Warn when gettimeofday is called with non-null tzp argument.

Since there are no known uses of gettimeofday's vestigial "get time
zone" feature that are not bugs, add a fortify-style wrapper inline to
sys/time.h that issues a warning whenever gettimeofday is called with
a second argument that is not a compile-time null pointer
constant.

At present this is only possible with GCC; clang does not implement
attribute((warning)).  The wrapper is only activated when __OPTIMIZE__
is defined because it throws false positives when optimization is off,
even though it's an always-inline function.

An oversight in the implementation of __builtin_constant_p causes it
to fail to detect compile-time *pointer* constants unless they are
cast to an integer of a different size.  (Loss of data in this cast is
harmless; the overall expression is still constant if and only if the
original pointer was.)  This is GCC bug 95514.  Thanks to
Kamil Cukrowski <kamilcukrowski@gmail.com> for the workaround.
As a precaution, I added a static assertion to debug/warning-nop.c to
make sure that the cast _is_ casting to an integer of a different
size; this is too unlikely a scenario to be worth checking in the
public header, but if someone ever adds a port where short is the
same size as intptr_t, we'll still catch it.

diff --git a/debug/warning-nop.c b/debug/warning-nop.c
index 4ab7e182b728d4b5b7e9240a925624856db99001..9bd890a20b26a2ff2d728e489a6d3bb89beb7c55 100644 (file)
--- a/debug/warning-nop.c
+++ b/debug/warning-nop.c
@@ -67,4 +67,13 @@ nop (void)
 #define __builtin___strncpy_chk(dest, src, len, bos) NULL
 #define __builtin_object_size(bos, level) 0
 
+/* The code in sys/time.h that uses __warndecl has to work around GCC
+    bug 91554.  The work-around is only effective if intptr_t is not
+    the same size as short.  */
+#include <stdint.h>
+_Static_assert (sizeof (intptr_t) != sizeof (short),
+                "workaround for GCC bug 91554 in sys/time.h"
+                " is only effective when short is smaller than a pointer");
+
 #include <string.h>
+#include <sys/time.h>

diff --git a/time/sys/time.h b/time/sys/time.h
index 21fa9ed4518108337cde0380305c329f7db90a46..6b6f71d2e5a22781bf5b9d898cdee71a4ff2826b 100644 (file)
--- a/time/sys/time.h
+++ b/time/sys/time.h
@@ -66,6 +66,30 @@ struct timezone
 extern int gettimeofday (struct timeval *__restrict __tv,
                         void *__restrict __tz) __THROW __nonnull ((1));
 
+#if __GNUC_PREREQ (4,3) && defined __REDIRECT && defined __OPTIMIZE__
+/* Issue a warning for use of gettimeofday with a non-null __tz argument.  */
+__warndecl (__warn_gettimeofday_nonnull_timezone,
+            "gettimeofday with non-null or non-constant timezone parameter;"
+            " this is obsolete and inaccurate, use localtime instead");
+
+extern int __REDIRECT_NTH (__gettimeofday_alias,
+                           (struct timeval *__restrict __tv,
+                            void *__restrict __tz), gettimeofday)
+  __nonnull ((1));
+
+/* The double cast below works around a limitation in __builtin_constant_p
+   in all released versions of GCC (as of August 2019).
+   See <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91554>.  */
+__fortify_function int
+__NTH (gettimeofday (struct timeval *__restrict __tv, void *__restrict __tz))
+{
+  if (! (__builtin_constant_p ((short) (__intptr_t) __tz) && __tz == 0))
+    __warn_gettimeofday_nonnull_timezone ();
+
+  return __gettimeofday_alias (__tv, __tz);
+}
+#endif
+
 #ifdef __USE_MISC
 /* Set the current time of day and timezone information.
    This call is restricted to the super-user.