public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/104929] New: UBSAN: false positive with sprintf
@ 2022-03-15 9:25 jengelh at inai dot de
2022-03-15 9:27 ` [Bug sanitizer/104929] " marxin at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: jengelh at inai dot de @ 2022-03-15 9:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929
Bug ID: 104929
Summary: UBSAN: false positive with sprintf
Product: gcc
Version: 11.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: jengelh at inai dot de
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
// g++ -Wall -fsanitize=undefined -O2 -c t.cpp
#include <cstdio>
size_t fun(char *s)
{
	sprintf(s, " ");
	return __builtin_strlen(s);
}
Observed:
t.cpp: In function ‘size_t fun(char*)’:
t.cpp:5:16: warning: null destination pointer [-Wformat-overflow=]
5 | sprintf(s, " ");
// gcc version 11.2.1 20220103 [revision d4a1d3c4b377f1d4acb34fe1b55b5088a3f293f6] (SUSE Linux), Linux amd64 glibc-2.35
Expected:
Don't warn(?)
* [Bug sanitizer/104929] UBSAN: false positive with sprintf
From: marxin at gcc dot gnu.org @ 2022-03-15 9:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
It's a well-known limitation that the use of sanitizers tends to emit false positives for various warnings.
* [Bug sanitizer/104929] UBSAN: false positive with sprintf
From: schwab@linux-m68k.org @ 2022-03-15 9:42 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929
--- Comment #2 from Andreas Schwab <schwab@linux-m68k.org> ---
I think the point here is that s is not guaranteed to be non-NULL. You can add
if (s == 0) __builtin_unreachable();
to suppress the warning.
* [Bug sanitizer/104929] UBSAN: false positive with sprintf
From: jakub at gcc dot gnu.org @ 2022-03-15 9:56 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929
--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
In this particular case the problem is that UBSAN adds the non-NULL tests, so
the IL becomes
	if (!s) __ubsan_handle_nonnull_arg (...);
	sprintf(s, " ");
	if (!s) __ubsan_handle_nonnull_arg (...);
	return __builtin_strlen(s);
and then jump threading thinks it is a good idea to thread it, so turns it into
	if (!s) {
		__ubsan_handle_nonnull_arg (...);
		sprintf(NULL, " ");
		__ubsan_handle_nonnull_arg (...);
	} else
		sprintf(s, " ");
and that is why the warning is emitted (pain of all the middle-end warnings).
The ways out of this might be to convince jump threading to punt in such cases
(when those are clearly ubsan tests) because we expect them to be extremely
unlikely, or to use some new internal function from between the ubsan pass and
sanopt, where the test for non-NULL wouldn't be explicit in the IL until very
late (that would also prevent the jump threading), or, during the jump
threading, when we detect these ubsan-ish tests, to suppress some of the
warnings on the threaded stmts.
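An added example in C, not code from the bug report or from GCC: it writes out the two IL shapes comment #3 describes as ordinary functions, with a stand-in for __ubsan_handle_nonnull_arg (an assumption: it records the report and unwinds via longjmp instead of returning, so the NULL path can be exercised without reaching the sprintf(NULL, ...) call). Both shapes behave identically at run time for NULL and non-NULL s, which is why jump threading is entitled to make the change; the threaded shape merely exposes the sprintf(NULL, " ") statement that -Wformat-overflow then reports.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>

static jmp_buf ubsan_trap;
static int ubsan_reports;
char scratch[4] = "xyz"; /* constructed writable destination for the tests */

/* Stand-in for __ubsan_handle_nonnull_arg: records the report and unwinds
 * (an assumption made here; the real handler prints and by default returns). */
static void ubsan_handle_nonnull_arg(void)
{
    ubsan_reports++;
    longjmp(ubsan_trap, 1);
}

/* IL after the ubsan pass, before jump threading: one non-NULL test per call. */
size_t fun_before_threading(char *s)
{
    if (!s) ubsan_handle_nonnull_arg();
    sprintf(s, " ");
    if (!s) ubsan_handle_nonnull_arg();
    return __builtin_strlen(s);
}

/* IL after jump threading: the second test is resolved inside the first
 * branch, which now holds a sprintf with a literal NULL destination; that
 * statement is what -Wformat-overflow reports at compile time. */
size_t fun_after_threading(char *s)
{
    if (!s) {
        ubsan_handle_nonnull_arg();
        sprintf(NULL, " ");
        ubsan_handle_nonnull_arg();
    } else {
        sprintf(s, " ");
    }
    return __builtin_strlen(s);
}

/* Calls f(NULL) under the stand-in handler; returns how many reports fired. */
int reports_for_null(size_t (*f)(char *))
{
    ubsan_reports = 0;
    if (setjmp(ubsan_trap) == 0) (void)f(NULL);
    return ubsan_reports;
}
```

Comment #2's `if (s == 0) __builtin_unreachable();` silences the warning by letting the optimizer treat s as non-NULL, which at -O2 also deletes the sanitizer's own test, so a NULL argument becomes plain undefined behaviour instead of a runtime report.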