On Mon, 5 Aug 2019 at 18:23, Andrew Lutomirski <luto@xxxxxxx> wrote: > > On Sun, Aug 4, 2019 at 6:16 AM Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote: > > > > Georg Sauthoff writes: > > > > > > I ended up tweaking my code to avoid the assertions, rather than disabling > > > > them. For this particular situation, my original change was to try > > > > > > > > std::copy(&foo[0], &foo[0]+foo.size(), std::back_insert_iterator{bar}); > > > > > > > > But that still tripped the assertion when the foo vector was empty, so I > > > had > > > > wrap this inside an if(). > > > > > > But why don't you use the idiomatic > > > > > > copy(foo.begin(), foo.end(), back_inserter(bar)); > > > > > > ? > > > > > > No need to wrap it into an extra if statement. > > > > I'm well aware of the alternatives. That's not the point. > > > > The point is that there's nothing wrong with this specific form of existing > > code that now throws exceptions when the hardened build gets turned on. > > There is no buffer overruns, and nothing to exploit. > > > > IIRC, the hardened build did find one real bug in the upstream package that > > was the original subject matter here, but all of the rest were these kinds > > of false positives. Now you have a situation when the existing code is known > > to be working, but needs changing in order to use a hardened build. There's > > some level of risk of regression in any change, and that gets weighed > > against the benefits of having a hardened build. > > > > The above was just a basic example of this. It is not true that exceptions > > from hardened code are always evidence of potentially exploitable problem. > > Sometimes/most of the time, but sometimes they are false positives. > > > > > > I filed an upstream bug: > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91357 > > Depending on the resolution of that bug, I suggest that Fedora > consider dropping _GLIBCXX_ASSERTIONS from the default hardened build > options. IMO Fedora's default RPM build options should not cause > crashes on valid, if less-than-stylistically-great, code. I don't > think that package maintainers should need to update package source to > use C++ in a more polite way. Upstream response has been quick: "It's UB, no question. The table of "Optional sequence container operations" says a[n] is equivalent to *(a.begin() + n) so when n==a.size() you dereference the past-the-end iterator, which is UB." "The assertion is entirely correct. Calling operator[] with an invalid value is UB, it doesn't matter what you do (or don't do) with the result." Iñaki _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx