On 08/04/2016 12:46 PM, Peter Maydell wrote: > I've upgraded to a more recent version of clang, which now produces > undefined-behaviour warnings for passing NULL pointers to some library > functions. One of the things it has shown up is that some of the > qtest tests ask for "memset" with size zero. In our current implementation > this results in qtest.c calling g_malloc(0), which returns NULL, and
I never understood why glib made that choice on g_malloc(0). I would much prefer it to ALWAYS return something, just as glibc malloc(0) does. > then calling memset(NULL, chr, 0), which is UB. Indeed, although I really wish POSIX could be loosened to say that the source pointer is untouched if the length is 0 (I've debated about filing a POSIX bug report to that effect, but have not done so yet), so that the UB only happens when passing NULL with a non-zero size. > > So should we: > (1) declare the qtest protocol commands 'memset', 'read', 'write' > etc which operate on a lump of guest memory of specified size to > support size == 0 as meaning "do nothing" My preference - even if we have to special case things to avoid UB at the lower level, presenting well-defined behavior at the upper level is easier to think about. > (2) declare that size == 0 is not valid and make it return a failure > code back down the qtest pipe (and fix the offending tests) Doable, but not as fun to audit, and not my preference. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
