[ovs-dev] [RFC] treewide: undefined behavior, passing null in nonnull parameters

Lance Richardson lrichard at redhat.com
Tue Jun 13 12:21:23 UTC 2017 

> From: "Ben Pfaff" <blp at ovn.org>
> To: "Lance Richardson" <lrichard at redhat.com>
> Cc: dev at openvswitch.org
> Sent: Tuesday, 13 June, 2017 1:06:12 AM
> Subject: Re: [ovs-dev] [RFC] treewide: undefined behavior, passing null in nonnull parameters
> 
> On Mon, Jun 12, 2017 at 08:06:01PM -0400, Lance Richardson wrote:
> > Eliminate a number of instances of undefined behavior related to
> > passing NULL in parameters having "nonnull" annotations.
> > 
> > Found with gcc's undefined behavior sanitizer.
> > 
> > Signed-off-by: Lance Richardson <lrichard at redhat.com>
> > ---
> > 
> > Posting this as RFC because there is no apparent risk of
> > unwanted compiler optimizations related to undefined behavior
> > in existing code. The main value in fixing these issues is
> > in reducing noise to make it easier to find problematic
> > cases in the future.
> > 
> > Here is a small example of the type of unwanted optimization
> > to be concerned about:
> > 
> > test1a.c:
> > 
> >     #include <stdio.h>
> > 
> >     extern void foo(char*, size_t);
> > 
> >     int main(int argc, char **argv)
> >     {
> >         char x[128];
> > 
> >         foo(x, sizeof x);
> >         foo(NULL, 0);
> > 
> >         return 0;
> >     }
> > 
> > test1b.c:
> > 
> >     #include <stdio.h>
> >     #include <string.h>
> > 
> >     void foo(char *bar, size_t len)
> >     {
> >         memset(bar, 0, len);
> > 
> >         if (bar)
> >             printf("bar is non-null: %p\n", bar);
> >     }
> > 
> > Compile and run:
> >     gcc -o test -O2 test1a.c test1b.c
> >     ./test
> > 
> > Output (second line might be a bit of a surprise):
> >     bar is non-null: 0x7fff80f90d50
> >     bar is non-null: (nil)
> 
> Hmm.  That is surprising.
> 
> > diff --git a/lib/netlink.c b/lib/netlink.c
> > index 3da22a1..fcad884 100644
> > --- a/lib/netlink.c
> > +++ b/lib/netlink.c
> > @@ -241,7 +241,12 @@ void
> >  nl_msg_put_unspec(struct ofpbuf *msg, uint16_t type,
> >                    const void *data, size_t size)
> >  {
> > -    memcpy(nl_msg_put_unspec_uninit(msg, type, size), data, size);
> > +    void *ptr;
> > +
> > +    ptr = nl_msg_put_unspec_uninit(msg, type, size);
> > +    if (size) {
> > +        memcpy(ptr, data, size);
> > +    }
> >  }
> 
> I guess the above is above null 'data', since 'ptr' should always be
> nonnull.  In that case, it seems reasonable.
> 
> >  /* Appends a Netlink attribute of the given 'type' and no payload to
> >  'msg'.
> > diff --git a/lib/ofpbuf.c b/lib/ofpbuf.c
> > index 3019c4a..2e71fed 100644
> > --- a/lib/ofpbuf.c
> > +++ b/lib/ofpbuf.c
> > @@ -375,7 +375,9 @@ void *
> >  ofpbuf_put_zeros(struct ofpbuf *b, size_t size)
> >  {
> >      void *dst = ofpbuf_put_uninit(b, size);
> > -    memset(dst, 0, size);
> > +    if (size) {
> > +        memset(dst, 0, size);
> > +    }
> >      return dst;
> >  }
> 
> In the above, when is dst null?  It looks to me like ofpbuf_put_uninit()
> always returns nonnull.
> 

Looks like it could return NULL if called with b->data = NULL, b->size = 0, and
size = 0. Seems odd to want to append no zero bytes to an empty buffer, but it
apparently happens while running the unit tests.

> > diff --git a/lib/svec.c b/lib/svec.c
> > index aad04e3..297a60c 100644
> > --- a/lib/svec.c
> > +++ b/lib/svec.c
> > @@ -127,7 +127,9 @@ compare_strings(const void *a_, const void *b_)
> >  void
> >  svec_sort(struct svec *svec)
> >  {
> > -    qsort(svec->names, svec->n, sizeof *svec->names, compare_strings);
> > +    if (svec->n) {
> > +        qsort(svec->names, svec->n, sizeof *svec->names, compare_strings);
> > +    }
> >  }
> 
> This one in svec_sort() looks good to me.
> 
> >  void
> > diff --git a/lib/util.c b/lib/util.c
> > index b2a1f8a..ddf8546 100644
> > --- a/lib/util.c
> > +++ b/lib/util.c
> > @@ -132,7 +132,9 @@ void *
> >  xmemdup(const void *p_, size_t size)
> >  {
> >      void *p = xmalloc(size);
> > -    memcpy(p, p_, size);
> > +    if (size) {
> > +        memcpy(p, p_, size);
> > +    }
> >      return p;
> >  }
> 
> I guess that the above must be about a null 'p_' parameter?  xmalloc()
> never returns null.
> 
> Maybe we should invent a nullable_memcpy() helper:
> 
> /* The C standards say that neither the 'dst' nor 'src' argument to
>  * memcpy() may be null, even if 'n' is zero.  This wrapper tolerates
>  * the null case. */
> static inline void
> nullable_memcpy(void *dst, const void *src, size_t n)
> {
>     if (n) {
>         memcpy(dst, src, n);
>     }
> }
> 

Makes sense, ditto for a nullable_memset().

Thanks,

   Lance

More information about the dev mailing list