[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

On September 21, 2013 09:04:23 PM Bernhard R. Link wrote:
> * Kees Cook <kees@debian.org> [130921 17:08]:
> > In a theoretical sense, sure. In this particular case, why bother breaking
> > it when it's a trivial 1 line fix? My original approach was to fix it in
> > libc and do a mass bug filing. Everyone wins. If we want to reject the
> > undefined behavior, we should modify the compiler to reject it. Seems to
> > me
> > it's a bug to even allow undefined behavior.
> The whole point of undefined behaviour in C is that the
> compiler/implementor/... does not have to care. 

I strongly suspect the "whole point" of undefined behaviour is simply that at 
least two parties on the committee simply couldn't agree on "correct" 

> Checking every time would
> make it slower,

What are you referring to as "it"?  The compiler?  Checking that two arguments 
to a function are the same doesn't strike me as terribly expensive.  

> requesting any specific behaviour would make it slower.

Nonsense -- it has a specific behaviour now.  Since the standard says it is 
undefined, there's nothing stopping us from reverting back to its old behaviour 
which, arguably, better mached people's expectations -- else they wouldn't 
have written the "buggy" code.  Moreover, it is the same behaviour used when 
NOT compiled with _FORTIFY_SOURCE=2.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: