diff mbox

[v2] Use C99-compliant scanf under _GNU_SOURCE with modern compilers.

Message ID 20180222044152.20029-1-zackw@panix.com
State Superseded
Headers

Commit Message

Zack Weinberg Feb. 22, 2018, 4:41 a.m. UTC 
  The only difference between noncompliant and C99-compliant scanf is
that the former accepts the archaic GNU extension '%as' (also %aS and
%a[...]) meaning to allocate space for the input string with malloc.
This extension conflicts with C99's use of %a as a format _type_
meaning to read a floating-point number; POSIX.1-2008 standardized
equivalent functionality using the modifier letter 'm' instead (%ms,
%mS, %m[...]).

The extension was already disabled in most conformance modes:
specifically, any mode that doesn't involve _GNU_SOURCE and _does_
involve either strict conformance to C99 or loose conformance to both
C99 and POSIX.1-2001 would get the C99-compliant scanf.  With
compilers new enough to use -std=gnu11 instead of -std=gnu89, or
equivalent, that includes the default mode.

This patch tightens things up further: you now get C99-compliant scanf
in all configurations except when _GNU_SOURCE is defined *and*
__STDC_VERSION__ or __cplusplus (whichever is relevant) indicates
C89/C++98.  This leaves the old scanf available under e.g. -std=c89
-D_GNU_SOURCE, but removes it from e.g. -std=gnu11 -D_GNU_SOURCE (it
was already not present under -std=gnu11 without -D_GNU_SOURCE) and
from -std=gnu89 without -D_GNU_SOURCE.

There needs to be an internal override so we can compile the
noncompliant scanf itself.  This is the same problem we had when we
removed 'gets' from _GNU_SOURCE and it's dealt with the same way:
there's a new __GLIBC_USE symbol, DEPRECATED_SCANF, which defaults to
off under the appropriate conditions for external code, but can be
overridden by individual files within stdio.

We also run into problems with PLT bypass, because libc_hidden_proto
uses __REDIRECT and so does the logic in stdio.h for choosing which
implementation of scanf to use; __REDIRECT isn't transitive, so a
couple of files that use sscanf internally have to bridge the gap with
macros.  I'm open to better ideas if anyone has one (N.B. I would
accept "internal code shouldn't call *scanf ever" as a better idea,
but I'm not gonna make that decision unilaterally).  Fortunately,
elf/check-localplt will catch any new internal uses of *scanf that
aren't shimmed.

On a related note, the interaction of the C99/not-C99 scanf redirect
with the __LDBL_COMPAT scanf redirect was complicated, confusing, and
possibly wrong.  I tried to match the intent rather than the letter of
the previous behavior.  I do not have access to physical hardware for
which __LDBL_COMPAT is relevant, so my ability to test it is limited.
Careful review and maybe even some volunteer testing would be
appreciated.

Finally, there are several tests in stdio-common that use the
extension.  bug21 is a regression test for a crash, and still
exercises the relevant code if changed to use %ms instead of %as.
scanf14 through scanf17 are more complicated since they are actually
testing the subtleties of the extension - under what circumstances is
'a' treated as a modifier letter, etc.  My approach here is to
duplicate scanf14.c and scanf16.c; the originals change to use %ms
instead, the copies select precisely the right conformance mode to get
%as with the old GNU meaning, plus everything else they need (it's not
as simple as saying -std=gnu89, unfortunately).  scanf15 and scanf17
become simpler because they no longer need to avoid _GNU_SOURCE, and
all of them no longer need diagnostic overrides.  Yay!

zw

--
	* include/features.h (__GLIBC_USE_DEPRECATED_SCANF): New __GLIBC_USE
        parameter.  Only use deprecated scanf when __USE_GNU is defined
        and __STDC_VERSION__ is less than 199901L or __cplusplus is less
        than 201103L, whichever is relevant for the language being compiled.

	* libio/stdio.h, libio/bits/stdio-ldbl.h: Decide whether or
	not to redirect scanf, fscanf, sscanf, vscanf, vfscanf, and
	vsscanf to their __isoc99_ variants based only on
        __GLIBC_USE(DEPRECATED_SCANF).

	* libio/iovsscanf.c, libio/vscanf.c, stdio-common/fscanf.c
	* stdio-common/scanf.c, stdio-common/vfscanf.c:
	Override __GLIBC_USE_DEPRECATED_SCANF to 1.
	* stdio-common/sscanf.c: Likewise.  Remove ldbl_hidden_def for
	__sscanf.
	* stdio-common/isoc99_sscanf.c: Add libc_hidden_def for __isoc99_sscanf.
        * include/stdio.h: Provide libc_hidden_proto for __isoc99_sscanf,
	not sscanf.

	* misc/mntent_r.c, time/tzset.c: Redirect sscanf to __isoc99_scanf
	with a macro.

	* stdio-common/bug21.c, stdio-common/scanf14.c:
	Use %ms instead of %as, %mS instead of %aS, %m[] instead of %a[];
	remove DIAG_IGNORE_NEEDS_COMMENT for -Wformat.
	* stdio-common/scanf16.c: Likewise.  Add __attribute__((format(scanf)))
	to xscanf, xfscanf, xsscanf.

	* stdio-common/scanf14a.c: New copy of scanf14.c which still uses
	%as, %aS, %a[].  Use conformance mode -std=gnu89,
	_POSIX_C_SOURCE=199506L, _XOPEN_SOURCE=1, _XOPEN_SOURCE_EXTENDED=1,
	which will use the nonconformant scanf implementation.
	Remove DIAG_IGNORE_NEEDS_COMMENT for -Wformat.
	* stdio-common/scanf16a.c: New copy of scanf16.c which still uses
	%as, %aS, %a[].  Use conformance mode -std=gnu89,
	_POSIX_C_SOURCE=199506L, _XOPEN_SOURCE=1, _XOPEN_SOURCE_EXTENDED=1,
	_ISOC99_SOURCE=1, which will use the nonconformant scanf
	implementation.  Add __attribute__((format(scanf))) to xscanf,
	xfscanf, xsscanf.

