Bug 88441 - missing warning on a buffer overflow with non-constant offset and constant size
Summary: missing warning on a buffer overflow with non-constant offset and constant size
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization (show other bugs)
Version: 9.0
Importance: P3 normal
Target Milestone: 10.0
Assignee: Not yet assigned to anyone
Keywords: diagnostic
Depends on:
Blocks: Wstringop-overflow
Reported: 2018-12-11 00:25 UTC by Martin Sebor
Modified: 2020-04-22 22:17 UTC (History)

See Also:
Known to work: 10.0
Known to fail: 9.3.0
Last reconfirmed:


Description Martin Sebor 2018-12-11 00:25:15 UTC
The calls to memcpy in both functions either very likely or certainly overflow the destination yet they are not diagnosed.  At least in the simple cases when the size of the destination (or source) object is known sufficiently early, before the calls are transformed to MEM_REF, the overflow could be diagnosed.

$ cat x.c && gcc -O2 -S -Wall -fdump-tree-gimple=/dev/stdout x.c
char a[8];

void f (int i, const void *p)
{
  // overflow very likely
  __builtin_memcpy (a + i, p, sizeof a);   // missing -Wstringop-overflow
}

void g (unsigned i, const void *p)
{
  // overflow certain
  if (i)
    __builtin_memcpy (a + i, p, sizeof a);   // missing -Wstringop-overflow
}
f (int i, const void * p)
{
  _1 = (sizetype) i;
  _2 = &a + _1;
  __builtin_memcpy (_2, p, 8);
}

g (unsigned int i, const void * p)
{
  if (i != 0) goto <D.1916>; else goto <D.1917>;
  _1 = (sizetype) i;
  _2 = &a + _1;
  __builtin_memcpy (_2, p, 8);
}
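The reasoning the warning has to do for g (any non-zero offset into an 8-byte array leaves fewer than 8 bytes of room) can be written out as a runtime check. The following is an added example, not code from the bug report or from GCC; the names a_remaining, a_copy_overflows, a_copy_checked and a_at are assumptions. It also covers f: a negative int offset converts to a huge size_t and is rejected like any other out-of-range offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Same 8-byte destination as in the report (hypothetical BUF_SIZE name). */
#define BUF_SIZE 8
static char a[BUF_SIZE];

/* Bytes that can still be written at offset `off` without leaving `a`;
   0 once `off` is at or past the end (including wrapped negative offsets). */
size_t a_remaining(size_t off)
{
    return off < BUF_SIZE ? BUF_SIZE - off : 0;
}

/* True when copying `n` bytes to a + off would overflow the destination.
   For n == sizeof a this is exactly the "certain overflow" in g: every
   off != 0 leaves a region smaller than 8 bytes. */
bool a_copy_overflows(size_t off, size_t n)
{
    return n > a_remaining(off);
}

/* Hardened counterpart of f/g: the copy happens only when it fits.
   Returns false, and writes nothing, when it would overflow. */
bool a_copy_checked(size_t off, const void *p, size_t n)
{
    if (a_copy_overflows(off, n))
        return false;
    memcpy(a + off, p, n);
    return true;
}

/* Read back one byte of `a` (0 when out of range) so results can be checked. */
char a_at(size_t idx)
{
    return idx < BUF_SIZE ? a[idx] : 0;
}
```

Passing the offset as size_t rather than int also removes the second defect in f, where a negative i would form a pointer before the start of a.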
Comment 1 Martin Sebor 2020-04-22 22:17:24 UTC
Thanks to r279392 GCC 10 detects the certain overflow in g:

pr88441.c: In function ‘g’:
pr88441.c:13:5: warning: writing 8 bytes into a region of size 7 [-Wstringop-overflow=]
   13 |     __builtin_memcpy (a + i, p, sizeof a);   // missing -Wstringop-overflow
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr88441.c:1:6: note: at offset 0 to object ‘a’ with size 8 declared here
    1 | char a[8];
      |      ^

It feels like a separate question whether the possible/likely overflow should also be diagnosed when it's not certain.  Diagnosing it would be a design change for the overflow warnings that are currently meant to trigger for certain overflows, so I'm going to resolve this as fixed.