https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104964
Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #10 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
OK, I have a representative reproducer, which TBH is not too different from the
one you posted, just that it succeeds with __builtin_object_size and fails with
__builtin_dynamic_object_size:
struct __string_ext
{
char s_str[0];
};
typedef struct
{
int o_prefix;
struct __string_ext i;
} string_obj;
#define SUFFIX ".suffix"
string_obj *
__acl_to_any_text (unsigned long n)
{
unsigned long off = 0;
unsigned long size = sizeof SUFFIX;
string_obj *obj = __builtin_malloc (sizeof (string_obj) + size);
if (n == 0)
__builtin_unreachable ();
while (n-- != 0)
{
if (off + 1 > size - sizeof SUFFIX)
{
size <<= 1;
string_obj *tmp = __builtin_realloc (obj, sizeof (string_obj) +
size);
if (!tmp)
__builtin_unreachable ();
obj = tmp;
}
obj->i.s_str[off++] = 'A';
}
char *t = obj->i.s_str + off;
__strcpy_chk (t, SUFFIX, __builtin_dynamic_object_size (t, 1));
return obj;
}
int
main ()
{
string_obj *s = __acl_to_any_text (32);
__builtin_printf ("%zu: %s\n", __builtin_strlen (s->i.s_str), s->i.s_str);
return 0;
}
$ gcc/cc1 -g -o test.s -quiet -Wall -O3 fs3.c
fs3.c: In function ‘__acl_to_any_text’:
fs3.c:40:3: warning: ‘__builtin___memcpy_chk’ writing 8 bytes into a region of
size 0 overflows the destination [-Wstringop-overflow=]
40 | __strcpy_chk (t, SUFFIX, __builtin_dynamic_object_size (t, 1));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The only reason why __builtin_object_size fails is because of the non-constant
OFF. If that is removed, __builtin_object_size also returns the declared size
of s_str, i.e. 0. The check for a traditionally declared trailing array ()i.e.
a[0] or a[1]) seems to be broken for nested structs like the above. Change
that to s_str[] (the struct then needs another member above) and it works fine.
