On Tue, Nov 08, 2022 at 07:15:39AM -0700, Jonathan Leffler via tz <tz@iana.org> wrote:

This makes a copy of the `const struct tm` that is the argument to strftime(), and passes that copy to mktime(), which reads a few fields and sets most fields. But since it is working on a copy of the argument to strftime(), I don't see a problem. Can you elaborate?

The argument is that some fields might have a trap representation, so copying the whole struct might not be safe. -- Marc Lehmann

On 11/8/22 06:28, Clive D.W. Feather via tz wrote:

You could replace the assignment by a memcpy. Assignment via unsigned chars (which is what memcpy does) are exempt from the undefined behaviour.

As I understand it, that exemption is for using memcpy to copy a trap representation. There's no similar exemption for using memcpy to copy uninitialized data; for example, the following function has undefined behavior: int y; void f(void) { int x; memcpy(&y, &x, sizeof y); } If I'm right, we can't get by simply by replacing the assignment with memcpy.

On 2022-11-08 23:02, Clive D.W. Feather wrote:

You're wrong, pure and simple. There's no such thing as uninitialized data in that sense.

OK, thanks, I stand corrected. However, the C standard is (dare i say it) *peculiar* in this area. And because some implementations don't follow this part of the standard, it's safer to avoid using memcpy on uninitialized data. For example, see the following behavior observed on Fedora 36 x86-64. Although the C standard says this program is OK, Valgrind says it's not. Because Valgrind's interpretation is more likely to be useful in practice (in that it's more likely to catch real bugs, something that's more important than exploiting this peculiarity of the standard), tzcode should be portable to Valgrind and should avoid using memcpy on uninitialized data. $ cat t.c #include <string.h> int x; int main (void) { int y; memcpy (&x, &y, sizeof x); return x ? 27 : 49; } $ gcc t.c $ valgrind ./a.out ==9532== Memcheck, a memory error detector ==9532== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==9532== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info ==9532== Command: ./a.out ==9532== ==9532== Conditional jump or move depends on uninitialised value(s) ==9532== at 0x40111B: main (in /home/eggert/junk/a.out) ...

I'm not sure what the standard says about struct copies, but I know that most compilers do struct copies by just copying the raw bytes for the size of the structure, and don't copy each field using the type of the field. so replacing the struct copy with a memcpy would not make a functional difference. John On 11/9/2022 12:25 PM, Tom Lane via tz wrote:

Paul Eggert via tz <tz@iana.org> writes:

...

For example, see the following behavior observed on Fedora 36 x86-64. Although the C standard says this program is OK, Valgrind says it's not. int main (void) { int y; memcpy (&x, &y, sizeof x); return x ? 27 : 49; } I think you are misinterpreting what Valgrind does, too. It does not complain about that memcpy. What it does during the memcpy is to copy its defined-ness status for the bytes of y to the bytes of x. Then it complains when you use the now-known-undefined value of x in the return statement. So in the case in strftime(), Valgrind would only complain if mktime() actually tried to use any fields that had not been initialized by the caller of strftime(). Which is just what one would want.

So AFAICS, both Valgrind and the letter of the C standard agree that using memcpy to copy the tm struct will be fine. With the additional datum that nobody has complained about this code in decades, I can't see an argument for writing longer and more fragile code as a substitute for a full-struct copy.

regards, tom lane

On Nov 9, 2022, at 3:07 PM, Clive D.W. Feather via tz <tz@iana.org> wrote:

trap representation.

Does the C specification allow for a C implementation on a hypothetical load-store architecture machine in which: a byte is 8 bits plus an "initialized bit"; the "uninitialize" instruction has a memory-location operand, and clears the initialized bit; a store instruction set the initialized bit on all bytes to which it stores; a load instruction traps if any of the bytes from which it's loading doesn't have the initialized bit set?

Guy Harris said:

...

trap representation.

Does the C specification allow for a C implementation on a hypothetical load-store architecture machine in which:

a byte is 8 bits plus an "initialized bit";

the "uninitialize" instruction has a memory-location operand, and clears the initialized bit;

a store instruction set the initialized bit on all bytes to which it stores;

a load instruction traps if any of the bytes from which it's loading doesn't have the initialized bit set?

