Just found this wonderful example of LLVM's optimisers taking non-constant-time cryptographic code in C and turning it into either non-constant-time assembly or—somewhat surprisingly—constant-time assembly, depending on the specified optimisation level: reparaz.net/oscar/misc/cmo
After finding out that clang turns while(1); into nothingness at -O2 and above (against spec), I really don't trust its optimizer to do the right thing.
Just curious, why do you say it is against spec? Both paper-written and formally-verified (i.e. CompCert) C specs allow that.
No, they don't. That's only the case for C++ with C++11 and later. C11 allowed assuming that loops without side effects terminate in some cases, but it's not allowed when the loop condition is a constant expression, and that wasn't permitted for previous standards.
LLVM also isn't only a C and C++ compiler. It's not only broken for C but also for languages like Rust. In Rust, it breaks the memory safety guarantees, and it can be encountered while trying to make code compile by using ! and satisfying it with something like loop {}, which it breaks.