Ask HN: “undefined behavior” or “target machine behavior”?

1 points by jpegqs ↗ HN
I have encountered a bug in GCC that can lead to security vulnerabilities in software, but the GCC developers refuse to consider this a bug.

So I ask for your opinion on this matter.

Here's the URL: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98168

Copied the text below.

Here GCC thinks that if both signed integers are positive, then the sum of these integers is also positive. And removes the next bounds check for the negative values (it could be written different, but this is the common way).

  int test(int a, int b, int *buf) {
    if (a >= 0 && b >= 0) {
      a += b;
      // let's check that we are not reading outside the buffer
      if (a >= 0 && a < 8) return buf[a];
    }
    return -1;
  }
So this code supposed to read the element A+B from a buffer of 8 values. And if the sum is out of the buffer, then return -1. But when compiling with GCC -O2/O3 on x86/x86_64 (and possibly others), you can pass A=0x7fffffff, B=0x7fffffff and access buf[-2] (as with any negative value except -1).

Thus, optimizations that falsely assume that the target machine is performing signed integer saturation when it is not - should be considered dangerous.

In my opinion, UB in C has a different purpose, it exists because C is a low-level language and in most cases can use a single machine instruction for a general operation. So for compilers it should be "target machine behavior", not "we can do anything". And compilers must maintain this behavior while removing some operations when optimizing the code.

9 comments

[ 3.2 ms ] story [ 30.7 ms ] thread
The standard is clear about this: It's undefined behavior, and the compiler is allowed to make this assumption. The part that does the optimization might not even be aware what the target platform is or does, and doesn't need to be. (And the discussion specifically about integer addition is probably decades-old, so it's unlikely you're going to change any compiler maintainers view on this now)
Ok, but isn't that the same as saying that if the manufacturer guarantees that the product you purchased will work for two years, then it may break immediately two years after purchase, and you cannot complain about that, because this behavior is completely legal.
Copyright (C) 2019 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
I know, but the point is to make the compiler more predictable, and therefore better. For example, CLANG doesn't have this issue.

And this is related to a possible security vulnerability, so it should be taken more seriously.

and clang could any day introduce this behavior if it happened as a consequence of a newly added optimization or something like this. Most "weird" cases like this are in the end consequences of optimizations (that people really want and expect of C) combining in a way that causes them. It's not like compiler authors add those issues for fun.

C isn't friendly when it comes to this, UB is dangerous, but given the overall attitude of the ecosystem it's pretty pointless to complain about it.

Yeah the only way this will ever be fixed if if the standard commit members get forced out and the standard fixed to stop this insanity.
Undefined behavior is undefined behavior. Signed integer has been undefined behavior since 1989. If you want wrapping arithmetic, using a library or langauge with those primitives built in.

If you want to use GCC for example,

-fwrapv This option instructs the compiler to assume that signed arithmetic overflow of addition, subtraction and multiplication wraps around using twos-complement representation. This flag enables some optimizations and disables others. The options -ftrapv and -fwrapv override each other, so using -ftrapv -fwrapv on the command-line results in -fwrapv being effective. Note that only active options override, so using -ftrapv -fwrapv -fno-wrapv on the command-line results in -ftrapv being effective.

Thank you, I didn't know about this compiler option.

Checked that the code works as expected with this option.

The better way to check for buffer overflow here is "((unsigned T)i < n)".

But the "(i >= 0 && i < n)" way that I used in this example - I have seen many times.

So hackers can scan open source software compiled with GCC for such issue and can exploit this vulnerability, since GCC developers will not fix it.