From: Jeff Law
Date: Mon, 10 Jul 2023 15:51:14 -0600
Subject: Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h
To: Zack Weinberg, Xi Ruoyao, Siddhesh Poyarekar, GNU libc development
Cc: Adhemerval Zanella, Carlos O'Donell, Alejandro Colomar (man-pages), Andreas Schwab, David Malcolm
Message-ID: <968d6ae8-eb28-886f-ecc8-912dfb536048@gmail.com>

On 7/10/23 14:55, Zack Weinberg wrote:
> On Mon, Jul 10, 2023, at 4:33 PM, Jeff Law via Libc-alpha wrote:
>> Essentially up to the point where the UB happens we have to preserve
>> visible side effects. After the point where UB happens anything goes
>> and our goal has been to mark the paths through the CFG as dying at that
>> point and forcing an immediate halt of the program (via __builtin_trap()).
>>
>> Where this all gets fuzzy is something like the NULL pointer property
>> where the fact that a pointer must be non-null can backward propagate.
>> i.e., if a parameter is marked as non-null, then we will mark the
>> corresponding SSA_NAME in the compiler as non-null. Thus if there was
>> some comparison of the SSA_NAME against NULL (perhaps well before the
>> call), we'll optimize away that comparison.
>
> Yep, see, that in and of itself is dangerous.
>
> The bright line I would draw is: optimizations based on the assumption
> that control cannot proceed past the point where UB occurs are OK;
> optimizations based on the assumption that control cannot *reach* the
> point where UB occurs are *not* OK. Removing a comparison to NULL, based
> on the observation that *later in some execution trace* the program will
> definitely dereference that pointer, falls in the latter category, *even
> if* there are no externally visible side effects in between the two
> points.

I'd tend to agree these days and I think you've captured the issue pretty
well. And I suspect that probably contradicts statements I've made in the
past in this space. Time and experience have caused my position to evolve.

Jeff
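The caller-side hazard the two messages above describe, as an added example that is not part of the thread or of the glibc patch: `text_length()` is a hypothetical stand-in for a stdio function carrying the `nonnull` attribute, `NONNULL` is a constructed macro, and the two `length_or_minus_one_*` functions and the `"hello"` input are constructed for illustration. The first caller places its NULL test after the call, which is the comparison the compiler is entitled to treat as dead once the callee's contract is known (and, by the backward propagation Jeff mentions, a comparison on the same path before the call can go the same way); the second places the test so that it dominates the call, which is the shape that keeps the fallback branch at any optimization level.

```c
#include <stddef.h>
#include <stdio.h>

/* Portable spelling of the attribute the patch under discussion adds to
 * stdio.h.  Constructed for this example; on compilers without the GNU
 * extension it expands to nothing and the contract is simply absent. */
#if defined(__GNUC__)
#define NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))
#else
#define NONNULL(...)
#endif

/* Hypothetical callee standing in for a nonnull-annotated stdio function.
 * Passing NULL is undefined behaviour by contract, exactly as with the
 * annotated FILE * parameters. */
NONNULL(1)
static size_t text_length(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* The hazard: after the call the compiler knows `s` is non-null (the
 * callee's contract), so the comparison below is dead and may be deleted
 * (GCC's -fdelete-null-pointer-checks permits this and is on by default on
 * most targets).  The "fallback" branch therefore cannot be relied upon.
 * Calling this with NULL is the UB the contract forbids, so the example
 * never does. */
static long length_or_minus_one_late_check(const char *s)
{
    size_t n = text_length(s);
    if (s == NULL)       /* likely removed by the optimizer */
        return -1;
    return (long)n;
}

/* The defensive shape: the NULL test dominates the call.  No NULL ever
 * reaches the nonnull callee, so the compiler has no grounds to drop the
 * check and the fallback branch survives at any optimization level. */
static long length_or_minus_one_early_check(const char *s)
{
    if (s == NULL)
        return -1;
    return (long)text_length(s);
}

int main(void)
{
    const char *sample = "hello";   /* constructed input */
    printf("early check, valid input: %ld\n", length_or_minus_one_early_check(sample));
    printf("early check, NULL input : %ld\n", length_or_minus_one_early_check(NULL));
    printf("late check, valid input : %ld\n", length_or_minus_one_late_check(sample));
    return 0;
}
```

Note that GCC's `-Wnonnull-compare` only flags a comparison against NULL inside the annotated function's own body, and `-Wnonnull` only fires when a literal NULL is passed; a caller-side check placed after the call, as in the first function, draws no diagnostic, which is why the check has to be ordered so that it dominates the call rather than follow it. Building with `-fno-delete-null-pointer-checks` keeps such comparisons, but that is a whole-program concession rather than a fix for the call site.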