Optimisations and undefined behaviour
Andrew Haley
aph@redhat.com
Fri Nov 6 15:48:00 GMT 2015
On 11/06/2015 02:44 PM, David Brown wrote:
> On 06/11/15 14:42, Andrew Haley wrote:
>> On 11/06/2015 12:32 PM, David Brown wrote:
>>
>>> Is it at least possible to put some restrictions or guarantees in
>>> how far the compiler will go in its optimisations, or how far it
>>> will go without warnings?
>>
>> AFAICS that is the intention of Appendix L. I don't know how to bound
>> undefined behaviour in the way it suggests; it may turn out to be
>> difficult.
>>
>>> I don't want to limit the generation of code, I want it to be harder
>>> for there to be a mismatch between what the compiler generates and
>>> what the programmer intended.
>>
>> I don't think you can have both.
>
> I think it is possible - warnings (especially enabled by -Wall,
> rather than needing explicit options) can warn when optimisation
> changes code in certain ways.
Not without adding a lot of false positives. The undefinedness of
integer overflow is used more than perhaps you think.
> But I can certainly see that minimising false positives and false
> negatives is extremely difficult.
Yes. That's why we added -fsanitize=undefined. It moves the
detection to runtime.
>>> And when there /is/ a mismatch, I want it to be easier to find -
>>> applying undefined behaviour backwards in the code can make it
>>> extremely difficult for the programmer to find the real problem.
>>
>> The undefinedness of integer overflow allows us to transform
>>
>> x*3/3 -> x
>>
>> It's not a bug, it's a feature.
>
> I agree. It is a useful feature, allowing such transforms.
>
> However, when it is also used to transform other code logically
> before the line with (potentially) undefined behaviour, the
> usefulness becomes less clear - and at the very least, warnings
> would help programmers get their code right.
You are contradicting yourself. If you allow that example, you
allow the same transformations to be used everywhere.
>> C is a particular language which has been specified in a particular
>> way in order to allow these kinds of optimizations. If people don't
>> want that kind of language there are plenty of others, most of which
>> don't have the same properties.
>>
>> I really think you are talking to the wrong people. If you want to
>> control what optimizations are allowed in a C implementation you
>> should appeal to the C standard technical committe, not compiler
>> writers. Appendix L is interesting, and perhaps is a way forward for
>> those who agree with you.
>
> I am not sure I want to /control/ the kind of optimisations allowed
> in C - it's more that I want to understand them, and in particular I
> want to understand how they may be implemented in future versions of
> real-world compilers (gcc in particular).
Anything not excluded by the standard may be implemented. There is no
other safe assumption. From time to time compiler writers choose not
to implement a particular optimization because it doesn't gain much
and it's too likely to break code. But speaking for myself, I'm happy
to fix UB bugs in my code and let the compiler optimize as much as
possible.
> There is no doubt that compilers have been getting smarter (for
> which the gcc developers deserve praise and thanks) - but it opens
> more possibilities for people to write code that they think is
> correct, but is actually wrong. So I believe I am talking to the
> correct people, although I might not be expressing myself very well
> - I am interested in the implementations of C here, rather than the
> standards. It is the implementations that have made more aggressive
> use of undefined behaviour in recent years - the standards haven't
> changed in this respect (except for Annex L).
But if you write in C you won't be affected at all. It's only people
writing undefined code who will be affected by the issues we have
discussed. And the correct solution to your problem, IMHO, would be
to redefine "undefined" in a way that excludes the behaviour that you
think people find unexpected. But again, I think you've got the wrong
language: there are other languages without these pitfalls.
> Incidentally, what do you think of the possibility of a "dont_care()"
> expression? I believe it would allow programmers to be clearer to the
> compiler that they are not interested in the exact results, but they
> don't want /undefined/ behaviour.
It would be interesting to see if such a thing can be defined in a
semantically rigorous way. And explained to "ordinary" programmers!
:-)
Andrew.
More information about the Gcc-help
mailing list