This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: Signed int overflow behaviour in the security context


On Wed, Jan 24, 2007 at 07:51:21AM -0500, Richard Kenner wrote:
> > Your conclusion may well be correct.  The question for this group is:
> > what's the best that GCC can do to serve the community/society?
> 
> Do all it can to discourage people from writing safety- or
> security-critical code in a language they don't understand?  ;-)

The problem goes all the way back to the original Bell Labs crew.  They
put out a book saying that signed int overflow in C was undefined, and
then proceeded to write an OS and a set of utilities that was full of the
assumption that signed overflow wrapped.

Suddenly rejecting all that code, or making it generate a different
result, would not serve the community/society.

On the other hand, for loop unrolling, C compilers have long made
assumptions about ignoring overflows.  Refusing to do that, and
slowing things down, also would not serve the community/society.

The challenge, then, is to figure out some kind of compromise that
can be defined in a robust manner.  The current situation in C is that
according to the *real* definition that people code to, signed int
overflow wraps, except in certain cases where we assume that signed
int overflow does not occur, and we're fuzzy about just what those
cases are.
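The two faces of signed overflow described in the message, as an added C example that is not part of the original message and is not GCC's own code. The function names, sample inputs and the builtin/portable pairing are this example's own choices; the first function is written the way "the real definition people code to" assumes, the others are written to the standard so that the "overflow does not occur" assumption cannot remove the check. Build it with and without `-O2` and `-fwrapv` to see the difference.

```c
/* Added example (not from the original message or from GCC itself).
 * Shows code written as if 'int' wraps beside code written to the
 * standard, where the compiler may assume overflow never happens.
 * Function names and inputs are this example's own. */
#include <limits.h>
#include <stdio.h>

/* Face 1: a bounds check that relies on wrapping.  If a + b overflows, the
 * programmer expects the sum to wrap and the comparison to catch it.
 * Under the standard the overflow is undefined, so the compiler may
 * simplify 'a + b < a' to 'b < 0' and drop the check entirely for
 * positive b.  Only reliable with -fwrapv. */
int overflows_wrapping_assumption(int a, int b) {
    int sum = a + b;                   /* undefined if it overflows */
    return b > 0 ? sum < a : sum > a;
}

/* Face 2: the same check written so that the overflowing addition is never
 * executed.  Defined for every input, no compiler flag required. */
int overflows_portable(int a, int b) {
    if (b > 0) return a > INT_MAX - b;   /* would exceed INT_MAX */
    if (b < 0) return a < INT_MIN - b;   /* would go below INT_MIN */
    return 0;
}

/* GCC/Clang builtin: defined for all inputs and compiled from the CPU's
 * overflow flag, so the "ignore overflow" optimisations cannot remove it. */
int overflows_builtin(int a, int b) {
    int sum;
    return __builtin_add_overflow(a, b, &sum);
}

/* Addition with an explicit error return instead of a sentinel value;
 * the add is only executed once it is known not to overflow. */
int safe_add(int a, int b, int *out) {
    if (overflows_portable(a, b)) return -1;
    *out = a + b;
    return 0;
}

/* A loop counter at the top of the range, the loop-unrolling face of the
 * same assumption.  The natural
 *   for (i = start; i <= INT_MAX; i++)
 * never terminates under wrapping (i wraps to INT_MIN) and under the
 * standard the compiler may treat 'i <= INT_MAX' as always true.
 * Testing for INT_MAX before the increment keeps i in range. */
long long count_up_to_int_max(int start) {
    long long n = 0;
    int i = start;
    for (;;) {
        n++;
        if (i == INT_MAX) break;       /* stop before i++ would overflow */
        i++;
    }
    return n;
}

int main(void) {
    int r;
    printf("portable  INT_MAX+1 overflows: %d\n", overflows_portable(INT_MAX, 1));
    printf("builtin   INT_MAX+1 overflows: %d\n", overflows_builtin(INT_MAX, 1));
    /* The wrapping-assumption version is undefined on this input; what it
     * prints depends on optimisation level and -fwrapv, which is the point. */
    printf("wrapping  INT_MAX+1 overflows: %d\n",
           overflows_wrapping_assumption(INT_MAX, 1));
    if (safe_add(100, 28, &r) == 0) printf("100 + 28 = %d\n", r);
    printf("values from INT_MAX-3 to INT_MAX: %lld\n",
           count_up_to_int_max(INT_MAX - 3));
    return 0;
}
```

The portable and builtin forms give the same answer at every optimisation level; the first form is the pattern whose behaviour the message calls "fuzzy", because it is correct under `-fwrapv` and may be silently deleted without it.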




