bug-gnulib

Re: avoid integer overflow in mktime.m4


From: Paul Eggert
Subject: Re: avoid integer overflow in mktime.m4
Date: Mon, 18 Dec 2006 18:06:52 -0800
User-agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.4 (gnu/linux)

Ralf Wildenhues <address@hidden> writes:

> the newer GCC exploits at -O2 the fact that integer overflow
> produces undefined behavior

Wheeeoo!  That optimization is going to break a _lot_ of GNU
software.  (Silently.  Oh my.)

This is a major change.  Where is it documented and discussed?  I
don't see it listed at either
<http://gcc.gnu.org/gcc-4.2/changes.html> or
<http://gcc.gnu.org/gcc-4.3/changes.html>.

We tried to do that sort of optimization in the 1990s (back when I
was a GCC contributor), but ran into too many problems in
real-world software.  So the optimization got removed.  RMS
decided it was too disruptive.

How about if we report the problem again, and get the optimization
removed from -O2?  I don't mind having the optimization available
on request for people who prefer speedy to reliable software, but
it shouldn't be turned on with a mere -O2, as it breaks too much
real-world code like mktime.c, which says:

   /* The code also assumes that signed integer overflow silently wraps
      around, but this assumption can't be stated without causing a
      diagnostic on some hosts.  */

The optimization also breaks code that assumes LIA-1 (see Annex H
of the C99 standard).  To conform to LIA-1, if signed integer
arithmetic does not wrap around reliably, a signal must be
generated.

Surely the GCC guys care about LIA-1.  After all, gcc has an
-ftrapv option to enable reliable signal generation on signed
overflow.  But I'd rather not go the -ftrapv route, since that
will cause other problems.  I'd rather have signed integer
overflow silently wrap around, as this is the traditional behavior
and a lot of real-world code assumes this.  Is there an option to
the new GCC to specify this?

If not, is there any way to tell the new GCC to disable this
harmful optimization?  Maybe we can have 'configure' automatically
generate the appropriate flag to do that.  For example, we can
change Autoconf to default to -O1 instead of -O2.  I hope we don't
have to be this drastic, though; I'd rather just disable the
optimizations that cause GCC to depart from LIA-1 wraparound
arithmetic.

> The patch below fixes that.

Yes, but it assumes unsigned int is the same width as signed int,
and that isn't a portable assumption.  We can work around this
issue, but I'd rather fix the underlying problem with GCC.

> This test hangs,

Does the test hang forever?  It's supposed to have a 60-second
timeout.  And if it times out, 'configure' uses the supplied
mktime.c, which should be OK (even if it's not optimal).

Of course, the supplied mktime.c will have subtle bugs due to
integer wraparound issues with the GCC version in question, but
that's also true for lots of other gnulib and GNU application code
(it's certainly true of glibc proper) so it's in good company.
And if we can disable the problematic optimization, we'll kill all
these birds with one stone.
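
An added illustration of the point above (example code of my own, not from this thread or from gnulib's mktime.c): the first check relies on signed wraparound, which is undefined behaviour and exactly what the newer GCC may optimize away at -O2 (and what -ftrapv would turn into a trap); the second detects the same overflow by comparing against INT_MAX/INT_MIN before adding, so it needs neither wraparound nor any assumption about the width of unsigned int.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Wraparound-based check, as found in much traditional code.  The
   addition itself overflows (undefined behaviour), so a compiler that
   assumes overflow never happens may fold this to "always false".
   Kept only to show the pattern; do not call it with overflowing input. */
static bool add_overflows_wrap(int a, int b)
{
    int sum = a + b;                 /* undefined if it overflows */
    return (b > 0) ? (sum < a) : (sum > a);
}

/* Portable check: decide before adding whether a + b fits in an int.
   Every operation here is well-defined for all int inputs. */
static bool add_overflows_portable(int a, int b)
{
    return (b > 0) ? (a > INT_MAX - b) : (a < INT_MIN - b);
}

/* Checked addition: returns true and stores the sum when it fits,
   false (leaving *result untouched) when it would overflow. */
static bool checked_add(int a, int b, int *result)
{
    if (add_overflows_portable(a, b))
        return false;
    *result = a + b;                 /* now known not to overflow */
    return true;
}

int main(void)
{
    int r = 0;
    /* In-range case: both checks agree. */
    printf("wrap check, 1 + 2: %d\n", add_overflows_wrap(1, 2));
    printf("portable check, 1 + 2: %d\n", add_overflows_portable(1, 2));
    /* Overflowing case: only the portable check is safe to evaluate. */
    printf("portable check, INT_MAX + 1: %d\n",
           add_overflows_portable(INT_MAX, 1));
    printf("checked_add(INT_MAX, 1) ok: %d\n", checked_add(INT_MAX, 1, &r));
    printf("checked_add(INT_MAX - 1, 1) ok: %d, r = %d\n",
           checked_add(INT_MAX - 1, 1, &r), r);
    return 0;
}
```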
