Re: [PATCH] C undefined behavior fix

From: Joe Buck (jbuck@synopsys.COM)
Date: Thu Jan 03 2002 - 10:45:24 EST

> > There is already such a project under development: see
> >
> >
> >
> > This is a modification to gcc that implements pointers as triples.
> > While there is a performance penalty for doing this, it can completely
> > eliminate the problem of exploitable buffer overflows. However, programs
> > that violate the rules of ISO C by generating out-of-range pointers will
> > fail.
> What will it do if I cast a pointer to unsigned long? Or if I cast an
> unsigned long to a pointer? The kernel does both of these things, and
> in a lot of places.

Perhaps you need to reread a book like K&R, second edition, to find out
what the C language promises you and what it doesn't.

The bounded-pointer approach represents a C pointer as three machine
pointers. When you cast to unsigned long, it converts the "value"
pointer. When you cast an unsigned long to a pointer, you lose the range
information, so the pointer's extent is anywhere in memory. However,
if the compiler can determine by dataflow analysis where this value
came from it is entitled to put the original range information back.

> Part of my beef with what gcc-3 is doing is that I take a pointer,
> cast it to unsigned long, do something to it, cast it back to a
> pointer, and gcc _still_ thinks it's knows what I am doing. It
> doesn't.

The C language standard defines quite precisely what the compiler is
allowed to assume and what it is not allowed to assume. If you don't
like these rules, you will dislike *all* modern C compilers, especially
the expensive proprietary C compilers hardware vendors often use to
get good SPEC results.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon Jan 07 2002 - 21:00:21 EST