Okay. Now, I believe that we agreed on the following:
For this current patch: 1. Use byte-repeatable pattern for pattern-initialization; 2. Use one pattern for all types; 3. Use “0xFE” for the byte pattern value. Possible future improvement: 1. Type specific patterns if needed; 2. User-specified pattern if needed; (add a new option for user to change the patterns). 3. Make the code generation part a target hook if needed. Let me know if I miss anything. Thanks. Qing > On Jun 22, 2021, at 1:18 PM, Richard Sandiford <richard.sandif...@arm.com> > wrote: > > Kees Cook <keesc...@chromium.org> writes: >> On Tue, Jun 22, 2021 at 09:25:57AM +0100, Richard Sandiford wrote: >>> Kees Cook <keesc...@chromium.org> writes: >>>> On Mon, Jun 21, 2021 at 03:39:45PM +0000, Qing Zhao wrote: >>>>> So, if “pattern value” is “0xFFFFFFFFFFFFFFFF”, then it’s a valid >>>>> canonical virtual memory address. However, for most OS, >>>>> “0xFFFFFFFFFFFFFFFF” should be not in user space. >>>>> >>>>> My question is, is “0xFFFFFFFFFFFFFFFFF” good for pointer? Or >>>>> “0xAAAAAAAAAAAAAAAA” better? >>>> >>>> I think 0xFF repeating is fine for this version. Everything else is a >>>> "nice to have" for the pattern-init, IMO. :) >>> >>> Sorry to be awkward, but 0xFF seems worse than 0xAA to me. >>> >>> For integer types, all values are valid representations, and we're >>> relying on the pattern being “obviously” wrong in context. 0xAAAA… >>> is unlikely to be a correct integer but 0xFFFF… would instead be a >>> “nice” -1. It would be difficult to tell in a debugger that a -1 >>> came from pattern init rather than a deliberate choice. >> >> I can live with 0xAA. On x86_64, this puts it nicely in the middle of >> the middle of the non-canonical space: >> >> 0x800000000000 - 0xffff7fffffffffff >> >> The only trouble is with 32-bit, where the value 0xAAAAAAAA is a >> legitimate allocatable userspace address. If we want some kind-of middle >> ground, how about 0xFE? That'll be non-canonical on x86_64, and at the >> high end of the i386 kernel address space. > > Sounds good to me FWIW. That'd give float -1.694739530317379e+38 > (suspiciously big even for astrophysics, I hope!) and would still > look unusual in an integer context. > >>> I agree that, all other things being equal, it would be nice to use NaNs >>> for floats. But relying on wrong numerical values for floats doesn't >>> seem worse than doing that for integers. >>> >>> 0xAA… for float is (if I've got this right) -3.0316488252093987e-13, >>> which admittedly doesn't stand out as wrong. But I'm not sure we >>> should sacrifice integer debugging for float debugging here. >> >> In some future version type-specific patterns would be a nice improvement, >> but I don't want that to block getting the zero-init portion landed. :) > > Yeah. > > Thanks, > Richard