On Sun, Oct 27, 2013 at 01:50:14AM +0200, Hannes Frederic Sowa wrote:
> On Sat, Oct 26, 2013 at 09:29:12PM +0200, Ondřej Bílka wrote:
> > Hi, as I brainstormed how to prevent possible overflows in memory allocation I
> > came up with a heretic idea:
> >
> > For gcc -D_FORTIFY_SOURCE=2 we expand all multiplication with size_t
> > type by one that checks for integer overflow and aborts on it. This
> > would prevent most overflows at the cost of breaking some legitimate
> > applications that use multiplication in clever ways.
> >
> > A less heretic way that is applicable for C++ would be to write a class
> > size_t overflow that would do arithmetic in a saturating way and issue
> > warnings when there is a size_t multiplication.
>
> I am afraid of the false-positive aborts which could result in DoS against
> applications. I like the checked arithmetic builtins LLVM introduced in

How likely is code that uses size_t for something other than size calculation? I did not realize that this has the opposite problem, as a lot of programs still use int for size calculations.

> 3.4 (not yet released) where one can test for overflow manually and handle
> the overflows appropriately. They also generate better code (e.g. they
> use the overflow flag and get inlined on x86 compared to the ftrapv insn).
> As a workaround you can on x64 implement them by macros with inline assembly.
> So I would vote for fast checked arithmetic builtins first.
>
> Greetings,
>
>   Hannes
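The checked-arithmetic approach Hannes argues for, as an added example that is not part of the thread: a size computation that reports overflow to the caller instead of aborting, beside the plain multiplication that silently wraps. It uses the generic `__builtin_mul_overflow` builtin of GCC 5+ and clang rather than the LLVM 3.4-era per-type forms the mail refers to; the function names are ours.

```c
// Added example: overflow-checked size computation before allocation.
// Uses __builtin_mul_overflow (GCC 5+, clang); all function names are ours.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Plain size_t multiplication: on overflow the product wraps modulo 2^N,
 * so a huge request can turn into a small allocation. */
static size_t unchecked_mul_size(size_t n, size_t sz)
{
    return n * sz;
}

/* Checked multiplication: returns false and leaves *out untouched when
 * n * sz does not fit in size_t, so the caller can handle it. */
static bool checked_mul_size(size_t n, size_t sz, size_t *out)
{
    size_t prod;
    if (__builtin_mul_overflow(n, sz, &prod))
        return false;
    *out = prod;
    return true;
}

/* Allocate n elements of sz bytes; NULL on overflow instead of a
 * truncated buffer (no abort, so no DoS from a false positive). */
static void *alloc_array(size_t n, size_t sz)
{
    size_t bytes;
    if (!checked_mul_size(n, sz, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that wraps to 0. */
    size_t big = SIZE_MAX / 2 + 1, bytes = 0;
    printf("unchecked %zu * 2 = %zu\n", big, unchecked_mul_size(big, 2));
    printf("checked 1000 * 16 ok=%d bytes=%zu\n",
           checked_mul_size(1000, 16, &bytes), bytes);
    printf("checked %zu * 2 ok=%d\n", big, checked_mul_size(big, 2, &bytes));
    void *p = alloc_array(big, 2);
    printf("alloc_array on overflow -> %s\n", p ? "buffer" : "NULL");
    free(p);
    return 0;
}
```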