<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Wrong optimization of sprintf"
   href="https://llvm.org/bugs/show_bug.cgi?id=27526">27526</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Wrong optimization of sprintf
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>-New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>cherepan@mccme.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The program:

#include <stdio.h>

int main()
{
  char s[] = "abcdef";
  sprintf(s, "%s", s + 3);
  printf(">%s<\n", s);
}

should print ">def<" but prints "><" when compiled with clang -O. It works fine
when compiled with gcc.

Tested with clang 3.50 and 3.9.0 (trunk 267340) on Debian x86-64.

The reason is that sprintf(..., "%s", ...) is optimized into memcpy(..., ...,
strlen(...) + 1) and glibc's memcpy then presumably copies the string
backwards.
To use memcpy one has to be sure that memory blocks don't overlap. This is
more or less guaranteed for sprintf as its description in C11, 7.21.6.6p2
reads: "If copying takes place between objects that overlap, the behavior is
undefined."

But there is a subtle point here. The 's' conversion specifier doesn't copy the
terminating null from the source string -- C11, 7.21.6.1p8: "Characters from
the array are written up to (but not including) the terminating null
character." IOW copying non-null chars and writing the terminating null char
to the destination array are two distinct actions. In particular, I don't think
C11 requires the argument for the 's' specifier not to overlap with the
(future) terminating null in the destination array.

Then, C11, 7.21.6p1 reads: "The formatted input/output functions shall behave
as if there is a sequence point after the
actions associated with each specifier." That is, in our example, all non-null
chars have to be fully read and written before the terminating null is written.

To summarize: sprintf(..., "%s", ...) is a two-step process and cannot be
reduced to one memcpy.</pre>
        </div>
      </p>
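Added example, not part of the bug report or of clang/LLVM: a hypothetical reimplementation of sprintf(dst, "%s", src) as the two-step process the report describes (non-null characters first, the terminator as a separate step, with memmove tolerating overlap), plus a helper that flags the overlap between the source string and the destination write range that makes the single-memcpy reduction invalid. All function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical helper: do the byte ranges [a, a+alen) and [b, b+blen)
   share at least one byte? This is the condition under which replacing
   sprintf("%s") with memcpy is not a valid transformation. */
bool ranges_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t as = (uintptr_t)a, ae = as + alen;
    uintptr_t bs = (uintptr_t)b, be = bs + blen;
    return as < be && bs < ae;
}

/* Hypothetical rendering of sprintf(dst, "%s", src) following the C11
   wording quoted in the report: the non-null characters are one action,
   the terminating null a second one. memmove copies as if through a
   temporary buffer, so an overlapping source is read in full before the
   destination is written. Returns the number of characters written,
   excluding the null terminator, as sprintf would. */
size_t sprintf_s_spec(char *dst, const char *src)
{
    size_t n = strlen(src);   /* length of the source before any write */
    memmove(dst, src, n);     /* step 1: the non-null characters */
    dst[n] = '\0';            /* step 2: the terminating null */
    return n;
}

/* Constructed check mirroring the report's program: shifts "abcdef" left
   by three and reports whether the source overlapped the bytes that the
   memcpy reduction would write, and whether the result is "def". */
bool shift_abcdef(char *out, size_t outsz)
{
    char s[] = "abcdef";                  /* constructed sample buffer */
    size_t n = strlen(s + 3) + 1;         /* "def" plus the null = 4 bytes */
    /* memcpy(s, s + 3, 4) would write [s, s+4) while reading [s+3, s+7):
       byte s+3 is both the first source char and the future terminator. */
    bool overlap = ranges_overlap(s, n, s + 3, n);
    sprintf_s_spec(s, s + 3);
    snprintf(out, outsz, "%s", s);
    return overlap && strcmp(s, "def") == 0;
}

int main(void)
{
    char out[8];
    printf(">%s<\n", shift_abcdef(out, sizeof out) ? out : "FAIL");
    return 0;
}
```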
    </body>
</html>