Convert a pointer to an integer. Write the integer to a pipe, read it from the other end of the pipe and convert it back to a pointer. Dereferencing that pointer or even just doing any arithmetic on it is undefined and will even be broken by Clang / GCC optimization in practice.
Conversation
I see your sentiments, but the above is incorrect or glossing over something important. Pointer escaping via write() is no different from escaping via any other function. Note how this is different from e.g. obtaining a not-escaping pointer value with a debugger.
1
1
You're trying to reason about it as a logical system providing native semantics which it isn't. The compilers have knowledge about standard library functions and they don't simply act the way they're defined in the library. My example is just something they consider undefined.
1
A very easy example to demonstrate is strdup. It's considered to have __attribute__((malloc)) (whether or not the libc marks it as such like glibc does) which includes guaranteeing:
> no pointers to valid objects occur in any storage addressed by P.
which can clearly happen.
2
In order for a pointer converted from an integer to be valid, there has to be a 'valid' path leading to it from where it was originally converted from a pointer to an integer. It's worth looking at DR 260 and also the standard's wording.
open-std.org/jtc1/sc22/wg14
1
> are permitted to track the origins of a bit-pattern and treat those representing an indeterminate value as distinct from those representing a determined value. They may also treat pointers based on different origins as distinct even though they are bitwise identical.
1
No conversions from integer take place here. Rather it's a matter of effective type rules for allocated storage with memcpy-like char copying.
1
I'm not talking about the specific example that was presented but rather the response to it. They are likely to more formally define these things in C2X and some early drafts like cl.cam.ac.uk/~pes20/cerberu show what that could end up looking like.
3
1
Thanks for the link. That proposal is still a pile of overcomplicated nonsense. The problems are all trivially solved *without breaking anything* by giving all the hard cases "wildcard provenance".
1
Note that the proposed text breaks lots of important valuable use cases like xor lists.
2
Clang and GCC already consider that broken per the standard. It was also very explicitly made to be broken in C++ already, which tends to trickle back to the C standard since it's a lot of the same people making the decisions and they reference each other as justifications.
For GCC, I don't think so. I might believe it for clang, since they do a lot of nonsensical broken stuff. Do you have a reference for your claim that GCC does that?
open-std.org/jtc1/sc22/wg14 appears to be a more recent draft of what I linked earlier by the way. We'll see how they end up deciding to clarify it for C2X. My feeling is they will bend over backwards to permit / attempt to formalize existing real world compiler interpretations.
1
I'm not arguing that what Clang and GCC currently do is correct, but I am saying that they currently do it, and that it's likely to become officially correct *because* they want to it. Type-based alias analysis is similar. They tried to allow it, and will readjust it as needed.
1
1
Show replies