Re: Ada front-end depends on signed overflow

[Geert Bosch <bosch at gnat dot com>]

On Jun 3, 2005, at 09:02, Florian Weimer wrote:
> It probably makes sense to turn on -fwrapv for Ada because even
> without -gnato, the behavior is not really undefined:
>
> | The reason that we distinguish overflow checking from other kinds of
> | range constraint checking is that a failure of an overflow check can
> | generate an incorrect value, but cannot cause erroneous behavior.
>
> <http://gcc.gnu.org/onlinedocs/gcc-4.0.0/gnat_ugn_unw/Run_002dTime- 
> Checks.html>
>
> (Without -fwrapv, integer overflow is undefined, and subsequent range
> checks can be optimized away, so that it might cause erroneous
> behavior.)


This is the strongest argument I have seen so far for defaulting
to either -ftrapv or -fwrapv.

Both the example Victor Skinner sent, and range checking in Ada
are cases of reasonable code where reasoning from undefined
behavior breaks code in unexpected ways. Essentially a class of
programs that checks for errors and would not otherwise be able
to cause a SIGSEGV or similar with previous versions of GCC,
would now be able to cause arbitrary mayhem.

Integer expressions such as X + Y - Z will give the correct
mathematical result, as long as that result is a representable
integer. Without wrap-around semantics however, one would have
to prove no intermediate result may overflow. Also, addition
and subtraction are no longer associative.

So, from a quality-of-implementation point of view, I believe
we should always default to -fwrapv.

For Ada, I propose we make the following changes:
  - by default, enable overflow checks using -ftrapv
    (jay, we should be able to get rid of -gnato finally!)
  - with checks suppressed, use -fwrapv.