This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Signed int overflow behaviour in the security context
Daniel Berlin wrote:
> And you think that somehow defining it (which the definition people
> seem to favor would be to make it wrapping) ameliorates any of these
> concerns?
Yes, absolutely. There is a difference between well-defined and
understood semantics on one hand, and undefined and probably dangerous
behaviour on the other hand. It's the difference between security
audits of C software being hard and completely hopeless.
To be more precise, the LIA-1 definition is the one people have burned
deeply into their neurons. It's the one that should be used by default.
Sun cc does that, by the way.
> User parameters can't be trusted no matter whether signed overflow is
> defined or not.
But what if the compiler subtly breaks your tests in ways you wouldn't
expect?
> Making it defined and wrapping doesn't help at all. It just means you
> write different checks, not less of them.
You have just seen somebody who can be considered an expert in matters
of writing C software come up with a check that looks correct, but is
broken under current gcc semantics. That should make you think.
Andreas
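The pattern the thread is arguing about, shown as an added example that is not code from the message above, from any participant, or from GCC itself: a bounds check written the "obvious" way, which relies on `off + len` wrapping negative when it overflows, beside a version that decides before adding. The function names, the buffer-validation framing and the sample inputs are this example's own assumptions. Under C semantics a signed `int` addition that overflows is undefined, so a compiler is allowed to treat `off + len < off` as equivalent to `len < 0` and drop the overflow test; the naive function is kept here only to show what the check looks like, and the example never calls it with overflowing inputs.

```c
#include <limits.h>
#include <stdio.h>

/* Naive form (illustrative, hypothetical name). Reads as: "if the sum
   wrapped around, reject". But a signed overflow in off + len is undefined
   behaviour, so the compiler may assume it never happens and simplify
   "off + len < off" to "len < 0", removing the overflow test entirely.
   Only with wrapping (LIA-1 style) semantics, e.g. gcc's -fwrapv, does this
   check mean what it appears to mean. */
int range_ok_naive(int off, int len, int buf_size)
{
    if (off + len < off)          /* overflow "check" */
        return 0;
    return off + len <= buf_size;
}

/* Decide whether a + b would leave the int range, using only comparisons
   that cannot themselves overflow. Returns nonzero if it would. */
int add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;   /* INT_MAX - b >= 0, no overflow */
    if (b < 0)
        return a < INT_MIN - b;   /* INT_MIN - b <= 0, no overflow */
    return 0;
}

/* Hardened form: reject negative inputs, then check for overflow before
   performing the addition. Returns 1 if [off, off + len) fits in a buffer
   of buf_size bytes, 0 otherwise. Every arithmetic operation here is
   well-defined for all int inputs. */
int range_ok(int off, int len, int buf_size)
{
    if (off < 0 || len < 0 || buf_size < 0)
        return 0;
    if (add_would_overflow(off, len))
        return 0;
    return off + len <= buf_size;
}

int main(void)
{
    /* Constructed sample inputs (not from the thread). */
    printf("in bounds     (10, 20, 64): naive=%d hardened=%d\n",
           range_ok_naive(10, 20, 64), range_ok(10, 20, 64));
    printf("past the end  (60, 10, 64): naive=%d hardened=%d\n",
           range_ok_naive(60, 10, 64), range_ok(60, 10, 64));
    /* The overflowing case is only passed to the hardened version; calling
       range_ok_naive(INT_MAX, 1, 64) would be undefined behaviour and its
       result would depend on the compiler and optimisation level. */
    printf("overflow (INT_MAX, 1, 64): hardened=%d\n",
           range_ok(INT_MAX, 1, 64));
    return 0;
}
```

The hardened check is portable C and does not depend on the compiler's choice of overflow semantics; with gcc one can also request the wrapping behaviour the message refers to with `-fwrapv`, at the cost of some optimisations. Later GCC releases (5 and up) additionally provide `__builtin_add_overflow(a, b, &result)`, which reports overflow without undefined behaviour, but that is a compiler extension rather than part of the language.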