[Zlib-devel] To ASM or not to ASM?
Cosmin Truta
cosmin at cs.toronto.edu
Sat Oct 4 19:34:29 EDT 2003
On Sat, 4 Oct 2003, Mark Adler wrote:
> On Saturday, October 4, 2003, at 11:29 AM, Cosmin Truta wrote:
> > Think about the zlib-1.1.3 double-free bug, that existed for years and
> > resisted against countless uses, until 2002!
>
> Well, actually that bug was reported about three months after 1.1.3 was
> released and I immediately provided a patch to fix it. This was around
> June 1999. It was entirely my mistake that I didn't realize the import
> of the patch and release a new zlib right away. It wasn't until a CERT
> advisory on the bug almost three years later that we released a new
> version.
All right, but the CERT advisory was issued because someone reported a
crash in a PNG-processing application (wasn't it?). Why wasn't the crash
(and the advisory) issued a few years earlier? There was an earlier bug
report, all right, but how many times was zlib-1.1.3 used in the meantime?
To answer this question, one has to consider the total number of
times that all the users in this world decompressed deflate streams.

What I was trying to point out is the well-known, fundamental problem
raised by testing: presence of defects can be proven, but lack of
defects cannot. Hand-written ASM code poses a significantly increased
risk. The statement "we tested it" is by no means an assurance, unless
we devise a careful white-box test suite which covers all the possible
branches and scenarios that can occur in the deflation code.

If we are determined to do this, we can start by writing a suite of
deflate streams that satisfy a coverage test. The gcc/gcov pair can be
really helpful here.

Cosmin
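The suite of deflate streams suggested above, as an added example that is not part of the original post and not zlib's own test code. It uses Python's zlib binding to generate streams from a handful of constructed inputs across the compression levels, strategies and window settings that steer deflate into its different block types (stored, fixed Huffman, dynamic Huffman, run-length, sync-flush points), and it goes slightly beyond the post by also covering the raw, zlib and gzip wrappers. Each stream is inflated back and checked for an exact round trip and a clean end of stream; the streams can then be written to files and fed to a build of the decoder instrumented for gcov. The input values, setting names and the `.deflate` file naming are assumptions of this example.

```python
import random
import zlib

# Constructed inputs, each chosen to steer deflate down a different path:
# empty and one-byte streams, long repeats (length/distance codes), ordinary
# text (dynamic Huffman trees) and incompressible bytes (stored blocks).
SAMPLE_INPUTS = {
    "empty": b"",
    "single_byte": b"A",
    "repetitive": b"abc" * 20000,
    "text": b"the quick brown fox jumps over the lazy dog " * 200,
    "incompressible": bytes(random.Random(1234).getrandbits(8) for _ in range(70000)),
}

# (label, level, strategy): stored blocks, fast and slow matching, fixed
# Huffman blocks, Huffman-only and run-length-only strategies.
CODEC_SETTINGS = [
    ("stored", 0, zlib.Z_DEFAULT_STRATEGY),
    ("fast", 1, zlib.Z_DEFAULT_STRATEGY),
    ("dynamic", 6, zlib.Z_DEFAULT_STRATEGY),
    ("fixed", 6, zlib.Z_FIXED),
    ("huffman_only", 6, zlib.Z_HUFFMAN_ONLY),
    ("rle", 9, zlib.Z_RLE),
]

# Window settings: zlib wrapper, raw deflate, gzip wrapper, small window.
WINDOW_BITS = [15, -15, 31, 12]


def build_sync_flushed(data, wbits, chunk=4096):
    """Compress in chunks with Z_SYNC_FLUSH between them, so the stream
    contains the empty stored blocks that sync points produce."""
    c = zlib.compressobj(6, zlib.DEFLATED, wbits)
    out = b""
    for i in range(0, len(data), chunk):
        out += c.compress(data[i:i + chunk]) + c.flush(zlib.Z_SYNC_FLUSH)
    return out + c.flush()


def build_corpus():
    """Return {name: (wbits, original, stream)} for every input/setting combination."""
    corpus = {}
    for name, data in SAMPLE_INPUTS.items():
        for wbits in WINDOW_BITS:
            for label, level, strategy in CODEC_SETTINGS:
                c = zlib.compressobj(level, zlib.DEFLATED, wbits, 8, strategy)
                corpus[f"{name}-{label}-w{wbits}"] = (wbits, data, c.compress(data) + c.flush())
            corpus[f"{name}-syncflush-w{wbits}"] = (wbits, data, build_sync_flushed(data, wbits))
    return corpus


def check_roundtrip(corpus):
    """Inflate every stream and return the names of those that do not reproduce
    the original exactly, do not reach end-of-stream, or leave bytes unconsumed."""
    failures = []
    for name, (wbits, original, stream) in corpus.items():
        d = zlib.decompressobj(wbits)
        try:
            recovered = d.decompress(stream) + d.flush()
        except zlib.error:
            failures.append(name)
            continue
        if recovered != original or not d.eof or d.unused_data:
            failures.append(name)
    return failures


def write_corpus(corpus, directory):
    """Write each stream to <directory>/<name>.deflate (naming is this example's
    own choice) so the files can be fed to a decoder built with
    -fprofile-arcs -ftest-coverage and the branch coverage read with gcov."""
    import pathlib
    path = pathlib.Path(directory)
    path.mkdir(parents=True, exist_ok=True)
    for name, (_, _, stream) in corpus.items():
        (path / f"{name}.deflate").write_bytes(stream)


if __name__ == "__main__":
    corpus = build_corpus()
    print(f"{len(corpus)} streams generated, round-trip failures: {check_roundtrip(corpus)}")
```

The round-trip check is deliberately strict: a stream that inflates to the right bytes but never reports end-of-stream, or that leaves trailing bytes unconsumed, is reported as a failure, because those are exactly the cases where a decoder silently accepts a malformed stream. The gcov report then shows which branches of the decoder the corpus never reached, which is where new inputs should be added.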