This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] string: Add tests for zero length string inputs
- From: Richard Earnshaw <rearnsha at arm dot com>
- To: Paul Eggert <eggert at cs dot ucla dot edu>, Will Newton <will dot newton at linaro dot org>, Ondr(ej Bílka <neleai at seznam dot cz>
- Cc: libc-alpha <libc-alpha at sourceware dot org>
- Date: Tue, 23 Sep 2014 13:53:31 +0100
- Subject: Re: [PATCH] string: Add tests for zero length string inputs
- Authentication-results: sourceware.org; auth=none
- References: <1410910830-20900-1-git-send-email-will dot newton at linaro dot org> <20140919112302 dot GA2912 at domone> <CANu=Dmgn75GZU8my6fcCp1AyJRw8jEJVhaGTD+5mjOrXB_ENGw at mail dot gmail dot com> <542049A4 dot 1070409 at arm dot com> <54206104 dot 7020607 at cs dot ucla dot edu>
On 22/09/14 18:48, Paul Eggert wrote:
> On 09/22/2014 09:09 AM, Richard Earnshaw wrote:
>> Valid pointers is more than just non-NULL. In particular, it implies
>> that is safe to dereference the addressed byte in a source operand even
>> when the length parameter is zero.
> I just reread C99 7.1.4 clause 1 and 7.21.2 clause 2, and I don't see
> that implication. For example, the following program appears to be
> strictly conforming:
> #include <string.h>
> char src;
> char dst;
> main (void)
> memcpy (dst, src + 1, 0);
> return 0;
> Here, src + 1 is a valid pointer even though one cannot safely
> dereference it. So it appears to be reasonable to check that memcpy
> doesn't dereference the source when the size is zero.
Read clause 1 of 7.1.4 again. "If an argument to a function has an
invalid value ... or a pointer outside of the address space of the
program... the behaviour is undefined."
Ergo, if src+1 can point outside of the address space of the program,
it's undefined behaviour. And by corollary, it must be safe to
dereference the precise location passed as the argument (but obviously,
not necessarily bytes either side of it).
My reading of those sections also leads me to believe that memcpy could
legitimately expect to perform "*(char*)dst = *(char*)dst", even if the
length is zero.