This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug tree-optimization/83278] New: missing -Wformat-overflow for an inlined __builtin___sprintf_chk with a local buffer
- From: "msebor at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Mon, 04 Dec 2017 20:48:36 +0000
- Subject: [Bug tree-optimization/83278] New: missing -Wformat-overflow for an inlined __builtin___sprintf_chk with a local buffer
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83278
Bug ID: 83278
Summary: missing -Wformat-overflow for an inlined
__builtin___sprintf_chk with a local buffer
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
The example below shows an inconsistency in the compile-time detection of
overflowing calls to strcpy. The first call (in f()) is detected, the second
one (in g()) results in a duplicate warning, and the third one (in h()) is not
detected.
$ cat d.c && gcc -O2 -S -Wall d.c
void sink (char*);

void f (const char *s)
{
  char a[3];
  __builtin_sprintf (a, "%s", s); // warning (good)
  sink (a);
}

void call_f (void)
{
  f ("12345");
}

char a[3];

void g (const char *s)
{
  __builtin___sprintf_chk (a, 1,   // duplicate warning
                            __builtin_object_size (a, 1), "%s", s);
}

void call_g (void)
{
  g ("123456");
}

void h (const char *s)
{
  char a[3];
  __builtin___sprintf_chk (a, 1,   // missing warning (bug)
                            __builtin_object_size (a, 1), "%s", s);
  sink (a);
}

void call_h (void)
{
  h ("1234567");
}
d.c: In function ‘call_f’:
d.c:7:26: warning: ‘%s’ directive writing 5 bytes into a region of size 3 [-Wformat-overflow=]
   __builtin_sprintf (a, "%s", s); // warning (good)
                          ^~
d.c:14:6:
   f ("12345");
      ~~~~~~~
d.c:7:3: note: ‘__builtin_sprintf’ output 6 bytes into a destination of size 3
   __builtin_sprintf (a, "%s", s); // warning (good)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
d.c: In function ‘call_g’:
d.c:22:60: warning: ‘%s’ directive writing 6 bytes into a region of size 3 [-Wformat-overflow=]
                             __builtin_object_size (a, 1), "%s", s);
                                                            ^~
d.c:27:6:
   g ("123456");
      ~~~~~~~~
d.c:21:3: note: ‘__builtin___sprintf_chk’ output 7 bytes into a destination of size 3
   __builtin___sprintf_chk (a, 1,   // duplicate warning
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             __builtin_object_size (a, 1), "%s", s);
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘g’,
    inlined from ‘call_g’ at d.c:27:3:
d.c:21:3: warning: ‘__builtin___sprintf_chk’ writing 7 bytes into a region of size 3 overflows the destination [-Wstringop-overflow=]
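
When the compile-time diagnostic misses a case such as h(), a run-time bound on the destination is the check that remains. The following is an added example, not code from the bug report or from GCC or glibc: checked_sprintf and h_checked are hypothetical names, and the helper rejects an oversized write by returning -1 rather than writing past the 3-byte buffer used in the report.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not a GCC or glibc function.  Writes the formatted
   output to dst only when it fits in dst_size bytes including the
   terminating NUL.  Returns the number of characters written, or -1
   (leaving dst untouched) when the output would overflow.  */
static int
checked_sprintf (char *dst, size_t dst_size, const char *fmt, ...)
{
  va_list ap, ap2;
  va_start (ap, fmt);
  va_copy (ap2, ap);

  /* First pass: measure the output without writing anything.  */
  int need = vsnprintf (NULL, 0, fmt, ap);
  va_end (ap);

  if (need < 0 || (size_t) need >= dst_size)
    {
      va_end (ap2);
      return -1;
    }

  /* Second pass: the output is known to fit.  */
  int n = vsnprintf (dst, dst_size, fmt, ap2);
  va_end (ap2);
  return n;
}

/* Same shape as h() in the report: a 3-byte local destination.  */
int
h_checked (const char *s)
{
  char a[3];
  return checked_sprintf (a, sizeof a, "%s", s);
}

int
main (void)
{
  /* One string that fits, then the arguments of call_f, call_g, call_h.  */
  const char *in[] = { "12", "12345", "123456", "1234567" };
  for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
    printf ("%-9s -> %d\n", in[i], h_checked (in[i]));
  return 0;
}
```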