GCC 4.3.0 Exposes a Kernel Bug

ohxten sends news from earlier this month that GCC 4.3.0's new behavior of not clearing the direction flag before a string operation on x86 systems poses problems with kernels — such as Linux and BSD — that do not clear the direction flag before a signal handler is called, despite the ABI specification.

Yep,

[EkriirkE]

That's what happens when you don't clear that STD...

Re:Yep,

[Creepy+Crawler]

---That's what happens when you don't clear that STD...

And the answer is to.... use condoms?

And I thought we were here discussing bugs between GCC and LK.

Re:Yep,

[EkriirkE]

Some CLD will clear that STD, silly!

Re:Yep,

[cralewyth]

All it really needs is some TLC.

so what

[Brian+Gordon]

OK so the kernel developers add a single line of code, the bugzilla ticket is closed, and we get on to real news?

Re:so what

[OverlordQ]

FTFA:

This problem has existed for 15 years; GCC has always emitted code that worked correctly on kernels that did not follow the ABI, until now.

Part of the problem is that there are an enormous number of installed kernels that are vulnerable to this problem, but only if GCC 4.3 is installed.

That's, quite literally a fuckton of systems. So simply patching new kernels isn't going to make the problem go away.

Re:so what

[Creepy+Crawler]

Over-reacting a bit, arent we?

This bugfix is easily regressed, and has already been done.

If somebody wants to stick with a buggy kernel, they can use an older version of GCC. It's not like older stable ones put out horrible binary or anything (we need to exempt RH using 2.96, cause that was ages ago).

Re:so what

[evanbd]

Unless, of course, it turns out to be a security hole. The sysadmin installed GCC isn't the only way code gets on to systems. Besides, a lot of packages are shipped as binaries built with modern GCC, whatever that may be. This is going to be a pain to fix, even though the fix is simple.

Re:so what

[William+Robinson]

OK so the kernel developers add a single line of code, the bugzilla ticket is closed, and we get on to real news? p>

Yes, Probably, a single line of code might fix it. (And I won't even call it a bug.)

But before getting over this, I want to say kudos to gcc developers who have taken care to warn about this.

Re:so what

[RML]

You have read incorrectly. The bug occurs when applications compiled with the brand new GCC 4.3 are run on old kernels, regardless of what compiler was used to compile the kernel.

Re:so what

[Profane+MuthaFucka]

I'm a consultant, and I'm wondering what the billing rate times a fuckton is going to total out to.

Re:so what

[serviscope_minor]

Is a fuckton more or less than a metric assload?

Re:so what

[und0]

Nope.

It's related on how the GCC assumes the kernel sets the state of a flag before calling a function (signal handler), and this happens for compiled applications in userland with newer GCC (4.3.0).

I don't recall the gory details, on Sid with the latest (of today) version of libc6, SBCL exposes the bug (crashes). There aren't big differences between libc 2.7-8 and 2.7-9, but the second was compiled with the newer GCC. Kudos to Aurelien Jarno, a Debian developer, who isolated the bug and pushed a patch upstream. http://lkml.org/lkml/2008/3/5/207

Re:so what

[Codifex+Maximus]

Ok, I read the article and alot of the comments.

Seems to me the easy and correct thing to do would be to use deprecation. i.e. keep the old functionality for a bit longer and also patch or make the new kernels properly set the flag right now. This way, we move in the right direction and when it's no longer an issue then we drop the functionality in the compiler and rely on the kernel setting the flag like it's supposed to do.

Now, I see why the kernels have not been setting the flag. Why should they when the compiler was doing it? Time to set things right though... in the interests of portability with other environments and compilers. Having the kernels setting the flag starting now would satisfy ABI compatibility with the other compilers AND having gcc continue to cover the flag, by default for a time, would prevent breakage of alot of existing code.

Seems like a no brainer to me. After all, isn't that what deprecation is for?

That's my take on it...

Re:so what

[torstenvl]

Actually - and I attribute this to good ol' BK - GCC *could* make the problem go away, by recognizing when it is compiling the kernel, and inserting the code itself.

Just sayin'.

Read this -- http://cm.bell-labs.com/who/ken/trust.html

Re:so what

[Vlad_the_Inhaler]

From what I saw of TFA, this is being done. An updated GCC is being pushed and I suppose that this reversion to the previous behaviour will be backed out again at some point.

