std-proposals

Re: [std-proposals] Delete...why not a parameter by reference?!

From: Breno Guimarães <brenorg_at_[hidden]>
Date: Sun, 24 Aug 2025 12:45:36 -0300
Why would the library take the ptr by reference if it doesn't intend to
delete it?
In your example, the library would still take the ptr by copy and delete
the copy, setting it to zero and having no effect on the outside whatsoever.

On Sun, Aug 24, 2025, 09:53, organicoman via Std-Proposals <
std-proposals_at_[hidden]> wrote:

> You need to explain how your proposal prevents non-trivial UaF that are
> not already trivially prevented (which literally *every* single one of your
> examples demonstrates - you cannot involved lexically bound lifetime), how
> it provides a better solution than simply using smart pointers, if not
> using smart pointers how you manage lifetime of the storage objects for
> these references, how it works with references and pointers to subobjects,
> how it works with pointer parameters without changing the source and
> compiled ABI.
>
> Ok, let me illustrate with a silly example:
> 1- let's take the current state of the 'delete' expression as per the
> current pre-conditions, i.e., it doesn't take by reference, and it doesn't
> null its argument.
>
> Expl:
> ----- begin snippet----
> {
>     T* p = new T;
>     Dll_fn_takes_by_Copy (p);
>     delete p;
> }
> /// somewhere in a dll library
> void Dll_fn_takes_by_Copy(T* pt)
> {
>     T* ptr = new T;
>     // use ptr, and pt
>     delete pt;
> }
> ----- end snippet-----
>
> The dll source is inaccessible to me, or my static analyzer.
>
> Can you catch the bug?
>
> I am pretty sure you did.
>
> Instead of deleting 'ptr', the dll deleted 'pt'.
> Just one character missed unintentionally.
>
> How can I guess, what happened in my code?
> Especially if the dll documentation says explicitly that they don't delete
> the passed pointer.
>
> I fall into a double-free bug.
>
> Now take the same example with the proposal, i.e. the delete expression
> takes a reference argument and nulls it out, plus the guideline to pass by
> reference.
>
> ----- begin snippet----
> {
>     T* p = new T;
>     Dll_fn_takes_by_ref (p);
>     if(p)
>         delete p;
> }
> /// somewhere in a dll library
> void Dll_fn_takes_by_ref(T* &pt)
> {
>     T* ptr = new T;
>     // use ptr, and pt
>     delete pt;
> }
> ----- end snippet-----
>
> Here, no matter what unintentional error happens in the dll, I can
> safeguard against it.
>
> Is my example clear?
>

Received on 2025-08-24 15:45:51
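
The two cases discussed in this message, as an added example that is not part of the thread or of any proposal text. `delete_and_null` is a hypothetical stand-in for the proposed nulling delete, and the `lib_by_copy`, `lib_by_ref` and `guard_would_double_free` names are assumptions. A live-object counter detects the dangling pointer, so the second delete is never actually executed.

```cpp
#include <cstdio>

// Instrumented type: counts live objects so a dangling pointer is detected
// without ever performing the second delete.
struct T {
    static int& live() { static int n = 0; return n; }
    T()  { ++live(); }
    ~T() { --live(); }
};

// Hypothetical stand-in for the proposed delete: frees, then nulls its argument.
template <class U>
void delete_and_null(U*& p) { delete p; p = nullptr; }

// Library with the mistaken delete, pointer taken by copy (first snippet).
void lib_by_copy(T* pt) { delete_and_null(pt); }  // nulls only the local copy

// Same mistake, pointer taken by reference (second snippet).
void lib_by_ref(T*& pt) { delete_and_null(pt); }  // nulls the caller's pointer

// Runs the caller side and reports whether `if (p) delete p;` would have
// freed an object the library already destroyed.
template <class Fn>
bool guard_would_double_free(Fn lib) {
    T* p = new T;
    lib(p);
    bool dangling = (p != nullptr) && (T::live() == 0);
    if (p && !dangling) delete_and_null(p);  // only free what is still alive
    return dangling;
}

int main() {
    std::printf("by copy: %d\n", guard_would_double_free(lib_by_copy));
    std::printf("by ref:  %d\n", guard_would_double_free(lib_by_ref));
}
```

With the by-copy signature the caller's pointer stays non-null after the library destroys the object, so the null check cannot catch the error; only the by-reference signature makes the guard effective.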