|
Message-ID: <20180213192131.GO1627@brightrain.aerifal.cx> Date: Tue, 13 Feb 2018 14:21:31 -0500 From: Rich Felker <dalias@...c.org> To: musl@...ts.openwall.com Subject: Re: stdio review On Tue, Feb 13, 2018 at 11:59:53AM -0500, Rich Felker wrote: > __fopen_rb_ca.c: > __fopen_rb_ca: > [question] > Is it possible for this function to be called with a length less > than UNGET? No. Perhaps it should be checked, or perhaps we should just drop this function. Obviously it doesn't give new no-fail guarantees since open itself can fail for resource reasons. I think the original intent was just to make it possible to do DNS lookups without linking free; if that still works maybe it's worth keeping. > [comment] > I was unsure what the ca meant until finding a reference in a > deeply nested internal header that it was "caller allocated", > maybe emphasis that in the source file to make review easier. Yes, sounds good. > __lockfile.c: > __lockfile: [nothing] > __unlockfile: [nothing] > > __overflow.c: > __overflow: [question] > The interface contract of this function is it takes int and > returns int, yet the passed in character is truncated through > narrowing conversion to unsigned char for the purposes of > stdio, should that same narrowed conversion be returned or > should the unnarrowed result be returned? This function is actually part of glibc ABI-compat; using it internally too was probably a mistake, and will probably be changed in the future -- I think we can make getc/putc slightly more efficient by doing things in a different way. In any case since the argument _c is being used as a character unconditionally (not special-casing EOF or anything) I think it's clear that returning the value interpreted as a character (unsigned char) is the right thing. > __stdio_exit.c: > close_file: [question] > Function acquires lock on FILE but never unlocks it, this looks > intended since we're exiting stdio? If that's the case this > should probably be commented. It's documented by the macro name FFINALLOCK() instead of FLOCK(). > __stdio_exit: [question] > __stdio_exit_needed: [question] > [comment] > Function acquires lock via __ofl_lock but never calls > __ofl_unlock, this looks intended since we're exiting stdio? > If that's the case this should probably be commented. Yes it's intended, but I'm not sure why it's unclear. Of course if you ever unlock it the state could become inconsistent (new files needing flushing) after you already finished flushing, resulting in nonconforming behavior (their not being flushed). > __stdio_read.c: > __stdio_read: [style] > Tricky expression involving F_EOF/F_ERR and xor masks. Yes that's silly. > __stdio_write.c: > __stdio_write: [question] > Is it possible for len to be less than f->wpos-f->wbase? > > __stdout_write.c: > __stdout_write: [question] > Is it possible for len to be less than f->wpos-f->wbase? This question isn't meaningful; they're not comparable. I think this was a misunderstanding you raised on irc before due to overlooking the iov++. > __toread.c: > __toread: [comment] > It's sister function __towrite comments its' intent, maybe > this should as well for consistency. > > __towrite.c: > __towrite: [style] > What is the purpose of parenthesis around F_NOWR? does it imply > a missing flag in the list, looks suspicious. Good question. I think it comes from commit e3cd6c5c265cd481db6e0c5b529855d99f0bda30 where this code was derived from old code in __overflow that did: if (f->flags & (F_ERR|F_NOWR)) return EOF; > clearerr.c: > clearerr: [nothing] > clearerr_unlocked: [question] > An alias for clearerr but clearerr locks, is this correct? > or should clearerr_unlocked just remove EOF/ERR flags, and > clearerr hold a lock calling clearerr_unlocked? It's intentional; the nonstandard *_unlocked functions are just provided for compat purposes, and there is no reason that they have to omit locking to behave as specified. > dprintf.c: > dprintf: [nothing] > > ext.c: > __flushlbf: [nothing] > __fsetlocking: [nothing] > __fwriting: [nothing] > __freading: [nothing] > __freadable: [nothing] > __fwritable: [nothing] > __flbf: [nothing] > __fbufsize: [nothing] > __fpending: [nothing] > __fpurge: [bug] > fpurge: [bug] > The interface contract for this function is that it returns void > and not int, whereas fpurge returns int, the latter does not > even appear to be part of Linux yet musl aliases them to the > same. Should musl's return void? I'm not sure why we even have fpurge. I agree that these are mistakes but I'm not sure whether fixing them or leaving them is better. They don't seem to hurt anything as-is. > fclose.c: > fclose: [style] > Checking for null pointer before