From: "Arsen Arsenović" <arsen@gentoo.org>
To: Xi Ruoyao <xry111@xry111.site>
Cc: Alejandro Colomar <alx@kernel.org>, libc-alpha@sourceware.org
Subject: Re: free(3) const void *
Date: Fri, 26 Jan 2024 21:07:08 +0100 [thread overview]
Message-ID: <87cytn2705.fsf@gentoo.org> (raw)
In-Reply-To: <c06ff063d5ab94573f50597279e586c3db630402.camel@xry111.site>
[-- Attachment #1: Type: text/plain, Size: 3328 bytes --]
Xi Ruoyao <xry111@xry111.site> writes:
> On Fri, 2024-01-26 at 18:22 +0100, Arsen Arsenović wrote:
>>
>> Alejandro Colomar <alx@kernel.org> writes:
>>
>> > [[PGP Signed Part:No public key for 9E8C1AFBBEFFDB32 created at 2024-01-26T16:35:04+0100 using RSA]]
>> > Hi Arsen,
>> >
>> > On Fri, Jan 26, 2024 at 03:24:29PM +0100, Arsen Arsenović wrote:
>> > > But, free() modifies the object passed to it (even if not its bit
>> > > representation) by freeing it. Freeing const-passed objects would also
>> > > violate the constness promise, so I disagree that free should take const
>> > > void*.
>> >
>> > This is an interesting interpretation. Is expiring the lifetime of an
>> > object a modification of the object? Possibly.
>> >
>> > But, the standard says:
>> >
>> > If an attempt is made to modify an object defined with a
>> > const-qualified type through use of an lvalue with
>> > non-const-qualified type, the behavior is undefined.
>> >
>> > Even if you consider expiring the lifetime of the object a modification
>> > of the object, the part that says "through use of an lvalue with
>> > non-const-qualified type" is not fulfilled, IMO. That would reqire
>> > dereferencing the pointer, to actually get the lvalue, which free(3)
>> > never does.
>>
>> What 'free' precisely does is outside the bounds of the standard,
>> though. We can assume it is permitted to so since nothing says
>> otherwise.
>>
>> But, besides that, what I mean by 'constness promise' is that an object
>> must be usable following a const usage of it as if that usage never
>> happened. This would certainly not be true of 'free', whether it
>> dereferences or not. I am not sure if this is a formalism of the
>> language definition, but it is something people (and AFAIK compilers)
>> rely on significantly.
>
> In C we (not sure about the people, but at least the compiler) cannot
> rely on it at all. It's perfectly legal to write something like
>
> void
> stupid (const char *c)
> {
> strcpy ((char *)c, "some bullshit");
> }
>
> int
> main (void)
> {
> char buf[100];
> stupid (buf);
> puts (buf);
> }
>
> Yes it's as stupid as the name of the function. But it does *not*
> invoke any undefined behavior, and so the compiler is not allowed to do
> any optimization assuming "stupid" won't change the content in buf.
>
> That's why GCC has invented __attribute__ ((access (read_only, ...))).
> The documentation of this attribute even says we cannot rely on the
> const qualifier:
>
> The read_only access mode specifies that the pointer to which it
> applies is used to read the referenced object but not write to it.
> Unless the argument specifying the size of the access denoted by
> size-index is zero, the referenced object must be initialized. The
> mode implies a stronger guarantee than the const qualifier which,
> when cast away from a pointer, does not prevent the pointed-to object
> from being modified. Examples of the use of the read_only access mode
> is the argument to the puts function, or the second and third
> arguments to the memcpy function.
Ah, another regrettable bit of C to remember. Thanks for sharing - I'll
keep this in mind.
Have a lovely night!
--
Arsen Arsenović
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 251 bytes --]
next prev parent reply other threads:[~2024-01-26 20:08 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-26 13:21 Alejandro Colomar
2024-01-26 14:24 ` Arsen Arsenović
2024-01-26 15:35 ` Alejandro Colomar
2024-01-26 17:22 ` Arsen Arsenović
2024-01-26 17:55 ` Xi Ruoyao
2024-01-26 18:11 ` Alejandro Colomar
2024-01-26 20:04 ` Arsen Arsenović
2024-01-26 20:07 ` Arsen Arsenović [this message]
2024-01-26 17:40 ` Andreas Schwab
2024-01-26 19:45 ` Florian Weimer
2024-01-26 15:13 ` Andreas Schwab
2024-01-26 15:33 ` Alejandro Colomar
2024-01-26 18:09 ` Russ Allbery
2024-01-26 18:23 ` Alejandro Colomar
2024-01-26 18:36 ` Xi Ruoyao
2024-01-26 18:40 ` Alejandro Colomar
2024-01-26 18:49 ` Xi Ruoyao
2024-01-26 18:57 ` Alejandro Colomar
2024-01-26 18:40 ` Russ Allbery
2024-01-26 18:45 ` Alejandro Colomar
2024-01-26 19:41 ` Florian Weimer
2024-01-26 18:39 ` [PATCH] Use [[gnu::access(none)]] on free(3) Alejandro Colomar
2024-01-26 18:41 ` Alejandro Colomar
2024-01-26 21:23 ` Paul Eggert
2024-01-26 23:19 ` Alejandro Colomar
2024-01-27 13:21 ` Cristian Rodríguez
2024-02-13 15:19 ` Gabriel Ravier
2024-02-13 15:28 ` Alejandro Colomar
2024-01-26 21:11 ` free(3) const void * DJ Delorie
2024-01-26 21:30 ` Andreas Schwab
2024-01-26 21:47 ` DJ Delorie
2024-01-26 22:07 ` Andreas Schwab
2024-01-26 23:25 ` Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87cytn2705.fsf@gentoo.org \
--to=arsen@gentoo.org \
--cc=alx@kernel.org \
--cc=libc-alpha@sourceware.org \
--cc=xry111@xry111.site \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).