This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: [PATCH] Document arithmetic overflow semantics
- From: Geert Bosch <bosch at gnat dot com>
- To: Fergus Henderson <fjh at cs dot mu dot OZ dot AU>
- Cc: Nathan Sidwell <nathan at codesourcery dot com>, Roger Sayle <roger at www dot eyesopen dot com>, Richard Kenner <kenner at vlsi1 dot ultra dot nyu dot edu>, gcc-patches at gcc dot gnu dot org, gcc at gcc dot gnu dot org
- Date: Fri, 14 Feb 2003 08:29:59 -0500
- Subject: Re: [PATCH] Document arithmetic overflow semantics
On Friday, Feb 14, 2003, at 02:12 America/New_York, Fergus Henderson wrote:
> Even for C, it might make sense to have a compilation option in which
> C operations were mapped to "op dont_care" rather than "op undef".
> This would be useful for compiling security-critical software.
> Perhaps it should even be the default.
Yes, it should be the default. Having the compiler reason from
undefined behavior really can be quite nasty, especially when
this information back-propagates (see Robert's password example).
This is indeed the reason that Ada 95 introduced bounded errors,
where the language allows the implementation to pick any value
in the base range of the type or raise an exception.
Essentially, this is what people expect when reading an
uninitialized variable. Even though a language standard
may not define a behavior at all, choosing a reasonable
set of possible outcomes becomes a quality of implementation
issue.
-Geert
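The following is an added illustration of the point under discussion, not code from this thread or from GCC. Robert's password example is not reproduced on this page, so the snippet uses the generic overflow-guard pattern instead: under "op undef" semantics a signed check of the form `len + 100 < len` is a comparison the compiler may fold to false, because it is entitled to assume the addition never overflows; the same check on an unsigned operand, or a check that compares against INT_MAX before adding, survives under any semantics. The function names are chosen for this example. The use of `__builtin_add_overflow` assumes GCC 5 or later, or Clang; other compilers take the manual path.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The guard a programmer writes before sizing a buffer. With "op undef"
 * semantics (signed overflow undefined), the compiler may assume
 * len + 100 never wraps, fold `len + 100 < len` to 0 and delete the
 * branch. Evaluating it with len near INT_MAX is itself UB, so this
 * example only calls it with small inputs. */
bool overflow_check_signed_ub(int len)
{
    return len + 100 < len;
}

/* The same guard on an unsigned operand. Unsigned wraparound is defined
 * by the C standard (reduction modulo 2^N), so the comparison must be
 * evaluated as written and cannot be optimised away. */
bool overflow_check_unsigned(unsigned len)
{
    return len + 100u < len;
}

/* Overflow test that never performs the undefined operation: compare
 * against the limit before adding. Correct under any overflow rule. */
bool would_overflow_add(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;
    if (b < 0)
        return a < INT_MIN - b;
    return false;
}

/* Checked addition: returns true and leaves *out untouched on overflow.
 * On GCC >= 5 and Clang, __builtin_add_overflow reports overflow with
 * defined semantics; other compilers fall back to the manual check. */
bool checked_add(int a, int b, int *out)
{
#if (defined(__GNUC__) && __GNUC__ >= 5) || defined(__clang__)
    int tmp;
    if (__builtin_add_overflow(a, b, &tmp))
        return true;
    *out = tmp;
    return false;
#else
    if (would_overflow_add(a, b))
        return true;
    *out = a + b;
    return false;
#endif
}

int main(void)
{
    int r = 0;

    /* Constructed inputs: a length close to the top of the unsigned range
     * and a signed value one step below INT_MAX. */
    printf("unsigned guard fires near UINT_MAX: %d\n",
           overflow_check_unsigned(UINT_MAX - 10u));
    printf("checked_add(INT_MAX, 1) overflowed: %d\n",
           checked_add(INT_MAX, 1, &r));
    if (!checked_add(INT_MAX - 1, 1, &r))
        printf("checked_add(INT_MAX - 1, 1) = %d\n", r);
    return 0;
}
```

Compiling the signed variant with optimisation and inspecting the output shows whether the branch survives; modern GCC also offers `-fwrapv` (signed overflow wraps, the "op dont_care" behaviour asked for above), `-ftrapv` (trap on overflow) and `-fsanitize=signed-integer-overflow` for testing. Code meant to be portable should not rely on any of them and should use the pre-check or builtin forms.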