RFR(S): 8252407: Build failure with gcc-8+ and asan
Kim Barrett
kim.barrett at oracle.com
Wed Sep 2 07:56:06 UTC 2020
> On Sep 2, 2020, at 3:19 AM, Florian Weimer <fweimer at redhat.com> wrote:
>
> * Magnus Ihse Bursie:
>
>> Maybe we should have a common library for all native code where we
>> supply our own string operation functions? It will then be much easier
>> to make sure the implementation passes different compiler versions,
>> and that we provide sane semantics (which isn't really the case with
>> the original C library functions; hence all this warning churning).
>
> When I looked at this (sorry that I never sent a patch), pretty much all
> uses of strncpy were actually bugs: The code should check the actual
> string length using strlen, report an error if it would be truncated,
> and then use memcpy with the length already computed, plus one.
>
> In other words, the strncpy warnings are correct, and there is only
> churn in the sense that GCC gets smarter at discovering bugs.
Having been involved in reviews of a lot of these warnings, I think that’s
seriously overstating the cases where there have been actual bugs. There
have been some actual bugs found, but there have been a lot of definite
false positives. Particularly from -Wstringop-truncation.
More information about the net-dev
mailing list