From: "Alejandro Colomar (man-pages)" <alx.manpages@gmail.com>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: libc-alpha@sourceware.org, linux-man@vger.kernel.org,
Joseph Myers <joseph@codesourcery.com>
Subject: Re: [PATCH v2 2/2] timegm.3: Remove recommendation against use of timegm()
Date: Fri, 5 Nov 2021 01:47:50 +0100 [thread overview]
Message-ID: <73e53c80-6bdf-0d50-f359-f98e1490d79e@gmail.com> (raw)
In-Reply-To: <5cb8ec23-6e71-0619-3df4-b554942e66c6@cs.ucla.edu>
Hi Paul,
On 10/18/21 00:00, Paul Eggert wrote:
> On 10/17/21 11:02, Alejandro Colomar (man-pages) wrote:
>
>> timegm(3) is the only non-error-prone solution in glibc for using UTC
>> times, so it should not be marked as "avoid using".
>
> timegm is not portable, so it's reasonable for the documentation to warn
> against its use. Perhaps the warning could be made clearer.
Well, there's no portable alternative, as we discussed, so if a program
needs to do what timegm(3) does (handle UTC dates), it needs to call it.
The only portable alternatives are using other libraries such as boost
(C++). I prefer porting timegm(3) to those platforms instead. Since
C2X will add timegm(3), it's good news.
>
>
>> - int is unlikely to be >32 bits.
>
> There are a few platforms where int is >32 bits (these are typically
> ILP64).
Interesting; I didn't know that. What a weird thing.
> Although glibc doesn't currently support them, let's not place
> unnecessary obstacles in the way.
>
>
>> - Even if int ever happened to be 64 bit, this problem would still be
>> something very theoretical
>
> The behavior of the 'zdump' command would change. I imagine it'd affect
> other commands as well. Admittedly most people wouldn't notice.
>
>
>> if (tm->tm_year > SOME_ARBITRARY_HUGE_VALUE
>
> Let's not impose arbitrary limits.
Since glibc doesn't support 64-bit 'int' yet, the following restriction
could be added without altering the behavior of any existing program:
[
If any of the fields of 'struct tm' would overflow 'int32_t', the
behavior of timegm(3) is undefined.
]
It is arbitrary, yes, but in reality, the code would handle correctly
more than INT32_MAX; it would only cause overflow for values close to
INT64_MAX.
Moreover, it would only affect those weird platforms.
And in those cases:
- If the date is something sane, UB will never be triggered.
- If the date can be compromised (e.g., user input), the only thing that
the programmer needs to do to avoid UB, is to store the temporary values
in int32_t variables before storing them in the struct tm. That will
handle any overflow by truncating it (if the programmer wants to do
something else, that's fine, but it's the minimum to avoid UB). Not
much of a problem.
It would simplify very much glibc code, by imposing small restrictions
to the user.
Don't you think?
Thanks,
Alex
--
Alejandro Colomar
Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/
http://www.alejandro-colomar.es/
next prev parent reply other threads:[~2021-11-05 0:47 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-10 10:52 [PATCH] ctime.3: mktime() may modify tm_hour due to tm_isdst Alejandro Colomar
2021-10-11 10:27 ` Alejandro Colomar (man-pages)
2021-10-11 11:12 ` [PATCH v2 1/2] " Alejandro Colomar
2021-10-11 15:36 ` Paul Eggert
2021-10-15 21:49 ` Alejandro Colomar (man-pages)
2021-10-11 11:12 ` [PATCH v2 2/2] timegm.3: Remove recommendation against use of timegm() Alejandro Colomar
2021-10-11 15:40 ` Paul Eggert
2021-10-15 22:03 ` Alejandro Colomar (man-pages)
2021-10-16 0:20 ` Paul Eggert
2021-10-17 18:02 ` Alejandro Colomar (man-pages)
2021-10-17 22:00 ` Paul Eggert
2021-11-05 0:47 ` Alejandro Colomar (man-pages) [this message]
2021-11-08 8:05 ` Paul Eggert
2021-10-11 11:54 ` [PATCH v3 1/2] ctime.3: mktime() may modify tm_hour due to tm_isdst Alejandro Colomar
2021-10-11 11:54 ` [PATCH v3 2/2] timegm.3: Remove recommendation against their use Alejandro Colomar
2021-10-11 15:37 ` [PATCH] ctime.3: mktime() may modify tm_hour due to tm_isdst Paul Eggert
2021-10-11 22:05 ` Joseph Myers
2021-10-15 21:55 ` Alejandro Colomar (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=73e53c80-6bdf-0d50-f359-f98e1490d79e@gmail.com \
--to=alx.manpages@gmail.com \
--cc=eggert@cs.ucla.edu \
--cc=joseph@codesourcery.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-man@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).