[GRASS-dev] [GRASS-SVN] r52607 - grass/trunk/raster/r.lake

Hi,

sorry for ignorance, but what is the sense of such changes?

2012/8/9 <svn_grass@osgeo.org>:

Author: marisn
Date: 2012-08-09 04:31:49 -0700 (Thu, 09 Aug 2012)
New Revision: 52607

Modified:
   grass/trunk/raster/r.lake/main.c
   grass/trunk/raster/r.lake/r.lake.html

     if (smap_opt->answer && sdxy_opt->answer)
- G_fatal_error(_("Both seed map and coordinates cannot be specified"));
+ G_fatal_error("%s", _("Both seed map and coordinates cannot be specified"));

Martin

--
Martin Landa <landa.martin gmail.com> * http://geo.fsv.cvut.cz/~landa

Hi,

the older version triggers a GCC warning complaining about format string.

Vaclav

On 9 August 2012 17:44, Martin Landa <landa.martin@gmail.com> wrote:

Hi,

sorry for ignorance, but what is the sense of such changes?

2012/8/9 <svn_grass@osgeo.org>:

Author: marisn
Date: 2012-08-09 04:31:49 -0700 (Thu, 09 Aug 2012)
New Revision: 52607

Modified:
   grass/trunk/raster/r.lake/main.c
   grass/trunk/raster/r.lake/r.lake.html

     if (smap_opt->answer && sdxy_opt->answer)
- G_fatal_error(_("Both seed map and coordinates cannot be specified"));
+ G_fatal_error("%s", _("Both seed map and coordinates cannot be specified"));

Martin

--
Martin Landa <landa.martin gmail.com> * http://geo.fsv.cvut.cz/~landa
_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/grass-dev

Hi,

then it should be changes in *all* GRASS.

Markus

On Thu, Aug 9, 2012 at 6:19 PM, Vaclav Petras <wenzeslaus@gmail.com> wrote:

Hi,

the older version triggers a GCC warning complaining about format string.

Vaclav

On 9 August 2012 17:44, Martin Landa <landa.martin@gmail.com> wrote:

Hi,

sorry for ignorance, but what is the sense of such changes?

2012/8/9 <svn_grass@osgeo.org>:

Author: marisn
Date: 2012-08-09 04:31:49 -0700 (Thu, 09 Aug 2012)
New Revision: 52607

Modified:
   grass/trunk/raster/r.lake/main.c
   grass/trunk/raster/r.lake/r.lake.html

     if (smap_opt->answer && sdxy_opt->answer)
- G_fatal_error(_("Both seed map and coordinates cannot be specified"));
+ G_fatal_error("%s", _("Both seed map and coordinates cannot be specified"));

Martin

--
Martin Landa <landa.martin gmail.com> * http://geo.fsv.cvut.cz/~landa
_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/grass-dev

_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/grass-dev

- G_fatal_error(_("Both seed map and coordinates cannot be specified"));
+ G_fatal_error("%s", _("Both seed map and coordinates cannot be specified"));

Martin:

sorry for ignorance, but what is the sense of such changes?

Vaclav:

> the older version triggers a GCC warning complaining
> about format string.

gcc 4.7 or ?

Markus N wrote:

> then it should be changes in *all* GRASS.

better clarify that it is a false positive or real problem before
cluttering up the entire codebase for a dubious and/or needless
change.

short of this being demonstrated as a real problem, my vote would
be to not mess up the entire codebase and tell gcc to be quiet or
get gcc to fix their test.

2c,
Hamish

there was a similar situation with

G_done_msg("");
  vs.
G_done_msg(" ");

wrt making the code messy to make gcc warnings go away, but for no
real stability benefit that I knew of.

how did we resolve that?

Hamish

On Thu, Aug 9, 2012 at 10:35 PM, Hamish <hamish_b@yahoo.com> wrote:

- G_fatal_error(_("Both seed map and coordinates cannot be specified"));
+ G_fatal_error("%s", _("Both seed map and coordinates cannot be specified"));

Martin:

sorry for ignorance, but what is the sense of such changes?

Vaclav:

> the older version triggers a GCC warning complaining
> about format string.

gcc 4.7 or ?

Markus N wrote:

> then it should be changes in *all* GRASS.

better clarify that it is a false positive or real problem before
cluttering up the entire codebase for a dubious and/or needless
change.

short of this being demonstrated as a real problem, my vote would
be to not mess up the entire codebase and tell gcc to be quiet or
get gcc to fix their test.

