[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code

Ray Dillinger bear at sonic.net
Sat Oct 31 14:41:53 EDT 2015



On 10/30/2015 06:29 PM, Peter Gutmann wrote:
> Ray Dillinger <bear at sonic.net> writes:
> 
>> Am I wrong?
> 
> Oh, you're just assuming the gcc devs are following their usual "policy of
> delivering the most useless possible conformance" :-).  Here's what the gcc
> docs say for the annotation:
> 
>   The nonnull attribute specifies that some function parameters should be non-
>   null pointers. For instance, the declaration:
> 
>           extern void *
>           my_memcpy (void *dest, const void *src, size_t len)
>           	__attribute__((nonnull (1, 2)));
>      
>   causes the compiler to check that, in calls to my_memcpy, arguments dest and
>   src are non-null. If the compiler determines that a null pointer is passed
>   in an argument slot marked as non-null, and the -Wnonnull option is enabled,
>   a warning is issued. The compiler may also choose to make optimizations
>   based on the knowledge that certain function arguments will not be null.
> 
> Here's what gcc actually does:
> 
>   The nonnull attribute specifies that some function parameters should be non-
>   null pointers. For instance, the declaration [...] causes the compiler to
>   silently remove any checks for null pointers in the code when compiling it.
>   No warnings will be issued.
> 
> So it does pretty much the reverse of what the documentation says.  

Well, you're right that I was assuming most useless possible
conformance.  I hadn't read that specific doc, but that's
exactly what I'd have seen it saying that gcc will do if I had,
even on the most straightforward reading.  I wouldn't have
been surprised, or even annoyed.  My reaction would be, "yep,
exactly what it says on the tin."

This conformance, as usual for gcc, is _technically_ correct.
"The compiler may choose to make optimizations based on the
knowledge that certain function arguments will be non-null... "
is EXACTLY what happened to your code.

A pragma like that is a promise you are making to the compiler
about the correctness of your code.  "Cool," gcc will say,
"this knowledge is something I get for free directly from the
programmer, I don't even have to prove it!"  It'll take it as
gospel, do optimizations based on it, and produce smaller,
faster code.

As a bonus it'll even warn you, as the doc mentions, if it
*happens* to prove that you're wrong.  But why would it attempt
such a proof?  It has your word on it, and the spec says it's
entitled to assume you're right. Otherwise it wouldn't be
allowed to do optimizations based on the knowledge.

Reasonable compilers given that pragma might make an honest
effort to prove what you said and issue a warning if they can't
prove that you're right.

But gcc isn't reasonable.  gcc is like the dev who follows your
order to "fix all the bugs you find" by playing minecraft all
day.  Hey, why would you complain?  He fixed all the bugs he
found!

				Bear

---
"The most likely way for the world to be destroyed, most experts
  agree, is by accident. That's where we come in. We're
  computer professionals. We cause accidents."
                - Nathaniel Borenstein

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151031/5e57c51f/attachment.sig>


More information about the cryptography mailing list