From: Jeff Law
Date: Fri, 20 Feb 2015 17:01:00 -0000
To: Jonathan Wakely, Florian Weimer
CC: Sandra Loosemore, Jakub Jelinek, Jeff Prothero, gcc@gcc.gnu.org
Subject: Re: Obscure crashes due to gcc 4.9 -O2 => -fisolate-erroneous-paths-dereference
Message-ID: <54E76870.2070502@redhat.com>
References: <20150218192943.GR1746@tucnak.redhat.com> <54E64DFF.8030100@codesourcery.com> <54E71534.8070805@redhat.com>

On 02/20/15 04:43, Jonathan Wakely wrote:
> On 20 February 2015 at 11:06, Florian Weimer wrote:
>> On 02/19/2015 09:56 PM, Sandra Loosemore wrote:
>>> Hmmmm, passing the additional option in user code would be one thing,
>>> but what about library code? E.g., using memcpy (either explicitly or
>>> implicitly for a structure copy)?
>>
>> The memcpy problem isn't restricted to embedded architectures.
>>
>> size_t size;
>> const unsigned char *source;
>> std::vector vec;
>> …
>> vec.resize(size);
>> memcpy(vec.data(), source, size);
>>
>> std::vector::data() can return a null pointer if the vector is empty,
>> which means that this code is invalid for empty inputs.
>>
>> I think the C standard is wrong here. We should extend it, as a QoI
>> matter, and support null pointers for variable-length inputs and outputs
>> if the size is 0. But I suspect this is still a minority view.
>
> I'm inclined to agree.
>
> Most developers aren't aware of the preconditions on memcpy, but GCC
> optimizes aggressively based on those preconditions, so we have a
> large and potentially dangerous gap between what developers expect and
> what actually happens.

But that's always true -- this isn't any different than aliasing,
arithmetic overflow, etc.

The standards define the contract between the compiler/library
implementors and the developers. Once the contract is broken, all bets
are off.

jeff
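An added example, not code from anyone in this thread: the pattern Florian quotes, next to a guarded version that never hands memcpy a null pointer for a zero-length copy. The element type `unsigned char` and the sample bytes are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Pattern as quoted in the thread. memcpy's pointer arguments must be
// valid even when the length is 0, so an empty input (size == 0, where
// vec.data() may be null) is undefined behaviour here. glibc declares
// memcpy's pointer parameters nonnull, so after this call GCC may treat
// `source` and `vec.data()` as non-null: a later `if (source == nullptr)`
// check can be deleted, and with -fisolate-erroneous-paths-dereference a
// path that provably dereferences a null pointer is replaced by a trap.
std::vector<unsigned char> copy_unchecked(const unsigned char *source,
                                          std::size_t size) {
    std::vector<unsigned char> vec;
    vec.resize(size);
    std::memcpy(vec.data(), source, size);  // UB when size == 0 and data() is null
    return vec;
}

// Guarded version: skip the call entirely for empty input, so the memcpy
// precondition is never violated and no optimizer assumption is triggered.
std::vector<unsigned char> copy_checked(const unsigned char *source,
                                        std::size_t size) {
    std::vector<unsigned char> vec(size);
    if (size != 0) {
        std::memcpy(vec.data(), source, size);
    }
    return vec;
}

// Constructed sample input (assumption for the example).
const unsigned char kSample[] = {0xde, 0xad, 0xbe, 0xef};
```

Only `copy_checked` is safe to call with `(nullptr, 0)`; the same call into `copy_unchecked` is exactly the empty-input case the thread describes.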