https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79221
Eric Gallager <egallager at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2017-08-29
                 CC|                            |egallager at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #1 from Eric Gallager <egallager at gcc dot gnu.org> ---
(In reply to Martin Sebor from comment #0)
> Similar to bug 79220, the -Wstringop-overflow option diagnoses the buffer
> overflow in the call to strcat in f() in the program below but fails to do
> the same for the strcat() overflow in g(). As in the referenced bug, GCC
> transforms the second strcat() to an assignment followed by a call to
> memcpy, defeating the overflow detection. GCC should avoid this
> transformation when the destination isn't big enough for the copy.
>
> I expect this bug will be resolved by a comprehensive fix for bug 79220 but
> it seems that keeping track of each of these troublesome -- even though not
> invalid -- transformations separately might help assure that the fix does,
> in fact, resolve all these related problems.
>
> (Both cases of overflow are diagnosed when _FORTIFY_SOURCE is defined.)

Confirmed that only 1 is diagnosed normally.
Posting -D_FORTIFY_SOURCE=2 output for comparison:

$ /usr/local/bin/gcc -c -O2 -S -Wall -Wextra -Wpedantic -fdump-tree-optimized=/dev/stdout -D_FORTIFY_SOURCE=2 79221.c

;; Function f (f, funcdef_no=8, decl_uid=2062, cgraph_uid=8, symbol_order=9)

Removing basic block 3
f (int i)
{
  const char * iftmp.0_1;

  <bb 2> [100.00%] [count: INV]:
  if (i_2(D) < 0)
    goto <bb 4>; [36.00%] [count: INV]
  else
    goto <bb 3>; [64.00%] [count: INV]

  <bb 3> [64.00%] [count: INV]:

  <bb 4> [100.00%] [count: INV]:
  # iftmp.0_1 = PHI <"01234567"(2), "89abcd"(3)>
  __builtin___strcat_chk (&d, iftmp.0_1, 3); [tail call]
  return;

}


In file included from /usr/include/string.h:148:0,
                 from 79221.c:1:
79221.c: In function ‘f’:
79221.c:8:2: warning: ‘__builtin___strcat_chk’ writing between 7 and 9 bytes into a region of size 3 overflows the destination [-Wstringop-overflow=]
  strcat (d, s);
  ^~~~~~

;; Function gf (gf, funcdef_no=9, decl_uid=2066, cgraph_uid=9, symbol_order=10)

Removing basic block 3
gf (int i)
{
  char[9] * iftmp.2_1;

  <bb 2> [100.00%] [count: INV]:
  if (i_2(D) < 0)
    goto <bb 4>; [36.00%] [count: INV]
  else
    goto <bb 3>; [64.00%] [count: INV]

  <bb 3> [64.00%] [count: INV]:

  <bb 4> [100.00%] [count: INV]:
  # iftmp.2_1 = PHI <"12345678"(2), "87654321"(3)>
  __builtin___strcat_chk (&d, iftmp.2_1, 3); [tail call]
  return;

}


79221.c: In function ‘gf’:
79221.c:15:2: warning: ‘__builtin___strcat_chk’ writing 9 bytes into a region of size 3 overflows the destination [-Wstringop-overflow=]
  strcat (d, s);
  ^~~~~~
$
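The numbers in the warnings above come from a simple size comparison: the bytes strcat writes are strlen(src) + 1, and the third argument of __builtin___strcat_chk (3) is the size of the destination object. The following is an added example, not the reporter's 79221.c and not GCC or glibc code; it models the check that __strcat_chk performs under _FORTIFY_SOURCE as an ordinary function that refuses the copy instead of aborting, using the 3-byte destination and the "01234567" / "89abcd" sources from the dump. The function names (strcat_bytes_written, checked_strcat, bounded_strlen) are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the bug's 79221.c): models the destination-size
   check that __strcat_chk performs when _FORTIFY_SOURCE is in effect,
   using the sizes that appear in the dump (3-byte destination, sources
   "01234567" and "89abcd"). */

/* Bytes that strcat(dest, src) writes into dest: the source characters
   plus the terminating NUL. This is the count -Wstringop-overflow reports
   ("writing between 7 and 9 bytes" for the two PHI operands of f). */
size_t strcat_bytes_written(const char *src)
{
    return strlen(src) + 1;
}

/* Length of the string already in dest, never reading past dest_size
   (a plain strlen would itself read out of bounds if dest were not
   terminated). Returns dest_size when no NUL is found. */
static size_t bounded_strlen(const char *s, size_t size)
{
    size_t n = 0;
    while (n < size && s[n] != '\0')
        n++;
    return n;
}

/* Bounded strcat: dest_size is the size of the destination object, the
   same quantity GCC passes as the third argument to __builtin___strcat_chk.
   Appends and returns 0 when the result fits; returns -1 and leaves dest
   untouched when the copy would overflow (where __strcat_chk would abort). */
int checked_strcat(char *dest, size_t dest_size, const char *src)
{
    size_t used = bounded_strlen(dest, dest_size);
    if (used == dest_size)            /* dest is not NUL-terminated */
        return -1;
    size_t needed = used + strcat_bytes_written(src);
    if (needed > dest_size)           /* would write past the object */
        return -1;
    memcpy(dest + used, src, strcat_bytes_written(src));
    return 0;
}

/* Stand-alone demonstration with the page's sizes. */
int main(void)
{
    char d[3] = "";
    const char *srcs[] = { "01234567", "89abcd" };

    for (size_t i = 0; i < sizeof srcs / sizeof srcs[0]; i++) {
        printf("strcat would write %zu bytes into a region of size %zu: %s\n",
               strcat_bytes_written(srcs[i]), sizeof d,
               checked_strcat(d, sizeof d, srcs[i]) == 0 ? "ok" : "rejected");
    }

    char big[16] = "ab";
    printf("append into 16-byte buffer: %s -> \"%s\"\n",
           checked_strcat(big, sizeof big, "cd") == 0 ? "ok" : "rejected", big);
    return 0;
}
```

Both sources are rejected for the 3-byte destination (9 and 7 bytes needed), which is the same conclusion the compiler reaches statically for f and, with the _FORTIFY_SOURCE output above, for gf as well.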