This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Signed into overflow behavior in the security context

From: Georg Bauhaus <bauhaus at futureapps dot de>
To: Paul Schlie <schlie at comcast dot net>
Cc: GCC Development <gcc at gcc dot gnu dot org>
Date: Tue, 30 Jan 2007 16:19:42 +0100
Subject: Re: Signed into overflow behavior in the security context
References: <C1E49DF7.FB73%schlie@comcast.net>

On Tue, 2007-01-30 at 07:02 -0500, Paul Schlie wrote:

> > There is no license to reason about  how you think code is
> generated, any
> > compiled is allowed to generate code AS IF a trap representation
> were present.
> 
> - yes, and thereby inconsistent with reality, and thereby wrong.
>  (as may and may not are equivalent possibilities)

Now things get really undefined :-) I think there aren't even
sufficiently many GCC users who take the time to analyze their
realities in relation to all of C, object code, CPU, etc.
A difficult job, after all. Where and how can we attribute any
consistency here?

I don't think it is practical to have GCC implement a different
C language that happens to be consistent with a more or less
arbitrary set of expectations that some people share in some
cases but likely don't share in other cases. Do the writers
of GCC know that there is a shared expectation by its many users
that GCC should stop optimizing and provide some arbitrary rules
as to what values there will be, for cases involving C-undefined
variables? (There would be _many_ value combinations to choose
from ...)

John F. Woods, inventor of the nasal demons, says
http://odetocode.com/Blogs/scott/archive/2004/07/29/363.aspx#494

I suggest that the efforts spent in this discussion could be
transferred to a project improving a gcc based tool that finds
sore spots in C programs and gives hints.
If -O -Wextra or  splint -strict  don't do enough.

int main(void)
{
   signed int x;
   x = x;
   x ^= x;
   x = ((int (*)())x)();
   return x;
}

Splint 3.1.1 --- 06 Jan 2006

foo.c: (in function main)
foo.c:4:8: Variable x used before definition
  An rvalue is used that may not be initialized to a value on some
  execution path. (Use -usedef to inhibit warning)
foo.c:5:4: Left operand of ^= is not unsigned value (int): x ^= x
  An operand to a bitwise operator is not an unsigned values.  This
  may have unexpected results depending on the signed
  representations. (Use -bitwisesigned to inhibit warning)

gcc -Wextra -O foo.c
foo.c: In function 'main':
foo.c:4: warning: 'x' is used uninitialized in this function

./a.out
Segmentation fault

-- Georg Bauhaus

References:
- Re: Signed into overflow behavior in the security context
  - From: Paul Schlie

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]