calling free for f->getln_buf Agree, the free should be unconditional. > feof.c: [style] > There's two instances of feof involved, one provided by stdio_impl > that just checks flags without a lock held and this one which means > this file has to #undef. That just seems tricky to me, you could see > an feof somewhere that is using the macro definition where others > could be using a function (depending on includes and include order.) Include order is not an issue (stdio_impl.h includes stdio.h so there is only one possible order) but I agree this is problematic and could introduce bugs into files where stdio_impl.h has been included for an unrelated reason and a libc function calls feof() without the FILE lock already being held. It should be researched whether there are places that actually rely on having the macros to get reasonable/efficient code. If so we should probably rename the macros to feof_unlocked() and ferror_unlocked(). > feof: [nothing] > feof_unlocked: [question] > _IO_feof_unlocked: [question] > Similar to clearerr_unlocked, is this correct? The unlocked > variants are actually locked. Yes, same reason. If this one actually affects performance somewhere that matters we could change it. clearerr certainly should not. > ferror.c: [style] > There's two instances of ferror involved, one provided by stdio_impl > that just checks flags without a lock held and this one which means > this file has to #undef. That just seems tricky to me, you could see > an ferror somewhere that is using the macro definition where others > could be using a function (depending on includes and include oder.) Likewise. > ferror: [nothing] > ferror_unlocked: [question] > _IO_ferror_unlocked: [question] > Similar to clearerr_unlocked and feof_unlocked, is this correct? > The unlocked variants are actually locked. Likewise. > fgetpos.c: > fgetpos: [bug] > using *(off_t*) to write _Int64 data into fpos_t structure when > memcpy should be used, this breaks strict aliasing. Maybe add > an off_t to the fpos_t union? My leaning would be to add the off_t, but the type might not be exposed and thus we would need to find a matching type that is exposed. memcpy would be the nicest solution, but only if we had a way of allowing the compiler to use builtin memcpy; otherwise it's a gratuitous call. > [comment] > POSIX states this function shall fail if the data cannot be > stored in the fpos_t structure but the structure is 16-byte in > size and this is a narrowing conversion. Maybe just comment that > it can never fail. This came up in the test harness several > times. This is purely a matter of implementations that support 32-bit-off_t environments where a 32-bit process's fpos_t might be too small to store a large file offset. musl always uses 64-bit offsets and never has that type of error condition. > fgetwc.c: > __fgetwc_unlocked_internal: [question] > I don't understand the conditional if (l+1 >= 1), is that not > the same as just if (l) since the only time when l+1 >=1 is I don't see how you think it's the same as l, since 0 is false but 0+1>=1 is clearly true. But the real point is that l could be (size_t)-1, in which case l+1>=1 is false. It would be equivalent to if(l+1) or if(l!=(size_t)-1), though. > if l==0, even for overflow. In which case the l += !l part > in the body is even more concerning because !l will always > be false? No, l==0 is a true case; see above. Also see commit 4000b0107ddd7fe733fa31d4f078c6fcd35851d6. The old code used mbrtowc where both (size_t)-2 and (size_t)-1 were possibilities, so the unsigned change check here made more sense. Now there's only one possible exceptional value, not two, so it's not really needed. > fgetws.c: > fgetws: [nothing] > __fgetws_unlocked: [question] > Similar to clearerr_unlocked, feof_unlocked and ferror_unlocked > is this correct? The unlocked variants are actually locked. Again, it's intentional. In the past we got burned by factoring unlocked versions of complex functions -- see commits c002668eb0352e619ea7064e4940b397b4a6e68d and 670d6d01f53b4e85be6b333bf8a137e2be6d3fc3. So I've tried to avoid actually making separate unlocked entry points except for the functions where it could actually matter. > fileno.c: > fileno: [nothing] > fileno_unlocked: [question] > Similar to clearerr_unlocked, feof_unlocked, ferror_unlocked > and __fetws_unlocked is this correct? The unlocked variants are > actually locked. Similar. > fmemopen.c: > mseek: [style] > It does goto upwards. I guess you could call it that, but it's into a block with no path out, so I don't think I would. > Compound literal table to reference whence as a lookup table > as a single expression. I thought