No. My memory is that we agreed "no hidden bits" when writing that wording. I do recall that parity bits were discussed and we agreed that they weren't part of the representation of a value. Of course, an implementation could do what you suggested provided that there was a way of disabling it so as to produce a conforming implementation. -- Clive D.W. Feather | If you lie to the compiler, Email: clive@davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646

Ian Abbott said:

Uninitialized objects may be smaller than a byte, so this hypothetical machine would require one "initialized" flag per bit, not one per byte.

I left out the Standard text about bit-fields in this context, but it's there. -- Clive D.W. Feather | If you lie to the compiler, Email: clive@davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646

Hi, Le 10/11/2022 à 01:28, Paul Eggert via tz a écrit :

On 11/9/22 11:25, Tom Lane wrote:

...

So in the case in strftime(), Valgrind would only complain if mktime() actually tried to use any fields that had not been initialized by the caller of strftime().  Which is just what one would want.

True, and good point.  And I understand why Valgrind wants to delay checking here: it wants to avoid false alarms in some programs. Unfortunately Valgrind's delay in reporting is problematic, because Valgrind sometimes neglects to report behavior that the C standard says is undefined. For example:

   $ cat t.c    int main (void) { int a, b=a; return b; }    $ gcc t.c    $ valgrind ./a.out    [no error is reported]

Here I'm getting: $ valgrind ./a.out ==511562== Memcheck, a memory error detector ==511562== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==511562== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==511562== Command: ./a.out ==511562== ==511562== Syscall param exit_group(status) contains uninitialised byte(s) ==511562== at 0x4955DF1: _Exit (_exit.c:30) ==511562== by 0x48B1561: __run_exit_handlers (exit.c:136) ==511562== by 0x48B161F: exit (exit.c:143) ==511562== by 0x4896516: (below main) (libc_start_call_main.h:74) ==511562== ==511562== ==511562== HEAP SUMMARY: ==511562== in use at exit: 0 bytes in 0 blocks ==511562== total heap usage: 0 allocs, 0 frees, 0 bytes allocated ==511562== ==511562== All heap blocks were freed -- no leaks are possible ==511562== ==511562== Use --track-origins=yes to see where uninitialised values come from ==511562== For lists of detected and suppressed errors, rerun with: -s ==511562== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Conversely, as my previous email showed, Valgrind sometimes reports behavior that I think is a program failure that should be fixed, but the C standard says is well-defined behavior. Although Valgrind was pickier in that email than the C standard really allows, I wish Valgrind were a bit pickier still and reported each use of an uninitialized variable when it happens and not optionally later (by then, it may be difficult to debug), and I'd like tzcode to work with such a Valgrind-like system.

With --track-origins=yes : $ valgrind --track-origins=yes ./a.out ==511667== Memcheck, a memory error detector ==511667== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==511667== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==511667== Command: ./a.out ==511667== ==511667== Syscall param exit_group(status) contains uninitialised byte(s) ==511667== at 0x4955DF1: _Exit (_exit.c:30) ==511667== by 0x48B1561: __run_exit_handlers (exit.c:136) ==511667== by 0x48B161F: exit (exit.c:143) ==511667== by 0x4896516: (below main) (libc_start_call_main.h:74) ==511667== Uninitialised value was created by a stack allocation ==511667== at 0x109129: main (in /home/ydroneaud/src/test/a.out) ==511667== ==511667== ==511667== HEAP SUMMARY: ==511667== in use at exit: 0 bytes in 0 blocks ==511667== total heap usage: 0 allocs, 0 frees, 0 bytes allocated ==511667== ==511667== All heap blocks were freed -- no leaks are possible ==511667== ==511667== For lists of detected and suppressed errors, rerun with: -s ==511667== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Using UBSan and MSan (requires clang) instead of valgrind would catch this too: $ clang -fsanitize=undefined,memory -fsanitize-memory-track-origins=2 -g t.c $ ./a.out ==511862==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55a79df79b35 in main .../t.c:1:31 #1 0x7f686dc2350f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #2 0x7f686dc235c8 in __libc_start_main csu/../csu/libc-start.c:381:3 #3 0x55a79def3294 in _start (.../a.out+0x1e294) (BuildId: 576806214712a462122845f7fa09af26e1237aee) Uninitialized value was stored to memory at #0 0x55a79df79adf in main .../t.c:1:26 #1 0x7f686dc2350f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 Uninitialized value was created by an allocation of 'a' in the stack frame of function 'main' #0 0x55a79df799a0 in main .../t.c:1 SUMMARY: MemorySanitizer: use-of-uninitialized-value .../t.c:1:31 in main Exiting Regards. -- Yann Droneaud OPTEYA

On 11/10/22 02:17, Clive D.W. Feather wrote:

Implementations or tools like lint or valgrind? Are there implementations that can't copy an arbitrary byte of memory to another location?

