Optimisations and undefined behaviour

Jeff Law law@redhat.com
Sun Nov 8 19:30:00 GMT 2015

On 11/08/2015 12:11 PM, Florian Weimer wrote:
> On 11/06/2015 01:32 PM, David Brown wrote:
>> How about this case:
>> int foo(int x) {
>> 	if (x > 1290) {
>> 		printf("X is wrong here %d, but we don't care\n", x);
>> 	}
>> 	return x*x*x;
>> }
>> The compiler can eliminate the check and the printf.
> I don't think the compiler can do that because printf has an externally
> visible effect, which is sequenced before the undefined behavior, so
> this program transformation would not be permitted under the as-if rule.
Right.  This is precisely the discussion we had when looking at this 
class of issues in the erroneous-path optimizer.  It doesn't currently 
try to handle overflows, but if it did, it'd probably do something like 
first transforming the code into:

if (x > 1290) {
     printf ("...");
     return x * x * x;
return x * x * x;

Note how the return statement has been duplicated into the THEN clause. 
  That allows us to transform the undefined behaviour into

if (x > 1290) {
     printf ("...");
     __builtin_trap ();
return x * x * x.

Note carefully that we don't use __builtin_unreachable, which has the 
undesirable effect of doing absolutely nothing.  Whereas __builtin_trap 
immediately terminates the program, thus never allowing the undefined 
behaviour to actually execute (and thus prevent any bad things  from 
happening from a security standpoint).


More information about the Gcc-help mailing list