On Mon, Jan 22, 2007 at 06:48:16PM -0500, Andreas Bogk wrote:
> Ian Lance Taylor wrote:
> > I just want to report that I have a working patch to generate warnings
> > every time gcc modifies code relying on the fact that signed overflow
> > is undefined, except for cases where signed loop indexes are assumed
> > to not wrap around. I plan to start submitting this patch soon.
>
> Having that would be a useful tool for the security folks to have, to go
> out and assess the threat that really lurks in the code out there. My
> gut feeling is that we will find quite some problems, in fact so many
> that "secure by default" is an argument that will outweigh performance.
You appear to mistakenly believe that wrapping around on overflow is a more secure option. It might be, but it usually is not. There are many CERT security flaws involving integer overflow; the fact that they are security bugs has nothing to do with the way gcc generates code, as the "wrapv" output is insecure. AFAIK, "overflow doesn't occur" assumptions occur in currently shipping compilers mainly in expression simplification (see previous examples in this thread) and loop unrolling, and in either case application codes are almost always written with a blithe assumption that overflow does not occur. Recent proposed changes to make value range propagation more aggressive do look like they have the potential to tweak bugs, and it looks like those changes aren't going to be enabled by default.
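To make the "expression simplification" point concrete, here is an added C example (not code from this thread; the function names are my own): the first check is the kind gcc may fold away because it relies on signed wrap-around, and it gives a wrong answer even under -fwrapv for negative addends; the second compares against the limits before adding and never evaluates the overflowing expression.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Naive pre-check written with a "wrapping" mental model.  Since signed
 * overflow is undefined in C, the optimizer may fold (a + b < a) to (b < 0)
 * and the check disappears.  Even with -fwrapv, where it keeps its literal
 * meaning, it misses negative overflow: INT_MIN + (-1) wraps to INT_MAX,
 * which is not less than INT_MIN, so the bogus sum is accepted. */
bool add_checked_naive(int a, int b, int *out) {
    if (a + b < a)          /* overflowing inputs make this line undefined */
        return false;
    *out = a + b;
    return true;
}

/* Portable check: decide from the limits whether the sum fits, so the
 * addition is only performed when it is well defined.  Correct regardless
 * of -fwrapv and of what the optimizer assumes about overflow. */
bool add_checked_portable(int a, int b, int *out) {
    if (b > 0 && a > INT_MAX - b)
        return false;       /* would exceed INT_MAX */
    if (b < 0 && a < INT_MIN - b)
        return false;       /* would go below INT_MIN */
    *out = a + b;
    return true;
}

int main(void) {
    int r;
    /* Only the portable check is exercised on overflowing inputs; calling
     * the naive one with them would itself be undefined behaviour. */
    printf("INT_MAX + 1 fits: %s\n",
           add_checked_portable(INT_MAX, 1, &r) ? "yes" : "no");
    printf("INT_MIN + -1 fits: %s\n",
           add_checked_portable(INT_MIN, -1, &r) ? "yes" : "no");
    if (add_checked_portable(INT_MAX - 1, 1, &r))
        printf("INT_MAX - 1 + 1 = %d\n", r);
    return 0;
}
```

Compiling the naive version with -O2 -Wstrict-overflow (or the warning patch discussed above) is the way to see which checks the compiler is discarding.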