Malcolm: The state of static analysis in the GCC 12 compiler
source link: https://lwn.net/Articles/891062/
Some other languages, such as Perl, can track input and flag any variable that should not be trusted because it was read from an outside source such as a web form. Flagging variables in this manner is called tainting. After a program runs the variable through a check, the variable can be untainted, a process called sanitization.
Our GCC analyzer's taint mode is activated by -fanalyzer-checker=taint (which should be specified in addition to -fanalyzer). Taint mode attempts to track attacker-controlled values entering the program and to warn if they are used without sanitization.
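A small C file to try taint mode on, added here as an example and not taken from the article: a value read with fread() is used as an array index, first without a check and then after sanitization. The names table, struct request and make_input are hypothetical, and the input record is constructed.

```c
/* Added example (not from the article). Analyze with GCC 12 or later:
 *   gcc -fanalyzer -fanalyzer-checker=taint -c taint_demo.c */
#include <stdio.h>

#define TABLE_LEN 4
static const char table[TABLE_LEN] = { 'a', 'b', 'c', 'd' };

struct request { int idx; };   /* constructed record layout (assumption) */

/* Unsanitized: idx arrives from the file and indexes the array directly. */
int lookup_unchecked(FILE *f)
{
    struct request req;
    if (fread(&req, sizeof req, 1, f) != 1)
        return -1;
    /* The kind of use taint mode is meant to report
     * (-Wanalyzer-tainted-array-index): no bounds check on req.idx. */
    return table[req.idx];
}

/* Sanitized: both bounds are checked before the value is used. */
int lookup_checked(FILE *f)
{
    struct request req;
    if (fread(&req, sizeof req, 1, f) != 1)
        return -1;
    if (req.idx < 0 || req.idx >= TABLE_LEN)
        return -1;              /* reject out-of-range input */
    return table[req.idx];
}

/* Hypothetical helper: builds a temporary file holding one record. */
FILE *make_input(int idx)
{
    struct request req = { idx };
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    if (fwrite(&req, sizeof req, 1, f) != 1) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    return f;
}

int main(void)
{
    FILE *f = make_input(100);  /* constructed out-of-range index */
    if (f == NULL)
        return 1;
    printf("checked lookup of index 100 -> %d\n", lookup_checked(f));
    fclose(f);
    return 0;
}
```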
Posted Apr 12, 2022 14:03 UTC (Tue) by IanKelling (subscriber, #89418) [Link]
Posted Apr 12, 2022 14:12 UTC (Tue) by dave_malcolm (subscriber, #15013) [Link]
FWIW, I've written up a much more barebones version of the material for the GCC 12 release notes here:
Posted Apr 12, 2022 14:44 UTC (Tue) by IanKelling (subscriber, #89418) [Link]
Posted Apr 12, 2022 14:17 UTC (Tue) by Paf (subscriber, #91811) [Link]
Why is there this religious objection to the idea that *someone else’s* proprietary code might execute on your CPU while you’re looking at their website? But heck, even granting that, do you also disable CSS? HTML5 + CSS can and is used to program quite complex web apps and they’re not any more open source than your average blob of JavaScript.
Posted Apr 12, 2022 14:41 UTC (Tue) by IanKelling (subscriber, #89418) [Link]
It is not religious. As the link I posted explains the objection in the first 2 sentences:
In the free software community, the idea that [any nonfree program mistreats its users](https://www.gnu.org/philosophy/free-software-even-more-im...) is familiar. Some of us defend our freedom by rejecting all proprietary software on our computers.
> HTML5 + CSS can and is used to program quite complex web apps
I'm not aware of that happening. Can you point to an example?
Posted Apr 12, 2022 15:59 UTC (Tue) by excors (subscriber, #95769) [Link]
> I'm not aware of that happening. Can you point to an example?
As a slightly silly example, there's a JS-free playable version of Minesweeper at https://codepen.io/bali_balo/pen/BLJONZ . (It uses some server-side scripting to generate the HTML and CSS code, and it looks like the clickable squares are <label>s linked to checkboxes to store the state of your clicks, then the rest is using CSS selectors to render the scene based on that state. That seems easily generalisable to many kinds of interactive applications.)
Posted Apr 12, 2022 15:47 UTC (Tue) by brunowolff (guest, #71160) [Link]
For that page the restriction was silly. Disabling style for the page made it display reasonably, so it doesn't appear that JavaScript support should have been tested for.