use string length to relax -Wstringop-overflow for nonstrings (PR 85623)

GCC 8.1 warns for unbounded (and some bounded) string comparisons
involving arrays declared attribute nonstring (i.e., char arrays
that need not be nul-terminated).  For instance:

   extern __attribute__((nonstring)) char a[4];

   int f (void)
   {
     return strncmp (a, "123", sizeof a);
   }

   warning: ‘strcmp’ argument 1 declared attribute ‘nonstring’

Note that the warning refers to strcmp even though the call in
the source is to strncmp, because prior passes transform one to
the other.

The warning above is unnecessary (for strcmp) and incorrect for
strncmp because the call reads exactly four bytes from the non-
string array a regardless of the bound and so there is no risk
that it will read past the end of the array.

The attached change enhances the warning to use the length of
the string argument to suppress some of these needless warnings
for both bounded and unbounded string comparison functions.
When the length of the string is unknown, the warning uses its
size (when possible) as the upper bound on the number of accessed
bytes.  The change adds no new warnings.

I'm looking for approval to commit it to both trunk and 8-branch.

Martin

Am 2018-05-10 um 21:26 schrieb Martin Sebor:
> GCC 8.1 warns for unbounded (and some bounded) string comparisons
> involving arrays declared attribute nonstring (i.e., char arrays
> that need not be nul-terminated).  For instance:
> 
>    extern __attribute__((nonstring)) char a[4];
> 
>    int f (void)
>    {
>      return strncmp (a, "123", sizeof a);
>    }
> 
>    warning: ‘strcmp’ argument 1 declared attribute ‘nonstring’
> 
> Note that the warning refers to strcmp even though the call in
> the source is to strncmp, because prior passes transform one to
> the other.
> 
> The warning above is unnecessary (for strcmp) and incorrect for
> strncmp because the call reads exactly four bytes from the non-
> string array a regardless of the bound and so there is no risk
> that it will read past the end of the array.
> 
> The attached change enhances the warning to use the length of
> the string argument to suppress some of these needless warnings
> for both bounded and unbounded string comparison functions.
> When the length of the string is unknown, the warning uses its
> size (when possible) as the upper bound on the number of accessed
> bytes.  The change adds no new warnings.
> 
> I'm looking for approval to commit it to both trunk and 8-branch.

Hi Martin,

this patch is a nice improvement and makes "nonstring" a lot more 
useable. But shouldn't the attribute also handle these cases (similar to 
PR 85602):

#include <string.h>

typedef struct {
         char segname[16] __attribute__((__nonstring__));
         char sectname[16] __attribute__((__nonstring__));
} MachO_header;

const char *get_seg_sect(MachO_header *hdr)
{
         static char segname_sectname[sizeof(hdr->segname) + 
sizeof(hdr->sectname) + 2];

         memset(segname_sectname, 0, sizeof(segname_sectname));
         strncpy(segname_sectname, hdr->segname, sizeof(hdr->segname));
         strcat(segname_sectname, "@");
         strncat(segname_sectname, hdr->sectname, sizeof(hdr->sectname));

         return segname_sectname;
}

$ gcc-8 -c -O2 -W -Wall test-macho.c
In file included from /usr/include/string.h:630,
                  from test-macho.c:1:
test-macho.c: In function 'get_seg_sect':
test-macho.c:14:48: warning: argument to 'sizeof' in '__builtin_strncpy' 
call is the same expression as the source; did you mean to use the size 
of the destination? [-Wsizeof-pointer-memaccess]
   strncpy(segname_sectname, hdr->segname, sizeof(hdr->segname));
                                                 ^
test-macho.c:16:49: warning: argument to 'sizeof' in '__builtin_strncat' 
call is the same expression as the source; did you mean to use the size 
of the destination? [-Wsizeof-pointer-memaccess]
   strncat(segname_sectname, hdr->sectname, sizeof(hdr->sectname));
                                                  ^

As you can see __attribute__((__nonstring__)) doesn't silence the warning.

