On Wed, Apr 24, 2024 at 04:20:20PM -0700, Kees Cook wrote: > > This is arse-about-face. Signed stuff wraps per -fno-strict-overflow. > > We've been writing code for years under that assumption. > > Right, which is why this is going to take time to roll out. :) What we > were really doing with -fno-strict-overflow was getting rid of undefined > behavior. That was really really horrible; we don't need the compiler > hallucinating. Right, but that then got us well defined semantics for signed overflow. > > You want to mark the non-wrapping case. > > What we want is lack of ambiguity. Having done these kinds of things in > the kernel for a while now, I have strong evidence that we get much better > results with the "fail safe" approach, but start by making it non-fatal. > That way we get full coverage, but we don't melt the world for anyone > that doesn't want it, and we can shake things out over a few years. For > example, it has worked well for CONFIG_FORTIFY, CONFIG_UBSAN_BOUNDS, > KCFI, etc. The non-fatal argument doesn't have bearing on the mark warp or mark non-wrap argument though. > The riskier condition is having something wrap when it wasn't expected > (e.g. allocations, pointer offsets, etc), so we start by defining our > regular types as non-wrapping, and annotate the wrapping types (or > specific calculations or functions). But but most of those you mention are unsigned. Are you saying you're making all unsigned variables non-wrap by default too? That's bloody insane. > For signed types in particular, wrapping is overwhelmingly the > uncommon case, so from a purely "how much annotations is needed" > perspective, marking wrapping is also easiest. Yes, there are cases of > expected wrapping, but we'll track them all down and get them marked > unambiguously. But I am confused now, because above you seem to imply you're making unsigned non-wrap too, and there wrapping is *far* more common, and I must say I hate this wrapping_add() thing with a passion. > One thing on the short list is atomics, so here we are. :) Well, there are wrapping and non-wrapping users of atomic. If only C had generics etc.. (and yeah, _Generic doesn't really count).
