On Mon, Jun 4, 2012 at 11:59 AM, Florian Weimer <fwei...@redhat.com> wrote:
> On 06/04/2012 11:46 AM, Richard Guenther wrote:
>>
>> I think "accurately" is a wrong word here - doesn't that suggest it might
>> get "wrong"?  The answer should always be conservatively correct, so
>> it might just be not as constrained as it should.  So I think you need
>> to elaborate on "accurately" here.
>
>
> It's wrong from the consumer point of view (i.e., the value returned by
> __builtin_object_size is too large, and one could argue that it is not
> conservative enough).  It's not wrong according to the specification,
> according to which (size_t)-1 is always correct (and thus a conservative
> result).  This mismatch is the main reason why _FORTIFY_SOURCE is a last
> resort mechanism only.
>
> What about this?
>
>
> +This protection mechanism is only a last resort.  As a programmer, you
> +must not rely on its presence, but use explicit buffer length checks
> +to avoid buffer overflows.  GCC may not be able to determine object
> +sizes with sufficient precision (that is, the reported sizes can be
> +larger than what is actually available at run time), and the accuracy
> +depends on compiler version and options.
>
> In a sense, GCC *is* wrong, but of course, the problem is unsolvable in the
> general case.
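Review bot: The proposed paragraph tells readers not to rely on the mechanism but never says what the imprecise case looks like, so consider naming the sentinel mentioned earlier in this message: __builtin_object_size reports (size_t)-1 when it cannot determine the size, and a check built on that value passes without catching anything. Adding that one sentence after "larger than what is actually available at run time" would let a reader recognise when their explicit length check is the only protection in effect.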
Looks better.

Thanks,
Richard.

> --
> Florian Weimer / Red Hat Product Security Team
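The behaviour the thread describes, as an added example that is not part of the original message or of GCC's own code: `__builtin_object_size` returns the true size when the compiler can see the object, and the permitted sentinel `(size_t)-1` when it cannot, at which point only an explicit length check still catches an overflow. The function names, the 8-byte and 16-byte buffers and the `noinline` call boundary are constructed for the illustration; the results assume GCC or Clang and, as the message says, can vary with compiler version and options.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value the builtin is allowed to return when it cannot bound the object.
 * It is "correct" per the specification but useless as a bound, which is
 * the gap the message describes. */
#define OBJSIZE_UNKNOWN ((size_t)-1)

/* Case 1: the array is declared right here, so the compiler sees the object
 * behind the pointer and can report its real size (16). */
size_t size_of_direct_array(void)
{
    char buf[16];
    return __builtin_object_size(buf, 0);
}

/* Case 2: the same query on a pointer whose origin is hidden behind a
 * call boundary that cannot be inlined (constructed helper). Nothing is wrong
 * per the specification, but the only honest answer is the sentinel. */
__attribute__((noinline)) size_t size_through_pointer(const void *p)
{
    return __builtin_object_size(p, 0);
}

/* Probe with no arguments: pass a local array across the call boundary and
 * report what the builtin could say about it from the callee's viewpoint. */
size_t size_of_local_via_pointer(void)
{
    char buf[16];
    return size_through_pointer(buf);
}

/* The explicit check the proposed wording asks for: the caller carries the
 * destination length instead of trusting the compiler to recover it.
 * Returns 1 when the copy was performed, 0 when it would overflow dst. */
int bounded_copy(char *dst, size_t dst_len, const char *src, size_t n)
{
    if (dst == NULL || src == NULL || n > dst_len)
        return 0;
    memcpy(dst, src, n);
    return 1;
}

/* Wrapper over a fixed 8-byte destination (constructed) so the check can be
 * exercised without exposing the buffer. */
int copy_into_8_byte_buffer(const char *src, size_t n)
{
    char dst[8];
    return bounded_copy(dst, sizeof dst, src, n);
}

int main(void)
{
    size_t s = size_of_local_via_pointer();

    printf("direct array:         %zu\n", size_of_direct_array());
    if (s == OBJSIZE_UNKNOWN)
        printf("through pointer:      (size_t)-1, no bound available\n");
    else
        printf("through pointer:      %zu\n", s);
    printf("copy 6 into 8 bytes:  %d\n", copy_into_8_byte_buffer("hello", 6));
    printf("copy 14 into 8 bytes: %d\n", copy_into_8_byte_buffer("toolongstring", 14));
    return 0;
}
```

The second probe is the one that matters for _FORTIFY_SOURCE: a fortified `memcpy` inside `size_through_pointer` would see `(size_t)-1`, treat the copy as acceptable, and never fire, so `bounded_copy` is the only check that rejects the 14-byte copy into an 8-byte buffer.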