Subject: Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h
From: Xi Ruoyao
To: Siddhesh Poyarekar, Zack Weinberg, GNU libc development
Cc: Adhemerval Zanella, Carlos O'Donell, 'Alejandro Colomar (man-pages)', Andreas Schwab
Date: Tue, 11 Jul 2023 02:41:05 +0800
Message-ID: <1efbe0b2dd8fefffc945c6734222c7d6e04cf465.camel@xry111.site>
References: <20230710161300.1678172-1-xry111@xry111.site>

On Mon, 2023-07-10 at 13:51 -0400, Siddhesh Poyarekar wrote:
> On 2023-07-10 13:12, Zack Weinberg wrote:
> > On Mon, Jul 10, 2023, at 12:13 PM, Xi Ruoyao via Libc-alpha wrote:
> > > During the review of a GCC analyzer test case, we found most stdio
> > > functions accepting a FILE * argument expect it to be nonnull and just
> > > segfault when the argument is NULL.  Add nonnull attribute for them.
> >
> > I think this patchset has a high risk of breaking application code,
> > because "this function will promptly crash if passed a NULL pointer" is
> > a very different property from "any code path that would cause this
> > function to be passed a NULL pointer is necessarily unreachable."
> >
> > If we take it at all -- and my current gut feeling is that we
> > *shouldn't* -- we should do so early in a release cycle to give us the
> > best chance of discovering broken applications before the release.
>
> Thanks for your comment; it made me take a closer look at this.  I
> suppose it makes sense to push it in right after we tag 2.38 then, so
> that there's the rest of the year to test and fix broken applications
> before 2.39.  It may make sense to backport to the release branch for
> distributions if we find it to be stable enough.
>
> Would it be more acceptable to you if this gets wrapped into fortify,
> i.e. it gets enabled if _FORTIFY_SOURCE is defined?  In fact, the
> wrappers in stdio2.h and the _chk variants of those functions should
> likely also get the __nonnull annotation.

But it then means w/o -D_FORTIFY_SOURCE we'll still not see the warning,
and GCC analyzer developers will still implement a lot of special cases
:(.  Maybe we should have a weaker version of nonnull which only
performs the diagnostic, not the optimization.

But it looks like they hate the idea: https://gcc.gnu.org/PR110617.

-- 
Xi Ruoyao
School of Aerospace Science and Technology, Xidian University
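The distinction Zack draws between "crashes promptly on NULL" and "NULL is assumed unreachable" is the optimization half of nonnull that this reply wants to separate from the diagnostic. The following is an added illustration, not code from the thread or from the glibc patch; put_line, log_unchecked, log_checked and roundtrip are constructed for it, with put_line standing in for a stdio prototype carrying the proposed annotation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed wrapper, annotated the way the patch annotates the stdio
 * prototypes: the FILE * argument is declared nonnull. */
static int put_line(FILE *fp, const char *s) __attribute__((nonnull(1)));
static int put_line(FILE *fp, const char *s)
{
    return fputs(s, fp) == EOF ? -1 : 0;
}

/* The pattern the thread worries about: the NULL check sits after the
 * annotated call.  Passing NULL to a nonnull parameter is undefined
 * behaviour, so under -fdelete-null-pointer-checks (on by default on
 * most targets) GCC may treat fp as non-null from the call onwards and
 * delete the comparison.  "Crashes promptly on NULL" is no longer the
 * guaranteed outcome: the check can silently disappear instead. */
int log_unchecked(FILE *fp, const char *msg)
{
    int rc = put_line(fp, msg);
    if (fp == NULL)            /* dead under the nonnull assumption */
        return -2;
    return rc;
}

/* Robust ordering: reject NULL before any nonnull-annotated call, so no
 * code path hands NULL to put_line and the check cannot be folded away. */
int log_checked(FILE *fp, const char *msg)
{
    if (fp == NULL)
        return -2;
    return put_line(fp, msg);
}

/* Round-trips one line through a temporary file using the given logger;
 * returns 1 on success, 0 on any failure.  Only valid streams are used
 * here: calling log_unchecked(NULL, ...) would be undefined behaviour. */
int roundtrip(int (*logger)(FILE *, const char *))
{
    char buf[32] = {0};
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    int ok = logger(fp, "hello\n") == 0;
    rewind(fp);
    ok = ok && fgets(buf, sizeof buf, fp) != NULL;
    fclose(fp);
    return ok && strcmp(buf, "hello\n") == 0;
}
```

Compiling log_unchecked at -O2 and inspecting the generated code shows the comparison against NULL removed, which is the behaviour a diagnostic-only variant of the attribute would avoid.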