Message ID | 20230710150454.5490-1-cristian@rodriguez.im |
---|---|
Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id A80313858C5E for <patchwork@sourceware.org>; Mon, 10 Jul 2023 15:05:27 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A80313858C5E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1689001527; bh=v59coXO9FJvsF5Em9TktBaMzAejKtGJTvbhUwrJ95eY=; h=To:Cc:Subject:Date:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:From; b=cTfpVwtmrMEgjuLaPA069sITJdkF4uMlzcUKUM6rIlG61NIdutfLc3tNNZeKLkFuy 9sxo3oqYbo1C77riuWdOhXRl+bFhxhlv30yey4f2qKgVtutRRnL49kP16ZOECHI8cH kEqlFkauHAU9mVzPeAbDL8rlHVsESSQqu9Z03MWA= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) by sourceware.org (Postfix) with ESMTPS id B7F163857350 for <libc-alpha@sourceware.org>; Mon, 10 Jul 2023 15:05:04 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org B7F163857350 Received: by mail-ot1-x331.google.com with SMTP id 46e09a7af769-6b96712d49dso280005a34.0 for <libc-alpha@sourceware.org>; Mon, 10 Jul 2023 08:05:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689001504; x=1691593504; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=v59coXO9FJvsF5Em9TktBaMzAejKtGJTvbhUwrJ95eY=; b=j7d96Rb8vvgQmXSJ1dFO5JHLcKqMXt9JuceuhL7nJsUvnr7HRX+yP2S1lFC4sFq13X uUa6IF3lHYtBsLeH9KOqBgnO3RoU+VFhWYC+rlV+VUqRyubkbZm0l7E/NJxNGN9gc+Q1 1OLsy1f2uet6gL4DsNMtCgAF3n2AletrJ+LZL+hSNWWpqGxTTfKteEa3q2fz5gkQeyDF LxA29xLPNnq+Ups/lHWmbSim2JflXxZG62rQvm5ILDajseP9z1oOwEwJ3MkmwIEHzlvz bOEQyBcsECIiSF6D7iucG1o2BWqSfimXa+aiH2IC1GHouiurYJvNft5QlKdFasWoEUTF 40MA== X-Gm-Message-State: ABy/qLb2i3q25nvSX0JfbQlghuTcVjmI63ZxSXh5NSIpvA5oZlhwPoNK vYHHaWY2dcu1iTL2Sx1dsAIa28odd8HJmodz/j0= X-Google-Smtp-Source: APBJJlFkXEb/sMmUlGXxhvlksS2qtqntsTsB2DjdJ72bz+JBG6hbS7WZEv9JmN29/BoFqkV7zkfxGg== X-Received: by 2002:a9d:5a84:0:b0:6b8:e2bf:c4e8 with SMTP id w4-20020a9d5a84000000b006b8e2bfc4e8mr9083405oth.3.1689001503719; Mon, 10 Jul 2023 08:05:03 -0700 (PDT) Received: from tumbleweedvm.. (181-162-56-31.baf.movistar.cl. [181.162.56.31]) by smtp.gmail.com with ESMTPSA id r2-20020a9d7cc2000000b006b756242c98sm48236otn.19.2023.07.10.08.05.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Jul 2023 08:05:03 -0700 (PDT) To: libc-alpha@sourceware.org Cc: =?utf-8?q?Cristian_Rodr=C3=ADguez?= <cristian@rodriguez.im> Subject: [PATCH 0/6] Support use of -fstrict-flex-arrays in user code Date: Mon, 10 Jul 2023 15:04:36 +0000 Message-ID: <20230710150454.5490-1-cristian@rodriguez.im> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.0 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> From: =?utf-8?q?Cristian_Rodr=C3=ADguez_via_Libc-alpha?= <libc-alpha@sourceware.org> Reply-To: =?utf-8?q?Cristian_Rodr=C3=ADguez?= <cristian@rodriguez.im> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> |
Series |
Support use of -fstrict-flex-arrays in user code
|
|
Message
Cristian Rodríguez
July 10, 2023, 3:04 p.m. UTC
