References: <20230710161300.1678172-1-xry111@xry111.site>
Date: Mon, 10 Jul 2023 15:06:07 -0400
From: "Zack Weinberg"
To: "Xi Ruoyao", "GNU libc development"
Cc: "Adhemerval Zanella", "Carlos O'Donell", "'Alejandro Colomar (man-pages)'", "Andreas Schwab", "Siddhesh Poyarekar"
Subject: Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h

On Mon, Jul 10, 2023, at 1:27 PM, Xi Ruoyao wrote:
> On Mon, 2023-07-10 at 13:12 -0400, Zack Weinberg wrote:
>> On Mon, Jul 10, 2023, at 12:13 PM, Xi Ruoyao via Libc-alpha wrote:
>> > During the review of a GCC analyzer test case, we found most stdio
>> > functions accepting a FILE * argument expect it to be nonnull and
>> > just segfault when the argument is NULL. Add nonnull attribute for
>> > them.
>>
>> I think this patchset has a high risk of breaking application code,
>> because "this function will promptly crash if passed a NULL pointer"
>> is a very different property from "any code path that would cause
>> this function to be passed a NULL pointer is necessarily
>> unreachable."
>>
>> If we take it at all -- and my current gut feeling is that we
>> *shouldn't* -- we should do so early in a release cycle to give us
>> the best chance of discovering broken applications before the
>> release.
>
> If they want to rely on "it must crash if passed a NULL pointer", they
> should really use -fisolate-erroneous-paths-attribute.

The documentation for this option is not very clear to me, so I can't
tell if this is a sufficient workaround for the kind of breakage I've
seen in the past from over-zealous use of __attribute__((nonnull)).

In general, I think C compilers should _never_ assume that a construct
with UB is unreachable. Converting constructs that are certain to cause
runtime UB into trap instructions _can_ be OK, but in the case where a
library function is provably called with arguments that cause UB, all of
the side effects of evaluating the function's arguments still need to
occur before the trap is executed.

zw
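
The distinction drawn in this message between "crashes on NULL" and "the NULL path is assumed unreachable", shown as an added example that is not part of the original message or of the glibc patch. `emit`, `report_fragile` and `report_checked` are hypothetical names; `emit` stands in for a stdio function carrying the proposed attribute.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for a stdio function annotated as the patch
   proposes: the attribute promises the optimizer that no caller ever
   passes NULL for fp. */
__attribute__((nonnull(1), noinline))
static int emit(FILE *fp, const char *msg)
{
    return fputs(msg, fp) < 0 ? -1 : 0;
}

/* Fragile ordering: the call precedes the check. Passing NULL here is
   undefined behaviour, and because of the attribute an optimizer is
   entitled to conclude fp != NULL after the call and drop the whole
   branch below, including the cleanup it performs. */
int report_fragile(FILE *fp, const char *msg, int *cleanup_ran)
{
    int rc = emit(fp, msg);
    if (fp == NULL) {            /* may be deleted when optimizing */
        *cleanup_ran = 1;
        return -1;
    }
    return rc;
}

/* Robust ordering: the check dominates the call, so the annotated
   function is never reached with NULL and nothing can be inferred
   away. */
int report_checked(FILE *fp, const char *msg, int *cleanup_ran)
{
    if (fp == NULL) {
        *cleanup_ran = 1;
        return -1;
    }
    return emit(fp, msg);
}

int main(void)
{
    int ran = 0;
    int rc = report_checked(NULL, "dropped\n", &ran);
    printf("checked(NULL): rc=%d cleanup_ran=%d\n", rc, ran);
    return 0;
}
```

Comparing the assembly for `report_fragile` from `gcc -O2 -S` with and without the attribute on `emit` shows whether the comparison against NULL survives.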