This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Signed int overflow behaviour in the security context
Robert Dewar wrote:
>> Making a call here before knowing this is not sensible. In fact,
>> I'm tempted to argue that it is generally a bad idea to do
>> optimizations that lead to the same expression being evaluated to
>> different results without making the user explicitly request them.
> People always say this, but they don't really realize what they are
> saying. This would mean you could not put variables in registers, and
> would essentially totally disable optimization.
I don't see why that demand would prevent register allocation. Maybe
you can explain that to me.
My point essentially is that it's not a good idea to have "x-y" mean
something different in different parts of the code. That's just too
hard for the user to understand and deal with properly.
> The -O2 flag is exactly a request to do optimizations that may cause
> wrong programs to generate different results.
Then maybe it shouldn't be the default in autoconf. But wasn't -O3 the
set of optimizations considered potentially unsafe?
> Note by the way that formally safety-critical or security-critical
> software is very unlikely to be compiled at -O2 anyway.
Oh, the last formally security-critical application I've been working on
(FIPS 140-2 certification pending) *was* compiled with -O2, because the
resources on the embedded target device were scarce.
But I'm talking about the security of your average desktop system anyways.
Andreas
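The exchange above turns on whether a signed overflow check such as "x-y" can be evaluated differently at -O2. As an added example (not code from the list posting), this shows how to test whether a signed subtraction fits in an int before performing it, so the outcome does not rest on wraparound the compiler is allowed to assume never happens; the function names and the remaining_length scenario are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not code from the thread.
 * Signed overflow is undefined behaviour in C, so a check written
 * after the fact ("if (x - y > x)") relies on wraparound that the
 * optimizer may assume never occurs.  The checks below decide
 * *before* subtracting whether x - y fits in an int, so the result
 * is the same at every optimization level. */

/* Portable pre-check: returns true and stores x - y if it fits. */
bool safe_sub_portable(int x, int y, int *out)
{
    /* x - y overflows iff y > 0 and x < INT_MIN + y,
     * or y < 0 and x > INT_MAX + y.  Neither sum can overflow. */
    if ((y > 0 && x < INT_MIN + y) || (y < 0 && x > INT_MAX + y))
        return false;
    *out = x - y;
    return true;
}

/* Same check via the GCC/Clang builtin, which reports overflow
 * instead of invoking undefined behaviour. */
bool safe_sub_builtin(int x, int y, int *out)
{
    return !__builtin_sub_overflow(x, y, out);
}

/* Constructed scenario: remaining bytes in a buffer, where both counts
 * come from untrusted input.  Returns -1 if the arithmetic would
 * overflow or the remainder would be negative. */
int remaining_length(int total, int consumed)
{
    int rem;
    if (!safe_sub_portable(total, consumed, &rem) || rem < 0)
        return -1;
    return rem;
}

int main(void)
{
    int r;
    printf("INT_MIN - 1 fits: %d\n", safe_sub_portable(INT_MIN, 1, &r));
    printf("remaining(100, 30) = %d\n", remaining_length(100, 30));
    printf("remaining(INT_MAX, -1) = %d\n", remaining_length(INT_MAX, -1));
    return 0;
}
```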