	* stdio-common/scanf15.c, stdio-common/scanf17.c: No need to
	override feature selection macros or provide definitions of u_char etc.
	* stdio-common/Makefile (tests): Add scanf14a and scanf16a.
	(CFLAGS-scanf15.c, CFLAGS-scanf17.c): Remove.
	(CFLAGS-scanf14a.c, CFLAGS-scanf16a.c): New.
---
 NEWS                         |  17 +++++
 include/features.h           |  22 ++++++
 include/stdio.h              |   2 +-
 libio/bits/stdio-ldbl.h      |   7 +-
 libio/iovsscanf.c            |   5 ++
 libio/stdio.h                |  22 +++---
 libio/vscanf.c               |   5 ++
 misc/mntent_r.c              |   4 ++
 stdio-common/Makefile        |  13 ++--
 stdio-common/bug21.c         |  11 +--
 stdio-common/fscanf.c        |   5 ++
 stdio-common/isoc99_sscanf.c |   1 +
 stdio-common/scanf.c         |   5 ++
 stdio-common/scanf14.c       |  35 +++-------
 stdio-common/scanf14a.c      | 126 ++++++++++++++++++++++++++++++++++
 stdio-common/scanf15.c       |  14 ++--
 stdio-common/scanf16.c       |  20 +++---
 stdio-common/scanf16a.c      | 156 +++++++++++++++++++++++++++++++++++++++++++
 stdio-common/scanf17.c       |  14 ++--
 stdio-common/sscanf.c        |   6 +-
 stdio-common/vfscanf.c       |   5 ++
 time/tzset.c                 |   4 ++
 22 files changed, 407 insertions(+), 92 deletions(-)
 create mode 100644 stdio-common/scanf14a.c
 create mode 100644 stdio-common/scanf16a.c

Comments

Andreas Schwab Feb. 22, 2018, 9:41 a.m. UTC | #1 
I'm getting this failure on powerpc (all variants):

powerpc64-linux-gcc ../sysdeps/ieee754/ldbl-opt/nldbl-sscanf.c -c -std=gnu11 -fgnu89-inline  -O2 -Wall -Werror -Wundef -Wwrite-strings -fmerge-all-constants -fno-stack-protector -frounding-math -g -Wstrict-prototypes -Wold-style-definition -mlong-double-128   -fPIC        -D__NO_MATH_INLINES -D__LIBC_INTERNAL_MATH_INLINES -I../include -I/suse/schwab/src/libc/c-ppc64/math  -I/suse/schwab/src/libc/c-ppc64  -I../sysdeps/unix/sysv/linux/powerpc/powerpc64/fpu  -I../sysdeps/unix/sysv/linux/powerpc/powerpc64  -I../sysdeps/unix/sysv/linux/wordsize-64  -I../sysdeps/unix/sysv/linux/powerpc  -I../sysdeps/powerpc/nptl  -I../sysdeps/unix/sysv/linux/include -I../sysdeps/unix/sysv/linux  -I../sysdeps/nptl  -I../sysdeps/pthread  -I../sysdeps/gnu  -I../sysdeps/unix/inet  -I../sysdeps/unix/sysv  -I../sysdeps/unix/powerpc  -I../sysdeps/unix  -I../sysdeps/posix  -I../sysdeps/powerpc/powerpc64/fpu/multiarch  -I../sysdeps/powerpc/powerpc64/fpu  -I../sysdeps/powerpc/powerpc64/multiarch  -I../sysdeps/powerpc/powerpc64  -I../sysdeps/wordsize-64  -I../sysdeps/powerpc/fpu  -I../sysdeps/powerpc  -I../sysdeps/ieee754/ldbl-128ibm/include -I../sysdeps/ieee754/ldbl-128ibm  -I../sysdeps/ieee754/ldbl-opt  -I../sysdeps/ieee754/dbl-64  -I../sysdeps/ieee754/flt-32  -I../sysdeps/ieee754  -I../sysdeps/generic  -I.. -I../libio -I.   -D_LIBC_REENTRANT -include /suse/schwab/src/libc/c-ppc64/libc-modules.h -DMODULE_NAME=libnldbl -include ../include/libc-symbols.h   -DPIC -DLIBC_NONSHARED=1     -DTOP_NAMESPACE=glibc -o /suse/schwab/src/libc/c-ppc64/math/nldbl-sscanf.oS -MD -MP -MF /suse/schwab/src/libc/c-ppc64/math/nldbl-sscanf.oS.dt -MT /suse/schwab/src/libc/c-ppc64/math/nldbl-sscanf.oS
In file included from <command-line>:0:0:
../sysdeps/ieee754/ldbl-opt/nldbl-sscanf.c:17:23: error: ‘_IO_sscanf’ aliased to undefined symbol ‘sscanf’
 strong_alias (sscanf, _IO_sscanf)
                       ^
./../include/libc-symbols.h:135:26: note: in definition of macro ‘_strong_alias’
   extern __typeof (name) aliasname __attribute__ ((alias (#name)));
                          ^~~~~~~~~
../sysdeps/ieee754/ldbl-opt/nldbl-sscanf.c:17:1: note: in expansion of macro ‘strong_alias’
 strong_alias (sscanf, _IO_sscanf)
 ^~~~~~~~~~~~
/suse/schwab/src/libc/c-ppc64/sysd-rules:781: recipe for target '/suse/schwab/src/libc/c-ppc64/math/nldbl-sscanf.oS' failed

Andreas.
Joseph Myers Feb. 22, 2018, 1:42 p.m. UTC | #2 
On Thu, 22 Feb 2018, Zack Weinberg wrote:

> On a related note, the interaction of the C99/not-C99 scanf redirect
> with the __LDBL_COMPAT scanf redirect was complicated, confusing, and
> possibly wrong.  I tried to match the intent rather than the letter of
> the previous behavior.  I do not have access to physical hardware for
> which __LDBL_COMPAT is relevant, so my ability to test it is limited.
> Careful review and maybe even some volunteer testing would be
> appreciated.

