1.\" $OpenBSD: gcc-local.1,v 1.57 2023/10/29 23:31:16 millert Exp $ 2.\" 3.\" Copyright (c) 2002 Marc Espie 4.\" Copyright (c) 2003 Anil Madhavapeddy 5.\" 6.\" All rights reserved. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" 28.Dd $Mdocdate: October 29 2023 $ 29.Dt GCC-LOCAL 1 30.Os 31.Sh NAME 32.Nm gcc-local 33.Nd local modifications to gcc 34.Sh DESCRIPTION 35.Ox 36uses derivatives of 37.Xr gcc 1 38versions 3.3.6 or 4.2.1, 39depending on machine architecture. 40In all cases, 41the software comes with specific modifications for 42.Ox : 43.Bl -dash 44.It 45For the C programming language, 46.Nm gcc 47defaults to the 48.Em gnu99 49standard, 50not 51.Em gnu89 . 52The 53.Fl std 54option can be used to select a different language standard. 55.It 56.Nm gcc 57does not search under 58.Pa /usr/local 59for include files nor for libraries: 60as a system compiler, it only searches the system paths by default. 61.It 62On all architectures where the stack is non-executable, 63trampoline code marks the smallest possible area around the trampoline stub 64executable using 65.Xr mprotect 2 . 66.It 67Trampoline code generation is disabled by default. 68Code requiring trampolines will not compile without 69.Fl ftrampolines . 70The warning flag 71.Fl Wtrampolines 72can be used to locate trampoline instances if trampoline generation 73is re-enabled. 74.It 75The 76.Fl O2 77option does not include 78.Fl fstrict-aliasing , 79as this option causes issues on some legacy code. 80.Fl fstrict-aliasing 81is very unsafe with code that plays tricks with casts, bypassing the 82already weak type system of C. 83.It 84The 85.Fl O2 86option does not include 87.Fl fstrict-overflow , 88as this option causes issues on some legacy code. 89.Fl fstrict-overflow 90can cause surprising optimizations to occur, possibly deleting security 91critical overflow checks. 92.It 93The 94.Fl O2 95option does not include the 96.Fl ftree-vrp 97optimization as it is known to be broken in 98.Nm gcc 4.2.1 . 99.It 100.Nm gcc 101recognizes the extra format attribute syslog, to better match 102the definition of 103.Xr syslog 3 , 104and silence erroneous warnings when used with 105.Fl pedantic . 106.It 107.Nm gcc 108recognizes the attribute 109.Cm __nonnull__ , 110which can be used to mark arguments that can't be 111.Dv NULL . 112The printf format attribute does not imply 113.Cm __nonnull__ 114for the format. 115This allows for correct format checking on the 116.Xr err 3 117function family. 118.It 119.Nm gcc 120recognizes the extra attribute 121.Cm __sentinel__ , 122which can be used to mark varargs function that need a 123.Dv NULL 124pointer to mark argument termination, like 125.Xr execl 3 . 126This exposes latent bugs for 64-bit architectures, 127where a terminating 0 will expand to a 32-bit int, and not a full-fledged 12864-bits pointer. 129.It 130On alpha, 131.Fl mieee 132is enabled by default to enable full compliance with 133the IEEE floating point standard, 134although the 135.Dq inexact 136flag is not maintained. 137Additionally, rounding mode is dynamic. 138.It 139.Nm gcc 140comes with the 141.Dq ProPolice 142stack protection extension, which is enabled by default. 143This extension reorders local variable declarations and adds stack consistency 144checks at runtime, in order to detect stack overflows, and will attempt to 145report the problem in the system logs by calling 146.Xr syslog 3 147with a 148.Dv LOG_CRIT 149priority message: 150.Dq stack overflow in function XXX , 151and abort the faulting process. 152It can be turned off using the 153.Fl fno-stack-protector 154command line option. 155Note that the stack protector relies on some support code in libc. 156Stand-alone programs not linked against libc must either provide their own 157support bits or use the 158.Fl fno-stack-protector 159option. 160.Pp 161There is a 162.Fl fstack-protector-all 163option that turns stack protection code on for all functions 164and disables any heuristic that flags some functions as safe. 165This extended checking has a moderate runtime cost though. 166There is a 167.Fl fstack-protector-strong 168option, similar to 169.Fl fstack-protector , 170which includes additional functions to be protected \(em those that 171have local array definitions 172or have references to local frame addresses. 173.It 174On amd64, 175.Fl msave-args 176can be passed to the compiler to have functions save their register 177arguments on the stack, while maintaining compatibility with the 178System 5 AMD64 ABI. 179This enables tools and debuggers that understand this semantic to 180trivially generate stack traces that include function arguments. 181.It 182On the alpha, amd64, arm, hppa, i386, mips64, powerpc, sh and sparc64 183architectures, 184.Nm gcc 185generates position-independent executables 186.Pq PIEs 187by default, allowing the system to load the resulting binary 188at a random location. 189This behavior can be turned off by passing 190.Fl fno-pie 191to the compiler and 192.Fl nopie 193to the linker. 194.It 195.Nm gcc 196recognizes a new flag which is enabled by default, 197.Fl Wbounded , 198to perform basic checks on functions which accept buffers and sizes. 199An extra attribute, 200.Cm __bounded__ , 201has been added to mark functions that can be 202checked this way. 203.It 204.Nm gcc 205recognizes a new format attribute, kprintf, to deal with the extra format 206arguments 207.Ql %b , 208.Ql %r , 209and 210.Ql %z 211used in the 212.Ox 213kernel. 214.It 215.Nm gcc 216does not store its version string in objects. 