+1

I don't get any warning about the format string. IMHO much more
interesting are the warnings in r.lake about not initialized file
descriptors.

Any idea why the warning about format strings is triggered for
G_warning() and G_fatal_error(), but not for G_message()? I assume
that G_message would have been affected as well because the relevant
code seems to be identical. Interestingly, in g.proj, G_message()
seems to trigger the same (bogus?) compiler warning, according to the
change log.

Any idea why this affects only r.lake and not other modules, apart
from g.proj, and there also G_message()?

If this is a real problem, why fix the symptoms and not the cause?
That would probably be the macro defining _().

my 2c

Markus M

2c,
Hamish
_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/grass-dev

On Fri, Aug 10, 2012 at 12:39 AM, Markus Metz
<markus.metz.giswork@gmail.com> wrote:
...

If this is a real problem, why fix the symptoms and not the cause?
That would probably be the macro defining _().

+1
It worked for the past 10-xx years, so I don't see a reason why
messing up the code when one specific gcc version complains.

Markus

Hello,
just to clarify.
It's not a GCC bug but a valid warning of an exploitable issue:
http://en.wikipedia.org/wiki/Uncontrolled_format_string
Still for most of GRASS codebase it's harmless as strings are fixed
and not user provided.
Those, who don't see any warnings, should try CFLAGS="-Wall -Wformat
-Wno-format-extra-args -Wformat-security -Wformat-nonliteral
-Wformat=2" make

The question now is - why we shouldn't change code to get rid of most
of compiler warnings? Gazzillion of irrelevant warnings might just
hide some more important ones thus I personally would be +1 for
working around most common warnings to make compilation more silent
and thus more easy to spot any new issues.

Maris.

PS. Markus M - please provide Your CFLAGS as I don't see any warnings
when compiling r.lake with gcc version 4.6.3 (Gentoo 4.6.3 p1.3,
pie-0.5.1).

2012/8/10 Markus Neteler <neteler@osgeo.org>:

On Fri, Aug 10, 2012 at 12:39 AM, Markus Metz
<markus.metz.giswork@gmail.com> wrote:
...

If this is a real problem, why fix the symptoms and not the cause?
That would probably be the macro defining _().

+1
It worked for the past 10-xx years, so I don't see a reason why
messing up the code when one specific gcc version complains.

Markus
_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/grass-dev

On Fri, Aug 10, 2012 at 7:45 AM, Maris Nartiss <maris.gis@gmail.com> wrote:

Hello,
just to clarify.
It's not a GCC bug but a valid warning of an exploitable issue:
http://en.wikipedia.org/wiki/Uncontrolled_format_string
Still for most of GRASS codebase it's harmless as strings are fixed
and not user provided.
Those, who don't see any warnings, should try CFLAGS="-Wall -Wformat
-Wno-format-extra-args -Wformat-security -Wformat-nonliteral
-Wformat=2" make

You can also use "pscan" (comes with Debian Fedora, ...):

[neteler@north grass70]$ find . -name '*.c' | xargs pscan | wc -l
122

Random examples of pscan output:

./lib/gis/datum.c:115 SECURITY: sprintf call should have "%s" as argument 1
./lib/gis/datum.c:120 SECURITY: sprintf call should have "%s" as argument 1
./lib/gis/view.c:465 SECURITY: fprintf call should have "%s" as argument 1

Markus

On Fri, Aug 10, 2012 at 9:28 AM, Markus Neteler <neteler@osgeo.org> wrote:

You can also use "pscan" (comes with Debian Fedora, ...):

I.e.
http://www.debian.org/security/audit/examples/pscan

[neteler@north grass70]$ find . -name '*.c' | xargs pscan | wc -l
122

Here another one:
RATS: http://www.debian.org/security/audit/examples/RATS
--> results: http://gis.cri.fmach.it/download/grass7_rats_output.html

Markus

Hi,

2012/8/10 Markus Neteler <neteler@osgeo.org>:

If this is a real problem, why fix the symptoms and not the cause?
That would probably be the macro defining _().

