Re: A Famous Security Bug

David Brown <david.brown@hesbynett.no> writes:

I have tried to explain the reality of what the C standards say in a
couple of posts (including one that I had not posted before you wrote
this one).  I have tried to make things as clear as possible, and
hopefully you will see the point.
>
If not, then you must accept that you interpret the C standards in a
different manner from the main compile vendors, as well as some "big
names" in this group.  That is, of course, not proof in itself - but
you must realise that for practical purposes you need to be aware of
how others interpret the standard, both for your own coding and for
the advice or recommendations you give to others.

Agreed that the ship has sailed on whether LTO is a valid optimization.
But it’s understandable why someone might reach a different conclusion.

- Phase 7 says the tokens are “semantically analyzed and translated as a
  translation unit”.

- Phase 8 does not use either verb, “analyzed” or “translated”.

- At least two steps (in the abstract, as-if model) are explicitly
  happening in the “as a translation unit” level but not in any wider
  context.

- The result of those two steps (“translator output”) is than
  “collected”.

- Unless you somehow understand that “collected” implicitly includes
  further analysis and translation, it’s does not seem unnatural to
  conclude that many of the whole-program optimizations done by LTO
  implementations would be outside the spec.

This would be very easy to address, by replacing “collected” with a word
or phrase that makes clear that further analysis and translation can
happen outside the “as a translation unit” context.

Obviously this would violate the principle from the rationale that
existing code (that uses TU boundaries to get memset to “work”) is
important and existing implementations (LTO) are not, but C
standardization has never actually behaved as if that is true anyway.

--
https://www.greenend.org.uk/rjk/