| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Feb 2007 14:03:06 -0800 (PST)
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: J.A. Magallón <jamagallon@....com>
cc: Jan Engelhardt <jengelh@...ux01.gwdg.de>,
Jeff Garzik <jeff@...zik.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: somebody dropped a (warning) bomb
On Thu, 8 Feb 2007, Linus Torvalds wrote:
>
> But THE CALLER CANNOT AND MUST NOT CARE! Because the sign of "char" is
> implementation-defined, so if you call "strcmp()", you are already
> basically saying: I don't care (and I _cannot_ care) what sign you are
> using.
Let me explain it another way.
Say you use
signed char *myname, *yourname;
if (strcmp(myname,yourname) < 0)
printf("Ha, I win!\n")
and you compile this on an architecture where "char" is signed even
without the explicit "signed".
What should happen?
Should you get a warning? The types really *are* the same, so getting a
warning sounds obviously insane. But on the other hand, if you really care
about the sign that strcmp() uses internally, the code is wrong *anyway*,
because with another compiler, or with the *same* compiler on another
architecture or some other compiler flags, the very same code is buggy.
In other words, either you should get a warning *regardless* of whether
the sign actually matches or not, or you shouldn't get a warning at all
for the above code. Either it's buggy code, or it isn't.
Warning only when the sign doesn't _happen_ to match is crap. In that
case, it's not a warning about bad code, it's a warning about a bad
*compiler*.
My suggestion is that if you *really* care about the sign so much that you
want the sign warning, make it really obvious to the compiler. Don't ever
call functions that have implicit signs. Make even "int" arguments (which
is well-defined in its sign) use "signed int", and then you can make the
compiler warn if anybody ever passes it an "unsigned int".
Never mind even a pointer - if somebody actually took the time and effort
to spell out "signed int" in a function prototype, and you pass that
function an unsigned integer, maybe a warning is perfectly fine. Clearly
the programmer really cared, and if he didn't care about the sign that
much, he could have used just "int".
Conversely, if somebody has a function with a "unsigned int" prototype,
and you pass it a regular "int", a compiler shouldn't complain, because an
"int" will just silently promote to unsigned. But perhaps the programmer
passes it something that he had _explicitly_ marked with "signed int".
Would it make sense to warn then? Makes sense to me.
And no, none of this is about "strict C standards". All of it is about
"what makes sense". It simply doesn't make sense to complain about the
sign of "char", because it's not something that has a very hard
definition. Similarly, you shouldn't complain about regular "int"
conversions, because they are normal, and the standard defines them, but
maybe you can take a hint when the programmer gives you a hint by doing
something that is "obviously unnecessary", like explicitly saying that
"signed int" thing.
Just an idea.
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists