by charsii 1033 days ago
Crypto code should be written in assembly. Zero ambiguity, zero undefined behavior, 100% verifiable.
5 comments

ISAs regularly leave all kinds of behavior undefined when they think it doesn’t matter (such as the state of the arithmetic flags after operations that shouldn’t need to be tested).

(But this is also irrelevant: assembly can be completely wrong and exploitable while also being perfectly well defined.)

Readability suffers though, with negative impacts on maintainability and even verifiability (fewer people able/willing to examine the source code).

goto fail wasn't caused by ambiguity or undefined behavior. C's rules here are crystal clear, and conditional branches in assembly also do not make the following instructions conditional (unless you're using delay slots à la SPARC).

Heartbleed also wasn't caused by ambiguity or undefined behavior, if you believe compiler writers.

Wouldn’t the low readability make it easier to slip a vulnerability in by splicing it out into several changes?

There's plenty of undefined behaviour at that level, just look at Spectre and Meltdown vulnerabilities for example.