Currently GCC 13 -fstrict-flex-arrays cannot be used safely with user code because the library makes use of pre-c99 flexible arrays. This series introduces a macro to annotate such uses and grandfathers-in this legacy use. This series only cover the user-visible *library* types. the linux kernel types are subject to a different patch set and discussion since the kernel has moved on to c11 leaving pre-c99 compatibilty behind. Cristian Rodríguez (6): Introduce __decl_is_flex_array macro dlfcn : annotate dls_serpath with __decl_is_flex_array inet: annotate tu_data and tu_stuff with __decl_is_flex_array inet: annotate ip6r0_addr with __decl_is_flex_array io: annotate fts_name with __decl_is_flex_array misc: annotate q_data with __decl_is_flex_array dlfcn/dlfcn.h | 2 +- inet/arpa/tftp.h | 6 ++++-- inet/netinet/ip6.h | 2 +- io/fts.h | 4 ++-- misc/search.h | 2 +- misc/sys/cdefs.h | 6 ++++++ 6 files changed, 15 insertions(+), 7 deletions(-)
Comments
On Mon, Jul 10, 2023 at 11:05 AM Cristian Rodríguez <cristian@rodriguez.im> wrote: > Currently GCC 13 -fstrict-flex-arrays cannot be used safely with user > code because the library makes use of pre-c99 flexible arrays. > > This series introduces a macro to annotate such uses and grandfathers-in > this legacy use. > > This series only cover the user-visible *library* types. the linux kernel > types > are subject to a different patch set and discussion since the kernel has > moved on to c11 leaving pre-c99 compatibilty behind. > > > > Any comments about this series.. ? as is it should introduce no regressions.
On 19/07/23 09:40, Cristian Rodríguez via Libc-alpha wrote: > On Mon, Jul 10, 2023 at 11:05 AM Cristian Rodríguez <cristian@rodriguez.im> > wrote: > >> Currently GCC 13 -fstrict-flex-arrays cannot be used safely with user >> code because the library makes use of pre-c99 flexible arrays. >> >> This series introduces a macro to annotate such uses and grandfathers-in >> this legacy use. >> >> This series only cover the user-visible *library* types. the linux kernel >> types >> are subject to a different patch set and discussion since the kernel has >> moved on to c11 leaving pre-c99 compatibilty behind. >> >> >> >> > Any comments about this series.. ? as is it should introduce no > regressions. Can't we use the already define __flexarr/__glibc_c99_flexarr_available macro instead? Or do we really need to handle the usage of -fstrict-flex-arrays with pre-c99 usage?
On Wed, Jul 19, 2023 at 10:27 AM Adhemerval Zanella Netto < adhemerval.zanella@linaro.org> wrote: > > > On 19/07/23 09:40, Cristian Rodríguez via Libc-alpha wrote: > > On Mon, Jul 10, 2023 at 11:05 AM Cristian Rodríguez < > cristian@rodriguez.im> > > wrote: > > > >> Currently GCC 13 -fstrict-flex-arrays cannot be used safely with user > >> code because the library makes use of pre-c99 flexible arrays. > >> > >> This series introduces a macro to annotate such uses and grandfathers-in > >> this legacy use. > >> > >> This series only cover the user-visible *library* types. the linux > kernel > >> types > >> are subject to a different patch set and discussion since the kernel has > >> moved on to c11 leaving pre-c99 compatibilty behind. > >> > >> > >> > >> > > Any comments about this series.. ? as is it should introduce no > > regressions. > > > Can't we use the already define __flexarr/__glibc_c99_flexarr_available > macro > instead? If I did only that, sizeof public structures may change causing an abi break. if breaking the ABi is an option then one can switch completely to c99 flexible arrays and using/importing DECL_FLEX_ARRAY macro from the linux kernel and move on. I concluded it was better to grandfather them in and leave them as special cases is the less painful solution for user visible parts, internals can just use standard flex arrays.
