From patchwork Wed Aug 28 15:32:35 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Zack Weinberg <zackw@panix.com>
X-Patchwork-Id: 34312
Received: (qmail 73881 invoked by alias); 28 Aug 2019 15:47:47 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 73868 invoked by uid 89); 28 Aug 2019 15:47:47 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-18.3 required=5.0 tests=AWL, BAYES_00,
	GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_SHORT,
	SPF_HELO_PASS,
	SPF_PASS autolearn=ham version=3.3.1 spammy=commentary, Loss
X-HELO: l2mail1.panix.com
From: Zack Weinberg <zackw@panix.com>
To: libc-alpha@sourceware.org
Cc: Joseph Myers <joseph@codesourcery.com>,
	Florian Weimer <fweimer@redhat.com>, Lukasz Majewski <lukma@denx.de>,
	Alistair Francis <alistair23@gmail.com>,
	Stepan Golosunov <stepan@golosunov.pp.ru>, Arnd Bergmann <arnd@arndb.de>,
	Adhemerval Zanella <adhemerval.zanella@linaro.org>,
	Samuel Thibault <samuel.thibault@ens-lyon.org>
Subject: [PATCH v2 09/10] Warn when gettimeofday is called with non-null tzp
	argument.
Date: Wed, 28 Aug 2019 11:32:35 -0400
Message-Id: <20190828153236.18229-10-zackw@panix.com>
In-Reply-To: <20190828153236.18229-1-zackw@panix.com>
References: <20190828153236.18229-1-zackw@panix.com>
MIME-Version: 1.0

Since there are no known uses of gettimeofday's vestigial "get time
zone" feature that are not bugs, add a fortify-style wrapper inline to
sys/time.h that issues a warning whenever gettimeofday is called with
a second argument that is not a compile-time null pointer
constant.

At present this is only possible with GCC; clang does not implement
attribute((warning)).  The wrapper is only activated when __OPTIMIZE__
is defined because it throws false positives when optimization is off,
even though it's an always-inline function.

An oversight in the implementation of __builtin_constant_p causes it
to fail to detect compile-time *pointer* constants unless they are
cast to an integer of a different size.  (Loss of data in this cast is
harmless; the overall expression is still constant if and only if the
original pointer was.)  This is GCC bug 95514.  Thanks to
Kamil Cukrowski <kamilcukrowski@gmail.com> for the workaround.
As a precaution, I added a static assertion to debug/warning-nop.c to
make sure that the cast _is_ casting to an integer of a different
size; this is too unlikely a scenario to be worth checking in the
public header, but if someone ever adds a port where short is the
same size as intptr_t, we'll still catch it.

Also make the public prototype of gettimeofday declare its second
argument with type "void *" unconditionally, consistent with POSIX.

	* time/sys/time.h (__timezone_ptr_t): Delete.
	(gettimeofday): Always declare second argument with type "void *".
	When possible, wrap with a fortify-style inline function that
	detects non-null or non-constant second argument and issues a
	warning.  Improve commentary.
	(settimeofday): Improve commentary.

	* time/gettimeofday.c (gettimeofday): Declare second argument with
	type "void *".
	* debug/warning-nop.c: Include sys/time.h and stdint.h.
	Add static_assert to verify the requirements of the workaround
	for GCC bug 95514.
---
 debug/warning-nop.c |  9 +++++++++
 time/gettimeofday.c |  4 ++--
 time/sys/time.h     | 47 ++++++++++++++++++++++++++++++++++-----------
 3 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/debug/warning-nop.c b/debug/warning-nop.c
index 8eeea396c3..3eab53b78f 100644
--- a/debug/warning-nop.c
+++ b/debug/warning-nop.c
@@ -67,4 +67,13 @@ nop (void)
 #define __builtin___strncpy_chk(dest, src, len, bos) NULL
 #define __builtin_object_size(bos, level) 0
 
