[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

Benjamin Kreuter brk7bx at virginia.edu
Tue Apr 29 23:21:24 EDT 2014


On Tue, 2014-04-29 at 19:56 -0400, Arnold Reinhold wrote:
> The C standards committee, as far as I know, only said that signed
> integer overflow was undefined. They never required that code which
> could create such an overflow, and any code dependent on such an
> operation, be removed.

Maybe so, but it is also not prohibited to remove it.  I would want this
to be optimized by my compiler:

if(x > x + 1) { /* ... */ }

Yet someone might have been using "x > x + 1" as a way to check "x ==
INT_MAX", and such an optimization would cause a problem for them.

> It is every bit as irresponsible to silently remove safety checks
> placed in software by programmers who may not have understood all the
> implications of “undefined” or did not fully grasp the arcane
> techniques needed to write “legal” safety checks.

Perhaps a language that requires arcane techniques to write safe code
should not be used for anything security sensitive.

> In no context is it acceptable to knowingly remove or defeat someone
> else’s safety mechanisms without permission, much less without warning.

How do you know something is a safety check?  What you are really saying
here is that compilers should never silently optimize undefined
behavior.  This is probably not possible, so at best you will have a
compiler that warns about *common* undefined behaviors that are easy to
detect (which popular compilers already can do).

If optimizers were truly *forbidden* from relying on anything that might
be undefined behavior in C, almost no good optimization would be
possible.  It is reasonable and necessary for the optimizer to leave it
up to the programmer to prevent undefined behavior.
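For contrast, here is an added example (not from this thread or from GCC) showing the kind of overflow check GCC bug 30475 concerns beside a well-defined replacement; the function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The idiom at issue: it only "works" if signed overflow wraps, but signed
 * overflow is undefined in C, so the optimizer may legally fold this to
 * false. It is not a reliable check and is shown only for comparison. */
bool overflow_check_ub(int x)
{
    return x + 1 < x;   /* undefined behaviour when x == INT_MAX */
}

/* Well-defined replacement: compare against the limits before adding,
 * so no intermediate expression can overflow. */
bool add_would_overflow(int x, int y)
{
    if (y > 0)
        return x > INT_MAX - y;   /* INT_MAX - y cannot overflow for y > 0 */
    return x < INT_MIN - y;       /* INT_MIN - y cannot overflow for y <= 0 */
}

/* Performs x + y only when the result is representable; returns false
 * (and leaves *out untouched) otherwise. */
bool checked_add(int x, int y, int *out)
{
    if (add_would_overflow(x, y))
        return false;
    *out = x + y;
    return true;
}

int main(void)
{
    int r;
    if (checked_add(INT_MAX, 1, &r))
        printf("INT_MAX + 1 = %d\n", r);
    else
        printf("INT_MAX + 1 would overflow, add refused\n");
    if (checked_add(40, 2, &r))
        printf("40 + 2 = %d\n", r);
    return 0;
}
```

The first function is intentionally left in its unsafe form so the two can be read side by side; only `add_would_overflow` and `checked_add` are safe at every optimization level.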