[Bug network/30293] Socket API is not alias safe

["eblake at redhat dot com" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=30293

--- Comment #1 from Eric Blake <eblake at redhat dot com> ---
In particular, the intent of the POSIX amendment is that user code (such as
this example abridged from 'man 2 bind' on Fedora 37) must compile without
compiler diagnostics about an alias violation under default compiler warning
levels, and must produce the intended semantics without the compiler
mis-optimizing it on the grounds of undefined behavior from an alias violation:

       #include <sys/socket.h>
       #include <sys/un.h>
       #include <stdlib.h>
       #include <stdio.h>
       #include <string.h>

       #define MY_SOCK_PATH "/somepath"
       #define handle_error(msg) \
           do { perror(msg); exit(EXIT_FAILURE); } while (0)

       int
       main(int argc, char *argv[])
       {
           int sfd, cfd;
           struct sockaddr_un my_addr;

           sfd = socket(AF_UNIX, SOCK_STREAM, 0);
           if (sfd == -1)
               handle_error("socket");

           memset(&my_addr, 0, sizeof(my_addr));
           my_addr.sun_family = AF_UNIX;
           strncpy(my_addr.sun_path, MY_SOCK_PATH,
                   sizeof(my_addr.sun_path) - 1);

           if (bind(sfd, (struct sockaddr *) &my_addr,
                   sizeof(my_addr)) == -1)  // compiler must not flag this
               handle_error("bind");
           //...
       }

However, other (bad) user code, such as the following, may still trigger
undefined behavior, even if the compiler is no longer able to diagnose it
because of whatever was done to the structs in order to make the
sockaddr.sa_family/sockaddr_un.sun_family aliasing be well-defined behavior:

    struct sockaddr too_small = { .sa_family = AF_UNIX };
    int sfd = socket(AF_UNIX, SOCK_STREAM, 0);
    bind(sfd, &too_small, sizeof(struct sockaddr_storage)); // BAD - don't do
this; the compiler can't flag this as an aliasing violation, but might be able
to flag it for potential out-of-bounds referencing

Conversely, POSIX does not intend to require that the various sockaddr* types
must be universal aliases (that is, sockaddr* does not have to be synonymous
with void* or char*, if an implementation has a way to fine-tune how much it
can alias):

    struct stat *st;
    struct sockaddr *sa = (struct sockaddr *)st; // BAD - compiler may, but not
must, flag this as an obvious aliasing violation, as it is not one of the casts
required by POSIX to be diagnostic-free

[If the POSIX amendment is itself inaccurate, the Austin Group welcomes
comments on how to improve the wording before Issue 8 is finalized]

-- 
You are receiving this mail because:
You are on the CC list for the bug.