this was cute. > mread: [nothing] > mwrite: [nothing] > fmemopen: [bug] > The size check for fmemopen cookie to report ENOMEM is incorrect > with the calloc below. Yes, already fixed in a commit pending push. > [style] > The cookie allocation handling can be greatly simplified with a > nother structure that embeds everything and using the sizeof > that structure instead. Agreed. I want to convert it to that style later. > fopencookie.c: > fopencookie: [bug] > Several other functions which utilize __ofl_add do the following > if (!libc.threaded) f->lock = -1; However this one does not. This was discussed when it was implemented. I think I might have requested a comment added there that got overlooked. The issue is that it's not clear that was can safely omit locks for "cookie" FILEs in a single-threaded process, since it's not clear that the process will still be single-threaded when the cookie callback returns. > freopen.c: > freopen: [bug] > In the case of no filename and the F_SETFL system call failing, > and also __dup3 failing, the file is still locked. On failure, freopen closes the FILE. Yes this an awful design flaw that makes freopen essentially always-unsafe to use, and especially unsafe if there may be concurrent operations from other threads. Anyway, yes, the file is still locked going into fclose, and then its lifetime ends in fclose. > fsetpos.c: > fsetpos: [bug] > off_t is written into here incorrectly and also read incorrectly > as this breaks strict aliasing. Maybe consider putting off_t in > the fpos_t union and referencing it that way to avoid memcpy? Yes this needs to be fixed. Not sure of the best way; see above with fgetpos. > ftell.c: > __ftello_unlocked: [style] > The whole thing is formatted in a confusing to read manner. Would you have preferred the whence expression be written out in a temp var? Or something else? > fwrite.c: > fwrite: [question] > Should there be a check for size*nmemb overflow? This is actually a complicated topic. Formally, I think the C standard reads such that it would be valid for size*nmemb to exceed the size of the data object to be written if you somehow know you'll hit a write error before that happens. However real world implementations don't work like that. In particular, the kernel will error out with EFAULT if the buffer length extends past the valid userspace address range, even if the writes would never happen; the only way to avoid this would be to break longer-than-page writes down into separate page-sized writes. So I think for practical purposes, we have to interpret the standard as requiring that size*nmemb actually reflect the size of the object passed in, and in that case, the multiplication necessarily does not overflow. If there's an interpretation from WG14 contrary to this, we'll have to revisit it. See also https://sourceware.org/bugzilla/show_bug.cgi?id=19165 > getdelim.c: [style] > The MIN macro is never used in this translation unit. Good catch. It was actually never used, even in old revisions, so its use must predate the original check-in... > gets.c: > gets: [optimize] > The length of the string is calculated twice to strip the > newline character off it. Why not rewrite it as: > if (ret) { size_t i = strlen(s)-1; if (s[i] == '\n') s[i] = 0; } Seriously, this is gets. It's always unsafe, deprecated, removed from the current C standard. If it's gratuitously slow too, great. :-) > open_memstream.c: > ms_seek: [style] > It does goto upwards. > > Compound literal table to reference whence as a lookup table > as a single expression. > > The function would be less tricky if just rewritten. See replies on fmemopen. > ms_write: [nothing] > ms_close: [nothing] > open_memstream: [question] > Why does this allocate a 1 byte buffer? That seems small. This? if (!(buf=malloc(sizeof *buf))) { It needs to be at least 1 to be valid. The way size tracking is done, I'm not sure it would help to allocate larger now, since realloc will get called anyway on the first write. > [style] > This is also doing the weird arithmetic as well for the cookie > This function can be rewritten much nicer. There are a lot of awful requirements on open_memstream, and we meet most but not all of them. It probably does need to be rewritten, but I'm doubtful that the result will be very simple. > setvbuf.c: > setvbuf: [bug] > No locks are ever held on the file when changing fields of it. "The setvbuf function may be used only after the stream pointed to by stream has been associated with an open file and before any other operation (other than an unsuccessful call to setvbuf) is performed on the stream." (7.21.5.6, ΒΆ 2) If there are other concurrent calls on the FILE