[Bug c/83139] error: null destination pointer [-Werror=format-truncation=] for second call with same destination pointer

2017-11-27 Thread msebor at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83139

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |diagnostic
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |msebor at gcc dot gnu.org
         Resolution|---                         |INVALID

--- Comment #3 from Martin Sebor  ---
A reduced test case showing the IL the checker sees is below.  Your analysis is
correct.  The checker determines that the call to snprintf takes place when the
destination pointer is null and so issues a warning.  The call can also be made
when the destination pointer isn't null, so arguably the checker could walk up
the CFG to try to distinguish these two cases and issue a "destination pointer
may be null" kind of a warning to make it clear that the call may but need not
be safe.  But I think the warning is useful regardless of how it's phrased so
I'll go ahead and resolve this report as invalid.

$ cat c.c && gcc -O2 -S -Wall -fdump-tree-printf-return-value=/dev/stdout c.c
 /ssd/build/gcc-svn/gcc/xgcc -B /ssd/build/gcc-svn/gcc -O2 -S -Wall
-fdump-tree-printf-return-value=/dev/stdout c.c

;; Function get_config_path (get_config_path, funcdef_no=1, decl_uid=1897,
cgraph_uid=1, symbol_order=1)

c.c:13: __builtin_snprintf: objsize = 4294967295, fmtstr = "abc"
  Directive 1 at offset 0: "abc", length = 3
Result: 3, 3, 3, 3 (3, 3, 3, 3)
  Directive 2 at offset 3: "", length = 1
  Substituting 3 for return value.

c.c: In function ‘get_config_path’:
c.c:20:2: warning: null destination pointer [-Wformat-truncation=]
  __builtin_snprintf (pbuf, bufsize, "def");
  ^
c.c:20: __builtin_snprintf: objsize = 4294967295, fmtstr = "def"
  Directive 1 at offset 0: "def", length = 3
Result: 3, 3, 3, 3 (3, 3, 3, 3)
  Directive 2 at offset 3: "", length = 1
  Substituting 3 for return value.

get_config_path (char * default_path, char * pbuf, unsigned int bufsize)
{
  long unsigned int _1;
  char * _2;
  char _10;
  char _11;
  char _12;

   [local count: 1073741825]:
  if (default_path_4(D) != 0B)
goto ; [70.00%]
  else
goto ; [30.00%]

   [local count: 751619277]:
  _10 = *default_path_4(D);
  if (_10 != 0)
goto ; [34.00%]
  else
goto ; [66.00%]

   [local count: 818191271]:
  _1 = (long unsigned int) bufsize_6(D);
  __builtin_snprintf (pbuf_7(D), _1, "abc");
  if (pbuf_7(D) != 0B)
goto ; [70.00%]
  else
goto ; [30.00%]

   [local count: 572733889]:
  _11 = *pbuf_7(D);
  if (_11 != 0)
goto ; [34.00%]
  else
goto ; [66.00%]

   [local count: 560844966]:

   [local count: 1073741823]:
  # _2 = PHI <0B(9), default_path_4(D)(3), pbuf_7(D)(6), 0B(8)>
  return _2;

   [local count: 436423223]:
  __builtin_snprintf (pbuf_7(D), _1, "def");
  _12 = *pbuf_7(D);
  if (_12 != 0)
goto ; [83.89%]
  else
goto ; [16.11%]

   [local count: 187038523]:
  __builtin_snprintf (0B, _1, "def");
  goto ; [100.00%]

}
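
The pattern discussed in comments #2 and #3, as an added example that is not part of the thread and not the reporter's attached code: a constructed function with the same call sequence as the dump, beside a variant that validates the destination once at entry and checks the snprintf return value. The body of check_path() and the names get_config_path_warned, get_config_path_checked and fits are assumptions made for illustration.

```c
#include <stdio.h>

/* NULL-tolerant helper, as check_path() is described in the thread (assumed body). */
static char *check_path(char *p)
{
    return (p && *p) ? p : NULL;
}

/* Constructed shape matching the dump: once check_path() is inlined, its !p
 * branch leads to a copy of the second snprintf call with a null destination. */
char *get_config_path_warned(char *default_path, char *pbuf, unsigned bufsize)
{
    char *r;
    if ((r = check_path(default_path)))
        return r;
    snprintf(pbuf, bufsize, "abc");
    if ((r = check_path(pbuf)))      /* tells GCC pbuf may be null ... */
        return r;
    snprintf(pbuf, bufsize, "def");  /* ... so this call is diagnosed */
    return check_path(pbuf);
}

/* True when snprintf produced non-empty output that fit in the buffer. */
static int fits(int n, unsigned bufsize)
{
    return n > 0 && (unsigned)n < bufsize;
}

/* Same fallback order, with the destination validated once at entry so no
 * path reaches snprintf with a null pointer, and truncation is rejected. */
char *get_config_path_checked(char *default_path, char *pbuf, unsigned bufsize)
{
    if (default_path && *default_path)
        return default_path;
    if (pbuf == NULL || bufsize == 0)
        return NULL;
    if (fits(snprintf(pbuf, bufsize, "abc"), bufsize))
        return pbuf;
    if (fits(snprintf(pbuf, bufsize, "def"), bufsize))
        return pbuf;
    return NULL;
}

int main(void)
{
    char buf[8];
    puts(get_config_path_checked(NULL, buf, sizeof buf) ? buf : "(none)");
    return 0;
}
```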

[Bug c/83139] error: null destination pointer [-Werror=format-truncation=] for second call with same destination pointer

2017-11-24 Thread j...@jak-linux.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83139

--- Comment #2 from Julian Andres Klode  ---
Apparently, this is because check_path() is being inlined and checks that the
argument is NULL. Then when it sees the second use of pbuf, it considers it
possible that it is NULL.

I'm not sure it's really a bug. It depends on whether it would do the same if
check_path() were used elsewhere where the !pbuf check is actually important.

[Bug c/83139] error: null destination pointer [-Werror=format-truncation=] for second call with same destination pointer

2017-11-24 Thread j...@jak-linux.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83139

--- Comment #1 from Julian Andres Klode  ---
Created attachment 42702
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=42702&action=edit
generated .i file