__fortified_attr_access seems to be defined incorrectly for _FORTIFY_SOURCE==3. The documentation for the size-index of access attribute (https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute) has the following: ``` When no size-index argument is specified, the pointer argument must be either null or point to a space that is suitably aligned and large for __at least one object__ of the referenced type (this implies that a past-the-end pointer is not a valid argument). ``` Notice the __at least__ part here. That means the definition of __fortified_attr_access is wrong when _FORTIFY_SOURCE==3, when passing around 0 size structs. An example is: ``` #include <stdio.h> #include <unistd.h> int main(void) { struct test_st {}; int fd = 0; int count = 0; struct test_st test_info[16]; count = read(fd, test_info, sizeof(test_info)); return(0); } ``` With _FORTIFY_SOURCE==3 we get: __attribute__ ((__access__ (__write_only__, 2))) Which means the size has to be at least 1 but test_info has size of 0 and we are passing a size of 0 to read even. This is moved from GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113922 .
``` When no size-index argument is specified, the pointer argument must be either null or point to a space that is suitably aligned and large for __at least one object__ of the referenced type (this implies that a past-the-end pointer is not a valid argument). ``` Well technically, the pointer argument *is* suitably aligned and large for 16 objects of 0 size, but the implication that it is hence not a past-the-end pointer is invalid. I'll drop the access attribute (since the additional value from having it is not really significant enough) but IMO -Wstringop-overflow needs to be fixed to handle pointers to zero-sized structs, i.e. it needs to ignore them and not conjure up an access size of 1 out of nowhere.
Patch posted: https://patchwork.sourceware.org/project/glibc/patch/20240215171506.3154505-1-siddhesh@sourceware.org/
(In reply to Siddhesh Poyarekar from comment #1) > ``` > When no size-index argument is specified, the pointer argument must be > either null or point to a space that is suitably aligned and large for __at > least one object__ of the referenced type (this implies that a past-the-end > pointer is not a valid argument). > ``` > > Well technically, the pointer argument *is* suitably aligned and large for > 16 objects of 0 size, but the implication that it is hence not a > past-the-end pointer is invalid. I'll drop the access attribute (since the > additional value from having it is not really significant enough) but IMO > -Wstringop-overflow needs to be fixed to handle pointers to zero-sized > structs, i.e. it needs to ignore them and not conjure up an access size of 1 > out of nowhere. Actually, no, I was wrong. The referenced type is void*, which is why the warning is 'correct'. Maybe there's scope for better wording, but it does make sense to warn in such cases: extern void f2 (void *) __attribute__ ((__access__ (__write_only__, 1))); void f1 (void) { struct A {} a[16]; f2 (a); }
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bf9688e623262c5fa9f91e4de0e84db45025076f commit bf9688e623262c5fa9f91e4de0e84db45025076f Author: Siddhesh Poyarekar <siddhesh@sourceware.org> Date: Thu Feb 15 07:40:56 2024 -0500 cdefs: Drop access attribute for _FORTIFY_SOURCE=3 (BZ #31383) When passed a pointer to a zero-sized struct, the access attribute without the third argument misleads -Wstringop-overflow diagnostics to think that a function is writing 1 byte into the zero-sized structs. The attribute doesn't add that much value in this context, so drop it completely for _FORTIFY_SOURCE=3. Resolves: BZ #31383 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Done.