Re: [PATCH] more out of bounds checking improvements

[Martin Sebor <msebor@gmail.com>]

On 10/26/20 9:41 AM, Florian Weimer wrote:
> * Martin Sebor via Libc-alpha:
> 
>> Besides attribute access, the change adds attribute nonnull to
>> the readv and writev functions in misc/sys/uio.h.  The functions
>> don't necessarily access the array elements when their count is
>> zero but neither POSIX nor the Linux manual document this so it
>> seems appropriate to warn.
> 
> This change is questionable because it breaks interoperability with
> abstract data types such as std::vector, where the base pointer can be
> null when the array is empty.  The kernel does not return EFAULT in this
> case, as expected.

Let me separate this out from the main patch if it isn't
straightforward.  Although POSIX doesn't require the functions to
fail, it does suggest, albeit obliquely, they may fail when the iov
pointer is null:

   The iovcnt argument is valid if greater than 0 and less than or
   equal to {IOV_MAX}, as defined in <limits.h>.

   The writev() function may fail and set errno to:

   [EINVAL]
     The iovcnt argument was less than or equal to 0, or greater than
     {IOV_MAX}.

Passing the functions a null iov pointer is only realistic when
iovcnt is zero.  The former is nonconforming and undefined under
any conditions (null isn't a valid argument to any library
function unless specified otherwise), and the latter may cause
the function to fail.  A warning for it seems to me both
appropriate and helpful, certainly in the absence of the Glibc
or Linux man pages documenting the behavior under these
conditions.

Martin

> I think we need a special case for this.
> 
> Thanks,
> Florian
>