This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Obscure crashes due to gcc 4.9 -O2 => -fisolate-erroneous-paths-dereference
- From: Florian Weimer <fweimer at redhat dot com>
- To: Jeff Law <law at redhat dot com>, Jonathan Wakely <jwakely dot gcc at gmail dot com>
- Cc: Sandra Loosemore <sandra at codesourcery dot com>, Jakub Jelinek <jakub at redhat dot com>, Jeff Prothero <jprother at altera dot com>, "gcc at gcc dot gnu dot org" <gcc at gcc dot gnu dot org>
- Date: Fri, 20 Feb 2015 18:09:44 +0100
- Subject: Re: Obscure crashes due to gcc 4.9 -O2 => -fisolate-erroneous-paths-dereference
- References: <pdf61azt48b dot fsf at sj-interactive3 dot altera dot com> <20150218192943 dot GR1746 at tucnak dot redhat dot com> <54E64DFF dot 8030100 at codesourcery dot com> <54E71534 dot 8070805 at redhat dot com> <CAH6eHdT3jPVY-5n009r9xyRkhXUQkPkAN5cPGJEL+DREREO_+A at mail dot gmail dot com> <54E76870 dot 2070502 at redhat dot com>
On 02/20/2015 06:01 PM, Jeff Law wrote:
> But that's always true -- this isn't any different than aliasing,
> arithmetic overflow, etc. The standards define the contract between the
> compiler/library implementors and the developers. Once the contract is
> broken, all bets are off.
What I don't like about this case (std::vector<T>::data() returning
nullptr vs memcpy/memcmp/qsort non-null assertions) is that it is
internally non-composing in a totally non-obvious way. data() is
explicitly intended to cover interoperability with these older C
functions, and it fails.
But you are right about overflows. I think we should give up and just
enable -fwrapv by default in Fedora and downstream. This issue has been
explicitly documented since 2002 at least (explicitly with
security-related checks in mind), and programmers still write overflow
checks which are only correct with -fwrapv, and it passes code review.
I fear that's not going to change, ever.
--
Florian Weimer / Red Hat Product Security
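As an added illustration of the two cases Florian raises (not code from this thread or from GCC), the snippet below shows an empty-vector memcpy guarded so that a null `data()` never reaches the C call, and a signed overflow check written so it does not rely on -fwrapv. The helper names `copy_bytes`, `add_checked_wrapv_only` and `add_checked` are hypothetical.

```cpp
#include <climits>
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical helper: copy a vector's bytes into dst.
// For an empty vector, v.data() may be nullptr, and memcpy(dst, nullptr, 0)
// is undefined behaviour (the pointer arguments must be valid even when
// n == 0), so GCC's -fisolate-erroneous-paths-dereference may replace the
// call with a trap. Checking the size first keeps the call inside the contract.
std::size_t copy_bytes(unsigned char* dst, const std::vector<unsigned char>& v) {
    if (v.empty()) return 0;          // never hand a possibly-null pointer to memcpy
    std::memcpy(dst, v.data(), v.size());
    return v.size();
}

// The overflow check that is only correct under -fwrapv: signed overflow is
// undefined, so at -O2 the compiler may assume a + b cannot wrap and delete
// the comparison entirely. Kept here only as the "before" form; not tested.
bool add_checked_wrapv_only(int a, int b, int* out) {
    int sum = a + b;                  // undefined when it overflows
    if ((b > 0 && sum < a) || (b < 0 && sum > a)) return false;
    *out = sum;
    return true;
}

// Well-defined form: test the operands against the limits before adding,
// so no undefined arithmetic is ever evaluated, with or without -fwrapv.
bool add_checked(int a, int b, int* out) {
    if (b > 0 && a > INT_MAX - b) return false;   // would exceed INT_MAX
    if (b < 0 && a < INT_MIN - b) return false;   // would go below INT_MIN
    *out = a + b;
    return true;
}
```

On GCC and Clang, `__builtin_add_overflow(a, b, out)` expresses the same well-defined check in one call.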