Interesting was:

• GCC was the exception in this case - other C compilers always did it this way
• While it affects some programs running under Linux or BSD, this GCC update appears to nuke Hurd completely.

Re:so what

[qbwiz]

Of course, the security holes will only be in programs that were compiled with GCC 4.3.0. It's not as if some unprivileged user could cause problems merely by compiling something with a new version of GCC, but it will still be a problem if a trusted person uses GCC 4.3.0 to compile and run a program which would become exploitable.

Re:so what

[dargaud]

Maybe it needs an entry for us regular programmer...

Re:so what

[RupW]

now that GCC isn't turning out broken binaries, old kernels will be unable to run them GCC never turned out broken binaries. It turned out overly-conservative binaries that cleared the direction flag even when the ABI spec said it could assume the flag was already clear.

Re:so what

[petermgreen]

Well afaict the debian developers plan to modify gcc 4.3 so it behaves in the old way to reduce the risk of crashes when upgrading from one version of debian to the next. Dunno if gcc upstream will agree on that reasoning though. This isn't perfect though, even before gcc's behaviour changed there was still a risk that a signal handler would break the code that it interrupted.

Afaict this bug only affects a relatively small number of apps because little code messes with the direction flag in the first place

Re:so what

[larry+bagina]

at least nothing of value is affected.

Re:so what

[Eunuchswear]

You never use memmove(3)?

Re:so what

[xaxa]

It depends, the US Fuckton is less than a metric assload, but the Imperial Fuckton, previously used in the UK, was more.

NB The use of 'assload' without the 'metric' qualifier is discouraged, the customary US assload being a much greater mass.

Kernel bug

[Harmonious+Botch]

Better than a general fault.

Re:Kernel bug

[clickety6]

nut not as good as a major screw-up or even a private error

Re:GCC is wrong

"Rule #1: Don't break existing stuff"

The ABI wasn't being followed correctly, hence GCC, Linux and the BSD kernels were already broken.

"GCC breaks this cardinal rule. It should be reverted."

It is not a wise idea to revert corrections to long standing issues.

Re:GCC is wrong

[bkaul01]

So, are we going to get on GCC's case for enforcing standards compliance and thus breaking backwards compatibility while insisting that Microsoft should take the opposite approach with IE8?

Re:GCC is wrong

"Rule #1: Don't break existing stuff"

GCC is in the business of creating new and better optimizations. It is pretty much impossible to make optimizations without assuming things in the ABI. As more and more stuff from the ABI is assumed in the optimizations, people get away with less violations of the ABI, but without assuming more stuff, faster optimizations wouldn't happen.

Because the newest versions of GCC are necessary to improve the state of the art in C compiler optimizations in the open source world, the appropriate reaction to this is to have the compiler people follow the spec, and assume the spec, and if assuming the spec breaks something, the people affected by the breakage don't upgrade their compilers.

This is why there are still people using GCC versions from the stone age.

Re:GCC is wrong

[BadAnalogyGuy]

I suppose this might be a longstanding issue if Linux was Unix.

EVERYBODY PANIC!!!

GCC 4.3.0's new behavior of not clearing the direction flag before a string operation on x86 systems poses problems with kernels -- such as Linux and BSD -- that do not clear the direction flag before a signal handler is called, despite the ABI specification.

Oh my GOD! If this is true, that means- that means-- it... the-

Uh, what does it mean exactly?

Re:EVERYBODY PANIC!!!

[EkriirkE]

When scanning strings for, say, a null terminator the direction flag determines if the current memory register gets incremented or decremented after each byte check. It could mean strlen returns 0 if your strings are grouped together in a segment of memory, or it just plain return the wrong result. Also memory copy routines could copy the wrong part of memory to the wrong place and overwrite executable code (or just cause a page/segment fault).

Re:EVERYBODY PANIC!!!

I'm sorry, I'll need a car analogy on that one.

Re:EVERYBODY PANIC!!!

[EkriirkE]

In x86 (assumed from here on) assembly, there are some 'quick' operations to read, write, and test memory (LODS*, STOS*, SCAS* respectively - there are probably more). The CPU has registers, or variables that are counters, or hold the memory addresses in question - in these cases a source memory position and a destination memory position. When you performs these commands the memory registers either increment or decrement value (position) depending on how the direction flag is set. GCC is assuming the flag is clear and the pointers will increment - go forward after each call. If the direction flag is set incorrectly upon calling these string or memory functions, the pointers could go backwards and thus copy (or scan) the wrong chunk of memory to the wrong destination.

