From: Jan Beulich <jbeulich@suse.com>
To: Andrew Burgess <aburgess@redhat.com>
Cc: binutils@sourceware.org
Subject: Re: [PATCH] bfd: make _bfd_section_size_insane part of the public API
Date: Wed, 10 Jan 2024 13:47:57 +0100 [thread overview]
Message-ID: <f1eb82b6-4cda-4583-852a-4b986ce2aa9d@suse.com> (raw)
In-Reply-To: <87frz58n7j.fsf@redhat.com>
On 10.01.2024 12:03, Andrew Burgess wrote:
> Jan Beulich <jbeulich@suse.com> writes:
>> On 06.12.2023 17:15, Andrew Burgess wrote:
>>> If a BFD user is making use of a function like
>>> bfd_get_section_contents to read a section into a pre-allocated
>>> buffer, then that BFD user might also want to make use of
>>> _bfd_section_size_insane prior to allocating the buffer they intend to
>>> use in order to validate that the buffer size that plan to allocate is
>>> sane.
>>>
>>> This commit makes _bfd_section_size_insane public, by renaming it to
>>> bfd_section_size_insane.
>>>
>>> I've updated the existing uses within bfd/, I don't believe this
>>> function is used outside of bfd/ currently.
>>>
>>> One place that I plan to make use of this function is in
>>> gdb/gdb_bfd.c, in the function gdb_bfd_get_full_section_contents.
>>> This change isn't included in this commit, but will come later if/when
>>> this has been merged into bfd.
>>
>> Having seen your ping (and no other response), let me share my view:
>> This function implements a certain policy, internal to the library.
>> By exposing it, you would make external users dependent upon this
>> specific policy. What if later we change our view on what's "insane"?
>
> I would expect and want external users to get the updated definition.
And then break if we decide to lower the limit of "insane"?
> The function name of "insane" is a little unfortunate. I think if the
> function had a better name then this change would seem far less
> contentious. Consider a name of:
>
> validate_section_size_against_other_bfd_infernal_properties_of_the_elf_to_ensure_that_the_requested_size_is_likely_valid()
>
>> IOW external consumers want to implement their own, independent policy
>> (if so desired).
>
> Sure, consumers _could_ implement their own policy, but IMHO, this would
> be far worse than exposing the *_insane() function.
>
> What I (as a consumer) want is to check if the size that the BFD library
> is reporting is valid or not. To do that I need to check details of the
> ELF that I, as a BFD users, shouldn't have to bother with. (I thought)
> the point of BFD was to abstract details of the file format.
Well, your wording (correctly) makes an important distinction: "valid" !=
"sane". If this was a validity check, no question would arise about it
being okay to expose.
>> Taking your intended usage example, things would be different if e.g.
>> bfd_get_full_section_contents() itself used this check unconditionally.
>> Then I could see a desire to have a way of checking up front whether
>> allocating a buffer makes sense at all. And really I consider it
>> questionable for bfd_get_full_section_contents(), when asked to
>> allocate a buffer, to actually enforce such a library-internal policy.
>> Like with exposing bfd_section_size_insane(), any change to the policy
>> may affect external users in unexpected ways.
>
> I don't understand this paragraph at all. I'm sure I must be reading it
> wrong, but it feels like you're saying we shouldn't use
> bfd_section_size_insane(), which would mean we don't check for this one
> particular error case, but I'm not sure why you'd feel that way. Like I
> said, I'm sure that's _not_ what you're suggesting, I just don't see
> what it is you are trying to say.
>
> You start this paragraph by saying "Taking your intended usage example,
> ..." but don't really offer an alternative solution. I'd be interested
> if you did have some thoughts.
The only alternative I can think about is for every component to enforce
its own view of "sane".
> Maybe a better solution is to change bfd_get_section_size() so that this
> function doesn't always just return the recorded section size, but
> instead returns 0 (or maybe -1 to indicate an error?) based on calling
> bfd_section_size_insane()? This feels far more risky as there's likely
> many calls to bfd_section_size() in the wild that don't expect to get
> back a size of 0.... but maybe that's a cleaner solution?
Indeed, this risk makes such a change undesirable. Plus when merely
dumping headers, for example, the true value will want returning (and
displaying) anyway. I was rather thinking the other way around, to
perhaps drop the "insane" checking, for being purely heuristic and
prone to break at some (hopefully distant) future point. A reasonably
well implemented allocation function ought to be able to fail without
first trying hard to free up memory, when enough cannot be made
available anyway.
Jan
next prev parent reply other threads:[~2024-01-10 12:48 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-06 16:15 Andrew Burgess
2024-01-02 11:21 ` Ping: " Andrew Burgess
2024-01-05 12:03 ` Jan Beulich
2024-01-10 11:03 ` Andrew Burgess
2024-01-10 12:47 ` Jan Beulich [this message]
2024-01-10 13:48 ` Andrew Burgess
2024-01-10 14:26 ` Jan Beulich
2024-01-10 16:20 ` Andrew Burgess
2024-01-10 21:22 ` Alan Modra
2024-01-11 8:23 ` Jan Beulich
2024-03-06 11:17 ` Andrew Burgess
2024-03-06 11:30 ` Jan Beulich
2024-03-25 18:33 ` Andrew Burgess
2024-01-10 17:54 ` Tom Tromey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f1eb82b6-4cda-4583-852a-4b986ce2aa9d@suse.com \
--to=jbeulich@suse.com \
--cc=aburgess@redhat.com \
--cc=binutils@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).