On Wed, 5 Oct 2016, Martin Sebor wrote:

> > Or it could show up a logical error where the code should have had a
> > wint_t variable and checked for WEOF somewhere but just assumed things
> > would fit in wchar_t
> 
> WEOF that fits in a wint_t also fits in a wchar_t when the two types
> have the same precision, the case where GCC issues the warning (and
> where WEOF expands to 0xffffffffu).  So this isn't an example of
> a problem that could arise on the targets that brought this up, or
> any other targets that I'm aware of.

The problem is e.g. code calling getwchar and not checking for WEOF.  
0xffffffffu does not fit in a 32-bit signed variable unless your code is 
confusing signed and unsigned freely.  And even if you consider it OK to 
check after conversion to wchar_t rather than before, the lack of a wint_t 
variable for the result seems likely to accompany a missing check.

> > (and so could be passing a negative value where the
> > ABI means the callee expects wint_t values to be zero-extended, with
> > consequent undefined behavior there).
> 
> Sign extension is also not an issue on the target where the warning
> is issued (x86_64 ILP32) and where wchar_t is int and wint_t is
> unsigned long.

There are plenty of architectures where the ABI does require the high part 
to be extended in a particular way; that's why the Linux kernel has 
syscall wrappers, because improperly extended 32-bit syscall arguments 
caused security issues in the past.  In some cases it's even 
architecturally undefined what the processor does when an instruction 
input isn't properly extended (although at least in the MIPS case the 
required extension there is always sign-extension, whether the 32-bit 
value is considered signed or unsigned).

I'd actually hope for future forms of sanitization to be able to detect at 
runtime when you have undefined behavior from incorrectly typed arguments 
to variadic functions.

I think the warning is the correct thing for anyone trying to write C as a 
high-level language and be type-correct and properly check before doing 
conversions that might change values unless those changes are actually 
intended, and that warning rather than lesser warnings for "C as portable 
assembler" is the appropriate default for format checking.

-- 
Joseph S. Myers
jos...@codesourcery.com

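The type discipline the message argues for (keep a getwchar()-style result in wint_t, compare it with WEOF before narrowing to wchar_t, and pass a wint_t to %lc), as an added example that is not code from this thread, from GCC or from glibc. Instead of stdin it reads from a constructed byte buffer through a hypothetical `wide_source` stand-in decoded with mbrtowc, so it runs offline in the "C" locale; the sample text is ASCII, so decoding cannot fail here and WEOF only ever means end of input.

```c
/* Added example, not code from the thread or from GCC/glibc.
 * `wide_source` is a made-up stand-in for a wide input stream so the
 * demo needs no terminal; everything else is plain ISO C. */
#include <stddef.h>
#include <string.h>
#include <wchar.h>

struct wide_source {
    const char *p;      /* next undecoded byte */
    size_t left;        /* bytes remaining */
    mbstate_t st;       /* multibyte conversion state */
};

struct wide_source source_from_bytes(const char *bytes, size_t len)
{
    struct wide_source s;
    s.p = bytes;
    s.left = len;
    memset(&s.st, 0, sizeof s.st);          /* initial shift state */
    return s;
}

/* Same contract as getwchar(): returns a wint_t, and WEOF both at end
 * of input and when the bytes do not decode.  The value alone cannot
 * distinguish the two, and it does not fit in a wchar_t without a
 * value-changing conversion, so callers must keep it in a wint_t. */
wint_t source_getwc(struct wide_source *s)
{
    wchar_t wc;
    size_t k;

    if (s->left == 0)
        return WEOF;
    k = mbrtowc(&wc, s->p, s->left, &s->st);
    if (k == (size_t) -1 || k == (size_t) -2) {
        s->left = 0;                        /* invalid or truncated sequence */
        return WEOF;
    }
    if (k == 0)                             /* a NUL byte still consumes one byte */
        k = 1;
    s->p += k;
    s->left -= k;
    return (wint_t) wc;
}

/* Copies one line into buf (capacity cap, always NUL-terminated).
 * Returns the number of characters stored, 0 for an empty line, or -1
 * when WEOF arrived before any character (end of input or error).
 * A final line with no trailing newline is still returned normally. */
long read_wide_line(struct wide_source *s, wchar_t *buf, size_t cap)
{
    size_t n = 0;
    wint_t wc;                              /* holds every wchar_t value and WEOF */

    while ((wc = source_getwc(s)) != WEOF) {  /* compared as wint_t, before narrowing */
        if (wc == L'\n') {
            buf[n] = L'\0';
            return (long) n;
        }
        if (n + 1 < cap)
            buf[n++] = (wchar_t) wc;        /* safe now: WEOF has been excluded */
    }
    buf[n] = L'\0';
    return n == 0 ? -1 : (long) n;
}

/* Renders one stored character with %lc, whose argument type is wint_t.
 * The explicit conversion is what the -Wformat warning discussed above
 * asks for on targets where wchar_t and wint_t are different types. */
int format_wide_char(wchar_t c, wchar_t *out, size_t cap)
{
    return swprintf(out, cap, L"[%lc]", (wint_t) c);
}

/* Counts the lines in a byte buffer; read_wide_line's WEOF handling is
 * what terminates the loop. */
int count_lines(const char *bytes, size_t len)
{
    struct wide_source s = source_from_bytes(bytes, len);
    wchar_t line[64];
    int lines = 0;

    while (read_wide_line(&s, line, sizeof line / sizeof line[0]) >= 0)
        lines++;
    return lines;
}
```

The pattern the message objects to would declare `wchar_t wc;` in read_wide_line and compare that against WEOF: on a target where wchar_t is a 32-bit int the comparison still terminates the loop only because -1 converts back to 0xffffffffu, and on a target where wchar_t is narrower or unsigned it never matches and the loop never ends.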