Ian Lance Taylor wrote:

> I just want to report that I have a working patch to generate warnings
> every time gcc modifies code relying on the fact that signed overflow
> is undefined, except for cases where signed loop indexes are assumed
> to not wrap around. I plan to start submitting this patch soon.

Having that would be a useful tool for the security folks to have, to go out and assess the threat that really lurks in the code out there. My gut feeling is that we will find quite some problems, in fact so many that "secure by default" is an argument that will outweigh performance. I could be wrong though, maybe the number is so small that it is feasible to fix them all for the major applications. Having numbers will hopefully keep the discussion reasonable.

I have by now been sent performance figures, somebody measured about 2-4% slowdown for the SPEC suite, for whatever that means for real-world applications. This is more than I had expected, but I think could be improved upon. If I understand it correctly, people might already be working on performance improvements.

> My current intention, subject of course to the opinions of other
> maintainers, is to implement a -fstrict-overflow option, along the
> lines of -fstrict-aliasing. This will be enabled by default at -O2,
> as is the case for -fstrict-aliasing. -fno-strict-overflow will not
> be the same as -fwrapv, but it will inhibit optimizations which are
> only valid if signed overflow is undefined. The new -Wstrict-overflow
> warning will issue warnings for each case where gcc assumes that
> signed overflow is undefined.

This sounds like a good approach. I will defer the argument about whether or not to make -fstrict-overflow the default to a time where we have more information about the scope of the threat.

Regards,
Andreas
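The kind of code the thread is talking about, as an added example (not from the mailing list or from gcc itself): a bounds check written as "did the sum wrap?", which a compiler assuming strict signed overflow may fold away, next to a form that never overflows and so survives any optimisation. The function names and inputs are made up for the illustration.

```c
/* Added example, not from the thread: an overflow guard in the style that
 * -fstrict-overflow lets gcc drop, beside a guard that stays well-defined. */
#include <limits.h>
#include <stdbool.h>

/* Naive guard: "if off + len wrapped, reject". Because signed overflow is
 * undefined, a compiler assuming strict overflow may treat off + len < off
 * as always false and remove the branch; with the branch gone, a wrapped
 * (negative) sum passes the <= size test and the out-of-range access is
 * let through. This is the pattern -Wstrict-overflow is meant to flag. */
static bool naive_in_bounds(int off, int len, int size)
{
    if (off < 0 || len < 0 || size < 0)
        return false;
    if (off + len < off)        /* may be folded to 0 under -fstrict-overflow */
        return false;
    return off + len <= size;
}

/* Hardened guard: compare len against the remaining headroom instead of
 * forming the sum, so no signed arithmetic can overflow and the check
 * keeps its meaning at every optimisation level and with every -f option. */
static bool safe_in_bounds(int off, int len, int size)
{
    if (off < 0 || len < 0 || size < 0)
        return false;
    if (len > INT_MAX - off)    /* off + len would exceed INT_MAX */
        return false;
    return off + len <= size;   /* now guaranteed not to overflow */
}
```

Compiling the naive version with `-O2 -Wstrict-overflow` is where the proposed warning would fire; `-fno-strict-overflow` or `-fwrapv` would keep its branch, but the hardened form needs neither.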