This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



Re: optimization/8537: Optimizer Removes Code Necessary for Security


"Joseph D. Wagner" <wagnerjd@prodigy.net> writes:

> Direct quote from:
> http://gcc.gnu.org/onlinedocs/gcc-3.2/gcc/Bug-Criteria.html
>
> "If the compiler produces valid assembly code that does not correctly
> execute the input source code, that is a compiler bug."

In this case, "correctly" means "correctly according to ISO 9899 and
the GCC documentation", not just "as expected".

> So to all you naysayers out there who claim this is a programming error
> or poor coding, YES, IT IS A BUG!

It would be a bug if GCC would implement Joseph D. Wagner's
Imaginative Version Of C, but the GNU C compiler implements a
different programming language, I'm afraid.

Just because it's unexpected to you and a few others, it's not a bug
automatically.

>> The problem is the standard gives wide latitude in what the optimizer
>> can optimize
>
> Isn't this also the solution?

Solution to which problem?  Of course you can special-case this
particular instance in the optimizer, but this isn't a good idea.
There's already enough bloat in GCC.

>  Can't the optimizer check to see if the function is memset(), and
> if so check to see if the value is 0 or NULL, and if so leave it in?

This only solves one particular incarnation of the more general
problem.  Currently, when you have scrubbing requirements, you have to
inspect the object code anyway, even if any of the changes to GCC
suggested so far were made.  There is no way to tell the compiler,
"this data is critical, don't make any copies of it".

Anyway, correct scrubbing is only a very weak form of protection and
prone to race conditions in multi-tasking environments.  Although one
of the most widely used operating systems doesn't do any scrubbing on
the operating system level, this is hardly a problem we want to and
can fix in GCC.
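
An added example, not part of the message above or of GCC: the memset() scrubbing pattern the thread discusses, next to a commonly used idiom that writes the zeros through a volatile-qualified pointer so the stores are not treated as dead. All names (check_naive, scrub, check_scrubbed, scrub_leftover) and the secret value are constructed for illustration; the idiom addresses only the removed store, not copies of the data left in registers or spill slots, so the object code still has to be inspected as the message says.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_SECRET "constructed-sample-secret"   /* constructed value */

/* Pattern from the thread: secret[] is never read after memset(), so the
 * store is unobservable in the abstract machine and may be dropped. */
int check_naive(const char *input)
{
    char secret[32] = SAMPLE_SECRET;
    int ok = strcmp(input, secret) == 0;
    memset(secret, 0, sizeof secret);    /* candidate for dead-store removal */
    return ok;
}

/* Hypothetical helper: each byte is stored through a volatile lvalue. */
void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

int check_scrubbed(const char *input)
{
    char secret[32] = SAMPLE_SECRET;
    int ok = strcmp(input, secret) == 0;
    scrub(secret, sizeof secret);        /* replaces the memset() call */
    return ok;
}

/* Fills a buffer, scrubs it, and returns how many nonzero bytes remain. */
size_t scrub_leftover(void)
{
    unsigned char buf[64];
    size_t i, left = 0;
    memset(buf, 0xA5, sizeof buf);
    scrub(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        left += (buf[i] != 0);
    return left;
}

int main(void)
{
    printf("naive=%d scrubbed=%d leftover=%zu\n", check_naive(SAMPLE_SECRET),
           check_scrubbed("wrong"), scrub_leftover());
    return 0;
}
```

Compiling with `gcc -O2 -S` and comparing the assembly of check_naive and check_scrubbed shows whether the zeroing survived in each.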

