From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/11677 Path: news.gmane.org!.POSTED!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Re: Documentation of memcpy and undefined behavior in memset Date: Thu, 6 Jul 2017 12:23:53 -0400 Message-ID: <20170706162353.GC1627@brightrain.aerifal.cx> References: <0F9B48AD-C5B3-44B6-8D82-0985CF8604A0@trust-in-soft.com> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Trace: blaine.gmane.org 1499358249 12009 195.159.176.226 (6 Jul 2017 16:24:09 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Thu, 6 Jul 2017 16:24:09 +0000 (UTC) User-Agent: Mutt/1.5.21 (2010-09-15) To: musl@lists.openwall.com Original-X-From: musl-return-11690-gllmg-musl=m.gmane.org@lists.openwall.com Thu Jul 06 18:24:04 2017 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by blaine.gmane.org with smtp (Exim 4.84_2) (envelope-from ) id 1dT9ZU-0002pD-4k for gllmg-musl@m.gmane.org; Thu, 06 Jul 2017 18:24:04 +0200 Original-Received: (qmail 7901 invoked by uid 550); 6 Jul 2017 16:24:06 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 7874 invoked from network); 6 Jul 2017 16:24:05 -0000 Content-Disposition: inline In-Reply-To: <0F9B48AD-C5B3-44B6-8D82-0985CF8604A0@trust-in-soft.com> Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:11677 Archived-At: On Thu, Jul 06, 2017 at 02:15:25PM +0000, Pascal Cuoq wrote: > Hello all, > > when I started testing parts of musl with TIS Interpreter, I made > sure to use TIS Interpreter versions of low-level functions such as > memcpy and memset, while testing higher-level functions. Musl's > functions can provide guarantees beyond the standard, and it is fair > game to rely on these guarantees elsewhere in musl since musl's > versions of these functions are called, but I thought it would be > interesting to know that musl provides additional guarantees and > relies on them. > > That was informative. It turned out that musl's implementation of > fwrite() can call memcpy() with a length of 0 and a pointer > one-past, inside __fwritex: > > https://git.musl-libc.org/cgit/musl/tree/src/stdio/fwrite.c?id=a08910fc2cc739f631b75b2d09b8d72a0d64d285#n23 > > It can be argued that C11 does not define the behavior of memcpy in > this case: > https://stackoverflow.com/questions/25390577/is-memcpya-1-b-1-0-defined-in-c11 > > For this reason, it may be worth documenting that musl's memcpy does > not require valid pointers when invoked with a size of 0, and any > future memcpy implementation (e.g. in assembly) should continue to > do so. FWIW, I think GCC may do aggressive optimization based on the assumption that memcpy implies the pointer points to an object (of size at least 1), and if so, we really are depending on -ffreestanding here (i.e. disallowing the compiler to assume semantics of standard functions). I'd probably rather, in the long term, avoid such calls to memcpy, if for no other reason than encouraging correct usage by example (also possibly helping people who reuse the code outside of libc). > Changing course and using musl's implementation of memcpy and memset > to analyse higher-level functions, we found what I think is an > undefined behavior in memset. The following line in the > implementation of memset can be reached with n = 1: > > > s[0] = s[n-1] = c; > > https://git.musl-libc.org/cgit/musl/tree/src/string/memset.c?id=a08910fc2cc739f631b75b2d09b8d72a0d64d285#n14 > > I think this is undefined because i = i++;, which is equivalent to i > = i = i + 1;, is the canonical example for the “unsequenced > side-effect in expression” undefined behavior(*), and what makes > this latter example undefined is the “i = i =” part, not the “i + 1” > part. Musl's “s[0] = s[n-1] =” is identical to that when n == 1. The > same problem occurs in the next lines of memset for other values of > n. I think you're correct, at least under a pessimistic interpretation of the standard. I can't find where they actually define "modifies", and you could argue that assignment of the same value twice "modifies" the object at most once, but I don't like relying on that kind of ambiguity and it's easy enough to fix just by adding a sequence point. Rich