.\" $OpenBSD: gcc-local.1,v 1.54 2017/06/10 16:00:27 schwarze Exp $
.\"
.\" Copyright (c) 2002 Marc Espie
.\" Copyright (c) 2003 Anil Madhavapeddy
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: June 10 2017 $
.Dt GCC-LOCAL 1
.Os
.Sh NAME
.Nm gcc-local
.Nd local modifications to gcc
.Sh DESCRIPTION
.Ox
uses derivatives of
.Xr gcc 1
versions 3.3.6 or 4.2.1,
depending on machine architecture.
In all cases,
the software comes with specific modifications for
.Ox :
.Bl -dash
.It
.Nm gcc
does not search under
.Pa /usr/local
for include files nor for libraries:
as a system compiler, it only searches the system paths by default.
.It
On all architectures where the stack is non-executable,
trampoline code marks the smallest possible area around the trampoline stub
executable using
.Xr mprotect 2 .
.It
Trampoline code generation is disabled by default.
Code requiring trampolines will not compile without
.Fl ftrampolines .
The warning flag
.Fl Wtrampolines
can be used to locate trampoline instances if trampoline generation
is re-enabled.
.It
The
.Fl O2
option does not include
.Fl fstrict-aliasing ,
as this option causes issues on some legacy code.
.Fl fstrict-aliasing
is very unsafe with code that plays tricks with casts, bypassing the
already weak type system of C.
.It
The
.Fl O2
option does not include
.Fl fstrict-overflow ,
as this option causes issues on some legacy code.
.Fl fstrict-overflow
can cause surprising optimizations to occur, possibly deleting security
critical overflow checks.
.It
The
.Fl O2
option does not include the
.Fl ftree-vrp
optimization as it is known to be broken in
.Nm gcc 4.2.1 .
.It
.Nm gcc
recognizes the extra format attribute syslog, to better match
the definition of
.Xr syslog 3 ,
and silence erroneous warnings when used with
.Fl pedantic .
.It
.Nm gcc
recognizes the attribute
.Cm __nonnull__ ,
which can be used to mark arguments that can't be
.Dv NULL .
The printf format attribute does not imply
.Cm __nonnull__
for the format.
This allows for correct format checking on the
.Xr err 3
function family.
.It
.Nm gcc
recognizes the extra attribute
.Cm __sentinel__ ,
which can be used to mark varargs functions that need a
.Dv NULL
pointer to mark argument termination, like
.Xr execl 3 .
This exposes latent bugs for 64-bit architectures,
where a terminating 0 will expand to a 32-bit int, and not a full-fledged
64-bit pointer.
.It
On alpha,
.Fl mieee
is enabled by default to enable full compliance with
the IEEE floating point standard,
although the
.Dq inexact
flag is not maintained.
Additionally, rounding mode is dynamic.
.It
.Nm gcc
comes with the
.Dq ProPolice
stack protection extension, which is enabled by default.
This extension reorders local variable declarations and adds stack consistency
checks at runtime, in order to detect stack overflows, and will attempt to
report the problem in the system logs by calling
.Xr syslog 3
with a
.Dv LOG_CRIT
priority message:
.Dq stack overflow in function XXX ,
and abort the faulting process.
It can be turned off using the
.Fl fno-stack-protector
command line option.
Note that the stack protector relies on some support code in libc.
Stand-alone programs not linked against libc must either provide their own
support bits or use the
.Fl fno-stack-protector
option.
.Pp
There is a
.Fl fstack-protector-all
option that turns stack protection code on for all functions
and disables any heuristic that flags some functions as safe.
This extended checking has a moderate runtime cost though.
There is a
.Fl fstack-protector-strong
option, similar to
.Fl fstack-protector ,
which includes additional functions to be protected \(em those that
have local array definitions
or have references to local frame addresses.
.It
On amd64,
.Fl msave-args
can be passed to the compiler to have functions save their register
arguments on the stack, while maintaining compatibility with the
System 5 AMD64 ABI.
This enables tools and debuggers that understand this semantic to
trivially generate stack traces that include function arguments.
.It
On the alpha, amd64, arm, hppa, i386, mips64, powerpc, sh and sparc64
architectures,
.Nm gcc
generates position-independent executables
.Pq PIEs
by default, allowing the system to load the resulting binary
at a random location.
This behavior can be turned off by passing
.Fl fno-pie
to the compiler and
.Fl nopie
to the linker.
.It
.Nm gcc
recognizes a new flag which is enabled by default,
.Fl Wbounded ,
to perform basic checks on functions which accept buffers and sizes.
An extra attribute,
.Cm __bounded__ ,
has been added to mark functions that can be
checked this way.
.It
.Nm gcc
recognizes a new format attribute, kprintf, to deal with the extra format
arguments
.Ql %b ,
.Ql %r ,
and
.Ql %z
used in the
.Ox
kernel.
.It
.Nm gcc
does not store its version string in objects.
This behavior can be restored with
.Fl fident .
.It
The option
.Fl fstack-shuffle
will randomize the order of stack variables at compile time with
.Nm gcc 4.2.1 ,
which can be helpful to find bugs.
This option is silently ignored by
.Nm gcc 3.3.6 .
.It
.Nm gcc
will not move variables initialized with the value zero
from the data section to the bss section.
The default behaviour of
.Nm gcc 3.3.6
and
.Nm gcc 4.2.1
on other systems is to perform this action, which can be restored for
.Ox
with
.Fl fzero-initialized-in-bss .
.It
.Nm gcc
does not warn for cast expressions used as lvalues outside of
.Fl pedantic .
.It
.Nm gcc 4.2.1
does not warn for passing pointer arguments or assignment with
different signedness outside of
.Fl pedantic .
This can be
re-enabled with the
.Fl Wpointer-sign
flag.
.It
.Nm gcc
recognizes the preprocessor flag
.Fl CC
that lets comments in macros pass through to the output (except in
.Fl traditional
mode).
.It
The warning option
.Fl Wsystem-headers ,
which makes
.Nm gcc
report warnings in system headers,
is enabled by default.
.It
.Nm gcc
supports two extra warning options:
.Bl -item
.It
.Fl Wframe-larger-than= Ns Va N
.Po
and its non-portable alias
.Fl Wstack-larger-than- Ns Va N
.Pc
will report functions using more than
.Va N
bytes of stack space for their local variables.
Stack space used for other purposes (such as register window saving,
callee-saved registers, or outbound arguments storage)
is not taken into account for this check.
.It
.Fl Wvariable-decl
will report automatic variable declarations whose size cannot be
determined at compile-time.
.El
.It
.Nm gcc 4.2.1
and
.Nm gcc 3.3.6
have backported support for the GCC binary integer constants extension,
which was first introduced in
.Nm gcc 4.3 .
.It
The behavior of
.Fl Wshadow
in
.Nm gcc 4.2.1
has been altered to behave similarly to
.Nm gcc 4.8
and not warn about variables or parameters that shadow a global
function unless the variable or parameter is of type pointer-to-function.
.El
.Sh ATTRIBUTES
The
.Cm __bounded__
attribute is used to type-check functions whose parameters pass fixed-length
buffers and their sizes.
The syntax for normal buffers is:
.Pp
.Ic __attribute__ Ns Po Po
.Cm __bounded__ Ns Pq Cm __buffer__ , Va buffer , length
.Pc Pc
.Pp
where
.Fa buffer
contains the parameter number (starting from 1) of the pointer to the buffer,
and
.Fa length
contains the parameter number of the buffer length argument.
.Pp
.Nm gcc
will emit a warning if the length argument is a constant larger than the
actual size of the buffer.
If the buffer is not a statically declared array of fixed length, no warnings
will be generated.
Refer to
.Xr memcpy 3
for an example of a function with this check.
.Pp
For checking strings, just use
.Cm __string__
instead of
.Cm __buffer__ :
.Pp
.Ic __attribute__ Ns Po Po
.Cm __bounded__ Ns Pq Cm __string__ , Va buffer , length
.Pc Pc
.Pp
In addition to the checks described above, this also tests if the
.Va length
argument was wrongly derived from a
.Fn sizeof "void *"
operation.
.Xr strlcpy 3
is a good example of a string function with this check.
.Pp
If a function needs string checking like
.Cm __string__
but operates on element counts rather than buffer sizes, use
.Cm __wcstring__ :
.Pp
.Ic __attribute__ Ns Po Po
.Cm __bounded__ Ns Pq Cm __wcstring__ , Va buffer , count
.Pc Pc
.Pp
An example of a string function with this check is
.Xr wcslcpy 3 .
.Pp
Some functions specify the length as two arguments:
the number of elements and the size of each element.
In this case, use the
.Cm __size__
attribute:
.Pp
.Ic __attribute__ Ns Po Po
.Cm __bounded__ Ns Pq Cm __size__ , Va buffer , nmemb , size
.Pc Pc
.Pp
where
.Va buffer
contains the parameter number of the pointer to the buffer,
.Va nmemb
contains the parameter number of the number of members, and
.Va size
has the parameter number of the size of each element.
The type checks performed by
.Cm __size__
are the same as the
.Cm __buffer__
attribute.
See
.Xr fread 3
for an example of this type of function.
.Pp
If a function accepts a buffer parameter and specifies that it has to be of a
minimum length, the
.Cm __minbytes__
attribute can be used:
.Pp
.Ic __attribute__ Ns Po Po
.Cm __bounded__ Ns Pq Cm __minbytes__ , Va buffer , minsize
.Pc Pc
.Pp
where
.Va buffer
contains the parameter number of the pointer to the buffer, and
.Va minsize
specifies the minimum number of bytes that the buffer should be.
.Xr ctime_r 3
is an example of this type of function.
.Pp
If
.Fl Wbounded
is specified with
.Fl Wformat ,
additional checks are performed on
.Xr sscanf 3
format strings.
The
.Ql %s
fields are checked for incorrect bound lengths by checking the size of the
buffer associated with the format argument.
.Sh SEE ALSO
.Xr gcc 1
.Sh CAVEATS
The
.Fl Wbounded
flag only works with statically allocated fixed-size buffers.
Since it is applied at compile-time, dynamically allocated memory buffers
and non-constant arguments are ignored.
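.Pp
The following is an added example, not part of the original manual page or of the OpenBSD sources, showing prototypes annotated with the __buffer__ and __size__ forms of __bounded__ and which calls the compile-time check can and cannot cover.
The macro and function names are hypothetical, and the attribute is assumed to be understood only by the OpenBSD gcc, so it is compiled out elsewhere.

```c
/* Added example; BOUNDED_BUF, BOUNDED_SIZE, fill_buf, zero_recs and demo
 * are hypothetical names, not part of OpenBSD or of gcc-local(1). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Assumption: only OpenBSD's own gcc knows __bounded__; hide it elsewhere. */
#if defined(__OpenBSD__) && defined(__GNUC__) && !defined(__clang__)
#define BOUNDED_BUF(b, l)	__attribute__((__bounded__(__buffer__, b, l)))
#define BOUNDED_SIZE(b, n, s)	__attribute__((__bounded__(__size__, b, n, s)))
#else
#define BOUNDED_BUF(b, l)
#define BOUNDED_SIZE(b, n, s)
#endif

/* Parameter 1 is the buffer, parameter 2 its length in bytes. */
size_t fill_buf(void *, size_t, int) BOUNDED_BUF(1, 2);
/* Parameter 1 is the buffer, 2 the member count, 3 the member size. */
size_t zero_recs(void *, size_t, size_t) BOUNDED_SIZE(1, 2, 3);

size_t fill_buf(void *dst, size_t len, int c)
{
	memset(dst, c, len);
	return len;
}

size_t zero_recs(void *dst, size_t nmemb, size_t size)
{
	if (size != 0 && nmemb > (size_t)-1 / size)
		return 0;	/* nmemb * size would wrap: refuse at run time */
	memset(dst, 0, nmemb * size);
	return nmemb;
}

size_t demo(void)
{
	struct { int id; char name[12]; } recs[4];
	char fixed[16], *heap = malloc(16);
	size_t n;
	if (heap == NULL)
		return 0;
	n = fill_buf(fixed, sizeof(fixed), 'A'); /* constant == array size: quiet */
	/* fill_buf(fixed, 32, 'A') has a constant above 16: -Wbounded warns. */
	n += zero_recs(recs, 4, sizeof(recs[0])); /* checked like __buffer__ */
	n += fill_buf(heap, 16, 'B'); /* heap memory: never checked (CAVEATS) */
	free(heap);
	return n;	/* 16 + 4 + 16 = 36 */
}

int main(void) { return demo() == 36 ? 0 : 1; }
```

Because the heap call is outside what the compiler can check, the callee still needs its own run-time validation, as zero_recs does for the size product.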