From: Eli Zaretskii <eliz@gnu.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: lekktu@gmail.com, 8545@debbugs.gnu.org
Subject: bug#8545: issues with recent doprnt-related changes
Date: Thu, 28 Apr 2011 01:15:28 -0400 [thread overview]
Message-ID: <E1QFJZY-0007Sr-8c@fencepost.gnu.org> (raw)
In-Reply-To: <4DB8DAF8.7070408@cs.ucla.edu> (message from Paul Eggert on Wed, 27 Apr 2011 20:11:52 -0700)
> Date: Wed, 27 Apr 2011 20:11:52 -0700
> From: Paul Eggert <eggert@cs.ucla.edu>
> CC: Eli Zaretskii <eliz@gnu.org>, 8545@debbugs.gnu.org
>
> On 04/27/11 18:32, Juanma Barranquero wrote:
>
> > A cursory look suggests that fmt == format_end + 1 is possible
>
> Thanks, I had missed that possibility. (Evidently your cursory looks
> are better than mine. :-) A possible patch is below.
I strenuously object to that patch, see below. Please don't install
it.
> > would it be undefined behavior,
> > as long as the pointer has not been dereferenced?
>
> Yes. A portable C program is not allowed to create a pointer that
> doesn't point to an object, with the two exceptions of a null pointer
> and a pointer to the address immediately after an object. On
> some architectures, attempting to point to random addresses can cause
> exceptions or other undefined behavior.
As I explain in another message, we _can_ dereference this invalid
pointer. Which is why that test was added in the first place.
> - size_t n = *fmt - '0';
> - while (fmt < format_end
> - && '0' <= fmt[1] && fmt[1] <= '9')
> + size_t n = *fmt++ - '0';
> + while (fmt < format_end && '0' <= *fmt && *fmt <= '9')
> {
> if (n >= SIZE_MAX / 10
> || n * 10 > SIZE_MAX - (fmt[1] - '0'))
> error ("Format width or precision too large");
> - n = n * 10 + fmt[1] - '0';
> - *string++ = *++fmt;
> + n = n * 10 + *fmt - '0';
> + *string++ = *fmt++;
> }
>
> if (size_bound < n)
> size_bound = n;
> }
> else if (*fmt == '-' || *fmt == ' ' || *fmt == '.' || *fmt == '+')
> - ;
> + fmt++;
> else if (*fmt == 'l')
> {
> long_flag = 1 + (fmt + 1 < format_end && fmt[1] == 'l');
> @@ -218,10 +217,7 @@ doprnt (char *buffer, register size_t bu
> }
> else
> break;
> - fmt++;
> }
> - if (fmt > format_end)
> - fmt = format_end;
I don't see how this is a better idea. Instead of a simple two-liner,
which could be commented if its intent isn't clear enough, and which
makes the code 100% verifiable to not dereference anything beyond
format_end, how is it better to sprinkle weird post-increments in
several places? This totally obfuscates the intent, does NOT allow to
comment it in any reasonable way (because the increments are no longer
in a single place, and serve more than one purpose), makes the code
much harder to grasp and analyze, and makes it almost impossible to
convince ourselves that it will never get past format_end without
unduly complicated analysis. All that for getting rid of a simple and
clearly correct line?? No, thanks!
