From: Peng Haitao <penght-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
To: Carlos O'Donell <carlos-v2tUB8YBRSi3e3T8WW9gsA@public.gmane.org>,
"Michael Kerrisk (man-pages)"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Alexandre Oliva <aoliva-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Torvald Riegel <triegel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: Differences between man-pages and libc manual safety markings
Date: Tue, 21 Oct 2014 16:53:42 +0800 [thread overview]
Message-ID: <54461F16.2080705@cn.fujitsu.com> (raw)
In-Reply-To: <CAE2sS1jbGRT4uvBBVAPJkX2Mi4gHG=ii_G713MHhQzyGxO4yyw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On 10/20/2014 11:47 PM, Carlos O'Donell wrote:
> On Fri, Oct 17, 2014 at 9:26 AM, Michael Kerrisk (man-pages)
> <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> I was comparing some of the MT-Safety markings in man-pages versus the glibc
>> manual (https://www.gnu.org/software/libc/manual/html_mono/libc.html)
>> I found four cases that seem to contradict. Are there errors in either
>> the man pages or in the glibc manual?
>
> What's missing here is detailed analysis notes.
>
> In glibc we added the detailed notes into the comments, and Alex did a
> great job maintaining those.
>
> Peng, if you have detailed notes, please provide them so we can
> compare to glibc's notes.
>
>> ==
>> ctermid.3 MT-Unsafe race:ctermid/!s
>> glibc: MT-Safe
>>
>> man-pages and glibc manual disagree (man-pages seems to be more
>> precise than glibc).
>
> IMO, Alex's original marking is correct.
>
POSIX said:
The ctermid() function need not be thread-safe if called with a NULL parameter.
The tmpnam() function need not be thread-safe if called with a NULL parameter.
In glibc manual,
tmpnam() is "MT-Unsafe race:tmpnam/!result"
ctermid() is "MT-Safe"
The code of tmpnam() is:
===
static char tmpnam_buffer[L_tmpnam];
char *tmpnam (char *s)
{
char tmpbufmem[L_tmpnam];
char *tmpbuf = s ?: tmpbufmem;
if (__builtin_expect (__path_search (tmpbuf, L_tmpnam, NULL, NULL, 0), 0))
return NULL;
if (__glibc_unlikely (__gen_tempname (tmpbuf, 0, 0, __GT_NOCREATE)))
return NULL;
if (s == NULL)
return (char *) memcpy (tmpnam_buffer, tmpbuf, L_tmpnam);
return s;
}
===
The codes of ctermid() and cuserid() are similar to tmpnam(),
so I think
ctermid() should be "MT-Unsafe race:ctermid/!s".
cuserid() should be "MT-Unsafe race:cuserid/!string locale".
Thanks.
--
Best Regards,
Peng
> The code in question is a POSIX stub:
> ===
> char *
> ctermid (s)
> char *s;
> {
> static char name[L_ctermid];
>
> if (s == NULL)
> s = name;
>
> return strcpy (s, "/dev/tty");
> }
> ===
>
> Threads could race to set `s` to point to `name` and it would be fine.
>
> Similarly threads could race to write to characters in `s` and it
> would also be fine.
>
> They all copy the same thing into the destination buffer.
>
> It is only unsafe if you can prove the intermediate results of a
> pointer copy or strcpy change bytes in the destination string in ways
> that make it invalid during the copying.
>
> Lastly, note that because `s` is not an opaque type, and the user
> controls it, and we never mark a function unsafe if it's a user
> controlled buffer. We expect the user to manage that buffer, otherwise
> tons of functions become unsafe.
>
>> ==
>> getcwd.3 MT-Safe env
>> glibc: MT-Safe
>>
>> man-pages and glibc manual disagree on "env" (man-pages seems
>> to be more precise than glibc).
>
> In this particular case I again think glibc's notation is correct. I
> don't see why `env` is involved in getcwd. Please provide more
> detailed rationale.
>
>> ==
>> getlogin.3 MT-Unsafe race:cuserid/!string locale
>> glibc: MT-Unsafe race:getlogin race:utent sig:ALRM timer locale
>>
>> man-pages and glibc manual disagree on "race:cuserid/!string" versus
>> "race:getlogin"
>
> Peng or others needs to provide more detailed rationale for why they
> arrived at this result.
