This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug middle-end/50460] [4.7 Regression] __builtin___strcpy_chk/__builtin_object_size don't work


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50460

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org
   Target Milestone|---                         |4.7.0

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-09-20 09:59:49 UTC ---
Seems to be caused by PR48571, we throw away the important info (that the
access was through a.buf1 rather than &a), which is essential for
-D_FORTIFY_SOURCE=2.
The change happens already during gimplification:
-  strcpy (&a.buf1[4], D.2732);
+  strcpy (&MEM[(void *)&a + 4B], D.2732);
while in *.original it was
  strcpy ((char *) &a.buf1 + 4, str1 + 5);
Not reconstructing the array ref is fine, but before *.objsz pass we really
shouldn't throw away the buf1 from it, so it should be tmp = &a.buf1 + 4;
-D_FORTIFY_SOURCE=2 cares whether the user wrote
  strcpy ((char *) &a + 4, ...); (in which case it allows to overwrite the
whole object) or strcpy ((char *) &a.buf1 + 4, ...); (in which case it is
allowed to overwrite just the buf1 field).

Richard, can you please have a look at this?
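The distinction the comment above is about, as an added illustration that is not part of the bug report or of GCC's own code: __builtin_object_size with type 0 answers "bytes left to the end of the whole enclosing object", type 1 answers "bytes left to the end of the innermost field", and -D_FORTIFY_SOURCE=2 passes the type-1 value to __builtin___strcpy_chk. The struct layout, the field names and the strcpy_chk_model helper are constructed for this example; the helper only models the real __strcpy_chk (which calls __chk_fail and aborts) so that its decision can be observed. The pointer is spelled &a.buf1[4] rather than (char *) &a.buf1 + 4 because a plain address-of expression is folded by the compiler even without optimization.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: overflowing buf1 lands in buf2, which makes the
   effect of using the wrong object size directly observable. */
struct packet {
    char buf1[16];
    char buf2[16];
    int  len;
};

/* Type 0: remaining bytes to the end of the whole object `a`.
   This is the value the compiler is entitled to use when the user
   wrote "(char *) &a + 4".  Expected here: sizeof(struct packet) - 4 = 32. */
size_t remaining_whole_object(void)
{
    struct packet a;
    return __builtin_object_size(&a.buf1[4], 0);
}

/* Type 1: remaining bytes to the end of the enclosing field buf1 only.
   This is what _FORTIFY_SOURCE=2 asks for when the user wrote "&a.buf1 + 4".
   Expected here: sizeof(a.buf1) - 4 = 12. */
size_t remaining_field(void)
{
    struct packet a;
    return __builtin_object_size(&a.buf1[4], 1);
}

/* Hypothetical pure-C model of __builtin___strcpy_chk (not libc's):
   refuse the copy when the source plus its NUL does not fit in the object
   size the compiler supplied.  The real __strcpy_chk aborts via __chk_fail;
   this model returns -1 instead so the outcome can be checked. */
static int strcpy_chk_model(char *dst, const char *src, size_t dst_objsize)
{
    size_t need = strlen(src) + 1;
    if (need > dst_objsize)
        return -1;              /* __chk_fail() in the real implementation */
    memcpy(dst, src, need);
    return 0;
}

/* Copy `src` to &a.buf1[4], guarded by the object size of the given
   __builtin_object_size type (0 = whole object, 1 = field).
   Returns -1 if the check rejected the copy, 1 if buf2 was overwritten,
   0 if the copy stayed inside buf1. */
int copy_and_check(const char *src, int objsize_type)
{
    struct packet a;
    memset(&a, 0, sizeof a);
    memset(a.buf2, 'X', sizeof a.buf2 - 1);     /* sentinel pattern in buf2 */

    size_t objsz = objsize_type == 0
        ? __builtin_object_size(&a.buf1[4], 0)
        : __builtin_object_size(&a.buf1[4], 1);

    if (strcpy_chk_model(&a.buf1[4], src, objsz) != 0)
        return -1;
    return a.buf2[0] != 'X';
}

int main(void)
{
    /* Constructed inputs: 12 characters need 13 bytes, which fits the
       32 bytes of the whole object but not the 12 bytes left in buf1. */
    const char *too_long = "123456789012";
    const char *fits     = "12345678901";

    printf("type 0 (whole object) from &a.buf1[4]: %zu\n", remaining_whole_object());
    printf("type 1 (field only)   from &a.buf1[4]: %zu\n", remaining_field());
    printf("13-byte copy, field size:        %d (-1 = rejected)\n", copy_and_check(too_long, 1));
    printf("13-byte copy, whole-object size: %d (1 = buf2 clobbered)\n", copy_and_check(too_long, 0));
    printf("12-byte copy, field size:        %d (0 = stayed in buf1)\n", copy_and_check(fits, 1));
    return 0;
}
```

With the field size the oversized copy is rejected; with the whole-object size, which is what the compiler ends up using once the gimplifier has rewritten &a.buf1[4] into MEM[&a + 4B], the same copy passes the check and silently overwrites buf2. That is exactly the protection -D_FORTIFY_SOURCE=2 loses when the field information is dropped before the *.objsz pass.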