Franz.

On 05/14/2018 10:43 AM, Franz Sirl wrote:
> Am 2018-05-10 um 21:26 schrieb Martin Sebor:
>> GCC 8.1 warns for unbounded (and some bounded) string comparisons
>> involving arrays declared attribute nonstring (i.e., char arrays
>> that need not be nul-terminated).  For instance:
>>
>>    extern __attribute__((nonstring)) char a[4];
>>
>>    int f (void)
>>    {
>>      return strncmp (a, "123", sizeof a);
>>    }
>>
>>    warning: ‘strcmp’ argument 1 declared attribute ‘nonstring’
>>
>> Note that the warning refers to strcmp even though the call in
>> the source is to strncmp, because prior passes transform one to
>> the other.
>>
>> The warning above is unnecessary (for strcmp) and incorrect for
>> strncmp because the call reads exactly four bytes from the non-
>> string array a regardless of the bound and so there is no risk
>> that it will read past the end of the array.
>>
>> The attached change enhances the warning to use the length of
>> the string argument to suppress some of these needless warnings
>> for both bounded and unbounded string comparison functions.
>> When the length of the string is unknown, the warning uses its
>> size (when possible) as the upper bound on the number of accessed
>> bytes.  The change adds no new warnings.
>>
>> I'm looking for approval to commit it to both trunk and 8-branch.
>
> Hi Martin,
>
> this patch is a nice improvement and makes "nonstring" a lot more
> useable. But shouldn't the attribute also handle these cases (similar to
> PR 85602):
>
> #include <string.h>
>
> typedef struct {
>         char segname[16] __attribute__((__nonstring__));
>         char sectname[16] __attribute__((__nonstring__));
> } MachO_header;
>
> const char *get_seg_sect(MachO_header *hdr)
> {
>         static char segname_sectname[sizeof(hdr->segname) +
> sizeof(hdr->sectname) + 2];
>
>         memset(segname_sectname, 0, sizeof(segname_sectname));
>         strncpy(segname_sectname, hdr->segname, sizeof(hdr->segname));
>         strcat(segname_sectname, "@");
>         strncat(segname_sectname, hdr->sectname, sizeof(hdr->sectname));
>
>         return segname_sectname;
> }
>
> $ gcc-8 -c -O2 -W -Wall test-macho.c
> In file included from /usr/include/string.h:630,
>                  from test-macho.c:1:
> test-macho.c: In function 'get_seg_sect':
> test-macho.c:14:48: warning: argument to 'sizeof' in '__builtin_strncpy'
> call is the same expression as the source; did you mean to use the size
> of the destination? [-Wsizeof-pointer-memaccess]
>   strncpy(segname_sectname, hdr->segname, sizeof(hdr->segname));
>                                                 ^
> test-macho.c:16:49: warning: argument to 'sizeof' in '__builtin_strncat'
> call is the same expression as the source; did you mean to use the size
> of the destination? [-Wsizeof-pointer-memaccess]
>   strncat(segname_sectname, hdr->sectname, sizeof(hdr->sectname));
>                                                  ^
>
> As you can see __attribute__((__nonstring__)) doesn't silence the warning.

Thanks for the heads up.  I've added my comments to the bug.
I will see if I can enhance the warning to detect the attribute
and suppress the warning for the use case above.  I think I'd
prefer to do that separately from this bug fix since the two
affect different warnings and will likely need changes to
different areas of the compiler (front-end vs middle-end).

