This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Dynamic growable arrays for internal use
- From: Paul Eggert <eggert at cs dot ucla dot edu>
- To: Florian Weimer <fweimer at redhat dot com>, Joseph Myers <joseph at codesourcery dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 5 May 2017 08:13:53 -0700
- Subject: Re: [PATCH] Dynamic growable arrays for internal use
- Authentication-results: sourceware.org; auth=none
- References: <edae68d6-998b-58a6-a8df-82703341da23@redhat.com> <alpine.DEB.2.20.1704241401140.28943@digraph.polyomino.org.uk> <373c24b0-4d73-cf0a-b264-8a958aff6f2b@redhat.com>
Florian Weimer wrote:
> Does anyone have comments about the interface and implementation?
It suffers from a common problem: it can allocate objects containing more than
PTRDIFF_MAX bytes. Such objects do not work in C, because pointer subtraction
has undefined behavior (and in practice does not work even if the correct result
would be representable as ptrdiff_t).
At a minimum I suggest adding a ptrdiff_t overflow check to
__check_mul_overflow_size_t so that it reports overflow if the result exceeds
PTRDIFF_MAX.
In applications I am starting to take the lead of the GNU Emacs internals, and
to prefer ptrdiff_t to size_t when calculating sizes. This allows for better
automated checking of integer overflow in size calculations, since ptrdiff_t
overflow has undefined behavior and can be caught by -fsanitize=undefined. I
suggest doing this in this new module, and if it works well we should consider
doing it elsewhere in glibc.
Of course this problem affects other code in glibc, but one thing at a time.
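As an added illustration, not code from the patch or from glibc: a checked size_t multiplication of the kind suggested above, which also reports overflow when the product exceeds PTRDIFF_MAX, next to a ptrdiff_t variant whose missing checks -fsanitize=undefined can catch. The array_grow helper is a hypothetical stand-in for the patch's growable array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Multiply two size_t values; return true on overflow, which here also
   covers products above PTRDIFF_MAX, since an object that large cannot be
   used with pointer subtraction.  On success the product is stored in
   *result.  Modelled on __check_mul_overflow_size_t, not copied from it.  */
static bool
checked_mul_size_t (size_t left, size_t right, size_t *result)
{
  size_t product;
  if (__builtin_mul_overflow (left, right, &product))
    return true;                    /* does not fit in size_t at all */
  if (product > PTRDIFF_MAX)
    return true;                    /* fits size_t, but too large for ptrdiff_t */
  *result = product;
  return false;
}

/* The same calculation done in ptrdiff_t, the style recommended in the
   message: a forgotten check is signed overflow, which is undefined and
   therefore reportable by -fsanitize=undefined, whereas size_t wraparound
   is silent.  Negative operands are rejected as invalid sizes.  */
static bool
checked_mul_ptrdiff_t (ptrdiff_t left, ptrdiff_t right, ptrdiff_t *result)
{
  ptrdiff_t product;
  if (left < 0 || right < 0 || __builtin_mul_overflow (left, right, &product))
    return true;
  *result = product;
  return false;
}

/* Hypothetical growable-array step: resize ARRAY to NEW_CAPACITY elements
   of ELEMENT_SIZE bytes each.  Returns NULL on overflow (ARRAY is left
   untouched) or on allocation failure.  */
static void *
array_grow (void *array, size_t element_size, size_t new_capacity)
{
  size_t bytes;
  if (checked_mul_size_t (element_size, new_capacity, &bytes))
    return NULL;
  return realloc (array, bytes);
}
```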