>> doesn't use _FORTIFY_SOURCE (such as GCC itself). And this can
>>> of course be improved if some of the limitations are removed over
>>> time.
>>>
>>> Martin
>>
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: Ping 4 [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-22 0:18 ` Ping 3 " Martin Sebor
@ 2016-12-06 4:04 ` Martin Sebor
0 siblings, 0 replies; 22+ messages in thread
From: Martin Sebor @ 2016-12-06 4:04 UTC (permalink / raw)
To: Jeff Law, gcc-patches, Tobias Burnus
I lost track of this patch among all the others but I don't see
a reply to it in the archives.
https://gcc.gnu.org/ml/gcc-patches/2016-11/msg02173.html
The only controversial part about this one that I recall was whether
object size type 0 or 1 should be used for raw memory functions like
memcpy. The last patch uses type-0 to resolve the concern.
On 11/21/2016 05:18 PM, Martin Sebor wrote:
> Ping: https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00896.html
>
> On 11/16/2016 08:58 AM, Martin Sebor wrote:
>> I'm still looking for a review of the patch below, first posted
>> on 10/28 and last updated/pinged last Wednesday:
>>
>> https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00896.html
>>
>> Thanks
>>
>> On 11/09/2016 03:49 PM, Martin Sebor wrote:
>>> The attached minor update to the patch also resolves bug 77784 that
>>> points out that -Wformat-length issues a warning also issued during
>>> the expansion of some of the __builtin___sprintf_chk intrinsics.
>>>
>>> Martin
>>>
>>> On 11/04/2016 02:16 PM, Martin Sebor wrote:
>>>> Attached is an update to the patch that takes into consideration
>>>> the feedback I got. It goes back to adding just one option,
>>>> -Wstringop-overflow, as in the original, while keeping the Object
>>>> Size type as an argument. It uses type-1 as the default setting
>>>> for string functions (strcpy et al.) and, unconditionally, type-0
>>>> for raw memory functions (memcpy, etc.)
>>>>
>>>> I retested Binutils 2.27 and the Linux kernel again with this patch
>>>> and also added Glibc, and it doesn't complain about anything (both
>>>> Binutils and the kernel also build cleanly with an unpatched GCC
>>>> with_FORTIFY_SOURCE=2 or its rough equivalent for the kernel).
>>>> The emit-rtl.c warning (bug 78174) has also been suppressed by
>>>> the change to bos type-0 for memcpy.
>>>>
>>>> While the patch doesn't trigger any false positives (AFAIK) it is
>>>> subject to a fair number of false negatives due to the limitations
>>>> of the tree-object-size pass, and due to transformations done by
>>>> other passes that prevent it from detecting some otherwise obvious
>>>> overflows. Although unfortunate, I believe the warnings that are
>>>> emitted are useful as the first line of defense in software that
>>>> doesn't use _FORTIFY_SOURCE (such as GCC itself). And this can
>>>> of course be improved if some of the limitations are removed over
>>>> time.
>>>>
>>>> Martin
>>>
>>
>
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PING] [PATCH] enhance buffer overflow warnings (and c/53562)
2016-11-09 22:50 ` [PING] " Martin Sebor
2016-11-16 15:58 ` [PING 2] " Martin Sebor
@ 2016-12-07 19:42 ` Jeff Law
2016-12-08 0:20 ` Martin Sebor
1 sibling, 1 reply; 22+ messages in thread
From: Jeff Law @ 2016-12-07 19:42 UTC (permalink / raw)
To: Martin Sebor, Jakub Jelinek, gcc-patches, Tobias Burnus
On 11/09/2016 03:49 PM, Martin Sebor wrote:
>
>
> gcc-53562.diff
>
>
> PR c/53562 - Add -Werror= support for -D_FORTIFY_SOURCE / __builtin___memcpy_chk
> PR middle-end/77784 - duplicate warning for snprintf when n > object size
> PR middle-end/78149 - missing warning on strncpy buffer overflow due to an excessive bound
> PR middle-end/78138 - missing warnings on buffer overflow with non-constant source length
>
> gcc/c-family/ChangeLog:
> PR c/53562
> * c.opt (-Wstringop-overflow): New option.
>
> gcc/ChangeLog:
> PR c/53562
> PR middle-end/77784
> PR middle-end/78149
> PR middle-end/78138
>
> * builtins.c (expand_builtin_strcat, expand_builtin_strncat): New
> functions.
