From: Szabolcs Nagy <nsz@port70.net>
To: Rich Felker <dalias@libc.org>
Cc: Alexander Monakov <amonakov@ispras.ru>,
"musl@lists.openwall.com" <musl@lists.openwall.com>,
Andy Caldwell <andycaldwell@microsoft.com>
Subject: Re: [musl] RE: [EXTERNAL] Re: [musl] [PATCH] fix avoidable segfault in catclose
Date: Sat, 27 Jan 2024 20:20:10 +0100
Message-ID: <20240127192010.GB1254592@port70.net>
In-Reply-To: <20240127145608.GP4163@brightrain.aerifal.cx>
* Rich Felker <dalias@libc.org> [2024-01-27 09:56:08 -0500]:
> On Sat, Jan 27, 2024 at 03:58:02PM +0300, Alexander Monakov wrote:
> >
> > On Sat, 27 Jan 2024, Szabolcs Nagy wrote:
> >
> > > > Yes, this - the details aren't particularly interesting but the key is that "invoke UB"
> > > > is not the same as "crash/trap". I'm also contrasting this to the comments in the
> > > > glibc wiki and Markus's synopsis (from the earlier email) that "it has been musl policy
> > > > to crash on invalid args since the beginning" - in the face of UB, musl (and presumably
> > > > also glibc) _doesn't_ crash/trap, nor does it "fail early and catastrophically" it
> > > > instead "propagates the UB". In debug builds these are often equivalent, but the
> > > > specific path to UB might not be seen in a debug build, and only be seen in production
> > > > where the non-locality of UB effects is at its worst.
> > >
> > > i think you are still looking at this the wrong way:
> > >
> > > - the original code has ub.
> > > - so anything can happen.
> > > - whatever libc does, still anything can happen.
> > > - adding a check p==-1 in libc does not change anything.
> > > (the ub already happens in the caller. a compiler can even remove the
> > > call since it can know about catclose semantics.)
> > >
> > > given these facts on the theoretical level, we can look pragmatically at
> > > the actual transformations a compiler would likely do and we find that
> > > an invalid NULL+n dereference in practice is almost surely an immediate
> > > crash (on linux with dynamic linking or static linking without lto this
> > > is not only likely but actually guaranteed by existing toolchains) which
> > > is the best possible outcome for debugging, meanwhile an extra check in
> > > libc is worse: the code continues and misbehaves somewhere else.
> >
> > I don't think this follows. I believe the suggestion was to have
> >
> > if (catd == (nl_catd)-1) a_crash();
> >
> > which is the opposite of "continuing and misbehaving".
>
> Indeed, that was my understanding too. The reason I don't like this is
> that it's a lot of spurious code (not in a single place, but if we did
sorry i thought we were debating 'return EBADF'.
> stuff like this consistently everywhere) and on top of that it
> actively makes debugging more difficult. You have to trace the flow of
> execution from the trapping instruction back to the branch that led to
> it and figure out why that was taken rather than seeing the invalid
in a sense this is still 'continue and misbehave somewhere else':
if many code paths end in a_crash and the compiler merges them,
then we can lose the branch location, so we would need an a_crash
that the compiler does not merge to be able to find the branch.
> pointer directly in the instruction operand register (and knowing even
> before you see it, e.g. just with strace not even gdb, that the cause
> was an invalid pointer).
>
> Rich
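The caller-side handling the thread keeps returning to (the UB is in the caller that passes a failed catopen() result on), as an added example that is not code from musl or from anyone in this thread; the msgcat_* wrapper names are hypothetical, while NL_CAT_LOCALE and the (nl_catd)-1 sentinel are POSIX:

```c
#include <errno.h>
#include <nl_types.h>
#include <stddef.h>

/* Added example, not musl code: wrap the catalog handle so the (nl_catd)-1
 * sentinel from a failed catopen() is never handed to catclose(). That call
 * is undefined behaviour in the caller, so the check belongs here, not in
 * libc. Also turns double-close into an EBADF error instead of UB. */
struct msgcat {
    nl_catd catd;   /* valid handle, or (nl_catd)-1 when not open */
};

/* Open a catalog by pathname; returns 0 on success, -1 (errno set) on failure. */
int msgcat_open(struct msgcat *mc, const char *path)
{
    mc->catd = catopen(path, NL_CAT_LOCALE);
    return mc->catd == (nl_catd)-1 ? -1 : 0;
}

/* Fetch message (set_id, msg_id) or return dflt; never touches an unopened handle. */
const char *msgcat_get(const struct msgcat *mc, int set_id, int msg_id, const char *dflt)
{
    if (mc->catd == (nl_catd)-1)
        return dflt;
    return catgets(mc->catd, set_id, msg_id, dflt);
}

/* Close the catalog. Returns 0 once per successful open; a second call, or a
 * call after a failed open, returns -1 with errno = EBADF rather than passing
 * the sentinel down to catclose(). */
int msgcat_close(struct msgcat *mc)
{
    if (mc->catd == (nl_catd)-1) {
        errno = EBADF;
        return -1;
    }
    int rc = catclose(mc->catd);
    mc->catd = (nl_catd)-1;   /* poison the handle so a double close is caught here */
    return rc;
}
```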