This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]

From: Martin Sebor <msebor at gmail dot com>
To: Florian Weimer <fweimer at redhat dot com>, "H.J. Lu" <hjl dot tools at gmail dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>, msebor at redhat dot com
Date: Thu, 23 May 2019 10:21:17 -0600
Subject: Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
References: <20190522224053.15351-1-hjl.tools@gmail.com> <877eah1wmk.fsf@oldenburg2.str.redhat.com> <CAMe9rOo6NB16mBMVFKL63Y0s1U6+d=ThezVj1BCggAwutBAnRA@mail.gmail.com> <87tvdlw62m.fsf@oldenburg2.str.redhat.com> <CAMe9rOqF-VzB9y+K2zvX7up=zmowpb4sewfudo2UhqxLP-oURA@mail.gmail.com> <87mujdw54b.fsf@oldenburg2.str.redhat.com>

On 5/23/19 9:41 AM, Florian Weimer wrote:

* H. J. Lu:

On Thu, May 23, 2019 at 8:20 AM Florian Weimer <fweimer@redhat.com> wrote:


* H. J. Lu:

On Thu, May 23, 2019 at 12:02 AM Florian Weimer <fweimer@redhat.com> wrote:


* H. J. Lu:

In function ‘error’,
     inlined from ‘do_one_test’ at bench-strstr.c:149:7,
     inlined from ‘do_test’ at bench-strstr.c:201:5,
     inlined from ‘test_main’ at bench-strstr.c:220:2:
../include/bits/../../misc/bits/error.h:42:5: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
    42 |     __error_alias (__status, __errnum, __format, __va_arg_pack ());
       |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Isn't this warning wrong for glibc in general (but not for
_dl_debug_printf)?

I think printing "(null)" for null pointers is a widely-used GNU
extension.


Only for limited cases:

[hjl@gnu-cfl-1 tmp]$ cat x.c
#include <stdio.h>

char *p;

int
main ()
{
   printf("null string:%s\n", p);
   printf ("%s\n", p);
   return 0;
}
[hjl@gnu-cfl-1 tmp]$ gcc x.c
[hjl@gnu-cfl-1 tmp]$ ./a.out
null string:(null)
Segmentation fault
[hjl@gnu-cfl-1 tmp]$


Ah, because GCC transforms printf with "%s\n" to puts?  Hmm.


Yes.


We document the printf behavior:

|    If you accidentally pass a null pointer as the argument for a ‘%s’
| conversion, the GNU C Library prints it as ‘(null)’.  We think this is
| more useful than crashing.  But it’s not good practice to pass a null
| argument intentionally.

So we should perhaps fix puts to behave in the same way.  (puts isn't
even annotated with __nonnull today.)


There are two transformations that don't handle null pointers: printf
to puts and sprintf to strcpy (or memcpy).  They have been in GCC since
at least 2005, and in Clang since at least 2011.  I'd rather discourage
relying on the Glibc printf extension than remove the transformations
or suppress the warning.

Martin

Follow-Ups:
- Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: Paul Eggert

References:
- [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: H.J. Lu
- Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: Florian Weimer
- Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: H.J. Lu
- Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: Florian Weimer
- Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: H.J. Lu
- Re: [PATCH] Don't pass NULL pointer to error [BZ #24556]
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]