On 07/01/19 13:02, Laszlo Ersek wrote:
> On 06/28/19 05:57, Gao, Zhichao wrote:
>
> (2a) SourceLength has nothing to do with Destination. The comment should
> be updated -- making sure that (Source + SourceLength) does not overflow
> MAX_ADDRESS is worthwhile, but the comment is misleading.

Let me re-state that.

Usually, when you expect the caller to provide an array of bytes, identified by base address and size, the burden to provide an *actual array* is on the caller. If the caller does not conform to the function specification, the behavior is undefined, and it's on the caller.

Therefore, checking MAX_ADDRESS overflows is *generally* dubious, in my opinion, because a valid array can never overflow MAX_ADDRESS. If we want to be paranoid about this, I guess we can keep implementing MAX_ADDRESS checks, but then we should both document and implement them correctly.

Second, it is usually good to specify whether overlap between input and output is permitted. If we want to be paranoid, we can check that explicitly again. I don't necessarily suggest that we implement an overlap check, but we should likely specify in the leading comment that overlap is not permitted. (This is similar to the "restrict" keyword from C99.)

Thanks
Laszlo

View/Reply Online (#43118): https://edk2.groups.io/g/devel/message/43118
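The two points raised in the message above (a MAX_ADDRESS check that is itself written so it cannot wrap, and an explicit no-overlap contract between input and output) as an added, stand-alone C example. This is not code from the patch under review or from EDK II; MAX_ADDRESS is defined here as UINTPTR_MAX to stand in for EDK II's macro, and the function names RangeFitsAddressSpace, RangesOverlap and ValidateDecodeArgs are hypothetical. The sample buffer is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for EDK II's MAX_ADDRESS (largest valid address); an assumption
   of this example, not taken from the patch under review. */
#define MAX_ADDRESS  UINTPTR_MAX

/* Constructed sample buffer used by main() and the tests. */
static uint8_t  SampleBuffer[64];

/*
 * True when the byte range [Base, Base + Length) lies entirely at or below
 * MAX_ADDRESS. The comparison is arranged so that the check itself cannot
 * wrap: "Base + Length" may overflow, "MAX_ADDRESS - Base" never does.
 * An empty range is always acceptable.
 */
bool
RangeFitsAddressSpace (
  uintptr_t  Base,
  size_t     Length
  )
{
  if (Length == 0) {
    return true;
  }
  return (uintptr_t)(Length - 1) <= MAX_ADDRESS - Base;
}

/*
 * True when the two ranges share at least one byte. Both ranges must already
 * have passed RangeFitsAddressSpace(), so computing the last byte of each
 * cannot wrap. Empty ranges overlap nothing.
 */
bool
RangesOverlap (
  uintptr_t  BaseA,
  size_t     LengthA,
  uintptr_t  BaseB,
  size_t     LengthB
  )
{
  if ((LengthA == 0) || (LengthB == 0)) {
    return false;
  }
  uintptr_t  LastA = BaseA + (LengthA - 1);
  uintptr_t  LastB = BaseB + (LengthB - 1);
  return (BaseA <= LastB) && (BaseB <= LastA);
}

/*
 * Argument validation for a hypothetical decode-style routine whose leading
 * comment states that Source and Destination must not overlap (the C99
 * "restrict" contract). Returns false when the caller violated the contract.
 */
bool
ValidateDecodeArgs (
  const void  *Source,
  size_t      SourceLength,
  void        *Destination,
  size_t      DestinationLength
  )
{
  uintptr_t  Src = (uintptr_t)Source;
  uintptr_t  Dst = (uintptr_t)Destination;

  if ((Source == NULL) && (SourceLength != 0)) {
    return false;
  }
  if ((Destination == NULL) && (DestinationLength != 0)) {
    return false;
  }
  if (!RangeFitsAddressSpace (Src, SourceLength) ||
      !RangeFitsAddressSpace (Dst, DestinationLength)) {
    return false;
  }
  return !RangesOverlap (Src, SourceLength, Dst, DestinationLength);
}

int
main (
  void
  )
{
  printf ("disjoint halves: %d\n",
          ValidateDecodeArgs (SampleBuffer, 32, SampleBuffer + 32, 32));
  printf ("overlapping:     %d\n",
          ValidateDecodeArgs (SampleBuffer, 32, SampleBuffer + 16, 32));
  printf ("wraps past end:  %d\n",
          RangeFitsAddressSpace (MAX_ADDRESS - 7, 16));
  return 0;
}
```

The point of RangeFitsAddressSpace is that the naive form `Base + Length <= MAX_ADDRESS` performs exactly the addition it is trying to guard, so on a bogus range it wraps and the check passes; subtracting Base from MAX_ADDRESS first cannot wrap for any valid Base. Whether to keep such a check at all is the design question the message raises; if it stays, this is the shape it should take, and the leading comment should describe it accurately.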