Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20130704081245.GN29800@brightrain.aerifal.cx>
Date: Thu, 4 Jul 2013 04:12:45 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Use of size_t and ssize_t in mseek

On Thu, Jul 04, 2013 at 09:11:29AM +0200, Jens Gustedt wrote:
> > qsort_s can store the comparison function and context in TLS, and then
> > pass to qsort a comparison function that grabs these from TLS and
> > calls the original comparison function with the context pointer. This
> > is valid assuming qsort does not run the comparisons in new threads.
> 
> sure, but for an execution of qsort_s this would have a lot of
> indirections and a call to TLS for every comparison. For performance
> sensible functions like this, this doesn't sound very attractive.

If it's inside musl, the TLS dereference is very cheap on most archs:
it's just a constant offset from the thread pointer. Same if the code
were static linked in the main program. Otherwise, if it's a dynamic
library, then yes it would be fairly costly, like you say.

> (In P99 I do that with inlining and gcc shows to be able to expand all
> comparisons in place and to optimize that smoothly.)

Nice. I'll have to take a look -- I've always wanted to see a fully
inlined qsort that could be compared to the C++ template-based sorts
to demonstrate that inline functions in C can do just as good or
better, inlining the comparison callback... :)

> > TLS is not guaranteed to exist when these functions are called;
> > programs not using any multi-threaded functionality are supposed to
> > "basically work" on Linux 2.4. I don't mind having the Annex K
> > functions depend on TLS, since only new programs will use them anyway,
> > but I don't want to break existing programs.
> 
> My guess would be that you can alias the TLS variable that would
> control that behavior to a simple global variable in the case of
> absence of threads.

Yes, that can be done, but I'd probably rather just use the FILE...

> > What I was saying is that, in library code, you can't rely on this.
> > The application may have installed a handler that causes the functions
> > to just return an error, or the default implementation-defined handler
> > might do so.
> 
> sure, but I don't see any problem in this. continuing execution is
> one of the permitted path that a constraint handler may take. these
> are user interfaces, not meant to be used internally by the C library,
> I think.

I was thinking of third-party libraries that aim to be proper library
code, not use in the standard library.

> I think there are some of these interfaces that are not too bad, from
> a user perspective these interfaces are relatively simple to use.

I find the str/mem functions rather confusing, with their redundant
size arguments and all.

> Especially qsort_s is nice

I agree. IMO it's a shame it was done as part of Annex K and not the
base standard. Unlike most of Annex K, it serves a real purpose.

> and I also see advantages in being able to
> inhibit certain dangerous printf or scanf formats.

For printf, there's nothing dangerous about %n. This is a
misconception based on knee-jerk reactions to format string bugs. The
only thing that's dangerous is passing non-format-strings as the
format-string argument to printf.

For scanf, having size limits on strings to be read is useful. I was
under the mistaken impression that exceeding the limit was a runtime
constraint violation, which would have made scanf_s useless, but it's
specified to be a matching failure. Still, the same can be achieved
with plain scanf and a field width specifier. And if you need the
width to vary at runtime, you can generate the format string with
snprintf... So scanf_s buys you a little bit of convenience, but not
much more.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.