[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 --- Comment #9 from Aldy Hernandez --- Author: aldyh Date: Wed Sep 13 16:50:00 2017 New Revision: 252389 URL: https://gcc.gnu.org/viewcvs?rev=252389&root=gcc&view=rev Log: PR c++/81586 - valgrind error in output_buffer_append_r with -Wall gcc/ChangeLog: PR c++/81586 * pretty-print.c (pp_format): Correct the handling of %s precision. Modified: branches/range-gen2/gcc/ChangeLog branches/range-gen2/gcc/pretty-print.c
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 --- Comment #8 from Martin Sebor --- Author: msebor Date: Thu Aug 10 17:40:11 2017 New Revision: 251029 URL: https://gcc.gnu.org/viewcvs?rev=251029&root=gcc&view=rev Log: PR c++/81586 - valgrind error in output_buffer_append_r with -Wall gcc/ChangeLog: PR c++/81586 * pretty-print.c (pp_format): Correct the handling of %s precision. Modified: trunk/gcc/ChangeLog trunk/gcc/pretty-print.c
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 Martin Sebor changed: What|Removed |Added Status|ASSIGNED|RESOLVED Resolution|--- |FIXED --- Comment #7 from Martin Sebor --- Fixed in r251029.
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 --- Comment #6 from David Binderman --- (In reply to Martin Sebor from comment #5) > Patch: https://gcc.gnu.org/ml/gcc-patches/2017-07/msg01866.html Did this patch ever get into trunk gcc ? I have some evidence that gcc trunk revision 250947 doesn't have it.
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 Martin Sebor changed: What|Removed |Added Keywords||patch --- Comment #5 from Martin Sebor --- Patch: https://gcc.gnu.org/ml/gcc-patches/2017-07/msg01866.html
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 Martin Sebor changed: What|Removed |Added Status|NEW |ASSIGNED Assignee|unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org --- Comment #4 from Martin Sebor --- Let me fix it.
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 --- Comment #3 from Martin Sebor --- I don't see a problem with the code in maybe_warn. It does this: /* Buffer for the directive in the host character set (used when the source character set is different). */ char hostdir[32]; ... return fmtwarn (dirloc, pargrange, NULL, info.warnopt (), fmtstr, dir.len, target_to_host (hostdir, sizeof hostdir, dir.beg), res.min, navail); The call being made has fmtstr = "%<%.*s%> directive output truncated writing %wu bytes into a region of size %wu", dir.len = 73, and hostdir = "af_get_next_segv end of file..." (with strlen (hostdir) == 31). With that, while the "%.*s" directive in fmtstr says to read at most 73 bytes from hostdir, since hostdir is only 31 characters long, the directive should read exactly that many and no more than that. I think the bug is actually in pp_format where the "%.*s" directive is handled: case '.': { int n; const char *s; /* We handle '%.Ns' and '%.*s' or '%M$.*N$s' (where M == N + 1). The format string should be verified already from the first phase. */ p++; if (ISDIGIT (*p)) { char *end; n = strtoul (p, &end, 10); p = end; gcc_assert (*p == 's'); } else { gcc_assert (*p == '*'); p++; gcc_assert (*p == 's'); n = va_arg (*text->args_ptr, int); ^ Here n is extracted from the variable argument list (the corresponding argument is dir.len). /* This consumes a second entry in the formatters array. */ gcc_assert (formatters[argno] == formatters[argno+1]); argno++; } s = va_arg (*text->args_ptr, const char *); pp_append_text (pp, s, s + n); ^ Here s points to hostdir and n is 73, but strlen(s) is just 31. This code doesn't handle the precision correctly. The precision is the maximum number of non-nul characters to print. The fix is to set n to be no greater than strlen(s): if (strlen (s) < n) n = strlen (s); pp_append_text (pp, s, s + n);
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 Martin Liška changed: What|Removed |Added Status|UNCONFIRMED |NEW Last reconfirmed||2017-07-27 CC||marxin at gcc dot gnu.org, ||msebor at gcc dot gnu.org Ever confirmed|0 |1 --- Comment #2 from Martin Liška --- Confirmed, following patch will be needed: diff --git a/gcc/gimple-ssa-sprintf.c b/gcc/gimple-ssa-sprintf.c index 644cf7e33b1..72ec10a77b9 100644 --- a/gcc/gimple-ssa-sprintf.c +++ b/gcc/gimple-ssa-sprintf.c @@ -2500,7 +2500,7 @@ maybe_warn (substring_loc &dirloc, source_range *pargrange, : G_("%<%.*s%> directive writing %wu bytes " "into a region of size %wu"))); return fmtwarn (dirloc, pargrange, NULL, - info.warnopt (), fmtstr, dir.len, + info.warnopt (), fmtstr, MIN (dir.len, 31), target_to_host (hostdir, sizeof hostdir, dir.beg), res.min, navail); } I'm not sure about the constant (maybe 32) and there are multiple invocations of the fmtwarn function. Leaving to Martin.
[Bug c++/81586] valgrind error in output_buffer_append_r with -Wall
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81586 --- Comment #1 from David Binderman --- The following much reduced C++ code seems to demonstrate the bug: extern "C" int snprintf(char *, unsigned long, const char *...) ; struct S { char * a; }; void f( S * af) { snprintf(af->a, sizeof(af), "af_get_next_segv end of file reading segmen t tail AFF file is truncated 0"); }