The attached changes add documentation of some of the options I worked on for GCC 8.
The links to the GCC 8 manual don't work because there is no gcc-8 documentation directory. I have checked them by hand by substituting the GCC 7 directory. (I wonder: would it be possible to populate the GCC 8 documentation directory ahead of the release to make the checking easier?)

I fixed all the errors for the document pointed out by the Markup Validator at https://validator.w3.org/check.

Martin
Index: changes.html =================================================================== RCS file: /cvs/gcc/wwwdocs/htdocs/gcc-8/changes.html,v retrieving revision 1.50 diff -u -r1.50 changes.html --- changes.html 1 Apr 2018 22:19:57 -0000 1.50 +++ changes.html 3 Apr 2018 20:47:33 -0000 @@ -1,3 +1,4 @@ +<!doctype html system> <html> <head> @@ -9,7 +10,7 @@ --> <body> -<h1>GCC 8 Release Series<br />Changes, New Features, and Fixes</h1> +<h1>GCC 8 Release Series<br>Changes, New Features, and Fixes</h1> <p> This page is a "brief" summary of some of the huge number of improvements @@ -108,6 +109,20 @@ thus mitigate the attack vector that relies on jumping over a stack guard page as provided by the operating system. </li> + <li> + GCC has been enhanced to detect more instances of meaningless or + mutually exclusive attribute specifications and hande such conflicts + more consistently. Mutually excclusive attribute specifications are + ignored with a warning regardless of whether they appear on the same + declaration or on distinct declarations of the same entitiy. For + example, because the <code>noreturn</code> attribute on the second + declaration below is mutually exclusive with the <code>malloc</code> + attribute on the first, it is ignored and a warning is issued. + <pre> + void* __attribute__ ((malloc)) f (unsigned); + void* __attribute__ ((noreturn)) f (unsigned); + + <span class="boldmagenta">warning: </span>ignoring attribute '<b>noreturn</b>' because it conflicts with attribute '<b>malloc</b>' [<span class="boldmagenta">-Wattributes</span>]</pre></li> </ul> 
@@ -163,10 +178,41 @@ <ul> <li>New command-line options have been added for the C and C++ compilers: <ul> - <li><code>-Wmultistatement-macros</code> warns about unsafe macros - expanding to multiple statements used as a body of a clause such - as <code>if</code>, <code>else</code>, <code>while</code>, - <code>switch</code>, or <code>for</code>.</li> + <li><code><a href="https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html#index-Wmultistatement-macros">-Wmultistatement-macros</a></code> + warns about unsafe macros expanding to multiple statements used + as a body of a statement such as <code>if</code>, <code>else</code>, + <code>while</code>, <code>switch</code>, or <code>for</code>.</li> + <li><code><a href="https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html#index-Wstringop-truncation">-Wstringop-truncation</a></code> + warns for calls to bounded string manipulation functions such as + <code>strncat</code>, <code>strncpy</code>, and <code>stpncpy</code> + that might either truncate the copied string or leave the destination + unchanged. For example, the following call to <code>strncat</code> + is diagnosed because it appends just three of the four characters + from the source string.<pre> + void append (char *buf, size_t bufsize) + { + strncat (buf, ".txt", 3); + } + <span class="boldmagenta">warning: '</span><b>strncat</b>' output truncated copying 3 bytes from a string of length 4 [<span class="boldmagenta">-Wstringop-truncation</span>]</pre> + Similarly, in the following example, the call to <code>strncpy</code> + specifies the size of the destination buffer as the bound. If the + length of the source string is equal to or greater than this size + the result of the copy will not be NUL-terminated. Therefore, + the call is also diagnosed. 
To avoid the warning, specify + <code>sizeof buf - 1</code> as the bound and set the last element of + the buffer to NUL.<pre> + void copy (const char *s) + { + char buf[80]; + strncpy (buf, s, sizeof buf); + … + } + <span class="boldmagenta">warning: '</span><b>strncpy</b>' specified bound 80 equals destination size [<span class="boldmagenta">-Wstringop-truncation</span>]</pre> + The <code>-Wstringop-truncation</code> option is included in + <code>-Wall</code>.<br> + Note that due to GCC bug <a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82944" title="missing -Wstringop-truncation on strncpy due to system header macro">82944</a>, defining <code>strncat</code>, <code>strncpy</code>, + or <code>stpncpy</code> as a macro in a system header as some + implementations do suppresses the warning.</li> </ul> </li> <li><code>-fno-strict-overflow</code> is now mapped to 
@@ -174,11 +220,57 @@ is now undefined by default at all optimization levels. Using <code>-fsanitize=signed-integer-overflow</code> is now the preferred way to audit code, <code>-Wstrict-overflow</code> is deprecated.</li> + <li>The <code><a href="https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html#index-Warray-bounds">-Warray-bounds</a></code> option has been + improved to detect more instances of out-of-bounds array indices and + pointer offsets. For example, negative or excessive indices into + flexible array members and string literals are detected.</li> + <li>The <code><a href="https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html#index-Wrestrict">-Wrestrict</a></code> option introduced in + GCC 7 has been enhanced to detect many more instances of overlapping + accesses to objects via <code>restrict</code>-qualified arguments to + standard memory and string manipulation functions such as + <code>memcpy</code> and <code>strcpy</code>. For example, + the <code>strcpy</code> call in the function below attempts to truncate + the string by replacing its initial characters with the last four. + However, because the function writes the terminating NUL into + <code>a[4]</code>, the copies overlap and the call is diagnosed.<pre> + void f (void) + { + char a[] = "abcd1234"; + strcpy (a, a + 4); + … + }</pre> + The <code>-Wrestrict</code> option is included in <code>-Wall</code>. + </li> + <li>Several optimizer enhancements have enabled improvements to + the <code><a href="https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html#index-Wformat-overflow">-Wformat-overflow</a></code> and + <code><a href="https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html#index-Wformat-truncation">-Wformat-truncation</a></code> options. 
+ The warnings detect more instances of buffer overflow and truncation + than in GCC 7 and are better at avoiding certain kinds of false + positives.</li> </ul> <h3 id="cxx">C++</h3> <ul> - <li></li> + <li>New command-line options have been added for the C++ compiler: + <ul> + <li><code><a href="https://gcc.gnu.org/onlinedocs/gcc/C_002b_002b-Dialect-Options.html#index-Wclass-memaccess">-Wclass-memaccess</a></code> warns + when objects of non-trivial class types are manipulated in potentially + unsafe ways by raw memory functions such as <code>memcpy</code>, or + <code>realloc</code>. The warning helps detect calls that bypass + user-defined constructors or copy-assignment operators, corrupt + virtual table pointers, data members of <code>const</code>-qualified + types or references, or member pointers. The warning also detects + calls that would bypass access controls to data members. For example, + a call such as: + <pre> + memcpy (&std::cout, &std::cerr, sizeof std::cout);</pre> + results in + <pre> + <span class="boldmagenta">warning: </span>'<b>void* memcpy(void*, const void*, long unsigned int)</b>' writing to an object of type 'std::ostream' {aka 'class std::basic_ostream<char>'} with no trivial copy-assignment [<span class="boldmagenta">-Wclass-memaccess</span>]</pre> + The <code>-Wclass-memaccess</code> is included in <code>-Wall</code>. + </li> + </ul> +</li> </ul> <h3 id="fortran">Fortran</h3>
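Review bot: the doctype added in the @@ -1,3 +1,4 @@ hunk reads `<!doctype html system>`, with the `system` keyword but no system identifier after it. If the page is meant to be HTML5, the plain `<!DOCTYPE html>` form is enough; otherwise the keyword should be followed by the identifier it refers to.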
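Review bot: the new attribute paragraph in the @@ -108,6 +109,20 @@ hunk has three misspellings: "hande" (handle), "excclusive" (exclusive) and "entitiy" (entity). Since the example depends on reading the two declarations of `f` as first and second, it would also help to say in the text that the warning is reported on the second declaration.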
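Review bot: in the @@ -163,10 +178,41 @@ hunk, both -Wstringop-truncation warning lines put the opening quote inside the coloured span (`<span class="boldmagenta">warning: '</span><b>strncat</b>'`), whereas the -Wattributes and -Wclass-memaccess examples in the same patch close the span before the quote (`warning: </span>'<b>`). Please make the three consistent so the quote is not rendered in magenta. Also, the `append` example declares a `bufsize` parameter that it never uses; either drop it or use it in the bound so readers do not take the example as a pattern. Finally, the strncpy paragraph describes the fix (`sizeof buf - 1` plus an explicit NUL in the last element) only in prose; showing the corrected call next to the diagnosed one would make the recommended form unambiguous.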
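Review bot: in the -Wclass-memaccess item of the @@ -174,11 +220,57 @@ hunk, the two `<pre>` blocks contain unescaped markup characters: `&std::cout` and `&std::cerr` in the memcpy call, and `std::basic_ostream<char>` in the warning text, where `<char>` will be parsed as an element and vanish from the rendered page. These should be written as `&amp;std::cout` and `basic_ostream&lt;char&gt;`. In the same item, the link targets onlinedocs/gcc/ while every other link added by the patch targets onlinedocs/gcc-8.1.0/gcc/, the phrase "such as memcpy, or realloc" has a stray comma, and "The -Wclass-memaccess is included" is missing the word "option". The -Wrestrict example is also the only one without the warning text it produces, which the other examples all show.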