public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/104929] New: UBSAN: false positive with sprintf
@ 2022-03-15  9:25 jengelh at inai dot de
  2022-03-15  9:27 ` [Bug sanitizer/104929] " marxin at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: jengelh at inai dot de @ 2022-03-15  9:25 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929

            Bug ID: 104929
           Summary: UBSAN: false positive with sprintf
           Product: gcc
           Version: 11.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: jengelh at inai dot de
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

// g++ -Wall -fsanitize=undefined -O2 -c t.cpp
#include <cstdio>
size_t fun(char *s)
{
        sprintf(s, " ");
        return __builtin_strlen(s);
}

Observed:
t.cpp: In function ‘size_t fun(char*)’:
t.cpp:5:16: warning: null destination pointer [-Wformat-overflow=]
    5 |         sprintf(s, " ");
//gcc version 11.2.1 20220103 [revision
d4a1d3c4b377f1d4acb34fe1b55b5088a3f293f6] (SUSE Linux), Linux amd64 glibc-2.35

Expected:
Don't warn(?)


* [Bug sanitizer/104929] UBSAN: false positive with sprintf
From: marxin at gcc dot gnu.org @ 2022-03-15  9:27 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
It's a quite well-known limitation that the use of sanitizers tends to emit false
positives from various warnings.


* [Bug sanitizer/104929] UBSAN: false positive with sprintf
From: schwab@linux-m68k.org @ 2022-03-15  9:42 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929

--- Comment #2 from Andreas Schwab <schwab@linux-m68k.org> ---
I think the point here is that s is not guaranteed to be non-NULL.  You can add

  if (s == 0) __builtin_unreachable();

to suppress the warning.


* [Bug sanitizer/104929] UBSAN: false positive with sprintf
From: jakub at gcc dot gnu.org @ 2022-03-15  9:56 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104929

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
In this particular case the problem is that UBSAN adds the non-NULL tests, so
the IL becomes

  if (!s) __ubsan_handle_nonnull_arg (...);
  sprintf(s, " ");
  if (!s) __ubsan_handle_nonnull_arg (...);
  return __builtin_strlen(s);

and then jump threading thinks it is a good idea to thread it, so turns it into

  if (!s) { __ubsan_handle_nonnull_arg (...); sprintf(NULL, " "); __ubsan_handle_nonnull_arg (...); }
  else sprintf(s, " ");

and that is why the warning is emitted (pain of all the middle-end warnings).
The ways out of this might be convince jump threading to punt in such cases
(when those are clearly ubsan tests) because we expect them to be extremely
unlikely,
or use some new internal function from between the ubsan pass and sanopt, where
the test for non-NULL wouldn't be explicit in the IL until very late (that
would also prevent the jump threading), or during the jump threading when we
detect these ubsan-ish tests suppress some of the warnings on the threaded
stmts.

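Added example, not code from the bug report or from GCC: the reporter's function as filed, the __builtin_unreachable() workaround suggested in comment #2, and a plain null guard, side by side, so the three shapes can be compiled with and without -fsanitize=undefined and the diagnostics compared. The names fun_hinted, fun_guarded and demo_ok, and the file name ubsan_sprintf.cpp, are assumptions made for this example. The point it adds to comment #3: once the sanitizer's non-NULL test is threaded, a path where s is NULL reaches sprintf, and the two fixes differ in what they do on that path. The hint declares it impossible (under -fsanitize=undefined it is itself instrumented via -fsanitize=unreachable and aborts at run time; in an uninstrumented build a real NULL caller is silent UB), while the guard keeps it as an observable return.

```cpp
// Added example (not from bug 104929 or GCC). Build both ways and compare:
//   g++ -Wall -fsanitize=undefined -O2 -c ubsan_sprintf.cpp   // warns on fun()
//   g++ -Wall -O2 -c ubsan_sprintf.cpp                          // no warning
#include <cstddef>
#include <cstdio>

// Shape from the report: no null check. After UBSAN inserts its non-NULL
// test and jump threading duplicates the call, a path with s == NULL reaches
// sprintf and -Wformat-overflow reports "null destination pointer".
size_t fun(char *s)
{
        sprintf(s, " ");
        return __builtin_strlen(s);
}

// Comment #2's workaround: tell the compiler the NULL path cannot happen, so
// the threaded s == NULL branch ends in __builtin_unreachable() rather than in
// sprintf(NULL, ...). Caveat (assumption stated in the lead-in): with
// -fsanitize=undefined this becomes a runtime UBSAN report; without the
// sanitizer a NULL caller is undefined behaviour with no diagnostic at all.
size_t fun_hinted(char *s)
{
        if (s == nullptr)
                __builtin_unreachable();
        sprintf(s, " ");
        return __builtin_strlen(s);
}

// Defensive alternative: make the NULL path a real return value. Nothing is
// declared away, the NULL branch never reaches sprintf, and the function is
// safe to call with NULL in non-sanitized builds as well.
size_t fun_guarded(char *s)
{
        if (s == nullptr)
                return 0;
        sprintf(s, " ");
        return __builtin_strlen(s);
}

// Exercises all three on valid buffers plus the guarded variant on NULL.
// Returns true when every result matches the expected behaviour.
bool demo_ok()
{
        char a[8], b[8], c[8];
        return fun(a) == 1 && a[0] == ' ' && a[1] == '\0'
            && fun_hinted(b) == 1
            && fun_guarded(c) == 1
            && fun_guarded(nullptr) == 0;
}

int main()
{
        char buf[8];
        printf("fun(buf)              = %zu\n", fun(buf));
        printf("fun_hinted(buf)       = %zu\n", fun_hinted(buf));
        printf("fun_guarded(buf)      = %zu\n", fun_guarded(buf));
        printf("fun_guarded(nullptr)  = %zu\n", fun_guarded(nullptr));
        printf("demo_ok()             = %s\n", demo_ok() ? "true" : "false");
        return demo_ok() ? 0 : 1;
}
```

Only the first function is expected to draw the -Wformat-overflow warning in the sanitized build; the other two remove the sprintf(NULL, ...) path that jump threading exposes. Do not call fun() or fun_hinted() with NULL: both are undefined behaviour on that input, which is exactly the difference the guarded version removes.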
