[llvm-dev] Need help with code generation
Hal Finkel via llvm-dev
llvm-dev at lists.llvm.org
Tue Mar 22 12:02:49 PDT 2016
----- Original Message -----
> From: "Rafael EspĂndola" <rafael.espindola at gmail.com>
> To: "Hal Finkel" <hfinkel at anl.gov>
> Cc: "llvm-dev" <llvm-dev at lists.llvm.org>, "Bruce Hoult" <bruce at hoult.org>, "Mehdi Amini" <mehdi.amini at apple.com>
> Sent: Tuesday, March 22, 2016 1:43:54 PM
> Subject: Re: [llvm-dev] Need help with code generation
>
> >
> > This is a completely inappropriate comparison. LibreSSL is a
> > cryptographic library. Creating a high-quality cryptographic
> > library requires much more than eliminating buffer overruns
> > (etc.).
>
> What I don't get this what is the point of a "somewhat secure". Does
> it make a difference if takes 5 minutes of 5 hours to find a buffer
> overflow?
I don't want to get too far off track, but I feel that there should be no buffer overruns in LLVM. Period. Cryptographic libraries also need to be concerned about other issues, such as information leakage, that are much harder to verify.
>
> >> What allocator would you start with?
> >>
> >
> > We recently had a bunch of patches fixing issues found when fuzz
> > testing LLVM with ASAN, and I thought that was a very positive
> > development.
> >
>
> And today it is still way easier to crash llvm than lld. I posted two
> crashes with just what I noticed going on the list. No one even
> posted an ELF that would crash lld.
That's because we seem to be debating whether we'd actively reject a patch to fix such issues, not how important they are to us to fix.
Thanks again,
Hal
>
> It is really annoying how much people care about "security" to
> criticize my work, but never enough to send a patch. llvm.org/pr21466
> is open since Nov 2014. That is on the side of the project that
> should
> be handling broken files.
>
> Would it end this thread if I went that way? Just say that there are
> bugs in lld and just not fix them for over a year?
>
> Cheers,
> Rafael
>
--
Hal Finkel
Assistant Computational Scientist
Leadership Computing Facility
Argonne National Laboratory
More information about the llvm-dev
mailing list