This is the mail archive of the
gcc@gcc.gnu.org
mailing list for the GCC project.
Re: Super Lint (was: Unexecutable Stack / Buffer Overflow Exploits...)
- To: Joe Buck <jbuck at synopsys dot COM>
- Subject: Re: Super Lint (was: Unexecutable Stack / Buffer Overflow Exploits...)
- From: Oliver Xymoron <oxymoron at waste dot org>
- Date: Tue, 4 Jan 2000 12:19:18 -0600
- cc: gcc at gcc dot gnu dot org
On Tue, 4 Jan 2000, Joe Buck wrote:
> Undecidability simply means that any correct program that attempts to
> do certain kinds of analysis must return a three-valued answer: yes,
> no, or "I can't tell". gcc is already full of code that attempts to
> solve undecidable problems: warning about code that will never be
> reached, or warning about using variables before they are initialized,
> is one obvious example:
>
> CODE;
> STATEMENT;
>
> STATEMENT is reached iff CODE halts, so we must solve the halting problem
> to tell, in general, which statements can be reached. If STATEMENT uses a
> variable that is not set, then we can't write a perfect -Winitialized
> without solving the halting problem.
>
> Yet we have a useful -Winitialized anyway; it warns in the "I can't tell"
> cases as well as in the "yes" cases.
But writing a -Wsecure is harder. Whereas it's easy for a programmer to
fix a "can't tell" initialization in a way that static analysis can figure
out that it's been done, the same is not true for tracking security.
Consider:
void foo(int i)
{
int j, k;
if(k=hardtocompute(i)) // always true?
{
j=k;
}
use(j);
}
vs
void foo(int i)
{
int j,k;
if(k=lookup_uid(i)) // always true?
{
j=k;
}
setuid(j);
}
In the first case, we can simply set j to some useful value to shut up the
warning, but in the second what we're actually concerned about is
validating lookup_uid. A system that punts and gives a warning when
lookup_uid isn't transparent isn't really helping.
Your example about unreachable code is telling: we certainly wouldn't want
the compiler to complain whenever it couldn't figure out when code was
reachable. If we want to statically detect things like potential buffer
overflows (ie what we were originally talking about), it means we'll have
to forecast through the loops that index said buffers, more than likely
including global analysis of input variable domains, etc. The compiler now
takes three years and 10 gig of memory to build itself, assuming it's not
treating warnings as errors...
--
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."