According to <https://gcc.gnu.org/wiki/CompileFarm> there are powerpc64 
systems (both BE and LE - -mlong-double-64 is supported for both of those) 
running CentOS 7 in the GCC Compile Farm, which should be suitable for 
glibc testing.  (Note that the glibc testsuite has essentially no coverage 
for -mlong-double-64 at present.)
diff mbox

Patch

diff --git a/NEWS b/NEWS
index 60dd2f778d..fc2d9ff02a 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,23 @@  Deprecated and removed features, and other changes affecting compatibility:
    investigate using (f)getc_unlocked and (f)putc_unlocked, and, if
    necessary, flockfile and funlockfile.
 
+ * An archaic GNU extension to scanf, under which '%as', '%aS', and '%a[...]'
+   meant to scan a string and allocate space for it with malloc, is now
+   restricted to programs compiled in C89 mode, with _GNU_SOURCE defined.
+   It was formerly available to programs compiled as C99 or higher that
+   defined _GNU_SOURCE, and to programs compiled as C89 whether or not
+   they defined _GNU_SOURCE.
+
+   We are phasing this extension out because it conflicts with C99's use of
+   '%a' for floating-point numbers.  POSIX.1-2008 includes the feature of
+   allocating a buffer for string input with malloc, using the modifier
+   letter 'm' instead.  Programs using '%as', '%aS', or '%a[...]' with the
+   old GNU meaning should change to '%ms', '%mS', or '%m[...]' respectively.
+
+   GCC's -Wformat warnings can detect most uses of this extension, as long
+   as all functions that call vscanf, vfscanf, or vsscanf are annotated with
+   __attribute__ ((format (scanf, ...))).
+
  * The macros 'major', 'minor', and 'makedev' are now only available from
    the header <sys/sysmacros.h>; not from <sys/types.h> or various other
    headers that happen to include <sys/types.h>.  These macros are rarely
diff --git a/include/features.h b/include/features.h
index d22c32eee6..4ff75495c4 100644
--- a/include/features.h
+++ b/include/features.h
@@ -140,6 +140,7 @@ 
 #undef	__USE_FORTIFY_LEVEL
 #undef	__KERNEL_STRICT_NAMES
 #undef	__GLIBC_USE_DEPRECATED_GETS
+#undef	__GLIBC_USE_DEPRECATED_SCANF
 
 /* Suppress kernel-name space pollution unless user expressedly asks
    for it.  */
@@ -401,6 +402,27 @@ 
 # define __GLIBC_USE_DEPRECATED_GETS 1
 #endif
 
+/* GNU formerly extended the scanf functions with modified format
+   specifiers %as, %aS, and %a[...] that allocate a buffer for the
+   input using malloc.  This extension conflicts with ISO C99, which
+   defines %a as a standalone format specifier that reads a floating-
+   point number; moreover, POSIX.1-2008 provides the same feature
+   using the modifier letter 'm' instead (%ms, %mS, %m[...]).
+
+   We now follow C99 unless GNU extensions are active and the compiler
+   is specifically in C89 or C++98 mode (strict or not).  For
+   instance, with GCC, -std=gnu11 will have C99-compliant scanf with
+   or without -D_GNU_SOURCE, but -std=c89 -D_GNU_SOURCE will have the
+   old extension.  */
+#if defined __USE_GNU &&						\
+  (defined __cplusplus							\
+   ? (__cplusplus < 201103L && !defined __GXX_EXPERIMENTAL_CXX0X__)	\
+   : (!defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L))
+# define __GLIBC_USE_DEPRECATED_SCANF 1
+#else
+# define __GLIBC_USE_DEPRECATED_SCANF 0
+#endif
+
 /* Get definitions of __STDC_* predefined macros, if the compiler has
    not preincluded this header automatically.  */
 #include <stdc-predef.h>
diff --git a/include/stdio.h b/include/stdio.h
index f140813ad6..9f37ef0194 100644
--- a/include/stdio.h
+++ b/include/stdio.h
@@ -67,6 +67,7 @@  extern int __isoc99_vscanf (const char *__restrict __format,
 extern int __isoc99_vsscanf (const char *__restrict __s,
 			     const char *__restrict __format,
 			     __gnuc_va_list __arg) __THROW;
+libc_hidden_proto (__isoc99_sscanf)
 libc_hidden_proto (__isoc99_vsscanf)
 libc_hidden_proto (__isoc99_vfscanf)
 
@@ -158,7 +159,6 @@  libc_hidden_proto (__dprintf)
 libc_hidden_proto (fprintf)
 libc_hidden_proto (vfprintf)
 libc_hidden_proto (sprintf)
-libc_hidden_proto (sscanf)
 libc_hidden_proto (fwrite)
 libc_hidden_proto (perror)
 libc_hidden_proto (remove)
diff --git a/libio/bits/stdio-ldbl.h b/libio/bits/stdio-ldbl.h
index 99d9bcc233..dfcbe5375a 100644
--- a/libio/bits/stdio-ldbl.h
+++ b/libio/bits/stdio-ldbl.h
@@ -26,9 +26,7 @@  __LDBL_REDIR_DECL (sprintf)
 __LDBL_REDIR_DECL (vfprintf)
 __LDBL_REDIR_DECL (vprintf)
 __LDBL_REDIR_DECL (vsprintf)
-#if defined __USE_ISOC99 && !defined __USE_GNU \
-    && !defined __REDIRECT \
-    && (defined __STRICT_ANSI__ || defined __USE_XOPEN2K)
+#if !__GLIBC_USE (DEPRECATED_SCANF)
 __LDBL_REDIR1_DECL (fscanf, __nldbl___isoc99_fscanf)
 __LDBL_REDIR1_DECL (scanf, __nldbl___isoc99_scanf)
 __LDBL_REDIR1_DECL (sscanf, __nldbl___isoc99_sscanf)
@@ -44,8 +42,7 @@  __LDBL_REDIR_DECL (vsnprintf)
 #endif
 
