This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH] Document arithmetic overflow semantics



On Friday, Feb 14, 2003, at 02:12 America/New_York, Fergus Henderson wrote:

> Even for C, it might make sense to have a compilation option in which
> C operations were mapped to "op dont_care" rather than "op undef".
> This would be useful for compiling security-critical software.
> Perhaps it should even be the default.

Yes, it should be the default. Having the compiler reason from
undefined behavior really can be quite nasty, especially when
this information back-propagates (see Robert's password example).
This is indeed the reason that Ada 95 introduced bounded errors,
where the language allows the implementation to pick any value
in the base range of the type or raise an exception.

Essentially, this is what people expect when reading an
uninitialized variable. Even though a language standard
may not define a behavior at all, choosing a reasonable
set of possible outcomes becomes a quality of implementation
issue.

  -Geert
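The difference between "op undef" and "op dont_care" that the thread is arguing about shows up in ordinary overflow checks. Below is an added illustration in C, not code from the thread or from GCC: the first function uses the common `a + b < a` pattern, whose signed addition is undefined on overflow, so a compiler reasoning from "undefined" may assume the overflow never happens and fold the test to false. The other functions give the "dont_care"/bounded-error style instead: the check is decided before any overflowing expression is evaluated, and the sum is always some value in the type's range. Function names (`naive_add_overflows`, `add_would_overflow`, `wrapping_add`, `checked_add`) are this example's own; `__builtin_add_overflow` is a real GCC/Clang builtin, used only when available.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Naive overflow test: "a + b" is a signed addition, so when it overflows the
 * addition itself is undefined behaviour. A compiler working from "op undef"
 * may assume overflow cannot occur and reduce this function to "return false",
 * which is exactly the reasoning-from-UB the message above objects to. */
bool naive_add_overflows(int a, int b)
{
    return a + b < a; /* do not rely on this; kept only to show the pattern */
}

/* Defined check: compares against INT_MAX / INT_MIN before adding, so no
 * overflowing expression is ever evaluated and the result cannot be folded
 * away. */
bool add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;
    if (b < 0)
        return a < INT_MIN - b;
    return false;
}

/* "op dont_care" style addition: always produces some value of type int.
 * The arithmetic is done in unsigned, where wraparound is defined, and the
 * bits are converted back (implementation-defined in C; GCC documents it as
 * reduction modulo 2^N). The return value reports whether the mathematical
 * result was representable, so a caller can treat overflow as a bounded
 * error rather than as something that never happens. */
bool wrapping_add(int a, int b, int *out)
{
    unsigned int us = (unsigned int)a + (unsigned int)b;
    *out = (int)us;
    return add_would_overflow(a, b);
}

/* Same contract as wrapping_add, using the compiler builtin when the compiler
 * provides one (GCC >= 5 and Clang), otherwise the portable fallback. */
bool checked_add(int a, int b, int *out)
{
#if defined(__GNUC__) || defined(__clang__)
    return __builtin_add_overflow(a, b, out);
#else
    return wrapping_add(a, b, out);
#endif
}

int main(void)
{
    int r;
    bool ovf = checked_add(INT_MAX, 1, &r);
    /* With GCC at -O2 the naive test below may print 0 even though the
     * addition overflows; the checked form always reports it. */
    printf("naive: %d  checked: %d (result %d)\n",
           naive_add_overflows(INT_MAX, 1), ovf, r);
    return 0;
}
```

Compiling this with and without optimisation and comparing the two printed values is a quick way to see the "op undef" reasoning in action on a particular GCC version; the checked functions behave the same at every optimisation level.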

