Originally posted by F.Ultra
View Post
Announcement
Collapse
No announcement yet.
Torvalds Voices Thoughts On Linux Mitigating Unexpected Arithmetic Overflows/Underflows
Collapse
X
-
- Likes 1
-
Originally posted by ssokolow View PostThat's an illusion.- The Linux kernel isn't written in ANSI C and never has been. It's written in GNU C and half the effort to compile Linux using LLVM Clang was extending LLVM Clang to implement the relevant portions of GNU C.
Originally posted by Jakobson View PostOkay... How should undefined behaviors be handled then?
Originally posted by Jakobson View PostThey are certainly not defined in the C standard.
If you access pointer variable p after calling free(p) different CPU architectures will behave differently -- on x86 you will be able to dereference p and read the memory it points to unless it was paged out in which case you will get access violation. On some other CPU architectures, even accessing p variable itself without dereferencing it to reach the memory it points to can trigger a trap.
C standard says that after call to free(p) the value of p itself is undefined exactly because it can't guarantee that p hasn't been changed into a magic value that will cause a trap when you try to read it.
Originally posted by Jakobson View PostHow can they be detected and prevented from being written into the OS?
Originally posted by darkonix View PostThe problem is that programmers don't need to pass an exam on the standard they use to be programmers.
Originally posted by darkonix View PostMy 12 years old nephew learned C on his own to program an arduino. I don't expect him to be accepted as a kernel programmer anytime soon but I don't expect him to know these rules.
Originally posted by darkonix View PostHaving rules may be good, but not enough. Isn't it better to automate repetitive, error prone work like ensuring that those rules are followed correctly?
- Likes 1
Comment
-
Originally posted by F.Ultra View Post
Actually there is, doing a proper check for if a signed integer would overflow in C is very complicated to write safely.
- Likes 1
Comment
-
Originally posted by Muddy View PostAs long as you are approaching this from a "this puts the onus on others", *YOU* are the problem.
Be the solution, not the problem.
Only people who creating barely working code/program with lots of "promises" that just empty placeholders, programs with lots and lots annoying bugs - only those people stay at job.
Comment
-
Linus sure got the issue in his crosshairs.
Almost seems as if Linus is saying legacy code works like this so we need to keep it that way.
Programming languages should adopt the best design, not do something a lot of legacy code has been written in.
Look at C's and C++'s adoption of operator precedence.
I'd prefer saturation arithmetic by default and some extra operators and math functions with wraparound integrated without primarily relying on separate helper functions or function overloading.
Some stuff that's compact and easy to mentally work with (low cognitive load).
Comment
-
[QUOTE=CmdrShepard;n1464171]
"C already has plenty of rules on hardening -- MISRA C being the most prominent. Following those is good enough (and has been good enough for medical, automotive, and aerospace industry where lives are at stake) -- the trouble is that young people don't want to read either the standard or the guidelines but instead want to change the standard to suit their narrative."
Truly, I say to you that all that Misra achieves is to highlight how problematic C is.
"All C programs contain undefined behaviour
Ex: 2-line program in Appendix I of MISRA C:2012
"
Last edited by kevlar700; 14 May 2024, 04:40 PM.
- Likes 1
Comment
-
Originally posted by F.Ultra View Post
Had Linux been written in Ada then Linux would have died on 25 August 1991. Half thinking that you are making some form of joke here considering that an unhandled exception due to an signed integer overflow was the reason for the Ariadne 5 crash resulting in a loss of more than $370M ($736M in today:s worth).
Ada is a better language for the Linux kernel than C or Rust will likely ever be. You can makeup whatever irrelevant arguments that you like.
Comment
-
Originally posted by carewolf View Post
Yeah, you can not check for overflow after the fact since it is undefined behavior and compilers are free to optimize based on the assumption that signed overflow never happens (and are thus also allowed to remove any checks you wrote for it, because they can never happen). So you have to detect it _before_ doing the operation that could overflow, without overflowing... Not very reasonable, so use unsigned integers, compiler extensions or write it in assembler.
Comment
-
Originally posted by kevlar700 View PostAda is a better language for the Linux kernel than C or Rust will likely ever be. You can makeup whatever irrelevant arguments that you like.
Having extensively used both Rust and Ada, I find it difficult to see them as overlapping or fighting for the same niche. The two languages/communities put focus on very different things:
[...]
Comment
-
Originally posted by ssokolow View Post
Honestly, he does not seem to know Ada very well at all. It is quite a terrible and misleading post. First Ada is not targeted at any niche at all but was specified by the D.O.D. to replace ALL of the over 450 languages that they had in use. Also, Ada was specified to be designed for embedded and hardware use and so is far better at doing so as well as at network protocols than C or Rust. Drowning in type information noise is simply nonsense. Ada has been demonstrated a number of times to meet it's other primary design goals of readability and maintainability with reduced project lifetime costs when compared to C and Java.
He doesn't even seem to understand that one option is the Ada light runtime which runs on basically any chip without effort and still provides for most of Adas features.Last edited by kevlar700; 14 May 2024, 08:19 PM.
Comment
Comment