next prev parent reply other threads:[~2011-04-28 5:15 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-25 5:46 bug#8545: issues with recent doprnt-related changes Paul Eggert
2011-04-25 9:00 ` Eli Zaretskii
2011-04-25 13:37 ` Stefan Monnier
2011-04-26 20:25 ` Paul Eggert
2011-04-27 1:14 ` Stefan Monnier
2011-04-26 6:02 ` Paul Eggert
2011-04-27 19:34 ` Eli Zaretskii
2011-04-27 23:51 ` Paul Eggert
2011-04-28 1:32 ` Juanma Barranquero
2011-04-28 3:11 ` Paul Eggert
2011-04-28 3:42 ` Juanma Barranquero
2011-04-28 5:06 ` Paul Eggert
2011-04-28 5:15 ` Eli Zaretskii [this message]
2011-04-28 5:29 ` Paul Eggert
2011-04-28 6:10 ` Eli Zaretskii
2011-04-28 6:42 ` Paul Eggert
2011-04-28 7:26 ` Eli Zaretskii
2011-04-28 7:54 ` Paul Eggert
2011-04-28 11:14 ` Eli Zaretskii
2011-04-29 12:28 ` Richard Stallman
2011-04-29 19:56 ` Eli Zaretskii
2011-04-29 23:49 ` Paul Eggert
2011-04-30 21:03 ` Richard Stallman
2011-05-01 5:41 ` Paul Eggert
2011-05-01 23:59 ` Richard Stallman
2011-05-02 0:23 ` Paul Eggert
[not found] ` <E1QH37h-0001yM-HR@fencepost.gnu.org>
2011-05-03 20:24 ` Paul Eggert
2011-05-01 4:25 ` Jason Rumney
2011-05-01 5:56 ` Paul Eggert
2011-05-01 8:12 ` Jason Rumney
2011-05-01 11:02 ` Andreas Schwab
2011-04-28 5:02 ` Eli Zaretskii
2011-04-28 5:50 ` Eli Zaretskii
[not found] ` <4DB9146D.2040702@cs.ucla.edu>
[not found] ` <E1QFQVO-0004Dq-6o@fencepost.gnu.org>
[not found] ` <4DB9E5FF.9020506@cs.ucla.edu>
2011-04-29 11:16 ` Eli Zaretskii
2011-04-29 14:41 ` Paul Eggert
2011-04-29 19:35 ` Eli Zaretskii
2011-04-29 20:32 ` Paul Eggert
2011-04-30 8:59 ` Eli Zaretskii
2011-05-04 7:28 ` Paul Eggert
2011-05-04 9:52 ` Eli Zaretskii
2011-05-04 14:56 ` Paul Eggert
2011-05-04 14:56 ` Paul Eggert
2011-05-05 20:36 ` Eli Zaretskii
2011-05-06 13:33 ` Stefan Monnier
2011-05-06 14:41 ` bug#8545: " Paul Eggert
2011-05-06 14:41 ` Paul Eggert
2011-05-06 15:03 ` bug#8545: " Eli Zaretskii
2011-05-06 15:03 ` Eli Zaretskii
2011-05-06 17:13 ` Stefan Monnier
2011-05-06 19:57 ` Eli Zaretskii
2011-05-07 3:18 ` bug#8545: " Stefan Monnier
2011-05-07 3:18 ` Stefan Monnier
2011-05-07 7:55 ` Eli Zaretskii
2011-05-07 7:55 ` bug#8545: " Eli Zaretskii
2011-05-06 19:57 ` Eli Zaretskii
2011-05-06 17:13 ` Stefan Monnier
2011-05-06 13:33 ` Stefan Monnier
2011-05-05 20:36 ` Eli Zaretskii
-- strict thread matches above, loose matches on Subject: below --
2011-05-01 18:19 bug#8601: * 2 -> * 4 typo fix in detect_coding_charset Paul Eggert
2011-05-01 19:06 ` Andreas Schwab
2011-05-01 19:25 ` Paul Eggert
2011-05-06 7:29 ` bug#8601: Merged fixes for 8600, 8601, 8602, and (partially) for 8545 Paul Eggert
2020-09-14 12:37 ` bug#8545: " Lars Ingebrigtsen
2020-09-14 18:41 ` Eli Zaretskii
2020-09-16 2:01 ` Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E1QFJZY-0007Sr-8c@fencepost.gnu.org \
--to=eliz@gnu.org \
--cc=8545@debbugs.gnu.org \
--cc=eggert@cs.ucla.edu \
--cc=lekktu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.