This is the mail archive of the
gcc@gcc.gnu.org
mailing list for the GCC project.
Re: Obscure crashes due to gcc 4.9 -O2 => -fisolate-erroneous-paths-dereference
- From: Jonathan Wakely <jwakely dot gcc at gmail dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: Sandra Loosemore <sandra at codesourcery dot com>, Jakub Jelinek <jakub at redhat dot com>, Jeff Prothero <jprother at altera dot com>, "gcc at gcc dot gnu dot org" <gcc at gcc dot gnu dot org>
- Date: Fri, 20 Feb 2015 11:43:25 +0000
- Subject: Re: Obscure crashes due to gcc 4.9 -O2 => -fisolate-erroneous-paths-dereference
- Authentication-results: sourceware.org; auth=none
- References: <pdf61azt48b dot fsf at sj-interactive3 dot altera dot com> <20150218192943 dot GR1746 at tucnak dot redhat dot com> <54E64DFF dot 8030100 at codesourcery dot com> <54E71534 dot 8070805 at redhat dot com>
On 20 February 2015 at 11:06, Florian Weimer wrote:
> On 02/19/2015 09:56 PM, Sandra Loosemore wrote:
>> Hmmmm, Passing the additional option in user code would be one thing,
>> but what about library code? E.g., using memcpy (either explicitly or
>> implicitly for a structure copy)?
>
> The memcpy problem isn't restricted to embedded architectures.
>
> size_t size;
> const unsigned char *source;
> std::vector<char> vec;
> â
> vec.resize(size);
> memcpy(vec.data(), source, size);
>
> std::vector<T>::data() can return a null pointer if the vector is empty,
> which means that this code is invalid for empty inputs.
>
> I think the C standard is wrong here. We should extend it, as a QoI
> matter, and support null pointers for variable-length inputs and outputs
> if the size is 0. But I suspect this is still a minority view.
I'm inclined to agree.
Most developers aren't aware of the preconditions on memcpy, but GCC
optimizes aggressively based on those preconditions, so we have a
large and potentially dangerous gap between what developers expect and
what actually happens.