Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Is GCC really wrongly optimizing code leading to several bugs and vulnerabilities?
2 views
Skip to first unread message
Thomas Goirand
Nov 24, 2013, 8:30:02 AM11/24/13
to
Hi,
I came across this paper:
http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
>From this PDF:
"We implement this approach in a static checker called Stack, and use it
to show that unstable code is present in a wide range of systems
software, including the Linux kernel and the Postgres database. We
estimate that unstable code exists in 40% of the 8,575 Debian Wheezy
packages that contain C / C++ code."
So, they pretend that an estimated 3430 Debian packages in Wheezy
contain code which GCC optimize, resulting in unexpected behaviors,
leading to bugs and security vulnerabilities.
I haven't checked for these facts myself due to lack of time, which is
why I just post here. I think this paper is interesting anyway, and
worth sharing.
Thoughts anyone?
Cheers,
Thomas Goirand (zigo)
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/5291FD5F...@debian.org
I came across this paper:
http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
>From this PDF:
"We implement this approach in a static checker called Stack, and use it
to show that unstable code is present in a wide range of systems
software, including the Linux kernel and the Postgres database. We
estimate that unstable code exists in 40% of the 8,575 Debian Wheezy
packages that contain C / C++ code."
So, they pretend that an estimated 3430 Debian packages in Wheezy
contain code which GCC optimize, resulting in unexpected behaviors,
leading to bugs and security vulnerabilities.
I haven't checked for these facts myself due to lack of time, which is
why I just post here. I think this paper is interesting anyway, and
worth sharing.
Thoughts anyone?
Cheers,
Thomas Goirand (zigo)
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/5291FD5F...@debian.org
Henrique de Moraes Holschuh
Nov 24, 2013, 8:50:01 AM11/24/13
to
On Sun, 24 Nov 2013, Thomas Goirand wrote:
> I haven't checked for these facts myself due to lack of time, which is
> why I just post here. I think this paper is interesting anyway, and
> worth sharing.
I read that paper sometime ago, and as far as I recall, it mostly deals with
> I haven't checked for these facts myself due to lack of time, which is
> why I just post here. I think this paper is interesting anyway, and
> worth sharing.
C code that has undefined behavior by the spec, so it is not about gcc doing
things wrong.
It is about C being an extremely hard language to get right, because it has
a ton of "undefined" situations way too many C coders are not aware of, nor
paying sufficient attention to.
Obviously, the results of a C statement depending on undefined behavior can
change when the compiler, compiler version, or optimization level changes.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Neil McGovern
Nov 24, 2013, 8:50:02 AM11/24/13
to
On Sun, Nov 24, 2013 at 09:21:35PM +0800, Thomas Goirand wrote:
> http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
>
> Thoughts anyone?
>
See the thread on -security starting at
<52900522...@affinityvision.com.au>
Neil
--
> http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf
>
> Thoughts anyone?
>
See the thread on -security starting at
<52900522...@affinityvision.com.au>
Neil
--
intrigeri
Nov 24, 2013, 9:00:02 AM11/24/13
to
Hi,
FYI there's an ongoing discussion on the debian-security list
about this.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/85fvql2...@boum.org
FYI there's an ongoing discussion on the debian-security list
about this.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Thomas Goirand
Nov 24, 2013, 10:20:01 AM11/24/13
to
On 11/24/2013 09:52 PM, intrigeri wrote:
> Hi,
>
> FYI there's an ongoing discussion on the debian-security list
> about this.
Thanks for the pointer. Let's keep it there, rather than -devel.
> Hi,
>
> FYI there's an ongoing discussion on the debian-security list
> about this.
Thomas
--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
0 new messages