On Wed, May 15, 2013 at 11:12 AM, Florian Weimer <fwei...@redhat.com> wrote:
> On 05/15/2013 11:01 AM, Richard Biener wrote:
>>
>> Now - if there would ever be an architecture where special call-site
>> preparation is required for a callee to write to global memory then
>> marking a function 'const' when it does in fact write to global memory
>> then GCC may choose to optimize the call site to not do that call-site
>> preparation. At least that would be valid according to the current
>> documentation.
>
> That's a good point.
>
> The more immediate concern is that the compiler could apply the const
> attribute to the function definition itself and deduce that code paths with
> global memory references are unreachable. Apparently, this is something
> that Clang does in some cases.

We don't do that. The only attribute I am aware of that does this is the
nonnull attribute annotating function parameters. But yes, probably a
detail that should be documented as well (the current documentation does
not prohibit GCC from replacing all global memory accesses in const
functions with __builtin_unreachable (), nor does it prohibit GCC to derive
'const' attributes for all called functions in a 'const' function, even if
the calls may not be executed at runtime)

Richard.

>
>> Which means, annotating a function as const / pure in the way you mean to
>> is safe currently, but to make it safe in the future can you try to
>> formulate an amendment to the documentation that defines such
>> annotations as valid?
>
> I'll think about it. It's not something I can extemporize,
>
> --
> Florian Weimer / Red Hat Product Security Team