public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed
From: Xi Ruoyao <xry111@xry111.site>
To: "Arsen Arsenovi�0�4" <arsen@gentoo.org>,
	"Alejandro Colomar" <alx@kernel.org>
Cc: libc-alpha@sourceware.org
Subject: Re: free(3) const void *
Date: Sat, 27 Jan 2024 01:55:48 +0800	[thread overview]
Message-ID: <c06ff063d5ab94573f50597279e586c3db630402.camel@xry111.site> (raw)
In-Reply-To: <87fryk2ehc.fsf@gentoo.org>

On Fri, 2024-01-26 at 18:22 +0100, Arsen Arsenović wrote:
> 
> Alejandro Colomar <alx@kernel.org> writes:
> 
> > [[PGP Signed Part:No public key for 9E8C1AFBBEFFDB32 created at 2024-01-26T16:35:04+0100 using RSA]]
> > Hi Arsen,
> > 
> > On Fri, Jan 26, 2024 at 03:24:29PM +0100, Arsen Arsenović wrote:
> > > But, free() modifies the object passed to it (even if not its bit
> > > representation) by freeing it.  Freeing const-passed objects would also
> > > violate the constness promise, so I disagree that free should take const
> > > void*.
> > 
> > This is an interesting interpretation.  Is expiring the lifetime of an
> > object a modification of the object?  Possibly.
> > 
> > But, the standard says:
> > 
> > 	If an attempt is made to modify an object defined with a
> > 	const-qualified type through use of an lvalue with
> > 	non-const-qualified type, the behavior is undefined.
> > 
> > Even if you consider expiring the lifetime of the object a modification
> > of the object, the part that says "through use of an lvalue with
> > non-const-qualified type" is not fulfilled, IMO.  That would reqire
> > dereferencing the pointer, to actually get the lvalue, which free(3)
> > never does.
> 
> What 'free' precisely does is outside the bounds of the standard,
> though.  We can assume it is permitted to so since nothing says
> otherwise.
> 
> But, besides that, what I mean by 'constness promise' is that an object
> must be usable following a const usage of it as if that usage never
> happened.  This would certainly not be true of 'free', whether it
> dereferences or not.  I am not sure if this is a formalism of the
> language definition, but it is something people (and AFAIK compilers)
> rely on significantly.

In C we (not sure about the people, but at least the compiler) cannot
rely on it at all.  It's perfectly legal to write something like

void
stupid (const char *c)
{
  strcpy ((char *)c, "some bullshit");
}

int
main (void)
{
  char buf[100];
  stupid (buf);
  puts (buf);
}

Yes it's as stupid as the name of the function.  But it does *not*
invoke any undefined behavior, and so the compiler is not allowed to do
any optimization assuming "stupid" won't change the content in buf.

That's why GCC has invented __attribute__ ((access (read_only, ...))). 
The documentation of this attribute even says we cannot rely on the
const qualifier:

   The read_only access mode specifies that the pointer to which it
   applies is used to read the referenced object but not write to it.
   Unless the argument specifying the size of the access denoted by
   size-index is zero, the referenced object must be initialized. The
   mode implies a stronger guarantee than the const qualifier which,
   when cast away from a pointer, does not prevent the pointed-to object
   from being modified. Examples of the use of the read_only access mode
   is the argument to the puts function, or the second and third
   arguments to the memcpy function.

-- 
Xi Ruoyao <xry111@xry111.site>
School of Aerospace Science and Technology, Xidian University

  reply	other threads:[~2024-01-26 17:56 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-26 13:21 Alejandro Colomar
2024-01-26 14:24 ` Arsen Arsenović
2024-01-26 15:35   ` Alejandro Colomar
2024-01-26 17:22     ` Arsen Arsenović
2024-01-26 17:55       ` Xi Ruoyao [this message]
2024-01-26 18:11         ` Alejandro Colomar
2024-01-26 20:04           ` Arsen Arsenović
2024-01-26 20:07         ` Arsen Arsenović
2024-01-26 17:40     ` Andreas Schwab
2024-01-26 19:45     ` Florian Weimer
2024-01-26 15:13 ` Andreas Schwab
2024-01-26 15:33   ` Alejandro Colomar
2024-01-26 18:09 ` Russ Allbery
2024-01-26 18:23   ` Alejandro Colomar
2024-01-26 18:36     ` Xi Ruoyao
2024-01-26 18:40       ` Alejandro Colomar
2024-01-26 18:49         ` Xi Ruoyao
2024-01-26 18:57           ` Alejandro Colomar
2024-01-26 18:40     ` Russ Allbery
2024-01-26 18:45       ` Alejandro Colomar
2024-01-26 19:41   ` Florian Weimer
2024-01-26 18:39 ` [PATCH] Use [[gnu::access(none)]] on free(3) Alejandro Colomar
2024-01-26 18:41   ` Alejandro Colomar
2024-01-26 21:23     ` Paul Eggert
2024-01-26 23:19       ` Alejandro Colomar
2024-01-27 13:21       ` Cristian Rodríguez
2024-02-13 15:19         ` Gabriel Ravier
2024-02-13 15:28           ` Alejandro Colomar
2024-01-26 21:11 ` free(3) const void * DJ Delorie
2024-01-26 21:30   ` Andreas Schwab
2024-01-26 21:47     ` DJ Delorie
2024-01-26 22:07       ` Andreas Schwab
2024-01-26 23:25       ` Alejandro Colomar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c06ff063d5ab94573f50597279e586c3db630402.camel@xry111.site \
    --to=xry111@xry111.site \
    --cc=alx@kernel.org \
    --cc=arsen@gentoo.org \
    --cc=libc-alpha@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).