On 19/07/23 11:57, Cristian Rodríguez wrote: > > > On Wed, Jul 19, 2023 at 10:27 AM Adhemerval Zanella Netto <adhemerval.zanella@linaro.org <mailto:adhemerval.zanella@linaro.org>> wrote: > > > > On 19/07/23 09:40, Cristian Rodríguez via Libc-alpha wrote: > > On Mon, Jul 10, 2023 at 11:05 AM Cristian Rodríguez <cristian@rodriguez.im <mailto:cristian@rodriguez.im>> > > wrote: > > > >> Currently GCC 13 -fstrict-flex-arrays cannot be used safely with user > >> code because the library makes use of pre-c99 flexible arrays. > >> > >> This series introduces a macro to annotate such uses and grandfathers-in > >> this legacy use. > >> > >> This series only cover the user-visible *library* types. the linux kernel > >> types > >> are subject to a different patch set and discussion since the kernel has > >> moved on to c11 leaving pre-c99 compatibilty behind. > >> > >> > >> > >> > > Any comments about this series.. ? as is it should introduce no > > regressions. > > > Can't we use the already define __flexarr/__glibc_c99_flexarr_available macro > instead? > > > If I did only that, sizeof public structures may change causing an abi break. > if breaking the ABi is an option then one can switch completely to c99 flexible arrays and using/importing DECL_FLEX_ARRAY macro from the linux kernel and move on. > > I concluded it was better to grandfather them in and leave them as special cases is the less painful solution for user visible parts, internals can just use standard flex arrays. > Fair enough, it is unfortunate that we had to use old flexible array syntax on public headers.
On Wed, Jul 19, 2023 at 1:48 PM Adhemerval Zanella Netto < adhemerval.zanella@linaro.org> wrote: > > Fair enough, it is unfortunate that we had to use old flexible array syntax > on public headers. > Any hope on getting this merged or get other feedback ?
On 2023-07-19 07:57, Cristian Rodríguez via Libc-alpha wrote: >> Can't we use the already define __flexarr/__glibc_c99_flexarr_available >> macro >> instead? > > If I did only that, sizeof public structures may change causing an abi > break. Why would it cause an ABI break? For example, no program's machine code should depend on sizeof (FTSENT). fts.h's FTSENT is supposed to be an incomplete data type, like FILE: the system allocates FTSENT objects, not user code. So I don't see the harm in replacing [1] with [] in the definition of FTSENT's fts_name member, if the compiler supports flex arrays.
Hi Paul, Cristian, On 2023-08-12 00:10, Paul Eggert wrote: > On 2023-07-19 07:57, Cristian Rodríguez via Libc-alpha wrote: >>> Can't we use the already define __flexarr/__glibc_c99_flexarr_available >>> macro >>> instead? >> >> If I did only that, sizeof public structures may change causing an abi >> break. > > Why would it cause an ABI break? > > For example, no program's machine code should depend on sizeof (FTSENT). +1 > fts.h's FTSENT is supposed to be an incomplete data type, like FILE: the > system allocates FTSENT objects, not user code. So I don't see the harm > in replacing [1] with [] in the definition of FTSENT's fts_name member, > if the compiler supports flex arrays. > I'll raise the bid, and claim that no valid program can depend on sizeof() of any struct with a flexible array member, of any kind (old `[1]`, zero-length `[0]`, nor standard `[]`). It is conceptually wrong to calculate sizeof() it, and the right thing to do is to call offseof(s, fam). In the best case, sizeof() will return the same as offsetof(3), and the program will happen to work. But in some cases, it will return a value slightly bigger (ISO C guarantees that it will not be smaller, for no reason I think), and in those cases, the program must have a bug. That bug can either be benign, and the program will just be wasting a few bytes, or it can be bad, and read memory a few bytes off from where it was written (still within the allocation bounds, so it won't crash; at least not directly due to that, but maybe by a secondary bug). See this GCC thread where I propose adding a warning when sizeof(flexi_struct) is used in arithmetics. There's an example program showing why sizeof() is (almost) always a bad thing with these structures. In the only use case where sizeof() is valid, reducing it wouldn't change program behavior (it's within a malloc(MAX(sizeof(s), ...));). Cheers, Alex