> (compute_dest_size, get_size_range, check_sizes, check_strncat_sizes)
> (check_memop_sizes): Same.
> (expand_builtin_memcpy): Call check memop_sizes.
> (expand_builtin_mempcpy): Same.
> (expand_builtin_memset): Same,
> (expand_builtin_bzero): Same.
> (expand_builtin_memory_chk): Call check_sizes.
> (expand_builtin_strcpy): Same.
> (expand_builtin_strncpy): Same.
> (maybe_emit_sprintf_chk_warning): Same.
> (expand_builtin): Handle strcat and strncat.
> (fini_object_sizes): Reset pointers.
> (compute_object_size): New function.
> * gimple-ssa-sprintf.c (pass_sprintf_length::handle_gimple_call):
> Avoid issuing warnings also issued during built-in expansion.
> * doc/invoke.texi (Warning Options): Document -Wstringop-overflow.
>
> gcc/testsuite/ChangeLog:
> PR c/53562
> PR middle-end/77784
> PR middle-end/78149
> PR middle-end/78138
>
> * c-c++-common/Wsizeof-pointer-memaccess2.c: Adjust expected diagnostic.
> * g++.dg/ext/builtin-object-size3.C (bar): Same.
> * g++.dg/ext/strncpy-chk1.C: Same.
> * g++.dg/opt/memcpy1.C: Same.
> * g++.dg/torture/Wsizeof-pointer-memaccess1.C: Same.
> * gcc.c-torture/compile/pr55569.c: Disable -Wstringop-overflow.
> * gcc.dg/Wobjsize-1.c: Adjust expected diagnostic.
> * gcc.dg/attr-alloc_size.c: Same.
> * gcc.dg/builtin-stringop-chk-1.c: Adjust expected diagnostic.
> * gcc.dg/builtin-stringop-chk-2.c: Same.
> * gcc.dg/builtin-stringop-chk-4.c: New test.
> * gcc.dg/builtin-strncat-chk-1.c: Adjust expected diagnostic.
> * gcc.dg/memcpy-2.c: Same.
> * gcc.dg/pr40340-1.c: Same.
> * gcc.dg/pr40340-2.c (main): Same.
> * gcc.dg/pr40340-5.c (main): Same.
> * gcc.dg/torture/Wsizeof-pointer-memaccess1.c: Same.
> * gcc.dg/torture/pr71132.c: Disable -Wstringop-overflow.
> * gcc.dg/tree-ssa/builtin-sprintf-warn-1.c: Adjust text of expected
> warning.
>
> * gcc.dg/fstack-protector-strong.c: Add expected diagnostic.
> diff --git a/gcc/builtins.c b/gcc/builtins.c
> index cc711a0..cb7bbaf 100644
> --- a/gcc/builtins.c
> +++ b/gcc/builtins.c
> @@ -3011,6 +3013,295 @@ expand_builtin_memcpy_args (tree dest, tree src, tree len, rtx target, tree exp)
> return dest_addr;
> }
>
> +/* Fill the 2-element RANGE array with the minimum and maximum values
> + EXP is known to have and return true, otherwise null and return
> + false. */
> +
> +static bool
> +get_size_range (tree exp, tree range[2])
> +{
> + if (tree_fits_uhwi_p (exp))
> + {
> + range[0] = range[1] = exp;
> + return true;
> + }
> +
> + if (TREE_CODE (exp) == SSA_NAME)
> + {
> + wide_int min, max;
> + enum value_range_type range_type = get_range_info (exp, &min, &max);
> +
> + if (range_type == VR_RANGE)
> + {
> + /* Interpret the bound in the variable's type. */
> + range[0] = wide_int_to_tree (TREE_TYPE (exp), min);
> + range[1] = wide_int_to_tree (TREE_TYPE (exp), max);
> + return true;
> + }
> + else if (range_type == VR_ANTI_RANGE)
> + {
> + /* An anti-range implies the original variable is signed and
> + its lower bound is negative and the upper bound positive.
> + Since that means that the expression's value could be zero
> + nothing interesting can be inferred from this. */
I'm not sure I agree with this comment. For example, we often get an
anti-range like ~[0,0].
I don't mind punting anti-ranges, but I think the comments needs
updating unless there's something else in this code that ensures that an
anti range reaching this point fits the property above.