Martin

Ping: https://gcc.gnu.org/ml/gcc-patches/2018-05/msg00509.html

On 05/10/2018 01:26 PM, Martin Sebor wrote:
> GCC 8.1 warns for unbounded (and some bounded) string comparisons
> involving arrays declared attribute nonstring (i.e., char arrays
> that need not be nul-terminated).  For instance:
>
>   extern __attribute__((nonstring)) char a[4];
>
>   int f (void)
>   {
>     return strncmp (a, "123", sizeof a);
>   }
>
>   warning: ‘strcmp’ argument 1 declared attribute ‘nonstring’
>
> Note that the warning refers to strcmp even though the call in
> the source is to strncmp, because prior passes transform one to
> the other.
>
> The warning above is unnecessary (for strcmp) and incorrect for
> strncmp because the call reads exactly four bytes from the non-
> string array a regardless of the bound and so there is no risk
> that it will read past the end of the array.
>
> The attached change enhances the warning to use the length of
> the string argument to suppress some of these needless warnings
> for both bounded and unbounded string comparison functions.
> When the length of the string is unknown, the warning uses its
> size (when possible) as the upper bound on the number of accessed
> bytes.  The change adds no new warnings.
>
> I'm looking for approval to commit it to both trunk and 8-branch.
>
> Martin

On 05/10/2018 01:26 PM, Martin Sebor wrote:
> GCC 8.1 warns for unbounded (and some bounded) string comparisons
> involving arrays declared attribute nonstring (i.e., char arrays
> that need not be nul-terminated).  For instance:
> 
>   extern __attribute__((nonstring)) char a[4];
> 
>   int f (void)
>   {
>     return strncmp (a, "123", sizeof a);
>   }
> 
>   warning: ‘strcmp’ argument 1 declared attribute ‘nonstring’
> 
> Note that the warning refers to strcmp even though the call in
> the source is to strncmp, because prior passes transform one to
> the other.
> 
> The warning above is unnecessary (for strcmp) and incorrect for
> strncmp because the call reads exactly four bytes from the non-
> string array a regardless of the bound and so there is no risk
> that it will read past the end of the array.
> 
> The attached change enhances the warning to use the length of
> the string argument to suppress some of these needless warnings
> for both bounded and unbounded string comparison functions.
> When the length of the string is unknown, the warning uses its
> size (when possible) as the upper bound on the number of accessed
> bytes.  The change adds no new warnings.
> 
> I'm looking for approval to commit it to both trunk and 8-branch.
> 
> Martin
> 
> gcc-85623.diff
> 
> 
> PR c/85623 - strncmp() warns about attribute 'nonstring' incorrectly in -Wstringop-overflow
> 
> gcc/ChangeLog:
> 
> 	PR c/85623
> 	* calls.c (maybe_warn_nonstring_arg): Use string length to set
> 	or ajust the presumed bound on an operation to avoid unnecessary
> 	warnings.
s/ajust/adjust/

> 
> gcc/testsuite/ChangeLog:
> 
> 	PR c/85623
> 	* c-c++-common/attr-nonstring-3.c: Adjust.
> 	* c-c++-common/attr-nonstring-4.c: Adjust.
> 	* c-c++-common/attr-nonstring-6.c: New test.
> 
> diff --git a/gcc/calls.c b/gcc/calls.c
> index 9eb0467..f5c8ad4 100644
> --- a/gcc/calls.c
> +++ b/gcc/calls.c
> @@ -55,6 +55,7 @@ along with GCC; see the file COPYING3.  If not see
>  #include "stringpool.h"
>  #include "attribs.h"
>  #include "builtins.h"
> +#include "gimple-fold.h"
>  
>  /* Like PREFERRED_STACK_BOUNDARY but in units of bytes, not bits.  */
>  #define STACK_BYTES (PREFERRED_STACK_BOUNDARY / BITS_PER_UNIT)
> @@ -1612,15 +1613,36 @@ maybe_warn_nonstring_arg (tree fndecl, tree exp)
>    /* The bound argument to a bounded string function like strncpy.  */
>    tree bound = NULL_TREE;
>  
> +  /* The range of lengths of a string argument to one of the comparison
> +     functions.  If the length is less than the bound it is used instead.  */
> +  tree lenrng[2] = { NULL_TREE, NULL_TREE };
> +
>    /* It's safe to call "bounded" string functions with a non-string
>       argument since the functions provide an explicit bound for this
>       purpose.  */
>    switch (DECL_FUNCTION_CODE (fndecl))
>      {
> -    case BUILT_IN_STPNCPY:
> -    case BUILT_IN_STPNCPY_CHK:
> +    case BUILT_IN_STRCMP:
>      case BUILT_IN_STRNCMP:
>      case BUILT_IN_STRNCASECMP:
> +      {
> +	/* For these, if one argument refers to one or more of a set
> +	   of string constants or arrays of known size, determine
> +	   the range of their known or possible lengths and use it
> +	   conservatively as the bound for the unbounded function,
> +	   and to adjust the range of the bound of the bounded ones.  */
> +	unsigned stride = with_bounds ? 2 : 1;
> +	for (unsigned argno = 0; argno < nargs && !*lenrng; argno += stride)
> +	  {
> +	    tree arg = CALL_EXPR_ARG (exp, argno);
> +	    if (!get_attr_nonstring_decl (arg))
> +	      get_range_strlen (arg, lenrng);
> +	  }
> +      }
> +      /* Fall through.  */
> +
> +    case BUILT_IN_STPNCPY:
> +    case BUILT_IN_STPNCPY_CHK:
>      case BUILT_IN_STRNCPY:
>      case BUILT_IN_STRNCPY_CHK:
>        {
> @@ -1647,6 +1669,33 @@ maybe_warn_nonstring_arg (tree fndecl, tree exp)
> +	{
> +	  /* Replace the bound on the oparation with the upper bound
s/oparation/operation/

