https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83278
Bug ID: 83278
Summary: missing -Wformat-overflow for an inlined __builtin___sprintf_chk with a local buffer
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

The example below shows an inconsistency in the compile-time detection of overflowing calls to strcpy.  The first call (in f()) is detected, the second one (in g()) results in a duplicate warning, and the third one (in h()) is not detected.

$ cat d.c && gcc -O2 -S -Wall d.c
void sink (char*);

void f (const char *s)
{
  char a[3];

  __builtin_sprintf (a, "%s", s);   // warning (good)

  sink (a);
}

void call_f (void)
{
  f ("12345");
}

char a[3];

void g (const char *s)
{
  __builtin___sprintf_chk (a, 1,   // duplicate warning
                           __builtin_object_size (a, 1), "%s", s);
}

void call_g (void)
{
  g ("123456");
}

void h (const char *s)
{
  char a[3];

  __builtin___sprintf_chk (a, 1,   // missing warning (bug)
                           __builtin_object_size (a, 1), "%s", s);

  sink (a);
}

void call_h (void)
{
  h ("1234567");
}

d.c: In function ‘call_f’:
d.c:7:26: warning: ‘%s’ directive writing 5 bytes into a region of size 3 [-Wformat-overflow=]
   __builtin_sprintf (a, "%s", s);   // warning (good)
                          ^~
d.c:14:6:
   f ("12345");
      ~~~~~~~
d.c:7:3: note: ‘__builtin_sprintf’ output 6 bytes into a destination of size 3
   __builtin_sprintf (a, "%s", s);   // warning (good)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
d.c: In function ‘call_g’:
d.c:22:60: warning: ‘%s’ directive writing 6 bytes into a region of size 3 [-Wformat-overflow=]
                            __builtin_object_size (a, 1), "%s", s);
                                                           ^~
d.c:27:6:
   g ("123456");
      ~~~~~~~~
d.c:21:3: note: ‘__builtin___sprintf_chk’ output 7 bytes into a destination of size 3
   __builtin___sprintf_chk (a, 1,   // duplicate warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                            __builtin_object_size (a, 1), "%s", s);
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘g’, inlined from ‘call_g’ at d.c:27:3:
d.c:21:3: warning: ‘__builtin___sprintf_chk’ writing 7 bytes into a region of size 3 overflows the destination [-Wstringop-overflow=]
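
Since the h() case above compiles without a diagnostic, a bound enforced in the code itself does not depend on the warning firing. The following is an added example, not code from the report or from GCC; fmt_bounded, h_bounded and struct fmt_result are hypothetical names, and the inputs are the strings used in the test case.

```c
#include <stdio.h>
#include <stddef.h>

/* Outcome of formatting "%s" into a fixed-size destination.  */
struct fmt_result {
  int needed;     /* bytes required including the NUL, or -1 on error */
  int truncated;  /* 1 if an unbounded sprintf would have overflowed */
};

/* Hypothetical helper: snprintf never writes more than DSTSIZE bytes
   and returns the length the full output would have had.  */
struct fmt_result
fmt_bounded (char *dst, size_t dstsize, const char *s)
{
  struct fmt_result r = { -1, 0 };
  int n = snprintf (dst, dstsize, "%s", s);
  if (n < 0)
    return r;                          /* encoding or I/O error */
  r.needed = n + 1;                    /* characters plus terminating NUL */
  r.truncated = (size_t) n >= dstsize; /* output did not fit in dst */
  return r;
}

/* Same shape as h() in the report: a local 3-byte buffer.  */
struct fmt_result
h_bounded (const char *s)
{
  char a[3];
  return fmt_bounded (a, sizeof a, s);
}

int
main (void)
{
  const char *inputs[] = { "12", "12345", "123456", "1234567" };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    {
      struct fmt_result r = h_bounded (inputs[i]);
      printf ("%-8s needs %d bytes: %s\n", inputs[i], r.needed,
              r.truncated ? "would overflow a[3]" : "fits");
    }
  return 0;
}
```

The byte counts reported for "12345" and "123456" match the "output 6 bytes" and "output 7 bytes" notes in the diagnostics above.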