This is the mail archive of the
gcc@gcc.gnu.org
mailing list for the GCC project.
Re: Signed into overflow behavior in the security context
- From: Georg Bauhaus <bauhaus at futureapps dot de>
- To: Paul Schlie <schlie at comcast dot net>
- Cc: GCC Development <gcc at gcc dot gnu dot org>
- Date: Tue, 30 Jan 2007 16:19:42 +0100
- Subject: Re: Signed into overflow behavior in the security context
- References: <C1E49DF7.FB73%schlie@comcast.net>
On Tue, 2007-01-30 at 07:02 -0500, Paul Schlie wrote:
> > There is no license to reason about how you think code is
> generated, any
> > compiled is allowed to generate code AS IF a trap representation
> were present.
>
> - yes, and thereby inconsistent with reality, and thereby wrong.
> (as may and may not are equivalent possibilities)
Now things get really undefined :-) I think there aren't even
sufficiently many GCC users who take the time to analyze their
realities in relation to all of C, object code, CPU, etc.
A difficult job, after all. Where and how can we attribute any
consistency here?
I don't think it is practical to have GCC implement a different
C language that happens to be consistent with a more or less
arbitrary set of expectations that some people share in some
cases but likely don't share in other cases. Do the writers
of GCC know that there is a shared expectation by its many users
that GCC should stop optimizing and provide some arbitrary rules
as to what values there will be, for cases involving C-undefined
variables? (There would be _many_ value combinations to choose
from ...)
John F. Woods, inventor of the nasal demons, says
http://odetocode.com/Blogs/scott/archive/2004/07/29/363.aspx#494
I suggest that the efforts spent in this discussion could be
transferred to a project improving a gcc based tool that finds
sore spots in C programs and gives hints.
If -O -Wextra or splint -strict don't do enough.
int main(void)
{
signed int x;
x = x;
x ^= x;
x = ((int (*)())x)();
return x;
}
Splint 3.1.1 --- 06 Jan 2006
foo.c: (in function main)
foo.c:4:8: Variable x used before definition
An rvalue is used that may not be initialized to a value on some
execution path. (Use -usedef to inhibit warning)
foo.c:5:4: Left operand of ^= is not unsigned value (int): x ^= x
An operand to a bitwise operator is not an unsigned values. This
may have unexpected results depending on the signed
representations. (Use -bitwisesigned to inhibit warning)
gcc -Wextra -O foo.c
foo.c: In function 'main':
foo.c:4: warning: 'x' is used uninitialized in this function
./a.out
Segmentation fault
-- Georg Bauhaus