Is it OK that gcc optimizes away overflow check?
Agner Fog
agner@agner.org
Sat Jul 23 20:14:00 GMT 2011
I have a program where I check for integer overflow. The program failed,
and I found that gcc has optimized away the overflow check. I filed a
bug report and got the answer:
> Integer overflow is undefined. You have to check before the fact, or compile
> > with -fwrapv.
( http://gcc.gnu.org/bugzilla/show_bug.cgi?id=49820 )
I disagree for several reasons:
1). It is often easier and more logical to check for overflow after it
happens than before. It can be quite complicated to write a code that
predicts an overflow before it happens, in a portable way that works
with all integer sizes. Checking for overflow after it happens is the
only way that is sure to work in a hypothetical system that uses
something else than 2's complement representation.
2). This is a security problem. It takes a very twisted mind to predict
that your code is not safe when you are actually checking for overflow.
3). I think that you are interpreting the C/C++ standard in an
over-pedantic way. There are good reasons why the standard says that the
behavior in case of integer overflow is undefined. 2's complement
wrap-around is not the only possible behavior in case of overflow. Other
possibilities are: saturate, signed-magnitude wrap-around, reserve a bit
pattern for overflow, throw an exception. If a future implementation
uses internal floating point representation for integers then an
overflow might variously cause loss of precision, INF, NAN, or throw an
exception. I guess this is what is meant when the standard says the
behavior is undefined. What the gcc compiler is doing is practically
denying the existence of overflow (
http://www.mail-archive.com/pgsql-hackers@postgresql.org/msg105239.html
) to the point where it can optimize away an explicit check for
overflow. I refuse to believe that this is what the standard-writers
intended. There must be a sensible compromize that allows the optimizer
to make certain assumptions that rely on overflow not occurring without
going to the extreme of optimizing away an overflow check.
4). The bug in my case disappears if I compile with -fwrapv or
-fno-strict-overflow or without -O2, but this is not my point. My point
is that gcc should be useful to a programmer with average skills.
5). I have tested many different C++ compilers, and gcc turned out to be
the one that optimizes best. You guys are doing a fantastic job! Gcc has
the potential to beat the expensive commercial compilers. But one
obstackle to its use is that it has a well-deserved reputation for being
over-pedantic.
More information about the Gcc-help
mailing list