On Tue, Jul 31, 2018 at 09:17:52AM -0600, Martin Sebor wrote:
> On 07/31/2018 12:38 AM, Jakub Jelinek wrote:
> > On Mon, Jul 30, 2018 at 09:45:49PM -0600, Martin Sebor wrote:
> > > Even without _FORTIFY_SOURCE GCC diagnoses (some) writes past
> > > the end of subobjects by string functions. With _FORTIFY_SOURCE=2
> > > it calls abort. This is the default on popular distributions,
> >
> > Note that _FORTIFY_SOURCE=2 is the mode that goes beyond what the standard
> > requires, imposes extra requirements. So from what this mode accepts or
> > rejects we shouldn't determine what is or isn't considered valid.
>
> I'm not sure what the additional requirements are but the ones
> I am referring to are the enforcing of struct member boundaries.
> This is in line with the standard requirements of not accessing
> [sub]objects via pointers derived from other [sub]objects.
In the middle-end the distinction between what was originally a reference
to subobjects and what was a reference to objects is quickly lost (whether
through SCCVN or other optimizations). We've run into this many times with
the __builtin_object_size already. So, if e.g.

struct S { char a[3]; char b[5]; } s = { "abc", "defg" };
...
strlen ((char *) &s)

is well defined but strlen (s.a) is not in C, for the middle-end you might
not figure out which one is which.

	Jakub
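The struct from Jakub's message, worked through as an added example (this is not code from the thread or from GCC/glibc): s.a is exactly filled by "abc", so it carries no terminating NUL and a length scan started at s.a only finds one by reading into s.b. The helper bounded_len and the two wrappers are assumptions introduced here to make the two bounds explicit: the whole object (sizeof s, the type-0 view) versus the member (sizeof s.a, the type-1 subobject view that _FORTIFY_SOURCE=2 enforces). The __builtin_object_size calls at the end show what the compiler reports for the same two pointers; their value depends on the optimisation level, so they are printed rather than relied on.

```c
#include <stddef.h>
#include <stdio.h>

/* Layout from the thread: a is exactly filled, so it has no terminating NUL. */
struct S { char a[3]; char b[5]; };
static struct S s = { "abc", "defg" };   /* constructed sample data */

/* Count bytes up to the first NUL without ever looking past `bound` bytes.
   Returns `bound` when no NUL is found inside the bound.  (Hypothetical
   helper standing in for a fortified strlen/strnlen.) */
static size_t bounded_len(const char *p, size_t bound)
{
    size_t n = 0;
    while (n < bound && p[n] != '\0')
        n++;
    return n;
}

/* Scan starting at the whole object: well defined in C, walks from "abc"
   straight on into "defg" and stops at b's NUL, giving 7. */
size_t len_via_whole_object(void)
{
    return bounded_len((const char *)&s, sizeof s);
}

/* Same bytes, but bounded by the member: the scan hits the end of s.a
   after 3 bytes without finding a NUL. */
size_t len_via_member(void)
{
    return bounded_len(s.a, sizeof s.a);
}

/* The check a subobject-aware fortification performs: is there a NUL inside
   the member at all?  Returns 1 if yes, 0 if a plain strlen(s.a) would have
   to read across into the sibling member s.b. */
int member_is_terminated(void)
{
    return bounded_len(s.a, sizeof s.a) < sizeof s.a;
}

/* What the compiler itself reports for the two pointers.  Type 1 asks for
   the closest enclosing subobject, so these can differ even though both
   pointers hold the same address.  Either may be (size_t)-1 if the compiler
   cannot determine the size at the current optimisation level. */
size_t objsize_member(void) { return __builtin_object_size(s.a, 1); }
size_t objsize_whole(void)  { return __builtin_object_size((char *)&s, 1); }

int main(void)
{
    printf("via whole object: %zu bytes\n", len_via_whole_object());
    printf("via member:       %zu bytes, NUL inside member: %d\n",
           len_via_member(), member_is_terminated());
    printf("__builtin_object_size(...,1): member %zu, whole %zu\n",
           objsize_member(), objsize_whole());
    return 0;
}
```

Both scans start at the same address; only the bound differs, which is exactly the information the middle-end can lose once the pointers have been value-numbered together. Compile with -O2 to see __builtin_object_size report 3 for the member and 8 for the whole object.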