* Jakub Jelinek <ja...@redhat.com> wrote: > On Thu, Mar 03, 2016 at 02:24:34PM +0100, Ingo Molnar wrote: > > 6 hours of PeterZ time translates to quite a bit of code restructuring > > overhead to > > eliminate false positive warnings... > > I'll file a bugzilla enhancement request for this (with new attribute), > perhaps we could do it in FRE that is able to see through memory > stores/loads even in addressable structures in some cases. > Though, certainly GCC 7 material.
> And, in this particular case it couldn't do anything anyway, because > the sigfillset call is not inlined, and takes address of a field in the > structure. The compiler can't know if it doesn't cast it back to struct > sigaction and initialize the other fields. That's true - but I think in the typical case it's a pretty fragile pattern to go outside the bounds of a on-stack structure you get passed, so I wouldn't mind a (default-disabled) warning for it, even if it generates false positives that have to be annotated for the few cases where it's a legitimate technique. I am 99% sure that a fair number of security critical projects would migrate to the usage of such a warning, combined with -Werror. I'm 100% sure that perf would migrate to it. > BTW, valgrind should be able to detect this. Yes - assuming the uninitialized value gets used. Often they are in rarely used code and error paths, only triggered by exploits. It would be far better if GCC allowed a (non-default) C variant that makes it impossible to introduce uninitialized values via on-stack variables. The maintenance cost of the false positives is the price paid for that (very valuable) guarantee. Thanks, Ingo