Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932211AbcCCOFG (ORCPT <rfc822;w@1wt.eu>);
	Thu, 3 Mar 2016 09:05:06 -0500
Received: from mail-wm0-f67.google.com ([74.125.82.67]:36191 "EHLO
	mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751002AbcCCOFD (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 3 Mar 2016 09:05:03 -0500
Date: Thu, 3 Mar 2016 15:04:59 +0100
From: Ingo Molnar <mingo@kernel.org>
To: Jakub Jelinek <jakub@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Colin King <colin.king@canonical.com>, Ingo Molnar <mingo@redhat.com>,
        linux-kernel@vger.kernel.org, Richard Henderson <rth@twiddle.net>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>
Subject: Re: Q: why didn't GCC warn about this uninitialized variable? (was:
 Re: [PATCH] perf tests: initialize sa.sa_flags)
Message-ID: <20160303140459.GA10386@gmail.com>
References: <1456923322-29697-1-git-send-email-colin.king@canonical.com>
 <20160302125901.GF6356@twins.programming.kicks-ass.net>
 <20160302130350.GO3604@kernel.org>
 <20160302132127.GG6356@twins.programming.kicks-ass.net>
 <20160302132323.GP3604@kernel.org>
 <20160303121944.GB2484@gmail.com>
 <20160303125542.GD3017@tucnak.redhat.com>
 <20160303132433.GA9460@gmail.com>
 <20160303134625.GF3017@tucnak.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160303134625.GF3017@tucnak.redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1685
Lines: 39


* Jakub Jelinek <jakub@redhat.com> wrote:

> On Thu, Mar 03, 2016 at 02:24:34PM +0100, Ingo Molnar wrote:
> > 6 hours of PeterZ time translates to quite a bit of code restructuring overhead to 
> > eliminate false positive warnings...
> 
> I'll file a bugzilla enhancement request for this (with new attribute),
> perhaps we could do it in FRE that is able to see through memory
> stores/loads even in addressable structures in some cases.
> Though, certainly GCC 7 material.

> And, in this particular case it couldn't do anything anyway, because
> the sigfillset call is not inlined, and takes address of a field in the
> structure.  The compiler can't know if it doesn't cast it back to struct
> sigaction and initialize the other fields.

That's true - but I think in the typical case it's a pretty fragile pattern to go 
outside the bounds of a on-stack structure you get passed, so I wouldn't mind a 
(default-disabled) warning for it, even if it generates false positives that have 
to be annotated for the few cases where it's a legitimate technique.

I am 99% sure that a fair number of security critical projects would migrate to 
the usage of such a warning, combined with -Werror. I'm 100% sure that perf would 
migrate to it.

> BTW, valgrind should be able to detect this.

Yes - assuming the uninitialized value gets used. Often they are in rarely used 
code and error paths, only triggered by exploits.

It would be far better if GCC allowed a (non-default) C variant that makes it 
impossible to introduce uninitialized values via on-stack variables. The 
maintenance cost of the false positives is the price paid for that (very valuable) 
guarantee.

Thanks,

	Ingo