Say our source memory contains:

Address: 0123456789ABCDEFGHIJKLMNOPQRSTUV
Contents: XXXXXXXXA car is heavy.-XXXXXXXX

Let's pretend the hyphen is a null (the string terminator or "stop" in most languages and OS) If I want to perform a strlen on that string at position '8', it should return 15 characters because it found the null at 'N' If the direction flag is wrong, it will not scan 8, 9, A, ... but 8, 7, 6, ... until it finally finds that null or crashes with an access violation.

And with memory, I want to copy 5 bytes from '8' to position 'P' If that works correctly, we get this in memory:

Address: 0123456789ABCDEFGHIJKLMNOPQRSTUV
Contents: XXX-!@#$A car is heavy.-XA carXX

However, if the direction is wrong, we will get:

Address: 0123456789ABCDEFGHIJKLMNOPQRSTUV
Contents: XXX-!@#$A car is heav!@#$AXXXXXX

See how '8' copied to 'P' as expected, but decrementing we then get '7' to 'O', etc

We now have corrupt memory. If we so a strlen, strcat or other null-expecting function on that string located at '8' we will see garbage where the memory copy wrote the wrong data to the wrong position. For the nitpicks, this example used per-byte, there are 16, 32, 64 bit variants of the functions that would cause similar problems bit in 2, 4, 8 byte chunks.

Re:EVERYBODY PANIC!!!

[EkriirkE]

Oops, source memory was supposed to be (better aligned, too):

Address: 0123456789ABCDEFGHIJKLMNOPQRSTUV
Content: XXX-!@#$A car is heavy.-XXXXXXXX

Re:EVERYBODY PANIC!!!

[Neon+Spiral+Injector]

The rules of the road say that you should check that the car is in drive before setting out on your trip. The older version of GCC used to put the car into drive for you. But the new version lets you leave it in reverse if you don't check making you exit out the rear wall of your garage.

Re:EVERYBODY PANIC!!!

[faragon]

Some examples, actual bencharks (2 years old, but are pretty the same with K8 and Core2Duo):


REPNE SCASD: (look element into sequential dword vector)

Pentium II @300MHz: 133 MB/s (100MHz FSB, 100MHz SDRAM)
Pentium IV @3GHz: 2.3 GB/s (800MHz FSB, 400MHz DDR SDRAM)


256-bit uprolling: (process 8 elements in a row)

Pentium II @300MHz: 233MB/s (100MHz FSB, 100MHz SDRAM)
Pentium IV @3GHz: 3.3 GB/s (800MHz FSB, 400MHz DDR SDRAM)


256-bit uprolling w/ SSE2 prefetch to increase data cache hit: (process 8 elements in a row)

Pentium II @300MHz: -no SSE2- (100MHz FSB, 100MHz SDRAM)
Pentium IV @3GHz: 4.0 GB/s (800MHz FSB, 400MHz DDR SDRAM)



P.S. Both REP MOVSB and REP MOVSD are slow: the performance per clock is between 1/8 and 1/16 in the first and between 1/2 and 1/4 in the second. The is no reason for using the microcoded instructions other than backwards compatibility, but it seems nonsense to me to save 16KB to write unrolled and/or prefetched memcpy/memmove/scan variants.

Re:EVERYBODY PANIC!!!

[RupW]

The rules of the road say that you should check that the car is in drive before setting out on your trip. The older version of GCC used to put the car into drive for you. But the new version lets you leave it in reverse if you don't check making you exit out the rear wall of your garage. That's not quite right. In this case:

• the rules of the road say that you can assume you'll find your car in drive
• the old version of GCC used to always check anyway and put the car in drive for you; the new version just assumes the car is already in drive, because that's what the rules say.

The problem comes when an affected kernel temporarily hands your car over to a signal handler - let's say "parking valet". The valet now doesn't bother checking the car is in drive when he gets in, because the rules of the road say the kernel should have given him the car in drive. In the past GCC looked over his shoulder to make sure the kernel had really left the car in drive for him. But now no-one bothers checking for him and he might then accidentally crash your car.

What this really exposes...

