Sujet : Re: A Famous Security Bug
De : 433-929-6894 (at) *nospam* kylheku.com (Kaz Kylheku)
Groupes : comp.lang.cDate : 23. Mar 2024, 17:06:34
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <20240323085544.1@kylheku.com>
References : 1 2 3 4 5 6 7 8
User-Agent : slrn/pre1.0.4-9 (Linux)
On 2024-03-23, Richard Kettlewell <
invalid@invalid.invalid> wrote:
David Brown <david.brown@hesbynett.no> writes:
I have tried to explain the reality of what the C standards say in a
couple of posts (including one that I had not posted before you wrote
this one). I have tried to make things as clear as possible, and
hopefully you will see the point.
>
If not, then you must accept that you interpret the C standards in a
different manner from the main compile vendors, as well as some "big
names" in this group. That is, of course, not proof in itself - but
you must realise that for practical purposes you need to be aware of
how others interpret the standard, both for your own coding and for
the advice or recommendations you give to others.
>
Agreed that the ship has sailed on whether LTO is a valid optimization.
There is no question that LTO is a "valid" optimization for reasonable
definitions of valid.
But it’s understandable why someone might reach a different conclusion.
That alone is a problem.
- Phase 7 says the tokens are “semantically analyzed and translated as a
translation unit”.
>
- Phase 8 does not use either verb, “analyzed” or “translated”.
That adds up to requirements that are /obviously/ violated by LTO.
Someone might reach a different conclusion simply by reading the
black-and-white text, which obviously spells out what is required.
When reading the standard, you can't just ignore bits you think
are wrong.
It may be the case that a strictly conforming program cannot tell
whether these requirements are violated.
Strictly conforming programs are not the be all and end all of what is
important.
In the academic paradigm of a strictly conforming program, a security
problem of bytes not being nulled out (or any other such thing) does not
exist.
This would be very easy to address, by replacing “collected” with a word
or phrase that makes clear that further analysis and translation can
happen outside the “as a translation unit” context.
No, it's not that easy to address. The standard should make explicit
provisions for LTO. There should be an optional translation phase
between the current 7 and 8 in which translation units may be
partitioned into subsets, an then subject to semantic analysis
and further translation within the subsets, prior to linking.
The standard wouldn't describe how the partitioning is requested from
the implementation, since it is part of the manner in which a program is
presented to it. All implementations should support a translation mode
in which no partitioning into subsets takes place.
-- TXR Programming Language: http://nongnu.org/txrCygnal: Cygwin Native Application Library: http://kylheku.com/cygnalMastodon: @Kazinator@mstdn.ca
Re: A Famous Security Bug
Re: A Famous Security Bug