https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98247
Bug ID: 98247
Summary: gcc analyzer does not detect Flexible Array Member
misuse
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: vince.a.bridgers at gmail dot com
Target Milestone: ---
This is more of a query than a bug at this point (or possible "feature
enhancement request"). This initial request follows a similar (but different)
issue filed against clang, see https://bugs.llvm.org/show_bug.cgi?id=48136.
The modified reproducer is shown below. While I understand generally the
compiler cannot know how large a FAM is allocated to be, the question becomes
is there some way gcc analysis can track a beyond bounds memory access at
static analysis time and flag the below case as suspicious? Perhaps this can be
done by constraining the idiom, and indeed that is what some reliable and
secure programming standards do when this matters. Perhaps this is already
covered by gcc, and if so my apologies for missing it - feel free to close this
an invalid with explanation. If there's way to address this already in gcc 11
(or beyond) I'm interested in understanding this.
Thanks
$ gcc --version
gcc (GCC) 11.0.0 20200516 (experimental)
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ gcc -fanalyzer fam.c
$ # no output, interpreted to mean no errors found.
#include <stdlib.h>
#include <string.h>
struct str {
size_t len;
char data[];
};
int main(void)
{
struct str *str = malloc(sizeof(str) + 10);
if (str) {
str->len = 10;
memset(str->data, 'x', 10);
free(str);
}
return 0;
}
