On Ubuntu 16.04:

$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.5) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ make
[...]
In function ‘wcsncpy’,
    inlined from ‘calculate_zip_path’ at ./Modules/getpath.c:797:5:
/usr/include/x86_64-linux-gnu/bits/wchar2.h:200:9: warning: call to ‘__wcsncpy_chk_warn’ declared with attribute warning: wcsncpy called with length bigger than size of destination buffer
  return __wcsncpy_chk_warn (__dest, __src, __n,
         ^
In function ‘wcsncpy’,
    inlined from ‘calculate_zip_path’ at ./Modules/getpath.c:806:9:
/usr/include/x86_64-linux-gnu/bits/wchar2.h:200:9: warning: call to ‘__wcsncpy_chk_warn’ declared with attribute warning: wcsncpy called with length bigger than size of destination buffer
  return __wcsncpy_chk_warn (__dest, __src, __n,
         ^
In function ‘wcsncpy’,
    inlined from ‘calculate_argv0_path’ at ./Modules/getpath.c:683:5:
/usr/include/x86_64-linux-gnu/bits/wchar2.h:200:9: warning: call to ‘__wcsncpy_chk_warn’ declared with attribute warning: wcsncpy called with length bigger than size of destination buffer
  return __wcsncpy_chk_warn (__dest, __src, __n,
         ^
In function ‘wcsncpy’,
    inlined from ‘calculate_argv0_path’ at ./Modules/getpath.c:736:13:
/usr/include/x86_64-linux-gnu/bits/wchar2.h:200:9: warning: call to ‘__wcsncpy_chk_warn’ declared with attribute warning: wcsncpy called with length bigger than size of destination buffer
  return __wcsncpy_chk_warn (__dest, __src, __n,
         ^

In function ‘wcsncpy’,
    inlined from ‘calculate_zip_path’ at ./Modules/getpath.c:797:5:
/usr/include/x86_64-linux-gnu/bits/wchar2.h:200:9: warning: call to ‘__wcsncpy_chk_warn’ declared with attribute warning: wcsncpy called with length bigger than size of destination buffer
  return __wcsncpy_chk_warn (__dest, __src, __n,
         ^

Line 797:

    wcsncpy(calculate->zip_path, prefix, MAXPATHLEN);

calculate type is "PyCalculatePath *" which is defined as:

typedef struct {
    ...
    wchar_t zip_path[MAXPATHLEN+1];    /* ".../lib/pythonXY.zip" */
    ...
} PyCalculatePath;

Earlier, all bytes are set to 0:

    memset(&calculate, 0, sizeof(calculate));

So I don't see how wcsncpy() can overflow.


By the way, I'm unable to reproduce the warning on Fedora 27 with GCC 7.2.1. Are you using -D_FORTIFY_SOURCE=1? Are you compiling Python in release mode? Can you try to find the command line compiling getpath.c?

Here is the command line:

gcc -pthread -c -Wno-unused-result -Wsign-compare -g -Og -Wall -Wstrict-prototypes    -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration   -I. -I./Include    -DPy_BUILD_CORE -DPYTHONPATH='":"' \
	-DPREFIX='"/usr/local"' \
	-DEXEC_PREFIX='"/usr/local"' \
	-DVERSION='"3.7"' \
	-DVPATH='""' \
	-o Modules/getpath.o ./Modules/getpath.c

The same on Ubuntu 17.10 with gcc 7.2.0.

Ah, I missed the warning because I forge -O0 when I build Python.

https://wiki.ubuntu.com/ToolChain/CompilerFlags

Ubuntu adds -D_FORTIFY_SOURCE=2 flag by default.

The warnings can be seen with "-D_FORTIFY_SOURCE=2 -Og", but not with "-D_FORTIFY_SOURCE=2 -O3". Moreover, "-D_FORTIFY_SOURCE=2 -O0" complains that _FORTIFY_SOURCE requires to optimize the code.

It looks more like a false alarm because -D_FORTIFY_SOURCE=2 is incompatible with -Og.

Maybe we should force -D_FORTIFY_SOURCE=0 when we build Python in debug mode?

I don't think so.  It's good to have fortify enabled, especially in debug mode :-)

If the warnings are harmless and there isn't an easy way to suppress them, then I'm ok to close this issue.

getpath.c uses many buffers of MAXPATHLEN+1 wide characters. Example:

    wchar_t argv0_path[MAXPATHLEN+1];

These buffers are initialized to zero to make sure that the last character is always a NULL character.

To keep the final NULL character, string copies use:

   wcsncpy(dest, src, MAXPATHLEN);

This code is wrong: it truncates the string if it's longer than MAXPATHLEN characters.

I modified the code to move global buffers closer to where there are used, and to dynamically allocate strings on the heap, rather using fixed sizes. But I didn't finish to "cleanup" Modules/getpath.c and PC/getpathp.c. The code still uses the buffer of fixed size and truncate strings.

The real fix would be to avoid these fixed-size buffers, and only use dynamically allocated strings.

I modified the code to allow to report errors. Previously, it wasn't possible exception using Py_FatalError() which is not a nice way to report errors, especially when Python is embedded in an application.

See bpo-32030 for my huge refactoring work on the Python initialization code.

Warnings are emitted when compile with gcc-5, gcc-6 and gcc-7, but not when compile with gcc-4.8 or gcc-8.

Versions:

gcc-4.8 (Ubuntu 4.8.5-4ubuntu8) 4.8.5
gcc-5 (Ubuntu 5.5.0-12ubuntu1) 5.5.0 20171010
gcc-6 (Ubuntu 6.4.0-17ubuntu1) 6.4.0 20180424
gcc-7 (Ubuntu 7.3.0-16ubuntu3) 7.3.0
gcc-8 (Ubuntu 8-20180414-1ubuntu2) 8.0.1 20180414 (experimental) [trunk revision 259383]

I just recompiled the master branch of Python twice using these flags:

* -D_FORTIFY_SOURCE=2 -Og
* -D_FORTIFY_SOURCE=2 -O3

I got a few warnings, the same that I get without FORTIFY SOURCE.

Using -D_FORTIFY_SOURCE=2 -O3, I get one warning, but it's no longer from getpath.c but in socketmodule.c. So I created a new issue: bpo-38282 "socketmodule.c: _FORTIFY_SOURCE=2 warning in AF_ALG case of getsockaddrarg()".

I close this issue. It has been fixed in the master branch.