[cfe-commits] StringRef: undefined behavior issues with null pointers
Argyrios Kyrtzidis
kyrtzidis at apple.com
Fri May 20 12:30:42 PDT 2011
On May 20, 2011, at 11:49 AM, Matthieu Monrocq wrote:
> 2011/5/20 Argyrios Kyrtzidis <kyrtzidis at apple.com>
> (cc'ing cfe-commits)
>
> On May 20, 2011, at 11:04 AM, Matthieu Monrocq wrote:
>
>> Hello,
>>
>> here is a second iteration of the patch
>>
>> 2011/5/19 Argyrios Kyrtzidis <kyrtzidis at apple.com>
>> (moved to cfe-commits)
>>
>>> /// Construct a string ref from a cstring.
>>> /*implicit*/ StringRef(const char *Str)
>>> - : Data(Str), Length(::strlen(Str)) {}
>>> + : Data(Str), Length() {
>>> + assert(Str && "StringRef cannot be built from a NULL argument");
>>> + Length = ::strlen(Str); // invoking strlen(NULL) is undefined behavior
>>> + }
>>>
>>
>>
>> "Length()" is not necessary.
>> Could you also add an assert in the StringRef(const char *data, size_t length) constructor asserting that data is not null or length is 0 ?
>>
>>
>> Removed and Done.
>>> +
>>> + // Workaround memcmp issue with null pointers (undefined behavior)
>>> + // by providing a specialized version
>>> + static int memcmp(const char *Lhs, const char *Rhs, size_t Length) {
>>> + if (Length == 0) { return 0; }
>>> + assert(Lhs && "memcmp - Lhs should be non-null when Length is not 0");
>>> + assert(Rhs && "memcmp - Rhs should be non-null when Length is not 0");
>>> + return ::memcmp(Lhs,Rhs,Length);
>>> + }
>>> +
>>
>>
>> Is this really necessary ? With the 2 asserts in the constructors we are making sure that StringRefs point to non-null or their length is zero, and calling memcmp with zero length is defined, no ?
>>
>>
>> I removed the two asserts since we now guarantee that Length is 0 if Data is null.
>>
>> I am afraid the check might be necessary, from n869 (a Draft of C99)
>>
>> > [7.21.1 String function conventions]
>> > [#2] [...] Unless explicitly stated otherwise in the description of a particular function in this subclause, pointer arguments on such a call shall still have valid values, as described in 7.1.4. [...]
>>
>> [7.21.4.1 The memcmp function] does not state otherwise in any of its subclauses.
>>
>> I've hit the bug on Suse with the memcpy function (on a memcpy(NULL, NULL, 0) call) and am now paranoid about it.
>
> Ugh, that is good know.
> But could you please rename 'memcmp' to something else (e.g. 'compareMemory') ? I understand it was the choice with the least amount of changes, but it is confusing, in general, to have member functions with the same name as standard library functions.
>
> -Argyrios
>
> Done!
>
> There were only 4 call sites so not too invasive.
Committed in r131747, thanks!
-Argyrios
>
> -- Matthieu
> <llvm_stringref_undefined_behavior.diff>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20110520/ac73702a/attachment.html>
More information about the cfe-commits
mailing list