https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95496
Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |85741

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---

The instrumentation added by the sanitizers is known to lead to introducing invalid code (typically by jump threading) that triggers spurious warnings. The dump for the attached file shows a number of invalid calls to fprintf. Some of those result in diagnostics (in fact, they all should). The first one looks like this. Note the tests for null and the subsequent uses of nulls in the fprintf calls:

  _707 = section_618->name;
  _708 = dcgettext ("bfd", "\nThe Export Tables (interpreted %s section contents)\n\n", 5);
  if (vfile_98(D) == 0B)
    goto <bb 222>; [0.00%]
  else
    goto <bb 224>; [100.00%]

  <bb 222> [count: 0]:
  __builtin___ubsan_handle_nonnull_arg (&*.Lubsan_data103);
  if (_708 == 0B)
    goto <bb 223>; [0.00%]
  else
    goto <bb 466>; [100.00%]

  <bb 223> [count: 0]:
  __builtin___ubsan_handle_nonnull_arg (&*.Lubsan_data104);
  fprintf (vfile_98(D), _708, _707);
  _709 = dcgettext ("bfd", "Export Flags \t\t\t%lx\n", 5);
  if (vfile_98(D) == 0B)
    goto <bb 225>; [0.00%]
  else
    goto <bb 226>; [100.00%]

  <bb 224> [local count: 7698574]:
  if (_708 == 0B)
    goto <bb 223>; [0.00%]
  else
    goto <bb 500>; [100.00%]

  <bb 225> [count: 0]:
  # _992 = PHI <_1012(466), _709(223)>
  __builtin___ubsan_handle_nonnull_arg (&*.Lubsan_data106);
  if (_992 == 0B)
    goto <bb 227>; [0.00%]
  else
    goto <bb 465>; [100.00%]

  <bb 226> [local count: 7698574]:
  # _2952 = PHI <_709(223), _1227(500)>
  if (_2952 == 0B)
    goto <bb 227>; [0.00%]
  else
    goto <bb 499>; [100.00%]

  <bb 227> [count: 0]:
  # _2558 = PHI <0B(225), 0B(226)>
  __builtin___ubsan_handle_nonnull_arg (&*.Lubsan_data107);
  fprintf (vfile_98(D), 0B, _637);          <<< null format: warning

The calls with the null format are first seen in the dom3 dump, just after thread3.

The instrumentation (and jump threading) and the warnings are inherently incompatible. They need to cooperate to avoid the spurious warnings. The sanitizers could mark up the code somehow to either keep jump threading from doing what it does or to let the warnings know the calls were synthesized. Until something like this is implemented the guidance we have been giving to users is to expect false positives from the warnings when using sanitizers (or disable the warnings).

$ gcc -O2 -S -fsanitize=undefined -fdump-tree-strlen=/dev/stdout peXXigen.c | sed -n "/^_bfd_pe_print_private_bfd_data_commo/,/^}/p" | grep "fprintf (" | grep 0B
  fprintf (0B, "\nTime/Date\t\t%08lx", _26);
  fprintf (0B, "\nMajorLinkerVersion\t%d\n", _2667);
  fprintf (0B, "MinorLinkerVersion\t%d\n", _2958);
  fprintf (0B, "\nSectionAlignment\t%08x\n", _2856);
  fprintf (0B, "FileAlignment\t\t%08x\n", _2834);
  fprintf (0B, "MajorOSystemVersion\t%d\n", _2815);
  fprintf (0B, "MinorOSystemVersion\t%d\n", _2801);
  fprintf (0B, "MajorImageVersion\t%d\n", _2787);
  fprintf (0B, "MinorImageVersion\t%d\n", _2773);
  fprintf (0B, "MajorSubsystemVersion\t%d\n", _2766);
  fprintf (0B, "MinorSubsystemVersion\t%d\n", _2752);
  fprintf (0B, "Win32Version\t\t%08x\n", _2738);
  fprintf (0B, "SizeOfImage\t\t%08x\n", _2720);
  fprintf (0B, "SizeOfHeaders\t\t%08x\n", _2708);
  fprintf (0B, "CheckSum\t\t%08x\n", _2696);
  fprintf (0B, "\nDllCharacteristics\t%08x\n", _946);
  fprintf (0B, "\nLoaderFlags\t\t%08lx\n", _2618);
  fprintf (0B, "NumberOfRvaAndSizes\t%08lx\n", _2594);
  fprintf (0B, "Entry %1x ", j_2977);
  fprintf (0B, " %08lx ", _696);
  fprintf (vfile_98(D), 0B, _637);
  fprintf (vfile_98(D), 0B, _643);
  fprintf (vfile_98(D), 0B, _790, _780);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B, _676);
  fprintf (vfile_98(D), 0B, _682);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B);
  fprintf (0B, " %x", em_data_1082);
  fprintf (0B, "Subsystem\t\t%08x", _2689);
  fprintf (0B, _1020);
  fprintf (0B, _721, _670);
  fprintf (0B, _708, _707);
  fprintf (0B, _851, _850, addr_852);
  fprintf (0B, "Subsystem\t\t%08x", _2689);
  fprintf (0B, "Magic\t\t\t%04x", _30);
  fprintf (0B, "Magic\t\t\t%04x", _30);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B);
  fprintf (vfile_98(D), 0B, _682);
  fprintf (vfile_98(D), 0B, _682);
  fprintf (vfile_98(D), 0B, _613, _606);
  fprintf (vfile_98(D), 0B, _2485, _2483);
  fprintf (vfile_98(D), 0B, _1136);
  fprintf (vfile_98(D), 0B, _232);

Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85741
[Bug 85741] [meta-bug] bogus/missing -Wformat-overflow
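The dump pipeline from Comment #2, packaged as a reusable script. This is an added example and not part of the bug report, GCC or binutils: the function names write_reproducer and null_arg_calls, the helper declarations lookup and field, and the reproducer source itself are all constructed here. The reproducer only copies the shape of the bfd code (a FILE * parameter plus format strings returned by an opaque call, so the compiler can prove neither argument non-null and -fsanitize=undefined emits nonnull checks for both). Whether a particular GCC version threads those checks into fprintf calls with a constant 0B argument is exactly what the script lets you inspect; it does not assume the answer.

```sh
#!/bin/sh
# Added example (not from the GCC bug report): list fprintf calls in a
# function's strlen dump that carry a constant null (0B) argument after
# -O2 -fsanitize=undefined, i.e. the synthesized calls Comment #2 describes.
set -e

# Constructed reproducer, shaped like the bfd code in the report. lookup()
# stands in for dcgettext and field() for the PE header reads; both are
# opaque externs so the optimizer knows nothing about their results.
write_reproducer() {
  cat > "$1" <<'EOF'
#include <stdio.h>
extern const char *lookup(const char *msgid);   /* stands in for dcgettext */
extern unsigned long field(int i);              /* opaque, like the header reads */

void print_private_data(FILE *vfile, int n)
{
  fprintf(vfile, lookup("\nTime/Date\t\t%08lx"), field(0));
  for (int i = 1; i < n; i++)
    fprintf(vfile, lookup("Entry %1x "), field(i));
}
EOF
}

# Usage: null_arg_calls SRC FUNCTION [extra gcc flags...]
# Same command as in the report, with the dump written to a temp file so a
# gcc failure is not masked by the grep at the end of the pipeline.  Exits 0
# whether or not any 0B calls were found; non-zero only if gcc failed.
null_arg_calls() {
  src=$1; fn=$2; shift 2
  dump=$(mktemp)
  gcc -O2 -S -o /dev/null -fsanitize=undefined "-fdump-tree-strlen=$dump" "$@" "$src"
  # Restrict to FUNCTION's body: the dump starts it at column 0 as "name (".
  sed -n "/^$fn (/,/^}/p" "$dump" | grep 'fprintf (' | grep '0B' || true
  rm -f "$dump"
}

# Run directly: with SRC FUNCTION arguments inspect that file, otherwise
# demonstrate on the constructed reproducer when a real GCC is available.
if [ $# -ge 2 ]; then
  null_arg_calls "$@"
elif [ $# -eq 0 ] && gcc -v 2>&1 | grep -q 'gcc version'; then
  tmp=$(mktemp -d)
  write_reproducer "$tmp/repro.c"
  null_arg_calls "$tmp/repro.c" print_private_data
  rm -rf "$tmp"
fi
```

To reproduce the report itself, point it at the attached file and the function named in the comment: null_arg_calls peXXigen.c _bfd_pe_print_private_bfd_data_common (plus whatever -I flags the binutils tree needs). An empty result on a newer GCC means that version no longer threads the sanitizer checks into null-argument calls for that input, not that the warning logic has learned to recognize synthesized calls.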