* Joe Buck:

> You appear to mistakenly believe that wrapping around on overflow is
> a more secure option.  It might be, but it usually is not.  There
> are many CERT security flaws involving integer overflow; the fact
> that they are security bugs has nothing to do with the way gcc
> generates code, as the "wrapv" output is insecure.

These flaws are typically fixed by post-overflow checking.  A more
recent example from PCRE:

| /* Read the minimum value and do a paranoid check: a negative value indicates
| an integer overflow. */
| 
| while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
| if (min < 0 || min > 65535)
|   {
|   *errorcodeptr = ERR5;
|   return p;
|   }

Philip Hazel is quite a diligent programmer, and if he gets it wrong
(and the OpenSSL and Apache developers, who are supposed to do code
review on their own, not relying on random external input), maybe this
should tell us something.

Of course, it might be possible that the performance gains are worth
reintroducing security bugs into object code (where previously,
testing and perhaps even manual code inspection has shown they have
been fixed).  It's not true that -fwrapv magically makes security
defects involving integer overflow disappear (which is quite unlikely,
as you point out).  It's the fixes which require -fwrapv semantics
that concern me.

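As an added example (not code from PCRE or from anyone in this thread), here are the two patterns side by side in C: the post-overflow check of the quoted snippet, which is only meaningful when signed overflow wraps (-fwrapv), and a bound check done before the multiplication, which is correct under the standard's rules with or without -fwrapv. The digit loop and the 65535 limit come from the snippet; the function names and the use of `isdigit` in place of PCRE's `digitab` are assumptions.

```c
#include <ctype.h>

#define MIN_LIMIT 65535

/* Post-overflow check, as in the quoted PCRE code: compute first, then
   rely on a negative result to detect overflow. In standard C, signed
   overflow in `min * 10` is undefined, so an optimiser that assumes it
   cannot happen may drop the `min < 0` test entirely. The check is only
   sound when the compiler guarantees wrapping (-fwrapv).
   Returns the parsed value, or -1 on error. */
int parse_min_post_check(const char *p)
{
    int min = 0;
    while (isdigit((unsigned char)*p))
        min = min * 10 + *p++ - '0';        /* may overflow: UB without -fwrapv */
    if (min < 0 || min > MIN_LIMIT)
        return -1;
    return min;
}

/* Pre-overflow check: refuse the digit before the arithmetic can leave
   the valid range. Since `min` never exceeds MIN_LIMIT, `min * 10 + d`
   always fits in an int, so no undefined behaviour is ever executed and
   the result does not depend on -fwrapv.
   Returns the parsed value, or -1 on error. */
int parse_min_pre_check(const char *p)
{
    int min = 0;
    while (isdigit((unsigned char)*p)) {
        int d = *p++ - '0';
        /* min * 10 + d > MIN_LIMIT  <=>  min > (MIN_LIMIT - d) / 10 */
        if (min > (MIN_LIMIT - d) / 10)
            return -1;
        min = min * 10 + d;
    }
    return min;
}
```

Both functions stop at the first non-digit, mirroring the snippet's loop; the test below deliberately feeds overflowing input only to the pre-check version, because running the post-check version on such input would execute undefined behaviour.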