+1
It worked for the past 10-xx years, so I don't see a reason why
messing up the code when one specific gcc version complains.

agreed, in any case such changes should be discussed in ML before
applying them in SVN.

grep "G_fatal_error(\"%s\", _(" * -R --include=*.c -l
general/g.proj/input.c
raster/r.lake/main.c

Martin

--
Martin Landa <landa.martin gmail.com> * http://geo.fsv.cvut.cz/~landa

On Fri, Aug 10, 2012 at 11:44 AM, Martin Landa <landa.martin@gmail.com> wrote:

Hi,

2012/8/10 Markus Neteler <neteler@osgeo.org>:

If this is a real problem, why fix the symptoms and not the cause?
That would probably be the macro defining _().

+1
It worked for the past 10-xx years, so I don't see a reason why
messing up the code when one specific gcc version complains.

agreed, in any case such changes should be discussed in ML before
applying them in SVN.

grep "G_fatal_error(\"%s\", _(" * -R --include=*.c -l
general/g.proj/input.c
raster/r.lake/main.c

My compile flags are -Wall -Wextra -fno-common -fexceptions
-Werror=implicit-function-declaration
These are not enough to trigger the warnings, the gcc 4.6.3 I use
needs at least one of
-Wall -Wformat -Wno-format-extra-args -Wformat-security
-Wformat-nonliteral -Wformat=2

With regard to r.lake, the warnings seem to be bogus because the
contents of the message strings are out of user control.

If these warnings should be fixed, I guess the right place is either
fixing the _ macro or G_message(), G_warning(), G_fatal_error(). Any
user input always goes first through the parser, thus the parser could
be modified and afterwards the extra format-related -W flags are no
longer needed.

In any case it seems to me that fixing that for every instance of
G_message(), G_warning(), G_fatal_error() and any print functions is
not really feasible.

Markus M

Markus Neteler wrote:

then it should be changes in *all* GRASS.

No, it shouldn't be changed at all.

This change cannot be made in the case where the format string has
parameters, so there's no reason to change it for the parameter-less
case.

Please revert.

--
Glynn Clements <glynn@gclements.plus.com>

Maris Nartiss wrote:

just to clarify.
It's not a GCC bug but a valid warning of an exploitable issue:

No it isn't. GCC cannot tell the difference between an exploitable
case and a non-exploitable case unless the format string is a literal,
but internationalisation requires dynamic format strings.

http://en.wikipedia.org/wiki/Uncontrolled_format_string
Still for most of GRASS codebase it's harmless as strings are fixed
and not user provided.
Those, who don't see any warnings, should try CFLAGS="-Wall -Wformat
-Wno-format-extra-args -Wformat-security -Wformat-nonliteral
-Wformat=2" make

The question now is - why we shouldn't change code to get rid of most
of compiler warnings?

Because it's more correct to change the compiler options. If you don't
want lots of bogus warnings, don't use warning flags which have a high
proportion of false positives.

Gazzillion of irrelevant warnings might just
hide some more important ones thus I personally would be +1 for
working around most common warnings to make compilation more silent
and thus more easy to spot any new issues.

If you want to change the code to eliminate warnings, start with the
ones which indicate genuine issues with the code, such as
uninitialised or unused variables, type mismatches, etc.

Actually, on second thoughts, don't. That task should be left to
someone who prefers correctness over hiding warnings. There have been
too many *real* bugs hidden by simplistic "fix warning" changes,
mostly a result of hiding type-mismatch warnings by inserting a type
cast, when in fact the data really did have the wrong type.

--
Glynn Clements <glynn@gclements.plus.com>

Martin Landa wrote:

sorry for ignorance, but what is the sense of such changes?

None. Fixed in r52626.

--
Glynn Clements <glynn@gclements.plus.com>

On Sat, Aug 11, 2012 at 8:19 PM, Glynn Clements
<glynn@gclements.plus.com> wrote:

Martin Landa wrote:

sorry for ignorance, but what is the sense of such changes?

None. Fixed in r52626.

There is another on in r52516.

Markus

Markus Neteler wrote:

>> sorry for ignorance, but what is the sense of such changes?
>
> None. Fixed in r52626.

There is another on in r52516.

Not any more :wink:

FWIW, if anyone wants to check for genuine format string issues,
configure --without-nls then compile with -Wformat-security. With NLS
disabled, the _() macro just returns its argument, so you won't get
warnings for translated string literals.

--
Glynn Clements <glynn@gclements.plus.com>