std-proposals

Re: [std-proposals] Delete...why not a parameter by reference?!

From: organicoman <organicoman_at_[hidden]>
Date: Sun, 24 Aug 2025 17:12:09 +0100
Sent from my Galaxy
> Why would the library take the ptr by reference if it doesn't intend to delete it?

That's a guideline that comes with the proposal. In a way, it's a promise from the library functions to not delete any resources managed by that pointer, and if so, the caller can double check, by inspecting the returned pointer.

> In your example, the library would still take the ptr by copy and delete the copy, setting it to zero and having no effect on the outside whatsoever
>
> On Sun, 24 Aug 2025, 09:53, organicoman via Std-Proposals <std-proposals_at_[hidden]> wrote:
>
>> Sent from my Galaxy
>>
>>> You need to explain how your proposal prevents non-trivial UaF that are not already trivially prevented (which literally *every* single one of your examples demonstrates - you cannot involved lexically bound lifetime), how it provides a better solution than simply using smart pointers, if not using smart pointers how you manage lifetime of the storage objects for these references, how it works with references and pointers to subobjects, how it works with pointer parameters without changing the source and compiled ABI.
>>
>> Ok, let me illustrate with a silly example:
>>
>> 1- let's take the current state of the 'delete' expression as per the current pre-conditions, i.e., it doesn’t take by reference, and it doesn't null its argument. Expl:
>>
>> ----- begin snippet----
>> {
>>   T* p = new T;
>>   Dll_fn_takes_by_Copy (p);
>>   delete p;
>> }
>> /// somewhere in a dll library
>> void Dll_fn_takes_by_Copy(T* pt)
>> {
>>   T* ptr = new T;
>>   // use ptr, and pt
>>   delete pt;
>> }
>> ----- end snippet-----
>>
>> The dll source is inaccessible to me, or my static analyzer. Can you catch the bug? I am pretty sure you did. Instead of deleting 'ptr', the dll deleted 'pt'. Just one character missed unintentionally.
>>
>> How can I guess what happened in my code? Especially if the dll documentation says explicitly that they don't delete the passed pointer. I fall into a double free bug.
>>
>> Now take the same example with the proposal, i.e. the delete expression takes a reference argument, and nulls it out + the guideline pass by reference.
>>
>> ----- begin snippet----
>> {
>>   T* p = new T;
>>   Dll_fn_takes_by_ref (p);
>>   if(p) delete p;
>> }
>> /// somewhere in a dll library
>> void Dll_fn_takes_by_ref(T* &pt)
>> {
>>   T* ptr = new T;
>>   // use ptr, and pt
>>   delete pt;
>> }
>> ----- end snippet-----
>>
>> Here no matter what unintentional error happens in the dll, I can safeguard against it. Is my example clear?

--
Std-Proposals mailing list
Std-Proposals_at_[hidden]
https://lists.isocpp.org/mailman/listinfo.cgi/std-proposals

Received on 2025-08-24 16:12:30
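
The two scenarios discussed in this thread, as an added example in present-day C++ (not code from the original messages). `delete_and_null` is an assumed stand-in for the proposed nulling `delete`; `Tracked`, `lib_by_copy`, `lib_by_ref`, `lib_well_behaved` and `caller` are hypothetical names, and liveness is tracked by address so the stale-pointer case is reported instead of being freed twice.

```cpp
#include <cstdint>
#include <set>

// Constructed type: records live objects by address so the example can
// report a stale pointer instead of actually freeing it twice.
struct Tracked {
    static std::set<std::uintptr_t>& live() {
        static std::set<std::uintptr_t> s;
        return s;
    }
    Tracked()  { live().insert(reinterpret_cast<std::uintptr_t>(this)); }
    ~Tracked() { live().erase(reinterpret_cast<std::uintptr_t>(this)); }
};

// Assumption: stand-in for the proposed delete (reference argument, nulled after).
template <class T>
void delete_and_null(T*& p) { delete p; p = nullptr; }

// Hypothetical library functions with the thread's typo: 'pt' is released
// where 'ptr' was meant (so 'ptr' leaks, as in the thread's snippets).
void lib_by_copy(Tracked* pt) { Tracked* ptr = new Tracked; (void)ptr; delete_and_null(pt); }
void lib_by_ref(Tracked*& pt) { Tracked* ptr = new Tracked; (void)ptr; delete_and_null(pt); }
void lib_well_behaved(Tracked*) {}  // keeps its documented promise

enum class Outcome { DeletedOnce, SkippedNull, WouldDoubleFree };

// Caller-side pattern from the thread: call the library, then `if (p) delete p;`.
template <class LibFn>
Outcome caller(LibFn lib) {
    Tracked* p = new Tracked;
    const auto addr = reinterpret_cast<std::uintptr_t>(p);
    lib(p);
    if (!p) return Outcome::SkippedNull;      // the library's delete was visible
    if (!Tracked::live().count(addr))         // non-null, yet already released
        return Outcome::WouldDoubleFree;      // a real `delete p` would run here
    delete p;
    return Outcome::DeletedOnce;
}

int main() {
    // By copy, nulling touches only the callee's copy, so the null check cannot help.
    bool ok = caller(lib_by_copy) == Outcome::WouldDoubleFree
           && caller(lib_by_ref) == Outcome::SkippedNull
           && caller(lib_well_behaved) == Outcome::DeletedOnce;
    return ok ? 0 : 1;
}
```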