lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 11 Feb 2019 09:21:20 -0700
From:   Martin Sebor <>
To:     Miguel Ojeda <>,
        Ard Biesheuvel <>
Cc:     Linux Kernel Mailing List <>,
        Laura Abbott <>,
        Arnd Bergmann <>,
        Martin Sebor <>,
        Herbert Xu <>,
        Krzysztof Kozlowski <>,
        Catalin Marinas <>,
        Nick Desaulniers <>,
        Luc Van Oostenryck <>,
        Andrey Konovalov <>,
        Kees Cook <>,
        Sean Christopherson <>,
        Jessica Yu <>,
        Masahiro Yamada <>,
        James Morris <>,
        Mathieu Desnoyers <>,
        Borislav Petkov <>, Matt Mullins <>,
        Vincent Whitchurch <>,
        WANG Chao <>
Subject: Re: [PATCH 0/3] Clean the new GCC 9 -Wmissing-attributes warnings

On 2/9/19 5:31 AM, Miguel Ojeda wrote:
> On Sat, Feb 9, 2019 at 12:26 PM Ard Biesheuvel
> <> wrote:
>> On Sat, 9 Feb 2019 at 12:19, Miguel Ojeda
>> <> wrote:
>>> It also affects the optimizer in two different ways AFAIK:
>>>    * For the function itself, it gets optimized for size instead of speed.
>>>    * For callers, the paths that lead to the calls are treated as unlikely.
>> That seems reasonable, but that still does not mean it is necessarily
>> a problem if you apply 'cold' to one but not the other.
> Indeed. As I said, it is likely that you missed the attribute, not a
> sure thing (i.e. that you didn't do it explicitly).
>>> So GCC reports it because you would be (likely) missing the
>>> optimizations you expected if you are using the alias instead of the
>>> target.
>> I see how that could be reasonable for extern declarations that do not
>> match the definition, since in that case, it is assumed that there is
>> only one instance of the function. For function pointers, I don't
>> think this assumption is valid.
> It sounds reasonable to have another warning for
> declarations-definition attribute mismatches too. However, I don't see
> why you would warn differently. Even if you have one instance of the
> function, you may also be using the declaration to explicitly avoid
> the unlikely treatment.
> Now, whether the warning is worth or not or at which "level", it
> depends. I guess the rationale behind having it under -Wall is that
> they expect people to have missed copying the attributes, rather than
> they are using aliases specifically to avoid a cold/... attribute.
>>> In our case in patch 3, we do not want the optimization for callers,
>>> which is why we don't mark the extern declaration as __cold (see the
>>> commit message).
>> You did not cc me on the whole set, so I don't have the patch. But in
>> any case, GCC 9 has not been released so we should still have time to
>> talk sense into the GCC guys.
> I only CC'd people on the relevant patches according to
> get_maintainers (but yeah, 2 & 3 are related, I could have merged
> those lists). Anyway, using the server makes it easy
> to see an entire series when you have already one:
> As for GCC, Martin (the author of the features) is CC'd, so he can
> chime in (and I am sure he appreciates the feedback :-)

I do very much, thank you.  I think you've fielded all the GCC
questions here so I don't have much to add.  Just a comment regarding
aliases with different sets of attributes than their targets: it is
possible to come up with use cases not just with attribute cold but
others as well, including mutually exclusive pairs such as const and
pure.  But the uses cases that drove the design of the warning were
those where the set of attributes is meant to be the same, and we
are yet to to come across the others in practice.  If it turns out
that there are others in common use we can tweak the warning logic.

Regarding function pointers, attribute cold only applies to function
declarations (and labels) and is ignored on pointers, so calls to
a cold function through a pointer are not necessarily subject to
the same effects as direct calls to the cold function.  (This is
inconsistent with other attributes such as const and pure which can
be applied to function pointers, so I wouldn't recommend relying on
cold not changing to match the others.)


PS For reference, the built-ins that GCC implicitly declares cold
are __builtin_abort, __builtin_trap and __builtin_unreachable.

Powered by blists - more mailing lists