This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH][4.3] Deprecate -ftrapv


Frank Ch. Eigler wrote:
Hi -

On Sun, Mar 02, 2008 at 09:30:25AM -0500, Robert Dewar wrote:

[...]  Safety-critical and security-critical software are two
totally different concepts. Be careful not to confuse them. In
safety-critical software, e.g. avionics system, it is not acceptable
for the system to crash.  In this context, the metaphorical "better
to die", becomes all too real!

(Off topic, but I'd expect that avionics software is engineered with enough layers of protection, including catching traps, so that a -ftrapv hit would not cause a deep impact.)

As I say, it is more usual in avionics software to rely on proving or demonstrating during the certification process that the code is correct. DER's do not look too kindly on code that says "if something is wrong do bla", they want to be convinced that nothing can go wrong.

And don't be sure about impact, as I mentioned the Ariane-5
disaster was caused by a run time exception not handled
properly, the rocket would have been fine if there had
been no overflow test in place. Non-critical wrong answers
are better than having to blow up the rocket some times :-)

[...] However, in practice, it is hard to imagine a
security-critical piece of software that would not take equal care
to avoid any possibility of exceptional conditions at run time.

Maybe, but we just don't live in that world.

I am not sure who "we" is here, those of us who live in the DO-178B and MILS worlds definitely do take that kind of care.

However, I would suspect that -ftrapv is likely to be viewed and
used only as a debugging aid in C, rather than something you
routinely deploy in delivered software to improve security.

I guess it depends on how robust (=> predictable to experts) the mechanism becomes. The glibc fortify widget (enabled by some robust gcc extensions) has found lots of use.

Again, the issue is whether such things are for finding bugs during development, or defending against bugs that make it through the entire development process. Even in the Ada world, it is normal to turn off exceptions in safety-critical code for the final delivered software that runs on planes.

- FChE


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]