On Pá, 2016-02-19 at 15:19 +0100, Thorsten Kukuk wrote:
Hi,
On Fri, Feb 19, Tomas Mraz wrote:
> Apparently our usage of __nonnull__ attribute is not completely
> aligned
> with what gcc developers mean with it. Use of the attribute
> declares
> that the parameter can never be NULL which means that the checks in
> the
> IF_NO_PAMH for example can be removed by the compiler during the
> optimization. We would need to remove the __nonnull__ attribute or
> at
> least add -fno-delete-null-pointer-checks to the default CFLAGS.
>
> I'd prefer removing the __nonnull__.
>
> What do you think?
From Linux-PAM code:
#if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE)
# define PAM_NONNULL(params) __attribute__((__nonnull__ params))
#else
# define PAM_NONNULL(params)
#endif
We don't use it for libpam itself, I fixed that already 10 years
ago.
The problem is well known, from the GCC documentation:
"causes the compiler to check that, in calls to my_memcpy, arguments
dest and src are non-null. If the compiler determines that a null
pointer is passed in an argument slot marked as non-null, and the
-Wnonnull option is enabled, a warning is issued. The compiler may
also choose to make optimizations based on the knowledge that
certain
function arguments will not be null. "
So our usage of the nonnull attribute is matching exactly what
was documented for GCC: the calling code should get a warning
from the compiler, if it is using NULL as argument, and the
called functions in libpam are not compiled with this attribute,
so that the checks are not removed.
I think we only need to check, if we haven't make changes to the
code, so that the nonnull attribute is also used for to be called
code.
Ah, OK, I overlooked the !defined(LIBPAM_COMPILE) condition. So yes,
our use of the attribute should be correct.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)