Date:      Sun, 25 Feb 2018 12:28:37 +1100 (EST)
From:      Bruce Evans <brde@optusnet.com.au>
To:        Warner Losh <imp@bsdimp.com>
Cc:        "Conrad E. Meyer" <cem@freebsd.org>,  FreeBSD Standards <freebsd-standards@freebsd.org>,  FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Marking select(2) as restrict
Message-ID:  <20180225112627.B976@besplex.bde.org>
In-Reply-To: <CANCZdfpmB2KEfORKhsC9=AK0KP2z2_A=LC0YeZrFZv-8MEgT=g@mail.gmail.com>
References:  <20180221032247.GA81670@ns.kevlo.org> <CAF6rxg=WwqeBnmJzfOZgtwrYesXPfvJFeaVmQwtTa_89_sxaJg@mail.gmail.com> <CANCZdfo46bhfaRpbqOmJjk4+=1R2c5kvmrJPENaxNgK==5M4kg@mail.gmail.com> <CAF6rxg=wNVgDUF9o744ngmzPNeHB3hqdrLufy=yS3D4osczxFQ@mail.gmail.com> <20180221104400.GU94212@kib.kiev.ua> <23181.46427.671514.319710@khavrinen.csail.mit.edu> <20180221185920.GA94212@kib.kiev.ua> <23181.50488.186767.579361@khavrinen.csail.mit.edu> <20180221201002.GC94212@kib.kiev.ua> <23181.54825.511195.393054@khavrinen.csail.mit.edu> <20180222212746.GB58772@stack.nl> <CAF6rxgkW=Fgh4+1-aJG=VUCYso9gcKnER17UOiBy8GtTMsJNYQ@mail.gmail.com> <CAF6rxg=-nBz8caa1Wn1Labn3DydpEO6B8W9PaLhNKYFwGvuZxw@mail.gmail.com> <CAG6CVpV-YBfGsh5zDRuB7N43N4FW5X69BDyi_XF21fs7tOr5JQ@mail.gmail.com> <CANCZdfpmB2KEfORKhsC9=AK0KP2z2_A=LC0YeZrFZv-8MEgT=g@mail.gmail.com>

On Sat, 24 Feb 2018, Warner Losh wrote:

> On Sat, Feb 24, 2018 at 11:55 AM, Conrad Meyer <cem@freebsd.org> wrote:
>
>> On Sat, Feb 24, 2018 at 10:35 AM, Eitan Adler <lists@eitanadler.com>
>> wrote:
>>> After this entire thread here is the summary. If I've misrepresented
>>> you here please let me know.
>>> ...
>>>
>>> kib@ - no benefit; concerned fallout could be hard to observe
>>> cem@ - concerned about warnings
>>
>> Consider me a +1 to kib@.  I did not voice those concerns explicitly
>> in earlier email because kib did already and I didn't anticipate you
>> would ignore him.
>
> So there's no benefit to the change (we won't optimize better). It's hard
> to observe breakage. No answer about how we'd even know if something broke
> because an exp run sure as hell isn't going to tell us.
>
> All that militates against the change rather strongly. Your exp run will
> change no minds because it is useless.

Why not remove restrict from other APIs to be consistent with select()?  It
might break their callers just as much.  Start with pselect().  sigaction()
is interesting too.  Without restrict for sigaction(), there is nothing (in
old FreeBSD man pages) to prevent callers passing the same pointer for 'act'
and 'oact'.  This might be a good hack.  'act' is const, but will be
overwritten on copyout if it is the same as 'oact'.  The kernel could
reasonably copyout to 'oact' before reading 'act'.  This clobbers the input
arg.

I grepped all man pages in libc/sys for APIs taking 2 pointer args and not
having restrict:

     _umtx_op()
     abort2()
     adjtime()
     aio_suspend()
     aio_waitcomplete()
     clock_nanosleep(), nanosleep() (most interesting.  One pointer arg is
       const.  It is unclear if that prevents aliasing, but the API is
       similar to that of sigaction() and POSIX added restrict for the
       latter only)
     execve()
     extattr_*() (at least 8 functions in man page with too many functions)
     fexecve()
     fhopen()
     fhstat()
     fhstatfs()
     fstatat()
     futimensat()
     getdirentries()
     getfh()
     getresgid()
     getresuid()
     gettimeofday()
     kenv()
     kevent()
     lgetfh()
     link()
     linkat()
     lio_listio()
     mincore()
     mount()
     mq_receive()
     mq_timedreceive()
     mq_timedsend()
     ppoll() (this obfuscates its first pointer arg using [] instead of *,
       and is missing restrict for that arg only.  ppoll() is similar to
       pselect() except for these bugs)
     quotactl()
     rctl_*() (all 5 functions in another unsplit man page)
     rename()
     renameat()
     sctp_generic_recvmsg()
     sctp_generic_sendmsg()
     sctp_generic_sendmsg_iov()
     select()
     settimeofday()
     setitimer() (like select().  Fixed in POSIX in 2001, but not in FreeBSD)
     sendfile()
     sendto()
     statfs()
     symlink()
     symlinkat()
     utimensat()

These are mostly BSD APIs.  POSIX fixed almost all of the POSIX APIs in
2001.

In a few cases like readlink(), there is no problem since all of the
pointer args are const.  Almost all of the POSIX APIs in the above list
are of this type.

In a few cases like statfs(), there is probably no problem because the
pointer arg types are different and none of them is void *.  In statfs(),
one of them is also const.

Most other cases are broken.  E.g., POSIX added restrict to recvmsg() and
sendmsg() in 2001, but the related newer sctp APIs haven't caught up with
this yet.  Most FreeBSD timer APIs are missing restrict even when they
are also in POSIX and not missing restrict there.

sendmmsg() only has 1 pointer arg, but this is input-output which causes
similar problems.  It is declared as restrict.  I don't know if that fixes
the problems (the constraint on the implementation's ordering and restrict
in the API doesn't give that AFAIK).

Bruce
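To make the sigaction() ordering hazard described above concrete, here is an added example (not from this email or from FreeBSD's sources) that models the two possible kernel orderings in user space; a constructed `struct action` with an int stands in for `struct sigaction` and its handler, and `current` stands in for the kernel's installed action.

```c
#include <stddef.h>

/* Constructed stand-in for struct sigaction; an int replaces sa_handler. */
struct action {
    int handler;
    int flags;
};

/* The "kernel's" currently installed action for one signal. */
static struct action current = { 1, 0 };

/* The ordering the text says a kernel could reasonably use: copy the old
 * action out to *oact before reading *act.  Written without restrict so the
 * statement order is exactly what executes; copyout/copyin in a kernel are
 * separate steps, so this is the order a caller would observe. */
int install_oact_first(const struct action *act, struct action *oact)
{
    if (oact != NULL)
        *oact = current;        /* copyout old action first ... */
    if (act != NULL)
        current = *act;         /* ... then read act, clobbered if act == oact */
    return 0;
}

/* Ordering that tolerates act == oact: consume the input into a local
 * copy before anything is written back through oact. */
int install_act_first(const struct action *act, struct action *oact)
{
    struct action new_act;
    int have_new = (act != NULL);
    if (have_new)
        new_act = *act;         /* read input before any copyout */
    if (oact != NULL)
        *oact = current;
    if (have_new)
        current = new_act;
    return 0;
}

/* Caller passes one object as both act and oact, which a restrict-free
 * prototype does not forbid.  Returns the handler left installed:
 * 1 means the caller's input (7) was clobbered, 7 means it was honoured. */
int installed_after_aliased_call(int (*install)(const struct action *,
                                                struct action *))
{
    struct action same = { 7, 0 };
    current = (struct action){ 1, 0 };  /* start with handler 1 installed */
    install(&same, &same);
    return current.handler;
}

/* Same aliased call with the safe ordering; returns the old handler the
 * caller gets back through oact, which should still be the previous 1. */
int reported_old_after_safe_aliased_call(void)
{
    struct action same = { 7, 0 };
    current = (struct action){ 1, 0 };
    install_act_first(&same, &same);
    return same.handler;
}
```

The first ordering silently re-installs the old action, which is exactly the clobbered-input case the message describes; a restrict-qualified prototype would make the aliased call the caller's error instead.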



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180225112627.B976>