<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 5/24/12 4:43 AM, Kostya Serebryany wrote:
<blockquote
cite="mid:CAN=P9phxQvzh9pLa=SWMAwOR0Yh_vuhS5k1Nyf8ZvDnNmFzqsw@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Hi Nuno,
<div><br>
</div>
<div>I noticed your commits related to -fbounds-checking and have
some questions. </div>
<div>The functionality of this new phase seems
to (partially?) overlap with AddressSanitizer and SAFECode,</div>
<div>so I am curious how would you compare the two existing tools
with the new one. <br>
</div>
</blockquote>
<br>
Nuno's original goal (described in our first set of email exchanges
on llvm-commits) was to provide lightweight security checks to
programs compiled by clang by using the -fbounds-checking option. I
believe the goal is to protect applications at run-time.<br>
<br>
Nuno, is this correct, or did I misinterpret what you wrote?<br>
<br>
<blockquote
cite="mid:CAN=P9phxQvzh9pLa=SWMAwOR0Yh_vuhS5k1Nyf8ZvDnNmFzqsw@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>Earlier you wrote: </div>
<div><span style="">>> So the main idea of this new flag is
not for debugging, but rather for </span><span style="">production.</span></div>
<div><span style="">>> This means that we won't be able to
perform as many checks as</span><br style="">
<span style="">>> AddressSanitizer, </span></div>
<div><span style=""><br>
</span></div>
<div>
<div><font color="#222222" face="arial, sans-serif">From the
code (lib/Transforms/Scalar/BoundsChecking.cpp</font><span
style="color:rgb(34,34,34);font-family:arial,sans-serif">) I
can conclude that you add checks only if you can </span></div>
<div><span
style="color:rgb(34,34,34);font-family:arial,sans-serif">deduct
the array boundaries, either from constants or from malloc()
parameter. </span></div>
</div>
<div><span style="">How many run-time checks does </span><font
color="#222222" face="arial, sans-serif">-fbounds-checking
create? Do you have such statistics?</font></div>
<div><span style="">Do you also have performance numbers? </span></div>
<div><span
style="color:rgb(34,34,34);font-family:arial,sans-serif"><br>
</span></div>
<div><span
style="color:rgb(34,34,34);font-family:arial,sans-serif">Are
there any bugs that </span><span
style="color:rgb(34,34,34);font-family:arial,sans-serif">-fbounds-checking
can find but </span><font color="#222222" face="arial,
sans-serif">{SAFECode,ASan} can not? </font></div>
<div><font color="#222222" face="arial, sans-serif"><br>
</font></div>
<div><span style="">>> but the performance is supposed to be
acceptable for</span><br style="">
<span style="">>> binaries that are shipped for
production.</span></div>
<div><font color="#222222" face="arial, sans-serif"><br>
</font></div>
<div><span style="">Btw, </span><span style="">AddressSanitizer's
performance *is* </span><span style="">acceptable for
production in many circumstances. </span></div>
<div><span style=""><br>
</span></div>
<div><span style="">Why do you route all run-time checks to a
single trap BB? </span></div>
<div><span style="">I understand this as a code-side optimization,
but it makes analyzing the failure almost entirely
impossible. </span></div>
<div><font color="#222222" face="arial, sans-serif">Even if you
use different traps, what is the expected user experience once
he/she receives the trap? <br>
</font></div>
</blockquote>
<br>
I don't think Nuno is trying to make a tool that helps diagnose
memory safety problems. Instead, he's trying to build a tool that
prevents exploitation of code at run-time. A single trap block is
the correct approach for that goal.<br>
<br>
-- John T.<br>
<br>
</body>
</html>