Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
Russ Allbery <rra@debian.org> writes:
> Adam Borowski <kilobyte@angband.pl> writes:
>> On Wed, Sep 25, 2013 at 09:38:18AM -0700, Russ Allbery wrote:
>>> Programs that don't check the return status of functions that they
>>> think won't ever fail are a bit of a pet peeve of mine, in part
>>> because it would make a lot of sense for localtime() to be able to
>>> fail when the question it was asked is undefined. But no one ever
>>> checks the return status of localtime() for much the same reason that
>>> you spell out for not checking the return status of crypt(), which
>>> means that localtime() is required by all this legacy code to return
>>> arbitrary nonsense instead of an error.
>> __attribute__((warn_unused_result))
> Now that is an *excellent* idea for crypt(). In fact, I'm surprised
> that it's not already tagged with that attribute. I think I'll suggest
> that on libc-alpha. Thanks!
> Doing that for localtime() may be too much of an uphill climb. :/
Of course, I figure out right after I send that mail that this doesn't
work, since in both cases the result is almost always used. The problem
is that it's used without checking for NULL, which would require a
different sort of machinery other than what warn_unused_result does.
warn_unused_result only works for cases like this when the function
returns an error code, not when the function returns some data structure
that the caller will then go on to use normally.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: