From: Richard Earnshaw
Date: Thu, 17 Mar 2022 11:26:18 +0000
Subject: Re: [PATCH v2] newlib: fix build with
List-Id: Newlib mailing list

On 17/03/2022 09:49, Corinna Vinschen wrote:
> On Mar 16 22:41, Mike Frysinger wrote:
>> On 16 Mar 2022 10:17, R. Diez wrote:
>>>>> Therefore, compiling your code with GCC < 5 will silently break your application.
>>>>> After all, the only reason to use __builtin_mul_overflow() is
>>>>> that you need to check for overflow, is it?
>>>>
>>>> practically speaking, i don't think this is a big deal. newlib gained these
>>>> checks only "recently" (<2 years ago). newlib has been around for much much
>>>> longer, and the world didn't notice.
>>>
>>> Such general justifications wouldn't pass quality assurance (if we had one).
>>
>> in your opinion. software is not perfect, it's trade-offs.
>>
>>>> yes, if an app starts trying to allocate
>>>> huge amounts of memory such that it triggers 32-bit overflows when calculating
>>>> the new size, it will probably internally allocate fewer bytes than requested,
>>>> and things will get corrupted. but like, don't do that :p. such applications
>>>> probably will have other problems already.
>>>
>>> You are suggesting that this only affects memory allocation, but the patch is for libc/include/sys/cdefs.h, so those mine traps will be available for everybody.
>>>
>>> People will tend to assume that anything in Newlib is correct, and code has a way to get copied around and re-used.
>>>
>>> There are many ways to mitigate the risk:
>>>
>>> - Require GCC 5.
>>> - Provide a proper implementation of __builtin_mul_overflow().
>>> - Patch all users of __builtin_mul_overflow() within Newlib, so that they do not use it if the compiler does not provide it.
>>> - Issue a compilation warning for GCC < 5 that the "stub" __builtin_mul_overflow() is broken.
>>>   Note that this is not actually a "stub" implementation in the common sense.
>>> - Add an "assert( false ) // fix me" inside the implementation.
>>> - Add a comment stating that the "stub" implementation is not actually correct.
>>
>> any option that prevents correct execution with gcc-4 is not an improvement.
>> if you care this much, feel free to contribute a patch. or use gcc-5+ and
>> not worry about it.
>> -mike
>
> Does anybody actually care for building with gcc < 5? If not, we
> should just make gcc 5 a prerequisite.

It's not just about old GCC, it's about any C compiler that doesn't have that builtin.

R.

> Corinna
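An added example, not code from newlib's cdefs.h or from anyone in the thread, of the "proper implementation" option R. Diez lists: a size_t checked multiply that uses __builtin_mul_overflow when the compiler advertises it and otherwise a division-based check that reports overflow instead of silently wrapping. The function and macro names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Compile-time detection of the builtin: GCC >= 5 always has it, and
 * compilers that provide __has_builtin (clang, GCC >= 10) can be asked. */
#if defined(__has_builtin)
#  if __has_builtin(__builtin_mul_overflow)
#    define HAVE_BUILTIN_MUL_OVERFLOW 1
#  endif
#elif defined(__GNUC__) && (__GNUC__ >= 5)
#  define HAVE_BUILTIN_MUL_OVERFLOW 1
#endif

/* Portable fallback: a * b overflows size_t exactly when a != 0 and
 * b > SIZE_MAX / a.  The product is stored only when it is valid, so a
 * caller that ignores the return value cannot pick up a wrapped result
 * by accident.  Returns true on overflow, matching the builtin's contract. */
static bool size_mul_overflow_portable(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return true;
    *out = a * b;
    return false;
}

/* Same contract as __builtin_mul_overflow(a, b, out) for size_t operands:
 * the builtin when available, the portable check above otherwise. */
static bool size_mul_overflow(size_t a, size_t b, size_t *out)
{
#ifdef HAVE_BUILTIN_MUL_OVERFLOW
    return __builtin_mul_overflow(a, b, out);
#else
    return size_mul_overflow_portable(a, b, out);
#endif
}

/* The allocation-size computation the thread talks about: bytes needed for
 * n elements of elem_size, or 0 with *ok cleared when the product would
 * wrap, so the caller refuses the request instead of under-allocating. */
static size_t array_bytes(size_t n, size_t elem_size, bool *ok)
{
    size_t bytes;
    *ok = !size_mul_overflow(n, elem_size, &bytes);
    return *ok ? bytes : 0;
}
```

On a compiler without the builtin, size_mul_overflow_portable is what runs; on GCC 5+ or clang both paths must agree, which is the check worth keeping in a test suite.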