From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Re: Use of size_t and ssize_t in mseek
Date: Wed, 3 Jul 2013 21:28:00 -0400 [thread overview]
Message-ID: <20130704012800.GK29800@brightrain.aerifal.cx> (raw)
In-Reply-To: <1372523967.8324.19.camel@eris.loria.fr>
On Sat, Jun 29, 2013 at 06:39:27PM +0200, Jens Gustedt wrote:
> Am Samstag, den 29.06.2013, 12:13 -0400 schrieb Rich Felker:
> > With that said, I'm not opposed to adding Annex K, but I think we
> > should look into how invasive it would be, i.e. whether most/all
> > interfaces can just be wrappers for the non-bounds-checking versions
> > or whether major internal changes would be required to some existing
> > interfaces.
>
> I implemented quite a lot of them for P99, so I don't think that there
> would be major problems. Many of them are just some if/else clauses
> that check the run time constraints.
>
> There are some additional functionalities, though, so these would
> demand extra coding and objects, especially the run time constraint
> handling, but I think these are quite limited and wouldn't require
> much effort.
The requirements for printf_s, scanf_s, and related functions look
quite invasive and would affect programs not using these interfaces.
Otherwise, the Annex K interfaces look like a considerable amount of
bloat with highly questionable usefulness, but mostly non-invasive. My
feeling is that we should hold off on a decision about them to see if
any applications actually start using them.
Personally, I'd much rather see a libc-agnostic implementation of
_FORTIFY_SOURCE as a set of include files installed in their own
special directory which use #include_next to get the libc versions,
then #undef all the functions and #define them to "fortify" versions,
using purely GCC features rather than any hooks into libc. This would
actually aid in security for real-world applications.
> Then some interfaces are clearly different such that they can't simply
> be copied over, notably bsearch and qsort functions, since they
> receive additional arguments to provide context to the object
> comparison.
These are much easier; the extra argument can be passed via TLS. It's
printf_s and scanf_s that are hard.
> IIRC, what I couldn't handle within P99 was checking of printf
> arguments, but from within musl this should be relatively straight
> forward.
Not really. There would need to be a way to convey to the printf core
that it's supposed to do this extra checking, and a way to make it
call the constraint handlers.
Rich
P.S. One other reason I hate Annex K is that the constraint handler
design is non-thread-safe and non-library-safe. There's only one
global constraint handler, shared by all threads and by all
libraries/modules that might be using Annex K functions. That means
there's really no valid way to write code that depends on a particular
constraint handler being installed. And the default handler is
implementation-defined, so it wouldn't even be reasonable to say
"leave the default handler there". The only thing reasonable code
using these interfaces can expect when a constraint is violated is
implementation-defined behavior, which is only a tiny step up from
undefined behavior...
next prev parent reply other threads:[~2013-07-04 1:28 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-27 3:52 Matthew Fernandez
2013-06-27 4:10 ` Rich Felker
2013-06-27 4:16 ` Matthew Fernandez
2013-06-27 4:23 ` Rich Felker
2013-06-27 4:31 ` Matthew Fernandez
2013-06-27 15:34 ` Rich Felker
2013-06-28 0:49 ` Matthew Fernandez
2013-06-28 1:22 ` Rich Felker
2013-06-28 1:34 ` Matthew Fernandez
2013-06-28 1:48 ` Rich Felker
2013-06-28 1:56 ` Matthew Fernandez
2013-06-29 4:13 ` Rich Felker
2013-06-29 13:38 ` Matthew Fernandez
2013-06-29 14:17 ` Rich Felker
2013-06-29 14:56 ` Jens Gustedt
2013-06-29 15:48 ` Rich Felker
2013-06-29 16:01 ` Jens Gustedt
2013-06-29 16:13 ` Rich Felker
2013-06-29 16:39 ` Jens Gustedt
2013-07-04 1:28 ` Rich Felker [this message]
2013-07-04 6:11 ` Jens Gustedt
2013-07-04 6:37 ` Rich Felker
2013-07-04 7:11 ` Jens Gustedt
2013-07-04 8:12 ` Rich Felker
2013-07-04 8:45 ` Jens Gustedt
2013-07-04 15:24 ` Rich Felker
2013-07-04 11:10 ` Szabolcs Nagy
2013-07-04 11:58 ` Jens Gustedt
2013-07-04 15:26 ` Rich Felker
2013-06-27 10:35 ` Szabolcs Nagy
2013-06-27 15:05 ` Rich Felker
2013-06-27 16:47 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130704012800.GK29800@brightrain.aerifal.cx \
--to=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).