Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932211AbcCCOFG (ORCPT ); Thu, 3 Mar 2016 09:05:06 -0500 Received: from mail-wm0-f67.google.com ([74.125.82.67]:36191 "EHLO mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751002AbcCCOFD (ORCPT ); Thu, 3 Mar 2016 09:05:03 -0500 Date: Thu, 3 Mar 2016 15:04:59 +0100 From: Ingo Molnar To: Jakub Jelinek Cc: Arnaldo Carvalho de Melo , Peter Zijlstra , Colin King , Ingo Molnar , linux-kernel@vger.kernel.org, Richard Henderson , Dan Carpenter , Linus Torvalds , Andrew Morton Subject: Re: Q: why didn't GCC warn about this uninitialized variable? (was: Re: [PATCH] perf tests: initialize sa.sa_flags) Message-ID: <20160303140459.GA10386@gmail.com> References: <1456923322-29697-1-git-send-email-colin.king@canonical.com> <20160302125901.GF6356@twins.programming.kicks-ass.net> <20160302130350.GO3604@kernel.org> <20160302132127.GG6356@twins.programming.kicks-ass.net> <20160302132323.GP3604@kernel.org> <20160303121944.GB2484@gmail.com> <20160303125542.GD3017@tucnak.redhat.com> <20160303132433.GA9460@gmail.com> <20160303134625.GF3017@tucnak.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160303134625.GF3017@tucnak.redhat.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1685 Lines: 39 * Jakub Jelinek wrote: > On Thu, Mar 03, 2016 at 02:24:34PM +0100, Ingo Molnar wrote: > > 6 hours of PeterZ time translates to quite a bit of code restructuring overhead to > > eliminate false positive warnings... > > I'll file a bugzilla enhancement request for this (with new attribute), > perhaps we could do it in FRE that is able to see through memory > stores/loads even in addressable structures in some cases. > Though, certainly GCC 7 material. > And, in this particular case it couldn't do anything anyway, because > the sigfillset call is not inlined, and takes address of a field in the > structure. The compiler can't know if it doesn't cast it back to struct > sigaction and initialize the other fields. That's true - but I think in the typical case it's a pretty fragile pattern to go outside the bounds of a on-stack structure you get passed, so I wouldn't mind a (default-disabled) warning for it, even if it generates false positives that have to be annotated for the few cases where it's a legitimate technique. I am 99% sure that a fair number of security critical projects would migrate to the usage of such a warning, combined with -Werror. I'm 100% sure that perf would migrate to it. > BTW, valgrind should be able to detect this. Yes - assuming the uninitialized value gets used. Often they are in rarely used code and error paths, only triggered by exploits. It would be far better if GCC allowed a (non-default) C variant that makes it impossible to introduce uninitialized values via on-stack variables. The maintenance cost of the false positives is the price paid for that (very valuable) guarantee. Thanks, Ingo