[suck_burners_rice]

What this really exposes is not a bug in any kernel. Indeed, the story states that the "bug" exists in both the BSD and Linux kernels. It really exposes something fascinating about the development process: Code is written based on certain assumptions and a working theory of how the code will function once put into use, but the only way to really know how well it works is to hand it over to the ultimate judge of code correctness--the computer--by running the code. If it works, case closed. Now it's entirely possible that the kernel developers never heard of this obscure nuance of the Intel processor. Then one day, the compiler changed, and with it, the assumptions changed. Mature code that has been declared good years ago seemingly breaks. Now it's easy to blame the code, but really this is a deletion of a feature from the compiler. Nevertheless, it exposes the fact that ultimately, no matter what tools we use and no matter how well we think our code through, you can only consider the code good once it runs and appears to do what it's supposed to.

Re:What this really exposes...

[HonIsCool]

Hehe, I'm going to try that approach the next time I'm assigned a bug: "No, it's not the code that's wrong, it's the specification."

Re:What this really exposes...

[Alex+Belits]

It really exposes something fascinating about the development process: Code is written based on certain assumptions and a working theory of how the code will function once put into use, but the only way to really know how well it works is to hand it over to the ultimate judge of code correctness--the computer--by running the code. If it works, case closed. Please don't ever again offer your great insight into software development process. If everything was stuffed into the kernel (or other software projects) once it compiles and runs, we would drown in unstable, crashing, insecure, impossible to debug code. Without any doubt, there are plenty of geniuses (some of them in Northwestern US) who develop in this manner, but I can assure you, neither Linux kernel, nor GCC, glibc or other major open source projects use this procedure. If you want to discuss this method further I recommend you to send your opinion to a friendly individual at djb@cr.yp.to .

Before anything is released, people have to LOOK AT THE CODE and make sure that the source gives them a reason to think, it will run correctly when used with interfaces that it is supposed to utilize or provide. There are plenty of things in the kernel that would require massive amount of testing to be verified with any certainty, so people write usable code not because they are testing it until their hardware breaks but because they know what they are doing.

Now it's entirely possible that the kernel developers never heard of this obscure nuance of the Intel processor. Then one day, the compiler changed, and with it, the assumptions changed. Mature code that has been declared good years ago seemingly breaks. Now it's easy to blame the code, but really this is a deletion of a feature from the compiler. Nevertheless, it exposes the fact that ultimately, no matter what tools we use and no matter how well we think our code through, you can only consider the code good once it runs and appears to do what it's supposed to. What the hell are you talking about?

Code generated by a C compiler remains consistent regardless of the version, unless you mix binaries built with different versions of GCC. When code that kernel uses to pass control to applications' signal handlers does not keep the direction flag as it is supposed to according to ABI, then userspace code -- ANY CODE THAT CONTAINS SIGNAL HANDLERS -- compiled by a new compiler will not work correctly. In other words, kernel provides an interface that is incompatible with binaries made by a new GCC, and since the standard is on the side of the new GCC behavior, it's kernel that has to be changed. That's all. Nothing else is involved -- some code compiled with a new compiler will not work on an old kernel. Code compiled with an old compiler remains usable with a new kernel, no sources except for five lines in the kernel have to be changed. It's not even something that a C programmer has any control over unless he writes pieces of his program in assembly -- and then he should know. I don't even believe, any for a C programmer who knows how to write a signal handler it's possible that he "never heard of this obscure nuance of the Intel processor" -- both are very rarely used directly -- however this is completely irrelevant, the only sources that have to be changed are five lines in the kernel, not in signal handlers.

The only real problem this "exposes" is that for some reason everyone who used x86 SysV ABI for anything that matters (Linux and BSD), decided to change the interface to exclude the requirement to clear the direction flag, even though that "official" standard said otherwise -- however it was known from the very beginning, and this is why older C compiler taken it into account in the first place. It's not a bug or someone's lack of knowledge, it's a violation of a standard, and GCC developers decided to get things back to the letter of a standard because the compiler's optimization benefits from it.

Re:GCC is wrong

Check the BSD mailing lists for yourself, they are affected. I'll give you one example below:

http://leaf.dragonflybsd.org/mailarchive/commits/2008-03/msg00072.html

Before flaming people next time, at least try and learn about what you're talking about.