217This behavior can be restored with 218.Fl fident . 219.It 220The option 221.Fl fstack-shuffle 222will randomize the order of stack variables at compile time with 223.Nm gcc 4.2.1 , 224which can be helpful to find bugs. 225This option is silently ignored by 226.Nm gcc 3.3.6 . 227.It 228.Nm gcc 229will not move variables initialized with the value zero 230from the data section to the bss section. 231The default behaviour of 232.Nm gcc 3.3.6 233and 234.Nm gcc 4.2.1 235on other systems is to perform this action, which can be restored for 236.Ox 237with 238.Fl fzero-initialized-in-bss . 239.It 240.Nm gcc 241does not warn for cast expressions used as lvalues outside of 242.Fl pedantic . 243.It 244.Nm gcc 4.2.1 245does not warn for passing pointer arguments or assignment with 246different signedness outside of 247.Fl pedantic . 248This can be 249re-enabled with the 250.Fl Wpointer-sign 251flag. 252.It 253.Nm gcc 254recognizes the preprocessor flag 255.Fl CC 256that lets comments in macros pass through to the output (except in 257.Fl traditional 258mode). 259.It 260The warning option 261.Fl Wsystem-headers , 262which makes 263.Nm gcc 264report warnings in systems headers, 265is enabled by default. 266.It 267.Nm gcc 268supports two extra warning options: 269.Bl -item 270.It 271.Fl Wframe-larger-than= Ns Va N 272.Po 273and its non-portable alias 274.Fl Wstack-larger-than- Ns Va N 275.Pc 276will report functions using more than 277.Va N 278bytes of stack space for their local variables. 279Stack space used for other purposes (such as register window saving, 280callee-saved registers, or outbound arguments storage) 281is not taken into account for this check. 282.It 283.Fl Wvariable-decl 284will report automatic variable declarations whose size cannot be 285determined at compile-time. 286.El 287.It 288.Nm gcc 4.2.1 289and 290.Nm gcc 3.3.6 291have backported support for the GCC binary integer constants extension, 292which was first introduced in 293.Nm gcc 4.3 . 294.It 295The behavior of 296.Fl Wshadow 297in 298.Nm gcc 4.2.1 299has been altered to behave similarly to 300.Nm gcc 4.8 301and not warn about variables or parameters that shadow a global 302function unless the variable or parameter is of type pointer-to-function. 303.El 304.Sh ATTRIBUTES 305The 306.Cm __bounded__ 307attribute is used to type-check functions whose parameters pass fixed-length 308buffers and their sizes. 309The syntax for normal buffers is: 310.Pp 311.Ic __attribute__ Ns Po Po 312.Cm __bounded__ Ns Pq Cm __buffer__ , Va buffer , length 313.Pc Pc 314.Pp 315where 316.Fa buffer 317contains the parameter number (starting from 1) of the pointer to the buffer, 318and 319.Fa length 320contains the parameter number of the buffer length argument. 321.Pp 322.Nm gcc 323will emit a warning if the length argument is a constant larger than the 324actual size of the buffer. 325If the buffer is not a statically declared array of fixed length, no warnings 326will be generated. 327Refer to 328.Xr memcpy 3 329for an example of a function with this check. 330.Pp 331For checking strings, just use 332.Cm __string__ 333instead of 334.Cm __buffer__ : 335.Pp 336.Ic __attribute__ Ns Po Po 337.Cm __bounded__ Ns Pq Cm __string__ , Va buffer , length 338.Pc Pc 339.Pp 340In addition to the checks described above, this also tests if the 341.Va length 342argument was wrongly derived from a 343.Fn sizeof "void *" 344operation. 345.Xr strlcpy 3 346is a good example of a string function with this check. 347.Pp 348If a function needs string checking like 349.Cm __string__ 350but operates on element counts rather than buffer sizes, use 351.Cm __wcstring__ : 352.Pp 353.Ic __attribute__ Ns Po Po 354.Cm __bounded__ Ns Pq Cm __wcstring__ , Va buffer , count 355.Pc Pc 356.Pp 357An example of a string function with this check is 358.Xr wcslcpy 3 . 359.Pp 360Some functions specify the length as two arguments: 361the number of elements and the size of each element. 362In this case, use the 363.Cm __size__ 364attribute: 365.Pp 366.Ic __attribute__ Ns Po Po 367.Cm __bounded__ Ns Pq Cm __size__ , Va buffer , nmemb , size 368.Pc Pc 369.Pp 370where 371.Va buffer 372contains the parameter number of the pointer to the buffer, 373.Va nmemb 374contains the parameter number of the number of members, and 375.Va size 376has the parameter number of the size of each element. 377The type checks performed by 378.Cm __size__ 379are the same as the 380.Cm __buffer__ 381attribute. 382See 383.Xr fread 3 384for an example of this type of function. 385.Pp 386If a function accepts a buffer parameter and specifies that it has to be of a 387minimum length, the __minbytes__ attribute can be used: 388.Pp 389.Ic __attribute__ Ns Po Po 390.Cm __bounded__ Ns Pq Cm __minbytes__ , Va buffer , minsize 391.Pc Pc 392.Pp 393where 394.Va buffer 395contains the parameter number of the pointer to the buffer, and 396.Va minsize 397specifies the minimum number of bytes that the buffer should be. 398.Xr ctime_r 3 399is an example of this type of function. 400.Pp 401If 402.Fl Wbounded 403is specified with 404.Fl Wformat , 405additional checks are performed on 406.Xr sscanf 3 407format strings. 408The 409.Ql %s 410fields are checked for incorrect bound lengths by checking the size of the 411buffer associated with the format argument. 412.Sh SEE ALSO 413.Xr gcc 1 414.Sh CAVEATS 415The 416.Fl Wbounded 417flag only works with statically allocated fixed-size buffers. 418Since it is applied at compile-time, dynamically allocated memory buffers 419and non-constant arguments are ignored. 420