>
>> ==
>> regex.3 MT-Safe env
>> glibc: MT-Safe locale
>>
>> man-pages and glibc manual disagree on "env" versus "locale"
>
> All of the functions in regex touch locales, and therefore we mark
> this function `MT-Safe locale` because the `locale` annotations are
> defined as being useful to note that MT-Safety is at risk if locale is
> modified. Again, functions that modify locales are marked MT-Unsafe
> const:locale to indicate that using them would break these functions.
>
> Why is this marked `env`? Is it because the initialization of the
> localization information might depend on the environment settings for
> the locale? If you can prove that then it might be `MT-Safe env
> locale`, but I the initialization is done via setlocale() and
> therefore that function has the appropriate markings (not this one).
>
> Cheers,
> Carlos.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-man" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> .
>
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2014-10-21 8:53 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-17 13:26 Differences between man-pages and libc manual safety markings Michael Kerrisk (man-pages)
[not found] ` <544118FA.3070003-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-10-20 15:47 ` Carlos O'Donell
[not found] ` <CAE2sS1jbGRT4uvBBVAPJkX2Mi4gHG=ii_G713MHhQzyGxO4yyw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-10-21 8:53 ` Peng Haitao [this message]
[not found] ` <54461F16.2080705-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2014-10-23 6:16 ` Alexandre Oliva
[not found] ` <oroat3wbsl.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-10-23 9:29 ` Torvald Riegel
[not found] ` <1414056576.8483.79.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-10-24 11:48 ` Alexandre Oliva
[not found] ` <or38adofh9.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-10-24 12:12 ` Torvald Riegel
[not found] ` <1414152747.18538.26.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-10-24 16:31 ` Alexandre Oliva
[not found] ` <orioj9bfaa.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-10-24 19:15 ` Torvald Riegel
[not found] ` <1414178101.18538.53.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-10-30 18:24 ` Alexandre Oliva
[not found] ` <orbnottnzb.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-10-30 19:01 ` Torvald Riegel
[not found] ` <1414695671.10085.180.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-01 8:48 ` Alexandre Oliva
[not found] ` <ora94b8fxl.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-11-01 10:47 ` Torvald Riegel
[not found] ` <1414838867.10085.431.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-01 18:32 ` Alexandre Oliva
[not found] ` <orwq7e22n2.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-11-01 18:58 ` Torvald Riegel
[not found] ` <1414868298.10085.488.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-03 5:13 ` Alexandre Oliva
[not found] ` <or4mug27f7.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-11-03 16:10 ` Torvald Riegel
[not found] ` <1415031006.4531.44.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-04 0:18 ` Alexandre Oliva
2014-10-27 20:46 ` Mark Thompson
[not found] ` <544EAF20.8050509-W77v16wj1OVeoWH0uzbU5w@public.gmane.org>
2014-10-29 8:55 ` Alexandre Oliva
[not found] ` <ork33jqmqe.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-10-29 9:12 ` Torvald Riegel
[not found] ` <1414573935.18538.74.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-10-30 18:00 ` Alexandre Oliva
[not found] ` <orfve5tp3e.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-10-30 18:41 ` Torvald Riegel
[not found] ` <1414694486.10085.165.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-01 8:24 ` Alexandre Oliva
[not found] ` <oregtn8h23.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-11-01 12:40 ` Torvald Riegel
[not found] ` <1414845631.10085.474.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-01 18:22 ` Alexandre Oliva
[not found] ` <or1tpm3hn5.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-11-01 19:54 ` Torvald Riegel
[not found] ` <1414871691.10085.529.camel-I2ZjUw8blINjztcc/or7kQ@public.gmane.org>
2014-11-03 5:43 ` Alexandre Oliva
[not found] ` <orzjc8zvn6.fsf-pcXFJVXz+5uzQB+pC5nmwQ@public.gmane.org>
2014-11-03 13:07 ` Mark Thompson
[not found] ` <54577E17.7000109-W77v16wj1OVeoWH0uzbU5w@public.gmane.org>
2014-11-19 0:26 ` Alexandre Oliva
2014-11-03 15:55 ` Torvald Riegel
2014-10-24 12:14 ` Torvald Riegel
2014-10-21 8:31 ` Peng Haitao
2015-01-07 6:12 ` Michael Kerrisk (man-pages)
2015-01-07 6:16 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54461F16.2080705@cn.fujitsu.com \
--to=penght-bthxqxjhjhxqfuhtdcdx3a@public.gmane.org \
--cc=aoliva-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=carlos-v2tUB8YBRSi3e3T8WW9gsA@public.gmane.org \
--cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=triegel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).