linux-toolchains.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alexander Potapenko <glider@google.com>
To: Segher Boessenkool <segher@kernel.crashing.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Evgenii Stepanov <eugenis@google.com>,
	Kees Cook <keescook@chromium.org>, Marco Elver <elver@google.com>,
	Nathan Chancellor <nathan@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Vitaly Buka <vitalybuka@google.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-toolchains <linux-toolchains@vger.kernel.org>
Subject: Re: [PATCH] [RFC] Initialization of unused function parameters
Date: Wed, 15 Jun 2022 10:30:17 +0200	[thread overview]
Message-ID: <CAG_fn=UPyoySbzbLQnJkgbfcSkyCD11M=e+W4-T_WoQCXEPFGA@mail.gmail.com> (raw)
In-Reply-To: <20220614214039.GA25951@gate.crashing.org>

On Tue, Jun 14, 2022 at 11:45 PM Segher Boessenkool
<segher@kernel.crashing.org> wrote:
>
> Hi!
>
> On Tue, Jun 14, 2022 at 10:19:53PM +0200, Alexander Potapenko wrote:
> > ================
> > char *kmalloc(int size);
> >
> > char *kmalloc_or_not(int flag, int size, char *p) {
> >   if (flag)
> >     return kmalloc(size);
> >   else
> >     return p;
> > }
> >
> > char global[16];
> >
> > char *p(int flag) {
> >   char *c;
> >   int size;
> >   if (flag)
> >     return kmalloc_or_not(1, 4, c);
> >   else
> >     return kmalloc_or_not(0, size, global);
> > }
> > ================
>
> Since C11, lvalue conversion of an automatic variable that does not have
> its address taken is explicitly undefined behaviour (6.3.2.1/2).  So in
> function "p", both where "c" and where "size" are passed causes UB (so
> that executing "p" always causes UB btw).

Thanks for this reference to the standard. I've received another one
off-list, which lets the variables be address-taken:

6.2.4/6: "If an initialization is specified for the object, it is
performed each time the declaration or compound literal is reached in
the execution of the block; otherwise, the value becomes indeterminate
each time the declaration is reached."
3.19.2/1: "indeterminate value: either an unspecified value or a trap
representation"
6.2.6.1/5: "Certain object representations need not represent a value
of the object type. If the stored value of an object has such a
representation and is read by an lvalue expression that does not have
character type, the behavior is undefined. If such a representation is
produced by a side effect that modifies all or any part of the object
by an lvalue expression that does not have character type, the
behavior is undefined. [Footnote: Thus, an automatic variable can be
initialized to a trap representation without causing undefined
behavior, but the value of the variable cannot be used until a proper
value is stored in it.] Such a representation is called a trap
representation."


> > In this example `size` is passed into kmalloc_or_not() initialized,
> > however it is never used, so the code probably has defined behavior.
>
> No such luck: the passing itself already causes UB.

Looks like I've been missing this fact all the time.

> GCC does not warn, it has already optimised the code to what you expect
> by the time this warning is done.  If you use -fno-inline it does warn
> for both "c" and "size" (via -Wmaybe-uninitialized).
>
> But it is still UB!  All bets are off, no compiler can do any correct
> translation of your program, since there *is none*.

Then it makes sense for us to report non-trivial cases where
uninitialized values are actually passed to functions.
As Evgenii mentions, trivial inlinable cases are optimized away before
KMSAN instrumentation kicks in, so we won't be reporting them.

>
> Segher



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Diese E-Mail ist vertraulich. Falls Sie diese fälschlicherweise
erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes
weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich
bitte wissen, dass die E-Mail an die falsche Person gesendet wurde.


This e-mail is confidential. If you received this communication by
mistake, please don't forward it to anyone else, please erase all
copies and attachments, and please let me know that it has gone to the
wrong person.

  parent reply	other threads:[~2022-06-15  8:31 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-14 14:48 [PATCH] [RFC] Initialization of unused function parameters Alexander Potapenko
2022-06-14 16:48 ` Linus Torvalds
2022-06-14 17:11   ` Nick Desaulniers
2022-06-14 17:24     ` Linus Torvalds
2022-06-14 18:08       ` Nick Desaulniers
2022-06-14 22:27         ` Peter Zijlstra
2022-06-14 18:07   ` Alexander Potapenko
2022-06-14 18:30     ` Linus Torvalds
2022-06-14 20:19       ` Alexander Potapenko
2022-06-14 20:43         ` Linus Torvalds
2022-06-14 21:40         ` Segher Boessenkool
2022-06-14 22:08           ` Evgenii Stepanov
2022-06-15  8:30           ` Alexander Potapenko [this message]
2022-06-15 16:46             ` Segher Boessenkool

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAG_fn=UPyoySbzbLQnJkgbfcSkyCD11M=e+W4-T_WoQCXEPFGA@mail.gmail.com' \
    --to=glider@google.com \
    --cc=elver@google.com \
    --cc=eugenis@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-toolchains@vger.kernel.org \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=segher@kernel.crashing.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=vitalybuka@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).