unofficial mirror of libc-alpha@sourceware.org
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: Zack Weinberg <zackw@panix.com>, libc-alpha@sourceware.org
Cc: Joseph Myers <joseph@codesourcery.com>,
	Florian Weimer <fweimer@redhat.com>,
	Lukasz Majewski <lukma@denx.de>,
	Alistair Francis <alistair23@gmail.com>,
	Stepan Golosunov <stepan@golosunov.pp.ru>,
	Arnd Bergmann <arnd@arndb.de>,
	Samuel Thibault <samuel.thibault@ens-lyon.org>
Subject: Re: [PATCH v2 09/10] Warn when gettimeofday is called with non-null tzp argument.
Date: Tue, 3 Sep 2019 16:56:26 -0300
Message-ID: <a2be7bdb-319e-4470-d4cf-a3aff08a5e61@linaro.org>
In-Reply-To: <20190828153236.18229-10-zackw@panix.com>



On 28/08/2019 12:32, Zack Weinberg wrote:
> Since there are no known uses of gettimeofday's vestigial "get time
> zone" feature that are not bugs, add a fortify-style wrapper inline to
> sys/time.h that issues a warning whenever gettimeofday is called with
> a second argument that is not a compile-time null pointer
> constant.
> 
> At present this is only possible with GCC; clang does not implement
> attribute((warning)).  The wrapper is only activated when __OPTIMIZE__
> is defined because it throws false positives when optimization is off,
> even though it's an always-inline function.
> 
> An oversight in the implementation of __builtin_constant_p causes it
> to fail to detect compile-time *pointer* constants unless they are
> cast to an integer of a different size.  (Loss of data in this cast is
> harmless; the overall expression is still constant if and only if the
> original pointer was.)  This is GCC bug 95514.  Thanks to
> Kamil Cukrowski <kamilcukrowski@gmail.com> for the workaround.
> As a precaution, I added a static assertion to debug/warning-nop.c to
> make sure that the cast _is_ casting to an integer of a different
> size; this is too unlikely a scenario to be worth checking in the
> public header, but if someone ever adds a port where short is the
> same size as intptr_t, we'll still catch it.

The conditionals for making this work without false positives seem quite
specific and fragile (gcc-only, optimized build), and the cast hack makes it
even more suspicious that it won't break in some arcane build environment
(since it is an exported header, not internally used).

I would prefer to just wait for gcc to correctly fix it and set its minimum
version to enable it with the expected semantics.

> 
> Also make the public prototype of gettimeofday declare its second
> argument with type "void *" unconditionally, consistent with POSIX.

This is ok though.

> 
> 	* time/sys/time.h (__timezone_ptr_t): Delete.
> 	(gettimeofday): Always declare second argument with type "void *".
> 	When possible, wrap with a fortify-style inline function that
> 	detects non-null or non-constant second argument and issues a
> 	warning.  Improve commentary.
> 	(settimeofday): Improve commentary.
> 
> 	* time/gettimeofday.c (gettimeofday): Declare second argument with
> 	type "void *".
> 	* debug/warning-nop.c: Include sys/time.h and stdint.h.
> 	Add static_assert to verify the requirements of the workaround
> 	for GCC bug 95514.
> ---
>  debug/warning-nop.c |  9 +++++++++
>  time/gettimeofday.c |  4 ++--
>  time/sys/time.h     | 47 ++++++++++++++++++++++++++++++++++-----------
>  3 files changed, 47 insertions(+), 13 deletions(-)
> 
> diff --git a/debug/warning-nop.c b/debug/warning-nop.c
> index 8eeea396c3..3eab53b78f 100644
> --- a/debug/warning-nop.c
> +++ b/debug/warning-nop.c
> @@ -67,4 +67,13 @@ nop (void)
>  #define __builtin___strncpy_chk(dest, src, len, bos) NULL
>  #define __builtin_object_size(bos, level) 0
>  
> +/* The code in sys/time.h that uses __warndecl has to work around GCC
> +    bug 91554.  The work-around is only effective if intptr_t is not
> +    the same size as short.  */
> +#include <stdint.h>
> +_Static_assert (sizeof (intptr_t) != sizeof (short),
> +                "workaround for GCC bug 91554 in sys/time.h"
> +                " is only effective when short is smaller than a pointer");
> +
>  #include <string.h>
> +#include <sys/time.h>
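
Review bot: The comment and the assertion message in this hunk cite GCC bug 91554, while the commit message and the ChangeLog entry above cite bug 95514; the two should agree (the sys/time.h comment links to id=91554). Separately, the assertion tests `sizeof (intptr_t) != sizeof (short)` but its message says the workaround needs short to be "smaller than a pointer"; either word the message as "a different size from intptr_t" or test with `<`, so the condition and the diagnostic say the same thing.
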
> diff --git a/time/gettimeofday.c b/time/gettimeofday.c
> index c4f642631f..5bc91fc214 100644
> --- a/time/gettimeofday.c
> +++ b/time/gettimeofday.c
> @@ -23,10 +23,10 @@
>     If *TZ is not NULL, clear it.
>     Returns 0 on success, -1 on errors.  */
>  int
> -___gettimeofday (struct timeval *tv, struct timezone *tz)
> +___gettimeofday (struct timeval *restrict tv, void *restrict tz)
>  {
>    if (__glibc_unlikely (tz != 0))
> -    memset (tz, 0, sizeof *tz);
> +    memset (tz, 0, sizeof (struct timezone));
>  
>    struct timespec ts;
>    if (__clock_gettime (CLOCK_REALTIME, &ts))
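
Review bot: With `tz` now declared `void *restrict`, `memset (tz, 0, sizeof (struct timezone))` writes a fixed number of bytes through a pointer whose pointed-to type the prototype no longer constrains, so a caller that passes a smaller object gets an out-of-bounds write that the declaration no longer helps catch. That follows from adopting the POSIX prototype, but the comment above the function should say that a non-null TZ must point to a struct timezone. The context line "If *TZ is not NULL, clear it" should also read "If TZ is not NULL, clear *TZ", since the test is `tz != 0`.
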
> diff --git a/time/sys/time.h b/time/sys/time.h
> index 5dbc7fc627..a4e7fd20d1 100644
> --- a/time/sys/time.h
> +++ b/time/sys/time.h
> @@ -54,23 +54,48 @@ struct timezone
>      int tz_minuteswest;		/* Minutes west of GMT.  */
>      int tz_dsttime;		/* Nonzero if DST is ever in effect.  */
>    };
> -
> -typedef struct timezone *__restrict __timezone_ptr_t;
> -#else
> -typedef void *__restrict __timezone_ptr_t;
>  #endif
>  
> -/* Get the current time of day and timezone information,
> -   putting it into *TV and *TZ.  If TZ is NULL, *TZ is not filled.
> -   Returns 0 on success, -1 on errors.
> -   NOTE: This form of timezone information is obsolete.
> -   Use the functions and variables declared in <time.h> instead.  */
> +/* Get the current time of day, putting it into *TV.
> +   If TZ is not null, *TZ must be a struct timezone, and both fields
> +   will be set to zero.
> +   Calling this function with a non-null TZ is obsolete;
> +   use localtime etc. instead.
> +   This function itself is semi-obsolete;
> +   most callers should use time or clock_gettime instead. */
>  extern int gettimeofday (struct timeval *__restrict __tv,
> -			 __timezone_ptr_t __tz) __THROW __nonnull ((1));
> +			 void *__restrict __tz) __THROW __nonnull ((1));
> +
> +#if __GNUC_PREREQ (4,3) && defined __REDIRECT && defined __OPTIMIZE__
> +/* Issue a warning for use of gettimeofday with a non-null __tz argument.  */
> +__warndecl (__warn_gettimeofday_nonnull_timezone,
> +            "gettimeofday with non-null or non-constant timezone parameter;"
> +            " this is obsolete and inaccurate, use localtime instead");
> +
> +extern int __REDIRECT_NTH (__gettimeofday_alias,
> +                           (struct timeval *__restrict __tv,
> +                            void *__restrict __tz), gettimeofday)
> +  __nonnull ((1));
> +
> +/* The double cast below works around a limitation in __builtin_constant_p
> +   in all released versions of GCC (as of August 2019).
> +   See <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91554>.  */
> +__fortify_function int
> +__NTH (gettimeofday (struct timeval *__restrict __tv, void *__restrict __tz))
> +{
> +  if (! (__builtin_constant_p ((short) (__intptr_t) __tz) && __tz == 0))
> +    __warn_gettimeofday_nonnull_timezone ();
> +
> +  return __gettimeofday_alias (__tv, __tz);
> +}
> +#endif
>  
>  #ifdef __USE_MISC
>  /* Set the current time of day and timezone information.
> -   This call is restricted to the super-user.  */
> +   This call is restricted to the super-user.
> +   Setting the timezone in this way is obsolete, but we don't yet
> +   warn about it because it still has some uses for which there is
> +   no alternative.  */
>  extern int settimeofday (const struct timeval *__tv,
>  			 const struct timezone *__tz)
>       __THROW;
> 
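
Review bot: In the `gettimeofday` wrapper, the test `__builtin_constant_p ((short) (__intptr_t) __tz) && __tz == 0` stays quiet only for a compile-time null constant, so a caller that forwards a pointer variable which is always null at run time is warned as well. The message string says "non-null or non-constant", but the comment above `__warndecl` says only "non-null __tz argument"; please make the comment match the behaviour. The double-cast comment should also state the requirement that short be a different size from __intptr_t, because the only check for it is the _Static_assert in debug/warning-nop.c, which is not part of this exported header. Style: the new gettimeofday comment ends "instead. */" with one space before the close, where the other comments in this hunk use two.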
