gcc 9 -Warray-bounds warnings about memset() in generated code

[dkl]

What version of protobuf and what language are you using?
Version: master
Language: C++

What operating system (Linux, Windows, ...) and version?
Ubuntu 19.10 on x86_64

What runtime / compiler are you using (e.g., python version or gcc version)
g++ (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008

What did you do?
Used a proto file such as the following:

syntax = "proto2";

message Message1 {
    required int32 a = 1;
    required int32 b = 2;
}

and compiled it with protoc foo.proto --cpp_out=. && g++ -O3 -Wall foo.pb.cc -c

What did you expect to see
compiles without warnings

What did you see instead?

In file included from /usr/include/string.h:494,
                 from /usr/include/c++/9/cstring:42,
                 from /usr/local/include/google/protobuf/io/coded_stream.h:118,
                 from foo.pb.h:23,
                 from foo.pb.cc:4:
In function ‘void* memset(void*, int, size_t)’,
    inlined from ‘void Message1::SharedCtor()’ at foo.pb.cc:111:11,
    inlined from ‘Message1::Message1()’ at foo.pb.cc:96:13,
    inlined from ‘void InitDefaultsscc_info_Message1_foo_2eproto()’ at foo.pb.cc:94:1:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:71:33: warning: ‘void* __builtin_memset(void*, int, long unsigned int)’ offset [29, 32] from the object at ‘_Message1_default_instance_’ is out of the bounds of referenced subobject ‘Message1::a_’ with type ‘int’ at offset 24 [-Warray-bounds]
   71 |   return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
      |          ~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It warns about memset() being called on a field, but writing not just to that field, but also to following fields. See also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90376

The warning doesn't appear when using -O2 instead of -O3, but -O3 is common in CMake release builds (which is how it showed up here).

Anything else we should know about your project / environment

[clementperon]

Hi,

I got the same issue, protobuf 3.11.4 and gcc 9.2.1.
Did you find a fix for that ?

Thanks,
Clement

[dkl]

As work-around we're using -Wno-array-bounds when compiling the generated sources now (CMake):

set_source_files_properties(${PROTO_SRCS} PROPERTIES COMPILE_FLAGS -Wno-array-bounds)

[ahmedtd]

This appears to be the offending memset:

protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc

Line 2605 in e667bf6

"::memset(&$first$_, 0, static_cast<size_t>(\n"

[clementperon]

@ahmedtd Yes it is. For me this warning is legit as the memset is writing out of the struct size passed as src*.
I try to fix it by casting explicitly the src to a void* or char* to avoid GCC checking for an outbound memory write. But didn't success IDK ¯_(ツ)_/¯.
Maybe It wasn't a static cast, just a C cast so if you want to retest this it would be really nice, thank you !

[ahmedtd]

I think doing the memset (and memcpy above) in terms of the individual field names is undefined behavior.

This is how they fixed the problem in the Linux kernel: do the memsets in term of offsets within the parent object. That requires offsetof, which isn't currently available in the generated pb.cc file (needs <cstddef>).

I'm not sure if it's OK to add that dependency.

[Richardyuyu]

My security tool finds security vulnerable for *.pb.cc files using memcpy/ memset, and it has security concern that the buffer copy does not check size and will lead to buffer overflow.
Using memcpy/ memset is unsecure, is there any plan to remove the uses towards something more secure?

[dflogeras]

Also affected on multiple arm environments: armv7a-unknown-linux-gnuebihf- and armv6j-unknown-linux-ucliceabihf- (both Gentoo) compiling at -O3 (-O2 doesn't issue the warning for me). Both gcc-9.3.0.

[DinoStray]

The same warning for gcc (Ubuntu 9.3.0-10ubuntu2) 9.3.0

[acozzette]

Should be fixed by #7913.