 #ifdef	__USE_ISOC99
-# if !defined __USE_GNU && !defined __REDIRECT \
-     && (defined __STRICT_ANSI__ || defined __USE_XOPEN2K)
+# if !__GLIBC_USE (DEPRECATED_SCANF)
 __LDBL_REDIR1_DECL (vfscanf, __nldbl___isoc99_vfscanf)
 __LDBL_REDIR1_DECL (vscanf, __nldbl___isoc99_vscanf)
 __LDBL_REDIR1_DECL (vsscanf, __nldbl___isoc99_vsscanf)
diff --git a/libio/iovsscanf.c b/libio/iovsscanf.c
index e56ab8bd7d..e80bc91110 100644
--- a/libio/iovsscanf.c
+++ b/libio/iovsscanf.c
@@ -24,6 +24,11 @@ 
    This exception applies to code released by its copyright holders
    in files containing the exception.  */
 
+/* This file defines one of the deprecated scanf variants.  */
+#include <features.h>
+#undef __GLIBC_USE_DEPRECATED_SCANF
+#define __GLIBC_USE_DEPRECATED_SCANF 1
+
 #include "libioP.h"
 #include "strfile.h"
 
diff --git a/libio/stdio.h b/libio/stdio.h
index 731f8e56f4..da6b2825bc 100644
--- a/libio/stdio.h
+++ b/libio/stdio.h
@@ -387,13 +387,11 @@  extern int scanf (const char *__restrict __format, ...) __wur;
 extern int sscanf (const char *__restrict __s,
 		   const char *__restrict __format, ...) __THROW;
 
-#if defined __USE_ISOC99 && !defined __USE_GNU \
-    && (!defined __LDBL_COMPAT || !defined __REDIRECT) \
-    && (defined __STRICT_ANSI__ || defined __USE_XOPEN2K)
+/* For historical reasons, the C99-compliant versions of the scanf
+   functions are at alternative names.  When __LDBL_COMPAT is in
+   effect, this is handled in bits/stdio-ldbl.h.  */
+#if !__GLIBC_USE (DEPRECATED_SCANF) && !defined __LDBL_COMPAT
 # ifdef __REDIRECT
-/* For strict ISO C99 or POSIX compliance disallow %as, %aS and %a[
-   GNU extension which conflicts with valid %a followed by letter
-   s, S or [.  */
 extern int __REDIRECT (fscanf, (FILE *__restrict __stream,
 				const char *__restrict __format, ...),
 		       __isoc99_fscanf) __wur;
@@ -435,13 +433,9 @@  extern int vsscanf (const char *__restrict __s,
 		    const char *__restrict __format, __gnuc_va_list __arg)
      __THROW __attribute__ ((__format__ (__scanf__, 2, 0)));
 
-# if !defined __USE_GNU \
-     && (!defined __LDBL_COMPAT || !defined __REDIRECT) \
-     && (defined __STRICT_ANSI__ || defined __USE_XOPEN2K)
-#  ifdef __REDIRECT
-/* For strict ISO C99 or POSIX compliance disallow %as, %aS and %a[
-   GNU extension which conflicts with valid %a followed by letter
-   s, S or [.  */
+/* Same redirection as above for the v*scanf family.  */
+# if !__GLIBC_USE (DEPRECATED_SCANF)
+#  if defined __REDIRECT && !defined __LDBL_COMPAT
 extern int __REDIRECT (vfscanf,
 		       (FILE *__restrict __s,
 			const char *__restrict __format, __gnuc_va_list __arg),
@@ -455,7 +449,7 @@  extern int __REDIRECT_NTH (vsscanf,
 			    const char *__restrict __format,
 			    __gnuc_va_list __arg), __isoc99_vsscanf)
      __attribute__ ((__format__ (__scanf__, 2, 0)));
-#  else
+#  elif !defined __REDIRECT
 extern int __isoc99_vfscanf (FILE *__restrict __s,
 			     const char *__restrict __format,
 			     __gnuc_va_list __arg) __wur;
diff --git a/libio/vscanf.c b/libio/vscanf.c
index 9c27122c27..0f9b4c597a 100644
--- a/libio/vscanf.c
+++ b/libio/vscanf.c
@@ -24,6 +24,11 @@ 
    This exception applies to code released by its copyright holders
    in files containing the exception.  */
 
+/* This file defines one of the deprecated scanf variants.  */
+#include <features.h>
+#undef __GLIBC_USE_DEPRECATED_SCANF
+#define __GLIBC_USE_DEPRECATED_SCANF 1
+
 #include "libioP.h"
 #include "stdio.h"
 
diff --git a/misc/mntent_r.c b/misc/mntent_r.c
index 7a82658654..4e1a56620a 100644
--- a/misc/mntent_r.c
+++ b/misc/mntent_r.c
@@ -26,6 +26,10 @@ 
 #define flockfile(s) _IO_flockfile (s)
 #define funlockfile(s) _IO_funlockfile (s)
 
+/* __REDIRECT isn't transitive.  */
+#undef sscanf
+#define sscanf __isoc99_sscanf
+
 #undef __setmntent
 #undef __endmntent
 #undef __getmntent_r
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index 9dfc115313..6b7f0172f0 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -61,6 +61,7 @@  tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
 	 tst-printf-bz18872 tst-vfprintf-width-prec tst-fmemopen4 \
 	 tst-vfprintf-user-type \
 	 tst-vfprintf-mbs-prec \
+	 scanf14a scanf16a
 
 test-srcs = tst-unbputc tst-printf
 
@@ -136,13 +137,11 @@  CFLAGS-isoc99_scanf.c += -fexceptions
 CFLAGS-errlist.c += $(fno-unit-at-a-time)
 CFLAGS-siglist.c += $(fno-unit-at-a-time)
 
