[Cryptography] GCC bug 30475

Bear bear at sonic.net
Fri Apr 25 22:36:13 EDT 2014


On Fri, 2014-04-25 at 09:24 -0700, Nemo wrote:

> GCC and Clang have done some work along these lines with
> "-fsanitize-undefined":
> 
>   http://stackoverflow.com/questions/20738232/
> 
> But (a) it will never be complete and (b) if it ever were complete, the
> performance cost would be so high that it would not be C anymore.

Hey, that's useful!  I have no idea why I had never spotted that
in the compiler docs before.  So, I've added that to my default options
list; we'll see if it catches anything!

Incidentally, in the hopes that this might be useful for others
and in hopes that someone can give me a hint to add something
security-relevant and useful, my default options lists for
gcc are now:

# I want warnings about essentially everything which can
# produce a linguistic ambiguity under the standard or which
# probably indicates bad coding style, if gcc can warn me.

# this is the compiler invocation for c++
# for c++ see also 'scan-build' options for static analyzer
g++ -fstrict-overflow -fmax-errors=10 -fno-nonansi-builtins \
    -fsanitize=undefined -fuse-cxa-atexit -Wall -Wextra -std=c++11 \
    -Wpedantic -Wformat=2 -Wctor-dtor-privacy -Wmissing-include-dirs \
    -Wswitch-default -Wtrampolines -Wfloat-equal -Wundef -Wswitch-enum \
    -Wstrict-overflow=4 -Wshadow -Wcast-qual -Wcast-align -Wconversion \
    -Wzero-as-null-pointer-constant -Wlogical-op -Wstrict-null-sentinel \
    -Wold-style-cast -Wnormalized=nfkc

# and this would be for C code.
# for C, see also 'splint' options for static analyzer.
# (-Wzero-as-null-pointer-constant is a C++-only option; gcc reports it
# as not valid for C, so it is left out of the C invocation.)
gcc -fstrict-overflow -fmax-errors=10 -fno-nonansi-builtins \
    -fsanitize=undefined -Wall -Wextra -std=c11 -Wpedantic -Wformat=2 \
    -Winit-self -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
    -Wunused-local-typedefs -Wstrict-overflow=4 -Wtrampolines \
    -Wfloat-equal -Wtraditional-conversion -Wundef -Wshadow \
    -Wbad-function-cast -Wc++-compat -Wcast-qual -Wcast-align \
    -Wwrite-strings -Wconversion \
    -Wlogical-op -Wold-style-definition -Wnormalized=nfkc \
    -Wlong-long

This elicits just about every warning that gcc knows how to
give.  I get a few more from static analyzers.  I could have
cranked up -Wstrict-overflow another level but the level-5
warnings are pretty much all useless there.

Now, in relation to the particular issue we've been discussing --
the first option, -fstrict-overflow -- forces an exception on
any signed overflow.  -Wstrict-overflow causes a warning when
code is seen that is likely to cause an overflow (i.e., if the
compiler cannot prove that it won't).

			Bear
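An added example (not from the post or its author) showing the kind of signed-overflow code the flags above are aimed at: `checked_add` tests for overflow before performing the addition, so the operation is always defined; `naive_add` does the add first and then checks, which is the pattern `-Wstrict-overflow` warns about and `-fsanitize=undefined` reports at run time. Both function names are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-checked signed addition. The range test runs before the add,
 * so the undefined operation is never executed: -Wstrict-overflow has
 * nothing to simplify away and -fsanitize=undefined does not fire.
 * Returns false (and leaves *out untouched) when a+b would overflow. */
bool checked_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Naive version: the check is written AFTER the add. The add itself is
 * undefined on overflow, so with -fstrict-overflow gcc may assume it
 * cannot wrap and delete the "sum < a" comparison (this is what the
 * -Wstrict-overflow "assuming signed overflow does not occur" warning
 * points at), while -fsanitize=undefined inserts a runtime check that
 * reports the overflow when it actually happens. */
bool naive_add(int a, int b, int *out)
{
    int sum = a + b;
    if ((b > 0 && sum < a) || (b < 0 && sum > a))
        return false;
    *out = sum;
    return true;
}

int main(void)
{
    int r = 0;
    printf("checked_add(INT_MAX, 1): %s\n",
           checked_add(INT_MAX, 1, &r) ? "ok" : "overflow rejected");
    /* naive_add is only called with in-range input here so the program
     * stays well defined; compile with -fsanitize=undefined and feed it
     * INT_MAX, 1 to see the sanitizer report. */
    if (naive_add(40, 2, &r))
        printf("naive_add(40, 2): %d\n", r);
    return 0;
}
```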