Linus Torvalds Over Flows On Overflows In C
Wednesday, 15 May 2024

You may think of Linus Torvalds as the Linux guru, but he is also a leading expert on C and often ignored and misunderstood in this role. A recent exchange on the Linux Kernel mailing list demonstrates just how big the gap can be. And, yes, it's an example of Linus at his explosive best!

We all know about arithmetic overflow and most of us think it's a bad thing - something to be avoided at all costs. We can point to horrendous examples of computations that failed because the original programmer chose too small a variable type to hold the result of an operation in all cases. So most programmers think that overflow should be tracked down and flagged by static analysers if at all possible. Except, of course, any reasonable C programmer who knows about bits and how things work, knows that overflow, or wrap-around in the unsigned case, is far from undesirable - it is a powerful tool and often used to achieve something perfectly sensible.

You could say that this understanding is a good test of whether or not a C programmer is a real C programmer or an escapee from a high level language.

The point is also that C is like this, not because it is a 50-year old throwback and a primitive language, but because it serves the purposes of  low-level programmers like Linus who know their bits.


So when Kees Cook, a Google programmer, started a discussion of how to deal with overflow in the kernel, you could have guessed that something was about to hit the fan. Cook suggested using a sanitizer to scan the code and flag possible overflow errors, or introducing operator overloading so that the programmer can explicitly handle the error.

Linus responded quickly, pointing out that:

"The thing is, wrap-around is not only well-defined it's *common*, and *EXPECTED*."

He goes on to explain the sort of places it is used to good effect. In computing a hash value, for example, wrap-around is part of the computation. He also points out that wrap-around is actually used to detect overflow:

unsigned int a, b;
if (a + b < a) ...   /* the sum wrapped, so it did not fit */

Compare this to the ludicrous situation we find ourselves in with the signed version of this program. In this case signed overflow is undefined behavior and this designation allows compiler writers to simply state that signed overflow cannot happen in a valid program - so they delete the test! This makes testing for signed overflow very difficult without resorting to compiler- or machine-specific tricks as you have to detect it before it happens.
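The contrast between the two cases, as an added example that is not part of the article or the LKML thread: a small FNV-1a hash in which the unsigned multiply is meant to wrap, the unsigned after-the-fact test Linus quotes, and the signed check that has to be made before the addition because the overflowed result cannot be inspected legally. The function names and the FNV constants are mine; the GCC/Clang `__builtin_add_overflow` is the "compiler-specific trick" the text alludes to.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: 32-bit FNV-1a. The unsigned multiply wraps modulo
 * 2^32 on purpose; that wrap-around IS the hash, not a bug to flag. */
uint32_t fnv1a_32(const char *s)
{
    uint32_t h = 2166136261u;          /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;                /* FNV prime; wraps by design */
    }
    return h;
}

/* Unsigned: wrap-around is defined, so the wrapped result itself tells us
 * the sum did not fit. This is the test quoted in the thread. */
bool uadd_wrapped(unsigned int a, unsigned int b, unsigned int *sum)
{
    *sum = a + b;                      /* defined: reduced modulo UINT_MAX+1 */
    return *sum < a;
}

/* Signed: overflow is undefined, so the check must run BEFORE the addition.
 * An after-the-fact `a + b < a` on ints may be deleted by the optimiser. */
bool sadd_overflows(int a, int b, int *sum)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return true;                   /* would overflow; *sum left untouched */
    *sum = a + b;
    return false;
}

/* The compiler-specific alternative (GCC/Clang): the builtin computes the
 * result in infinite precision and reports whether it fit in *sum. */
bool sadd_overflows_builtin(int a, int b, int *sum)
{
    return __builtin_add_overflow(a, b, sum);
}

int main(void)
{
    unsigned int us;
    int ss;
    printf("fnv1a(\"a\") = 0x%08x\n", fnv1a_32("a"));
    printf("UINT_MAX + 1 wraps: %d\n", uadd_wrapped(UINT_MAX, 1u, &us));
    printf("INT_MAX + 1 overflows: %d\n", sadd_overflows(INT_MAX, 1, &ss));
    printf("builtin agrees: %d\n", sadd_overflows_builtin(INT_MAX, 1, &ss));
    return 0;
}
```

The point a tool has to get right is that the first function and the second both rely on wrap-around and are correct; only the third and fourth are dealing with a case where the result must never wrap, and they do so by never letting the undefined operation execute.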

Linus went on to say that

"a tool that complains about wrap-around in the above is absolutely broken sh*t and needs to be ignored."

and

"Put another way the absolute first and fundamental thing you should look at is to make sure tools do not complain about sane behavior."

This is getting to the heart of the matter. A real C programmer would find wrap-around perfectly sane behavior.

What might surprise you at this point is that from here the discussion becomes much more reasonable with Linus outlining some conditions in which things might go wrong in ways that are unexpected. He points out that sometimes we get unsigned arithmetic without realizing and that there are patterns which suggest unsafe wrap-around - for example when computing the size of something.
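The size-of-something pattern, as an added example that is neither the article's nor the kernel's code: a byte count computed as count times element size, where a wrapped product yields a buffer far smaller than the number of elements that will later be written into it. The unchecked helper shows the silent wrap; the checked helpers decide before multiplying whether the product fits. Function names and the constructed `big` count are my own; `__builtin_mul_overflow` is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the multiply wraps silently. A huge `count` produces a
 * tiny byte count, and a loop writing `count` elements then runs off the end. */
size_t bytes_unchecked(size_t count, size_t elem)
{
    return count * elem;               /* wraps modulo SIZE_MAX+1 */
}

/* Checked: here wrap-around is the wrong answer, so test BEFORE multiplying.
 * count * elem fits iff count <= SIZE_MAX / elem (elem == 0 cannot wrap). */
bool bytes_checked(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;                  /* product would wrap */
    *out = count * elem;
    return true;
}

/* Same decision via the GCC/Clang builtin: true when the product fit. */
bool bytes_checked_builtin(size_t count, size_t elem, size_t *out)
{
    return !__builtin_mul_overflow(count, elem, out);
}

/* Allocate an array only when the size computation did not wrap. */
void *alloc_array(size_t count, size_t elem)
{
    size_t bytes;
    if (!bytes_checked(count, elem, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t bytes;
    /* Constructed input: SIZE_MAX/8 + 2 elements of 8 bytes wraps to 8 bytes,
     * on both 32- and 64-bit size_t. */
    size_t big = SIZE_MAX / 8 + 2;
    printf("unchecked byte count: %zu\n", bytes_unchecked(big, 8));
    printf("checked rejects it: %d\n", !bytes_checked(big, 8, &bytes));
    void *p = alloc_array(big, 8);
    printf("alloc_array returned %s\n", p ? "memory" : "NULL");
    free(p);
    return 0;
}
```

This is the kind of targeted case the thread ends up converging on: a tool that flags the wrapped multiply feeding an allocation is useful; one that flags every unsigned wrap in the code base is noise.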

The real thing that Linus is trying to protect us from is:

"Don't think of wrap-around as some "global evil"
like you seem to do. Think of it as wrong in
_specific_ cases, and see if you can target
those cases."

Read the rest of the exchange. It neatly illuminates the difference between C and other languages.


  • Mike James is currently working on a new book, Deep C Dives: Adventures in C Programming, to be published by I/O Press. In it he argues that C is all about bits and bit patterns and that understanding the bits is what distinguishes a true C programmer. And, of course, he looks at the aspects of C that make it a powerful language that is close to the metal.

More Information

[RFC] Mitigating unexpected arithmetic overflow

Related Articles

C++ In The Linux Kernel?

Linus Returns A Reformed Character

Linux Adopts New Code of Conduct; Linus Apologizes and Takes a Break

Linus On Linux And Strong Language

GCC Gets An Award From ACM And A Blast From Linus

Linus Torvalds Receives IEEE Computer Pioneer Award

Linus Torvalds interview - the early years

Linus Torvalds is now a US Citizen

Linux To Move To C11

Last Updated ( Wednesday, 15 May 2024 )