
[perl #117893] -Wformat-security issues in blead

From: Dominic Hargreaves
Date: May 6, 2013 16:22
Subject: [perl #117893] -Wformat-security issues in blead
Message ID: rt-3.6.HEAD-28177-1367857360-1919.117893-75-0@perl.org
# New Ticket Created by  Dominic Hargreaves 
# Please include the string:  [perl #117893]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org:443/rt3/Ticket/Display.html?id=117893 >



This is a bug report for perl from dom@earth.li,
generated with the help of perlbug 1.39 running under perl 5.14.2.


-----------------------------------------------------------------
When preparing test Debian packages of perl 5.7.11, I noticed that
there are several incidents of this warning triggered by gcc. Note
that Debian builds with -Werror=format-security by default, making this
into a build failure.

git clean -dfx && sh Configure -des -Dusedevel -Accflags="-Wformat -Werror=format-security" && make miniperl

`sh  cflags "optimize='-O2'" pp.o`  pp.c
          CCCMD =  cc -DPERL_CORE -c -Wformat -Werror=format-security -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64  -std=c89 -O2 -Wall -ansi -W -Wextra -Wdeclaration-after-statement -Wendif-labels -Wc++-compat -Wwrite-strings
pp.c: In function ‘Perl_pp_repeat’:
pp.c:1657:5: error: format not a string literal and no format arguments [-Werror=format-security]
pp.c:1715:8: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors
make: *** [pp.o] Error 1

Bisecting results in:

~/working/perl/Porting/bisect.pl --start v5.16.3 --force-manifest --target=config.sh -Accflags="-Wformat -Werror=format-security" make miniperl
[...]
a1894d81735066945ef520af52cc180d1e0dfb10 is the first bad commit
commit a1894d81735066945ef520af52cc180d1e0dfb10
Author: Karl Williamson <public@khwilliamson.com>
Date:   Thu Dec 6 22:42:18 2012 -0700

    Silence some g++ compiler warnings

    Changing these slightly got rid of the warnings like:
    toke.c:9168: warning: format not a string literal and no format arguments

The implication of the commit message is that the warnings are being
fixed, but this commit is indeed the one introducing the problem
for toke.c.

Note that in current blead, toke.c is okay, so this commit may not
directly be all that exciting.

This is a regression compared to 5.16, so it would be good if it could
be fixed, but I'm not sufficiently familiar with the codebase to know
where to start.

Sorry for the delay in reporting this.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=high
---
Site configuration information for perl 5.14.2:

Configured by Debian Project at Fri Apr 12 09:56:36 UTC 2013.

Summary of my perl5 (revision 5 version 14 subversion 2) configuration:
   
  Platform:
    osname=linux, osvers=2.6.32-5-686-bigmem, archname=i486-linux-gnu-thread-multi-64int
    uname='linux murphy 2.6.32-5-686-bigmem #1 smp mon feb 25 01:53:47 utc 2013 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.14 -Darchlib=/usr/lib/perl/5.14 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.14.2 -Dsitearch=/usr/local/lib/perl/5.14.2 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.14.2 -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fstack-protector -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fstack-protector -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.7.2', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/i386-linux-gnu /lib/../lib /usr/lib/i386-linux-gnu /usr/lib/../lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=, so=so, useshrplib=true, libperl=libperl.so.5.14.2
    gnulibc_version='2.13'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib -fstack-protector'

Locally applied patches:
    

---
@INC for perl 5.14.2:
    /etc/perl
    /usr/local/lib/perl/5.14.2
    /usr/local/share/perl/5.14.2
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.14
    /usr/share/perl/5.14
    /usr/local/lib/site_perl
    .

---
Environment for perl 5.14.2:
    HOME=/home/dom
    LANG=en_GB.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=~/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash

