为什么这段代码会触发MSVS2012的“写入溢出警告（C6386）”

Question

I have the following piece of C code:

#include <stdint.h>

typedef union{
    uint8_t c[4];
    uint16_t s[2];
    uint32_t l;
}U4;

uint32_t cborder32(uint32_t l)
{
    U4 mask,res;
    unsigned char* p = (unsigned char*)&l;
    mask.l = 0x00010203;
    res.c[(uint8_t)(mask.c[0])] = (uint8_t)p[0]; // <-- this line gives C6386
    res.c[(uint8_t)(mask.c[1])] = (uint8_t)p[1];
    res.c[(uint8_t)(mask.c[2])] = (uint8_t)p[2];
    res.c[(uint8_t)(mask.c[3])] = (uint8_t)p[3];
    return res.l;
}

And it triggers a Write overrun warning when running code analysis on it. http://msdn.microsoft.com/query/dev11.query?appId=Dev11IDEF1&l=EN-US&k=k%28C6386%29&rd=true

The error is:

C6386 Write overrun Buffer overrun while writing to 'res.c': the writable size is '4' bytes, but '66052' bytes might be written. Invalid write to 'res.c[66051]', (writable range is 0 to 3)

And I just don't understand why ... Is there anyone who can explain me why?

Answer 1

I'd put this down as a potential bug in the Microsoft product. It appears to be using the full value of mask.l ( 0x01020304 being decimal 66051 ) when figuring out the array index, despite the fact you clearly want mask.c[0] forced to a uint8_t value.

So the first step is to notify Microsoft. They may come back and tell you you're wrong, and hopefully give you the C++ standard section that states why what you're doing is wrong. Or they may just state the code analysis tool is "best effort only". Since it's not actually preventing you from compiling (and it's not generating errors or warnings during compilation), they could still claim VC++ is compliant.

I would hope, of course, they wouldn't take that tack since they have a lot of interest in ensuring their tools are the best around.

---

The second step you should take is question why you want to do what you're doing in that way in the first place. What you have seems to be a simple byte-ordering switcher based on a mask. The statement:

res.c[(uint8_t)(mask.c[0])] = (uint8_t)p[0];

is problematic anyway since (uint8_t)(mask.c[0]) may well evaluate out to something greater than 3, and you're going to write beyond the end of your union in that case.

You may think that ensuring mask has no bytes greater than 3 may prevent this but it may be that the analyser doesn't know this. In any case, there are many ways already to switch byte order, such as with the htons family of functions or, since your stuff is hard-coded anyway, just use one of:

res.c[0] = p[0]; res.c[1] = p[1]; res.c[2] = p[2]; res.c[3] = p[3];

or:

res.c[0] = p[3]; res.c[1] = p[2]; res.c[2] = p[1]; res.c[3] = p[0];

or something else, for stranger byte ordering requirements. Using this method doesn't cause any complaints from the analyser at all.

---

If you really want to do it with the current mask method, you can remove the analyser warning (at least in VS2013 which is what I'm using) by temporarily supressing it (for one line):

#pragma warning(suppress : 6386)
res.c[mask.c[0]] = p[0];
res.c[mask.c[1]] = p[1];
res.c[mask.c[2]] = p[2];
res.c[mask.c[3]] = p[3];

(with casts removed since the types are already correct).