[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Oct 30 21:29:41 EDT 2015 

Ray Dillinger <bear at sonic.net> writes:

>Am I wrong?

Oh, you're just assuming the gcc devs are following their usual "policy of
delivering the most useless possible conformance" :-).  Here's what the gcc
docs say for the annotation:

  The nonnull attribute specifies that some function parameters should be non-
  null pointers. For instance, the declaration:

          extern void *
          my_memcpy (void *dest, const void *src, size_t len)
          	__attribute__((nonnull (1, 2)));
     
  causes the compiler to check that, in calls to my_memcpy, arguments dest and
  src are non-null. If the compiler determines that a null pointer is passed
  in an argument slot marked as non-null, and the -Wnonnull option is enabled,
  a warning is issued. The compiler may also choose to make optimizations
  based on the knowledge that certain function arguments will not be null.

Here's what gcc actually does:

  The nonnull attribute specifies that some function parameters should be non-
  null pointers. For instance, the declaration [...] causes the compiler to
  silently remove any checks for null pointers in the code when compiling it.
  No warnings will be issued.

So it does pretty much the reverse of what the documentation says.  The reason
I asked for people's interpretations was because I wanted to see what the
average user would expect to happen based on what's documented.  So far my
data is mostly anecdotal, arising from discussions with people who had used
the annotation and thought it did what the docs implied, not what gcc actually
does.

I had an offline discussion with someone playing devil's advocate to try and
justify this behaviour, by pointing to the added-as-an-afterthought "The
compiler may also choose to make optimizations based on the knowledge that
certain function arguments will not be null".  So the question for this is,
why would you write code that carefully checks for null pointers, and then
annotate it to tell the compiler to ignore the code that checks for null
pointers?

(For people who are going to leap in with "but you've told the compiler that
the pointer is non-null", read the above paragraph again.  Why would you first
write code to carefully check for null pointers, then tell the compiler to
silently ignore that code?).

Peter.

More information about the cryptography mailing list