Re: Having fun with the following C code (UB)

To: debian-devel@lists.debian.org
Subject: Re: Having fun with the following C code (UB)
From: Vincent Lefevre <vincent@vinc17.net>
Date: Mon, 14 Apr 2014 12:56:05 +0200
Message-id: <[🔎] 20140414105605.GA5354@ypig.lip.ens-lyon.fr>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87fvlk50gp.fsf@windlord.stanford.edu>
References: <CA+7wUsxcFAYzKJ-nTJviE_v5y_-2c9G79R4gL0GYEat0Db2E+w@mail.gmail.com> <[🔎] 20140410100321.GB18703@grep.be> <[🔎] 20140410102950.GA7517@jwilk.net> <[🔎] 20140410104203.GD18703@grep.be> <[🔎] 21318.32941.351261.72783@chiark.greenend.org.uk> <[🔎] Pine.BSM.4.64L.1404101147250.23837@herc.mirbsd.org> <[🔎] 20140410153409.GA32321@xvii.vinc17.org> <[🔎] 21318.56319.795404.108549@chiark.greenend.org.uk> <[🔎] 5346F981.9010802@debian.org> <[🔎] 87fvlk50gp.fsf@windlord.stanford.edu>

On 2014-04-10 14:38:46 -0700, Russ Allbery wrote:
> I don't want, necessarily, to have slower code to make handling
> corner cases easier. However, I am generally happy to have slower
> code in return for making the system more secure, as long as the
> speed hit isn't too substantial. Security is a much bigger problem
> than performance right now for most people.

I agree that security (in the hypothesis that bugs may remain in
the software) is preferable to speed, but assuming wrapped signed
arithmetic is the wrong thing to do, and using -fwrapv may reveal
bugs. For instance, you may have tests like:

  a + C1 > b + C2

where C1 and C2 are two constants such that C2 > C1 > 0. Without
-fwrapv, the compiler would typically rewrite the above test as:
a > b + C3, where C3 = C2 - C1. But with -fwrapv, you'll still get
the same test a + C1 > b + C2. If a + C1 overflows (which is a bug
in the code, but was hidden by the optimization), this will give a
different (and wrong) result.

The behavior without -fwrapv is closer to what the user would expect.
So, using -fwrapv gives a false sense of security.

IMHO, in general, for security, it is better to run code with a
sanitizer (such as "clang -fsanitize=undefined -fno-sanitize-recover",
assuming that the code does not use floating point), as long as
denial of service due to a crash from a bug is regarded as preferable
to uncontrolled behavior.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: Having fun with the following C code (UB)
  - From: Jakub Wilk <jwilk@debian.org>

References:
- Re: Having fun with the following C code (UB)
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Having fun with the following C code (UB)
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Having fun with the following C code (UB)
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Having fun with the following C code (UB)
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Having fun with the following C code (UB)
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: Having fun with the following C code (UB)
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Having fun with the following C code (UB)
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Having fun with the following C code (UB)
  - From: Shachar Shemesh <shachar@debian.org>
- Re: Having fun with the following C code (UB)
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Fwd: Trilinos: to split or not to split
Next by Date: Re: Having fun with the following C code (UB)
Previous by thread: Re: Having fun with the following C code (UB)
Next by thread: Re: Having fun with the following C code (UB)
Index(es):
- Date
- Thread