From patchwork Fri Aug 17 16:22:22 2012
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 178281
Message-ID: <502E6FBE.7070609@redhat.com>
Date: Fri, 17 Aug 2012 18:22:22 +0200
From: Florian Weimer
To: GCC Patches
Subject: [RFC] Warning for potentially unbound writes to function parameters

In some real-world code, I noticed a curious pattern: using the unsafe
string functions on function parameter arguments.  This leads to
gets()-style unsafe APIs.  I've looked at how to implement a warning for
this, and came up with the attached patch.  Do you think this makes
sense?

 1  #include <string.h>
 2
 3  const char *data (void);
 4
 5  void test (char *target)
 6  {
 7    strcpy(target, data ());
 8  }
 9
10
11  void test_2 (char *target)
12  {
13    char *p = target;
14    strcpy(p, data ());
15  }
16

/tmp/t.c: In function ‘test’:
/tmp/t.c:7:9: warning: potentially unbound write to function parameter ‘target’ [-Wunbound-parameter-write]
   strcpy(target, data ());
         ^
/tmp/t.c: In function ‘test_2’:
/tmp/t.c:14:9: warning: potentially unbound write to function parameter ‘target’ [-Wunbound-parameter-write]
   strcpy(p, data ());
         ^

Obviously, the warning and its name need adjusting, and more functions
need to be covered.  But I want to check first if you think the warning
makes sense at all, and if I've found the right place to implement it
(this approach seems to require optimization, alas).

commit 324c7189c9cf871584da988f12d1a686df0d6e0c
Author: Florian Weimer
Date:   Fri Aug 17 18:19:13 2012 +0200

    Implement -Wunbound-parameter-write (proof of concept)

diff --git a/gcc/builtins.c b/gcc/builtins.c
index 4b177c4..dc90484 100644
--- a/gcc/builtins.c
+++ b/gcc/builtins.c
@@ -3274,6 +3274,14 @@ expand_builtin_strcpy (tree exp, rtx target) { tree dest = CALL_EXPR_ARG (exp, 0); tree src = CALL_EXPR_ARG (exp, 1); + if (TREE_CODE (dest) == SSA_NAME) + { + tree dest_var = SSA_NAME_VAR (dest); + if (TREE_CODE (dest_var) == PARM_DECL) + warning_at (EXPR_LOCATION (exp), OPT_Wunbound_parameter_write, + "potentially unbound write to function parameter %qD", + dest_var); + } return expand_builtin_strcpy_args (dest, src, target); } return NULL_RTX; diff --git a/gcc/common.opt b/gcc/common.opt index deb89e3..fe892b7 100644 --- a/gcc/common.opt +++ b/gcc/common.opt @@ -562,6 +562,10 @@ Wlarger-than= Common RejectNegative Joined UInteger Warning -Wlarger-than= Warn if an object is larger than bytes +Wunbound-parameter-write +Common Var(warn_unbound_parameter_write) Warning +Warn if a function without array bounds checking writes to a pointer passed as an parameter + Wunsafe-loop-optimizations Common Var(warn_unsafe_loop_optimizations) Warning Warn if the loop cannot be optimized due to nontrivial assumptions.
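Review bot: in the expand_builtin_strcpy hunk, dest_var = SSA_NAME_VAR (dest) is handed to TREE_CODE without a NULL test; if an SSA name without an underlying decl can reach this point, that is a NULL dereference, so write `if (dest_var && TREE_CODE (dest_var) == PARM_DECL)`. The placement is the other issue, and it is the likely reason the message finds that the approach needs optimization: the check lives in the RTL expander for the strcpy builtin, so it only fires when the call is actually expanded as a builtin, and every further function to be covered (strcat, sprintf, ...) would need the same code pasted into its own expand_builtin_* hook. A GIMPLE walk over call statements whose callee is one of the unbounded builtins, applying the same SSA_NAME/PARM_DECL test to gimple_call_arg (stmt, 0), would run independently of -O and keep all covered functions in one place. The hunk also lacks a gcc.dg testcase exercising both test and test_2 from the message, and a ChangeLog entry.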
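Review bot: the help text in the common.opt hunk reads "passed as an parameter"; it should be "passed as a parameter", and it should end with a period to match the Wunsafe-loop-optimizations description directly below it. The option is also undocumented: a new -W flag needs a matching entry in doc/invoke.texi that says what "without array bounds checking" currently covers (only strcpy, per the builtins.c hunk) and that nothing here enables it under -Wall or -Wextra, so users have to request it explicitly.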
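The gets()-style contract the RFC warns about, beside the bounded form a reviewer would ask the callee to expose instead, as an added C example. This is not code from the patch or from the t.c test case in the message: data() is a constructed stand-in for the message's opaque data() declaration, and the remaining function names and the payload string are invented for the example.

```c
/* Added example: the two API shapes the RFC contrasts.
   gets_style_fill() writes through a pointer parameter with no bound,
   so only the caller's guess about the buffer size keeps it safe; this
   is the call the proposed -Wunbound-parameter-write would report.
   bounded_fill() is the conventional fix: the caller passes the
   capacity, the callee never writes past it, and the return value is
   the length the untruncated result needed, so truncation is detectable.
   data(), the payload string and the function names are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the opaque data() source in the RFC's t.c. */
static const char *data (void)
{
  return "payload-longer-than-eight-bytes";   /* 31 bytes, constructed */
}

/* gets()-style API: nothing tells the caller how large target must be. */
void gets_style_fill (char *target)
{
  strcpy (target, data ());   /* the write the proposed warning flags */
}

/* Bounded API: copies at most size-1 bytes plus the terminator and
   returns the length of the untruncated result.  A return value >= size
   means the output was truncated; size == 0 just reports the need. */
size_t bounded_fill (char *target, size_t size)
{
  const char *src = data ();
  size_t need = strlen (src);
  if (size == 0)
    return need;
  size_t n = need < size - 1 ? need : size - 1;
  memcpy (target, src, n);
  target[n] = '\0';
  return need;
}

/* 1 if filling an 8-byte buffer through the bounded API reports
   truncation and still leaves a NUL-terminated prefix inside the buffer. */
int bounded_fill_truncates_safely (void)
{
  char buf[8];
  memset (buf, 'X', sizeof buf);
  size_t need = bounded_fill (buf, sizeof buf);
  return need >= sizeof buf
         && strlen (buf) == sizeof buf - 1
         && memcmp (buf, data (), sizeof buf - 1) == 0;
}

/* 1 if a buffer that is large enough receives the whole string intact. */
int bounded_fill_copies_whole_string (void)
{
  char buf[64];
  size_t need = bounded_fill (buf, sizeof buf);
  return need < sizeof buf && strcmp (buf, data ()) == 0;
}

int main (void)
{
  char small[8];
  size_t need = bounded_fill (small, sizeof small);
  printf ("got \"%s\"%s, needed %zu bytes including the terminator\n",
          small, need >= sizeof small ? " (truncated)" : "", need + 1);
  return 0;
}
```

Of the two callees, the patch as posted would report only gets_style_fill, since it instruments strcpy and nothing else; the bounded variant's write goes through memcpy with an explicit length, which is exactly the information the gets()-style signature throws away.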