[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Oct 31 21:29:47 EDT 2015
Thierry Moreau <thierry.moreau at connotech.com> writes:
>Now I am teaching programming subtleties to Peter ...
Not really, if you know how gcc works then it happens because the warnings are
issued by the front-end before data flow analysis occurs (so cases of
inadvertent NULL pointer use are missed) but then the optimiser later applies
the annotation to mean that the value can never be NULL.
This is about as useful a response as saying "well, there's a race condition
where, if the operator is entering data as the counter overflows, the beam
spreader plate isn't rotated into place and therefore you get hit with X-rays
at 25MeV, that's why your uncle died. Quite straightforward really".
This is more or less the gcc developers' response, they explained in great
detail why gcc does what it does without making an attempt to fix it. When I
asked them to at least update the docs to reflect what would actually happen
when you used the annotation, they ignored the request.
The reason why I asked for other peoples' interpretations of what the
annotation did was because I wanted to see what the typical developer would
think happened when they used it. As I mentioned earlier, from the small
sample of people I've talked to about it, they were under the impression that
it would warn them about inadvertent use of NULL pointers. At least one major
OSS project discontinued use of the annotation after finding out what it
really did. I've defined it to a no-op in my code, it's literally worse than
useless, it has negative value.
(gcc is full of latent pathogens like this one).
Peter.
More information about the cryptography
mailing list