Hi Mark,

> I guess the idea is that there could be an atoi implementation that
> starts from the end of the string? But I think that is super unlikely
> since atoi (and strtol) is defined on the initial portion of the
> character array. The algorithm is described as working from the start
> and once a valid digit is found any non-digit terminates the
> algorithm, there seems to be no requirement that that char should be a
> zero terminator. So I think that asan strict-string check is not
> really correct.

The idea behind strict_string_checks is to just warn about functions expecting
null-terminated strings that process (potentially) binary data and can in
theory get past the end of the buffers because of that. It just looks for nulls
and if they aren't there it complains.

It's off by default because it tends to produce false positives. But I think
it's useful sometimes because for example as far as I can remember it was able
to find real heap-buffer-overflows in systemd at some point and it has been on
on the CI there since "string" functions were replaced with functions receiving
buffers and their lengths. Then again, I agree it doesn't seem to make much
sense to make ASan happy here.

Thanks,
Evgeny Vereshchagin
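
Added example, not part of the original message and not code from systemd or any project discussed in the thread: a sketch of the "buffer plus length" style of integer parsing the message refers to, which stops at the first non-digit like atoi but never reads past the stated length. The function name `parse_long_bounded` and the `FIELD_*` sample fields are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample fields: fixed-width, NOT null-terminated. */
static const char FIELD_FULL[4]  = {'1', '2', '3', '4'}; /* digits to the last byte */
static const char FIELD_MIXED[4] = {'-', '4', '2', 'x'}; /* non-digit ends the number */
static const char FIELD_EMPTY[4] = {'a', 'b', 'c', 'd'}; /* no digits at all */

/* Hypothetical helper: parse a decimal integer from the first len bytes of buf,
 * never reading buf[len]. Returns 1 on success, 0 if no digits were found,
 * -1 with errno = ERANGE if the value does not fit in a long. */
static int parse_long_bounded(const char *buf, size_t len, long *out)
{
    size_t i = 0, start;
    int neg = 0;
    unsigned long acc = 0, limit;

    while (i < len && (buf[i] == ' ' || buf[i] == '\t'))
        i++;
    if (i < len && (buf[i] == '+' || buf[i] == '-'))
        neg = (buf[i++] == '-');
    limit = neg ? (unsigned long)LONG_MAX + 1UL : (unsigned long)LONG_MAX;

    for (start = i; i < len && buf[i] >= '0' && buf[i] <= '9'; i++) {
        unsigned long d = (unsigned long)(buf[i] - '0');
        if (acc > (limit - d) / 10) {   /* acc * 10 + d would exceed limit */
            errno = ERANGE;
            return -1;
        }
        acc = acc * 10 + d;
    }
    if (i == start)
        return 0;
    *out = neg ? (acc ? -(long)(acc - 1) - 1 : 0) : (long)acc;
    return 1;
}

int main(void)
{
    long v = 0;
    if (parse_long_bounded(FIELD_FULL, sizeof FIELD_FULL, &v) == 1)
        printf("FIELD_FULL  -> %ld\n", v);
    if (parse_long_bounded(FIELD_MIXED, sizeof FIELD_MIXED, &v) == 1)
        printf("FIELD_MIXED -> %ld\n", v);
    return 0;
}
```

In `FIELD_FULL` the digits run to the last byte of the array, which is the case where a terminator-dependent parser would keep reading; the explicit length makes the stopping point independent of what follows the buffer.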
