Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

On September 21, 2013 09:04:23 PM Bernhard R. Link wrote:
> * Kees Cook <kees@debian.org> [130921 17:08]:
> > In a theoretical sense, sure. In this particular case, why bother breaking
> > it when it's a trivial 1 line fix? My original approach was to fix it in
> > libc and do a mass bug filing. Everyone wins. If we want to reject the
> > undefined behavior, we should modify the compiler to reject it. Seems to me
> > it's a bug to even allow undefined behavior.
> 
> The whole point of undefined behaviour in C is that the
> compiler/implementor/... does not have to care. 

I strongly suspect the "whole point" of undefined behaviour is simply that at 
least two parties on the committee simply couldn't agree on "correct" 
behaviour.

> Checking every time would
> make it slower,

What are you referring to as "it"?  The compiler?  Checking that two arguments 
to a function are the same doesn't strike me as terribly expensive.  

> requesting any specific behaviour would make it slower.

Nonsense -- it has a specific behaviour now.  Since the standard says it is 
undefined, there's nothing stopping us from reverting back to its old behaviour 
which, arguably, better matched people's expectations -- else they wouldn't 
have written the "buggy" code.  Moreover, it is the same behaviour used when 
NOT compiled with _FORTIFY_SOURCE=2.


-Steve
