On Mon, Sep 16, 2024 at 02:45:47AM -0700, Bill Wendling wrote:
> The 4294967295 simply means "I don't know." There's probably a bug in
> the size calculation. I'll look into it.
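// I was able to build a minimized PoC, if that's helpful: https://godbolt.org/z/qohGd5xh1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Number of trailing elements allocated for struct variable::array. */
enum { NELEMS = 32 };

/*
 * Flexible array member whose element count lives in 'length'. The
 * counted_by attribute is intended to let __builtin_dynamic_object_size()
 * derive the array's size from that field at run time.
 */
struct variable {
	int a;
	int b;
	int length;
	short array[] __attribute__((counted_by(length)));
};

/* Outer object that reaches the counted_by struct through a pointer member. */
struct bucket {
	int a;
	struct variable *growable;
	int b;
};

/*
 * Query __builtin_dynamic_object_size() on the counted_by array twice:
 * once through a direct pointer, once through the pointer member of
 * struct bucket. Both paths name the same allocation, so the two printed
 * sizes should agree. Returns EXIT_FAILURE if an allocation fails,
 * 0 otherwise.
 */
int main(int argc, char *argv[])
{
	struct bucket *p;
	struct variable *v;

	(void)argc;
	(void)argv;

	p = malloc(sizeof(*p));
	if (!p)
		return EXIT_FAILURE;

	v = malloc(sizeof(*v) + sizeof(*v->array) * NELEMS);
	if (!v) {
		free(p);
		return EXIT_FAILURE;
	}

	/* The counter must be populated before any size query that depends on it. */
	v->length = NELEMS;
	printf("%zu\n", __builtin_dynamic_object_size(v->array, 1));

	/* Same object, now reached via the pointer member: expected to match. */
	p->growable = v;
	printf("%zu\n", __builtin_dynamic_object_size(p->growable->array, 1));

	free(v);
	free(p);
	return 0;
}
// GCC shows 64 64, but Clang shows 64 0. -- Kees Cook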
