[Bug tree-optimization/83278] New: missing -Wformat-overflow for an inlined __builtin___sprintf_chk with a local buffer

Mon, 04 Dec 2017 12:49:43 -0800 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83278

            Bug ID: 83278
           Summary: missing -Wformat-overflow for an inlined
                    __builtin___sprintf_chk with a local buffer
           Product: gcc
           Version: 8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

The example below shows a inconsistency in the compile-time detection of
overflowing calls to strcpy.  The first call (in f()) is detected, the second
one (in g()) results in a duplicate warning, and third one (in h()) is not
detected.

$ cat d.c && gcc -O2 -S -Wall d.c
void sink (char*);

void f (const char *s)
{
  char a[3];

  __builtin_sprintf (a, "%s", s);   // warning (good)

  sink (a);
}

void call_f (void)
{
  f ("12345");
}

char a[3];

void g (const char *s)
{
  __builtin___sprintf_chk (a, 1,   // duplicate warning
                            __builtin_object_size (a, 1), "%s", s);
}

void call_g (void)
{
  g ("123456");
}

void h (const char *s)
{
  char a[3];

  __builtin___sprintf_chk (a, 1,   // missing warning (bug)
                           __builtin_object_size (a, 1), "%s", s);

  sink (a);
}

void call_h (void)
{
  h ("1234567");
}
d.c: In function ‘call_f’:
d.c:7:26: warning: ‘%s’ directive writing 5 bytes into a region of size 3
[-Wformat-overflow=]
   __builtin_sprintf (a, "%s", s);   // warning (good)
                          ^~
d.c:14:6:
   f ("12345");
      ~~~~~~~              
d.c:7:3: note: ‘__builtin_sprintf’ output 6 bytes into a destination of size 3
   __builtin_sprintf (a, "%s", s);   // warning (good)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
d.c: In function ‘call_g’:
d.c:22:60: warning: ‘%s’ directive writing 6 bytes into a region of size 3
[-Wformat-overflow=]
                             __builtin_object_size (a, 1), "%s", s);
                                                            ^~
d.c:27:6:
   g ("123456");
      ~~~~~~~~                                               
d.c:21:3: note: ‘__builtin___sprintf_chk’ output 7 bytes into a destination of
size 3
   __builtin___sprintf_chk (a, 1,   // duplicate warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             __builtin_object_size (a, 1), "%s", s);
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘g’,
    inlined from ‘call_g’ at d.c:27:3:
d.c:21:3: warning: ‘__builtin___sprintf_chk’ writing 7 bytes into a region of
size 3 overflows the destination [-Wstringop-overflow=]

Reply via email to