Re: Use of size_t and ssize_t in mseek

mailing list of musl libc
 help / color / mirror / code / Atom feed

From: Matthew Fernandez <matthew.fernandez@nicta.com.au>
To: <musl@lists.openwall.com>
Cc: Rich Felker <dalias@aerifal.cx>
Subject: Re: Use of size_t and ssize_t in mseek
Date: Fri, 28 Jun 2013 11:34:23 +1000	[thread overview]
Message-ID: <51CCE81F.4000403@nicta.com.au> (raw)
In-Reply-To: <20130628012209.GD29800@brightrain.aerifal.cx>

On 28/06/13 11:22, Rich Felker wrote:
> On Fri, Jun 28, 2013 at 10:49:41AM +1000, Matthew Fernandez wrote:
>>> As a user of musl, what's your take on this?
>>
>> A check in fmemopen (and other affected functions) would be my preferred
>> solution, as an unwitting user like myself who doesn't check all the
>> assumptions would still be caught out by just documenting it as
>> undefined. I would be happy with just an assert-fail here if that's easiest..
>
> The easiest might just be making fmemopen so it doesn't care if the
> size is insanely large. As far as I can tell, the only place it's an
> issue is in mseek, and we could use off_t instead of ssize_t. On
> 32-bit systems, off_t is 64-bit, so all sizes fit. On 64-bit systems,
> there's no way (physically!) to have an object as large as 1UL<<63.

I suppose this is an option, but this just isolates the problem to
64-bit systems. On x86_64 I would still be able to naïvely call fmemopen
with SIZE_MAX and end up being unable to fseek. Not being able to
physically have an object of that size seems reasonable justification
for making it undefined behaviour, but not justification for eliding
checks. Regardless of the maximum size of a valid object, nothing stops
me casting UINT_MAX to a size_t. I completely agree that one should not
expect sensible behaviour when claiming to have an object that covers
all of memory, but I don't see the harm in warning the user early by
failing in fmemopen.

> Alternatively, I could adjust the arithmetic to just avoid working
> with signed values, and perhaps make it more obvious what it's doing
> in the process.

I would also be happy with this solution. The code in mseek could
definitely be clearer. Not that I don't enjoy switch statements written
as offsets into stack structs and reverse jumps ;)

________________________________

The information in this e-mail may be confidential and subject to legal professional privilege and/or copyright. National ICT Australia Limited accepts no liability for any damage caused by this email or its attachments.

next prev parent reply	other threads:[~2013-06-28  1:34 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-27  3:52 Matthew Fernandez
2013-06-27  4:10 ` Rich Felker
2013-06-27  4:16   ` Matthew Fernandez
2013-06-27  4:23     ` Rich Felker
2013-06-27  4:31       ` Matthew Fernandez
2013-06-27 15:34         ` Rich Felker
2013-06-28  0:49           ` Matthew Fernandez
2013-06-28  1:22             ` Rich Felker
2013-06-28  1:34               ` Matthew Fernandez [this message]
2013-06-28  1:48                 ` Rich Felker
2013-06-28  1:56                   ` Matthew Fernandez
2013-06-29  4:13                     ` Rich Felker
2013-06-29 13:38                       ` Matthew Fernandez
2013-06-29 14:17                         ` Rich Felker
2013-06-29 14:56                           ` Jens Gustedt
2013-06-29 15:48                             ` Rich Felker
2013-06-29 16:01                               ` Jens Gustedt
2013-06-29 16:13                                 ` Rich Felker
2013-06-29 16:39                                   ` Jens Gustedt
2013-07-04  1:28                                     ` Rich Felker
2013-07-04  6:11                                       ` Jens Gustedt
2013-07-04  6:37                                         ` Rich Felker
2013-07-04  7:11                                           ` Jens Gustedt
2013-07-04  8:12                                             ` Rich Felker
2013-07-04  8:45                                               ` Jens Gustedt
2013-07-04 15:24                                                 ` Rich Felker
2013-07-04 11:10                                               ` Szabolcs Nagy
2013-07-04 11:58                                                 ` Jens Gustedt
2013-07-04 15:26                                                 ` Rich Felker
2013-06-27 10:35       ` Szabolcs Nagy
2013-06-27 15:05         ` Rich Felker
2013-06-27 16:47       ` Rich Felker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51CCE81F.4000403@nicta.com.au \
    --to=matthew.fernandez@nicta.com.au \
    --cc=dalias@aerifal.cx \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).