[Bug sanitizer/111513] New: Incorrect -Wformat-overflow warning when using UBSAN with gettext()

[Bug sanitizer/111513] New: Incorrect -Wformat-overflow warning when using UBSAN with gettext()

[gcc@t-8ch.de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111513

            Bug ID: 111513
           Summary: Incorrect -Wformat-overflow warning when using UBSAN
                    with gettext()
           Product: gcc
           Version: 13.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gcc@t-8ch.de
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 55957
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55957&action=edit
preprocessed source

The test program below exhibits the following compiler warning:

test.c: In function ‘main’:
test.c:14:9: warning: null format string [-Wformat-overflow=]
   14 |         printf(gettext("foo %s\n"), "foo");
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.c:14:9: warning: null format string [-Wformat-overflow=]


/* test.c
 *
 * compile with:
 *   gcc -Wall -fsanitize=undefined -O2 test.c
 */
#include <stdio.h>
#include <libintl.h>

int main(void)
{
        FILE *out = stdout;

        fputs("\n", out);
        printf(gettext("foo %s\n"), "foo");
        fputs("\n", out);
}


The warning can be "fixed" by *any* of the following steps:

* remove any of the fputs() calls
* inline the stdout parameter into the second fputs() call
* build without optimizations
* build without UBSAN

Given the weirdness with regards to the fputs() calls I suspect the issue in
GCC.

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/13.2.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure
--enable-languages=ada,c,c++,d,fortran,go,lto,objc,obj-c++ --enable-bootstrap
--prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man
--infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/
--with-build-config=bootstrap-lto --with-linker-hash-style=gnu
--with-system-zlib --enable-__cxa_atexit --enable-cet=auto
--enable-checking=release --enable-clocale=gnu --enable-default-pie
--enable-default-ssp --enable-gnu-indirect-function --enable-gnu-unique-object
--enable-libstdcxx-backtrace --enable-link-serialization=1
--enable-linker-build-id --enable-lto --enable-multilib --enable-plugin
--enable-shared --enable-threads=posix --disable-libssp --disable-libstdcxx-pch
--disable-werror
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 13.2.1 20230801 (GCC) 

glibc version: 2.38

[Bug sanitizer/111513] Incorrect -Wformat-overflow warning when using UBSAN with gettext()

[gcc@t-8ch.de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111513

Thomas Weißschuh <gcc@t-8ch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gcc@t-8ch.de

--- Comment #1 from Thomas Weißschuh <gcc@t-8ch.de> ---
Created attachment 55958
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55958&action=edit
test program

[Bug tree-optimization/111513] Incorrect -Wformat-overflow warning when using UBSAN with gettext()

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111513

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Note from
https://gcc.gnu.org/onlinedocs/gcc-13.2.0/gcc/Instrumentation-Options.html#index-fsanitize_003dundefined
:
```
Note that sanitizers tend to increase the rate of false positive warnings, most
notably those around -Wmaybe-uninitialized. We recommend against combining
-Werror and [the use of] sanitizers.

```

So ...

[Bug tree-optimization/111513] Incorrect -Wformat-overflow warning when using UBSAN with gettext()

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111513

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
In this case GCC does not know that dcgettext does not return null and then
jump threading causes a patch where there is a check on the return value of
dcgettext for null and causes printf to take the null pointer.

Most likely a won't fix ...

[Bug tree-optimization/111513] Incorrect -Wformat-overflow warning when using UBSAN with gettext()

[gcc@t-8ch.de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111513

--- Comment #4 from Thomas Weißschuh <gcc@t-8ch.de> ---
Thanks for the quick response Andrew!

I'll probably disable -Werror then.


FYI:

If I drop the `#include <libintl.h>` and instead declare `dcgettext` on my own,
adding `__attribute__((returns_nonnull)), the issue persists.

Maybe the special handling for gettext() in GCC with regards to format_arg
conflicts here.

/* test.c
 *
 * compile with:
 *   gcc -Wall -fsanitize=undefined -O2 test.c
 */
#include <stdio.h>

__attribute__((format_arg(2), returns_nonnull))
extern char *dcgettext (const char *__domainname, const char *__msgid, int
__category);

int main(void)
{
        FILE *out = stdout;

        fputs("\n", out);
        printf(dcgettext(NULL, "foo\n", 0));
        fputs("\n", out);
}

$ gcc   -Wall -fsanitize=undefined -O2   test.c  -Wextra
test.c: In function ‘main’:
test.c:16:9: warning: null format string [-Wformat-overflow=]
   16 |         printf(dcgettext(NULL, "foo\n", 0));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.c:16:9: warning: null format string [-Wformat-overflow=]