2008/4/25 Prateek Saxena <[EMAIL PROTECTED]>: > On Thu, Apr 24, 2008 at 2:20 PM, Ralph Loader <[EMAIL PROTECTED]> wrote: > > > I am very interested in seeing how this optimization can remove > > > arithmetic overflows. > > > > int foo (char * buf, int n) > > { > > // buf+n may overflow of the programmer incorrectly passes > > // a large value of n. But recent versions of gcc optimise > > // to 'n < 100', removing the overflow. > > return buf + n < buf + 100; > > } > > This clearly is insecure coding. The optimization to replace "buf + n > < buf + 100" with "n < 100" assumes something about the value of buf. > I assume that the location of "buf", could change arbitrarily accross > platforms depending on the memory layout. > I ran foo as follows, getting different outputs : >
>From the algebra perspective "buf + n < buf + 100" should be the same as "n < 100". There should really be a feature in C to handle the special overflow/carry case in order to handle overflows and wrap arounds. This is probably a fundamental problem with C. If one takes the following: int a,b,c; a = b + c; How does one detect if there was a signed int overflow? Programmers are forced to jump all sorts of hoops to do this check. Fortunately there is a assembler instruction to do just this on most CPUs. e.g. jo, jc, js It would be nice to be able to write this sort of C code. int a,b,c; a = b + c; if (a overflowed) { handle_overflow(); } One cannot simply code a special function to test the carry/overflow flags as the compiler might reorder the previous instructions, and therefore the carry/overflow state gets messed up. Why has the C language lacked this sort of functionality for so long? James