[tor-bugs] #17983 [Tor]: Build tor with -fwrapv by default

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 7 02:45:53 UTC 2016


#17983: Build tor with -fwrapv by default
-------------------------+------------------------------------
 Reporter:  teor         |          Owner:
     Type:  enhancement  |         Status:  new
 Priority:  Medium       |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor          |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+------------------------------------

Comment (by teor):

 Replying to [comment:6 nickm]:
 > I've just heard an alternative proposal: that we should build (most of?)
 > Tor with -ftrapv rather than -fwrapv.
 >
 > Rationale: Chandler from the LLVM project looked at wrapping signed
 > arithmetic in some really huge codebases, to see if there was much buggy
 > code that assumed that wrapping would happen.  What he found instead: that
 > in (nearly?) every case, no overflow behavior would have been correct: the
 > code was buggy for any possible semantics of signed overflow.  In these
 > cases, using -fwrapv turns buggy undefined behavior into other buggy (but
 > defined) behavior, rather than making any code correct.
 >

 I think this is an excellent idea!

 In 0.2.6 and 0.2.7, I built with -ftrapv regularly, and reported the
 resulting integer overflow issues as they crashed my tor instances.

 However, -ftrapv might cause crashes in 0.2.8-stable if we don't test it
 well enough.

 It's also worth noting that --enable-gcc-hardening and the hardened Tor
 Browser series both build with -fwrapv. Maybe we should come up with a
 consistent approach?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17983#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
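
Added example (not part of the original message, and not Tor code): a constructed size calculation illustrating the rationale quoted above. With -fwrapv the overflowing product becomes a defined but wrong length, with -ftrapv the same multiplication aborts the process, and only a check made before multiplying is correct under either flag. The names total_wrapping and total_checked are hypothetical, and a 32-bit int is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* The value `count * item_size` takes under -fwrapv: two's-complement
 * wraparound. Emulated with unsigned arithmetic so this function is
 * well-defined whatever flags the file is built with. */
static int32_t total_wrapping(int32_t count, int32_t item_size)
{
    uint32_t product = (uint32_t)count * (uint32_t)item_size;
    /* Out-of-range conversion is implementation-defined;
     * gcc and clang reduce it modulo 2^32. */
    return (int32_t)product;
}

/* Correct under any overflow semantics: reject the inputs before
 * multiplying. Returns 0 and stores the product on success, -1 if an
 * input is negative or the product would not fit in int32_t. */
static int total_checked(int32_t count, int32_t item_size, int32_t *out)
{
    if (count < 0 || item_size < 0)
        return -1;
    if (item_size != 0 && count > INT32_MAX / item_size)
        return -1;
    *out = count * item_size; /* cannot overflow after the checks above */
    return 0;
}

int main(void)
{
    /* Constructed inputs: both products exceed INT32_MAX. */
    int32_t total = 0;
    printf("wrapping 65536*65536 = %d\n", total_wrapping(65536, 65536));
    printf("wrapping 46341*46341 = %d\n", total_wrapping(46341, 46341));
    printf("checked  65536*65536 : %s\n",
           total_checked(65536, 65536, &total) == 0 ? "ok" : "rejected");
    printf("checked  46340*46340 : %s\n",
           total_checked(46340, 46340, &total) == 0 ? "ok" : "rejected");
    return 0;
}
```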