-# The following is a hack since we must compile scanf1{5,7}.c without any
-# GNU extension.  The latter are needed, though, when internal headers
-# are used.  So made sure we see the installed headers first.
-CFLAGS-scanf15.c += -I../libio -I../stdlib -I../wcsmbs -I../time -I../string \
-		   -I../wctype
-CFLAGS-scanf17.c += -I../libio -I../stdlib -I../wcsmbs -I../time -I../string \
-		   -I../wctype
+# scanf14a.c and scanf16a.c test a deprecated extension which is no
+# longer visible under most conformance levels; see the source files
+# for more detail.
+CFLAGS-scanf14a.c += -std=gnu89
+CFLAGS-scanf16a.c += -std=gnu89
 
 # tst-gets.c tests a deprecated function.
 CFLAGS-tst-gets.c += -Wno-deprecated-declarations
diff --git a/stdio-common/bug21.c b/stdio-common/bug21.c
index 7a8c6a3542..1f06c0dab4 100644
--- a/stdio-common/bug21.c
+++ b/stdio-common/bug21.c
@@ -1,5 +1,4 @@ 
 #include <stdio.h>
-#include <libc-diag.h>
 
 static int
 do_test (void)
@@ -7,15 +6,7 @@  do_test (void)
   static const char buf[] = " ";
   char *str;
 
-  /* GCC in C99 mode treats %a as the C99 format expecting float *,
-     but glibc with _GNU_SOURCE treats %as as the GNU allocation
-     extension, so resulting in "warning: format '%a' expects argument
-     of type 'float *', but argument 3 has type 'char **'".  This
-     applies to the other %as, %aS and %a[] formats below as well.  */
-  DIAG_PUSH_NEEDS_COMMENT;
-  DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wformat");
-  int r = sscanf (buf, "%as", &str);
-  DIAG_POP_NEEDS_COMMENT;
+  int r = sscanf (buf, "%ms", &str);
   printf ("%d %p\n", r, str);
 
   return r != -1 || str != NULL;
diff --git a/stdio-common/fscanf.c b/stdio-common/fscanf.c
index b60a2a3b81..9f2a7cdef9 100644
--- a/stdio-common/fscanf.c
+++ b/stdio-common/fscanf.c
@@ -15,6 +15,11 @@ 
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+/* This file defines one of the deprecated scanf variants.  */
+#include <features.h>
+#undef __GLIBC_USE_DEPRECATED_SCANF
+#define __GLIBC_USE_DEPRECATED_SCANF 1
+
 #include <libioP.h>
 #include <stdarg.h>
 #include <stdio.h>
diff --git a/stdio-common/isoc99_sscanf.c b/stdio-common/isoc99_sscanf.c
index 56a60a2c05..d0f826a13e 100644
--- a/stdio-common/isoc99_sscanf.c
+++ b/stdio-common/isoc99_sscanf.c
@@ -33,3 +33,4 @@  __isoc99_sscanf (const char *s, const char *format, ...)
 
   return done;
 }
+libc_hidden_def (__isoc99_sscanf)
diff --git a/stdio-common/scanf.c b/stdio-common/scanf.c
index e61b5f1ad3..5089e29b6b 100644
--- a/stdio-common/scanf.c
+++ b/stdio-common/scanf.c
@@ -15,6 +15,11 @@ 
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+/* This file defines one of the deprecated scanf variants.  */
+#include <features.h>
+#undef __GLIBC_USE_DEPRECATED_SCANF
+#define __GLIBC_USE_DEPRECATED_SCANF 1
+
 #include <stdarg.h>
 #include <stdio.h>
 
diff --git a/stdio-common/scanf14.c b/stdio-common/scanf14.c
index 2bcd9c9893..22e5f08341 100644
--- a/stdio-common/scanf14.c
+++ b/stdio-common/scanf14.c
@@ -2,7 +2,10 @@ 
 #include <stdlib.h>
 #include <string.h>
 #include <wchar.h>
-#include <libc-diag.h>
+
+#if __GLIBC_USE_DEPRECATED_SCANF
+# error "This file should not be compiled with deprecated scanf"
+#endif
 
 #define FAIL() \
   do {							\
@@ -24,14 +27,7 @@  main (void)
     FAIL ();
   else if (f != 0.25 || memcmp (c, "s x", 3) != 0)
     FAIL ();
-  /* GCC in C99 mode treats %a as the C99 format expecting float *,
-     but glibc with _GNU_SOURCE treats %as as the GNU allocation
-     extension, so resulting in "warning: format '%a' expects argument
-     of type 'float *', but argument 3 has type 'char **'".  This
-     applies to the other %as, %aS and %a[] formats below as well.  */
-  DIAG_PUSH_NEEDS_COMMENT;
-  DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wformat");
-  if (sscanf (" 1.25s x", "%as%2c", &sp, c) != 2)
+  if (sscanf (" 1.25s x", "%ms%2c", &sp, c) != 2)
     FAIL ();
   else
     {
@@ -40,15 +36,11 @@  main (void)
       memset (sp, 'x', sizeof "1.25s");
       free (sp);
     }
-  DIAG_POP_NEEDS_COMMENT;
   if (sscanf (" 2.25s x", "%las%2c", &d, c) != 2)
     FAIL ();
   else if (d != 2.25 || memcmp (c, " x", 2) != 0)
     FAIL ();
-  /* See explanation above.  */
-  DIAG_PUSH_NEEDS_COMMENT;
-  DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wformat");
-  if (sscanf (" 3.25S x", "%4aS%3c", &lsp, c) != 2)
+  if (sscanf (" 3.25S x", "%4mS%3c", &lsp, c) != 2)
     FAIL ();
   else
     {
@@ -57,7 +49,7 @@  main (void)
       memset (lsp, 'x', sizeof L"3.25");
       free (lsp);
     }
-  if (sscanf ("4.25[0-9.] x", "%a[0-9.]%8c", &sp, c) != 2)
+  if (sscanf ("4.25[0-9.] x", "%m[0-9.]%8c", &sp, c) != 2)
     FAIL ();
   else
     {
@@ -66,7 +58,6 @@  main (void)
       memset (sp, 'x', sizeof "4.25");
       free (sp);
     }
-  DIAG_POP_NEEDS_COMMENT;
   if (sscanf ("5.25[0-9.] x", "%la[0-9.]%2c", &d, c) != 2)
     FAIL ();
   else if (d != 5.25 || memcmp (c, " x", 2) != 0)
@@ -95,10 +86,7 @@  main (void)
 	FAIL ();
       if (fseek (fp, 0, SEEK_SET) != 0)
 	FAIL ();
-      /* See explanation above.  */
-      DIAG_PUSH_NEEDS_COMMENT;
-      DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wformat");
-      if (fscanf (fp, "%as%2c", &sp, c) != 2)
+      if (fscanf (fp, "%ms%2c", &sp, c) != 2)
 	FAIL ();
       else
 	{
@@ -107,16 +95,12 @@  main (void)
 	  memset (sp, 'x', sizeof "1.25s");
 	  free (sp);
 	}
-      DIAG_POP_NEEDS_COMMENT;
 
