From: "bugdal at aerifal dot cx" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/27214] The C frontend introduces undefined pointer overflow
Date: Sun, 06 May 2012 04:23:00 -0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
X-SW-Source: 2012-05/txt/msg00610.txt.bz2

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27214

Rich Felker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #11 from Rich Felker 2012-05-06 04:11:03 UTC ---

I would lean towards marking this one invalid. Under normal circumstances (and I would argue, under ALL conditions, on a high-quality implementation), objects cannot be larger than SIZE_MAX/2.
This is because ptrdiff_t has been chosen to be the signed type corresponding to size_t, and if objects larger than SIZE_MAX/2 were allowed, valid pointer subtractions would overflow the signed ptrdiff_t and result in undefined behavior.

There are three ways of addressing this issue; either:

(1) you say "subtracting pointers is unsafe unless the application makes an effort to ensure that no huge objects exist", even though that's hard to do in any portable way; OR

(2) you disallow objects sufficiently large that ptrdiff_t would overflow; OR

(3) you make ptrdiff_t a larger type (e.g. 64-bit on 32-bit systems). But this is not an option, since you're always dealing with an already-defined ABI.

If you take option (1), large objects (>SIZE_MAX/2) are already extremely dangerous, and so the additional wrapping issue in GCC's internal representation is a really small matter in comparison. If you take option (2), offsets can always be interpreted as the signed type.
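The overflow the comment describes, as an added example that is not part of the bug report or of GCC's code. It simulates the ILP32 ABI the comment refers to (32-bit size_t and ptrdiff_t) on top of fixed-width integers, so it runs on any host and never performs an actual out-of-range pointer subtraction: the "true" difference is computed in 64 bits and compared against the value a 32-bit ptrdiff_t would hold. It also shows option (2) as a hypothetical checked_malloc wrapper that refuses requests above PTRDIFF_MAX; the function names and the 32-bit simulation are assumptions for illustration, not an API of any real allocator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Option (2) from the comment: if no object may exceed PTRDIFF_MAX bytes
 * (SIZE_MAX/2 on the usual two's-complement ABIs), then the difference of
 * any two pointers into the same object, including the one-past-the-end
 * pointer, fits in ptrdiff_t. Hypothetical wrapper for illustration. */
bool object_size_ok(size_t n) {
    return n <= (size_t)PTRDIFF_MAX;
}

void *checked_malloc(size_t n) {
    if (!object_size_ok(n))
        return NULL;              /* refuse: would make p - q overflow */
    return malloc(n);
}

/* Given two byte offsets a and b into the same object, report whether
 * (p + a) - (p + b) is representable as ptrdiff_t. The magnitude is
 * computed in size_t so the check itself cannot overflow. Conservative:
 * it does not use the extra negative value of PTRDIFF_MIN. */
bool diff_representable(size_t a, size_t b) {
    size_t mag = a >= b ? a - b : b - a;
    return mag <= (size_t)PTRDIFF_MAX;
}

/* Simulated 32-bit ABI: offsets a and b are 32-bit size_t values. Returns
 * true if the wrapped 32-bit ptrdiff_t result equals the mathematically
 * correct difference, i.e. the subtraction would NOT overflow. The wrap
 * is done on uint32_t (well defined) and the bit pattern is then
 * reinterpreted as two's complement without relying on a narrowing cast. */
bool diff32_exact(uint32_t a, uint32_t b) {
    int64_t truth = (int64_t)a - (int64_t)b;
    uint32_t wrapped_u = a - b;   /* modulo 2^32, as the hardware does it */
    int32_t wrapped;
    if (wrapped_u <= (uint32_t)INT32_MAX)
        wrapped = (int32_t)wrapped_u;
    else
        wrapped = -(int32_t)(UINT32_MAX - wrapped_u) - 1;
    return (int64_t)wrapped == truth;
}

/* For an object of the given size on the simulated 32-bit ABI, check the
 * two extreme valid subtractions: (one-past-end) - (start) and the reverse.
 * If both are exact, every in-bounds subtraction is. */
bool size32_all_exact(uint32_t size) {
    return diff32_exact(size, 0) && diff32_exact(0, size);
}

int main(void) {
    /* Constructed sizes: the 32-bit SIZE_MAX/2 boundary and one byte past it. */
    uint32_t limit = UINT32_MAX / 2;   /* 0x7FFFFFFF == 32-bit PTRDIFF_MAX */
    printf("size %u: all pointer subtractions exact? %s\n",
           limit, size32_all_exact(limit) ? "yes" : "no");
    printf("size %u: all pointer subtractions exact? %s\n",
           limit + 1, size32_all_exact(limit + 1) ? "yes" : "no");

    void *p = checked_malloc(64);
    printf("checked_malloc(64): %s\n", p ? "ok" : "refused");
    free(p);
    printf("checked_malloc(SIZE_MAX): %s\n",
           checked_malloc(SIZE_MAX) ? "ok" : "refused");
    return 0;
}
```

Note the asymmetry the simulation exposes: for an object of exactly 2^31 bytes, start minus one-past-end (-2^31) still fits in a 32-bit ptrdiff_t, but one-past-end minus start (+2^31) wraps to a negative value. That is why the safe object-size limit is PTRDIFF_MAX rather than 2^31, and why a wrapper that enforces option (2) at allocation time makes the check unnecessary at every subtraction site.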