Creator of LLVM, Clang, and Swift Says To Not Write Security Critical Code In C/C++

via Digitalmars-d digitalmars-d at puremagic.com
Tue Jul 14 03:22:45 PDT 2015


Please also note that C is a low level language geared towards 
supporting all kinds of reasonable ALUs. A language like D or 
Rust cannot efficiently compile to a CPU that is hardwired to 
trap on overflow. C can. A language that requires detection of 
overflow cannot efficiently compile to an ALU that cannot detect 
overflow directly (like some SIMD instructions). C can.

In C undefined behaviour just means that overflow is defined as 
an illegal situation and is underspecified in order to allow 
efficient code gen for a wide variety of hardware (like trapping 
or spilling over into a different "simd" register). It does not 
mean that the compiler MUST do something weird, it means that the 
compiler isn't absolutely required to provide sensible output for 
incorrect programs.

You are free to use a C/C++ compiler that provides a switch where 
overflow leads either to an arbitrary value (Rust semantics) or 
the wrap around (D code gen).

At the cost of performance or portability.

Making unpleasant choices for "undefined behaviour" is not a 
language feature. It is a compiler vendor customer-relation 
strategy or a RTFM issue...
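As an added example that is not part of the post, the two overflow policies the message contrasts, written in portable C that does not depend on a compiler switch: wrap-around made explicit through unsigned arithmetic (what a -fwrapv style option gives you), and overflow detected before the add (what a trapping ALU or checked arithmetic gives you). The function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Signed overflow of a plain `a + b` is undefined behaviour in C, so
 * the compiler may assume it never happens. Both helpers below avoid
 * ever evaluating a signed add that could overflow. */

/* Wrap-around semantics made explicit: unsigned arithmetic is defined
 * to wrap modulo 2^N, so convert, add, convert back. Converting an
 * out-of-range unsigned value to int is implementation-defined (not
 * undefined); on two's-complement targets it yields the wrapped value,
 * i.e. INT_MAX + 1 becomes INT_MIN. */
int add_wrap(int a, int b) {
    return (int)((unsigned)a + (unsigned)b);
}

/* Checked addition: decide whether a + b fits in int using only
 * comparisons that cannot themselves overflow. Returns false and leaves
 * *out untouched on overflow, so the caller, not the compiler, chooses
 * what an "illegal situation" means for the program. */
bool add_checked(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

int main(void) {
    int r;
    if (add_checked(INT_MAX, 1, &r))
        printf("sum = %d\n", r);
    else
        printf("INT_MAX + 1 does not fit in int; wrapped value is %d\n",
               add_wrap(INT_MAX, 1));
    return 0;
}
```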