> +/* Try to verify that the sizes and lengths of the arguments to a string
> + manipulation function given by EXP are within valid bounds and that
> + the operation does not lead to buffer overflow. Arguments other than
> + EXP may be null. When non-null, the arguments have the following
> + meaning:
> + SIZE is the user-supplied size argument to the function (such as in
> + memcpy(d, s, SIZE) or strncpy(d, s, SIZE). It specifies the exact
> + number of bytes to write.
> + MAXLEN is the user-supplied bound on the length of the source sequence
> + (such as in strncat(d, s, N). It specifies the upper limit on the number
> + of bytes to write.
> + STR is the source string (such as in strcpy(d, s)) when the epxression
> + EXP is a string function call (as opposed to a memory call like memcpy).
> + As an exception, STR can also be an integer denoting the precomputed
> + length of the source string.
> + OBJSIZE is the size of the destination object specified by the last
> + argument to the _chk builtins, typically resulting from the expansion
> + of __builtin_object_size (such as in __builtin___strcpy_chk(d, s,
> + OBJSIZE).
> +
> + When SIZE is null LEN is checked to verify that it doesn't exceed
> + SIZE_MAX.
> +
> + If the call is successfully verfified as safe from buffer overflow
> + the function returns true, otherwise false.. */
s/verfified/verified/
>
> +
> + /* There is no way here to determine the length of the string in
> + the destination to which the SRC string is being appended so
> + just diagnose cases when the srouce string is longer than
s/srouce/source/
With the comment fixes noted above, this is OK.
jeff
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PING] [PATCH] enhance buffer overflow warnings (and c/53562)
2016-12-07 19:42 ` [PING] " Jeff Law
@ 2016-12-08 0:20 ` Martin Sebor
0 siblings, 0 replies; 22+ messages in thread
From: Martin Sebor @ 2016-12-08 0:20 UTC (permalink / raw)
To: Jeff Law, Jakub Jelinek, gcc-patches, Tobias Burnus
>> + /* An anti-range implies the original variable is signed and
>> + its lower bound is negative and the upper bound positive.
>> + Since that means that the expression's value could be zero
>> + nothing interesting can be inferred from this. */
> I'm not sure I agree with this comment. For example, we often get an
> anti-range like ~[0,0].
>
> I don't mind punting anti-ranges, but I think the comments needs
> updating unless there's something else in this code that ensures that an
> anti range reaching this point fits the property above.
I'm not sure it's 100% correct either so I replaced the comment
with a FIXME as reminder to revisit it. It is what I saw while
debugging this code. For example, in this:
char d[3];
void f (int n)
{
if (n < -7 || 4 < n)
n = -7;
__builtin_memset (d, 0, n);
}
VRP reports this:
n_4: [-7, 4] EQUIVALENCES: { n_5(D) } (1 elements)
...
prephitmp_9: ~[5, 18446744073709551608]
...
# prephitmp_9 = PHI <_8(3), 18446744073709551609(2)>
__builtin_memset (&d, 0, prephitmp_9);
> With the comment fixes noted above, this is OK.
Thanks. I've made the changes above. While retesting the patch
I noticed a couple of Fortran test failures that I must have missed
the first time around. I fixed those and wound up committing r243419.
Martin
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2016-12-08 0:20 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-28 2:19 [PATCH] enhance buffer overflow warnings (and c/53562) Martin Sebor
2016-10-30 22:45 ` Martin Sebor
2016-10-31 12:39 ` Tobias Burnus
2016-10-31 16:44 ` Martin Sebor
2016-11-01 2:39 ` Martin Sebor
2016-11-01 14:10 ` Jakub Jelinek
2016-11-01 19:12 ` Jeff Law
2016-11-01 19:14 ` Jakub Jelinek
2016-11-02 2:55 ` Martin Sebor
2016-11-02 7:38 ` Jakub Jelinek
2016-11-02 15:46 ` Martin Sebor
2016-11-02 16:55 ` Martin Sebor
2016-11-02 19:32 ` Jakub Jelinek
2016-11-04 20:16 ` Martin Sebor
2016-11-09 22:50 ` [PING] " Martin Sebor
2016-11-16 15:58 ` [PING 2] " Martin Sebor
2016-11-22 0:18 ` Ping 3 " Martin Sebor
2016-12-06 4:04 ` Ping 4 " Martin Sebor
2016-12-07 19:42 ` [PING] " Jeff Law
2016-12-08 0:20 ` Martin Sebor
2016-11-07 0:50 ` Martin Sebor
2016-11-16 18:10 ` Jeff Law
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).