Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
On Wed, 25 Sep 2013, Adam Borowski wrote:
> On Wed, Sep 25, 2013 at 09:38:18AM -0700, Russ Allbery wrote:
> > Thorsten Glaser <email@example.com> writes:
> > > Russ Allbery <rra <at> debian.org> writes:
> > Programs that don't check the return status of functions that they think
> > won't ever fail are a bit of a pet peeve of mine, in part because it would
> > make a lot of sense for localtime() to be able to fail when the question
> > it was asked is undefined. But no one ever checks the return status of
> > localtime() for much the same reason that you spell out for not checking
> > the return status of crypt(), which means that localtime() is required by
> > all this legacy code to return arbitrary nonsense instead of an error.
Too bad it won't work in this specific case, but one could use Coccinelle or
another static checker tool to track down crypt() calls without a subsequent
test for NULL.
That would still require a sweep on the source of the entire archive,
though, as well as periodic testing to make sure the braindamage doesn't find
its way back as new packages or new upstream versions.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
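
The check suggested in the reply above (finding crypt() calls with no subsequent test for NULL) can be roughed out as a line-based triage script. This is an added example, not part of the original message and not a Coccinelle semantic patch: it is a regex heuristic in Python that will also flag prototypes and comments that mention crypt(). The function names and the sample C source are constructed for illustration.

```python
import re

# Constructed sample C source for the demonstration (not from any real package).
SAMPLE_C = r'''
int bad_direct(const char *pw, const char *hash) {
    return strcmp(crypt(pw, hash), hash) == 0;
}
int bad_assigned(const char *pw, const char *hash) {
    char *enc = crypt(pw, hash);
    return strcmp(enc, hash) == 0;
}
int good(const char *pw, const char *hash) {
    char *enc = crypt(pw, hash);
    if (enc == NULL)
        return 0;
    return strcmp(enc, hash) == 0;
}
int good_inline(const char *pw, const char *hash) {
    char *enc;
    if ((enc = crypt(pw, hash)) == NULL) return 0;
    return strcmp(enc, hash) == 0;
}
'''

CALL = re.compile(r'\bcrypt\s*\(')                    # crypt(, but not crypt_r( or mycrypt(
ASSIGN = re.compile(r'\b(\w+)\s*=\s*crypt\s*\(')      # var = crypt(
INLINE_TEST = re.compile(r'\)\s*[!=]=\s*(NULL|0)\b|!\s*\(\s*\w+\s*=\s*crypt\b')

def is_null_test(line, var):
    """True if the line compares var against NULL/0 or tests it with ! or if (var)."""
    v = re.escape(var)
    pat = r'!\s*%s\b|\b%s\s*[!=]=\s*(NULL|0)\b|\b(NULL|0)\s*[!=]=\s*%s\b|\bif\s*\(\s*%s\s*\)' % (v, v, v, v)
    return re.search(pat, line) is not None

def find_unchecked_crypt(source):
    """Return [(line_no, reason)] for crypt() results used before a NULL test."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CALL.search(line):
            continue
        m = ASSIGN.search(line)
        if m is None:
            findings.append((i + 1, "result passed on without being stored"))
        elif not INLINE_TEST.search(line):
            var = m.group(1)
            # The first later line that mentions the variable must be the NULL test.
            uses = [l for l in lines[i + 1:] if re.search(r'\b%s\b' % re.escape(var), l)]
            if uses and not is_null_test(uses[0], var):
                findings.append((i + 1, "'%s' used before a NULL test" % var))
    return findings
```

Hits from a scan like this are candidates for manual review, not confirmed bugs.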