This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH][4.3] Deprecate -ftrapv


Hi -

On Sun, Mar 02, 2008 at 10:20:30AM -0500, Robert Dewar wrote:
> [...]
> >(Off topic, but I'd expect that avionics software is engineered with
> >enough layers of protection, including catching traps, so that a
> >-ftrapv hit would not cause a deep impact.)
> 
> As I say, it is more usual in avionics software to rely on proving
> or demonstrating during the certification process that the code
> is correct. [... and exception trapping is sometimes disabled on
> deployed code ...]

Wow.  This gives one the impression of eschewing defense in depth,
but I suppose the overall record (positive and negative) speaks for
itself.


> >>[...] However, in practice, it is hard to imagine a
> >>security-critical piece of software that would not take equal care
> >>to avoid any possibility of exceptional conditions at run time.
> >
> >Maybe, but we just don't live in that world. 
> 
> I am not sure who "we" is here, those of us who live in the
> DO-178B and MILS worlds definitely do take that kind of care.

If you're saying that security-related software written by people
working in DO-178B workflows tends to be as well cared-for as
safety-related software, OK.  But most security-related software we
normal folks use is not written by such people / processes.


> [...]  Again, the issue is whether such things are for finding bugs
> during development, or defending against bugs that make it through
> the entire development process.

Those decisions may be made by separate people or even organizations.
An OS distributor can decide to use different compiler flags than the
code author - whether that be for extra trustworthiness, speed,
portability, compatibility.  Ideally, protective measures should be
usable for either subject.


> Even in the Ada world, it is normal to turn off exceptions in
> safety-critical code for the final delivered software that runs on
> planes.

(Drifting farther off topic onto my personal curiosity: are exception
handling paths just not considered powerful & robust enough to design
in and rely on?  Do these machines have e.g. watchdog timers?  Run -O2
vs. -O0 code?)


- FChE
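The thread above contrasts a run-time trap on signed overflow (what -ftrapv provides, chosen by whoever compiles the code) with checks the code author builds in, which hold regardless of compiler flags. The following is an added illustration written for this archive page, not code from the thread or from GCC itself: it reports the overflow condition -ftrapv would trap on, and shows one author-side policy (saturation) for handling it. It assumes a compiler that provides the __builtin_add_overflow / __builtin_mul_overflow builtins (GCC 5 or later, or Clang).

```c
/* Added example, not from the gcc@ thread: explicit signed-overflow
   detection that does not depend on -ftrapv.  Assumes GCC >= 5 or Clang
   for the __builtin_*_overflow builtins. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* -ftrapv makes signed +, -, * trap at run time when the mathematical
   result does not fit the type.  This helper reports the same condition
   for int addition as a value the program can act on, without ever
   performing the (undefined) overflowing addition itself. */
static bool add_would_overflow(int a, int b)
{
    int scratch;
    return __builtin_add_overflow(a, b, &scratch);
}

/* Same check for int multiplication, the other common source of
   -ftrapv hits (e.g. count * element_size before an allocation). */
static bool mul_would_overflow(int a, int b)
{
    int scratch;
    return __builtin_mul_overflow(a, b, &scratch);
}

/* Saturating addition: one policy a code author can pick instead of
   leaving the outcome to compiler flags.  Returns the exact sum when it
   fits, otherwise clamps to INT_MIN or INT_MAX toward the operands' sign. */
static int add_sat(int a, int b)
{
    int sum;
    if (!__builtin_add_overflow(a, b, &sum))
        return sum;
    return (a < 0) ? INT_MIN : INT_MAX;
}

int main(void)
{
    /* Constructed inputs: the first two would trap under -ftrapv. */
    printf("INT_MAX + 1 overflows: %d\n", add_would_overflow(INT_MAX, 1));
    printf("46341 * 46341 overflows: %d\n", mul_would_overflow(46341, 46341));
    printf("46340 * 46340 overflows: %d\n", mul_would_overflow(46340, 46340));
    printf("saturated INT_MAX + 1 = %d\n", add_sat(INT_MAX, 1));
    printf("saturated 2 + 3 = %d\n", add_sat(2, 3));
    return 0;
}
```

The distinction the thread draws maps directly onto these two mechanisms: -ftrapv is a deployment-time decision that aborts the process when the overflow happens, while the checks above are a development-time decision that lets the program decide what an out-of-range result should mean.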

