[cfe-dev] [EXTERNAL] Re: making -ftrivial-auto-var-init=zero a first-class option

JF Bastien via cfe-dev cfe-dev at lists.llvm.org
Wed Apr 22 13:50:52 PDT 2020



> On Apr 22, 2020, at 1:08 PM, Richard Smith via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> 
> On Wed, 22 Apr 2020 at 10:49, Joe Bialek <jobialek at microsoft.com <mailto:jobialek at microsoft.com>> wrote:
> How are you going to efficiently check that something wasn't initialized at runtime? In a way that results in better codegen than just doing pattern initialization? I'm happy to see a solution but I don't see how this can be done in a way that doesn't involve metadata and checks. If you could do this at compile-time, you'd just issue a warning rather than let the issue hang around for someone to discover at runtime.
> 
> Consider a case such as:
> 
> int f(int &r) { return r; }
> int g() {
>   int n;
>   return f(n);
> }
> 
> We certainly won't warn on this during compilation, but it's easy for us to turn this into a trap after inlining.
>  
> Also not clear to me what the OS is expected to do with this trap. We have a number of information leak vulnerabilities where force initialization kills the bug silently.
> 
> Do you really mean "kills the bug"? I would certainly believe you have a number of information leak vulnerabilities where zero-init fixes the *vulnerability* (and we should definitely provide tools to harden programs against such vulnerabilities), but the program is still using an uninitialized value and still has a bug. The idea that this compiler change fixes or removes the bug is precisely the language dialect problem that I'm concerned about. Developers must still think that reading an uninitialized value is a bug (even if it's not a vulnerability any more) or they're writing a program in a language dialect where doing that is not a bug.

I think part of the disconnect comes from security and kernel folks having this something like this value scale:

  Correct code >> buggy but not vulnerable/leaky code >> crashy but not vulnerable/leaky code >> code with infoleak >> vulnerable code

Everyone agrees that we want to avoid infoleaks and vulnerable code, and this mitigation helps with both. Everyone agrees correct code is better.

Where there’s disagreement in this sub-thread seems to be whether it’s OK to have buggy code that doesn’t crash, versus buggy code that crashes.


> If you have a non-recoverable trap you are now turning these bugs in to kernel crashes which is sort of a crappy user experience compared to just silently fixing the bug and allowing the OS to work as normal. As it is right now, we can just ignore the issues because they have no security or reliability impact which is great because it saves us time and money not having to service things, and customers don't have to install a code update either.
> 
> Joe
> From: Kees Cook <keescook at chromium.org <mailto:keescook at chromium.org>>
> Sent: Wednesday, April 22, 2020 10:40 AM
> To: Richard Smith <richard at metafoo.co.uk <mailto:richard at metafoo.co.uk>>
> Cc: Arthur O'Dwyer <arthur.j.odwyer at gmail.com <mailto:arthur.j.odwyer at gmail.com>>; Joe Bialek <jobialek at microsoft.com <mailto:jobialek at microsoft.com>>; Clang Dev <cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>>
> Subject: [EXTERNAL] Re: [cfe-dev] making -ftrivial-auto-var-init=zero a first-class option
>  
> On Tue, Apr 21, 2020 at 04:54:25PM -0700, Richard Smith wrote:
> > The existence of the
> > --long-ugly-flag-name-that-says-we'll-remove-the-feature is the way we
> > currently try to avoid introducing a language dialect. If we remove that
> > flag as is proposed, then we are effectively relitigating the question of
> > whether to have the feature at all.
> 
> What about renaming the enable flag so it doesn't imply that zero-init
> is going to be removed?
> 
> > And indeed it might even be OK if the initial behavior is that we *always*
> > zero-initialize (as Philip asked), so long as our documentation clearly
> > says that we do not guarantee that the value will be zero (only that we
> > guarantee that *if the program continues*, the value will be zero), and our
> > intent is that we may still produce traps or otherwise abort the
> > computation.
> 
> Right -- I would see adding a trap path as a nice improvement. I still
> think it'll be be too much overhead, though, given needing to check all
> corners of a struct: accessing any padding bytes would need to trap,
> etc.
> 
> -- 
> Kees Cook
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20200422/7dc3827f/attachment-0001.html>


More information about the cfe-dev mailing list