This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: MT-safe annotations for gcvt and related functions
- From: Alexandre Oliva <aoliva at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 18 Dec 2014 03:39:25 -0200
- Subject: Re: MT-safe annotations for gcvt and related functions
- Authentication-results: sourceware.org; auth=none
- References: <548ACAD9 dot 6010906 at redhat dot com> <or61db9z30 dot fsf at free dot home> <549089A1 dot 4030705 at redhat dot com>
On Dec 16, 2014, Florian Weimer <fweimer@redhat.com> wrote:
> On 12/16/2014 08:25 PM, Alexandre Oliva wrote:
>> The comments right after the lines you quoted above state:
>>
>> @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
>> @c args_value if it's too large, but gcvt never exercises this path.
>>
>> which agrees with your observation, but not with the conclusion. Do you
>> see any actual unsafe path that disagrees with my conclusions and
>> annotations in the comments above, or were you just going by the general
>> safety remarks about sprintf et al?
> I was going with the common knowledge that sprintf isn't
> async-signal-safe. :-/
Ah, good.
Here's a patch that adds further comments, elaborating the rationale for
gcvt to be safe.
Ok to install?
for ChangeLog
* manual/arith.texi (gcvt): Expand safety rationale.
---
manual/arith.texi | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/manual/arith.texi b/manual/arith.texi
index 72682f0..dd9d060 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -2670,6 +2670,14 @@ to @code{fcvt}.
@safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
@c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
@c args_value if it's too large, but gcvt never exercises this path.
+@c vfprintf and printf_fp might malloc() other buffers too, but only if
+@c the involved sizes exceeded the alloca limit, but the NDIGIT_MAX
+@c limits ensure any required buffers will be well below the alloca
+@c limit. printf_fp also accesses the locale object, but it
+@c dereferences the locale pointer to a const locale object only once
+@c (due to compiler optimizations over all _NL_CURRENT uses), and it is
+@c called only once by vfprintf with the given format string, so it is
+@c safe even under concurrent locale changes.
@code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
ndigit, value}. It is provided only for compatibility's sake. It
returns @var{buf}.
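Review bot: the safety argument for printf_fp's locale access in the added comment ("dereferences the locale pointer to a const locale object only once (due to compiler optimizations over all _NL_CURRENT uses)") rests on a compiler optimization rather than on anything the source guarantees, so the @assafe annotation can silently become wrong under a different compiler, a different optimization level, or a later change to how printf_fp uses _NL_CURRENT; consider wording it as an assumption the annotation depends on and naming the spot in printf_fp that needs re-checking, so whoever next touches that code knows the AS-safe claim hinges on it. Smaller points in the same hunk: the first sentence has a doubled "but" ("but only if the involved sizes exceeded the alloca limit, but the NDIGIT_MAX limits ensure ..."); something like "only if the involved sizes exceeded the alloca limit, which the NDIGIT_MAX limits ensure cannot happen" reads more clearly. In the unchanged context right below, @samp{sprintf(buf, "%*g", ndigit, value} is missing the closing parenthesis before the brace, worth fixing while these lines are being edited.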
--
Alexandre Oliva, freedom fighter http://FSFLA.org/~lxoliva/
You must be the change you wish to see in the world. -- Gandhi
Be Free! -- http://FSFLA.org/ FSF Latin America board member
Free Software Evangelist|Red Hat Brasil GNU Toolchain Engineer