From: David Chisnall <theraven@FreeBSD.org>
To: Bruce Evans
Cc: src-committers, Andrey Chernov, svn-src-all@freebsd.org, Pedro Giffuni, svn-src-head@freebsd.org, Warner Losh
Subject: Re: svn commit: r265367 - head/lib/libc/regex
Date: Tue, 6 May 2014 09:06:45 +0100
Message-Id: <0FCEDD3C-A512-4B83-A8C8-5A1B7A33AAF2@FreeBSD.org>
In-Reply-To: <20140506135706.T1596@besplex.bde.org>
Bruce,

On 6 May 2014, at 05:46, Bruce Evans wrote:

> The standard behaviour is undefined. It cannot be relied on. From C99
> (n869.txt):
>
> % 7.20.3.1 The calloc function
> %
> % Synopsis
> %
> % [#1]
> %
> % #include <stdlib.h>
> % void *calloc(size_t nmemb, size_t size);
> %
> % Description
> %
> % [#2] The calloc function allocates space for an array of
> % nmemb objects, each of whose size is size. The space is
> % initialized to all bits zero.238)
>
> Oops, there is no object to begin with, so perhaps the behaviour is
> defined after all. This is unclear.

You're missing off the next line:

> • 3 The calloc function returns either a null pointer or a pointer to the allocated space.

Clarifications from WG14 have indicated that this means that calloc() *must* return either NULL or enough space for nmemb objects of size size. The text of the standard was not changed in C11 because it seemed to be the consensus of library authors that this is obvious from the existing text. See the CERT report from my previous email - in 2002 it was regarded as a security hole (and a lack of standards conformance) if your calloc did not do this, and all known calloc implementations that did not were fixed.

Now, you can argue that either:

- In this case, we can statically prove that the multiplication won't overflow, so we don't need a check, or
- It is better to do the overflow check on the caller side and increase i-cache usage to save some memory zeroing.

But please don't try to argue that it is permitted for calloc() to not correctly handle integer overflow. It is both non-conformant and dangerous for it to fail to do so.

> It is also unclear if objects
> can have size too large to represent as a size_t

That is implementation defined; however, if sizeof(ptrdiff_t) <= sizeof(size_t) then they cannot, because you must be able to represent the difference between any two pointers as a ptrdiff_t[1]. If you want to be pedantic, _Static_assert(sizeof(ptrdiff_t) <= sizeof(size_t), "Unsupported platform!") to make sure you catch it at compile time if this might change.

David

[1] This also means, on our platforms, that the maximum size of an object must be one byte less than the total size of the address space, as C only defines pointer comparisons between valid pointers to the same object and allows pointers to be one element past the end of an array.
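The following is an added example, not code from the mail above or from FreeBSD's libc: a calloc() front end that performs the nmemb * size overflow check the mail argues a conforming calloc() must perform, together with the _Static_assert David suggests. The function names mul_size_checked, calloc_checked and all_zero are this example's own; the "skip the division when both operands are below 2^(bits/2)" fast path is the idiom used by OpenBSD's reallocarray(), shown here to illustrate that the check costs almost nothing on ordinary inputs.

```c
/*
 * Added example (not from the mail or from FreeBSD libc): calloc() with
 * the nmemb * size overflow check made explicit. A calloc that simply
 * multiplies in size_t hands back a short buffer when the product wraps
 * (the pre-2002 bug the mail refers to); this one returns NULL instead.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile-time check from the mail: object sizes are representable in
 * size_t only if pointer differences (ptrdiff_t) are no wider than size_t. */
_Static_assert(sizeof(ptrdiff_t) <= sizeof(size_t), "Unsupported platform!");

/*
 * Store nmemb * size in *out and return 1 if the product fits in size_t;
 * otherwise return 0 and leave *out untouched.
 *
 * Fast path: if both operands are below 2^(bits/2) the product is below
 * 2^bits and cannot wrap, so the division is paid only for operands large
 * enough to be suspicious (the OpenBSD reallocarray() idiom).
 */
int mul_size_checked(size_t nmemb, size_t size, size_t *out)
{
    const size_t half = (size_t)1 << (sizeof(size_t) * 4);

    if ((nmemb >= half || size >= half) && nmemb != 0 &&
        size > SIZE_MAX / nmemb)
        return 0;               /* nmemb * size would wrap */
    *out = nmemb * size;
    return 1;
}

/* calloc() that returns NULL, rather than a too-small buffer, on overflow. */
void *calloc_checked(size_t nmemb, size_t size)
{
    size_t total;
    void *p;

    if (!mul_size_checked(nmemb, size, &total)) {
        errno = ENOMEM;         /* POSIX behaviour for an unsatisfiable request */
        return NULL;
    }
    p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);    /* "initialized to all bits zero" */
    return p;
}

/* Return 1 if the first n bytes at p are all zero (checks the zero-fill). */
int all_zero(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Stand-alone demonstration: the wrapping request must fail, not succeed. */
int main(void)
{
    size_t big = SIZE_MAX / 2 + 1;      /* big * 2 == SIZE_MAX + 1, wraps to 0 */
    void *ok = calloc_checked(16, 4);
    void *bad = calloc_checked(big, 2);

    printf("calloc_checked(16, 4)   -> %s, zeroed=%d\n",
           ok ? "buffer" : "NULL", ok ? all_zero(ok, 64) : 0);
    printf("calloc_checked(big, 2)  -> %s (naive product would be 0)\n",
           bad ? "buffer" : "NULL");
    free(ok);
    free(bad);
    return 0;
}
```

The second request illustrates the failure mode under discussion: a naive calloc computes big * 2 as 0, malloc(0) may succeed, and the caller then writes 2 * big bytes into a zero-length allocation. With the check in place the call fails cleanly with NULL and ENOMEM. The mail's second option, checking on the caller side instead, is the same mul_size_checked() call moved in front of a plain malloc()/memset().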