* undefined behavior in builtin/am.c
@ 2022-07-01 17:03 Roland Illig
2022-07-01 17:53 ` Jeff King
2022-07-01 17:54 ` Phillip Wood
0 siblings, 2 replies; 4+ messages in thread
From: Roland Illig @ 2022-07-01 17:03 UTC (permalink / raw)
To: git
Hi,
builtin/am.c says:
> static int str_isspace(const char *str)
> {
> for (; *str; str++)
> if (!isspace(*str))
> return 0;
>
> return 1;
> }
The macro 'isspace' must only be called with an integer representable as
an 'unsigned char', or with the value of the macro EOF.
On platforms where plain 'char' is a signed integer type, any character
whose value is negative invokes undefined behavior (except for the one
character that by coincidence has the same value as the macro EOF).
To fix this, write '!isspace((unsigned char)*str)' instead.
I have no idea how to trigger this part of the code but for someone who
knows this part of Git, it should be easy. Depending on the platform,
this kind of error may be silently ignored or crash the program, as
always with undefined behavior.
Roland
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: undefined behavior in builtin/am.c
2022-07-01 17:03 undefined behavior in builtin/am.c Roland Illig
@ 2022-07-01 17:53 ` Jeff King
2022-07-01 18:58 ` Roland Illig
2022-07-01 17:54 ` Phillip Wood
1 sibling, 1 reply; 4+ messages in thread
From: Jeff King @ 2022-07-01 17:53 UTC (permalink / raw)
To: Roland Illig; +Cc: git
On Fri, Jul 01, 2022 at 07:03:18PM +0200, Roland Illig wrote:
> The macro 'isspace' must only be called with an integer representable as
> an 'unsigned char', or with the value of the macro EOF.
>
> On platforms where plain 'char' is a signed integer type, any character
> whose value is negative invokes undefined behavior (except for the one
> character that by coincidence has the same value as the macro EOF).
>
> To fix this, write '!isspace((unsigned char)*str)' instead.
>
> I have no idea how to trigger this part of the code but for someone who
> knows this part of Git, it should be easy. Depending on the platform,
> this kind of error may be silently ignored or crash the program, as
> always with undefined behavior.
We don't use the system isspace(), but instead our own macro wrappers in
git-compat-util.h. They do the cast to unsigned char themselves.
I won't be surprised if re-defining a system name as a macro is also
technically undefined behavior, but I don't think we've found a system
that has a problem with it in the past 17 years. :)
-Peff
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: undefined behavior in builtin/am.c
2022-07-01 17:53 ` Jeff King
@ 2022-07-01 18:58 ` Roland Illig
0 siblings, 0 replies; 4+ messages in thread
From: Roland Illig @ 2022-07-01 18:58 UTC (permalink / raw)
To: Jeff King; +Cc: git
Am 01.07.2022 um 19:53 schrieb Jeff King:
> On Fri, Jul 01, 2022 at 07:03:18PM +0200, Roland Illig wrote:
>
>> The macro 'isspace' must only be called with an integer representable as
>> an 'unsigned char', or with the value of the macro EOF.
>>
>> On platforms where plain 'char' is a signed integer type, any character
>> whose value is negative invokes undefined behavior (except for the one
>> character that by coincidence has the same value as the macro EOF).
>>
>> To fix this, write '!isspace((unsigned char)*str)' instead.
>>
>> I have no idea how to trigger this part of the code but for someone who
>> knows this part of Git, it should be easy. Depending on the platform,
>> this kind of error may be silently ignored or crash the program, as
>> always with undefined behavior.
>
> We don't use the system isspace(), but instead our own macro wrappers in
> git-compat-util.h. They do the cast to unsigned char themselves.
Thanks for the explanation, good to know that there's no problem. :)
Roland
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: undefined behavior in builtin/am.c
2022-07-01 17:03 undefined behavior in builtin/am.c Roland Illig
2022-07-01 17:53 ` Jeff King
@ 2022-07-01 17:54 ` Phillip Wood
1 sibling, 0 replies; 4+ messages in thread
From: Phillip Wood @ 2022-07-01 17:54 UTC (permalink / raw)
To: Roland Illig, git
Hi Roland
On 01/07/2022 18:03, Roland Illig wrote:
> Hi,
>
> builtin/am.c says:
> > static int str_isspace(const char *str)
> > {
> > for (; *str; str++)
> > if (!isspace(*str))
> > return 0;
> >
> > return 1;
> > }
>
> The macro 'isspace' must only be called with an integer representable as
> an 'unsigned char', or with the value of the macro EOF.
Thanks for reporting this. Git uses its own version of isspace() (see
git-compat-util.h & ctype.c) which does not suffer from this limitation
as it casts its argument to an unsigned char.
Best Wishes
Phillip
> On platforms where plain 'char' is a signed integer type, any character
> whose value is negative invokes undefined behavior (except for the one
> character that by coincidence has the same value as the macro EOF).
>
> To fix this, write '!isspace((unsigned char)*str)' instead.
>
> I have no idea how to trigger this part of the code but for someone who
> knows this part of Git, it should be easy. Depending on the platform,
> this kind of error may be silently ignored or crash the program, as
> always with undefined behavior.
>
> Roland
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-07-01 18:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-01 17:03 undefined behavior in builtin/am.c Roland Illig
2022-07-01 17:53 ` Jeff King
2022-07-01 18:58 ` Roland Illig
2022-07-01 17:54 ` Phillip Wood
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).