This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: MT-safe annotations for gcvt and related functions

From: Alexandre Oliva <aoliva at redhat dot com>
To: Florian Weimer <fweimer at redhat dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Thu, 18 Dec 2014 03:39:25 -0200
Subject: Re: MT-safe annotations for gcvt and related functions
Authentication-results: sourceware.org; auth=none
References: <548ACAD9 dot 6010906 at redhat dot com> <or61db9z30 dot fsf at free dot home> <549089A1 dot 4030705 at redhat dot com>

On Dec 16, 2014, Florian Weimer <fweimer@redhat.com> wrote:

> On 12/16/2014 08:25 PM, Alexandre Oliva wrote:
>> The comments right after the lines you quoted above state:
>> 
>> @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
>> @c args_value if it's too large, but gcvt never exercises this path.
>> 
>> which agrees with your observation, but not with the conclusion.  Do you
>> see any actual unsafe path that disagrees with my conclusions and
>> annotations in the comments above, or were you just going by the general
>> safety remarks about sprintf et al?

> I was going with the common knowledge that sprintf isn't
> async-signal-safe. :-/

Ah, good.

Here's a patch that adds further comments, elaborating the rationale for
gcvt to be safe.

Ok to install?


for ChangeLog

	* manual/arith.texi (gcvt): Expand safety rationale.
---
 manual/arith.texi |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/manual/arith.texi b/manual/arith.texi
index 72682f0..dd9d060 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -2670,6 +2670,14 @@ to @code{fcvt}.
 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
 @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
 @c args_value if it's too large, but gcvt never exercises this path.
+@c vfprintf and printf_fp might malloc() other buffers too, but only if
+@c the involved sizes exceeded the alloca limit, but the NDIGIT_MAX
+@c limits ensure any required buffers will be well below the alloca
+@c limit.  printf_fp also accesses the locale object, but it
+@c dereferences the locale pointer to a const locale object only once
+@c (due to compiler optimizations over all _NL_CURRENT uses), and it is
+@c called only once by vfprintf with the given format string, so it is
+@c safe even under concurrent locale changes.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.


-- 
Alexandre Oliva, freedom fighter    http://FSFLA.org/~lxoliva/
You must be the change you wish to see in the world. -- Gandhi
Be Free! -- http://FSFLA.org/   FSF Latin America board member
Free Software Evangelist|Red Hat Brasil GNU Toolchain Engineer

References:
- MT-safe annotations for gcvt and related functions
  - From: Florian Weimer
- Re: MT-safe annotations for gcvt and related functions
  - From: Alexandre Oliva
- Re: MT-safe annotations for gcvt and related functions
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]