
List:       oss-security
Subject:    Re: [oss-security] Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)|
From:       Florian Weimer <fw () deneb ! enyo ! de>
Date:       2019-11-08 19:20:55
Message-ID: 87woca41k8.fsf () mid ! deneb ! enyo ! de

* Russ Allbery:

> The C standard says this shouldn't be the default, but software that cares
> about avoiding undefined behavior should consider adding -fwrapv, or
> carefully writing the check to avoid overflow (something that, sadly, one
> needs to become expert in to use C relatively safely).

The C standard doesn't *require* a particular behavior (for non-atomic
integers).  Each time this comes up in the committees, more strict
requirements do not make it into the text.  For example, the recent
P0907R4 for C++, "Signed Integers are Two's Complement"
<http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2018/p0907r4.html>
does not require it, either:

| /Status-quo/ If a signed operation would naturally produce a value
| that is not within the range of the result type, the behavior is
| undefined.
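As an added illustration (not part of Russ's or Florian's messages), the check gcc issue 30475 is about, side by side with the overflow-free rewrite Russ refers to and a saturating variant; function names are my own.

```c
#include <limits.h>
#include <stdio.h>

/* The check from gcc issue 30475. Signed overflow is undefined, so without
   -fwrapv the optimizer may assume x + 100 never wraps and fold this to 1.
   It is kept here only to show the pattern; do not rely on it. */
int naive_check(int x) {
    return x + 100 > x;
}

/* Overflow-free form: compare against the bound *before* adding, so no
   signed arithmetic in this function can overflow regardless of flags. */
int add_in_range(int x, int addend) {
    if (addend >= 0)
        return x <= INT_MAX - addend;
    return x >= INT_MIN - addend;
}

/* Saturating add: returns the true sum when it fits, otherwise clamps to
   INT_MAX/INT_MIN instead of invoking undefined behaviour. */
int sat_add(int a, int b) {
    if (add_in_range(a, b))
        return a + b;
    return b > 0 ? INT_MAX : INT_MIN;
}

int main(void) {
    /* Under -O2 gcc may print 1 here even though INT_MAX + 100 wraps; with
       -fwrapv it prints 0; with -fsanitize=signed-integer-overflow or
       -ftrapv the overflow is reported at run time instead. */
    printf("naive_check(INT_MAX) = %d\n", naive_check(INT_MAX));
    printf("add_in_range(INT_MAX, 100) = %d\n", add_in_range(INT_MAX, 100));
    printf("sat_add(INT_MAX - 50, 100) = %d\n", sat_add(INT_MAX - 50, 100));
    return 0;
}
```

Build with `-O2` and again with `-O2 -fwrapv` to see the two behaviours of `naive_check`; `add_in_range` and `sat_add` give the same answers under both.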