Re: Q: why didn't GCC warn about this uninitialized variable? (was: Re: [PATCH] perf tests: initialize sa.sa_flags)

From: Jakub Jelinek
Date: Thu Mar 03 2016 - 07:55:55 EST

Next message: Alex Williamson: "[GIT PULL] VFIO fixes for v4.5-rc7"
Previous message: Romain Izard: "Re: [PATCH v1] watchdog: sama5d4_wdt: Reset delay on start"
In reply to: Joe Perches: "Re: Q: why didn't GCC warn about this uninitialized variable?"
Next in thread: Ingo Molnar: "Re: Q: why didn't GCC warn about this uninitialized variable? (was: Re: [PATCH] perf tests: initialize sa.sa_flags)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 03, 2016 at 01:19:44PM +0100, Ingo Molnar wrote:
> struct sigaction sa;
>
> ...
>
> sigfillset(&sa.sa_mask);
> sa.sa_sigaction = segfault_handler;
> sigaction(SIGSEGV, &sa, NULL);
>
> ... which uninitialized sa.sa_flags field GCC merrily accepted as proper C code,
> despite us turning on essentially _all_ GCC warnings for the perf build that exist
> under the sun:

GCC -W{,maybe-}uninitialized warning works only on SSA form, so in order to
get that warning, either it needs to be some scalar that is uninitialized,
or Scalar Replacement of Aggregates needs to be able to turn the structure
into independent scalars. Neither is the case here, as you take address of
the struct when passing its address to sigaction, and that call can't be
inlined nor is in any other way visible to the compiler, so that it could
optimize both the caller and sigaction itself at the same time.

Even if GCC added infrastructure for tracking which bits/bytes in
aggregates are or might be uninitialized at which point, generally,
struct XYZ abc;
foo (&abc);
is so common pattern that warning here that the fields are uninitialized
would have extremely high false positive ratio.
Even if as somebody mentioned that the argument is const struct sigaction *
rather than struct sigaction *, that doesn't change really anything,
you can cast away the constness and still write into it in the other
function.
Furthermore, in many APIs, only a subset of fields need to be initialized
unconditionally, and other fields might need to be initialized only
conditionally, depending on those always initialized fields, other
parameters to functions, etc.
So, in order to warn here, we'd need some assurance (new attribute on
sigaction function?) that when it is called, it has to have all named fields in
the pointed to structures initialized (perhaps attribute like nonnull, which
can either apply to all pointer arguments, or selected ones) at the entry of
the function and not initializing them all is a bug.
So, this really isn't as trivial as you might think it is.

Jakub

Next message: Alex Williamson: "[GIT PULL] VFIO fixes for v4.5-rc7"
Previous message: Romain Izard: "Re: [PATCH v1] watchdog: sama5d4_wdt: Reset delay on start"
In reply to: Joe Perches: "Re: Q: why didn't GCC warn about this uninitialized variable?"
Next in thread: Ingo Molnar: "Re: Q: why didn't GCC warn about this uninitialized variable? (was: Re: [PATCH] perf tests: initialize sa.sa_flags)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]