PATCH RFC: Warn about pointer wraparound with -Wstrict-overflow

Mark Mitchell mark@codesourcery.com
Tue Apr 8 18:59:00 GMT 2008 

Ian Lance Taylor wrote:
> I'm testing this patch as a response to
>     http://www.kb.cert.org/vuls/id/162289

Thank you for working on this; comments below.

First, I agree with you that this is a feature we want.  There is a 
class of users that do really need these kinds of warnings.  They have 
lots of code, used in environments where reliability requirements are 
high, and they want every warning they can get.  They are willing to 
modify their code base if necessary to avoid warnings -- even spurious 
ones.  I've worked with people who ran code through multiple compilers 
-- just to see if they could get more warnings.

And, clearly, from a PR point of view, this helps with the CERT issue.

> +This option also allows the compiler to assume strict pointer
> +semantics: given a pointer to an object, if adding an offset to that
> +pointer does not produce a pointer to the same object, the addition is
> +undefined.  This permits the compiler to conclude that @code{p + i >
> +p} is always true for a pointer @code{p} and integer @code{i}.  This
> +assumption is only valid if pointer wraparound is undefined, as the
> +expression is false if @code{p + i} overflows.

This is only true for non-negative integers "i".  I'm sure that's what 
the compiler does, but I think the documentation should say that.  I 
also think you say when pointer wraparound is undefined; otherwise, the 
reader doesn't know whether the condition in the last sentence applies.

As to the other issues:

* I think -fwrapv/-ftrapv should affect pointers as well as integers. 
Many people think of them the same, and I see no downside here.  Using 
-ftrapv says "break my code loudly if I do something weird with 
overflow".  Using -fwrapv says "make my code work if I do something 
weird with overflow, even at expense of speed".  I think treating these 
as applying to both pointers and integers makes sense.  If someone wants 
to create -fwrapv=int and -fwrapv=pointer options, that's fine with me, 
but I don't think we need to do it now.

* I think Richard's right that this is a new feature for 4.2, which 
means we would have to bend the rules to put it in.  But, the patch 
seems very safe by its construction, since flag_strict_overflow is 
usually false.  So, I think it should be in 4.2.  Jakub, Joseph, what 
say you?

In any case, this is OK for mainline and 4.3.

Thanks,

-- 
Mark Mitchell
CodeSourcery
mark@codesourcery.com
(650) 331-3385 x713

More information about the Gcc-patches mailing list