On Sat, Oct 26, 2013 at 09:29:12PM +0200, Ondřej Bílka wrote:
> Hi, as I brainstormed how to prevent possible overflows in memory allocation I
> came up with a heretic idea:
>
> For gcc -D_FORTIFY_SOURCE=2 we expand all multiplication with size_t
> type by one that checks for integer overflow and aborts on it. This
> would prevent most overflows at the cost of breaking some legitimate
> applications that use multiplication in a clever way.
>
> A less heretic way that is applicable for C++ would be to write a class
> size_t overflow that would do arithmetic in a saturating way and issue
> warnings when there is a size_t multiplication.
I am afraid of the false-positive aborts, which could result in a DoS against applications.

I like the checked arithmetic builtins LLVM introduced in 3.4 (not yet released), where one can test for overflow manually and handle the overflows appropriately. They also generate better code (e.g. they use the overflow flag and get inlined on x86, compared to the ftrapv insn).

So I would vote for fast checked arithmetic builtins first.

Greetings,
Hannes
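The pattern Hannes argues for, checking a size_t multiplication with a compiler builtin and handling the overflow instead of aborting, as an added example that is not part of the original thread and not code from either poster. It uses the type-generic __builtin_mul_overflow (GCC 5+, Clang 3.8+; the LLVM 3.4 builtins mentioned above are the per-type __builtin_umul_overflow family), with a portable division test as fallback. The function names (mul_size_checked, alloc_array, unchecked_product) and the sample sizes are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unchecked form the thread worries about: n * size wraps silently,
 * so malloc() is asked for a much smaller buffer than the caller indexes. */
static size_t unchecked_product(size_t n, size_t size)
{
    return n * size;
}

/* Compute n * size and report overflow instead of wrapping.
 * Returns 1 on success (product stored in *out), 0 on overflow.
 * Uses the compiler's checked-multiply builtin when available; it sets
 * the CPU overflow/carry flag and is inlined, unlike an -ftrapv trap.
 * Otherwise falls back to a portable division-based test. */
static int mul_size_checked(size_t n, size_t size, size_t *out)
{
#if defined(__has_builtin)
# if __has_builtin(__builtin_mul_overflow)
    /* builtin returns nonzero when the mathematical product does not fit */
    return !__builtin_mul_overflow(n, size, out);
# endif
#endif
    /* Portable fallback: one division per allocation, no wraparound. */
    if (n != 0 && size > SIZE_MAX / n)
        return 0;
    *out = n * size;
    return 1;
}

/* Allocate an array of n elements of `size` bytes. On overflow the call
 * fails cleanly (NULL, errno = ENOMEM) so the caller decides what to do,
 * rather than the process being aborted on a possibly legitimate input. */
static void *alloc_array(size_t n, size_t size)
{
    size_t total;
    if (!mul_size_checked(n, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(total);
}

int main(void)
{
    /* Constructed sample: 2^(bits-1) elements of 2 bytes, product is 2^bits. */
    size_t n = SIZE_MAX / 2 + 1;
    size_t total;

    printf("unchecked n*2 = %zu (wrapped)\n", unchecked_product(n, 2));
    if (!mul_size_checked(n, 2, &total))
        printf("checked n*2: overflow detected, allocation refused\n");

    void *p = alloc_array(1024, sizeof(int));
    if (p != NULL) {
        printf("1024 ints allocated\n");
        free(p);
    }
    return 0;
}
```

Compile with -O2 and inspect the assembly of mul_size_checked to see the builtin lowered to a single mul plus a jump on the overflow flag; with the fallback path you get a div instead, which is the code-quality difference the reply refers to.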