[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code

Thierry Moreau thierry.moreau at connotech.com
Sat Oct 31 17:39:57 EDT 2015


Hi!

Now I am teaching programming subtleties to Peter ...

On 31/10/15 01:29 AM, Peter Gutmann wrote:
>
> Here's what the gcc
> docs say for the annotation:
>
>    The nonnull attribute specifies that some function parameters should be non-
>    null pointers. For instance, the declaration:
>
>            extern void *
>            my_memcpy (void *dest, const void *src, size_t len)
>            	__attribute__((nonnull (1, 2)));
>
>    causes the compiler to check that, in calls to my_memcpy, arguments dest and
>    src are non-null. If the compiler determines that a null pointer is passed
>    in an argument slot marked as non-null, and the -Wnonnull option is enabled,
>    a warning is issued.

This is a compile-time verification, a compile-time warning. It is 
obviously the case that compile-time "determinations" are limited, and a 
reasonable programmer would not expect a compile-time warning for a null 
pointer that can be "determined" only at run-time.

>    The compiler may also choose to make optimizations
>    based on the knowledge that certain function arguments will not be null.

These potential optimizations would typically be *within* the function 
definition.

>
> Here's what gcc actually does:
>
>    The nonnull attribute specifies that some function parameters should be non-
>    null pointers. For instance, the declaration [...] causes the compiler to
>    silently remove any checks for null pointers in the code when compiling it.
>    No warnings will be issued.
>

The avoided warning would be that the removed checks were optimized away.

- Thierry

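As an added illustration of the point under discussion (this is not code from the thread or from the GCC documentation; only `my_memcpy` and its attribute come from the quoted docs, while `checked_memcpy` and `nonnull_demo` are hypothetical names of my own), here is where a run-time NULL test does and does not survive. A test written inside a function whose parameter carries `nonnull` is dead code as far as the optimizer is concerned and may be dropped, so the annotated callee below contains none; the test lives in an unannotated wrapper and runs before the annotated call, where the compiler has no licence to remove it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * my_memcpy is the function from the quoted GCC documentation. The attribute
 * tells the compiler that arguments 1 and 2 are never NULL, so a NULL test
 * written inside this body is unreachable from the optimizer's point of view
 * and may be removed. The body therefore contains no such test: a NULL here
 * is a caller bug (undefined behaviour), not a condition this function handles.
 */
extern void *my_memcpy(void *dest, const void *src, size_t len)
    __attribute__((nonnull(1, 2)));

void *my_memcpy(void *dest, const void *src, size_t len)
{
    return memcpy(dest, src, len);
}

/*
 * checked_memcpy is a hypothetical wrapper, not part of GCC or of the thread.
 * It carries no nonnull attribute, so the compiler may not drop this test,
 * and the test runs before the annotated call, so nothing the compiler infers
 * from that call can reach back to it. Returns -1 on a NULL argument, 0 on
 * success.
 */
int checked_memcpy(void *dest, const void *src, size_t len)
{
    if (dest == NULL || src == NULL)
        return -1;
    my_memcpy(dest, src, len);
    return 0;
}

/*
 * Exercises both paths on constructed input. Returns 1 when every expectation
 * holds, 0 otherwise.
 *
 * Calling my_memcpy(NULL, src, n) directly would be the case the quoted docs
 * describe: with a literal NULL the compiler can see, -Wnonnull warns at
 * compile time; with a NULL that only appears at run time, nothing warns, and
 * a NULL test inside my_memcpy would not have been relied upon to survive.
 */
int nonnull_demo(void)
{
    char dst[4] = {0};
    const char src[4] = "abc";   /* constructed sample input */

    if (checked_memcpy(NULL, src, sizeof src) != -1)
        return 0;
    if (checked_memcpy(dst, NULL, sizeof src) != -1)
        return 0;
    if (checked_memcpy(dst, src, sizeof src) != 0)
        return 0;
    return memcmp(dst, src, sizeof src) == 0;
}

int main(void)
{
    int ok = nonnull_demo();
    printf("nonnull_demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build it with `gcc -O2 -Wall` to see the behaviour at the optimization level where checks get elided. Newer GCC releases also ship `-Wnonnull-compare` (enabled by `-Wall`), which flags a comparison of a `nonnull` parameter against NULL inside the annotated function itself; that is the cheapest way to find the pattern in an existing code base before the optimizer quietly removes it.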