[LWN subscriber-only content]

[Chris+Pimlott]

This article is not yet public for non-subscribers. The link given is supposed to be for a subscriber to forward to a friend; putting it up on Slashdot goes against the intended spirit and does not help support Linux Weekly News, which deserves the community's support.

Re:[LWN subscriber-only content]

[totally+bogus+dude]

Alternatively it's a good way to get additional exposure for LWN, as clearly this article is of some value. Maybe 0.0001% of slashdot readers will subscribe because of this.

Besides, we're all friends here, aren't we?

Re:[LWN subscriber-only content]

[gambolt]

Information wants to be free. Bandwidth wants to cost money.

Re:[LWN subscriber-only content]

[martin-boundary]

They could have waited another day: the article becomes freely available on March 20.

Bloody northern hemisphere drongos! Some of us have the shrimps on the barbie a day earlier than the rest of youse insensitive clods!

Re:[LWN subscriber-only content]

[Cro+Magnon]

Well, they could always link again in the dupe.

Re:[LWN subscriber-only content]

[Corbet]

FWIW, I originally posted the subscriber link in question to reddit yesterday. I'm surprised to see it show up here, but I also don't mind that it has happened. I'd just as soon not see all LWN content on Slashdot as subscriber links (Slashdot readers probably agree), but this one has brought some attention and, I think, some subscribers. And that's where LWN content comes from in the first place.

Re:GCC is wrong

[SeaFox]

Rule #1: Don't break existing stuff
GCC breaks this cardinal rule. It should be reverted.

Using that logic Microsoft shouldn't try to improve security in Windows since it breaks many third party applications that depend on exploits and other silly behavior to function.

History repeating

[Brett+Johnson]

I seem to recall the MS-DOS 2.x suffered this same problem with either the Int 21 or Int 13 interfaces. (Hey it was 20 years ago, I don't remember the details.) If you made certain BDOS calls with the direction flag set, the message "A evird rorre etirw daeR" ("Read write error drive A" backwards) would be displayed on the console. It wasn't fixed for years. I remember we rigorously enforced the "Clear the direction flag before calling into MS-DOS" rule.

That's no GNU'd!

[lumbercartel.ca]

Most experienced assembler programmers know better than to assume the direction flag will be set or cleared unless this is specifically documented.

Re:GCC is wrong

[evanbd]

Silly question time...

If this managed to affect both Linux and BSD despite no relevant common code, is Windows affected? I'm guessing OSX is, thanks to its BSD heritage. Has anyone tested either of them, though? How about other OSes?

Re:GCC is wrong

[Vlad_the_Inhaler]

It is not quite as bad as that. It causes problems between two threads, but both threads have to be from the same program. If someone has such a specially crafted program running on their system, they have been breached already.

No privilege escalation, only DOS.

I fixed this bug in 1989 too

[flyingfsck]

I fixed this bug in 1989 in an Intel C compiler. That was some years before the GCC project was started. Some people never learn...

Re:I fixed this bug in 1989 too

[X3J11]

I fixed this bug in 1989 in an Intel C compiler. That was some years before the GCC project was started. Some people never learn...

From http://en.wikipedia.org/wiki/GNU_Compiler_Collection:

Originally named the GNU C Compiler, because it only handled the C programming language, GCC 1.0 was released in 1987, and the compiler was extended to compile C++ in December of that year.

Perhaps the error in your assertion is a side effect of an uncleared direction flag.

Re:GCC is wrong

[badfish99]

On the other hand: the instructions affected by this aren't used very much, so if you want optimizations, a good candidate would be to not clear the flag unless it is needed. If the ABI were simply changed to allow this, no existing code would break (obviously), and future code could both conform to the new ABI *and* avoid the overhead of unnecessary instructions to clear the flag when it is not being used.

I suppose the only barrier to this optimization would be the political effort needed to get everyone to agreee to change the ABI.

Assembler code

[hemanhedman]

Does this mean that you could hand-craft some assembler code that exploits virtually all Linux and BSD-kernels out there?

Re:GCC is wrong

[WK2]

1) Nobody is getting on gcc's case. As I understand it, they are doing the right thing, and reverting to the older, safer, although slightly slower, behavior.

2) Perhaps you haven't gotten the news, but IE8 is doing the right thing too, by using their "less broken" mode by default. This is a switch from what they announced earlier, where you would have to opt-in to better standards compliance.

