[libcxx-commits] [libcxx] f4c1e87 - [libc++][hardening] Reclassify string_view(ptr, len)'s size assertion (#79297)

via libcxx-commits libcxx-commits at lists.llvm.org
Mon Mar 11 13:28:08 PDT 2024 

Author: David Benjamin
Date: 2024-03-11T16:28:05-04:00
New Revision: f4c1e8747b33815969e60a53cab3dac4d0f55f6c

URL: https://github.com/llvm/llvm-project/commit/f4c1e8747b33815969e60a53cab3dac4d0f55f6c
DIFF: https://github.com/llvm/llvm-project/commit/f4c1e8747b33815969e60a53cab3dac4d0f55f6c.diff

LOG: [libc++][hardening] Reclassify string_view(ptr, len)'s size assertion (#79297)

The comment makes this error condition sound less problematic than it
is. If the length does not match the pointer's bounds, all
bounds-checking in string_view goes wrong. A length over PTRDIFF_MAX
cannot possibly be a correct bounds and was mostly an underflowed
negative number cast to a size_t.

The documentation for _LIBCPP_ASSERT_VALID_INPUT_RANGE discusses ranges
being valid, including an iterator and a count, which seemed appropriate
here.

Added: 
    

Modified: 
    libcxx/include/string_view

Removed: 
    


################################################################################
diff  --git a/libcxx/include/string_view b/libcxx/include/string_view
index e0dd5c5b19ace0..e8584a69c1e1b3 100644
--- a/libcxx/include/string_view
+++ b/libcxx/include/string_view
@@ -310,9 +310,10 @@ public:
       : __data_(__s),
         __size_(__len) {
 #if _LIBCPP_STD_VER >= 14
-    // This will result in creating an invalid `string_view` object -- some calculations involving `size` would
-    // overflow, making it effectively truncated.
-    _LIBCPP_ASSERT_ARGUMENT_WITHIN_DOMAIN(
+    // Allocations must fit in `ptr
diff _t` for pointer arithmetic to work. If `__len` exceeds it, the input
+    // range could not have been valid. Most likely the caller underflowed some arithmetic and inadvertently
+    // passed in a negative length.
+    _LIBCPP_ASSERT_VALID_INPUT_RANGE(
         __len <= static_cast<size_type>(numeric_limits<
diff erence_type>::max()),
         "string_view::string_view(_CharT *, size_t): length does not fit in 
diff erence_type");
     _LIBCPP_ASSERT_NON_NULL(

More information about the libcxx-commits mailing list