This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions

From: Rich Felker <dalias at aerifal dot cx>
To: Ulrich Bayer <ubayer at sba-research dot org>
Cc: "Joseph S. Myers" <joseph at codesourcery dot com>, libc-alpha at sourceware dot org
Date: Thu, 6 Jun 2013 10:15:30 -0400
Subject: Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
References: <5102DBFD dot 4060103 at sba-research dot org> <513DE7A1 dot 8080501 at sba-research dot org> <Pine dot LNX dot 4 dot 64 dot 1305151554100 dot 15900 at digraph dot polyomino dot org dot uk> <51AF6406 dot 30201 at sba-research dot org> <Pine dot LNX dot 4 dot 64 dot 1306051643310 dot 14749 at digraph dot polyomino dot org dot uk> <51B07F27 dot 2070401 at sba-research dot org>

On Thu, Jun 06, 2013 at 02:23:03PM +0200, Ulrich Bayer wrote:
> > Likewise, it's inappropriate to use the nonnull attribute on arguments 
> > where the semantics if those arguments are NULL is specified (as a runtime 
> > constraint violation), because GCC may optimize based on the argument not 
> > being NULL - the attribute can be used only when a NULL argument means 
> > undefined behavior.
> 
> I tend to agree. It's a pity we loose GCC's warnings about null pointer 
> arguments though. I don't like the fact that a program becomes more unsecure 
> by the fact that is uses the Annex K functions.

I hardly find it a pity; rather, it's good reason for people NOT to
use these ill-conceived functions and to instead simply compile proper
portable C (portable in the sense of not depending on an optional
annex) with _FORTIFY_SOURCE.

> Although the _s functions 
> gracefully handle the case when a NULL pointer is invoked, the user should not 
> call the function with NULL as it results in a runtime-constraint violation. 
> A compiler warning that something is NULL is always preferable to a runtime 
> constraint (which might be an abort). Is there any other way so that GCC could
> warn about NULL but suppress optimization?

I'm unsure, but there's at lease one place that both the optimization
and the warning would be unwanted: valid test code to check that the
runtime-constraint violation handlers get called. I suppose it's also
possible that application software could intentionally raise a runtime
constraint violation as a means of termination when one of its _own_
interfaces' contracts has been violated.

Rich

Follow-Ups:
- Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
  - From: Joseph S. Myers

References:
- [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
  - From: Ulrich Bayer
- Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
  - From: Joseph S. Myers
- Re: [RFC][PATCH v2] Initial support for C11 Annex K Bounds checking functions
  - From: Ulrich Bayer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]