Date:      Tue, 6 May 2014 09:06:45 +0100
From:      David Chisnall <theraven@FreeBSD.org>
To:        Bruce Evans <brde@optusnet.com.au>
Cc:        src-committers <src-committers@freebsd.org>, Andrey Chernov <ache@freebsd.org>, svn-src-all@freebsd.org, Pedro Giffuni <pfg@freebsd.org>, svn-src-head@freebsd.org, Warner Losh <imp@bsdimp.com>
Subject:   Re: svn commit: r265367 - head/lib/libc/regex
Message-ID:  <0FCEDD3C-A512-4B83-A8C8-5A1B7A33AAF2@FreeBSD.org>
In-Reply-To: <20140506135706.T1596@besplex.bde.org>
References:  <201405051641.s45GfFje086423@svn.freebsd.org> <5367CD77.40909@freebsd.org> <B11B5B25-8E05-4225-93D5-3A607332F19A@FreeBSD.org> <5367EB54.1080109@FreeBSD.org> <3C7CFFB7-5C84-4AC1-9A81-C718D184E87B@FreeBSD.org> <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com> <A4B5E0E8-93CB-4E80-9065-5D25A007B726@FreeBSD.org> <536807D8.9000005@freebsd.org> <9349EAA9-F92C-4170-A1C0-2200FD490E5F@FreeBSD.org> <5368162A.9000002@freebsd.org> <20140506135706.T1596@besplex.bde.org>

Bruce,

On 6 May 2014, at 05:46, Bruce Evans <brde@optusnet.com.au> wrote:

> The standard behaviour is undefined.  It cannot be relied on.  From C99
> (n869.txt):
> 
> %        7.20.3.1  The calloc function
> % %        Synopsis
> % %        [#1]
> % %                #include <stdlib.h>
> %                void *calloc(size_t nmemb, size_t size);
> % %        Description
> % %        [#2] The calloc function allocates space  for  an  array  of
> %        nmemb  objects,  each  of  whose size is size.  The space is
> %        initialized to all bits zero.238)
> 
> Oops, there is no object to begin with, so perhaps the behaviour is
> defined after all.  This is unclear.

You're missing off the next line:

> 	• 3  The calloc function returns either a null pointer or a pointer to the allocated space.

Clarifications from WG14 have indicated that this means that calloc() *must* return either NULL or enough space for nmemb objects of size size.  The text of the standard was not changed in C11 because it seemed to be the consensus of library authors that this is obvious from the existing text.  See the CERT report from my previous email - in 2002 it was regarded as a security hole (and a lack of standards conformance) if your calloc did not do this and all known calloc implementations that did not were fixed.

Now, you can argue that either:

- In this case, we can statically prove that the multiplication won't overflow so we don't need a check, or

- It is better to do the overflow check on the caller side and increase i-cache usage to save some memory zeroing.

But please don't try to argue that it is permitted for calloc() to not correctly handle integer overflow.  It is both non-conformant and dangerous for it to fail to do so.

> It is also unclear if objects
> can have size too large to represent as a size_t


That is implementation defined, however if sizeof(ptrdiff_t) <= sizeof(size_t) then they can not because you must be able to represent the difference between any two pointers as a ptrdiff_t[1].  If you want to be pedantic, _Static_assert(sizeof(ptrdiff_t) <= sizeof(size_t), "Unsupported platform!") to make sure you catch it at compile time if this might change.

David

[1] This also means, on our platforms, that the maximum size of an object must be one byte less than the total size of the address space, as C only defines pointer comparisons between valid pointers to the same object and allows pointers to be one element past the end of an array.
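The overflow handling David says a conformant calloc() must perform, as an added example that is not part of the thread or of FreeBSD's libc: a calloc-style allocator that returns NULL when nmemb * size would wrap, plus the _Static_assert he suggests. The function names (size_mul_overflows, checked_calloc) and the sample inputs are this example's own.

```c
/* Added example (not from the thread): the overflow check a conforming
 * calloc() must perform, as argued in the reply above.  The names
 * size_mul_overflows and checked_calloc are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pedantic compile-time guard from the reply: object sizes fit in size_t
 * only if every pointer difference fits in ptrdiff_t. */
_Static_assert(sizeof(ptrdiff_t) <= sizeof(size_t), "Unsupported platform!");

/* Returns true when nmemb * size would not fit in a size_t; on success the
 * product is written to *total.  Dividing avoids the wrapping multiply. */
bool size_mul_overflows(size_t nmemb, size_t size, size_t *total)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return true;
    *total = nmemb * size;
    return false;
}

/* calloc()-style allocator: either NULL or zero-filled space for nmemb
 * objects of 'size' bytes each.  Never hands back a too-small block. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (size_mul_overflows(nmemb, size, &total))
        return NULL;            /* the conformant answer to overflow */
    void *p = malloc(total ? total : 1);   /* unique pointer for 0 bytes */
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed inputs: a product that wraps to 0 on every platform. */
    size_t nmemb = (SIZE_MAX / 4) + 1, size = 4;
    size_t naive = nmemb * size;
    void *p = checked_calloc(nmemb, size);
    printf("naive product wraps to %zu; checked_calloc -> %s\n",
           naive, p == NULL ? "NULL (overflow detected)" : "non-NULL");
    free(p);
    return 0;
}
```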