extern inline __attribute__ ((__always_inline__)) int foo (char *dest) { return __builtin_object_size (dest, 1); } struct S { union { struct { int a, b; char c, d; } f; struct { struct { int a, b; char c, d[255]; } e; } g; } u; }; int main (void) { struct S s; return foo (s.u.g.e.d) < 255; } fails since: 2008-08-13 Richard Guenther <rguenther@suse.de> * tree.h (maybe_fold_offset_to_address): Declare. * tree-ssa-ccp.c (surely_varying_stmt_p): Fix typo in last commit. (ccp_fold): Handle pointer conversions the same as fold_stmt. Likewise for POINTER_PLUS_EXPR. (maybe_fold_offset_to_reference): Enable disabled code. (maybe_fold_offset_to_address): New function. (fold_stmt_r): Use it. (fold_gimple_assign): Likewise. * gimplify.c (gimplify_conversion): Use maybe_fold_offset_to_address. (gimplify_expr): Likewise. During gimplification foo ((char *) &s.u.g.e.d) is changed into: foo (&s.u.f.d), where the former has __builtin_object_size (x, 1) 255, while the latter just 1.
This causes valid programs to abort with -D_FORTIFY_SOURCE=2, when strcpy etc. is used to initialize that field. For memcpy etc. it makes no difference, those use __builtin_object_size (x, 0) always.
Testing a patch.
Subject: Bug 39343 Author: jakub Date: Tue Mar 3 11:29:51 2009 New Revision: 144571 URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=144571 Log: PR tree-optimization/39343 * tree-ssa-ccp.c (maybe_fold_offset_to_address): Don't check if COMPONENT_REF t has ARRAY_TYPE. * gcc.dg/pr39343.c: New test. Added: trunk/gcc/testsuite/gcc.dg/pr39343.c Modified: trunk/gcc/ChangeLog trunk/gcc/testsuite/ChangeLog trunk/gcc/tree-ssa-ccp.c
Fixed.