From: "Zack Weinberg" <zack@owlfolio.org>
To: "Siddhesh Poyarekar" <siddhesh@gotplt.org>,
"Xi Ruoyao" <xry111@xry111.site>,
"GNU libc development" <libc-alpha@sourceware.org>
Cc: "Adhemerval Zanella" <adhemerval.zanella@linaro.org>,
"Carlos O'Donell" <carlos@redhat.com>,
"'Alejandro Colomar (man-pages)'" <alx.manpages@gmail.com>,
"Andreas Schwab" <schwab@suse.de>
Subject: Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h
Date: Mon, 10 Jul 2023 14:56:59 -0400 [thread overview]
Message-ID: <60947356-1710-4658-9169-9535505befd4@app.fastmail.com> (raw)
In-Reply-To: <ed86d013-1df5-2880-3e39-0caf8f49a999@gotplt.org>
On Mon, Jul 10, 2023, at 1:51 PM, Siddhesh Poyarekar wrote:
> On 2023-07-10 13:12, Zack Weinberg wrote:
>> On Mon, Jul 10, 2023, at 12:13 PM, Xi Ruoyao via Libc-alpha wrote:
>>> During the review of a GCC analyzer test case, we found most stdio
>>> functions accepting a FILE * argument expect it to be nonnull and
>>> just segfault when the argument is NULL. Add nonnull attribute
>>> for them.
>>
>> I think this patchset has a high risk of breaking application code,
>> because "this function will promptly crash if passed a NULL pointer"
>> is a very different property from "any code path that would cause
>> this function to be passed a NULL pointer is necessarily
>> unreachable."
>>
>> If we take it at all -- and my current gut feeling is that we
>> *shouldn't* -- we should do so early in a release cycle to give us
>> the best chance of discovering broken applications before the
>> release.
>
> Thanks for your comment; it made me take a closer look at this. I
> suppose it makes sense to push it in right after we tag 2.38 then, so
> that there's the rest of the year to test and fix broken applications
> before 2.39.
That would be fine with me.
> Would it be more acceptable to you if this gets wrapped into fortify,
> i.e. it gets enabled if _FORTIFY_SOURCE is defined?
I tend to agree with Xi that having the presence of __nonnull depend on
_FORTIFY_SOURCE would cause more problems than it solves. Also, since
several Linux distributions enable _FORTIFY_SOURCE by default, we'd
still be risking significant breakage if we shipped that in 2.38.
> In fact, the wrappers in stdio2.h and the _chk variants of those
> functions should likely also get the __nonnull annotation.
Yes, divergence between the _chk variants and the unfortified variants
should be avoided as much as possible.
zw
next prev parent reply other threads:[~2023-07-10 18:57 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-10 16:13 Xi Ruoyao
2023-07-10 17:12 ` Zack Weinberg
2023-07-10 17:27 ` Xi Ruoyao
2023-07-10 19:06 ` Zack Weinberg
2023-07-10 19:31 ` Xi Ruoyao
2023-07-10 17:51 ` Siddhesh Poyarekar
2023-07-10 18:41 ` Xi Ruoyao
2023-07-10 20:14 ` _Nullable and _Nonnull in GCC's analyzer (was: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h) Alejandro Colomar
2023-07-10 20:16 ` Alejandro Colomar
2023-08-08 10:01 ` Martin Uecker
2023-08-09 0:14 ` enh
2023-08-09 1:11 ` Siddhesh Poyarekar
2023-08-09 7:26 ` Martin Uecker
2023-08-09 10:42 ` ISO C's [static] (was: _Nullable and _Nonnull in GCC's analyzer) Alejandro Colomar
2023-08-09 12:03 ` Martin Uecker
2023-08-09 12:37 ` Alejandro Colomar
2023-08-09 14:24 ` Martin Uecker
2023-08-09 13:46 ` Xi Ruoyao
2023-08-11 23:34 ` _Nullable and _Nonnull in GCC's analyzer (was: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h) enh
2023-07-10 18:56 ` Zack Weinberg [this message]
2023-07-10 19:31 ` [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h Siddhesh Poyarekar
2023-07-10 19:35 ` Xi Ruoyao
2023-07-10 19:46 ` Siddhesh Poyarekar
2023-07-10 20:23 ` Xi Ruoyao
2023-07-10 20:33 ` Jeff Law
2023-07-10 20:44 ` Xi Ruoyao
2023-07-10 20:55 ` Zack Weinberg
2023-07-10 21:03 ` Xi Ruoyao
2023-07-10 21:22 ` Zack Weinberg
2023-07-10 21:33 ` Xi Ruoyao
2023-07-11 19:12 ` Zack Weinberg
2023-07-11 20:12 ` Siddhesh Poyarekar
2023-07-12 8:59 ` Xi Ruoyao
2023-07-10 22:09 ` Paul Eggert
2023-07-11 19:18 ` Zack Weinberg
2023-07-11 20:45 ` Jeff Law
2023-07-11 23:59 ` Paul Eggert
2023-07-12 2:40 ` Jeff Law
2023-07-10 22:48 ` Siddhesh Poyarekar
2023-07-11 0:45 ` Sam James
2023-07-10 21:51 ` Jeff Law
2023-07-11 13:03 ` Cristian Rodríguez
2023-07-10 22:34 ` Siddhesh Poyarekar
2023-07-10 22:59 ` Jeff Law
2023-07-11 0:51 ` Sam James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=60947356-1710-4658-9169-9535505befd4@app.fastmail.com \
--to=zack@owlfolio.org \
--cc=adhemerval.zanella@linaro.org \
--cc=alx.manpages@gmail.com \
--cc=carlos@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=schwab@suse.de \
--cc=siddhesh@gotplt.org \
--cc=xry111@xry111.site \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).