It depends on what one means by "implementation". There are combinations of compilers and runtimes that operate that way. Valgrind is one example, and as Yann reports Clang is another if you use certain options. I don't know of any platform that cannot copy uninitialized bytes no matter what: valgrind is optional, and clang's -fsanitize option is optional, and you can run your program without these options. Still, I don't understand why the C committee required implementations to support copying from uninitialized memory. Such copying is not that useful in practice, and since it's quite useful to treat it to be an error, why force implementations to support it? I'm curious about this partly because the C standard's wording in this area is (a) so obscure that I didn't know about it despite long experience reading the standard, and (b) so buggy that the committee had to change the wording again in C23, because the wording in C17 was so unclear that it was misinterpreted. (And this is a tricky business: the wording was changed multiple times in the drafting process for C23.) The C committee has evidently gone to some length to require support for the obscure and troublesome feature of copying uninitialized data, for reasons that escape me.

Robert Elz via tz said:

| The | C committee has evidently gone to some length to require support for the | obscure and troublesome feature of copying uninitialized data, for | reasons that escape me.

I assume it is so portable code, which because of that cannot touch any implementation extension fields, has a way to copy a struct, based just upon its size (and a pointer to one of course), with the copy copying all fields (including non-standard extras) - because of that, copying field by field is out, and struct copy is out, because any uninit'd fields (probably extensions that the application doesn't know about either) might cause a trap.

As I said, I don't recall why we did it, but that's a good use case. Struct copy is allowed to use (at least) memcpy or member-by-member assignment, so it is allowed to trap on an uninitialized member.

sizeof(struct whatever) always works to get the size, no matter how many extra fields might have been added, but also includes any padding that might exist, which is unlikely to be initialised unless the application has seen a need to memset() the whole thing.

Right. However, the contents of padding does not affect whether the structure (or union) as a whole is a trap representation or not. In other words, if all the members are initialized, you can safely copy the structure without worrying about the padding. Also note that all padding bytes become unspecified every time anything in the structure changes; they're not required to stay constant. (This is all C99 wording, of course.)

So a means is needed to copy that uninitialised (potentially trapping) memory safely.

Yes, but see above.

Kind of a pity they chose to make individual byte reads never trap (especially for architectures with no byte fetch from RAM instruction, where all fetches less than the word size need to be fetch/shift/mask type sequences) and so where if a word fetch generates a trap, the trap handler has to look at the code sequence that was going to be executed next, and hide the trap if just a byte was being accessed, but apparently, that's what would be required.

A byte is supposed to be individually addressable and accessible. So the word fetch shouldn't be trapping. On the XAP2, the minimum addressable and accessible object is 16 bits, so at least on our implementation that was a byte (i.e. CHAR_BITS == 16). If you wanted to get one or the other octet out of it, you had to do a fetch/shift/mask. -- Clive D.W. Feather | If you lie to the compiler, Email: clive@davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646

On 2022-11-11 03:55, Clive D.W. Feather wrote:

int x; int y = x;

is undefined behaviour because it might assign a trap representation to y.

It's undefined even on implementations that don't have trap representations. Draft C23 6.3.2.1 "Lvalues, arrays, and function designators" says, "If the lvalue designates an object of automatic storage duration that could have been declared with the register storage class (never had its address taken), and that object is uninitialized (not declared with an initializer and no assignment to it has been performed prior to use), the behavior is undefined." Hence, in the typical case where there are no trap representations, this code: time_t x, y = x; return !y; has undefined behavior, whereas this code: time_t x, y = x; return time(&x) == (time_t)-1 ? !y : !!y; must return 0 or 1 and the implementation cannot reject the first line's use of the uninitialized variable x. This part of the standard is strange indeed, and I can't imagine debugging implementation wanting to conform to the standard as written.