List: oss-security
Subject: Re: [oss-security] Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)|
From: Florian Weimer <fw () deneb ! enyo ! de>
Date: 2019-11-08 19:20:55
Message-ID: 87woca41k8.fsf () mid ! deneb ! enyo ! de
* Russ Allbery:
> The C standard says this shouldn't be the default, but software that cares
> about avoiding undefined behavior should consider adding -fwrapv, or
> carefully writing the check to avoid overflow (something that, sadly, one
> needs to become expert in to use C relatively safely).
The C standard doesn't *require* a particular behavior (for non-atomic
integers). Each time this comes up in the committees, more strict
requirements do not make it into the text. For example, the recent
P0907R4 for C++, "Signed Integers are Two's Complement"
<http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2018/p0907r4.html>
does not require it, either:
| /Status-quo/ If a signed operation would naturally produce a value
| that is not within the range of the result type, the behavior is
| undefined.
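Added example, not part of Florian Weimer's or Russ Allbery's messages: the `x + 100 > x` pattern from gcc issue 30475 placed beside two checks that never form an overflowing sum, so they remain correct with or without -fwrapv. The function names are my own; `__builtin_add_overflow` is the real gcc/clang builtin.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-safe pre-check for x + y in int arithmetic.  The sum is only
 * formed once it is known to be representable, so the function contains
 * no signed overflow and nothing the optimizer may assume away.
 * Returns true and stores the sum on success, false on overflow. */
bool checked_add_int(int x, int y, int *out)
{
    if (y > 0 && x > INT_MAX - y)   /* would exceed INT_MAX */
        return false;
    if (y < 0 && x < INT_MIN - y)   /* would go below INT_MIN */
        return false;
    *out = x + y;
    return true;
}

/* Same check via the compiler builtin (gcc >= 5, clang): it reports
 * overflow without evaluating any undefined arithmetic. */
bool checked_add_int_builtin(int x, int y, int *out)
{
    return !__builtin_add_overflow(x, y, out);
}

/* The pattern from gcc issue 30475, kept to show the contrast: it relies
 * on wraparound, which the C standard does not require, so without
 * -fwrapv the compiler may fold the comparison to "always true".
 * Only meaningful for x <= INT_MAX - 100; beyond that it is UB. */
bool naive_check(int x)
{
    return x + 100 > x;
}

/* Returns true if x + 100 fits in an int, computed without UB. */
bool plus100_fits(int x)
{
    int unused;
    return checked_add_int(x, 100, &unused);
}

int main(void)
{
    int sum;
    /* Constructed inputs near the edge of the int range. */
    printf("naive_check(5)            = %d\n", naive_check(5));
    printf("plus100_fits(INT_MAX-50)  = %d\n", plus100_fits(INT_MAX - 50));
    printf("plus100_fits(INT_MAX-100) = %d\n", plus100_fits(INT_MAX - 100));
    printf("checked_add_int(INT_MAX,1) ok = %d\n",
           checked_add_int(INT_MAX, 1, &sum));
    printf("builtin(INT_MAX-100,100) ok = %d sum == INT_MAX: %d\n",
           checked_add_int_builtin(INT_MAX - 100, 100, &sum), sum == INT_MAX);
    return 0;
}
```

Compiling with `-O2 -Wall` and, separately, `-O2 -fwrapv` gives the same results for `checked_add_int` and `checked_add_int_builtin`; only `naive_check` depends on the flag once its argument is large enough to overflow.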