[PATCH][version 3]add -ftrivial-auto-var-init and variable attribute "uninitialized" to gcc

Richard Sandiford richard.sandiford@arm.com
Tue Jun 22 18:18:05 GMT 2021


Kees Cook <keescook@chromium.org> writes:
> On Tue, Jun 22, 2021 at 09:25:57AM +0100, Richard Sandiford wrote:
>> Kees Cook <keescook@chromium.org> writes:
>> > On Mon, Jun 21, 2021 at 03:39:45PM +0000, Qing Zhao wrote:
>> >> So, if “pattern value” is “0xFFFFFFFFFFFFFFFF”, then it’s a valid canonical virtual memory address.  However, for most OS, “0xFFFFFFFFFFFFFFFF” should be not in user space.
>> >> 
>> >> My question is, is “0xFFFFFFFFFFFFFFFFF” good for pointer? Or “0xAAAAAAAAAAAAAAAA” better?
>> >
>> > I think 0xFF repeating is fine for this version. Everything else is a
>> > "nice to have" for the pattern-init, IMO. :)
>> 
>> Sorry to be awkward, but 0xFF seems worse than 0xAA to me.
>> 
>> For integer types, all values are valid representations, and we're
>> relying on the pattern being “obviously” wrong in context.  0xAAAA…
>> is unlikely to be a correct integer but 0xFFFF… would instead be a
>> “nice” -1.  It would be difficult to tell in a debugger that a -1
>> came from pattern init rather than a deliberate choice.
>
> I can live with 0xAA. On x86_64, this puts it nicely in the middle of
> the non-canonical space:
>
> 0x800000000000 - 0xffff7fffffffffff
>
> The only trouble is with 32-bit, where the value 0xAAAAAAAA is a
> legitimate allocatable userspace address. If we want some kind-of middle
> ground, how about 0xFE? That'll be non-canonical on x86_64, and at the
> high end of the i386 kernel address space.

Sounds good to me FWIW.  That'd give float -1.694739530317379e+38
(suspiciously big even for astrophysics, I hope!) and would still
look unusual in an integer context.

>> I agree that, all other things being equal, it would be nice to use NaNs
>> for floats.  But relying on wrong numerical values for floats doesn't
>> seem worse than doing that for integers.
>> 
>> 0xAA… for float is (if I've got this right) -3.0316488252093987e-13,
>> which admittedly doesn't stand out as wrong.  But I'm not sure we
>> should sacrifice integer debugging for float debugging here.
>
> In some future version type-specific patterns would be a nice improvement,
> but I don't want that to block getting the zero-init portion landed. :)

Yeah.

Thanks,
Richard
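The thread above compares candidate fill bytes by what they look like when the filled storage is read back as an integer, a float or a pointer. The following program is an added example, not part of this thread and not GCC's implementation: it fills objects with one repeating byte and reinterprets them as each type, and applies the x86_64 48-bit canonical-address rule and the i386 3G/1G user/kernel split (both assumed here, as stated in the comments). All helper names are invented for the illustration.

```c
#include <inttypes.h>
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill an object with one repeating byte, the way a byte-repeating
   pattern init would fill an automatic variable. Hypothetical helper,
   not GCC's own code. */
static void fill_pattern(void *obj, size_t size, uint8_t byte)
{
    memset(obj, byte, size);
}

/* Reinterpret the repeated byte as each scalar type a debugger might show. */
int32_t  pattern_as_i32(uint8_t byte) { int32_t  v; fill_pattern(&v, sizeof v, byte); return v; }
int64_t  pattern_as_i64(uint8_t byte) { int64_t  v; fill_pattern(&v, sizeof v, byte); return v; }
uint64_t pattern_as_u64(uint8_t byte) { uint64_t v; fill_pattern(&v, sizeof v, byte); return v; }
float    pattern_as_f32(uint8_t byte) { float    v; fill_pattern(&v, sizeof v, byte); return v; }
double   pattern_as_f64(uint8_t byte) { double   v; fill_pattern(&v, sizeof v, byte); return v; }

/* x86_64 canonical form with 48-bit virtual addresses (assumption): bits
   63..47 must all equal bit 47; any other value faults when dereferenced. */
bool is_canonical_x86_64(uint64_t addr)
{
    uint64_t top17 = addr >> 47;
    return top17 == 0 || top17 == 0x1FFFF;
}

/* i386 with the default 3G/1G split (assumption): user space lies below
   0xC0000000, kernel space at and above it. */
bool is_i386_user_address(uint32_t addr)
{
    return addr < 0xC0000000u;
}

bool pattern_is_canonical_x86_64(uint8_t byte)
{
    return is_canonical_x86_64(pattern_as_u64(byte));
}

bool pattern_is_i386_user_address(uint8_t byte)
{
    uint32_t v;
    fill_pattern(&v, sizeof v, byte);
    return is_i386_user_address(v);
}

int main(void)
{
    /* The three fill bytes discussed in the thread. */
    const uint8_t candidates[] = { 0xFF, 0xAA, 0xFE };

    for (size_t i = 0; i < sizeof candidates; i++) {
        uint8_t b = candidates[i];
        printf("0x%02X: i32=%" PRId32 " i64=%" PRId64 " f32=%g f64=%g "
               "x86_64-canonical=%d i386-user=%d\n",
               b, pattern_as_i32(b), pattern_as_i64(b),
               pattern_as_f32(b), pattern_as_f64(b),
               pattern_is_canonical_x86_64(b), pattern_is_i386_user_address(b));
    }
    return 0;
}
```

Running it shows the trade-off the thread describes: 0xFF reads back as a plausible -1 and a canonical pointer (and, as a float, a NaN, since the exponent is all ones with a nonzero mantissa); 0xAA is non-canonical on x86_64 but a low, allocatable i386 user address; 0xFE is non-canonical on x86_64, sits in i386 kernel space, and gives the conspicuous float near -1.69e38.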
