From: Alexandre Oliva
To: Florian Weimer
Cc: GNU C Library
Subject: Re: MT-safe annotations for gcvt and related functions
References: <548ACAD9.6010906@redhat.com> <549089A1.4030705@redhat.com>
Date: Thu, 18 Dec 2014 03:39:25 -0200
In-Reply-To: <549089A1.4030705@redhat.com> (Florian Weimer's message of "Tue, 16 Dec 2014 20:36:01 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0

On Dec 16, 2014, Florian Weimer wrote:

> On 12/16/2014 08:25 PM, Alexandre Oliva wrote:
>> The comments right after the lines you quoted above state:
>>
>> @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s
>> @c args_value if it's too large, but gcvt never exercises this path.
>>
>> which agrees with your observation, but not with the conclusion. Do you
>> see any actual unsafe path that disagrees with my conclusions and
>> annotations in the comments above, or were you just going by the general
>> safety remarks about sprintf et al?

> I was going with the common knowledge that sprintf isn't
> async-signal-safe. :-/

Ah, good. Here's a patch that adds further comments, elaborating the
rationale for gcvt to be safe.

Ok to install?

for ChangeLog

	* manual/arith.texi (gcvt): Expand safety rationale.
---
 manual/arith.texi | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/manual/arith.texi b/manual/arith.texi
index 72682f0..dd9d060 100644
--- a/manual/arith.texi
+++ b/manual/arith.texi
@@ -2670,6 +2670,14 @@ to @code{fcvt}. @safety{@prelim{}@mtsafe{}@assafe{}@acsafe{}} @c gcvt calls sprintf, that ultimately calls vfprintf, which malloc()s @c args_value if it's too large, but gcvt never exercises this path. +@c vfprintf and printf_fp might malloc() other buffers too, but only if +@c the involved sizes exceeded the alloca limit, but the NDIGIT_MAX +@c limits ensure any required buffers will be well below the alloca +@c limit. printf_fp also accesses the locale object, but it +@c dereferences the locale pointer to a const locale object only once +@c (due to compiler optimizations over all _NL_CURRENT uses), and it is +@c called only once by vfprintf with the given format string, so it is +@c safe even under concurrent locale changes. @code{gcvt} is functionally equivalent to @samp{sprintf(buf, "%*g", ndigit, value}. It is provided only for compatibility's sake. It returns @var{buf}.
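Review bot: the locale part of the added rationale rests on "compiler optimizations over all _NL_CURRENT uses" collapsing printf_fp's reads of the locale pointer into a single dereference, which is an observed property of the current build rather than something the code guarantees, so the @assafe{} claim under concurrent locale changes is only as strong as that codegen; consider stating the property that must hold (the locale pointer is loaded once and every _NL_CURRENT read goes through that one load) and noting that the annotation needs rechecking if printf_fp or the _NL_CURRENT macros change. Two smaller points on the same lines: "but only if the involved sizes exceeded the alloca limit, but the NDIGIT_MAX limits ensure ..." would read better with the second "but" dropped or the sentence split, and since the argument is that NDIGIT_MAX keeps every buffer below the alloca limit, naming the bound in the comment would let a future reader verify it without opening printf_fp. Outside the added lines but visible in the trailing context, `@samp{sprintf(buf, "%*g", ndigit, value}` closes the call with `}` where `)` is expected; worth fixing in the same or a follow-up commit.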