From: Zack Weinberg via Libc-alpha <libc-alpha@sourceware.org>
To: libc-alpha@sourceware.org
Subject: Re: bind(2): Missing [[gnu::nonnull]]
Date: Mon, 5 Dec 2022 13:53:48 -0500 [thread overview]
Message-ID: <acca49bb-4ae7-b4cd-3005-ad0acf149a9d@owlfolio.org> (raw)
In-Reply-To: <87y1rnf1mw.fsf@oldenburg.str.redhat.com>
On 2022-12-04 1:46 PM, Florian Weimer via Libc-alpha wrote:
> * Alejandro Colomar via Libc-alpha:
>> On 12/4/22 06:59, Xi Ruoyao wrote:
>>> On Sat, 2022-12-03 at 20:05 +0100, Andreas Schwab wrote:
>>>>> Currently the man page says:
>>>>
>>>> You can never depend on EFAULT for invalid addresses.
>>> Hmm, is this documented somewhere?
>>
>> I don't know, but let me have an educated guess:
>>
>> Holding a pointer to invalid memory is Undefined Behavior by the
>> standard, except if that pointer is NULL, or is still indeterminate
>> because the pointer has not yet been initialized with a valid address.
>> Using an uninitialized pointer is UB as using any uninitialized
>> variable. Using a NULL pointer is only okay for comparisons, or as a
>> sentinel value, but never for accessing memory. So chances are high
>> that the program will already have invoked UB at the time bind(2) is
>> called with an invalid address.
>
> Currently, Linux does not report for vDSO-accelerated system calls, but
> generates SIGSEGV. We received bug reports when we added vDSO support
> for time/gettimeofday/clock_gettime because some tests were relying on
> the EFAULT behavior.
I don't have time to dig through POSIX and find it now, but I'm like 95%
sure there's explicit wording to the effect that the OS is allowed to
send SIGSEGV under any circumstance that's documented to result in an
EFAULT error, and vice versa. That should be good enough for the
_manpages_, but I think the _headers_ probably need to be more cautious
about adding annotations that can cause compilers to draw new inferences
about which control flow paths are unreachable.
I imagine this would be a hard sell with the "never break userspace"
crowd but I would _like_ Linux to at least have a mode in which it would
always send SIGSEGV rather than producing EFAULT. It seems like it
would be helpful for debugging.
zw
prev parent reply other threads:[~2022-12-05 18:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-03 15:33 bind(2): Missing [[gnu::nonnull]] Alejandro Colomar via Libc-alpha
2022-12-03 15:55 ` Xi Ruoyao via Libc-alpha
2022-12-03 16:41 ` Alejandro Colomar via Libc-alpha
2022-12-03 19:05 ` Andreas Schwab
2022-12-03 19:12 ` Alejandro Colomar via Libc-alpha
2022-12-04 5:59 ` Xi Ruoyao via Libc-alpha
2022-12-04 11:14 ` Alejandro Colomar via Libc-alpha
2022-12-04 18:46 ` Florian Weimer via Libc-alpha
2022-12-05 18:53 ` Zack Weinberg via Libc-alpha [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/libc/involved.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acca49bb-4ae7-b4cd-3005-ad0acf149a9d@owlfolio.org \
--to=libc-alpha@sourceware.org \
--cc=zack@owlfolio.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).