public inbox for gcc-patches@gcc.gnu.org
From: Jason Merrill <jason@redhat.com>
To: Martin Sebor <msebor@gmail.com>,
	Gcc Patch List <gcc-patches@gcc.gnu.org>
Subject: Re: [PING 2] [PATCH] c++/67942 - diagnose placement new buffer overflow
Date: Thu, 05 Nov 2015 15:27:00 -0000
Message-ID: <563B7541.3010902@redhat.com>
In-Reply-To: <563B71F5.8030902@gmail.com>

On 11/05/2015 10:12 AM, Martin Sebor wrote:
> On 11/04/2015 09:27 PM, Jason Merrill wrote:
>> On 11/04/2015 07:15 PM, Martin Sebor wrote:
>>>> There was a lot of discussion of C++ aliasing rules at the recent
>>>> meeting; we really seem to be moving in the direction of being stricter
>>>> about which union member is active.  So I think we do want to diagnose
>>>> the new-expression above; the user should write new (&u) if that's what
>>>> they mean.
>>>
>>> Okay. I changed that in the latest patch.
>>>
>>>>> Adjust is negative when the offset to a buffer of known size is
>>>>> negative. For example:
>>>>>
>>>>>      char buf [sizeof (int)];
>>>>>      new (&buf [1] - 1) int;
>>>>
>>>> OK, so because we're looking at the expression from the outside in, we
>>>> first see the subtraction and adjust becomes -1, then we see the
>>>> array_ref and adjust returns to 0.  We still don't have a negative
>>>> adjust by the time we get to the quoted if/else.
>>>
>>> I think I see what you mean. I've changed the type of the variables
>>> and the computation to unsigned. That made it possible to eliminate
>>> the final else and do some other cleanup. Attached is an updated
>>> patch.
>>
>> Hmm, I was suggesting that bytes_avail change to unsigned, but I don't
>> think adjust should change; I believe that 0u - 1u is undefined due to
>> overflow even though (-1u) and (unsigned)-1 are well defined.  Sorry for
>> the muddled messages.  I think let's leave adjust signed and assert that
>> it ends up non-negative.
>
> No problem.
>
> Unsigned ints wrap around and don't overflow so the subtraction
> is well defined (0u - 1u is equal to UINT_MAX).

I thought I had remembered that, but couldn't find anything in the 
standard to back it up.  Now I see that it's in 3.9.1 rather than clause 5.

> FWIW, I had the assert there for sanity testing when you first
> mentioned it to convince myself there really was no way for it
> to become negative. A bootstrap went fine with it but it still made
> me just a teeny bit uneasy. I would hate for the code to change
> in the future and for the assert to then fire after it's released.

> In any case, I defer to your better judgment. Please let me know
> if you would still like to go with signed + assert.

If we use gcc_checking_assert it won't fire in release builds; let's go 
with that.

Jason
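
As an added illustration of the outside-in walk and the signed-adjust / unsigned-bytes_avail split discussed above (a toy model written for this page, not GCC's code or the patch under review): the Expr tree, walk_adjust and bytes_avail are assumptions that stand in for GCC's internals, and a plain assert stands in for gcc_checking_assert.

```cpp
#include <cassert>
#include <cstddef>

// Toy model of a placement-new address, walked from the outermost operation
// inward.  The buffer is char[], so an array index is also a byte offset.
struct Expr {
    enum Kind { AddrOf, ArrayRef, PtrOffset } kind;
    std::size_t buf_size;  // AddrOf only: sizeof of the declared buffer
    long offset;           // ArrayRef: element index; PtrOffset: byte delta
    const Expr *inner;     // operand (nullptr at AddrOf)
};

// Signed offset from the buffer start.  For "&buf [1] - 1" the walk sees the
// subtraction first (adjust = -1), then the ARRAY_REF (back to 0), so the
// running value must stay signed; only the final result is non-negative.
static long walk_adjust(const Expr &addr, std::size_t &size)
{
    long adjust = 0;
    for (const Expr *e = &addr; e; e = e->inner) {
        if (e->kind == Expr::AddrOf)
            size = e->buf_size;
        else
            adjust += e->offset;
    }
    return adjust;
}

// Bytes left at the adjusted address, as an unsigned count (0u - 1u wraps
// to UINT_MAX, which is well defined).  adjust is asserted non-negative
// once the walk ends; a plain assert stands in for gcc_checking_assert.
static std::size_t bytes_avail(const Expr &addr)
{
    std::size_t size = 0;
    long adjust = walk_adjust(addr, size);
    assert(adjust >= 0);
    std::size_t skip = static_cast<std::size_t>(adjust);
    return skip > size ? 0 : size - skip;
}

// Would "new (addr) T" with sizeof (T) == type_size write past the buffer?
static bool placement_overflows(const Expr &addr, std::size_t type_size)
{
    return bytes_avail(addr) < type_size;
}
```

Modelling `char buf [sizeof (int)]; new (&buf [1] - 1) int;` as PtrOffset(-1) over ArrayRef(1) over AddrOf(sizeof (int)) yields bytes_avail == sizeof (int) and no diagnostic, while `new (&buf [2]) int` leaves only sizeof (int) - 2 bytes and is flagged.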

Thread overview: 18+ messages
2015-10-13 17:23 Martin Sebor
2015-10-21  0:03 ` [PING] " Martin Sebor
2015-10-27  2:07   ` [PING 2] " Martin Sebor
2015-11-03  2:41     ` Jason Merrill
2015-11-04 17:12       ` Martin Sebor
2015-11-04 19:12         ` Jason Merrill
2015-11-05  0:15           ` Martin Sebor
2015-11-05  4:27             ` Jason Merrill
2015-11-05 15:13               ` Martin Sebor
2015-11-05 15:27                 ` Jason Merrill [this message]
2015-11-05 16:52                   ` Martin Sebor
2015-11-05 18:13                     ` Jason Merrill
2015-11-05 23:41                       ` Martin Sebor
2015-11-06  1:10                         ` Martin Sebor
2015-11-06 12:50                     ` Andreas Schwab
2015-11-08 18:10                       ` Martin Sebor
2015-11-06 12:55                     ` Rainer Orth
2015-11-06 15:28                       ` Martin Sebor
