From: Jonathan Wakely <jwakely@redhat.com>
To: cauldwell.thomas@gmail.com
Cc: "libstdc++" <libstdc++@gcc.gnu.org>
Subject: Re: string::iterator should have more error checking
Date: Fri, 24 Jun 2022 11:28:43 +0100 [thread overview]
Message-ID: <CACb0b4k_aOruSMAzyWqaDLJMiApgor9xM7x4i_+wWYJDbKudZQ@mail.gmail.com> (raw)
In-Reply-To: <CALtZhhO5Hw=HhLMq1YpmS1y_N4VdC=vc7-qi8f=iB71XB3Wyow@mail.gmail.com>
On Fri, 24 Jun 2022 at 11:11, Frederick Virchanza Gotham
<cauldwell.thomas@gmail.com> wrote:
>
> On Fri, Jun 24, 2022 at 10:35 AM Jonathan Wakely <jwakely@redhat.com> wrote:
>
> > That's expected. The contents of the string_view are a string literal,
> > which is in the program image, not on the heap.
>
>
> Valgrind is the best tool for troubleshooting heap problems (although
> it's useless against non-heap problems).
>
>
> > AddressSanitizer
> > doesn't check access to such memory.
> > The byte after the string literal "brush" is uninitialized, but it
> > does exist in a valid memory page.
>
>
> Check out how "-fsanitize" flags the following invalid access to
> static-duration constexpr arrays:
>
> https://godbolt.org/z/fjnPTWj5P
>
> Having thought about this a little more, I realise that "brush" in memory is:
>
> char constexpr brush[6u] = { 'b', 'r', 'u', 's', 'h', '\0' };
>
> And so therefore it is perfectly valid to access the null terminator
> located at brush[5u], which is why the access is not flagged by
> "-fsanitize".
But &*(s2.cend() + 1u) accesses the byte after the null, doesn't it?
The issue is more that the compiler turns &*p into just p, and then
there is no further *p dereference that can be seen by ASan. It's
still undefined though.
>
> > And it's not detected by Debug Mode because string_view iterators are
> > just pointers.
>
>
> I understand that. I think there should be "<debug/string_view>" and
> that it should be optionally configurable to barf when it encounters a
> null terminator. (It must be optionally configurable because a null
> char is actually a valid char inside a string_view). Something like:
>
> #define _GLIBCXX_STRINGVIEW_DONT_ALLOW_NULL_CHAR
> #include <debug/string_view>
A debug string_view is unlikely to happen unless you do the work to add it.
I don't think that extra check is appropriate though. As you say, it's
entirely valid according to the standard, so if your application wants
to disallow that, checking for it belongs in your application.
next prev parent reply other threads:[~2022-06-24 10:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-23 21:05 Frederick Virchanza Gotham
2022-06-23 21:26 ` Jonathan Wakely
2022-06-23 22:01 ` Frederick Virchanza Gotham
2022-06-23 22:35 ` Jonathan Wakely
2022-06-24 9:06 ` Frederick Virchanza Gotham
2022-06-24 9:35 ` Jonathan Wakely
2022-06-24 10:10 ` Frederick Virchanza Gotham
2022-06-24 10:28 ` Jonathan Wakely [this message]
2022-06-24 11:14 ` Frederick Virchanza Gotham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACb0b4k_aOruSMAzyWqaDLJMiApgor9xM7x4i_+wWYJDbKudZQ@mail.gmail.com \
--to=jwakely@redhat.com \
--cc=cauldwell.thomas@gmail.com \
--cc=libstdc++@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).