Subject: Re: A Famous Security Bug
From: jameskuyper (at) *nospam* alumni.caltech.edu (James Kuyper)
Newsgroups: comp.lang.c
Date: 22 Mar 2024, 18:05:49
Organization: A noiseless patient Spider
Message-ID: <utkdpd$311sb$3@dont-email.me>
User-Agent: Mozilla Thunderbird
On 3/22/24 11:50, Kaz Kylheku wrote:
> On 2024-03-21, Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:
...
>> Link time optimization is as valid as cross-function optimization *as
>> long as* it doesn't change the defined behavior of the program.
>
> It always does; the interaction of a translation unit with another
> is an externally visible aspect of the C program.
The standard makes no use of the concept of "externally visible aspects".
"The least requirements on a conforming implementation are:
— Volatile accesses to objects are evaluated strictly according to the
rules of the abstract machine.
— At program termination, all data written into files shall be identical
to the result that execution of the program according to the abstract
semantics would have produced.
— The input and output dynamics of interactive devices shall take place
as specified in 7.23.3.
The intent of these requirements is that unbuffered or line-buffered
output appear as soon as possible, to ensure that prompting messages
appear prior to a program waiting for input.
This is the observable behavior of the program." (5.1.2.3p6).
The term "observable behavior" is italicized, an ISO convention
indicating that the sentence in which that term is italicized
constitutes the official definition of that term. Note, in particular,
that the term does NOT mean "behavior which can be observed", which
would otherwise be closely connected to your concept of "externally
visible aspects".
Note that "observable behavior" does NOT include function calls, not
even calls to functions defined in different translation units.
The standard explicitly permits optimizations which violate the abstract
semantics, so long as they result in the same observable behavior as if
the abstract semantics had been obeyed. Being able to express that
concept is the only reason that the term "observable behavior" exists.
> ... (That can be inferred
> from the rules which forbid semantic analysis across translation
> units, only linkage.)
I see no wording forbidding such analysis. The section you cite permits
separate translation, but does not forbid whole-program translation.
...
> If I have some translation unit in which there is a function foo, such
> that when I call foo, it then calls an external function bar, that's
> observable.
Not in the sense of "observable behavior" as that term is defined by the
C standard.
...
> Since ISO C says that the semantic analysis has been done (that
> unit having gone through phase 7),
A footnote makes it clear that the translation phases are purely
conceptual, identifying the precedence between the different semantic
rules that they specify. An implementation is not prohibited from
intermingling the translation phases, so long as it produces the same
observable behavior as if it had not intermingled them.
...
> If you have LTO turned on, you might be programming in GNU C or Clang C
> or whatever, not standard C.
True, but you also could be programming in standard C.
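Added example (editor's code, not from any poster in this thread) showing the practical side of the 5.1.2.3p6 wording quoted above. A store to a buffer that is never read again is not "observable behavior" in the standard's sense, so the as-if rule lets an optimizer, with or without LTO, delete it; a store through a volatile lvalue is a volatile access and must happen exactly as the abstract machine says. The key bytes, the function names and the checksum are all constructed for illustration and stand for nothing in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Not observable behavior: once the caller is done with buf, these stores
 * are dead, so 5.1.2.3p6 does not require them to happen. Whether they do
 * is up to the optimizer, and LTO lets it see across translation units. */
static void plain_clear(unsigned char *buf, size_t n)
{
    memset(buf, 0, n);
}

/* Observable behavior: each store is a volatile access, and the standard
 * requires volatile accesses to be evaluated strictly according to the
 * abstract machine, so they survive any conforming optimization. */
void volatile_clear(unsigned char *buf, size_t n)
{
    volatile unsigned char *p = buf;
    while (n--) {
        *p++ = 0;
    }
}

/* Use a constructed 16-byte "secret" once, wipe the local copy, and
 * return a checksum. The checksum is the only thing the abstract
 * machine's observable behavior depends on; the wipe is not. */
int use_secret_once(int wipe_volatile)
{
    unsigned char key[16] = "constructed-key"; /* constructed sample */
    int sum = 0;
    for (size_t i = 0; i < sizeof key; i++) {
        sum += key[i];
    }
    if (wipe_volatile) {
        volatile_clear(key, sizeof key);
    } else {
        plain_clear(key, sizeof key);
    }
    return sum;
}

/* Fill a constructed buffer with a pattern, wipe it through the volatile
 * path, and report whether every byte reads back as zero. */
int wiped_buffer_is_zero(void)
{
    unsigned char buf[32];
    memset(buf, 0xA5, sizeof buf);
    volatile_clear(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("checksum (plain clear):    %d\n", use_secret_once(0));
    printf("checksum (volatile clear): %d\n", use_secret_once(1));
    printf("volatile wipe zeroed buffer: %s\n",
           wiped_buffer_is_zero() ? "yes" : "no");
    return 0;
}
```

Both calls return the same checksum, which is exactly the point: nothing in the standard's definition of observable behavior distinguishes the two wipes, so only the volatile one is guaranteed to survive. Building this with optimization (for instance gcc -O2, with or without -flto) and reading the disassembly of use_secret_once shows which stores the compiler chose to keep.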