On 02/20/2015 06:01 PM, Jeff Law wrote:
> But that's always true -- this isn't any different than aliasing,
> arithmetic overflow, etc. The standards define the contract between the
> compiler/library implementors and the developers. Once the contract is
> broken, all bets are off.
What I don't like about this case (std::vector<T>::data() returning nullptr vs memcpy/memcmp/qsort non-null assertions) is that it is internally non-composing in a totally non-obvious way. data() is explicitly intended to cover interoperability with these older C functions, and it fails.

But you are right about overflows. I think we should give up and just enable -fwrapv by default in Fedora and downstream. This issue has been explicitly documented since 2002 at least (explicitly with security-related checks in mind), and programmers still write overflow checks which are only correct with -fwrapv, and it passes code review. I fear that's not going to change, ever.

--
Florian Weimer / Red Hat Product Security
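An added illustration of the two points in this message, not code from the thread: guarding an empty std::vector before handing data() to memcpy, and a signed-overflow check that is only correct under -fwrapv beside one that is correct under the standard rules. The function names are made up for this example.

```cpp
#include <cstddef>
#include <cstring>
#include <limits>
#include <vector>

// Copy the vector's bytes into dst (at most cap bytes) and return the count.
// For an empty vector data() may be nullptr, yet the C standard requires
// memcpy/memcmp/qsort pointer arguments to be valid even when n == 0, and GCC
// marks them nonnull, so it may drop any later nullptr check on the same
// pointer. The emptiness guard keeps that contract intact.
std::size_t copy_bytes(const std::vector<unsigned char>& src,
                       unsigned char* dst, std::size_t cap) {
    if (src.empty()) return 0;               // never pass a possibly-null data()
    std::size_t n = src.size() < cap ? src.size() : cap;
    std::memcpy(dst, src.data(), n);
    return n;
}

// The pattern the message describes: it relies on two's-complement wrapping,
// which only -fwrapv guarantees. Without it, signed overflow is undefined and
// the optimizer may assume a + b never wraps and fold the test away.
// Kept here only for contrast; do not call it with overflowing inputs.
bool add_checked_wrapv_only(int a, int b, int* out) {
    int sum = a + b;                          // UB on overflow without -fwrapv
    if ((b > 0 && sum < a) || (b < 0 && sum > a)) return false;
    *out = sum;
    return true;
}

// Correct with or without -fwrapv: test the bound before the addition, so no
// signed overflow ever occurs. (GCC/Clang's __builtin_add_overflow does the
// same job; the portable form is shown here.)
bool add_checked(int a, int b, int* out) {
    if (b > 0 && a > std::numeric_limits<int>::max() - b) return false;
    if (b < 0 && a < std::numeric_limits<int>::min() - b) return false;
    *out = a + b;
    return true;
}
```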