https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93640
Bug ID: 93640
Summary: The write_only and read_write attributes can be
mistyped due to invalid strncmp size argument
Product: gcc
Version: 10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: dominik.b.czarnota+bugzilla at gmail dot com
Target Milestone: ---
Hey,
There is a small bug in gcc trunk (which I believe will be gcc 10).
The PoC code is below. This compiles while it should not, because there is no
'write_onlX' attribute:
```
__attribute__ ((access (write_onlX, 1))) int foo (char*);
__attribute__ ((access (read_writX, 1))) int bar (char*);
int foo(char* x) {
    return sizeof(x) * 2;
}
int bar(char* x) {
    return sizeof(x) * 2;
}
```
If we mistype it more, it will actually throw a compile error, so e.g.
`write_onYX` and `read_wriYX` would trigger the following errors:
```
<source>:1:2: error: attribute 'access' invalid mode 'write_onYX'; expected one of 'read_only', 'read_write', or 'write_only'
    1 | __attribute__ ((access (write_onYX, 1))) int foo (char*);
      |  ^~~~~~~~~~~~~
<source>:3:2: error: attribute 'access' invalid mode 'read_wriYX'; expected one of 'read_only', 'read_write', or 'write_only'
    3 | __attribute__ ((access (read_wriYX, 1))) int bar (char*);
      |  ^~~~~~~~~~~~~
Compiler returned: 1
```
All this can be observed on https://godbolt.org/z/Pj-5vp
The issue comes from the code below (that can be seen e.g. here:
https://github.com/gcc-mirror/gcc/blob/8d9254fc8aa32619f640efb01cfe87cc6cdc9ce1/gcc/c-family/c-attribs.c#L4061-L4062)
from gcc/c-family/c-attribs.c#L4061-L4062:
```
const bool read_only = strncmp (ps, "read_only", 9) == 0;
const bool write_only = strncmp (ps, "write_only", 9) == 0;
if (!read_only && !write_only && strncmp (ps, "read_write", 9))
```
While the "read_only" string does indeed have 9 characters (without the null byte),
both "write_only" and "read_write" have a length of 10, and so the `strncmp`
call misses the last byte of them.
This can be easily fixed by changing the size argument from 9 to 10 in those
two cases. I haven't filed a patch as it is more convenient to write this down
here through a web browser (than cloning repo, creating patch, sending e-mails
etc).
There are other cases like this which I haven't fully triaged. I will
report them anyway in another bug report.
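As an added illustration of the defect described in this report (this is not GCC's code and not the reporter's PoC): a small stand-alone re-creation of the mode check, once with the `strncmp (..., 9)` calls quoted above, once with the 9-to-10 change the report suggests, and once with an exact `strcmp`. The `classify_*` functions, the `access_mode` enum and the sample strings are hypothetical names constructed for this example. It goes slightly beyond the report in one respect: because `strncmp` with `n` equal to the needle's length is a prefix test, any longer string that begins with a valid mode name (e.g. `read_onlyX`, `write_onlyX`) is accepted by both length-limited variants and rejected only by the exact comparison.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical classification result; not a GCC type. */
typedef enum {
    MODE_INVALID = 0,
    MODE_READ_ONLY,
    MODE_WRITE_ONLY,
    MODE_READ_WRITE
} access_mode;

/* Mirrors the three strncmp(..., 9) calls quoted in the report.
 * With n = 9, "write_only" and "read_write" are only compared on their
 * first 9 bytes, so a mistyped 10th character is never looked at. */
static access_mode classify_buggy(const char *ps)
{
    const bool read_only  = strncmp(ps, "read_only", 9) == 0;
    const bool write_only = strncmp(ps, "write_only", 9) == 0;
    if (read_only)
        return MODE_READ_ONLY;
    if (write_only)
        return MODE_WRITE_ONLY;
    if (strncmp(ps, "read_write", 9) == 0)
        return MODE_READ_WRITE;
    return MODE_INVALID;
}

/* The minimal change the report proposes: compare all 10 bytes of the
 * two 10-character mode names.  Still a prefix test for longer input. */
static access_mode classify_len_fixed(const char *ps)
{
    const bool read_only  = strncmp(ps, "read_only", 9) == 0;
    const bool write_only = strncmp(ps, "write_only", 10) == 0;
    if (read_only)
        return MODE_READ_ONLY;
    if (write_only)
        return MODE_WRITE_ONLY;
    if (strncmp(ps, "read_write", 10) == 0)
        return MODE_READ_WRITE;
    return MODE_INVALID;
}

/* Exact comparison: the whole string, including its length, must match,
 * so neither a mistyped character nor trailing junk is accepted. */
static access_mode classify_exact(const char *ps)
{
    if (strcmp(ps, "read_only") == 0)
        return MODE_READ_ONLY;
    if (strcmp(ps, "write_only") == 0)
        return MODE_WRITE_ONLY;
    if (strcmp(ps, "read_write") == 0)
        return MODE_READ_WRITE;
    return MODE_INVALID;
}

static const char *mode_name(access_mode m)
{
    switch (m) {
    case MODE_READ_ONLY:  return "read_only";
    case MODE_WRITE_ONLY: return "write_only";
    case MODE_READ_WRITE: return "read_write";
    default:              return "INVALID";
    }
}

int main(void)
{
    /* Constructed inputs: the two strings from the PoC, the two that the
     * report says are rejected, and two valid names with trailing junk. */
    static const char *const samples[] = {
        "write_onlX", "read_writX", "write_onYX", "read_wriYX",
        "read_onlyX", "write_onlyX", "read_only", "write_only", "read_write",
    };
    printf("%-12s %-11s %-11s %-11s\n", "input", "buggy(9)", "len(10)", "strcmp");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %-11s %-11s %-11s\n", samples[i],
               mode_name(classify_buggy(samples[i])),
               mode_name(classify_len_fixed(samples[i])),
               mode_name(classify_exact(samples[i])));
    return 0;
}
```

Running it prints a table in which the `buggy(9)` column accepts `write_onlX` and `read_writX` exactly as the report's PoC compiles, the `len(10)` column rejects them, and only the `strcmp` column also rejects `read_onlyX` and `write_onlyX`.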