This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH][4.3] Deprecate -ftrapv


Frank Ch. Eigler wrote:
> Hi -
>
> On Sun, Mar 02, 2008 at 09:30:25AM -0500, Robert Dewar wrote:
>
>> [...] Safety-critical and security-critical software are two
>> totally different concepts. Be careful not to confuse them. In
>> safety-critical software, e.g. an avionics system, it is not acceptable
>> for the system to crash. In this context, the metaphorical "better
>> to die" becomes all too real!
>
> (Off topic, but I'd expect that avionics software is engineered with enough layers of protection, including catching traps, so that a -ftrapv hit would not cause a deep impact.)

As I say, it is more usual in avionics software to rely on proving or demonstrating during the certification process that the code is correct. DERs do not look too kindly on code that says "if something is wrong do bla"; they want to be convinced that nothing can go wrong.

And don't be sure about impact: as I mentioned, the Ariane-5
disaster was caused by a run-time exception not handled
properly; the rocket would have been fine if there had
been no overflow test in place. Non-critical wrong answers
are better than having to blow up the rocket sometimes :-)

>> [...] However, in practice, it is hard to imagine a
>> security-critical piece of software that would not take equal care
>> to avoid any possibility of exceptional conditions at run time.
>
> Maybe, but we just don't live in that world.

I am not sure who "we" is here; those of us who live in the DO-178B and MILS worlds definitely do take that kind of care.

>> However, I would suspect that -ftrapv is likely to be viewed and
>> used only as a debugging aid in C, rather than something you
>> routinely deploy in delivered software to improve security.
>
> I guess it depends on how robust (=> predictable to experts) the mechanism becomes. The glibc fortify widget (enabled by some robust gcc extensions) has found lots of use.

Again, the issue is whether such things are for finding bugs during development, or defending against bugs that make it through the entire development process. Even in the Ada world, it is normal to turn off exceptions in safety-critical code for the final delivered software that runs on planes.

> - FChE
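As an added illustration (not part of this thread and not GCC's own code), the overflow policies the exchange contrasts, written out in C for a single 32-bit addition: an explicit check that reports failure to the caller, a saturating variant that returns a bounded "wrong answer" instead of failing, and a trapping variant that does for one call site what -ftrapv does for every signed operation. It assumes a GCC or Clang compiler for `__builtin_add_overflow`; the function names are mine.

```c
/* Added example: explicit signed-overflow handling as an alternative to
 * -ftrapv.  With -ftrapv every signed +, -, * traps on overflow; here the
 * check is explicit, so each call site picks its own policy.
 * Requires GCC >= 5 or Clang for __builtin_add_overflow (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of a checked operation. */
typedef enum { ADD_OK = 0, ADD_OVERFLOW = 1 } add_status;

/* Checked signed addition: never traps and never relies on the undefined
 * behaviour of wrapping signed arithmetic.  On overflow *out is left
 * untouched and ADD_OVERFLOW is returned, so the caller can degrade
 * gracefully rather than crash. */
add_status checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    int32_t r;
    /* Returns true on overflow; r then holds the wrapped value. */
    if (__builtin_add_overflow(a, b, &r))
        return ADD_OVERFLOW;
    *out = r;
    return ADD_OK;
}

/* Saturating variant: clamp to the representable range instead of
 * failing.  A bounded wrong answer, in the sense of the discussion. */
int32_t saturating_add_i32(int32_t a, int32_t b)
{
    int32_t r;
    if (!__builtin_add_overflow(a, b, &r))
        return r;
    /* Overflow direction follows the sign of the addend. */
    return (b > 0) ? INT32_MAX : INT32_MIN;
}

/* Trapping variant: the policy -ftrapv applies globally, reproduced for
 * one call site.  A loud failure pinpoints the bug under test; the thread
 * debates whether deployed safety-critical code wants this behaviour. */
int32_t trapping_add_i32(int32_t a, int32_t b)
{
    int32_t r;
    if (__builtin_add_overflow(a, b, &r)) {
        fprintf(stderr, "signed overflow: %d + %d\n", a, b);
        abort();
    }
    return r;
}

int main(void)
{
    int32_t r = 0;
    /* Constructed inputs that overflow int32_t. */
    printf("checked: status=%d\n", checked_add_i32(INT32_MAX, 1, &r));
    printf("saturating: %d\n", saturating_add_i32(INT32_MAX, 1));
    printf("trapping (no overflow): %d\n", trapping_add_i32(1, 2));
    return 0;
}
```

The checked and saturating forms are the ones a delivered build would keep; the trapping form is what a test build gets wholesale from -ftrapv, without having to write a check at each site.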