possible, the above requirement has been violated and the program has undefined behavior. > ungetwc.c: > ungetwc: [style] > Ignoring the overly long if statement, the non-ascii route below > does memcpy(f->rpos -= l, mbc, l) and that is just odd since I > read that as f->rpos - l initially which almost looks correct > but failing to update rpos which is when I noticed it actually > does -=. It's analogous to the *-- in the line immediately above. > vfprintf.c: > out: [nothing] > pad: [nothing] > fmt_x: [nothing] > fmt_o: [nothing] > fmt_u: [nothing] > fmt_fp: [question] > getint: [bug] > This function overflows on INT_MIN for the else case. I don't understand. Where does INT_MIN come from? It's reading nonnegative values. > printf_core: [style] > if (0) cutting into switch statements specified in a very smart > order to make for really tiny code. This whole function is > impossible to audit. I tried, I really did. Things like this: > *(a=z-(p=1))=arg.i; are really tricky. > vfprintf: [nothing] Yes. It's known that there's a good deal of ugly style, but also that simple changes to it just make the code gratuitously larger without making it perform better or have any other better properties aside from "less ugly". So it's hard to justify spending effort making and testing changes that end up outwardly looking like "pure size regressions". > vfscanf.c: > store_int: [nothing] > arg_n: [nothing] > vfscanf: [bug] > __isoc99_vfscanf: > Calculating width using the same 10*n+*c-'0' trick can overflow > on INT_MIN. I don't understand this either. > [style] > This function gets really difficult to audit further down. It's > just very dense and should be split up somehow. Yes, maybe so. Similar issues to printf. > vswprintf.c: > sw_write: [nothing] > vswprintf: [style] > sizeof(FILE) should be sizeof f Rather memset shouldn't be used here anyway. > compound initializer should be used for file instead of what > ever is done here, every other function that creates local FILE > struct does it as FILE f = { .member = value, ... }, is this > different because of the memset? is the memset even needed? Exactly. > ======================================================================== > src/internal > ======================================================================== > > stdio_impl.h: [style] > FUNLOCK macro has a trailing else which prompted me to look at every > single instance of FUNLOCK to make sure all of them contained a > semicolon. This is just dangerous, why not use the more common > idiom of do { } while (0). Indeed that should be fine. > [comment] > The _IO_FILE is ABI compat with glibc but this isn't documented any > where in the header which makes members like mustbezero_{1,2} really > confusion and the layout of members within the structure as well, > since the size of a FILE can be made much smaller just by sorting > the members which is something someone may want to do. I don't see how it would be smaller by sorting. There are only a few gaps. int fields come in pairs (relevant on 64-bit) and the signed char fields have some padding around them but not much. Of course it still would be nice to add a comment that the layout is ABI if glibc compat is desired. > [style] > feof/ferror macros which are unlocked, this requires that code > inside src/stdio actually #undef them when implementing and anything > inside there that requires these _must_ avoid including stdio.h over > this to ensure it uses the right ones. I would just call these > something else like __feof_ui/__ferror_ui (unlocked internal) then > no weird #undef is needed and the intent is clear. See comments on them above. > shgetc.h: [comment] > Maybe document this is the "scan helper" interface because it was > not obvious what the naming was. Agreed. > intscan.h: [style] > It isn't apparent for why <stdio.h> needs to be included. Should > just forward declare struct FILE; here instead. That would not work, because it's *not* struct FILE, it's FILE, which happens to be defined as "struct _IO_FILE", but that's an implementation detail. Including <stdio.h> is the clean way to have that. > floatscan.h: [style] > It isn't apparent for why <stdio.h> needs to be included. Should > just forward declare struct FILE; here instead. Same. I think that covers almost everything; I omitted all the [nothing] findings to make this email less dense. Some of the above are things I can start improving right away after getting a release out; others require more thought on how to do them without making things worse in some aspect or another. Thanks for taking the time to do this and posting your findings. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.