[LLVMdev] PredicateSimplifier questions
Chris Lattner
clattner at apple.com
Mon Feb 16 08:58:06 PST 2009
On Feb 16, 2009, at 8:00 AM, John Regehr wrote:
> Chris do you have a sense for how the definedness of signed overflow in
> LLVM would play out in the context of bounds check elimination? That is,
> would it cause lots of failure to eliminate checks that could be seen to
> be unnecessary at the C level?
That is an interesting question, and there are several related
issues. The possibility of undefined behavior or behavior that
programmers don't expect in C code often leads to "security checks"
that end up not doing anything. For example, see things like:
http://www.kb.cert.org/vuls/id/162289
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8537
etc.
In general, I think that if you *really* care about code security in C
that bounds checks are not enough. You need to use various techniques
to reduce the amount of undefined behavior in C, such as compiling
with -fwrapv.
A project that I'd like to tackle eventually in Clang is to have
direct support for this by emitting code that zero initializes
variables by default, *automatically* inserts bounds checks where it
can, inserts code to check that shift amounts are in range, etc.
-Chris
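The "security checks that end up not doing anything" pattern, as an added C illustration that is not part of Chris's message or of LLVM: the first function tests for overflow using the already-overflowed result of a signed addition, which ISO C leaves undefined, so an optimizer is entitled to assume the addition never wrapped and delete the comparison (compiling with -fwrapv is what makes it wrap instead). The second function performs the same bounds check with comparisons against INT_MAX before the addition, so it is well defined and cannot be discarded. Function names and the offset/length/size parameters are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed example: a bounds check on a buffer range written in terms
 * of the sum itself. Signed overflow is undefined in C, so the compiler
 * may assume `off + len` did not wrap and drop the `end < off` test. */
int offset_in_bounds_ub(int off, int len, int size) {
    int end = off + len;         /* undefined if this overflows */
    if (end < off) return 0;     /* may be optimized away entirely */
    return end <= size;
}

/* Same check with the overflow decided BEFORE the addition, using only
 * comparisons against INT_MAX. No undefined operation occurs, so the
 * optimizer has no licence to remove the check regardless of -fwrapv. */
int offset_in_bounds_safe(int off, int len, int size) {
    if (off < 0 || len < 0 || size < 0) return 0;   /* reject negatives */
    if (len > INT_MAX - off) return 0;              /* off + len would wrap */
    return off + len <= size;
}

int main(void) {
    /* Constructed inputs: an in-range request and one that would wrap. */
    printf("10+20 within 64: %d\n", offset_in_bounds_safe(10, 20, 64));
    printf("INT_MAX+1 within 64: %d\n", offset_in_bounds_safe(INT_MAX, 1, 64));
    printf("60+10 within 64: %d\n", offset_in_bounds_safe(60, 10, 64));
    return 0;
}
```

Only the second function is exercised with a wrapping input; feeding INT_MAX and 1 to the first one would itself be undefined behaviour, which is exactly the point.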