I just made the opposite point: that MTE works fine if the language is spec'd the way I'm proposing. It allows them to be used as designed by removing the notion of malloc from the language.
Conversation
It doesn't only impact malloc. It's designed to be usable for stack frames instead of stack canaries too. It also impacts usage of the pointers derived from what gets returned by malloc even in an implementation only using it for malloc. It doesn't only impact the malloc memory.
2
2
None of what I said relies on this being restricted to impacting malloc. You don't need UB in the language to say that stack canaries are a thing.
2
I'm talking about memory tagging as a replacement for stack canaries, not stack canaries. I'm not sure why you're responding about stack canaries. Memory tagging the stack frame makes it so that trying to use pointers to the stack frame to access memory outside it will trap.
1
1
Memory tagging works fine with the spec I'm proposing. So do stack canaries. I'm making the point that the security technologies that you are interested in (and that I'm also interested in) work fine if the language is more strongly specified.
1
Sure, and as I've stated many times in this conversation, I would like for C to be more strongly specified. However, defining something like signed integer overflow as guaranteed to wrap would be a step backwards for implementations that want to make it safer such as trapping.
2
2
But making it traps breaks real C code, so it can't be what the spec says.
Good specs respect their existing clients!
1
Forbidding trapping also breaks widely deployed existing implementations, so you can't do that either per your own rules, sorry.
1
1
This Tweet was deleted by the Tweet author. Learn more
It's always implemented in software via hardware features. The features vary in performance. Jump-on-overflow is a lot worse than architectures with support for enabling a trapping mode, whether it's strict or propagates a poison value that can never be accessed (since it traps).
1
1
Hardware doesn't implement C, so there isn't a standard behavior defined by hardware. It's up to the compiler to map C onto the hardware or the virtual machine. They get to choose how to handle each kind of undefined or implementation defined behavior, and everything else.
I think you're getting hung up on this idea that if the spec doesn't leave something undefined, then implementations can't *ever* deviate from what otherwise would be defined. It just means that they can't deviate by default. You can pass flags that change behavior.
1
No, that's not what I've been saying. I think it would be a serious regression to break compatibility with safe implementations by making it correct to be incompatible with them. You want to massively roll back safety and security, especially if you want to remove it by default.
2
1
Show replies
Clang could decide they want to implement a fully portable, well-defined behavior for overly long shifts. That could mean trapping, or it could mean choosing a common hardware behavior and matching it everywhere. They do a lot of this. They aren't just exposing hardware features.
1
Yeah, and I'm arguing for masking the shift amount.
1
Show replies