svn commit: r330602 - head/sys/compat/cloudabi

Bruce Evans brde at optusnet.com.au
Wed Mar 7 20:42:46 UTC 2018


On Wed, 7 Mar 2018, Benjamin Kaduk wrote:

> On Wed, Mar 7, 2018 at 9:44 AM, Ed Maste <emaste at freebsd.org> wrote:
>
>> On 7 March 2018 at 09:47, Eitan Adler <eadler at freebsd.org> wrote:
>>> ...
>>> Log:
>>>   sys/cloudabi: Avoid relying on GNU specific extensions
>>>
>>>   An empty initializer list is not technically valid C grammar.
>>>
>>>   MFC After:    1 week
>>>
>>> -       cloudabi_fdstat_t fsb = {};
>>> +       cloudabi_fdstat_t fsb = {0};
>>
>> In practice it appears initializing via { 0 } also zeros any padding
>> in the struct, but I do not believe it's required by the C standard.
>> Perhaps a language lawyer can weigh in?
>>
>> Commenting on this commit just because it's highlighted by this
>> change; I do not believe there's a difference between the GNU
>> extension { } and { 0 } here.

It is also a style bug to initialize variables in declarations.

It is interesting that this style bug gives other bugs that are more
serious than when the style rule was new:
- locking is often needed before complicated initializations.  It would
   be an even larger style bug to write the lock acquisition in initializers,
   and C doesn't have finalizers so it is impossible to obfuscate the lock
   release by writing it in finalizers
- this problem of initializing padding.

Auto initializers also used to be good for pessimizations.  Use them instead
of static initializers for constant values.  This asks the compiler to
initialize them on every entry to the function.  It was a typical
implementation to keep the values in an unnamed static object and copy this
to the stack at runtime.  Now compilers are more likely to optimize away
the copying, so the pessimization doesn't work so well.  Copying from a
static object tends to give zero padding, but optimizated variants should
only give zero padding if that is optimal.


> The C spec says that if an incomplete initializer is given, then all other
> fields
> of the structure are initialized to zero.  The state of padding is
> unspecified,
> whether a complete or incomplete initializer is given.

This seems to apply to static objects too.  So initializing dynamic objects
by copying them from static objects is insecure even if you copy using
memcpy() (copying using struct assignment might skip the padding so
shouldn't be used).  A malicious compiler could initialize the padding with
security-related info.  non-malicious compiler might initialize the padding
with stack garbage that happens to be security-related.

Bruce


More information about the svn-src-all mailing list