On Tue, Jul 31, 2018 at 09:17:52AM -0600, Martin Sebor wrote:
> On 07/31/2018 12:38 AM, Jakub Jelinek wrote:
> > On Mon, Jul 30, 2018 at 09:45:49PM -0600, Martin Sebor wrote:
> > > Even without _FORTIFY_SOURCE GCC diagnoses (some) writes past
> > > the end of subobjects by string functions. With _FORTIFY_SOURCE=2
> > > it calls abort. This is the default on popular distributions,
> >
> > Note that _FORTIFY_SOURCE=2 is the mode that goes beyond what the standard
> > requires, imposes extra requirements. So from what this mode accepts or
> > rejects we shouldn't determine what is or isn't considered valid.
>
> I'm not sure what the additional requirements are but the ones
> I am referring to are the enforcing of struct member boundaries.
> This is in line with the standard requirements of not accessing
> [sub]objects via pointers derived from other [sub]objects.
In the middle-end the distinction between what was originally a reference
to subobjects and what was a reference to objects is quickly lost
(whether through SCCVN or other optimizations).
We've run into this many times with the __builtin_object_size already.
So, if e.g.
struct S { char a[3]; char b[5]; } s = { "abc", "defg" };
...
strlen ((char *) &s) is well defined but
strlen (s.a) is not in C, for the middle-end you might not figure out which
one is which.
Jakub
