On Fri, Nov 10, 2017 at 2:09 PM, Jorge Almeida <jjalme...@gmail.com> wrote:
> On Fri, Nov 10, 2017 at 4:25 PM, R0b0t1 <r03...@gmail.com> wrote:
>> Hello,
>>
>
>>
>> I'm having trouble finding the article again, but these functions look
>> very similar to Microsoft's extensions to the C standard. There is a
>> good case to be made that they are counterproductive.
>
> Yes, it looks like it. No wonder, if it's MS inspired. But what I care
> about is the fact that it's not optimized away, not the boundaries
> checking stuff. It's hard to believe that it is practically impossible
> to clean up a buffer, unless one is willing to forego all
> optimizations:
>
> http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
>
I really think there is a deeper issue here then, which is that the
compiler takes a lot of liberties when translating a program
description into machine code. There have been suggestions made that
this makes very nearly all compilers unsuitable for high reliability
purposes. Cryptographic or user security code is likely a candidate
for the label "high reliability."
To further explain why the additions are counterproductive: the
programmer still has to remember to use them. It is just as likely
that the programmer will forget to use memset_s properly as any of the
other functions in string.h (possibly by forgetting to sanitize input
i.e. the memory segment boundaries).
>
>>> Of course, what would really solve the optimize-into-oblivion problem
>>> is a pragma that when invoked on a particular block of code (maybe
>>> only a function definition) would tell the compiler to do what the
>>> programmer says rather than viewing a function as a kind of black box.
>>>
>>
>> This would probably be useful. It may be wise to reimplement important
>> functionality.
>>
> No idea how difficult it would be to implement, of course. There might
> even exist a C keyword for that. After all, the C standard states the
> "as-if" rule, it might as well establish such an exception.
>
Sorry, I misrepresented what I meant. I meant to suggest
reimplementing, apart from a standard library, any critical code. This
is generally recommended against but unless there is a hand-tuned
version that has been guaranteed to work around quirks in your
compiler, you are now the person who has to write and maintain that
hand-tuned version.
If you don't mind I might post this concern to the GCC mailing list,
or you can take it up if you want.
Cheers,
R0b0t1
