From: Kevin Bracey <kevin@bracey.fi>
To: "René Scharfe" <l.s.r@web.de>
Cc: GIT Mailing-list <git@vger.kernel.org>
Subject: Re: [PATCH 1/3] add QSORT
Date: Wed, 05 Oct 2016 18:00:07 +0300 [thread overview]
Message-ID: <57F51577.10709@bracey.fi> (raw)
In-Reply-To: <29d3dde0-c527-3ab8-914c-6fbdc5e81e1c@web.de>
On 04/10/2016 23:31, René Scharfe wrote:
>
> So let's summarize; here's the effect of a raw qsort(3) call:
>
> array == NULL nmemb bug QSORT following NULL check
> ------------- ----- --- ----- --------------------
> 0 0 no qsort is skipped
> 0 >0 no qsort is skipped
> 1 0 no qsort is skipped (bad!) ******
> 1 >0 yes qsort is skipped ******
>
Right - row 3 may not be a bug from the point of view of your internals,
but it means you violate the API of qsort.Therefore a fix is required.
> With the micro-optimization removed (nmemb > 0) the matrix gets simpler:
>
> array == NULL nmemb bug QSORT following NULL check
> ------------- ----- --- ----- --------------------
> 0 0 no noop is executed
> 0 >0 no qsort is skipped
> 1 0 no noop is executed
> 1 >0 yes qsort is skipped ******
>
> And with your NULL check (array != NULL) we'd get:
>
> array == NULL nmemb bug QSORT following NULL check
> ------------- ----- --- ----- --------------------
> 0 0 no qsort reuses check result
> 0 >0 no qsort reuses check result
> 1 0 no noop reuses check result
> 1 >0 yes noop reuses check result
>
> Did I get it right? AFAICS all variants (except raw qsort) are safe
> -- no useful NULL checks are removed, and buggy code should be noticed
> by segfaults in code accessing the sorted array.
I think your tables are correct.
But I disagree that you could ever call invoking the "****" lines safe.
Unless you have documentation on what limit GCC (and your other
compilers) are prepared to put on the undefined behaviour of violating
that "non-null" constraint.
Up to now dereferencing a null pointer has been implicitly (or
explicitly?) defined as simply generating SIGSEGV. And that has
naturally extended into NULL passed to library implementations. But
that's no longer true - it seems bets are somewhat off.
But, as long as you are confident you never invoke that line without a
program bug - ie an API precondition of your own QSORT is that NULL is
legal iff nmemb is zero, then I guess it's fine. Behaviour is defined,
as long as you don't violate your internal preconditions.
Kevin
prev parent reply other threads:[~2016-10-05 16:16 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-29 15:23 [PATCH 1/3] add QSORT René Scharfe
2016-09-29 15:27 ` [PATCH 2/3] use QSORT René Scharfe
2016-09-29 15:29 ` [PATCH 3/3] remove unnecessary check before QSORT René Scharfe
2016-09-29 22:36 ` [PATCH 1/3] add QSORT Junio C Hamano
2016-09-29 23:21 ` René Scharfe
2016-09-29 23:40 ` René Scharfe
2016-10-01 16:19 ` René Scharfe
2016-10-03 16:46 ` Kevin Bracey
2016-10-03 17:09 ` Kevin Bracey
2016-10-03 22:00 ` René Scharfe
2016-10-04 5:28 ` Kevin Bracey
2016-10-04 20:31 ` René Scharfe
2016-10-05 15:00 ` Kevin Bracey [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57F51577.10709@bracey.fi \
--to=kevin@bracey.fi \
--cc=git@vger.kernel.org \
--cc=l.s.r@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).