This is the mail archive of the mailing list for the GCC project.
Re: C as used/implemented in practice: analysis of responses
- From: Peter Sewell <Peter dot Sewell at cl dot cam dot ac dot uk>
- To: Joseph Myers <joseph at codesourcery dot com>
- Cc: "gcc at gcc dot gnu dot org" <gcc at gcc dot gnu dot org>, Kayvan Memarian <Kayvan dot Memarian at cl dot cam dot ac dot uk>
- Date: Fri, 26 Jun 2015 19:09:42 +0100
- Subject: Re: C as used/implemented in practice: analysis of responses
- Authentication-results: sourceware.org; auth=none
- References: <CAHWkzRQ4+-s6RJeAnCHFDqfQDNaPDATRYkz73xvpwxqP4O9JjA at mail dot gmail dot com> <alpine dot DEB dot 2 dot 10 dot 1506261702360 dot 7819 at digraph dot polyomino dot org dot uk>
- Reply-to: Peter dot Sewell at cl dot cam dot ac dot uk
On 26 June 2015 at 18:08, Joseph Myers <firstname.lastname@example.org> wrote:
> On Fri, 26 Jun 2015, Peter Sewell wrote:
>> **If you calculate an offset between two separately allocated C memory
>> objects (e.g. malloc'd regions or global or local variables) by
>> pointer subtraction, can you make a usable pointer to the second by
>> adding the offset to the address of the first?**
>> For GCC, one respondent writes the following, but doesn't give a reason:
>> - This is not safe in practice even if the alignment is sufficient
>> (and if the alignment of the type is less than its size, obviously
>> such a subtraction can't possibly work even with a naive compiler).
> It's a simple matter of points-to analysis. &foo + anything may be
> assumed (in practice) to point to something within foo (or just past the
> end) and not to alias anything accessed through a pointer based on &bar.
> If the compiler can see something like &foo + (&bar - &foo) there is no
> guarantee of whether it will assume it to point within foo or bar and that
> may not be consistent for different uses (so it may end up concluding the
> pointer compares unequal to itself).
Ok, that's fine in some (perhaps most) situations, but it's not
compatible with what seems to be a significant body of systems code
out there - people mentioned important usages in FreeBSD, Linux, QEMU,
and other places. How can these be reconciled? We imagine:
a) Compilation of that systems code could turn off this analysis (and
whatever optimisation depends on it) entirely. What's the cheapest
way to do that?
b) The analysis for a pointer subtraction could be made more
informative, e.g. recording that (&bar - &foo) gives an integer with a
provenance that lets one move between the two, or (more loosely) one
that lets one move to any other live object. This effectively turns
off the optimisations that depend on it in these specific cases. Is
c) One could argue that all such code should be rewritten.
Maybe, but it seems likely to be difficult to make that actually
happen - is it a credible approach?
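A toy model of the points-to reasoning in the quoted reply and of option (b) above, added here as an illustration; it is not GCC's implementation nor code from either author, and the allocation bits, the PROV_* names and the addresses 0x1000/0x2000 are constructed assumptions. It shows why &foo + (&bar - &foo) keeps foo's provenance in the strict model (so a comparison against &bar may be folded to false despite identical addresses), and how recording both objects in the subtraction result changes that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Toy provenance model (added example; not GCC's actual points-to code).
   Each allocation gets one bit; a pointer or integer carries the set of
   allocations it may be derived from. All addresses are constructed. */
typedef unsigned prov_t;
enum { PROV_FOO = 1u << 0, PROV_BAR = 1u << 1 };
typedef struct { uintptr_t addr; prov_t prov; } val_t;

/* Pointer + integer keeps the union of provenances; in the strict model the
   integer carries none, so "&foo + anything" stays based on foo. */
static val_t ptr_add(val_t p, val_t i) {
    return (val_t){ p.addr + i.addr, p.prov | i.prov };
}

/* Pointer - pointer: strict model forgets the operands; the "informative"
   model (option b in the mail) records both objects in the integer. */
static val_t ptr_sub(val_t a, val_t b, bool informative) {
    return (val_t){ a.addr - b.addr, informative ? (a.prov | b.prov) : 0 };
}

/* The survey's pattern: q = &foo + (&bar - &foo). q.addr equals bar.addr
   under both models; only its provenance differs. */
static val_t derive_q(bool informative, val_t *bar_out) {
    val_t foo = { 0x1000, PROV_FOO }, bar = { 0x2000, PROV_BAR };
    *bar_out = bar;
    return ptr_add(foo, ptr_sub(bar, foo, informative));
}

/* May q legitimately access bar in the model? */
static bool derived_ptr_may_reach_bar(bool informative) {
    val_t bar, q = derive_q(informative, &bar);
    return (q.prov & PROV_BAR) != 0;
}

/* May alias analysis fold (q == &bar) to false although the addresses are
   identical? True whenever the provenances are disjoint. */
static bool derived_ptr_may_compare_unequal_to_bar(bool informative) {
    val_t bar, q = derive_q(informative, &bar);
    return q.addr == bar.addr && (q.prov & bar.prov) == 0;
}

int main(void) {
    for (int inf = 0; inf < 2; inf++)
        printf("%s model: may reach bar=%d, may fold q==&bar to false=%d\n",
               inf ? "informative" : "strict",
               derived_ptr_may_reach_bar(inf), derived_ptr_may_compare_unequal_to_bar(inf));
    return 0;
}
```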