3) The difference between IE, and gcc is IE is broken, and gcc is not. Clearing the DF does not break standards in any way. In fact, according to the ABI, it needed to be done anyway (although the kernel is supposed to do it). Guess what happens when you clear the DF twice?

Re:GCC is wrong

[Lonewolf666]

Enforcing standards compliance will be a pain in the short run, but pay off in the long run. Because you can get away with accommodating old bugs (or bad designs, but that gets offtopic) for a while, but eventually the difficulty in maintaining all the quirks grows to a point where it is no longer doable.

I think Windows Vista is a good example of what happens when you try to maintain backwards compatibility to the assorted bugs and mis-designs of decades. See the various Vista articles on /. on how that worked out ;-)

If Microsoft takes the opposite approach with IE8, I consider that a good move and a sign that they are capable of learning.

Re:GCC is wrong

[Eponymous+Bastard]

Windows does not have signal handlers natively. (or actually, only a few now that I google it:SIGABRT, SIGFPE, SIGILL, SIGINT, SIGSEGV, SIGTERM) There is the whole SEH C-language exceptions which take over some of the uses, but no other signals natively. So you won't write a signal handler that gets called on a timer.

Full signals for GCC-compiled programs would be implemented by Cygwin which should give you timer signals and so on. Since the standard way to upgrade GCC under cygwin is to use the cygwin upgrade/package manager, they can just make the new GCC package depend on an updated cygwin DLL which could set the correct flag for you in a thunk before passing on the signal.

Don't bother trying to compile GCC yourself under cygwin, it's quite painful. Or at least time-consuming, the slower process spawning makes configure take an hour or more last time I tried it a few years ago. And then you have to wait for make bootstrap to finish.

Then again, MS isn't notorious for following standards. If this does show up under windows (say when starting an SEH handler) they'll just say that that's the windows ABI and ignore it.

Hell, it might even be different under win98/XP/Vista, as they are different kernel.

Re:GCC is wrong

[bytesex]

You lose one CPU cycle ?

Re:Let us blame the correct entity here...

[LanceUppercut]

You don't get it either. In a signal-enabled environment there can't be any policy that would ensure the deterministic state of the flag, even if you set it explicitly before each flag-dependent operation. The only way to fix the problem is to make sure that the signal-routing environment meticulously stores and restores the value when handling interruptions. This was not done. This is the the problem in question. It was there all along and it is not related to any compilers. The current version of GCC was simply more likely to reveal it (and it did reveal it), but the problem itself was there since the beginning of time and can lead to problems with any version of GCC, or any other compiler.

Oh No

[fluffykitty1234]

I just heard that this has seriously set back the release date of Duke Nukem Forever!

Re:GCC is wrong

[ultranova]

It is not quite as bad as that. It causes problems between two threads, but both threads have to be from the same program.

Actually, no. Two threads will work just fine, because the state of the CPU in its entirety (all flags) is saved and restored at when switching between them - indeed, if it wasn't, simply clearing the flag before using it wouldn't help any, because a task switch can occur between any two instructions, including the one clearing the flag and the one immediately following, which makes use of the now-cleared flag.

No, the problem is in signal handlers, which are the software-level equivalent of interrupts. When a thread receives an signal, and a handler has been registered, it immediately interrupts what it was doing and executes the handler function - or, more precisely, the kernel switches the point of execution to the start of that function. Now, the problem is that the spec says that a certain flag should be cleared whenever a function starts, and he kernel doesn't make sure it is. It didn't matter previously, because the GCC generated code to clear it anyway; however, this is redundant according to the spec, so it was dropped.

So, to sum it up: this has nothing to do with threading and can affect single-threaded programs just fine.

No privilege escalation, only DOS.

This bug could conceivably cause parts of a program's memory be overwritten by the contents of a string. It isn't unthinkable that this might cause foreign code execution attack in the program.

Altought it does seem pretty unlikely that anyone would do string copying in a signal handler...

Career Aptitude Test

[Software+Geek]

Please choose the statement that best describes you:
      A) I want to develop programs that are, theoretically, infinitesimally faster, even though they crash whenever I run them in practice.
      B) I want to force those annoying kernel developer fucktards to follow the damn specification.
      C) I want my software to work reliably, even though it means sacrificing performance and putting up with fucktards.

If you chose A, academia might be right for you.
If you chose B, consider the public sector.
If you chose C, you might be suitable for a career in software development.