mailing list of musl libc
From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Re: Use of size_t and ssize_t in mseek
Date: Wed, 3 Jul 2013 21:28:00 -0400
Message-ID: <20130704012800.GK29800@brightrain.aerifal.cx>
In-Reply-To: <1372523967.8324.19.camel@eris.loria.fr>

On Sat, Jun 29, 2013 at 06:39:27PM +0200, Jens Gustedt wrote:
> On Saturday, 29.06.2013, 12:13 -0400, Rich Felker wrote:
> > With that said, I'm not opposed to adding Annex K, but I think we
> > should look into how invasive it would be, i.e. whether most/all
> > interfaces can just be wrappers for the non-bounds-checking versions
> > or whether major internal changes would be required to some existing
> > interfaces.
> 
> I implemented quite a lot of them for P99, so I don't think that there
> would be major problems. Many of them are just some if/else clauses
> that check the run time constraints.
> 
> There are some additional functionalities, though, so these would
> demand extra coding and objects, especially the run time constraint
> handling, but I think these are quite limited and wouldn't require
> much effort.

The requirements for printf_s, scanf_s, and related functions look
quite invasive and would affect programs not using these interfaces.
Otherwise, the Annex K interfaces look like a considerable amount of
bloat with highly questionable usefulness, but mostly non-invasive. My
feeling is that we should hold off on a decision about them to see if
any applications actually start using them.

Personally, I'd much rather see a libc-agnostic implementation of
_FORTIFY_SOURCE as a set of include files installed in their own
special directory which use #include_next to get the libc versions,
then #undef all the functions and #define them to "fortify" versions,
using purely GCC features rather than any hooks into libc. This would
actually aid in security for real-world applications.

> Then some interfaces are clearly different such that they can't simply
> be copied over, notably bsearch and qsort functions, since they
> receive additional arguments to provide context to the object
> comparison.

These are much easier; the extra argument can be passed via TLS. It's
printf_s and scanf_s that are hard.

> IIRC, what I couldn't handle within P99 was checking of printf
> arguments, but from within musl this should be relatively straight
> forward.

Not really. There would need to be a way to convey to the printf core
that it's supposed to do this extra checking, and a way to make it
call the constraint handlers.

Rich


P.S. One other reason I hate Annex K is that the constraint handler
design is non-thread-safe and non-library-safe. There's only one
global constraint handler, shared by all threads and by all
libraries/modules that might be using Annex K functions. That means
there's really no valid way to write code that depends on a particular
constraint handler being installed. And the default handler is
implementation-defined, so it wouldn't even be reasonable to say
"leave the default handler there". The only thing reasonable code
using these interfaces can expect when a constraint is violated is
implementation-defined behavior, which is only a tiny step up from
undefined behavior...
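Added example of the header-layer approach described in the message above (my own code, not musl's and not something the thread itself posts): a libc-agnostic fortify layer built only from compiler builtins, with no hook into libc. An installed version would live at a path such as <fortify/string.h>, reach the real libc header with #include_next <string.h>, then #undef memcpy and redefine it; here <string.h> is included directly so the file compiles stand-alone. The reporting hook records the violation instead of calling abort() so the result can be inspected; a real layer would abort. The names (fortify_memcpy, fortify_fail, fortify_check_copy, fortify_demo_overflow) are mine.

```c
/* Added example, not musl code: a _FORTIFY_SOURCE-style wrapper layer built
 * purely from GCC/clang builtins.  In an installed <fortify/string.h> the
 * include below would be  #include_next <string.h>  so the libc header is
 * reached first; a plain include is used here so the file builds on its own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed reporting hook: counts violations rather than aborting so the
 * outcome is checkable; a production layer would call abort() here. */
static int fortify_violations;

static void fortify_fail(const char *fn, size_t need, size_t have)
{
    fortify_violations++;
    fprintf(stderr, "fortify: %s writes %zu bytes into a %zu-byte object\n",
            fn, need, have);
}

/* dsz is the destination size as reported by __builtin_object_size, or
 * (size_t)-1 when the compiler could not determine it (then no check is
 * possible and the call must simply go through to libc). */
static inline void *fortify_memcpy(void *d, const void *s, size_t n, size_t dsz)
{
    if (dsz != (size_t)-1 && n > dsz) {
        fortify_fail("memcpy", n, dsz);
        return d;               /* refuse the overflowing copy */
    }
    return memcpy(d, s, n);     /* the unchanged libc call */
}

/* What the installed header does after pulling in the libc <string.h>:
 * drop libc's name and route every call through the checked wrapper.
 * Type 1 asks for the enclosing subobject (array member), not the whole
 * struct, which is the stricter of the two sizes the builtin can report. */
#undef memcpy
#define memcpy(d, s, n) \
    fortify_memcpy((d), (s), (n), __builtin_object_size((d), 1))

/* Exercises the check with an explicit size, so the result does not depend
 * on whether the compiler folded __builtin_object_size.  Returns the number
 * of violations reported for this one call. */
int fortify_check_copy(size_t n, size_t dsz)
{
    char src[64] = {0};
    char dst[64];
    int before = fortify_violations;
    fortify_memcpy(dst, src, n, dsz);
    return fortify_violations - before;
}

/* Goes through the macro path: a 16-byte copy into an 8-byte member.
 * With the size folded (normally -O1 and above, often at -O0 too for a
 * plain member like this) the copy is refused and 1 is returned.  The pad
 * member only keeps the stack intact if a compiler lets the copy through. */
int fortify_demo_overflow(void)
{
    struct { char small[8]; char pad[24]; } buf;
    char big[16] = "0123456789abcde";     /* constructed input */
    int before = fortify_violations;
    memcpy(buf.small, big, sizeof big);
    return fortify_violations - before;
}

int main(void)
{
    printf("explicit-size check: %d violation(s)\n", fortify_check_copy(16, 8));
    printf("macro path:          %d violation(s)\n", fortify_demo_overflow());
    return 0;
}
```

The explicit-size path is the part to rely on when testing; the macro path inherits the usual limitation of this approach, namely that __builtin_object_size can only report sizes the compiler can see, so pointers into heap buffers or through function arguments yield (size_t)-1 and are not checked at all.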


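Added example of the TLS approach mentioned above for qsort_s (my own code, not musl's implementation): the comparator and its context pointer are parked in a thread-local slot and a fixed trampoline with qsort's two-argument signature reads them back, so plain qsort does the work. The slot is saved and restored around the call so that a comparator which itself sorts still sees its own context. Runtime-constraint violations are reported by returning EINVAL instead of invoking an Annex K handler, as an assumption; the names (qsort_s_tls, the struct types, the sample arrays) are mine.

```c
/* Added example, not musl code: Annex K qsort_s on top of plain qsort,
 * passing the extra context argument through thread-local storage. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* _Thread_local is C11; __thread is the GCC/clang spelling for older modes. */
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
#define TLS _Thread_local
#else
#define TLS __thread
#endif

#define RSIZE_MAX_LOCAL (SIZE_MAX >> 1)   /* assumed rsize_t limit */

typedef int (*ctx_compar_fn)(const void *, const void *, void *);

/* Per-thread slot: each thread's qsort sees only its own comparator/context,
 * which is what makes the trampoline thread-safe without any locking. */
struct sort_slot { ctx_compar_fn compar; void *context; };
static TLS struct sort_slot tls_slot;

static int tramp(const void *a, const void *b)
{
    return tls_slot.compar(a, b, tls_slot.context);
}

/* Returns 0 on success, EINVAL on a runtime-constraint violation. */
int qsort_s_tls(void *base, size_t nmemb, size_t size,
                ctx_compar_fn compar, void *context)
{
    if (nmemb > RSIZE_MAX_LOCAL || size > RSIZE_MAX_LOCAL)
        return EINVAL;
    if (nmemb > 0 && (base == NULL || compar == NULL))
        return EINVAL;
    if (nmemb == 0)
        return 0;
    struct sort_slot saved = tls_slot;      /* allow nested calls */
    tls_slot.compar = compar;
    tls_slot.context = context;
    qsort(base, nmemb, size, tramp);
    tls_slot = saved;
    return 0;
}

/* Context used by the sample comparator: sort direction plus a call count. */
struct order { int descending; long calls; };

static int cmp_int_ctx(const void *a, const void *b, void *ctx)
{
    struct order *o = ctx;
    int x = *(const int *)a, y = *(const int *)b;
    int r = (x > y) - (x < y);
    o->calls++;
    return o->descending ? -r : r;
}

/* Sorts a constructed sample and returns 1 if it came out in the requested
 * order and the comparator actually received its context. */
int sort_sample_ok(int descending)
{
    int v[] = { 5, -2, 9, 0, 3, 3, -7 };
    size_t n = sizeof v / sizeof v[0];
    struct order o = { descending, 0 };
    if (qsort_s_tls(v, n, sizeof v[0], cmp_int_ctx, &o) != 0)
        return 0;
    for (size_t i = 1; i < n; i++)
        if (descending ? v[i - 1] < v[i] : v[i - 1] > v[i])
            return 0;
    return o.calls > 0;
}

/* Reentrancy: this comparator sorts copies of both rows (a nested qsort_s_tls)
 * and compares their minima.  Without the save/restore above, the outer sort
 * would end up comparing rows by their first element instead. */
struct row { int a[3]; };

static int cmp_row_by_min(const void *x, const void *y, void *ctx)
{
    struct row rx = *(const struct row *)x, ry = *(const struct row *)y;
    qsort_s_tls(rx.a, 3, sizeof(int), cmp_int_ctx, ctx);
    qsort_s_tls(ry.a, 3, sizeof(int), cmp_int_ctx, ctx);
    return (rx.a[0] > ry.a[0]) - (rx.a[0] < ry.a[0]);
}

int nested_sort_ok(void)
{
    struct row r[] = { {{2, 9, 8}}, {{7, 1, 5}}, {{6, 0, 3}} };  /* minima 2,1,0 */
    struct order asc = { 0, 0 };
    if (qsort_s_tls(r, 3, sizeof r[0], cmp_row_by_min, &asc) != 0)
        return 0;
    return r[0].a[0] == 6 && r[1].a[0] == 7 && r[2].a[0] == 2;
}

/* Constraint handling: NULL base or comparator with nmemb > 0 is rejected,
 * nmemb == 0 succeeds without touching base. */
int constraint_checks_ok(void)
{
    int v[1] = { 1 };
    struct order o = { 0, 0 };
    if (qsort_s_tls(NULL, 3, sizeof(int), cmp_int_ctx, &o) == 0) return 0;
    if (qsort_s_tls(v, 1, sizeof(int), NULL, &o) == 0) return 0;
    if (qsort_s_tls(NULL, 0, sizeof(int), NULL, NULL) != 0) return 0;
    return 1;
}
```

The same slot-and-trampoline pattern serves bsearch_s; the only thing that needs care is restoring the slot on every exit path, since a comparator that longjmps out of qsort would otherwise leave the thread's slot pointing at a dead context.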

Thread overview: 32+ messages
2013-06-27  3:52 Matthew Fernandez
2013-06-27  4:10 ` Rich Felker
2013-06-27  4:16   ` Matthew Fernandez
2013-06-27  4:23     ` Rich Felker
2013-06-27  4:31       ` Matthew Fernandez
2013-06-27 15:34         ` Rich Felker
2013-06-28  0:49           ` Matthew Fernandez
2013-06-28  1:22             ` Rich Felker
2013-06-28  1:34               ` Matthew Fernandez
2013-06-28  1:48                 ` Rich Felker
2013-06-28  1:56                   ` Matthew Fernandez
2013-06-29  4:13                     ` Rich Felker
2013-06-29 13:38                       ` Matthew Fernandez
2013-06-29 14:17                         ` Rich Felker
2013-06-29 14:56                           ` Jens Gustedt
2013-06-29 15:48                             ` Rich Felker
2013-06-29 16:01                               ` Jens Gustedt
2013-06-29 16:13                                 ` Rich Felker
2013-06-29 16:39                                   ` Jens Gustedt
2013-07-04  1:28                                     ` Rich Felker [this message]
2013-07-04  6:11                                       ` Jens Gustedt
2013-07-04  6:37                                         ` Rich Felker
2013-07-04  7:11                                           ` Jens Gustedt
2013-07-04  8:12                                             ` Rich Felker
2013-07-04  8:45                                               ` Jens Gustedt
2013-07-04 15:24                                                 ` Rich Felker
2013-07-04 11:10                                               ` Szabolcs Nagy
2013-07-04 11:58                                                 ` Jens Gustedt
2013-07-04 15:26                                                 ` Rich Felker
2013-06-27 10:35       ` Szabolcs Nagy
2013-06-27 15:05         ` Rich Felker
2013-06-27 16:47       ` Rich Felker
