Obscure crashes due to gcc 4.9 -O2 => -fisolate-erroneous-paths-dereference

Jeff Law law@redhat.com
Fri Feb 20 17:01:00 GMT 2015


On 02/20/15 04:43, Jonathan Wakely wrote:
> On 20 February 2015 at 11:06, Florian Weimer wrote:
>> On 02/19/2015 09:56 PM, Sandra Loosemore wrote:
>>> Hmmmm,  Passing the additional option in user code would be one thing,
>>> but what about library code?  E.g., using memcpy (either explicitly or
>>> implicitly for a structure copy)?
>>
>> The memcpy problem isn't restricted to embedded architectures.
>>
>>    size_t size;
>>    const unsigned char *source;
>>    std::vector<char> vec;
>>    …
>>    vec.resize(size);
>>    memcpy(vec.data(), source, size);
>>
>> std::vector<T>::data() can return a null pointer if the vector is empty,
>> which means that this code is invalid for empty inputs.
>>
>> I think the C standard is wrong here.  We should extend it, as a QoI
>> matter, and support null pointers for variable-length inputs and outputs
>> if the size is 0.  But I suspect this is still a minority view.
>
> I'm inclined to agree.
>
> Most developers aren't aware of the preconditions on memcpy, but GCC
> optimizes aggressively based on those preconditions, so we have a
> large and potentially dangerous gap between what developers expect and
> what actually happens.
But that's always true -- this isn't any different than aliasing, 
arithmetic overflow, etc.  The standards define the contract between 
the compiler/library implementors and the developers.  Once the contract 
is broken, all bets are off.


jeff



More information about the Gcc mailing list