From owner-freebsd-standards@freebsd.org Sun Feb 25 01:28:50 2018
Date: Sun, 25 Feb 2018 12:28:37 +1100 (EST)
From: Bruce Evans <brde@optusnet.com.au>
To: Warner Losh
cc: "Conrad E. Meyer", FreeBSD Standards, FreeBSD Hackers
Subject: Re: Marking select(2) as restrict
Message-ID: <20180225112627.B976@besplex.bde.org>
References: <20180221032247.GA81670@ns.kevlo.org> <20180221104400.GU94212@kib.kiev.ua> <23181.46427.671514.319710@khavrinen.csail.mit.edu> <20180221185920.GA94212@kib.kiev.ua> <23181.50488.186767.579361@khavrinen.csail.mit.edu> <20180221201002.GC94212@kib.kiev.ua> <23181.54825.511195.393054@khavrinen.csail.mit.edu> <20180222212746.GB58772@stack.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
List-Id: Standards compliance
On Sat, 24 Feb 2018, Warner Losh wrote:

> On Sat, Feb 24, 2018 at 11:55 AM, Conrad Meyer wrote:
>
>> On Sat, Feb 24, 2018 at 10:35 AM, Eitan Adler wrote:
>>> After this entire thread here is the summary. If I've misrepresented
>>> you here please let me know.
>>> ...
>>>
>>> kib@ - no benefit; concerned fallout could be hard to observe
>>> cem@ - concerned about warnings
>>
>> Consider me a +1 to kib@. I did not voice those concerns explicitly
>> in earlier email because kib did already and I didn't anticipate you
>> would ignore him.
>
> So there's no benefit to the change (we won't optimize better). It's hard
> to observe breakage. No answer about how we'd even know if something broke
> because an exp run sure as hell isn't going to tell us.
>
> All that militates against the change rather strongly. Your exp run will
> change no minds because it is useless.

Why not remove restrict from other APIs to be consistent with select()?
It might break their callers just as much.

Start with pselect(). sigaction() is interesting too. Without restrict
for sigaction(), there is nothing (in old FreeBSD man pages) to prevent
callers passing the same pointer for 'act' and 'oact'. This might be a
good hack. 'act' is const, but will be overwritten on copyout if it is
the same as 'oact'. The kernel could reasonably copyout to 'oact' before
reading 'act'. This clobbers the input arg.

I grepped all man pages in libc/sys for APIs taking 2 pointer args and
not having restrict:

_umtx_op()
abort2()
adjtime()
aio_suspend()
aio_waitcomplete()
clock_nanosleep(), nanosleep() (most interesting. One pointer arg is
    const. It is unclear if that prevents aliasing, but the API is
    similar to that of sigaction() and POSIX added restrict for the
    latter only)
execve()
extattr_*() (at least 8 functions in man page with too many functions)
fexecve()
fhopen()
fhstat()
fhstatfs()
fstatat()
futimensat()
getdirentries()
getfh()
getresgid()
getresuid()
gettimeofday()
kenv()
kevent()
lgetfh()
link()
linkat()
lio_listio()
mincore()
mount()
mq_receive()
mq_timedreceive()
mq_timedsend()
ppoll() (this obfuscates its first pointer arg using [] instead of *,
    and is missing restrict for that arg only. ppoll() is similar to
    pselect() except for these bugs)
quotactl()
rctl_*() (all 5 functions in another unsplit man page)
rename()
renameat()
sctp_generic_recvmsg()
sctp_generic_sendmsg()
sctp_generic_sendmsg_iov()
select()
settimeofday()
setitimer() (like select(). Fixed in POSIX in 2001, but not in FreeBSD)
sendfile()
sendto()
statfs()
symlink()
symlinkat()
utimensat()

These are mostly BSD APIs. POSIX fixed almost all of the POSIX APIs in
2001. In a few cases like readlink(), there is no problem since all of
the pointer args are const. Almost all of the POSIX APIs in the above
list are of this type. In a few cases like statfs(), there is probably
no problem because the pointer arg types are different and none of them
is void *. In statfs(), one of them is also const. Most other cases are
broken. E.g., POSIX added restrict to recvmsg() and sendmsg() in 2001,
but the related newer sctp APIs haven't caught up with this yet. Most
FreeBSD timer APIs are missing restrict even when they are also in POSIX
and not missing restrict there.

sendmmsg() only has 1 pointer arg, but this is input-output which causes
similar problems. It is declared as restrict. I don't know if that fixes
the problems (the constraint on the implementation's ordering and
restrict in the API doesn't give that AFAIK).

Bruce
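As an added illustration of the aliasing hazard Bruce describes for sigaction() (this is example code written for this page, not code from the thread or from FreeBSD), the toy below models an implementation that takes an input pointer and an output pointer. The names toy_sigaction, toy_sigaction_out_then_in, toy_sigaction_in_then_out and run_aliased are assumptions made for the example, and the struct is a constructed stand-in for struct sigaction. Neither prototype carries restrict, so calling with act == oact is well defined and the two implementation orderings can be compared directly: writing the old value out before reading the new value in clobbers the caller's input, while snapshotting the input first tolerates aliasing. Had the prototype been declared with restrict, the same aliased call would be undefined behaviour and the compiler could assume the pointers do not overlap, which is why the qualifier matters to callers and not only to the implementation's ordering.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for struct sigaction: just enough state to show
 * the in/out aliasing hazard. Field values are arbitrary ids. */
struct toy_sigaction {
    int sa_handler;   /* hypothetical: stands in for the handler pointer */
    int sa_flags;
};

/* The "kernel's" currently installed action. */
static struct toy_sigaction current_action = { 1, 0 };

/* Ordering Bruce calls reasonable for an implementation: copy the old
 * action out first, then copy the new action in. Correct when act and
 * oact do not overlap (what restrict would promise); when they alias,
 * the copyout overwrites the caller's input before it is read. */
int toy_sigaction_out_then_in(const struct toy_sigaction *act,
                              struct toy_sigaction *oact)
{
    if (oact != NULL)
        *oact = current_action;       /* "copyout" old action */
    if (act != NULL)
        current_action = *act;        /* "copyin" new action: clobbered if act == oact */
    return 0;
}

/* Alias-tolerant ordering: snapshot the input before writing any output,
 * so the result does not depend on whether the two pointers overlap. */
int toy_sigaction_in_then_out(const struct toy_sigaction *act,
                              struct toy_sigaction *oact)
{
    struct toy_sigaction new_action;
    int have_new = (act != NULL);

    if (have_new)
        new_action = *act;            /* read input first */
    if (oact != NULL)
        *oact = current_action;       /* now safe to write output */
    if (have_new)
        current_action = new_action;
    return 0;
}

/* Reset the "kernel" state, call impl with the same pointer for act and
 * oact (the call the thread says nothing prevents), and report which
 * handler id ended up installed. */
int run_aliased(int (*impl)(const struct toy_sigaction *,
                            struct toy_sigaction *),
                int wanted)
{
    struct toy_sigaction sa = { wanted, 0 };

    current_action.sa_handler = 1;
    current_action.sa_flags = 0;
    impl(&sa, &sa);                   /* act and oact alias */
    return current_action.sa_handler;
}

int main(void)
{
    printf("out-then-in, aliased: installed handler %d (wanted 42)\n",
           run_aliased(toy_sigaction_out_then_in, 42));
    printf("in-then-out, aliased: installed handler %d (wanted 42)\n",
           run_aliased(toy_sigaction_in_then_out, 42));
    return 0;
}
```

Build with any C compiler (for example `cc -Wall -o alias alias.c && ./alias`). The first line reports that the stale handler 1 stayed installed because the input was overwritten, the second that 42 was installed as requested. The design point is the one the thread circles around: an interface can either promise no overlap (restrict) and push the obligation onto callers, or order its reads before its writes and tolerate overlap; leaving the prototype without restrict while the implementation assumes no overlap gives callers neither.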