From owner-svn-src-all@FreeBSD.ORG Fri Feb 13 13:55:36 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 250F5B43; Fri, 13 Feb 2015 13:55:36 +0000 (UTC) Received: from mail105.syd.optusnet.com.au (mail105.syd.optusnet.com.au [211.29.132.249]) by mx1.freebsd.org (Postfix) with ESMTP id D692B217; Fri, 13 Feb 2015 13:55:35 +0000 (UTC) Received: from c211-30-166-197.carlnfd1.nsw.optusnet.com.au (c211-30-166-197.carlnfd1.nsw.optusnet.com.au [211.30.166.197]) by mail105.syd.optusnet.com.au (Postfix) with ESMTPS id 5DA8D1047985; Sat, 14 Feb 2015 00:55:31 +1100 (AEDT) Date: Sat, 14 Feb 2015 00:55:31 +1100 (EST) From: Bruce Evans X-X-Sender: bde@besplex.bde.org To: Andrey Chernov Subject: Re: svn commit: r278634 - head/lib/libc/gen In-Reply-To: <54DDABF2.9000201@freebsd.org> Message-ID: <20150214000829.K2210@besplex.bde.org> References: <201502122107.t1CL7gaO004041@svn.freebsd.org> <54DD2A87.2050008@FreeBSD.org> <9A683D99-C1E9-4736-982C-69F583D3A40D@FreeBSD.org> <20150213172738.C1007@besplex.bde.org> <54DDABF2.9000201@freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Optus-CM-Score: 0 X-Optus-CM-Analysis: v=2.1 cv=A5NVYcmG c=1 sm=1 tr=0 a=KA6XNC2GZCFrdESI5ZmdjQ==:117 a=PO7r1zJSAAAA:8 a=kj9zAlcOel0A:10 a=JzwRw_2MAAAA:8 a=tmheVFKbtrcjo9yeMgsA:9 a=CjuIK1q_8ugA:10 Cc: src-committers@freebsd.org, Pedro Giffuni , svn-src-all@freebsd.org, "Bjoern A. Zeeb" , Bruce Evans , svn-src-head@freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Feb 2015 13:55:36 -0000 On Fri, 13 Feb 2015, Andrey Chernov wrote: > On 13.02.2015 10:18, Bruce Evans wrote: >> if (arg > RLIM_INFINITY) >> err(...); > > Checking for RLIM_INFINITY is wrong here, since it is ulong long max, No, it is correct. rlim_t is neither unsigned not specificially ulong long. It is int64_t, which happens to be long long on some arches. I already explained that this doesn't conform to POSIX. More details: - POSIX reqires rlim_t to be an unsigned type. This would be uint64_t in FreeBSD if FreeBSD conformed. - POSIX doesn't seem to specify the type of RLIM_INFINITY. It may be much smaller than the max for the type, so its natural type might be smaller. FreeBSD uses the max for the type, then casts the value to the type. The cast does little or nothing except to break use of RLIM_INFINITY in cpp arithmetic. This is exactly what is not wanted here -- fixing the problem miight need #if expressions to comparing RLIM_INFINITY with LONG_MAX. - FreeBSD also doesn't implement POSIX's RLIM_SAVED_MAX and RLIM_SAVED_CUR. These are for handling unrepresentable values, and might be the best way to handle the unrepresentable values that can be asked for by ulimit(3) even more easily than by setrlimit(2). Note that POSIX allows almost any handling for unrepresentable values in ulimit(3). The values can be mapped to any garbage and returned. The attempted fixes are mainly to return the same garbage that is mapped to. > considering > arg = va_arg(ap, long); > and ulimit(3) stating that arg is always plain long. This is a broken as designed API, since long is logically different from rlim_t, and ulimit()'s ulimits are 512-blocks while rlim_t's units are bytes, so a scale factor is needed and there would be representability problems even if the types were the same. This gives unrepresentable values in 3 ways: - on amd64, the types are the same. LONG_MAX in 512-blocks is 512 too large to represent in bytes. But RLIM_INFINITY in bytes is easy to represent in 512-blocks. - on amd64, the garbage arg LONG_MIN in 512-blocks is also 512 times too large (in absolute value) to represent in bytes. So large negative values need special handling to preserve their garbageness until this can be classified. (Early versions of the fixed tried to push this to setrlimit(), since ulimit()'s bad API enourages converting garbage to garbage like setrlimit() will do instead of returning an error. I also want the handling of large negative garbage args to be not too different from the handling of small negative garbage args.) - on i386, rlim_t is larger. RLIM_INFINITY in bytes 2**23 times too large to represent in 512-blocks. (This case was already handled correctly.) > Proper check will be > > if (arg < 0) { > errno = EINVAL; > return (-1); > } No, this takes more code, and gives error handling that is not supported by ulimit(3). EINVAL for ulimit(3) is only specified or documented to mean that the command (the first arg) was invalid). > if (arg > LONG_MAX / 512) > arg = LONG_MAX / 512; This is wrong, since arg > LONG_MAX is not an error when rlim_t is much larger than long (as on amd64). Breaking this would break getting and setting the default limit of RLIM_INFINITY. This is already broken on i386 and slightly broken on amd64: - "get" using ulimit(3) cannot return RLIM_INFINITY since RLIM_INFINITY is not a multiple of 512. Rounding down is specified to occur, and does occur. Then: - on amd64, RLIM_INFINITY / 512 is returned - on i386, RLIM_INFINITY / 512 is unrepresentable as a long. The return value is explicitly unspecified. It can be any undocumented garbage. FreeBSD returns the undocumented clamped value LONG_MAX. - "set" of the value returned by "get" cannot restore the original value: - on amd64, it sets the value to RLIM_INFINITY / 512 * 512 = RLIM_INFINITY rounded down to a multiple of 512 - on i386, it sets the value to LONG_MAX * 512. This is about 2**23 times smaller than the original value. > That all. In pure theoretical case RLIM_INFINITY is less than LONG_MAX, > it is job of underlying setrlimit(2) to return error. No, this cannot be handled by setrlimit(2), since the LONG_MAX cannot even be passed to setrlimit() then (if RLIM_INFINITY is the max for its type and not artificially low). This case occurs in practice (except ulimit(3) should never be used, and its only known "users" are Coverity and programmers finding and fixing bugs in it. My (arg > RLIM_INFINITY) check is simplified to show a general problem with range checking. For ulimit(), we actually need to check (arg * 512 > RLIM_INFINITY), except we write this as arg > RLIM_INFINITY since the multiplication might overflow. The multiplication does overflow on amd64 when arg == LONG_MAX. The overflow case is precisely when we cannot pass the scaled arg to setrlimit(2). Bruce