This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
- From: Rich Felker <dalias at aerifal dot cx>
- To: Ulrich Bayer <ubayer at sba-research dot org>
- Cc: "Joseph S. Myers" <joseph at codesourcery dot com>, libc-alpha at sourceware dot org
- Date: Thu, 6 Jun 2013 10:15:30 -0400
- Subject: Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
- References: <5102DBFD dot 4060103 at sba-research dot org> <513DE7A1 dot 8080501 at sba-research dot org> <Pine dot LNX dot 4 dot 64 dot 1305151554100 dot 15900 at digraph dot polyomino dot org dot uk> <51AF6406 dot 30201 at sba-research dot org> <Pine dot LNX dot 4 dot 64 dot 1306051643310 dot 14749 at digraph dot polyomino dot org dot uk> <51B07F27 dot 2070401 at sba-research dot org>
On Thu, Jun 06, 2013 at 02:23:03PM +0200, Ulrich Bayer wrote:
> > Likewise, it's inappropriate to use the nonnull attribute on arguments
> > where the semantics if those arguments are NULL is specified (as a runtime
> > constraint violation), because GCC may optimize based on the argument not
> > being NULL - the attribute can be used only when a NULL argument means
> > undefined behavior.
>
> I tend to agree. It's a pity we lose GCC's warnings about null pointer
> arguments though. I don't like the fact that a program becomes more insecure
> by the fact that it uses the Annex K functions.
I hardly find it a pity; rather, it's good reason for people NOT to
use these ill-conceived functions and to instead simply compile proper
portable C (portable in the sense of not depending on an optional
annex) with _FORTIFY_SOURCE.
> Although the _s functions
> gracefully handle the case when a NULL pointer is invoked, the user should not
> call the function with NULL as it results in a runtime-constraint violation.
> A compiler warning that something is NULL is always preferable to a runtime
> constraint (which might be an abort). Is there any other way so that GCC could
> warn about NULL but suppress optimization?
I'm unsure, but there's at least one place that both the optimization
and the warning would be unwanted: valid test code to check that the
runtime-constraint violation handlers get called. I suppose it's also
possible that application software could intentionally raise a runtime
constraint violation as a means of termination when one of its _own_
interfaces' contracts has been violated.
Rich
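The two points in the exchange above (why a bounds-checking function with a specified NULL-argument behaviour must not carry GCC's nonnull attribute, and what "test code that checks the runtime-constraint handler gets called" looks like) can be shown with a small Annex K-style sketch. This is an added example, not code from the patch under review or from glibc; the demo_* names, the handler signature and the recording handler are assumptions chosen to mirror the shape of C11 Annex K's strcpy_s and set_constraint_handler_s.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed Annex K-style types, modelled on the C11 Annex K shapes. */
typedef int errno_t;
typedef size_t rsize_t;
typedef void (*constraint_handler_t)(const char *msg, void *ptr, errno_t error);

/* Default handler for this demo: report and continue (a real one may abort). */
static void default_handler(const char *msg, void *ptr, errno_t error)
{
    (void)ptr;
    fprintf(stderr, "runtime-constraint violation: %s (errno %d)\n", msg, error);
}

static constraint_handler_t current_handler = default_handler;

/* Install a handler and return the previous one (set_constraint_handler_s shape). */
static constraint_handler_t demo_set_constraint_handler(constraint_handler_t h)
{
    constraint_handler_t old = current_handler;
    current_handler = h ? h : default_handler;
    return old;
}

/* strcpy_s lookalike.  Deliberately NOT declared __attribute__((nonnull)):
 * with that attribute GCC may assume dest/src are non-NULL, drop the checks
 * below (it warns about them with -Wnonnull-compare), and turn a diagnosed
 * runtime-constraint violation into a plain NULL dereference. */
static errno_t demo_strcpy_s(char *dest, rsize_t destsz, const char *src)
{
    if (dest == NULL || src == NULL) {
        current_handler("demo_strcpy_s: NULL argument", NULL, EINVAL);
        return EINVAL;
    }
    if (destsz == 0) {
        current_handler("demo_strcpy_s: destsz is zero", NULL, ERANGE);
        return ERANGE;
    }
    size_t n = strlen(src);
    if (n >= destsz) {
        dest[0] = '\0';   /* Annex K: dest[0] is nulled when dest is usable */
        current_handler("demo_strcpy_s: source too long", NULL, ERANGE);
        return ERANGE;
    }
    memcpy(dest, src, n + 1);
    return 0;
}

/* Test-only handler: records the violation instead of aborting, so a test
 * can check that the handler fired.  Calling demo_strcpy_s(NULL, ...) on
 * purpose here is exactly the valid code that a nonnull attribute would
 * both warn about and mis-optimize. */
static int violations_seen;
static errno_t last_error;

static void recording_handler(const char *msg, void *ptr, errno_t error)
{
    (void)msg; (void)ptr;
    violations_seen++;
    last_error = error;
}

/* Drive an OK copy, a NULL dest and an oversize source; returns the number
 * of handler invocations observed, or -1 if any return code was wrong. */
static int run_demo(void)
{
    char buf[8];
    violations_seen = 0;
    constraint_handler_t prev = demo_set_constraint_handler(recording_handler);

    errno_t r1 = demo_strcpy_s(buf, sizeof buf, "hello");     /* fits: 0 */
    errno_t r2 = demo_strcpy_s(NULL, sizeof buf, "hello");    /* NULL: EINVAL */
    errno_t r3 = demo_strcpy_s(buf, sizeof buf, "too long!"); /* 9 >= 8: ERANGE */

    demo_set_constraint_handler(prev);
    if (r1 != 0 || r2 != EINVAL || r3 != ERANGE || buf[0] != '\0')
        return -1;
    return violations_seen;   /* 2 */
}

int main(void)
{
    printf("handler invocations: %d\n", run_demo());
    return 0;
}
```

Compile it once as written and once with `__attribute__((nonnull))` added to demo_strcpy_s at -O2 to see the point of the review comment: the attributed build reports the NULL check as dead code and may not reach the handler at all.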