       if (freopen (fname, "r", stdin) == NULL)
 	FAIL ();
       else
 	{
-	  /* See explanation above.  */
-	  DIAG_PUSH_NEEDS_COMMENT;
-	  DIAG_IGNORE_NEEDS_COMMENT (4.9, "-Wformat");
-	  if (scanf ("%as%2c", &sp, c) != 2)
+	  if (scanf ("%ms%2c", &sp, c) != 2)
 	    FAIL ();
 	  else
 	    {
@@ -125,7 +109,6 @@  main (void)
 	      memset (sp, 'x', sizeof "1.25s");
 	      free (sp);
 	    }
-	  DIAG_POP_NEEDS_COMMENT;
 	}
 
       fclose (fp);
diff --git a/stdio-common/scanf14a.c b/stdio-common/scanf14a.c
new file mode 100644
index 0000000000..34099b8fe3
--- /dev/null
+++ b/stdio-common/scanf14a.c
@@ -0,0 +1,126 @@ 
+/* This test exercises the deprecated GNU %as, %aS, and %a[...] scanf
+   modifiers, which are not available to programs compiled as C99
+   anymore; therefore, this file is compiled with -std=gnu89 and C99
+   syntax must not be used.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wchar.h>
+
+#if !__GLIBC_USE_DEPRECATED_SCANF
+# error "This file should be compiled with deprecated scanf"
+#endif
+
+
+#define FAIL() \
+  do {							\
+    result = 1;						\
+    printf ("test at line %d failed\n", __LINE__);	\
+  } while (0)
+
+int
+main (void)
+{
+  wchar_t *lsp;
+  char *sp;
+  float f;
+  double d;
+  char c[8];
+  int result = 0;
+
+  if (sscanf (" 0.25s x", "%e%3c", &f, c) != 2)
+    FAIL ();
+  else if (f != 0.25 || memcmp (c, "s x", 3) != 0)
+    FAIL ();
+  if (sscanf (" 1.25s x", "%as%2c", &sp, c) != 2)
+    FAIL ();
+  else
+    {
+      if (strcmp (sp, "1.25s") != 0 || memcmp (c, " x", 2) != 0)
+	FAIL ();
+      memset (sp, 'x', sizeof "1.25s");
+      free (sp);
+    }
+  if (sscanf (" 2.25s x", "%las%2c", &d, c) != 2)
+    FAIL ();
+  else if (d != 2.25 || memcmp (c, " x", 2) != 0)
+    FAIL ();
+  if (sscanf (" 3.25S x", "%4aS%3c", &lsp, c) != 2)
+    FAIL ();
+  else
+    {
+      if (wcscmp (lsp, L"3.25") != 0 || memcmp (c, "S x", 3) != 0)
+	FAIL ();
+      memset (lsp, 'x', sizeof L"3.25");
+      free (lsp);
+    }
+  if (sscanf ("4.25[0-9.] x", "%a[0-9.]%8c", &sp, c) != 2)
+    FAIL ();
+  else
+    {
+      if (strcmp (sp, "4.25") != 0 || memcmp (c, "[0-9.] x", 8) != 0)
+	FAIL ();
+      memset (sp, 'x', sizeof "4.25");
+      free (sp);
+    }
+  if (sscanf ("5.25[0-9.] x", "%la[0-9.]%2c", &d, c) != 2)
+    FAIL ();
+  else if (d != 5.25 || memcmp (c, " x", 2) != 0)
+    FAIL ();
+
+  const char *tmpdir = getenv ("TMPDIR");
+  if (tmpdir == NULL || tmpdir[0] == '\0')
+    tmpdir = "/tmp";
+
+  char fname[strlen (tmpdir) + sizeof "/tst-scanf14.XXXXXX"];
+  sprintf (fname, "%s/tst-scanf14.XXXXXX", tmpdir);
+  if (fname == NULL)
+    FAIL ();
+
+  /* Create a temporary file.   */
+  int fd = mkstemp (fname);
+  if (fd == -1)
+    FAIL ();
+
+  FILE *fp = fdopen (fd, "w+");
+  if (fp == NULL)
+    FAIL ();
+  else
+    {
+      if (fputs (" 1.25s x", fp) == EOF)
+	FAIL ();
+      if (fseek (fp, 0, SEEK_SET) != 0)
+	FAIL ();
+      if (fscanf (fp, "%as%2c", &sp, c) != 2)
+	FAIL ();
+      else
+	{
+	  if (strcmp (sp, "1.25s") != 0 || memcmp (c, " x", 2) != 0)
+	    FAIL ();
+	  memset (sp, 'x', sizeof "1.25s");
+	  free (sp);
+	}
+
+      if (freopen (fname, "r", stdin) == NULL)
+	FAIL ();
+      else
+	{
+	  if (scanf ("%as%2c", &sp, c) != 2)
+	    FAIL ();
+	  else
+	    {
+	      if (strcmp (sp, "1.25s") != 0 || memcmp (c, " x", 2) != 0)
+		FAIL ();
+	      memset (sp, 'x', sizeof "1.25s");
+	      free (sp);
+	    }
+	}
+
+      fclose (fp);
+    }
+
+  remove (fname);
+
+  return result;
+}
diff --git a/stdio-common/scanf15.c b/stdio-common/scanf15.c
index a3ab15dea2..142e215ad3 100644
--- a/stdio-common/scanf15.c
+++ b/stdio-common/scanf15.c
@@ -1,18 +1,12 @@ 
-#undef _GNU_SOURCE
-#define _XOPEN_SOURCE 600
-#undef _LIBC
-#undef _IO_MTSAFE_IO
-/* The following macro definitions are a hack.  They word around disabling
-   the GNU extension while still using a few internal headers.  */
-#define u_char unsigned char
-#define u_short unsigned short
-#define u_int unsigned int
-#define u_long unsigned long
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <wchar.h>
 
