public inbox for libc-alpha@sourceware.org
From: Alexandre Oliva <aoliva@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: GNU C Library <libc-alpha@sourceware.org>
Subject: Re: MT-safe annotations for gcvt and related functions
Date: Thu, 18 Dec 2014 05:39:00 -0000
Message-ID: <or388d8qk2.fsf@free.home>
In-Reply-To: <549089A1.4030705@redhat.com> (Florian Weimer's message of "Tue, 16 Dec 2014 20:36:01 +0100")

On Dec 16, 2014, Florian Weimer <fweimer@redhat.com> wrote:

> On 12/16/2014 08:25 PM, Alexandre Oliva wrote:
>> The comments right after the lines you quoted above state:
>> 
>> @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
>> @c args_value if it's too large, but gcvt never exercises this path.
>> 
>> which agrees with your observation, but not with the conclusion.  Do you
>> see any actual unsafe path that disagrees with my conclusions and
>> annotations in the comments above, or were you just going by the general
>> safety remarks about sprintf et al?

> I was going with the common knowledge that sprintf isn't
> async-signal-safe. :-/

Ah, good.

Here's a patch that adds further comments, elaborating the rationale for
gcvt to be safe.

Ok to install?


for ChangeLog

	* manual/arith.texi (gcvt): Expand safety rationale.
---
 manual/arith.texi |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/manual/arith.texi b/manual/arith.texi
index 72682f0..dd9d060 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -2670,6 +2670,14 @@ to @code{fcvt}.
 @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}}
 @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
 @c args_value if it's too large, but gcvt never exercises this path.
+@c vfprintf and printf_fp might malloc() other buffers too, but only if
+@c the involved sizes exceeded the alloca limit, but the NDIGIT_MAX
+@c limits ensure any required buffers will be well below the alloca
+@c limit.  printf_fp also accesses the locale object, but it
+@c dereferences the locale pointer to a const locale object only once
+@c (due to compiler optimizations over all _NL_CURRENT uses), and it is
+@c called only once by vfprintf with the given format string, so it is
+@c safe even under concurrent locale changes.
 @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g",
 ndigit, value}.  It is provided only for compatibility's sake.  It
 returns @var{buf}.
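Review bot: the locale part of the new @c comment justifies @mtsafe{} and @assafe{} with a compiler behaviour rather than a code guarantee ("dereferences the locale pointer to a const locale object only once (due to compiler optimizations over all _NL_CURRENT uses)"), so the safety claim can silently stop holding if printf_fp is built with different optimization settings or its _NL_CURRENT uses change; consider either stating that dependency explicitly in the comment or pointing at the code that reads the locale pointer exactly once. Two smaller points on the same lines: the second sentence chains two "but" clauses ("but only if the involved sizes exceeded the alloca limit, but the NDIGIT_MAX limits ensure"), and naming where NDIGIT_MAX clamps ndigit would let a reader verify the claim that every buffer stays below the alloca limit.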


-- 
Alexandre Oliva, freedom fighter    http://FSFLA.org/~lxoliva/
You must be the change you wish to see in the world. -- Gandhi
Be Free! -- http://FSFLA.org/   FSF Latin America board member
Free Software Evangelist|Red Hat Brasil GNU Toolchain Engineer

Thread overview: 7+ messages
2014-12-12 11:00 Florian Weimer
2014-12-16 19:25 ` Alexandre Oliva
2014-12-16 19:36   ` Florian Weimer
2014-12-18  5:39     ` Alexandre Oliva [this message]
2014-12-18  5:41     ` Alexandre Oliva
2015-01-30 14:57       ` Florian Weimer
2015-01-30 19:26         ` Torvald Riegel