+/* The code in sys/time.h that uses __warndecl has to work around GCC
+    bug 91554.  The work-around is only effective if intptr_t is not
+    the same size as short.  */
+#include <stdint.h>
+_Static_assert (sizeof (intptr_t) != sizeof (short),
+                "workaround for GCC bug 91554 in sys/time.h"
+                " is only effective when short is smaller than a pointer");
+
 #include <string.h>
+#include <sys/time.h>
diff --git a/time/gettimeofday.c b/time/gettimeofday.c
index c4f642631f..5bc91fc214 100644
--- a/time/gettimeofday.c
+++ b/time/gettimeofday.c
@@ -23,10 +23,10 @@
    If *TZ is not NULL, clear it.
    Returns 0 on success, -1 on errors.  */
 int
-___gettimeofday (struct timeval *tv, struct timezone *tz)
+___gettimeofday (struct timeval *restrict tv, void *restrict tz)
 {
   if (__glibc_unlikely (tz != 0))
-    memset (tz, 0, sizeof *tz);
+    memset (tz, 0, sizeof (struct timezone));
 
   struct timespec ts;
   if (__clock_gettime (CLOCK_REALTIME, &ts))
diff --git a/time/sys/time.h b/time/sys/time.h
index 5dbc7fc627..a4e7fd20d1 100644
--- a/time/sys/time.h
+++ b/time/sys/time.h
@@ -54,23 +54,48 @@ struct timezone
     int tz_minuteswest;		/* Minutes west of GMT.  */
     int tz_dsttime;		/* Nonzero if DST is ever in effect.  */
   };
-
-typedef struct timezone *__restrict __timezone_ptr_t;
-#else
-typedef void *__restrict __timezone_ptr_t;
 #endif
 
-/* Get the current time of day and timezone information,
-   putting it into *TV and *TZ.  If TZ is NULL, *TZ is not filled.
-   Returns 0 on success, -1 on errors.
-   NOTE: This form of timezone information is obsolete.
-   Use the functions and variables declared in <time.h> instead.  */
+/* Get the current time of day, putting it into *TV.
+   If TZ is not null, *TZ must be a struct timezone, and both fields
+   will be set to zero.
+   Calling this function with a non-null TZ is obsolete;
+   use localtime etc. instead.
+   This function itself is semi-obsolete;
+   most callers should use time or clock_gettime instead. */
 extern int gettimeofday (struct timeval *__restrict __tv,
-			 __timezone_ptr_t __tz) __THROW __nonnull ((1));
+			 void *__restrict __tz) __THROW __nonnull ((1));
+
+#if __GNUC_PREREQ (4,3) && defined __REDIRECT && defined __OPTIMIZE__
+/* Issue a warning for use of gettimeofday with a non-null __tz argument.  */
+__warndecl (__warn_gettimeofday_nonnull_timezone,
+            "gettimeofday with non-null or non-constant timezone parameter;"
+            " this is obsolete and inaccurate, use localtime instead");
+
+extern int __REDIRECT_NTH (__gettimeofday_alias,
+                           (struct timeval *__restrict __tv,
+                            void *__restrict __tz), gettimeofday)
+  __nonnull ((1));
+
+/* The double cast below works around a limitation in __builtin_constant_p
+   in all released versions of GCC (as of August 2019).
+   See <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91554>.  */
+__fortify_function int
+__NTH (gettimeofday (struct timeval *__restrict __tv, void *__restrict __tz))
+{
+  if (! (__builtin_constant_p ((short) (__intptr_t) __tz) && __tz == 0))
+    __warn_gettimeofday_nonnull_timezone ();
+
+  return __gettimeofday_alias (__tv, __tz);
+}
+#endif
 
 #ifdef __USE_MISC
 /* Set the current time of day and timezone information.
-   This call is restricted to the super-user.  */
+   This call is restricted to the super-user.
+   Setting the timezone in this way is obsolete, but we don't yet
+   warn about it because it still has some uses for which there is
+   no alternative.  */
 extern int settimeofday (const struct timeval *__tv,
 			 const struct timezone *__tz)
      __THROW;