+#if __GLIBC_USE_DEPRECATED_SCANF
+# error "This file should not be compiled with deprecated scanf"
+#endif
+
 #define FAIL() \
   do {							\
     result = 1;						\
diff --git a/stdio-common/scanf16.c b/stdio-common/scanf16.c
index 3e3cb417f2..db640e2e9c 100644
--- a/stdio-common/scanf16.c
+++ b/stdio-common/scanf16.c
@@ -4,13 +4,17 @@ 
 #include <string.h>
 #include <wchar.h>
 
+#if __GLIBC_USE_DEPRECATED_SCANF
+# error "This file should not be compiled with deprecated scanf"
+#endif
+
 #define FAIL() \
   do {							\
     result = 1;						\
     printf ("test at line %d failed\n", __LINE__);	\
   } while (0)
 
-static int
+static int __attribute__ ((format (scanf, 2, 3)))
 xsscanf (const char *str, const char *fmt, ...)
 {
   va_list ap;
@@ -20,7 +24,7 @@  xsscanf (const char *str, const char *fmt, ...)
   return ret;
 }
 
-static int
+static int __attribute__ ((format (scanf, 1, 2)))
 xscanf (const char *fmt, ...)
 {
   va_list ap;
@@ -30,7 +34,7 @@  xscanf (const char *fmt, ...)
   return ret;
 }
 
