.\" $OpenBSD: gcc-local.1,v 1.19 2008/11/04 23:59:37 martynas Exp $
.\"
.\" Copyright (c) 2002 Marc Espie
.\" Copyright (c) 2003 Anil Madhavapeddy
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 4 2008 $
.Dt GCC-LOCAL 1
.Os
.Sh NAME
.Nm gcc-local
.Nd local modifications to gcc
.Sh DESCRIPTION
Some
.Ox
platforms use a derivative of
.Nm gcc 2.95.3 ,
others use a derivative of
.Nm gcc 3.3.5 .
In both cases,
the
.Nm gcc
software comes with specific modifications for
.Ox .
.Bl -dash
.It
.Nm gcc
does not search under
.Pa /usr/local
for include files nor for libraries:
as a system compiler, it only searches the system paths by default.
.It
On
.Ox ,
the
.Fl pthread
option should be used to link threaded code, isolating the program from
operating system details.
.It
On most architectures,
trampoline code marks the smallest possible area around the trampoline stub
executable using
.Xr mprotect 2 ,
since the stack area is by default non-executable.
.It
On
.Ox ,
by default, trampoline code generation is disabled.
Code requiring trampolines will not compile without
.Fl ftrampolines .
The warning flag
.Fl Wtrampolines
can be used to locate trampoline instances if trampoline generation
is re-enabled.
.It
The
.Fl O2
option does not include
.Fl fstrict-aliasing ,
as this option causes issues on some legacy code.
.Fl fstrict-aliasing
is very unsafe with code that plays tricks with casts, bypassing the
already weak type system of C.
.It
The option
.Fl fno-builtin-<function>
was backported from
.Nm gcc 3.3.5 ,
to
.Nm gcc 2.95.3 ,
and can be used without having to differentiate between
both compilers.
.It
.Nm gcc
recognizes the extra format attribute syslog, to better match
the definition of
.Xr syslog 3 ,
and silence erroneous warnings when used with
.Fl pedantic .
.It
Even in 2.95.3,
.Nm gcc
recognizes the attribute
.Dv __nonnull__ ,
which can be used to mark arguments that can't be
.Dv NULL .
The printf format attribute does not imply
.Dv __nonnull__
for the format.
This allows for correct format checking on the
.Xr err 3
function family.
.It
.Nm gcc
recognizes the extra attribute
.Dv __sentinel__ ,
which can be used to mark varargs functions that need a
.Dv NULL
pointer to mark argument termination, like
.Xr execl 3 .
This exposes latent bugs for 64-bit architectures,
where a terminating 0 will expand to a 32-bit int, and not a full-fledged
64-bit pointer.
.It
On some
.Ox
platforms,
.Nm gcc
still uses
.Xr setjmp 3 /
.Xr longjmp 3 -
style exceptions, and so needs extra fixes beyond the pure 2.95.3 release.
.It
On a few
platforms (mostly a.out),
.Nm gcc
uses a linker wrapper to write stubs that call global constructors and
destructors.
Those platforms use
.Nm gcc 2.95.3 ,
and those calls can be traced using
.Fl Wl,-trace-ctors-dtors ,
using
.Xr syslog_r 3 .
.It
On alpha,
.Fl mieee
is enabled by default to enable full compliance with
the IEEE floating point standard,
although the
.Dq inexact
flag is not maintained.
.It
On
.Ox ,
.Nm gcc
comes with the
.Dq ProPolice
stack protection extension, which is enabled by default.
This extension reorders local variable declarations and adds stack consistency
checks at run time, in order to detect stack overflows, and will attempt to
report the problem in the system logs by calling
.Xr syslog 3
with a
.Dv LOG_CRIT
priority message:
.Dq stack overflow in function XXX ,
and abort the faulting process.
It can be turned off using the
.Fl fno-stack-protector
command-line option.
Note that the stack protector relies on some support code in libc.
Stand-alone programs not linked against libc must either provide their own
support bits, or use the
.Fl fno-stack-protector
option.
There is also a
.Fl fstack-protector-all
option, that turns stack protection code on for all functions,
and disables any heuristic that flags some functions as safe.
This extended checking has a moderate runtime cost, though.
.It
.Nm gcc
recognizes a new flag,
.Fl Wbounded ,
to perform basic checks on functions which accept buffers and sizes.
An extra attribute,
.Dv __bounded__ ,
has been added to mark functions that can be
checked this way.
.It
.Nm gcc
recognizes a new format attribute, kprintf, to deal with the extra format
arguments
.Ql %b ,
.Ql %r ,
and
.Ql %z
used in the
.Ox
kernel.
.It
.Nm gcc
does not store its version string in objects.
This behavior can be restored with
.Fl fident .
.It
On
.Ox ,
.Nm gcc
will not move variables initialized with the value zero
from the data section to the bss section.
The default behaviour of
.Nm gcc 3.3.5
on other systems is to perform this action, which can be restored for
.Ox
with
.Fl fzero-initialized-in-bss .
.It
On
.Ox ,
.Nm gcc
does not warn for cast expressions used as lvalues outside of
.Fl pedantic .
.It
Even in 2.95.3,
.Nm gcc
recognizes the preprocessor flag
.Fl CC
that lets comments in macros pass through to the output (except in
.Fl traditional
mode).
This is used to allow annotations in macros for
.Xr lint 1 .
.It
On
.Ox ,
.Nm gcc
supports two extra warning options:
.Bl -item
.It
.Fl Wstack-larger-than- Ns Va N
will report functions using more than
.Va N
bytes of stack space for their local variables.
Stack space used for other purposes (such as register window saving,
callee-saved registers, or outbound arguments storage)
is not taken into account for this check.
.It
.Fl Wvariable-decl
will report automatic variable declarations whose size cannot be
determined at compile-time.
.El
.El
.Sh ATTRIBUTES
The
.Dv __bounded__
attribute is used to type-check functions whose parameters pass fixed-length
buffers and their sizes.
The syntax for normal buffers is:
.Pp
.Li __attribute__ ((__bounded__ (
.Dv __buffer__ ,
.Va buffer ,
.Va length
.Li )))
.Pp
where
.Fa buffer
contains the parameter number (starting from 1) of the pointer to the buffer,
and
.Fa length
contains the parameter number of the buffer length argument.
.Pp
.Nm gcc
will emit a warning if the length argument is a constant larger than the
actual size of the buffer.
If the buffer is not a statically declared array of fixed length, no warnings
will be generated.
Refer to
.Xr memcpy 3
for an example of a function with this check.
.Pp
For checking strings, just use
.Dv __string__
instead of
.Dv __buffer__ :
.Pp
.Li __attribute__ ((__bounded__ (
.Dv __string__ ,
.Va buffer ,
.Va length
.Li )))
.Pp
In addition to the checks described above, this also tests if the
.Va length
argument was wrongly derived from a
.Fn sizeof "void *"
operation.
.Xr strlcpy 3
is a good example of a string function with this check.
.Pp
Some functions specify the length as two arguments:
the number of elements and the size of each element.
In this case, use the
.Dv __size__
attribute:
.Pp
.Li __attribute__ ((__bounded__ (
.Dv __size__ ,
.Va buffer ,
.Va nmemb ,
.Va size
.Li )))
.Pp
where
.Va buffer
contains the parameter number of the pointer to the buffer,
.Va nmemb
contains the parameter number of the number of members, and
.Va size
has the parameter number of the size of each element.
The type checks performed by
.Dv __size__
are the same as the
.Dv __buffer__
attribute.
See
.Xr fread 3
for an example of this type of function.
.Pp
If a function accepts a buffer parameter and specifies that it has to be of a
minimum length, the __minbytes__ attribute can be used:
.Pp
.Li __attribute__ ((__bounded__ (
.Dv __minbytes__ ,
.Va buffer ,
.Va minsize
.Li )))
.Pp
where
.Va buffer
contains the parameter number of the pointer to the buffer, and
.Va minsize
specifies the minimum number of bytes that the buffer should be.
.Xr ctime_r 3
is an example of this type of function.
.Pp
If
.Fl Wbounded
is specified with
.Fl Wformat ,
additional checks are performed on
.Xr sscanf 3
format strings.
The
.Ql %s
fields are checked for incorrect bound lengths by checking the size of the
buffer associated with the format argument.
.Sh SEE ALSO
.Xr gcc 1
.Pp
.Pa http://www.research.ibm.com/trl/projects/security/ssp/
.Sh CAVEATS
The
.Fl Wbounded
flag only works with statically allocated fixed-size buffers.
Since it is applied at compile-time, dynamically allocated memory buffers
and non-constant arguments are ignored.
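The following C file is an added example, not part of the manual page or of OpenBSD's sources, showing how a project might annotate its own string function with the `__string__` form described under ATTRIBUTES and the call sites the check is aimed at. The names `BOUNDED`, `HAVE_BOUNDED`, `SHOW_OVERSIZE`, `name_copy` and the three callers are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* BOUNDED is a hypothetical wrapper: it expands to the attribute only when
 * built with -DHAVE_BOUNDED on a gcc that carries this extension, and to
 * nothing otherwise, so other compilers never see an unknown attribute. */
#ifdef HAVE_BOUNDED
#define BOUNDED(args) __attribute__((__bounded__ args))
#else
#define BOUNDED(args)
#endif

/* __string__: parameter 1 is the destination, parameter 3 its size. */
size_t name_copy(char *dst, const char *src, size_t dstsize)
    BOUNDED((__string__, 1, 3));

/* Truncating copy; returns the number of characters stored. */
size_t name_copy(char *dst, const char *src, size_t dstsize)
{
	size_t n = strlen(src);
	if (dstsize == 0)
		return 0;
	if (n >= dstsize)
		n = dstsize - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return n;
}

/* Correct call: the length is the size of a fixed-size array. */
size_t copy_with_array_size(const char *src)
{
	char name[32];
	return name_copy(name, src, sizeof(name));
}

/* Length derived from sizeof(pointer): the mistake the page says the
 * __string__ check tests for. It compiles and silently truncates. */
size_t copy_with_pointer_size(const char *src)
{
	char name[32];
	char *p = name;
	return name_copy(p, src, sizeof(p));
}

#ifdef SHOW_OVERSIZE	/* left out of normal builds: can overflow small[] */
/* Constant length (64) larger than the 8-byte array it describes. */
size_t copy_with_oversize_constant(const char *src)
{
	char small[8];
	return name_copy(small, src, 64);
}
#endif
```

Per the CAVEATS section, the same mistakes made on a heap buffer or with a non-constant length are not reported, so the annotation complements run-time bounds handling in the function itself rather than replacing it.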