[LLVMdev] PredicateSimplifier questions

Chris Lattner clattner at apple.com
Mon Feb 16 08:58:06 PST 2009


On Feb 16, 2009, at 8:00 AM, John Regehr wrote:
> Chris do you have a sense for how the definedness of signed overflow in
> LLVM would play out in the context of bounds check elimination?  That is,
> would it cause lots of failure to eliminate checks that could be seen to
> be unnecessary at the C level?

That is an interesting question, and there are several related  
issues.  The possibility of undefined behavior or behavior that  
programmers don't expect in C code often leads to "security checks"  
that end up not doing anything.  For example, see things like:

http://www.kb.cert.org/vuls/id/162289
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8537
etc.

In general, I think that if you *really* care about code security in C,  
bounds checks are not enough.  You need to use various techniques  
to reduce the amount of undefined behavior in C, such as compiling  
with -fwrapv.

A project that I'd like to tackle eventually in Clang is to have  
direct support for this by emitting code that zero initializes  
variables by default, *automatically* inserts bound checks where it  
can, inserts code to check that shift amounts are in range, etc.

-Chris
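The "security check that ends up not doing anything" Chris describes, shown as an added example (this is not code from the thread, and the function names are hypothetical). `in_bounds_broken` tests for overflow *after* performing the signed addition; because signed overflow is undefined in C, an optimizer is entitled to assume `offset + len < offset` is false whenever `len >= 0` and drop the test, unless the code is built with -fwrapv. `in_bounds_checked` tests the precondition before the arithmetic, so no overflow ever occurs and there is nothing for the compiler to assume away. `ptr_in_bounds_checked` applies the same idea to the pointer case behind the CERT note and GCC bug cited above (forming `p + len` past the object is itself undefined), by comparing lengths instead of pointers.

```c
/* Added example: overflow "security checks" that a C compiler may delete,
 * beside forms it cannot. Function names and the demo buffer are
 * hypothetical, not from any project. */
#include <limits.h>
#include <stddef.h>

/* BROKEN: relies on signed overflow wrapping around. Signed overflow is
 * undefined behaviour, so with optimization the compiler may conclude
 * that offset + len < offset can never hold (len is non-negative) and
 * remove the second test entirely. -fwrapv makes the wrap defined and
 * keeps the check alive. */
int in_bounds_broken(int offset, int len, int size) {
    if (len < 0)
        return 0;
    if (offset + len < offset)     /* may be optimised away */
        return 0;
    return offset + len <= size;
}

/* FIXED: check the precondition before doing the arithmetic. The
 * addition only happens when it is known not to overflow. */
int in_bounds_checked(int offset, int len, int size) {
    if (offset < 0 || len < 0 || size < 0)
        return 0;
    if (len > INT_MAX - offset)    /* offset + len would overflow */
        return 0;
    return offset + len <= size;
}

/* Pointer variant: instead of testing p + len < p (undefined, and the
 * pattern GCC was reported to remove), compute how much of the object
 * remains after p and compare the length against that. */
int ptr_in_bounds_checked(const unsigned char *p, size_t len,
                          const unsigned char *base, size_t size) {
    size_t used;
    if (p < base)
        return 0;
    used = (size_t)(p - base);
    if (used > size)
        return 0;
    return len <= size - used;
}

/* Constructed demo buffer so the pointer checks can be exercised offline. */
#define DEMO_BUF_SIZE 16
static unsigned char demo_buf[DEMO_BUF_SIZE];

/* Convenience wrapper: is [demo_buf + off, demo_buf + off + len) inside
 * demo_buf? */
int demo_ptr_case(size_t off, size_t len) {
    return ptr_in_bounds_checked(demo_buf + off, len, demo_buf, DEMO_BUF_SIZE);
}
```

Compiling `in_bounds_broken` with and without -fwrapv at -O2 and diffing the generated assembly is the quickest way to see the difference for yourself: only the -fwrapv build keeps a comparison after the add.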


