This is the mail archive of the
gcc@gcc.gnu.org
mailing list for the GCC project.
Re: [PATCH] C undefined behavior fix
- From: "Joseph S. Myers" <jsm28 at cam dot ac dot uk>
- To: <jkl at miacid dot net>
- Cc: Florian Weimer <fw at deneb dot enyo dot de>, <dewar at gnat dot com>, <Dautrevaux at microprocess dot com>, <paulus at samba dot org>, <Franz dot Sirl-kernel at lauterbach dot com>, <benh at kernel dot crashing dot org>, <gcc at gcc dot gnu dot org>, <jtv at xs4all dot nl>, <linux-kernel at vger dot kernel dot org>, <linuxppc-dev at lists dot linuxppc dot org>, <minyard at acm dot org>, <rth at redhat dot com>, <trini at kernel dot crashing dot org>, <velco at fadata dot bg>
- Date: Sat, 5 Jan 2002 21:42:57 +0000 (GMT)
- Subject: Re: [PATCH] C undefined behavior fix
On Sat, 5 Jan 2002 jkl@miacid.net wrote:
> I don't particularly like the interpretation stated in DR260, but that
> doesn't matter. It still doesn't give the compiler permission to make
> something "undefined behavior" that the standard says is "implementation
> defined". The standard says an arbitrary integer (arbitrary means there
> are no restrictions on how it was produced) can be converted to a pointer
> and that the implementation must define what the results of this are.
> All DR260 is saying is that the compiler can do certain sorts of deep
> analysis on the code to decide whether my pointer is valid. It doesn't
> apply to the case of casting to an integer, munging, then casting back
> because the the implementation is supposed to provide a rule for when
> such pointers are valid.
It says that a pointer is more than a sequence of bits, that the
provenance of a pointer determines whether it can be used to access an
object to which it points. (This notion is already explicit in the
standard for "restrict" - which has various confusing issues when you go
beyond its intended purpose of making code, to do the sort of things done
in Fortran 77, as fast as in Fortran 77, see
<URL:http://www.cbau.freeserve.co.uk/RestrictPointers.html>. Related are
the exact meaning of "effective type" (see also the question about
type-based aliasing rules in DR#236), and exactly how large the object
that can be accessed through a pointer is (we know that in accesses to a
multidimensional array, each index must be within its bounds, but there
are other problems). See Nick Maclaren's "What is an object?" discussion
- WG14 reflector sequence 9350, but I don't think it's been more widely
published.)
In the case of GCC, and casting integers to pointers, a rule has been
provided: the value of the pointer is determined by the bits, and the
provenance, determining what can be accessed, is derived from that of the
integer. This works fine with uses such as masking off a few bits to get
a more aligned pointer, since there we are still accessing the original
object. (I think the bounded pointers work also handles certain
cast-adjust-cast-back cases specially, to preserve the bounds when such
idioms are used rather than creating an unbounded pointer.) Simply
documenting the bits of the pointer, and not what it can access, would not
be sufficient documentation of the results of the cast, but the
documentation describes both.
--
Joseph S. Myers
jsm28@cam.ac.uk