https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90752

            Bug ID: 90752
           Summary: missing -Warray-bounds accessing the result of string
                    functions
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

GCC doesn't diagnose any of the out-of-bounds accesses in the functions below
or any others like them that involve string built-ins.  The VRP pass has
sufficient information to issue -Warray-bounds; it simply doesn't consider
these cases.  They can be easily detected by extending
vrp_prop::check_mem_ref() to consider the first argument of each built-in call.
(For bounded functions like stpncpy that return a pointer to the last copied
character, it should also consider the bound.)

extern char a[4];

int f (const void *s, unsigned n)
{
  char *p = __builtin_memcpy (a, s, n);
  return p[-1];   // missing -Warray-bounds
}

int g (const char *s)
{
  char *p = __builtin_stpcpy (a, s);
  return p[-5];   // missing -Warray-bounds
}

int h (const char *s)
{
  char *p = __builtin_strcpy (a, s);
  return p[4];   // missing -Warray-bounds
}
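
The following is an added example, not part of the original report and not GCC's code: a simplified model of the range reasoning the report asks for, applied to the three test cases above. The names ret_kind, ret_offset and always_out_of_bounds are hypothetical, and the model assumes the built-in call itself stays within the destination array.

```c
#include <stdbool.h>
#include <stdio.h>

/* Which pointer the built-in returns (hypothetical enum for this sketch). */
enum ret_kind { RET_DEST, RET_END, RET_END_BOUNDED };

struct range { long lo, hi; };

/* Offset range, relative to the destination (the first argument), of the
   pointer returned by a call that stays within `size` bytes. */
static struct range ret_offset(enum ret_kind k, long size, long bound)
{
    struct range r = { 0, 0 };          /* memcpy, strcpy: returns dest */
    if (k == RET_END)                   /* stpcpy: dest + strlen(src) */
        r.hi = size - 1;                /* the NUL must still fit */
    else if (k == RET_END_BOUNDED)      /* stpncpy: at most dest + bound */
        r.hi = bound < size ? bound : size;
    return r;
}

/* True when p[idx] lies outside the destination for every possible offset
   of p, so the access can be diagnosed without false positives. */
bool always_out_of_bounds(enum ret_kind k, long size, long bound, long idx)
{
    struct range r = ret_offset(k, size, bound);
    return r.hi + idx < 0 || r.lo + idx >= size;
}

int main(void)
{
    /* The report's cases, all with `extern char a[4]` as destination. */
    printf("f: memcpy p[-1] -> %d\n", always_out_of_bounds(RET_DEST, 4, 0, -1));
    printf("g: stpcpy p[-5] -> %d\n", always_out_of_bounds(RET_END, 4, 0, -5));
    printf("h: strcpy p[4]  -> %d\n", always_out_of_bounds(RET_DEST, 4, 0, 4));
    /* Constructed contrast case: stpcpy p[-1] may be in bounds. */
    printf("stpcpy p[-1]    -> %d\n", always_out_of_bounds(RET_END, 4, 0, -1));
    return 0;
}
```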
