improve out-of-bounds checking with GCC 10 attribute access [BZ #25219]

Adds the access attribute newly introduced in GCC 10 to the subset of
function declarations that are already covered by _FORTIFY_SOURCE and
that don't have corresponding GCC built-in equivalents.

Reviewed-by: DJ Delorie <dj@redhat.com>

2 files changed, 24 insertions, 14 deletions

diff --git a/string/bits/string_fortified.h b/string/bits/string_fortified.h
index e4d07cb50c..309d0f39b2 100644
--- a/string/bits/string_fortified.h
+++ b/string/bits/string_fortified.h
@@ -75,7 +75,7 @@ __NTH (memset (void *__dest, int __ch, size_t __len))
 # include <bits/strings_fortified.h>
 
 void __explicit_bzero_chk (void *__dest, size_t __len, size_t __destlen)
-  __THROW __nonnull ((1));
+  __THROW __nonnull ((1)) __attr_access ((__write_only__, 1, 2));
 
 __fortify_function void
 __NTH (explicit_bzero (void *__dest, size_t __len))
@@ -108,7 +108,8 @@ __NTH (strncpy (char *__restrict __dest, const char *__restrict __src,
 
 /* XXX We have no corresponding builtin yet.  */
 extern char *__stpncpy_chk (char *__dest, const char *__src, size_t __n,
-			    size_t __destlen) __THROW;
+			    size_t __destlen) __THROW
+  __attr_access ((__write_only__, 1, 3)) __attr_access ((__read_only__, 2));
 extern char *__REDIRECT_NTH (__stpncpy_alias, (char *__dest, const char *__src,
 					       size_t __n), stpncpy);
 
diff --git a/string/string.h b/string/string.h
index a0f2860cc2..d7ce0f4a1b 100644
--- a/string/string.h
+++ b/string/string.h
@@ -53,7 +53,7 @@ extern void *memmove (void *__dest, const void *__src, size_t __n)
 #if defined __USE_MISC || defined __USE_XOPEN || __GLIBC_USE (ISOC2X)
 extern void *memccpy (void *__restrict __dest, const void *__restrict __src,
 		      int __c, size_t __n)
-     __THROW __nonnull ((1, 2));
+    __THROW __nonnull ((1, 2)) __attr_access ((__write_only__, 1, 4));
 #endif /* Misc || X/Open.  */
 
 
@@ -108,12 +108,15 @@ extern void *rawmemchr (const void *__s, int __c)
 /* Search N bytes of S for the final occurrence of C.  */
 # ifdef __CORRECT_ISO_CPP_STRING_H_PROTO
 extern "C++" void *memrchr (void *__s, int __c, size_t __n)
-      __THROW __asm ("memrchr") __attribute_pure__ __nonnull ((1));
+      __THROW __asm ("memrchr") __attribute_pure__ __nonnull ((1))
+      __attr_access ((__read_only__, 1, 3));
 extern "C++" const void *memrchr (const void *__s, int __c, size_t __n)
-      __THROW __asm ("memrchr") __attribute_pure__ __nonnull ((1));
+      __THROW __asm ("memrchr") __attribute_pure__ __nonnull ((1))
+      __attr_access ((__read_only__, 1, 3));
 # else
 extern void *memrchr (const void *__s, int __c, size_t __n)
-      __THROW __attribute_pure__ __nonnull ((1));
+      __THROW __attribute_pure__ __nonnull ((1))
+      __attr_access ((__read_only__, 1, 3));
 # endif
 #endif
 
@@ -146,7 +149,7 @@ extern int strcoll (const char *__s1, const char *__s2)
 /* Put a transformation of SRC into no more than N bytes of DEST.  */
 extern size_t strxfrm (char *__restrict __dest,
 		       const char *__restrict __src, size_t __n)
-     __THROW __nonnull ((2));
+    __THROW __nonnull ((2)) __attr_access ((__write_only__, 1, 3));
 
 #ifdef __USE_XOPEN2K8
 /* POSIX.1-2008 extended locale interface (see locale.h).  */
@@ -158,7 +161,8 @@ extern int strcoll_l (const char *__s1, const char *__s2, locale_t __l)
 /* Put a transformation of SRC into no more than N bytes of DEST,
    using sorting rules from L.  */
 extern size_t strxfrm_l (char *__dest, const char *__src, size_t __n,
-			 locale_t __l) __THROW __nonnull ((2, 4));
+			 locale_t __l) __THROW __nonnull ((2, 4))
+     __attr_access ((__write_only__, 1, 3));
 #endif
 
 #if (defined __USE_XOPEN_EXTENDED || defined __USE_XOPEN2K8	\
@@ -368,7 +372,9 @@ extern char *strcasestr (const char *__haystack, const char *__needle)
    HAYSTACK is HAYSTACKLEN bytes long.  */
 extern void *memmem (const void *__haystack, size_t __haystacklen,
 		     const void *__needle, size_t __needlelen)
-     __THROW __attribute_pure__ __nonnull ((1, 3));
+     __THROW __attribute_pure__ __nonnull ((1, 3))
+    __attr_access ((__read_only__, 1, 2))
+    __attr_access ((__read_only__, 3, 4));
 
 /* Copy N bytes of SRC to DEST, return pointer to bytes after the
    last written byte.  */
@@ -409,17 +415,18 @@ extern char *strerror (int __errnum) __THROW;
 #  ifdef __REDIRECT_NTH
 extern int __REDIRECT_NTH (strerror_r,
 			   (int __errnum, char *__buf, size_t __buflen),
-			   __xpg_strerror_r) __nonnull ((2));
+			   __xpg_strerror_r) __nonnull ((2))
+    __attr_access ((__write_only__, 2, 3));
 #  else
 extern int __xpg_strerror_r (int __errnum, char *__buf, size_t __buflen)
-     __THROW __nonnull ((2));
+     __THROW __nonnull ((2)) __attr_access ((__write_only__, 2, 3));
 #   define strerror_r __xpg_strerror_r
 #  endif
 # else
 /* If a temporary buffer is required, at most BUFLEN bytes of BUF will be
    used.  */
 extern char *strerror_r (int __errnum, char *__buf, size_t __buflen)
-     __THROW __nonnull ((2)) __wur;
+     __THROW __nonnull ((2)) __wur  __attr_access ((__write_only__, 2, 3));
 # endif
 #endif
 
@@ -433,7 +440,8 @@ extern char *strerror_l (int __errnum, locale_t __l) __THROW;
 
 /* Set N bytes of S to 0.  The compiler will not delete a call to this
    function, even if S is dead after the call.  */
-extern void explicit_bzero (void *__s, size_t __n) __THROW __nonnull ((1));
+extern void explicit_bzero (void *__s, size_t __n) __THROW __nonnull ((1))
+    __attr_access ((__write_only__, 1, 2));
 
 /* Return the next DELIM-delimited token from *STRINGP,
    terminating it with a '\0', and update *STRINGP to point past it.  */
@@ -471,7 +479,8 @@ extern int strverscmp (const char *__s1, const char *__s2)
 extern char *strfry (char *__string) __THROW __nonnull ((1));
 
 /* Frobnicate N bytes of S.  */
-extern void *memfrob (void *__s, size_t __n) __THROW __nonnull ((1));
+extern void *memfrob (void *__s, size_t __n) __THROW __nonnull ((1))
+    __attr_access ((__write_only__, 1, 2));
 
 # ifndef basename
 /* Return the file name within directory of FILENAME.  We don't