From owner-svn-src-all@freebsd.org Tue Oct 1 16:33:30 2019
Date: Tue, 1 Oct 2019 19:33:20 +0300
From: Konstantin Belousov
To: Brooks Davis
Cc: Warner Losh, Mateusz Guzik, Warner Losh, src-committers, svn-src-all, svn-src-head
Subject: Re: svn commit: r352795 - head/lib/libc/sys
Message-ID: <20191001163320.GX44691@kib.kiev.ua>
References: <201909271611.x8RGBl0H036116@repo.freebsd.org> <20190927184623.GM44691@kib.kiev.ua> <20190928072548.GN44691@kib.kiev.ua> <20191001162305.GM93439@spindle.one-eyed-alien.net>
In-Reply-To: <20191001162305.GM93439@spindle.one-eyed-alien.net>
User-Agent: Mutt/1.12.2 (2019-09-21)
On Tue, Oct 01, 2019 at 04:23:05PM +0000, Brooks Davis wrote:
> On Sat, Sep 28, 2019 at 10:25:48AM +0300, Konstantin Belousov wrote:
> > On Fri, Sep 27, 2019 at 03:19:59PM -0600, Warner Losh wrote:
> > > On Fri, Sep 27, 2019 at 2:38 PM Mateusz Guzik wrote:
> > >
> > > > On 9/27/19, Konstantin Belousov wrote:
> > > > > On Fri, Sep 27, 2019 at 08:32:20PM +0200, Mateusz Guzik wrote:
> > > > >> On 9/27/19, Warner Losh wrote:
> > > > >> > Document variadic args as int, since you can't have short variadic
> > > > >> > args (they are promoted to ints).
> > > > >> >
> > > > >> > - `mode_t` is `uint16_t` (`sys/sys/_types.h`)
> > > > >> > - `openat` takes variadic args
> > > > >> > - variadic args cannot be 16-bit, and indeed the code uses int
> > > > >> > - the manpage currently kinda implies the argument is 16-bit by
> > > > >> >   saying `mode_t`
> > > > >> >
> > > > >> But opengroup says it is mode_t. Perhaps it is mode_t which needs
> > > > >> to be changed?
> > > > >
> > > > > Yes, users must pass mode_t, and the man page is written for users.
> > > > > Implementation needs to be aware of the implicit promotion and handle
> > > > > it accordingly.
> > > > >
> > > > > In theory, mode_t might be wider than int.
> > > > >
> > > >
> > > > So I think the change should be reverted. Whatever workaround is in
> > > > place in rust should remain for the current codebase.
> > > >
> > >
> > > Rust needs to understand that it's not C. Its mistake was assuming it was
> > > just like C and this is a case where the languages differ because C is so
> > > quirky.
> > >
> > > > If anyone is to fix the problem they should bump mode_t to uint32_t,
> > > > to match Linux. This is ABI breakage, I don't know how that's handled.
> > > >
> > >
> > > That's not going to happen. And there's no need. It would cause more
> > > heartache than it's worth.
> > >
> > > > I have no interest in handling any of this, but the change committed
> > > > is definitely wrong.
> > > >
> > >
> > > I tend to agree, but the manual was/is incomplete. The arg *IS* promoted to
> > > an int, per normal C rules, so that part is right and there's no
> > > type-checking against truncation or the wrong type being used as would be
> > > the case if it weren't variadic (so don't pass a long here).
> > >
> > > However, type purity aside, that's not how things are implemented. Open is
> > > expecting an int (as is openat):
> > >
> > > int
> > > open(const char *path, int flags, ...)
> > > {
> > > 	va_list ap;
> > > 	int mode;
> > >
> > > 	if ((flags & O_CREAT) != 0) {
> > > 		va_start(ap, flags);
> > > 		mode = va_arg(ap, int);
> > > 		va_end(ap);
> > > 	} else {
> > > 		mode = 0;
> > > 	}
> > > 	return (((int (*)(int, const char *, int, ...))
> > > 	    __libc_interposing[INTERPOS_openat])(fd, path, flags, mode));
> > > }
> > >
> > > so the change, from that perspective, actually documents the interface (so
> > > isn't definitely wrong, and my guarded 'tend to agree'). So if you did
> > > change the type of mode_t, the above code might be wrong afterwards (hence
> > > my can of worms comment). And then we're passing it again through a variadic
> > > function pointer...
> > >
> > > So while POSIX says one thing, we implement something else. Should we
> > > document POSIX or what we implement?
> > I do not see how you came to this conclusion.
> >
> > > Or do we fix our implementation to
> > > match the docs? For all programs that don't pass in a 'long' or a pointer,
> > > the difference is zero, however.
> > ... on all supported architectures. On 32bit it actually does not matter even
> > for long or pointers. But this is irrelevant, because correct programs
> > must only pass mode_t as the third arg, and then our libc does the right
> > thing on all currently supported platforms. More, I do not expect that
> > this fragment would need any revisions for future architectures.
> >
> > > To be honest, though, quibbling over how it should be implemented aside, I
> > > think we should actually do the following:
> > >
> > > diff --git a/lib/libc/sys/open.2 b/lib/libc/sys/open.2
> > > index a771461e2e49..aa912b797f74 100644
> > > --- a/lib/libc/sys/open.2
> > > +++ b/lib/libc/sys/open.2
> > > @@ -61,7 +61,7 @@ In this case
> > >  and
> > >  .Fn openat
> > >  require an additional argument
> > > -.Fa "int mode" ,
> > > +.Fa "mode_t mode" ,
> > >  and the file is created with mode
> > >  .Fa mode
> > >  as described in
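Review bot: the `-.Fa "int mode" ,` / `+.Fa "mode_t mode" ,` swap in this hunk restores the POSIX type in the synopsis paragraph, which is what the reply just above argues for (callers pass a mode_t; the int promotion is the implementation's concern), so this part is right. What the paragraph still lacks is any hint that the argument is variadic and therefore not type-checked, so consider adding one sentence here, next to "require an additional argument", pointing at wherever the promotion rule is finally documented, rather than leaving the reader to find it in a later section.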
> > > @@ -615,3 +615,8 @@ permits searches.
> > >  The present implementation of the
> > >  .Fa openat
> > >  checks the current permissions of directory instead.
> > > +.Pp
> > > +The
> > > +.Fa mode
> > > +argument is varadic and may result in different calling conventions
> > > +than might otherwise be expected.
> > I do not see how this could be useful for a user trying to call open(2).
> > I think it would be much easier to understand and use if you simply mention
> > that 'on all supported arches, mode_t is promoted to int by C rules for
> > implicit conversions of arguments for variadic functions'. And perhaps
> > put it somewhere else, not in the BUGS section.
>
> I think this would be a good solution.
>
> Note that the actual ABI constraint on variadic syscalls in FreeBSD is
> that they have exactly the same calling convention as if the argument is
> explicitly declared because we have no infrastructure to handle them any
> other way. Specifically, calling a function of type:
>
> int open(const char *path, int flags, ...);
>
> with a mode_t as a variadic argument must be identical to calling a
> function of type:
>
> int open(const char *path, int flags, mode_t mode);
It is not quite true, surprisingly, on amd64. At least the ABI requires
the caller to put the number of XMM registers used for param passing into
%eax for variadic functions. I think both gcc and clang can live without
this hint in modern times.

> This isn't true with CHERI and as a result I've moved the variadic
> argument handling (except for syscall() and __syscall()) into libc.
>
> -- Brooks
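Review bot: `+argument is varadic and may result in different calling conventions` misspells "variadic", and "may result in different calling conventions than might otherwise be expected" gives a caller nothing actionable. As the reply directly under the hunk suggests, state the concrete rule instead, roughly "mode_t is promoted to int by the C default argument promotions for variadic functions, so pass a mode_t (not a long or a pointer)", and put it beside the description of the mode argument rather than appending it to the BUGS text that the `permits searches.` / `checks the current permissions of directory instead.` context belongs to.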
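The following is an added, stand-alone C example that is not part of this thread and not FreeBSD's libc; it imitates the shape of the open() wrapper quoted above to show why the callee must fetch the mode with va_arg(ap, int) even though the caller passes a mode_t. The typedef fbsd_mode_t (uint16_t, mirroring the sys/sys/_types.h definition named in the thread) and the function demo_open_mode() are inventions for the demo: instead of opening anything, demo_open_mode() returns the mode it would forward, so the promotion and the truncation can be observed on any host, including one whose native mode_t is already 32 bits wide.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>      /* O_CREAT, O_RDONLY, O_RDWR */

/* FreeBSD's mode_t is uint16_t (sys/sys/_types.h, per the thread).  A local
 * typedef keeps the demo identical on hosts where mode_t is 32 bits. */
typedef uint16_t fbsd_mode_t;

/*
 * Hypothetical stand-in for the libc open() wrapper: same parameter list,
 * same O_CREAT test, same va_arg(ap, int).  It returns the mode value that
 * would be forwarded to openat, or -1 when no mode argument is expected.
 *
 * The caller passes an fbsd_mode_t, but the C default argument promotions
 * (C11 6.5.2.2p6) widen every integer type narrower than int to int before
 * the call, so the callee must ask va_arg for an int.  va_arg(ap,
 * fbsd_mode_t) would be undefined behaviour and compilers warn about it.
 */
long demo_open_mode(const char *path, int flags, ...)
{
    va_list ap;
    int mode;   /* int, not fbsd_mode_t: the argument arrives promoted */

    (void)path;                     /* nothing is opened in this demo */
    if ((flags & O_CREAT) == 0)
        return -1;                  /* no third argument was supplied */

    va_start(ap, flags);
    mode = va_arg(ap, int);
    va_end(ap);

    /* Narrow back to the kernel's type.  A caller that wrongly passes a
     * wider int loses its high bits silently here: the variadic prototype
     * gives the compiler no way to diagnose that, which is exactly why the
     * manual should tell callers to pass a mode_t. */
    return (long)(fbsd_mode_t)mode;
}

int main(void)
{
    printf("mode_t 0644 with O_CREAT:  %lo\n",
        demo_open_mode("f", O_CREAT, (fbsd_mode_t)0644));
    printf("O_RDONLY, mode not read:   %ld\n",
        demo_open_mode("f", O_RDONLY));
    printf("int 0x101A4, high bits cut: %lo\n",
        demo_open_mode("f", O_CREAT, 0x101A4));
    return 0;
}
```

Compiled with `-Wall`, changing the va_arg type to fbsd_mode_t makes both gcc and clang warn that the argument has a promoted type, which is the compile-time check that backs the thread's point; the third printf shows the silent truncation a caller gets for passing something wider than a mode_t.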