This is the mail archive of the
mailing list for the GCC project.
Re: Comments on the suggestion to use infinite precision math for wide int.
- From: Florian Weimer <fweimer at redhat dot com>
- To: Kenneth Zadeck <zadeck at naturalbridge dot com>
- Cc: Richard Biener <richard dot guenther at gmail dot com>, Mike Stump <mikestump at comcast dot net>, gcc-patches <gcc-patches at gcc dot gnu dot org>, Lawrence Crowl <crowl at google dot com>, rdsandiford at googlemail dot com, Ian Lance Taylor <iant at google dot com>
- Date: Mon, 08 Apr 2013 10:56:40 +0200
- Subject: Re: Comments on the suggestion to use infinite precision math for wide int.
- References: <506C72C7 dot 7090207 at naturalbridge dot com> <87y5im3orb dot fsf at sandifor-thinkpad dot stglab dot manchester dot uk dot ibm dot com> <CAFiYyc2buJtu8RMKnLnvvb-A2=aYwopO+RBLPO6iJ3gKnq-hvg at mail dot gmail dot com> <87pq3y3kyk dot fsf at sandifor-thinkpad dot stglab dot manchester dot uk dot ibm dot com> <CAFiYyc3NjOxpQ-Y9GDrQOET+dc3LXWuiuM=DxqmyASE8urRoWw at mail dot gmail dot com> <50912D85 dot 1070002 at naturalbridge dot com> <CAFiYyc2Q2UQPmkhExi2c8f-BSGLv+Rq1rOy4NdPQmTqSRE1A0A at mail dot gmail dot com> <5091331C dot 3030504 at naturalbridge dot com> <CAFiYyc1L6zuehE75dEfd_fB1-81F1fDHpL3kS=tbk6qAK3Texg at mail dot gmail dot com> <512D686B dot 90000 at naturalbridge dot com> <CAFiYyc3fXewAW2dU6-RHLiTQ-ZiLgdWmfwdFF6k1VqxPsrvZbQ at mail dot gmail dot com> <515B16EB dot 5020303 at naturalbridge dot com> <CAFiYyc2qWwDcqzCMpMSiQ72w5ry=a3ZpxkFkiK7OvvBA0h4eGw at mail dot gmail dot com> <515C1AFB dot 3080105 at naturalbridge dot com> <CAFiYyc12qGj92j+5yCUEpghOZXqjjAgOzS_H6QJpKvd-dyfU0A at mail dot gmail dot com> <515C55D7 dot 7020003 at naturalbridge dot com> <CAFiYyc0sp1wbq1J+FXoJWcb9UcsOWiwjJ_KaQkbbgCnddxhVzA at mail dot gmail dot com> <5161AA07 dot 7090706 at naturalbridge dot com>
On 04/07/2013 07:16 PM, Kenneth Zadeck wrote:
The poster child for operations that do not belong to a ring is division.
For my example, I am using 4 bit integers because it makes the
examples easy, but similar examples exist for any fixed precision.
Consider 8 * 10 / 4
in an infinite precision world the result is 20, but in a 4 bit
precision world the answer is 0.
I think you mean "4" instead of "20".
another example is to ask if
-10 * 10 is less than 0?
again you get a different answer with infinite precision.
Actually, for C/C++ ,you don't—because of undefined signed overflow
(at least with default compiler flags). But similar examples with
unsigned types exist, so this point isn't too relevant.
I would argue
that if i declare a variable of type uint32 and scale my examples i have
the right to expect the compiler to produce the same result as the
In my very, very limited experience, the signed/unsigned mismatch is
more confusing. With infinite precision, this confusion would not arise
(but adjustment would be needed to get limited-precision results, as you
write). With finite precision, you either need separate types for
signed/unsigned, or separate operations.
While C and C++ may have enough wiggle room in their standards so that
this is just an unexpected, but legal, result as opposed to being wrong,
everyone will hate you (us) if we do this. Furthermore, Java explicitly
not allow this (not that anyone actually uses gcj). I do not know
enough about go,
Go specified two's-complement signed arithmetic and does not
automatically promote to int (i.e., it performs arithmetic in the type,
and mixed arguments are not supported).
Go constant arithmetic is infinite precision.
> ada and fortran to say how it would effect them.
Ada requires trapping arithmetic for signed integers. Currently, this
is implemented in the front end. Arithmetic happens in the base range
of a type (which is symmetric around zero and chosen to correspond to a
machine type). Ada allows omitting intermediate overflow checks as long
as you produce the infinite precision result (or raise an overflow
I think this applies to Ada constant arithmetic as well.
(GNAT has a mode where comparisons are computed with infinite precision,
which is extremely useful for writing bounds checking code.)
Considering the range of different arithmetic operations we need to
support, I'm not convinced that the ring model is appropriate.
Florian Weimer / Red Hat Product Security Team