From: Michael Matz <matz@suse.de>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: Jonathan Wakely <jwakely.gcc@gmail.com>,
Aaron Ballman <aaron@aaronballman.com>,
Zack Weinberg <zack@owlfolio.org>,
c-std-porting@lists.linux.dev, autoconf@gnu.org,
gcc@gcc.gnu.org, cfe-commits@lists.llvm.org,
Gnulib bugs <bug-gnulib@gnu.org>
Subject: Re: How can Autoconf help with the transition to stricter compilation defaults?
Date: Wed, 16 Nov 2022 14:26:52 +0000 (UTC) [thread overview]
Message-ID: <alpine.LSU.2.20.2211161418020.5466@wotan.suse.de> (raw)
In-Reply-To: <06a5d2cd-44eb-7404-17f3-ff64dd505427@cs.ucla.edu>
Hi,
On Tue, 15 Nov 2022, Paul Eggert wrote:
> On 2022-11-15 11:27, Jonathan Wakely wrote:
> > Another perspective is that autoconf shouldn't get in the way of
> > making the C and C++ toolchain more secure by default.
>
> Can you cite any examples of a real-world security flaw what would be
> found by Clang erroring out because 'char foo(void);' is the wrong
> prototype? Is it plausible that any such security flaw exists?
>
> On the contrary, it's more likely that Clang's erroring out here would
> *introduce* a security flaw, because it would cause 'configure' to
> incorrectly infer that an important security-relevant function is
> missing and that a flawed substitute needs to be used.
>
> Let's focus on real problems rather than worrying about imaginary ones.
I sympathize, and I would think a compiler emitting an error (not a
warning) in the situation at hand (in absence of -Werror) is overly
pedantic. But, could autoconf perhaps avoid the problem? AFAICS the
ac_fn_c_check_func really does only a link test to check for symbol
existence, and the perceived problem is that the call statement in main()
invokes UB. So, let's avoid the call then while retaining the access to
the symbol? Like:
-----
char foobar(void);
int main(void) {
return &foobar != 0;
}
-----
No call involved: no reason for compiler to complain. The prototype decl
itself will still be "wrong", but compilers complaining about that (in
absence of a pre-existing different prototype, which is avoided by
autoconf) seem unlikely.
Obviously this program will also say "foobar exists" if it's a data
symbol, but that's the same with the variant using the call on most
platforms (after all it's not run).
The idea is so obvious that I'm probably missing something, why autoconf
can't use that idiom instead. But perhaps the (historic?) reasons why it
couldn't be used are gone now?
Ciao,
Michael.
next prev parent reply other threads:[~2022-11-16 14:26 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-10 17:16 Zack Weinberg
2022-11-10 17:52 ` Nick Bowler
2022-11-10 17:58 ` Jonathan Wakely
2022-11-10 18:12 ` Jonathan Wakely
2022-11-10 18:44 ` Aaron Ballman
2022-11-12 2:56 ` Zack Weinberg
2022-11-10 18:05 ` Rich Felker
2022-11-10 21:44 ` Florian Weimer
2022-11-12 3:22 ` Zack Weinberg
2022-11-10 18:08 ` Florian Weimer
2022-11-12 3:40 ` Zack Weinberg
2022-11-12 3:43 ` Sam James
2022-11-12 14:27 ` Zack Weinberg
2022-11-12 3:45 ` Joseph Myers
2022-11-12 15:59 ` Wookey
2022-11-12 16:12 ` Zack Weinberg
2022-11-10 18:19 ` Aaron Ballman
2022-11-10 21:05 ` Paul Eggert
2022-11-11 15:11 ` Aaron Ballman
2022-11-13 0:43 ` Paul Eggert
2022-11-14 12:41 ` Aaron Ballman
2022-11-14 18:14 ` Paul Eggert
2022-11-14 18:30 ` Florian Weimer
2022-11-14 18:35 ` Aaron Ballman
2022-11-15 14:50 ` Jonathan Wakely
2022-11-15 19:08 ` Paul Eggert
2022-11-15 19:27 ` Jonathan Wakely
2022-11-15 20:27 ` Paul Eggert
2022-11-15 20:57 ` Aaron Ballman
2022-11-15 23:09 ` Paul Eggert
2022-11-15 23:43 ` Ben Boeckel
2022-11-16 14:26 ` Michael Matz [this message]
2022-11-16 14:40 ` Alexander Monakov
2022-11-16 15:01 ` Michael Matz
2022-11-16 15:27 ` Richard Biener
2022-11-16 15:35 ` Sam James
2022-11-16 15:59 ` Michael Matz
2022-11-16 16:20 ` Jonathan Wakely
2022-11-16 16:34 ` Michael Matz
2022-11-16 16:46 ` Jonathan Wakely
2022-11-16 18:17 ` Paul Eggert
2022-11-16 18:40 ` Jeffrey Walton
2022-11-17 18:45 ` Paul Eggert
2022-11-16 18:59 ` Zack Weinberg
2022-11-17 18:58 ` Paul Eggert
2022-11-17 21:35 ` Bruno Haible
2022-11-17 22:27 ` Paul Eggert
2022-11-17 13:30 ` Michael Matz
2022-11-15 20:36 ` Aaron Ballman
2022-11-15 5:03 ` Sam James
2022-11-15 13:30 ` Zack Weinberg
2022-11-15 13:34 ` Sam James
2022-11-16 0:08 ` Bob Friesenhahn
2022-11-13 0:43 ` Paul Eggert
2022-11-17 13:57 ` Jason Merrill
2022-11-10 20:19 ` Paul Eggert
[not found] ` <d785b19371e8419f5a5817d7cdb429db91614a3a.camel@orlitzky.com>
2022-11-11 3:08 ` Sam James
2022-11-11 3:33 ` Zack Weinberg
2022-11-11 8:40 ` Sam James
2022-11-11 9:02 ` Paul Eggert
2022-11-12 14:09 ` Zack Weinberg
2022-11-11 23:25 ` Sam James
2022-11-12 0:53 ` Paul Eggert
2022-11-12 4:00 ` Sam James
2022-11-11 9:15 ` Sam James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LSU.2.20.2211161418020.5466@wotan.suse.de \
--to=matz@suse.de \
--cc=aaron@aaronballman.com \
--cc=autoconf@gnu.org \
--cc=bug-gnulib@gnu.org \
--cc=c-std-porting@lists.linux.dev \
--cc=cfe-commits@lists.llvm.org \
--cc=eggert@cs.ucla.edu \
--cc=gcc@gcc.gnu.org \
--cc=jwakely.gcc@gmail.com \
--cc=zack@owlfolio.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).