You’re not going to MAD_FREE on the stack. Duh.
Conversation
That's likely glibc what is going to be doing for their stack cache since MADV_DONTNEED is a significant performance cost for their implementation, and it doesn't become a non-issue if restricted to malloc since it still means that uninitialized memory can change between reads.
1
4
Reading uninit data being undefined instead of locking it to an unspecified value permits massive optimizations like MADV_FREE and more efficient register allocation/spilling. Similarly, other memory safety issues being undefined permits optimization / freedom of implementation.
1
5
Many programs have bugs where they read data that has just been freed, but handle it being an arbitrary value. The issue is often benign with common allocators. However, with other implementations the access will fault and they crash. It's good it's not required to let it work.
2
3
Also, signed overflow being undefined rather than defined as wrapping means that more secure implementations where it traps are permitted. Passing -fsanitize=signed-integer-overflow -fsanitize-trap=signed-integer-overflow is standards compliant and used for hardening in AOSP.
3
5
Similarly, lots of other UB that's easy to catch with simple branches at runtime (not most memory and type safety issues, but lots of other bugs) can be made to trap while remaining standards compliant, including enforcing not dereferencing outside many objects with object-size.
1
Implementations of memory safety for C via fat pointers, etc. also depend on these things being undefined. By making it acceptable to index from one object into another and dereference the pointer, you would be forbidding memory safe implementations of C which are very important.
1
If the fat pointers define new behavior then it’s ok for that definition to contradict “classic C”. C making it defined or not only enables you to “say” that a secure version of C is “compliant”. It’s not a bad thing if you had to say that it was non compliant to classic C.
1
They don't define any new behavior. They catch undefined behavior like out-of-bounds accesses and use-after-free. These things are already broken and non-portable. C is deliberately very portable and permits implementations that are memory safe. It even permits using a GC.
2
You keep saying what C *is* which isn't relevant to me, since I'm proposing what it *should be*. (More specifically, I think that like many folks, I want an -fno-bullshit, which turns off optimizations introduced by people who don't understand C.)
1
1
I think it's you that doesn't understand C. The whole point behind the C standard is that it's extremely portable and permits a broad range of implementation choices and aggressive optimization. You want a new variation of the language, which is fine, but I don't think it helps.
Millions of lines of C code uses things that the spec doesn’t allow and it works because compilers can’t really do all the things that the spec allows without breaking real code. That confirms my understanding, not yours.
1
Sure, and most C code is full of memory corruption bugs even including lots of latent memory corruption that occurs in regular usage rather than just edge cases (like an exploit). I'm well aware that real world C code is filled with lots of undefined behavior. It hinders my work.
1
Show replies
These issues are not the practical issues with it in the real world. Making all these little things well defined doesn't fix that C code is plagued by type and memory safety errors, which lead to software being extremely unsafe, unreliable and vulnerable. It's mostly academic.
1
All of those type safe systems are written in the C of my understanding. You can’t write a GC or malloc without “misusing” C. That’s a real problem. Separately, it’s interesting to explore how to make a secure C, but that would be a distinct language.