Optimisations and undefined behaviour
Jeff Law
law@redhat.com
Sun Nov 8 19:30:00 GMT 2015
On 11/08/2015 12:11 PM, Florian Weimer wrote:
> On 11/06/2015 01:32 PM, David Brown wrote:
>> How about this case:
>>
>> #include <stdio.h>
>>
>> int foo(int x) {
>>     if (x > 1290) {
>>         printf("X is wrong here %d, but we don't care\n", x);
>>     }
>>     return x*x*x;
>> }
>>
>> The compiler can eliminate the check and the printf.
>
> I don't think the compiler can do that because printf has an externally
> visible effect, which is sequenced before the undefined behavior, so
> this program transformation would not be permitted under the as-if rule.
Right. This is precisely the discussion we had when looking at this
class of issues in the erroneous-path optimizer. It doesn't currently
try to handle overflows, but if it did, it'd probably do something like
first transforming the code into:
    if (x > 1290) {
        printf ("...");
        return x * x * x;
    }
    return x * x * x;
Note how the return statement has been duplicated into the THEN clause.
That allows us to transform the undefined behaviour into
    if (x > 1290) {
        printf ("...");
        __builtin_trap ();
    }
    return x * x * x;
Note carefully that we don't use __builtin_unreachable, which has the
undesirable effect of doing absolutely nothing. Whereas __builtin_trap
immediately terminates the program, thus never allowing the undefined
behaviour to actually execute (and thus preventing any bad things from
happening from a security standpoint).
Jeff
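The two-step rewrite Jeff describes (duplicate the return into the THEN clause, then replace the copy that is known to overflow with __builtin_trap) can be written out by hand and checked against the real overflow boundary of `x*x*x` for a 32-bit `int`. The program below is an added example, not code from the thread or from GCC's erroneous-path optimizer. It assumes a compiler that provides `__builtin_mul_overflow` and `__builtin_trap` (GCC and Clang do), and it uses a hypothetical guard `cube_overflows()` instead of the thread's literal `x > 1290` so that the trap is reached exactly when the cube would overflow; the search function confirms that 1290 is indeed the largest non-negative `x` with an in-range cube, while also showing that negative inputs below -1290 overflow too and are not covered by the thread's one-sided check.

```c
#include <stdio.h>
#include <limits.h>

/* Does x*x*x overflow int?  Answered with overflow-checked multiplication
   so the question is decided without ever executing the undefined operation. */
int cube_overflows(int x)
{
    int sq, cube;
    if (__builtin_mul_overflow(x, x, &sq))
        return 1;
    return __builtin_mul_overflow(sq, x, &cube);
}

/* Largest non-negative x whose cube still fits in an int, found by search.
   Expected to match the 1290 used in the thread. */
int max_safe_cube_root(void)
{
    int x = 0;
    while (!cube_overflows(x + 1))
        x++;
    return x;
}

/* The function from the thread, as written: for x > 1290 (and for x < -1290)
   the multiplication overflows and the result is undefined behaviour. */
int foo(int x)
{
    if (x > 1290) {
        printf("X is wrong here %d, but we don't care\n", x);
    }
    return x * x * x;
}

/* The shape Jeff describes, written out by hand (hypothetical, not the
   optimizer's output): the return was duplicated into the THEN clause and
   the copy that is known to overflow is replaced by __builtin_trap.  The
   guard uses cube_overflows() so both overflow directions are caught.
   The printf still runs first, preserving the externally visible effect
   that is sequenced before the undefined behaviour. */
int foo_trapping(int x)
{
    if (cube_overflows(x)) {
        printf("X is wrong here %d, but we don't care\n", x);
        __builtin_trap();   /* terminate before the UB can execute */
    }
    return x * x * x;       /* only reached when the cube is well defined */
}

int main(void)
{
    printf("largest x with x*x*x in range: %d (INT_MAX = %d)\n",
           max_safe_cube_root(), INT_MAX);
    printf("foo(10) = %d, foo_trapping(10) = %d\n", foo(10), foo_trapping(10));
    printf("cube_overflows(1291) = %d, cube_overflows(-1291) = %d\n",
           cube_overflows(1291), cube_overflows(-1291));
    return 0;
}
```

Calling `foo_trapping()` with an input such as 1291 prints the message and then aborts the process, which is the behaviour the thread argues is the correct outcome: the side effect is kept, the undefined operation never runs.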