https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91977

            Bug ID: 91977
           Summary: missing -Wstringop-overflow on memcpy into a pointer
                    plus offset
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

In GCC 8 and above, -Wstringop-overflow detects the first buffer overflow but
not the second in the test program below.

$ cat b.c && gcc -O2 -S -Wall -fdump-tree-strlen=/dev/stdout b.c
char a[7];   // 7-byte destination object: valid indices are 0..6

// Reproducer, case 1: copies 4 bytes to a[4..7].  a[7] is one past the end of
// the 7-byte object, so this is a deliberate one-byte overflow.  GCC diagnoses
// it; note the output below attributes the warning to -Warray-bounds, not the
// -Wstringop-overflow named in the summary.
void f (const void *s)
{
  __builtin_memcpy (a + 4, s, 4);   // -Wstringop-overflow
}

// Reproducer, case 2: the same out-of-bounds copy as f, but the destination is
// first stored in a local pointer.  The strlen dump below shows the call
// lowered to a 4-byte store at &a + 4B, and no diagnostic is printed — the
// detection here depends on the syntactic form of the destination, not on
// the size of the access.
void g (const void *s)
{
  char *d = a + 4;
  __builtin_memcpy (d, s, 4);   // no warning
}


;; Function f (f, funcdef_no=0, decl_uid=1925, cgraph_uid=1, symbol_order=1)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }
f (const void * s)
{
  <bb 2> [local count: 1073741824]:
  __builtin_memcpy (&MEM <char[7]> [(void *)&a + 4B], s_2(D), 4);
  return;

}


b.c: In function ‘f’:
b.c:5:3: warning: ‘__builtin_memcpy’ forming offset 7 is out of the bounds [0,
7] of object ‘a’ with type ‘char[7]’ [-Warray-bounds]
    5 |   __builtin_memcpy (a + 4, s, 4);   // -Wstringop-overflow
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
b.c:1:6: note: ‘a’ declared here
    1 | char a[7];
      |      ^

;; Function g (g, funcdef_no=1, decl_uid=1928, cgraph_uid=2, symbol_order=2)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }
g (const void * s)
{
  unsigned int _3;

  <bb 2> [local count: 1073741824]:
  _3 = MEM <unsigned int> [(char * {ref-all})s_2(D)];
  MEM <unsigned int> [(char * {ref-all})&a + 4B] = _3;
  return;

}