OK for the trunk with the nits fixed.

Also note that I've acked a patch from Martin L (I believe) that removes
the chkp/bounds checking bits that were deprecated in gcc-8.  So there's
some chance the bounds-related bits will need to be updated depending on
whether or not Martin's L's patch has been committed.

This isn't strictly a regression.  So unless this is affecting some
critical code (ie glibc, kernel or something similar) this probably
would require an explicit OK from Jakub or Richi to be eligible for the
gcc-8 branch.

jeff

On 05/21/2018 05:02 PM, Jeff Law wrote:
> On 05/10/2018 01:26 PM, Martin Sebor wrote:
>> GCC 8.1 warns for unbounded (and some bounded) string comparisons
>> involving arrays declared attribute nonstring (i.e., char arrays
>> that need not be nul-terminated).  For instance:
>>
>>   extern __attribute__((nonstring)) char a[4];
>>
>>   int f (void)
>>   {
>>     return strncmp (a, "123", sizeof a);
>>   }
>>
>>   warning: ‘strcmp’ argument 1 declared attribute ‘nonstring’
>>
>> Note that the warning refers to strcmp even though the call in
>> the source is to strncmp, because prior passes transform one to
>> the other.
>>
>> The warning above is unnecessary (for strcmp) and incorrect for
>> strncmp because the call reads exactly four bytes from the non-
>> string array a regardless of the bound and so there is no risk
>> that it will read past the end of the array.
>>
>> The attached change enhances the warning to use the length of
>> the string argument to suppress some of these needless warnings
>> for both bounded and unbounded string comparison functions.
>> When the length of the string is unknown, the warning uses its
>> size (when possible) as the upper bound on the number of accessed
>> bytes.  The change adds no new warnings.
>>
>> I'm looking for approval to commit it to both trunk and 8-branch.
>>
>> Martin
>>
>> gcc-85623.diff
>>
>>
>> PR c/85623 - strncmp() warns about attribute 'nonstring' incorrectly in -Wstringop-overflow
>>
>> gcc/ChangeLog:
>>
>> 	PR c/85623
>> 	* calls.c (maybe_warn_nonstring_arg): Use string length to set
>> 	or ajust the presumed bound on an operation to avoid unnecessary
>> 	warnings.
> s/ajust/adjust/
>
>>
>> gcc/testsuite/ChangeLog:
>>
>> 	PR c/85623
>> 	* c-c++-common/attr-nonstring-3.c: Adjust.
>> 	* c-c++-common/attr-nonstring-4.c: Adjust.
>> 	* c-c++-common/attr-nonstring-6.c: New test.
>>
>> diff --git a/gcc/calls.c b/gcc/calls.c
>> index 9eb0467..f5c8ad4 100644
>> --- a/gcc/calls.c
>> +++ b/gcc/calls.c
>> @@ -55,6 +55,7 @@ along with GCC; see the file COPYING3.  If not see
>>  #include "stringpool.h"
>>  #include "attribs.h"
>>  #include "builtins.h"
>> +#include "gimple-fold.h"
>>
>>  /* Like PREFERRED_STACK_BOUNDARY but in units of bytes, not bits.  */
>>  #define STACK_BYTES (PREFERRED_STACK_BOUNDARY / BITS_PER_UNIT)
>> @@ -1612,15 +1613,36 @@ maybe_warn_nonstring_arg (tree fndecl, tree exp)
