This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH v8] Implement strlcpy and strlcat [BZ #178]
- From: Paul Eggert <eggert at cs dot ucla dot edu>
- To: Alexander Cherepanov <cherepan at mccme dot ru>, Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Sun, 10 Jan 2016 22:22:09 -0800
- Subject: Re: [PATCH v8] Implement strlcpy and strlcat [BZ #178]
- Authentication-results: sourceware.org; auth=none
- References: <56902FA4 dot 7070002 at redhat dot com> <5692F08E dot 6060101 at mccme dot ru>
Alexander Cherepanov wrote:
+ /* The sum cannot wrap around because both strings would be larger
+ than half of the address space, which is not possible due to
+ the restrict qualifier. */
+ _Static_assert (sizeof (uintptr_t) == sizeof (size_t),
+ "theoretical maximum object size covers address space");
+ return dest_length + src_length;
+}
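Review bot: the comment above `return dest_length + src_length;` gives a justification that is stronger than what actually holds: the sum wraps as soon as the two lengths together exceed SIZE_MAX, which does not require each string to be larger than half of the address space, so the `restrict` argument should be stated as a non-overlap argument (two non-overlapping objects in a flat address space cannot have lengths whose sum wraps) rather than as a claim about each string's size. The `_Static_assert (sizeof (uintptr_t) == sizeof (size_t), ...)` only checks that size_t is as wide as a pointer; it says nothing about the sum itself, so its message should describe that width check and the no-wrap reasoning should live in the comment, e.g. "behavior is undefined if the source string and destination array overlap; on flat address spaces the sum of the two lengths cannot wrap around when there is no overlap".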
First, I don't think the last comment is fully accurate -- both strings are not
required to be larger than half of the address space each, 1.5GB and 3GB are
enough for wrapping with 32-bit size_t.
Yes, the comment could be changed to something like this:
/* The API for this function says behavior is undefined if the source string
and destination array overlap. The following sanity check succeeds
on conventional architectures with flat address spaces, where the sum
of the two lengths cannot wrap around when there is no overlap. */
If you permit @var{to} to be non-null-terminated the situation is worse
Yes, it's one more nail in that particular coffin.
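The point under discussion, written out as an added C example (this is illustrative code, not glibc's patch or the thread's code): a BSD-style strlcat whose return value is dest_length + src_length, computed with a saturating add so it cannot silently wrap, alongside a 32-bit model of the 1.5 GB + 3 GB case from the thread. The function names (example_strlcat, add_saturating, sum32, bounded_length) and the inputs in main are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not glibc code: the names below are illustrative.
   It models the strlcat return value discussed in the thread,
   dest_length + src_length, which with a 32-bit size_t wraps once
   the two lengths together exceed SIZE_MAX. */

/* Length of s bounded by size (like strnlen, written out so the
   example needs no POSIX feature macros). */
static size_t bounded_length (const char *s, size_t size)
{
  size_t n = 0;
  while (n < size && s[n] != '\0')
    n++;
  return n;
}

/* Sum that saturates at SIZE_MAX instead of wrapping.  Returns 1 and
   stores SIZE_MAX when the true sum does not fit in a size_t. */
static int add_saturating (size_t a, size_t b, size_t *out)
{
  if (b > SIZE_MAX - a)
    {
      *out = SIZE_MAX;
      return 1;
    }
  *out = a + b;
  return 0;
}

/* BSD-style strlcat: append src to dest, NUL-terminate if there is
   room, and return the length of the string it tried to create.  If
   dest is not NUL-terminated within size, dest_length is size (as in
   the BSD definition) and nothing is appended. */
size_t example_strlcat (char *restrict dest, const char *restrict src,
                        size_t size)
{
  size_t dest_length = bounded_length (dest, size);
  size_t src_length = strlen (src);
  size_t total;

  if (dest_length < size)
    {
      size_t room = size - dest_length - 1;
      size_t n = src_length < room ? src_length : room;
      memcpy (dest + dest_length, src, n);
      dest[dest_length + n] = '\0';
    }

  /* Saturate rather than wrap; a caller comparing the result
     against size still sees "truncated" instead of a small bogus value. */
  add_saturating (dest_length, src_length, &total);
  return total;
}

/* Model the thread's 32-bit counterexample (1.5 GB and 3 GB).  Returns
   the 32-bit sum, which wraps modulo 2^32, and reports via *wrapped
   whether it did.  The values are constructed for the demonstration. */
uint32_t sum32 (uint32_t dest_length, uint32_t src_length, int *wrapped)
{
  *wrapped = src_length > UINT32_MAX - dest_length;
  return dest_length + src_length;
}

int main (void)
{
  char buf[8] = "ab";                       /* constructed input */
  size_t r = example_strlcat (buf, "cdefghij", sizeof buf);
  printf ("strlcat -> %zu, buf=\"%s\"\n", r, buf);

  int wrapped;
  uint32_t s = sum32 (1610612736u, 3221225472u, &wrapped);
  printf ("1.5GB + 3GB with 32-bit size_t = %u (wrapped=%d)\n", s, wrapped);
  return 0;
}
```

Saturating is only one way to avoid the bogus small return value; the design question the thread raises is whether the sum can wrap at all for non-overlapping strings on the targets glibc supports, which is what the proposed comment wording is meant to pin down.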