On 2023-08-12 13:07, Alejandro Colomar wrote: > Hi Paul, Cristian, > > On 2023-08-12 00:10, Paul Eggert wrote: >> On 2023-07-19 07:57, Cristian Rodríguez via Libc-alpha wrote: >>>> Can't we use the already define __flexarr/__glibc_c99_flexarr_available >>>> macro >>>> instead? >>> >>> If I did only that, sizeof public structures may change causing an abi >>> break. >> >> Why would it cause an ABI break? >> >> For example, no program's machine code should depend on sizeof (FTSENT). > > +1 > > >> fts.h's FTSENT is supposed to be an incomplete data type, like FILE: the >> system allocates FTSENT objects, not user code. So I don't see the harm >> in replacing [1] with [] in the definition of FTSENT's fts_name member, >> if the compiler supports flex arrays. >> > > I'll raise the bid, and claim that no valid program can depend on > sizeof() of any struct with a flexible array member, of any kind (old > `[1]`, zero-length `[0]`, nor standard `[]`). > > It is conceptually wrong to calculate sizeof() it, and the right thing to > do is to call offseof(s, fam). > > In the best case, sizeof() will return the same as offsetof(3), and the > program will happen to work. But in some cases, it will return a value > slightly bigger (ISO C guarantees that it will not be smaller, for no > reason I think), and in those cases, the program must have a bug. That > bug can either be benign, and the program will just be wasting a few > bytes, or it can be bad, and read memory a few bytes off from where it > was written (still within the allocation bounds, so it won't crash; at > least not directly due to that, but maybe by a secondary bug). > > See this GCC thread where I propose adding a warning when Oops, I forgot to paste the link. <https://inbox.sourceware.org/gcc/dac8afb7-5026-c702-85d2-c3ad977d9a48@kernel.org/T/> > sizeof(flexi_struct) is used in arithmetics. There's an example program > showing why sizeof() is (almost) always a bad thing with these structures. > In the only use case where sizeof() is valid, reducing it wouldn't > change program behavior (it's within a malloc(MAX(sizeof(s), ...));). > > Cheers, > Alex >
On Fri, Aug 11, 2023 at 6:10 PM Paul Eggert <eggert@cs.ucla.edu> wrote: > On 2023-07-19 07:57, Cristian Rodríguez via Libc-alpha wrote: > >> Can't we use the already define __flexarr/__glibc_c99_flexarr_available > >> macro > >> instead? > > > > If I did only that, sizeof public structures may change causing an abi > > break. > > Why would it cause an ABI break? > > For example, no program's machine code should depend on sizeof (FTSENT). > fts.h's FTSENT is supposed to be an incomplete data type, like FILE: the > system allocates FTSENT objects, not user code. So I don't see the harm > in replacing [1] with [] in the definition of FTSENT's fts_name member, > if the compiler supports flex arrays. > I , unsurprisingly, agree with your rationale. been just extremely conservative to avoid breaking even wrong programs..all this would be easier if there was a way to "error: sizeof cannot be used correctly on struct blabla" and fail compile in the first place.
On 2023-08-12 07:53, Cristian Rodríguez wrote: > I , unsurprisingly, agree with your rationale. Then let's do that instead. > been just extremely > conservative to avoid breaking even wrong programs. I can't offhand see what plausible-but-wrong program would break. One can imagine implausible scenarios where these invalid programs would break. But they're so unlikely we needn't worry about them.