On 06/04/2012 11:46 AM, Richard Guenther wrote:
> I think "accurately" is a wrong word here - doesn't that suggest it might
> get "wrong"? The answer should always be conservatively correct, so
> it might just be not as constrained as it should. So I think you need
> to elaborate on "accurately" here.
It's wrong from the consumer point of view (i.e., the value returned by
__builtin_object_size is too large, and one could argue that it is not
conservative enough). It's not wrong according to the specification,
according to which (size_t)-1 is always correct (and thus a conservative
result). This mismatch is the main reason why _FORTIFY_SOURCE is a last
resort mechanism only.
What about this?
+This protection mechanism is only a last resort. As a programmer, you
+must not rely on its presence, but use explicit buffer length checks
+to avoid buffer overflows. GCC may not be able to determine object
+sizes with sufficient precision (that is, the reported sizes can be
+larger than what is actually available at run time), and the accuracy
+depends on compiler version and options.
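Review bot: The third sentence of the hunk describes the failure mode only as sizes being "larger than what is actually available", which understates it; the reply above notes that when GCC cannot determine the size the builtin returns (size_t)-1, so the fortified call performs no check at all rather than a looser one. Consider saying that explicitly, e.g. "When GCC cannot determine the size of an object, __builtin_object_size returns (size_t)-1 and the fortified call performs no check." The phrase "last resort" already appears in the first sentence, so the added sentence can replace rather than repeat it.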
In a sense, GCC *is* wrong, but of course, the problem is unsolvable in
the general case.
--
Florian Weimer / Red Hat Product Security Team
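As an added illustration of the mismatch described in this exchange (example code written for this page, not code from the original mail or from GCC or glibc): a local array whose size the compiler can see, the same array queried through an opaque pointer, where __builtin_object_size falls back to (size_t)-1 and a fortified call would check nothing, and the explicit length check the proposed wording asks the programmer to write instead. It assumes GCC or clang (both provide __builtin_object_size and the noinline attribute); the function names and the sample input are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The compiler sees this buffer directly, so __builtin_object_size resolves
   to its real size (16): a fortified memcpy/strcpy into it can be checked. */
size_t object_size_of_local_array(void)
{
    char buf[16];
    return __builtin_object_size(buf, 0);
}

/* The same query through a pointer parameter. The callee cannot know what the
   caller passed, so the builtin yields (size_t)-1, which the specification
   defines as "unknown": conservatively correct, but useless as a bound. A
   fortified memcpy here performs no check at all. noinline keeps the optimizer
   from folding the caller's array into this function. */
__attribute__((noinline))
size_t object_size_through_pointer(char *p)
{
    return __builtin_object_size(p, 0);
}

/* Wrapper so the unknown-size case is reachable as a plain call. */
size_t object_size_seen_by_callee(void)
{
    char buf[16];
    return object_size_through_pointer(buf);
}

/* Explicit bound check, which is what the documentation tells the programmer
   to do instead of relying on fortification: the caller passes the real
   capacity and the copy is refused (return 0) when it would overflow,
   independent of what the compiler could or could not infer. */
int checked_copy(char *dst, size_t dst_len, const char *src, size_t n)
{
    if (n > dst_len)
        return 0;
    memcpy(dst, src, n);
    return 1;
}

/* Constructed input: 20 bytes, four more than a 16-byte buffer can hold. */
static const char too_long[20] = "0123456789abcdefghi";

/* Returns 1 if checked_copy refused the oversized copy (the expected result). */
int overflow_is_refused(void)
{
    char dst[16];
    return checked_copy(dst, sizeof dst, too_long, sizeof too_long) == 0;
}

/* Returns 1 if a copy that fits is performed and the bytes arrived intact. */
int fitting_copy_succeeds(void)
{
    char dst[16];
    return checked_copy(dst, sizeof dst, too_long, sizeof dst) == 1
        && memcmp(dst, too_long, sizeof dst) == 0;
}

int main(void)
{
    printf("local array:            %zu\n", object_size_of_local_array());
    printf("through pointer:        %zu (== (size_t)-1, i.e. unknown)\n",
           object_size_seen_by_callee());
    printf("oversized copy refused: %d\n", overflow_is_refused());
    printf("fitting copy succeeds:  %d\n", fitting_copy_succeeds());
    return 0;
}
```

The second function is the case the proposed documentation warns about: the (size_t)-1 result is correct by the builtin's specification, but a consumer such as a fortified memcpy cannot distinguish "no limit" from "unknown", so only the explicit check in checked_copy actually protects the buffer.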