This is the mail archive of the
mailing list for the GCC project.
Re: [PATCH] Document arithmetic overflow semantics
- From: dewar at gnat dot com (Robert Dewar)
- To: kenner at vlsi1 dot ultra dot nyu dot edu, roger at www dot eyesopen dot com
- Cc: gcc-patches at gcc dot gnu dot org, gcc at gcc dot gnu dot org
- Date: Thu, 13 Feb 2003 13:15:19 -0500 (EST)
- Subject: Re: [PATCH] Document arithmetic overflow semantics
I very much dislike the idea of the optimizer making assumptions based
on undefined semantics. It's a very dangerous path to tread. Consider
the following Ada 83 code (you can get equivalent Ada 95 programs, but
Ada 95 has restricted erroneous behavior as much as possible to minimize
this kind of concern).
In Ada 83, referencing an undefined variable is erroneous:

   put_line ("system disk reformat requested: enter pass word");
   Attempts : Natural; -- count of attempts at pass word entry (never initialized)
   ...
   if password = masterpassword then
      ... -- accepted-password path (elided in the original message)
   else
      Attempts := Attempts + 1; -- reads the undefined Attempts: erroneous
      if Attempts > 4 then raise Hacker_Alert; end if;
      put_line ("bad pass word, reenter");
   end if;
Now the optimizer appears to be allowed to do the following.
If password /= masterpassword, then the program execution is erroneous.
That means the program can do anything it likes, e.g. call erase_system_disk.
Great, I can omit as useless the test password = masterpassword and still
provide a fully conformant as-if implementation.
It's really hard from a formal point of view to stop compilers doing this
sort of thing.
In the case of overflow, sure, I know you can construct examples where the
optimizer is helped but:
a) I very much doubt that it helps significantly in real life
b) I am afraid of optimizers running amok as in the above example
A single program malfunctioning in an unboundedly curious manner which
is difficult to detect or fix balances against a lot of very minor speedups
and probably these days, the curious malfunction wins unless there is a
really big, demonstrable gain.
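The same hazard carried over to C, as an added example that is not part of Dewar's message or of GCC: a signed-overflow check written after the fact, which an optimizer assuming "overflow never happens" may delete, beside a form that decides from the operands before any undefined operation is evaluated, plus an initialised, bounded attempt counter in the spirit of the Ada fragment. Function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The pattern Dewar warns about: signed overflow is undefined in C, so a
 * compiler may assume `a + b` never wraps and fold the test to "false",
 * just as it could drop the password test once the else branch is
 * erroneous. Kept only to show the shape; nothing below relies on it. */
bool add_checked_ub(int a, int b, int *out)
{
    int sum = a + b;                     /* undefined when it overflows */
    if (b > 0 && sum < a) return false;  /* may be optimized away */
    if (b < 0 && sum > a) return false;  /* may be optimized away */
    *out = sum;
    return true;
}

/* Hardened form: range-check the operands first, so the addition is only
 * performed when it is defined and the check cannot be folded away. */
bool add_checked(int a, int b, int *out)
{
    if (b > 0 && a > INT_MAX - b) return false;
    if (b < 0 && a < INT_MIN - b) return false;
    *out = a + b;
    return true;
}

/* Counterpart of the Ada counter: the caller initialises *attempts, the
 * increment is overflow-checked, and the limit of 4 mirrors the fragment.
 * Returns true when the alert threshold is reached. */
bool record_bad_attempt(int *attempts)
{
    int next;
    if (!add_checked(*attempts, 1, &next) || next > 4) return true;
    *attempts = next;
    return false;
}

int main(void)
{
    int r, attempts = 0, tries = 0;      /* initialised, unlike Attempts */
    printf("INT_MAX + 1: %s\n", add_checked(INT_MAX, 1, &r) ? "ok" : "overflow");
    printf("5 + 7: %s %d\n", add_checked(5, 7, &r) ? "ok" : "overflow", r);
    while (!record_bad_attempt(&attempts)) tries++;
    printf("alert raised on bad attempt number %d\n", tries + 1);
    return 0;
}
```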