From: Kevin Bracey <kevin@bracey.fi>
To: "René Scharfe" <l.s.r@web.de>
Cc: GIT Mailing-list <git@vger.kernel.org>
Subject: Re: [PATCH 1/3] add QSORT
Date: Wed, 05 Oct 2016 18:00:07 +0300 [thread overview]
Message-ID: <57F51577.10709@bracey.fi> (raw)
In-Reply-To: <29d3dde0-c527-3ab8-914c-6fbdc5e81e1c@web.de>
On 04/10/2016 23:31, René Scharfe wrote:
>
> So let's summarize; here's the effect of a raw qsort(3) call:
>
> array == NULL nmemb bug QSORT following NULL check
> ------------- ----- --- ----- --------------------
> 0 0 no qsort is skipped
> 0 >0 no qsort is skipped
> 1 0 no qsort is skipped (bad!) ******
> 1 >0 yes qsort is skipped ******
>
Right - row 3 may not be a bug from the point of view of your internals,
but it means you violate the API of qsort.Therefore a fix is required.
> With the micro-optimization removed (nmemb > 0) the matrix gets simpler:
>
> array == NULL nmemb bug QSORT following NULL check
> ------------- ----- --- ----- --------------------
> 0 0 no noop is executed
> 0 >0 no qsort is skipped
> 1 0 no noop is executed
> 1 >0 yes qsort is skipped ******
>
> And with your NULL check (array != NULL) we'd get:
>
> array == NULL nmemb bug QSORT following NULL check
> ------------- ----- --- ----- --------------------
> 0 0 no qsort reuses check result
> 0 >0 no qsort reuses check result
> 1 0 no noop reuses check result
> 1 >0 yes noop reuses check result
>
> Did I get it right? AFAICS all variants (except raw qsort) are safe
> -- no useful NULL checks are removed, and buggy code should be noticed
> by segfaults in code accessing the sorted array.
I think your tables are correct.
But I disagree that you could ever call invoking the "****" lines safe.
Unless you have documentation on what limit GCC (and your other
compilers) are prepared to put on the undefined behaviour of violating
that "non-null" constraint.
Up to now dereferencing a null pointer has been implicitly (or
explicitly?) defined as simply generating SIGSEGV. And that has
naturally extended into NULL passed to library implementations. But
that's no longer true - it seems bets are somewhat off.
But, as long as you are confident you never invoke that line without a
program bug - ie an API precondition of your own QSORT is that NULL is
legal iff nmemb is zero, then I guess it's fine. Behaviour is defined,
as long as you don't violate your internal preconditions.
Kevin
prev parent reply other threads:[~2016-10-05 16:16 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-29 15:23 [PATCH 1/3] add QSORT René Scharfe
2016-09-29 15:27 ` [PATCH 2/3] use QSORT René Scharfe
2016-09-29 15:29 ` [PATCH 3/3] remove unnecessary check before QSORT René Scharfe
2016-09-29 22:36 ` [PATCH 1/3] add QSORT Junio C Hamano
2016-09-29 23:21 ` René Scharfe
2016-09-29 23:40 ` René Scharfe
2016-10-01 16:19 ` René Scharfe
2016-10-03 16:46 ` Kevin Bracey
2016-10-03 17:09 ` Kevin Bracey
2016-10-03 22:00 ` René Scharfe
2016-10-04 5:28 ` Kevin Bracey
2016-10-04 20:31 ` René Scharfe
2016-10-05 15:00 ` Kevin Bracey [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57F51577.10709@bracey.fi \
--to=kevin@bracey.fi \
--cc=git@vger.kernel.org \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.