From: Jason Merrill <jason@redhat.com>
To: Martin Sebor <msebor@gmail.com>,
Gcc Patch List <gcc-patches@gcc.gnu.org>
Subject: Re: [PING 2] [PATCH] c++/67942 - diagnose placement new buffer overflow
Date: Thu, 05 Nov 2015 15:27:00 -0000
Message-ID: <563B7541.3010902@redhat.com>
In-Reply-To: <563B71F5.8030902@gmail.com>
On 11/05/2015 10:12 AM, Martin Sebor wrote:
> On 11/04/2015 09:27 PM, Jason Merrill wrote:
>> On 11/04/2015 07:15 PM, Martin Sebor wrote:
>>>> There was a lot of discussion of C++ aliasing rules at the recent
>>>> meeting; we really seem to be moving in the direction of being stricter
>>>> about which union member is active. So I think we do want to diagnose
>>>> the new-expression above; the user should write new (&u) if that's what
>>>> they mean.
>>>
>>> Okay. I changed that in the latest patch.
>>>
>>>>> Adjust is negative when the offset to a buffer of known size is
>>>>> negative. For example:
>>>>>
>>>>> char buf [sizeof (int)];
>>>>> new (&buf [1] - 1) int;
>>>>
>>>> OK, so because we're looking at the expression from the outside in, we
>>>> first see the subtraction and adjust becomes -1, then we see the
>>>> array_ref and adjust returns to 0. We still don't have a negative
>>>> adjust by the time we get to the quoted if/else.
>>>
>>> I think I see what you mean. I've changed the type of the variables
>>> and the computation to unsigned. That made it possible to eliminate
>>> the final else and do some other cleanup. Attached is an updated
>>> patch.
>>
>> Hmm, I was suggesting that bytes_avail change to unsigned, but I don't
>> think adjust should change; I believe that 0u - 1u is undefined due to
>> overflow even though (-1u) and (unsigned)-1 are well defined. Sorry for
>> the muddled messages. I think let's leave adjust signed and assert that
>> it ends up non-negative.
>
> No problem.
>
> Unsigned ints wrap around and don't overflow so the subtraction
> is well defined (0u - 1u is equal to UINT_MAX).
I thought I had remembered that, but couldn't find anything in the
standard to back it up. Now I see that it's in 3.9.1 rather than clause 5.
> FWIW, I had the assert there for sanity testing when you first
> mentioned it to convince myself there really was no way for it
> to become negative. A bootstrap went fine with it but it still made
> me just a teeny bit uneasy. I would hate for the code to change
> in the future and for the assert to then fire after it's released.
> In any case, I defer to your better judgment. Please let me know
> if you would still like to go with signed + assert.
If we use gcc_checking_assert it won't fire in release builds; let's go
with that.
Jason
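The two points argued above (unsigned subtraction wraps and is well defined, while the signed `adjust` should be kept signed and guarded by a checking-only assertion) can be seen in a small stand-alone model. This is an added example, not code from the GCC patch or the compiler; `PlacementOperand`, `bytes_available`, `placement_fits`, `checking_assert` and `ENABLE_CHECKING` are hypothetical names chosen here to mirror the discussion, not GCC internals. The model takes `new (&buf[index] + adjust) T` for a buffer of known size and decides whether `T` fits, with `bytes_avail` unsigned and `adjust` signed.

```cpp
// Added illustration (not GCC's code): a toy model of the bytes_avail /
// adjust computation discussed in the thread. All names are hypothetical.
#include <cassert>
#include <climits>
#include <cstddef>
#include <limits>

// Analog of gcc_checking_assert: active only in checking builds, compiled
// out of release builds, so an invariant that is believed to hold never
// aborts a shipped compiler.
#ifdef ENABLE_CHECKING
#define checking_assert(x) assert(x)
#else
#define checking_assert(x) ((void)0)
#endif

// [basic.fundamental] (C++11 3.9.1p4): unsigned arithmetic is performed
// modulo 2^N, so 0u - 1u is well defined and equals UINT_MAX. Signed
// overflow, by contrast, is undefined behaviour.
constexpr unsigned wrapped_zero_minus_one() { return 0u - 1u; }

// Portable check for whether the signed subtraction a - b would overflow,
// i.e. the case the thread worries about if `adjust` were ever misused.
bool signed_sub_overflows(long a, long b) {
    const long lo = std::numeric_limits<long>::min();
    const long hi = std::numeric_limits<long>::max();
    return (b > 0 && a < lo + b) || (b < 0 && a > hi + b);
}

// Model of the placement-new operand `&buf[index] + adjust` into a buffer of
// `buf_size` bytes. The thread's example `new (&buf[1] - 1) int` with
// `char buf[sizeof (int)]` is {sizeof (int), 1, -1}.
struct PlacementOperand {
    std::size_t buf_size;   // sizeof (buf), known to the checker
    std::size_t index;      // ARRAY_REF index into buf
    long adjust;            // pointer adjustment applied to that address (signed)
};

// Computes the bytes available at the addressed location. Returns false when
// the address lies before or past the buffer (nothing can be constructed
// there). `adjust` stays signed; `bytes_avail` is unsigned and, because the
// net offset is bounded by buf_size first, never wraps.
bool bytes_available(const PlacementOperand &op, std::size_t &bytes_avail) {
    const long offset = static_cast<long>(op.index) + op.adjust;
    if (offset < 0 || static_cast<std::size_t>(offset) > op.buf_size)
        return false;
    bytes_avail = op.buf_size - static_cast<std::size_t>(offset);
    // Invariant the diagnostic relies on; cheap to check, compiled out in release.
    checking_assert(bytes_avail <= op.buf_size);
    return true;
}

// Does `new (addr) T` with sizeof (T) == type_size fit in the buffer?
// On success `avail` holds the bytes available at addr.
bool placement_fits(const PlacementOperand &op, std::size_t type_size,
                    std::size_t &avail) {
    if (!bytes_available(op, avail))
        return false;
    return type_size <= avail;
}
```

With `{4, 1, -1}` the net offset folds back to 0 and all four bytes are available, so a 4-byte `int` fits; with `{4, 1, 0}` only three bytes remain and the diagnostic should fire; with `{4, 0, -1}` the address precedes the buffer entirely.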
2015-10-13 17:23 Martin Sebor
2015-10-21 0:03 ` [PING] " Martin Sebor
2015-10-27 2:07 ` [PING 2] " Martin Sebor
2015-11-03 2:41 ` Jason Merrill
2015-11-04 17:12 ` Martin Sebor
2015-11-04 19:12 ` Jason Merrill
2015-11-05 0:15 ` Martin Sebor
2015-11-05 4:27 ` Jason Merrill
2015-11-05 15:13 ` Martin Sebor
2015-11-05 15:27 ` Jason Merrill [this message]
2015-11-05 16:52 ` Martin Sebor
2015-11-05 18:13 ` Jason Merrill
2015-11-05 23:41 ` Martin Sebor
2015-11-06 1:10 ` Martin Sebor
2015-11-06 12:50 ` Andreas Schwab
2015-11-08 18:10 ` Martin Sebor
2015-11-06 12:55 ` Rainer Orth
2015-11-06 15:28 ` Martin Sebor