-static int
+static int __attribute__ ((format (scanf, 2, 3)))
 xfscanf (FILE *f, const char *fmt, ...)
 {
   va_list ap;
@@ -54,7 +58,7 @@  main (void)
     FAIL ();
   else if (f != 0.25 || memcmp (c, "s x", 3) != 0)
     FAIL ();
-  if (xsscanf (" 1.25s x", "%as%2c", &sp, c) != 2)
+  if (xsscanf (" 1.25s x", "%ms%2c", &sp, c) != 2)
     FAIL ();
   else
     {
@@ -67,7 +71,7 @@  main (void)
     FAIL ();
   else if (d != 2.25 || memcmp (c, " x", 2) != 0)
     FAIL ();
-  if (xsscanf (" 3.25S x", "%4aS%3c", &lsp, c) != 2)
+  if (xsscanf (" 3.25S x", "%4mS%3c", &lsp, c) != 2)
     FAIL ();
   else
     {
@@ -76,7 +80,7 @@  main (void)
       memset (lsp, 'x', sizeof L"3.25");
       free (lsp);
     }
-  if (xsscanf ("4.25[0-9.] x", "%a[0-9.]%8c", &sp, c) != 2)
+  if (xsscanf ("4.25[0-9.] x", "%m[0-9.]%8c", &sp, c) != 2)
     FAIL ();
   else
     {
@@ -113,7 +117,7 @@  main (void)
 	FAIL ();
       if (fseek (fp, 0, SEEK_SET) != 0)
 	FAIL ();
-      if (xfscanf (fp, "%as%2c", &sp, c) != 2)
+      if (xfscanf (fp, "%ms%2c", &sp, c) != 2)
 	FAIL ();
       else
 	{
@@ -127,7 +131,7 @@  main (void)
 	FAIL ();
       else
 	{
-	  if (xscanf ("%as%2c", &sp, c) != 2)
+	  if (xscanf ("%ms%2c", &sp, c) != 2)
 	    FAIL ();
 	  else
 	    {
diff --git a/stdio-common/scanf16a.c b/stdio-common/scanf16a.c
new file mode 100644
index 0000000000..684eeb08f4
--- /dev/null
+++ b/stdio-common/scanf16a.c
@@ -0,0 +1,156 @@ 
+/* This test exercises the deprecated GNU %as, %aS, and %a[...] scanf
+   modifiers, which are not available to programs compiled as C99
+   anymore; therefore, this file is compiled with -std=gnu89 and C99
+   syntax must not be used.  */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wchar.h>
+
+#if !__GLIBC_USE_DEPRECATED_SCANF
+# error "This file should be compiled with deprecated scanf"
+#endif
+
+#define FAIL() \
+  do {							\
+    result = 1;						\
+    printf ("test at line %d failed\n", __LINE__);	\
+  } while (0)
+
+static int __attribute__ ((format (scanf, 2, 3)))
+xsscanf (const char *str, const char *fmt, ...)
+{
+  va_list ap;
+  va_start (ap, fmt);
+  int ret = vsscanf (str, fmt, ap);
+  va_end (ap);
+  return ret;
+}
+
+static int __attribute__ ((format (scanf, 1, 2)))
+xscanf (const char *fmt, ...)
+{
+  va_list ap;
+  va_start (ap, fmt);
+  int ret = vscanf (fmt, ap);
+  va_end (ap);
+  return ret;
+}
+
+static int __attribute__ ((format (scanf, 2, 3)))
+xfscanf (FILE *f, const char *fmt, ...)
+{
+  va_list ap;
+  va_start (ap, fmt);
+  int ret = vfscanf (f, fmt, ap);
+  va_end (ap);
+  return ret;
+}
+
+int
+main (void)
+{
+  wchar_t *lsp;
+  char *sp;
+  float f;
+  double d;
+  char c[8];
+  int result = 0;
+
+  if (xsscanf (" 0.25s x", "%e%3c", &f, c) != 2)
+    FAIL ();
+  else if (f != 0.25 || memcmp (c, "s x", 3) != 0)
+    FAIL ();
+  if (xsscanf (" 1.25s x", "%as%2c", &sp, c) != 2)
+    FAIL ();
+  else
+    {
+      if (strcmp (sp, "1.25s") != 0 || memcmp (c, " x", 2) != 0)
+	FAIL ();
+      memset (sp, 'x', sizeof "1.25s");
+      free (sp);
+    }
+  if (xsscanf (" 2.25s x", "%las%2c", &d, c) != 2)
+    FAIL ();
+  else if (d != 2.25 || memcmp (c, " x", 2) != 0)
+    FAIL ();
+  if (xsscanf (" 3.25S x", "%4aS%3c", &lsp, c) != 2)
+    FAIL ();
+  else
+    {
+      if (wcscmp (lsp, L"3.25") != 0 || memcmp (c, "S x", 3) != 0)
+	FAIL ();
+      memset (lsp, 'x', sizeof L"3.25");
+      free (lsp);
+    }
+  if (xsscanf ("4.25[0-9.] x", "%a[0-9.]%8c", &sp, c) != 2)
+    FAIL ();
+  else
+    {
+      if (strcmp (sp, "4.25") != 0 || memcmp (c, "[0-9.] x", 8) != 0)
+	FAIL ();
+      memset (sp, 'x', sizeof "4.25");
+      free (sp);
+    }
+  if (xsscanf ("5.25[0-9.] x", "%la[0-9.]%2c", &d, c) != 2)
+    FAIL ();
+  else if (d != 5.25 || memcmp (c, " x", 2) != 0)
+    FAIL ();
+
+  const char *tmpdir = getenv ("TMPDIR");
+  if (tmpdir == NULL || tmpdir[0] == '\0')
+    tmpdir = "/tmp";
+
+  char fname[strlen (tmpdir) + sizeof "/tst-scanf16.XXXXXX"];
+  sprintf (fname, "%s/tst-scanf16.XXXXXX", tmpdir);
+  if (fname == NULL)
+    FAIL ();
+
+  /* Create a temporary file.   */
+  int fd = mkstemp (fname);
+  if (fd == -1)
+    FAIL ();
+
+  FILE *fp = fdopen (fd, "w+");
+  if (fp == NULL)
+    FAIL ();
+  else
+    {
+      if (fputs (" 1.25s x", fp) == EOF)
+	FAIL ();
+      if (fseek (fp, 0, SEEK_SET) != 0)
+	FAIL ();
+      if (xfscanf (fp, "%as%2c", &sp, c) != 2)
+	FAIL ();
+      else
+	{
+	  if (strcmp (sp, "1.25s") != 0 || memcmp (c, " x", 2) != 0)
+	    FAIL ();
+	  memset (sp, 'x', sizeof "1.25s");
+	  free (sp);
+	}
+
+      if (freopen (fname, "r", stdin) == NULL)
+	FAIL ();
+      else
+	{
+	  if (xscanf ("%as%2c", &sp, c) != 2)
+	    FAIL ();
+	  else
+	    {
+	      if (strcmp (sp, "1.25s") != 0 || memcmp (c, " x", 2) != 0)
+		FAIL ();
+	      memset (sp, 'x', sizeof "1.25s");
+	      free (sp);
+	    }
+	}
+
+      fclose (fp);
+    }
+
+  remove (fname);
+
+  return result;
+}
diff --git a/stdio-common/scanf17.c b/stdio-common/scanf17.c
index b6c0e63ab0..5a0ae42686 100644
--- a/stdio-common/scanf17.c
+++ b/stdio-common/scanf17.c
@@ -1,19 +1,13 @@ 
-#undef _GNU_SOURCE
-#define _XOPEN_SOURCE 600
-#undef _LIBC
-#undef _IO_MTSAFE_IO
-/* The following macro definitions are a hack.  They word around disabling
-   the GNU extension while still using a few internal headers.  */
-#define u_char unsigned char
-#define u_short unsigned short
-#define u_int unsigned int
-#define u_long unsigned long
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <wchar.h>
 
+#if __GLIBC_USE_DEPRECATED_SCANF
+# error "This file should not be compiled with deprecated scanf"
+#endif
+
 #define FAIL() \
   do {							\
     result = 1;						\
diff --git a/stdio-common/sscanf.c b/stdio-common/sscanf.c
index 88cd641798..7d08752d46 100644
--- a/stdio-common/sscanf.c
+++ b/stdio-common/sscanf.c
@@ -15,6 +15,11 @@ 
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+/* This file defines one of the deprecated scanf variants.  */
+#include <features.h>
+#undef __GLIBC_USE_DEPRECATED_SCANF
+#define __GLIBC_USE_DEPRECATED_SCANF 1
+
 #include <stdarg.h>
 #include <stdio.h>
 #include <libioP.h>
@@ -34,7 +39,6 @@  __sscanf (const char *s, const char *format, ...)
 
   return done;
 }
-ldbl_hidden_def (__sscanf, sscanf)
 ldbl_strong_alias (__sscanf, sscanf)
 #undef _IO_sscanf
 /* This is for libg++.  */
diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index 3263268c7e..f083889490 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -15,6 +15,11 @@ 
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+/* This file defines one of the deprecated scanf variants.  */
+#include <features.h>
+#undef __GLIBC_USE_DEPRECATED_SCANF
+#define __GLIBC_USE_DEPRECATED_SCANF 1
+
 #include <assert.h>
 #include <errno.h>
 #include <limits.h>
diff --git a/time/tzset.c b/time/tzset.c
index b51786704a..80b2e30c20 100644
--- a/time/tzset.c
+++ b/time/tzset.c
@@ -27,6 +27,10 @@ 
 
 #include <timezone/tzfile.h>
 
+/* __REDIRECT isn't transitive.  */
+#undef sscanf
+#define sscanf __isoc99_sscanf
+
 #define SECSPERDAY 86400
 
 char *__tzname[2] = { (char *) "GMT", (char *) "GMT" };