GCC Undefined Behavior Sanitizer

via Digitalmars-d digitalmars-d at puremagic.com
Sun Oct 19 04:24:04 PDT 2014 

On Sunday, 19 October 2014 at 10:22:37 UTC, monarch_dodra wrote:
> Speed: How so?

All kind of situations where you can prove that "expression1 > 
expression2" holds, but have no bounds on the variables.

> Portability: One issue to keep in mind is that C works on 
> *tons* of hardware. C allows hardware to follow either two's 
> complement, or one's complement. This means that, at best, 
> signed overflow can be implementation defined, but not defined 
> by spec. Unfortunately, it appears C decided to outright go the 
> undefined way.

I think you might be able to make it defined like this:

1. overlflow is illegal and should not limit reasoning about 
monoticity

2. after overflow accessing a derived result can lead to a value 
where the overflow either lead to a higher bit representation 
which was propagated or lead to a value which was truncated.

This is slightly different from "undefined".

:-)

> Correctness: IMO, I'm not even sure. Yeah, use int for numbers, 
> but stick to size_t for indexing. I've seen too many bugs on 
> x64 software when data becomes larger than 4G...

Sure, getting C types right and correct is tedious. The type 
system does not help you a whole lot. And D and C++ does not make 
it a lot better. Maybe the implicit conversions is a bad thing.

I machine language there is often no difference between a signed 
and unsigned instructions which can be handy, but the typedness 
of multiplication is actually  better than in C languages "u64 
mul(u32 a,u32 b)". Multiplication over int is dangerous!

Before compilers got good at optimization I viewed C as an 
annoying assembler. I assumed wrapping behaviour and wanted an 
easy way to reinterpret_cast between ints and uints (in C it gets 
rather ugly).

These days I take the view that programmers should be explicit 
about "bit-crushing" operations. Maybe even for multiplication. 
If you are forced to explicitly truncate() when the compiler 
fails to rule out overflow then the problem areas also become 
more visible in the source code:

"uint r = a*b/N" might overflow badly even if r is large enough 
to hold the result.

"uint r = truncate(a*b/N)" makes you aware that you are on thin 
ice.

More information about the Digitalmars-d mailing list