
Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

* Kees Cook <kees@debian.org> [130921 17:08]:
> In a theoretical sense, sure. In this particular case, why bother breaking
> it when it's a trivial 1 line fix? My original approach was to fix it in
> libc and do a mass bug filing. Everyone wins. If we want to reject the
> undefined behavior, we should modify the compiler to reject it. Seems to me
> it's a bug to even allow undefined behavior.

The whole point of undefined behaviour in C is that the compiler/implementor/...
does not have to care. Checking every time would make it slower;
requesting any specific behaviour would make it slower. (Some argue a
compiler might not even reject a program with only undefined behaviour,
but that the standard requires some program as result, just making no
claim about what that program should do.)
The compiler not warning against it is a shortcoming, but not a bug.
Writing a program that invokes undefined behaviour is a bug.

And even if the library was fixed, as long as the program has undefined
behaviour, every future gcc version is still free to give it any
behaviour it chooses to.

        Bernhard R. Link
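As an added illustration of the point made in this message (this code is not part of the thread, and is not from either of its authors), here is the kind of check where "the compiler does not have to care" bites: a bounds test written in terms of signed overflow is undefined behaviour, so an optimising compiler is entitled to delete it, whereas the same test written against `INT_MAX` or in terms of sizes is well defined on every compiler version. The function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Undefined version: `len + 1 < len` can only be true if `len + 1` overflows,
 * and signed overflow is undefined in C. GCC at -O2 is free to fold this to
 * `false`, so the "check" may silently disappear from the binary. No library
 * fix can restore it; the defect is in the program. */
bool would_overflow_ub(int len) {
    return len + 1 < len;
}

/* Defined version: compare against INT_MAX before adding, so no overflow
 * ever happens and the result is the same under any optimisation level. */
bool would_overflow_defined(int len) {
    return len > INT_MAX - 1;
}

/* Bounds check on a buffer copy done with sizes rather than by forming a
 * pointer past the end of the object (which is also undefined). Returns
 * true when copying `n` bytes at offset `off` fits in `cap` bytes. */
bool copy_fits(size_t cap, size_t off, size_t n) {
    if (off > cap) {
        return false;
    }
    return n <= cap - off;
}

int main(void) {
    /* The first line may print 0 or 1 depending on compiler and flags;
     * the second always prints 1. */
    printf("ub check at INT_MAX:      %d\n", would_overflow_ub(INT_MAX));
    printf("defined check at INT_MAX: %d\n", would_overflow_defined(INT_MAX));
    printf("copy_fits(16, 8, 9):      %d\n", copy_fits(16, 8, 9));
    return 0;
}
```

Building the same file with `gcc -O0` and `gcc -O2 -Wall` is a quick way to see the first line change while the other two stay put; `-Wstrict-overflow` or `-fsanitize=undefined` will flag the undefined variant, which is the build-time testing the thread's subject line asks for.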
