From: "muecker at gwdg dot de"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/99797] accessing uninitialized automatic variables
Date: Mon, 19 Apr 2021 05:43:50 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99797

--- Comment #9 from Martin Uecker ---

The behavior of GCC is dangerous, as the example in comment #1 shows. You cannot reason at all about the generated code. It is not just that the uninitialized value causes some random choice; it creates a situation where seemingly impossible things can happen. Assume this propagates into another security-relevant function which, when analyzed independently, appears completely safe, i.e. maintains some important property by carefully checking its inputs. But just having an uninitialized read somewhere else compromises the integrity of the whole program.
Of course, if this is UB then this is technically allowed from the standard's point of view. But what the standard allows is one question. What a good compiler should do in case of undefined behavior is a completely different one. The "optimize based on the assumption that UB cannot happen" philosophy amplifies even minor programming errors into something dangerous. This, of course, also applies to other UB (in varying degrees). For signed overflow we have -fsanitize=signed-integer-overflow, which can help detect and mitigate such errors, e.g. by trapping at run-time. And this, too, is allowed by UB.

In case of UB the choice of what to do lies with the compiler, but I think it is a bug if this choice is unreasonable and does not serve its users well.
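The comment above points to -fsanitize=signed-integer-overflow as a way to turn signed-overflow UB into a run-time trap. The following is an added example (not part of the bug report and not Martin Uecker's code) showing the same idea done explicitly in source, so the check is present regardless of compiler flags: arithmetic is performed through __builtin_add_overflow (available in GCC >= 5 and Clang), which reports wraparound instead of executing undefined behavior, and a "carefully checking" length validator of the kind the comment describes rejects inputs whose sum would overflow rather than comparing a possibly-wrapped result. The function names (checked_add, add_or_trap, total_len_checked) and the header/payload/buffer scenario are made up for this illustration.

```c
/* Added example, not from GCC bug 99797: explicit overflow detection in
 * source, mirroring what -fsanitize=signed-integer-overflow does at run
 * time. All names and the length-check scenario are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Well-defined addition: returns false on overflow and leaves no UB on
 * the path. __builtin_add_overflow is a GCC/Clang builtin. */
bool checked_add(int a, int b, int *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* Trap policy, the analogue of -fsanitize=signed-integer-overflow with
 * -fsanitize-undefined-trap-on-error: stop rather than continue on a
 * wrapped value. */
int add_or_trap(int a, int b)
{
    int r;
    if (!checked_add(a, b, &r))
        __builtin_trap();
    return r;
}

/* A security-relevant function that validates its inputs carefully:
 * computes header_len + payload_len and checks it fits in buf_size.
 * Returns the total, or -1 if any input is negative, the sum would
 * overflow, or the total does not fit. Note the overflow is tested
 * before the comparison, so the compiler never sees signed-overflow UB
 * it could optimise around. */
int total_len_checked(int header_len, int payload_len, int buf_size)
{
    int total;
    if (header_len < 0 || payload_len < 0 || buf_size < 0)
        return -1;
    if (!checked_add(header_len, payload_len, &total))
        return -1;              /* sum would wrap: reject, do not compute */
    if (total > buf_size)
        return -1;              /* does not fit in the buffer */
    return total;
}

int main(void)
{
    printf("%d\n", total_len_checked(16, 100, 4096));     /* 116 */
    printf("%d\n", total_len_checked(16, INT_MAX, 4096)); /* -1: overflow caught */
    printf("%d\n", total_len_checked(16, 5000, 4096));    /* -1: too large */
    printf("%d\n", add_or_trap(1, 2));                    /* 3 */
    return 0;
}
```

The point of writing the check this way is that the rejection happens on a defined path: with a plain `if (header_len + payload_len > buf_size)` the addition itself is UB on overflow and the compiler is entitled to fold the comparison, which is exactly the "seemingly impossible things" failure mode the comment describes.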