Subject: Re: [PATCH v5] libio: Add nonnull attribute for most FILE * arguments in stdio.h
From: Xi Ruoyao
To: Siddhesh Poyarekar, Zack Weinberg, GNU libc development
Cc: Adhemerval Zanella, Carlos O'Donell, "'Alejandro Colomar (man-pages)'", Andreas Schwab, David Malcolm
Date: Tue, 11 Jul 2023 03:35:19 +0800
In-Reply-To: <5d050e86-4c98-de22-5ef0-4cc9ead273d7@gotplt.org>
References: <20230710161300.1678172-1-xry111@xry111.site> <60947356-1710-4658-9169-9535505befd4@app.fastmail.com> <5d050e86-4c98-de22-5ef0-4cc9ead273d7@gotplt.org>
On Mon, 2023-07-10 at 15:31 -0400, Siddhesh Poyarekar wrote:
> On 2023-07-10 14:56, Zack Weinberg wrote:
> > > Would it be more acceptable to you if this gets wrapped into fortify,
> > > i.e. it gets enabled if _FORTIFY_SOURCE is defined?
> >
> > I tend to agree with Xi that having the presence of __nonnull depend on
> > _FORTIFY_SOURCE would cause more problems than it solves.  Also, since
> > several Linux distributions enable _FORTIFY_SOURCE by default, we'd
> > still be risking significant breakage if we shipped that in 2.38.
>
> I'm less concerned about the distribution breakage because they'll more
> likely than not get fixed; in fact my suggestion to put it behind the
> _FORTIFY_SOURCE wall was precisely for that reason.  I'd like us to weed
> out such cases in the distribution and get them fixed rather than
> maintaining status quo.  I'm relatively more concerned about
> non-distribution applications that tend to, e.g. disable security
> features because they see them as either performance hindrances or want
> some legacy broken code to just work.
>
> Of course, I'm not concerned enough about these applications (sorry) to
> insist that it be put behind _FORTIFY_SOURCE, but I think it's a
> reasonable compromise.  That doesn't directly solve the analyzer problem
> though.  Maybe if it's OK to have the analyzer affect codegen, we could
> have the analyzer define _FORTIFY_SOURCE=3 and thus enable additional
> diagnostics too, like the __wur that also gets enabled only on
> fortification.  Is that something worth considering?
Or can we just guard the __nonnull usage against __GNUC_PREREQ (x, 0)
where x is 12 or 13?  In recent GCC releases the optimizer won't kill a
side effect before a UB, so it should be much safer (see my reply to
Zack), and it's unlikely they'll use the latest GCC for some legacy
broken code.

-- 
Xi Ruoyao
School of Aerospace Science and Technology, Xidian University
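The compiler-version guard proposed in the message above, written out as an added example. This is not code from the patch or from glibc: DEMO_GNUC_PREREQ is a local re-implementation of glibc's __GNUC_PREREQ so the file builds on any toolchain, DEMO_NONNULL mirrors the shape of glibc's __nonnull macro, the version 12 cutoff is taken from the thread, and count_newlines is a hypothetical stdio-style function standing in for an annotated fgetc or fputs. It also shows the "use first, check afterwards" caller shape that the thread worries about, beside the ordering that is safe regardless of what the optimizer does.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Local stand-in for glibc's __GNUC_PREREQ (from <features.h>), with the
 * same semantics, defined here so the file also builds on non-glibc
 * toolchains.  Assumption for this example only.
 */
#if defined(__GNUC__) && defined(__GNUC_MINOR__)
# define DEMO_GNUC_PREREQ(maj, min) \
    ((((__GNUC__) << 16) + (__GNUC_MINOR__)) >= (((maj) << 16) + (min)))
#else
# define DEMO_GNUC_PREREQ(maj, min) 0
#endif

/*
 * Emit the nonnull attribute only for GCC >= 12, the lower of the two
 * cutoffs floated in the message above (assumed value).  Older compilers,
 * and compilers that merely imitate an old GCC (clang reports __GNUC__ == 4),
 * get no attribute and therefore no UB-based check deletion.
 */
#if DEMO_GNUC_PREREQ(12, 0)
# define DEMO_NONNULL(params) __attribute__((__nonnull__ params))
# define DEMO_NONNULL_ACTIVE 1
#else
# define DEMO_NONNULL(params)
# define DEMO_NONNULL_ACTIVE 0
#endif

/* Hypothetical stdio-style helper: count newline bytes in a stream.  With
   the attribute active, calling it with fp == NULL is undefined behaviour
   at the call site, before the body even runs. */
static long count_newlines(FILE *fp) DEMO_NONNULL((1));
static long count_newlines(FILE *fp)
{
    long n = 0;
    int c;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n')
            n++;
    return n;
}

/* The "legacy broken code" shape: use the stream first, test it afterwards.
   Once the callee is declared nonnull, GCC may assume fp != NULL after the
   call and drop the comparison (-fdelete-null-pointer-checks), so a NULL
   stream crashes inside count_newlines instead of returning -1.  Whether
   the check is actually removed depends on compiler and -O level. */
static long legacy_count(FILE *fp)
{
    long n = count_newlines(fp);
    if (fp == NULL)
        return -1;
    return n;
}

/* The fix does not depend on the compiler: check before the annotated call. */
static long checked_count(FILE *fp)
{
    if (fp == NULL)
        return -1;
    return count_newlines(fp);
}

/* Reports whether this build emitted the attribute at all. */
static int nonnull_active(void)
{
    return DEMO_NONNULL_ACTIVE;
}

/* Count newlines in a constructed string by way of a temporary stream. */
static long count_newlines_in_text(const char *text)
{
    FILE *fp = tmpfile();
    long n;
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    n = checked_count(fp);
    fclose(fp);
    return n;
}

int main(void)
{
    /* Constructed sample input. */
    long n = count_newlines_in_text("line one\nline two\nline three\n");
    printf("nonnull attribute active: %d\n", nonnull_active());
    printf("newlines: %ld\n", n);
    printf("NULL stream via checked path: %ld\n", checked_count(NULL));
    (void)legacy_count;   /* shown for contrast; never called with NULL here */
    return 0;
}
```

Build with `gcc -O2 -Wall` and inspect the generated code for legacy_count to see whether the comparison survives on a given GCC; `-fno-delete-null-pointer-checks` is the existing opt-out for code that cannot be fixed, which is the kind of knob the thread expects legacy builds to reach for.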