>>    /* The bound argument to a bounded string function like strncpy.  */
>>    tree bound = NULL_TREE;
>>
>> +  /* The range of lengths of a string argument to one of the comparison
>> +     functions.  If the length is less than the bound it is used instead.  */
>> +  tree lenrng[2] = { NULL_TREE, NULL_TREE };
>> +
>>    /* It's safe to call "bounded" string functions with a non-string
>>       argument since the functions provide an explicit bound for this
>>       purpose.  */
>>    switch (DECL_FUNCTION_CODE (fndecl))
>>      {
>> -    case BUILT_IN_STPNCPY:
>> -    case BUILT_IN_STPNCPY_CHK:
>> +    case BUILT_IN_STRCMP:
>>      case BUILT_IN_STRNCMP:
>>      case BUILT_IN_STRNCASECMP:
>> +      {
>> +	/* For these, if one argument refers to one or more of a set
>> +	   of string constants or arrays of known size, determine
>> +	   the range of their known or possible lengths and use it
>> +	   conservatively as the bound for the unbounded function,
>> +	   and to adjust the range of the bound of the bounded ones.  */
>> +	unsigned stride = with_bounds ? 2 : 1;
>> +	for (unsigned argno = 0; argno < nargs && !*lenrng; argno += stride)
>> +	  {
>> +	    tree arg = CALL_EXPR_ARG (exp, argno);
>> +	    if (!get_attr_nonstring_decl (arg))
>> +	      get_range_strlen (arg, lenrng);
>> +	  }
>> +      }
>> +      /* Fall through.  */
>> +
>> +    case BUILT_IN_STPNCPY:
>> +    case BUILT_IN_STPNCPY_CHK:
>>      case BUILT_IN_STRNCPY:
>>      case BUILT_IN_STRNCPY_CHK:
>>        {
>> @@ -1647,6 +1669,33 @@ maybe_warn_nonstring_arg (tree fndecl, tree exp)
>> +	{
>> +	  /* Replace the bound on the oparation with the upper bound
> s/oparation/operation/
>
> OK for the trunk with the nits fixed.
>
> Also note that I've acked a patch from Martin L (I believe) that removes
> the chkp/bounds checking bits that were deprecated in gcc-8.  So there's
> some chance the bounds-related bits will need to be updated depending on
> whether or not Martin's L's patch has been committed.
>
> This isn't strictly a regression.  So unless this is affecting some
> critical code (ie glibc, kernel or something similar) this probably
> would require an explicit OK from Jakub or Richi to be eligible for the
> gcc-8 branch.

There are a number of warnings in Binutils/GDB that people have
been suppressing by pragmas because the attribute isn't always
effective, most due to bug 85643:

   https://sourceware.org/ml/binutils/2018-05/msg00212.html

I don't know if this bug is also among those instances (there
are several threads on the mailing lists and I may have missed
some).

If the warning for the strncmp() test case above isn't one of
them it certainly is a bug/oversight in the warning that makes
the attribute less useful than it's meant to be and the warning
more noisy.

Jakub/Richard, can you please review the bug and the patch and
decide if it's also appropriate for GCC 8?

Martin