Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 6 Jul 2017 12:23:53 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Documentation of memcpy and undefined behavior in memset

On Thu, Jul 06, 2017 at 02:15:25PM +0000, Pascal Cuoq wrote:
> Hello all,
> 
> when I started testing parts of musl with TIS Interpreter, I made
> sure to use TIS Interpreter versions of low-level functions such as
> memcpy and memset, while testing higher-level functions. Musl's
> functions can provide guarantees beyond the standard, and it is fair
> game to rely on these guarantees elsewhere in musl since musl's
> versions of these functions are called, but I thought it would be
> interesting to know that musl provides additional guarantees and
> relies on them.
> 
> That was informative. It turned out that musl's implementation of
> fwrite() can call memcpy() with a length of 0 and a pointer
> one-past, inside __fwritex:
> 
> https://git.musl-libc.org/cgit/musl/tree/src/stdio/fwrite.c?id=a08910fc2cc739f631b75b2d09b8d72a0d64d285#n23
> 
> It can be argued that C11 does not define the behavior of memcpy in
> this case:
> https://stackoverflow.com/questions/25390577/is-memcpya-1-b-1-0-defined-in-c11
> 
> For this reason, it may be worth documenting that musl's memcpy does
> not require valid pointers when invoked with a size of 0, and any
> future memcpy implementation (e.g. in assembly) should continue to
> do so.

FWIW, I think GCC may do aggressive optimization based on the
assumption that memcpy implies the pointer points to an object (of
size at least 1), and if so, we really are depending on -ffreestanding
here (i.e. disallowing the compiler to assume semantics of standard
functions). I'd probably rather, in the long term, avoid such calls to
memcpy, if for no other reason than encouraging correct usage by
example (also possibly helping people who reuse the code outside of
libc).

> Changing course and using musl's implementation of memcpy and memset
> to analyse higher-level functions, we found what I think is an
> undefined behavior in memset. The following line in the
> implementation of memset can be reached with n = 1:
> 
> 
> s[0] = s[n-1] = c;
> 
> https://git.musl-libc.org/cgit/musl/tree/src/string/memset.c?id=a08910fc2cc739f631b75b2d09b8d72a0d64d285#n14
> 
> I think this is undefined because i = i++;, which is equivalent to i
> = i = i + 1;, is the canonical example for the “unsequenced
> side-effect in expression” undefined behavior(*), and what makes
> this latter example undefined is the “i = i =” part, not the “i + 1”
> part. Musl's “s[0] = s[n-1] =” is identical to that when n == 1. The
> same problem occurs in the next lines of memset for other values of
> n.

I think you're correct, at least under a pessimistic interpretation of
the standard. I can't find where they actually define "modifies", and
you could argue that assignment of the same value twice "modifies" the
object at most once, but I don't like relying on that kind of
ambiguity and it's easy enough to fix just by adding a sequence point.

Rich

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.