[Bug c/83139] error: null destination pointer [-Werror=format-truncation=] for second call with same destination pointer

msebor at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Mon Nov 27 21:39:00 GMT 2017


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83139

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |diagnostic
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |msebor at gcc dot gnu.org
         Resolution|---                         |INVALID

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
A reduced test case showing the IL the checker sees is below.  Your analysis is
correct.  The checker determines that the call to snprintf takes place when the
destination pointer is null and so issues a warning.  The call can also be made
when the destination pointer isn't null, so arguably the checker could walk up
the CFG to try to distinguish these two cases and issue a "destination pointer
may be null" kind of a warning to make it clear that the call may but need not
be safe.  But I think the warning is useful regardless of how it's phrased so
I'll go ahead and resolve this report as invalid.

$ cat c.c && gcc -O2 -S -Wall -fdump-tree-printf-return-value=/dev/stdout c.c
 /ssd/build/gcc-svn/gcc/xgcc -B /ssd/build/gcc-svn/gcc -O2 -S -Wall
-fdump-tree-printf-return-value=/dev/stdout c.c

;; Function get_config_path (get_config_path, funcdef_no=1, decl_uid=1897,
cgraph_uid=1, symbol_order=1)

c.c:13: __builtin_snprintf: objsize = 4294967295, fmtstr = "abc"
  Directive 1 at offset 0: "abc", length = 3
    Result: 3, 3, 3, 3 (3, 3, 3, 3)
  Directive 2 at offset 3: "", length = 1
  Substituting 3 for return value.

c.c: In function ‘get_config_path’:
c.c:20:2: warning: null destination pointer [-Wformat-truncation=]
  __builtin_snprintf (pbuf, bufsize, "def");
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
c.c:20: __builtin_snprintf: objsize = 4294967295, fmtstr = "def"
  Directive 1 at offset 0: "def", length = 3
    Result: 3, 3, 3, 3 (3, 3, 3, 3)
  Directive 2 at offset 3: "", length = 1
  Substituting 3 for return value.

get_config_path (char * default_path, char * pbuf, unsigned int bufsize)
{
  long unsigned int _1;
  char * _2;
  char _10;
  char _11;
  char _12;

  <bb 2> [local count: 1073741825]:
  if (default_path_4(D) != 0B)
    goto <bb 3>; [70.00%]
  else
    goto <bb 4>; [30.00%]

  <bb 3> [local count: 751619277]:
  _10 = *default_path_4(D);
  if (_10 != 0)
    goto <bb 7>; [34.00%]
  else
    goto <bb 4>; [66.00%]

  <bb 4> [local count: 818191271]:
  _1 = (long unsigned int) bufsize_6(D);
  __builtin_snprintf (pbuf_7(D), _1, "abc");
  if (pbuf_7(D) != 0B)
    goto <bb 5>; [70.00%]
  else
    goto <bb 9>; [30.00%]

  <bb 5> [local count: 572733889]:
  _11 = *pbuf_7(D);
  if (_11 != 0)
    goto <bb 6>; [34.00%]
  else
    goto <bb 8>; [66.00%]

  <bb 6> [local count: 560844966]:

  <bb 7> [local count: 1073741823]:
  # _2 = PHI <0B(9), default_path_4(D)(3), pbuf_7(D)(6), 0B(8)>
  return _2;

  <bb 8> [local count: 436423223]:
  __builtin_snprintf (pbuf_7(D), _1, "def");
  _12 = *pbuf_7(D);
  if (_12 != 0)
    goto <bb 6>; [83.89%]
  else
    goto <bb 7>; [16.11%]

  <bb 9> [local count: 187038523]:
  __builtin_snprintf (0B, _1, "def");
  goto <bb 7>; [100.00%]

}
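
An added example, not part of the original message and not the reporter's c.c: a constructed function with the same shape as the IL above (destination written first, tested for null afterwards) beside a variant that validates the destination before any write. The names path_flagged and path_checked are hypothetical, and the truncation check in the second function is an addition that goes beyond the logic in the dump.

```c
#include <stdio.h>
#include <string.h>

/* Constructed shape modelled on the IL in the comment above: pbuf is
   written first and tested for null afterwards. The test tells GCC that
   pbuf can be null, so on the path where it is null the second call
   becomes snprintf(0, ...) and is diagnosed. */
const char *path_flagged(const char *default_path, char *pbuf, unsigned bufsize)
{
    if (default_path && *default_path)
        return default_path;
    snprintf(pbuf, bufsize, "abc");
    if (pbuf && *pbuf)              /* null test after the first write */
        return pbuf;
    snprintf(pbuf, bufsize, "def"); /* reached with pbuf == NULL on one path */
    return *pbuf ? pbuf : NULL;
}

/* Hardened variant: the destination is validated once, before any write.
   No path reaches snprintf with a null pointer, a zero-size buffer is
   rejected, and a truncated result is not returned as a usable path. */
const char *path_checked(const char *default_path, char *pbuf, unsigned bufsize)
{
    if (default_path && *default_path)
        return default_path;
    if (pbuf == NULL || bufsize == 0)
        return NULL;
    int n = snprintf(pbuf, bufsize, "abc");
    if (n > 0 && (unsigned)n < bufsize)   /* fits, not truncated */
        return pbuf;
    n = snprintf(pbuf, bufsize, "def");
    return (n > 0 && (unsigned)n < bufsize) ? pbuf : NULL;
}

int main(void)
{
    char buf[16];
    const char *p = path_checked("", buf, sizeof buf);
    printf("%s\n", p ? p : "(none)");
    return 0;
}
```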

