US-CERT Vulnerability Note VU#162289
Andrew Haley
aph@redhat.com
Thu Apr 24 16:11:00 GMT 2008
Robert C. Seacord wrote:
> Neil,
>
> I'm not sure I understand what you mean by the following:
>
>> A program that does not satisfy this constraint is erroneous, and many
>> compilers take advantage of this constraint to optimize code more
>> effectively.
> Just because a program contains undefined behavior, does not mean that
> it is erroneous.
This is the crux of our disagreement. To me, and I imagine almost
everyone else on the gcc list, any program that contains undefined
behaviour is *by definition* erroneous.
It is erroneous because there is no way to determine what the program
should do. The program is, quite literally, meaningless.
Certainly, a compiler writer can extend the language to give a compiler-
specific definition to that behaviour, in which case it's no longer
undefined. But that is not true in this particular case.
> One possibility is that GCC could handle these constructs in a
> consistent manner. That is, GCC clearly implements modwrap semantics.
> Given this, I think the behavior exhibited in this case is inconsistent.
> If, on the other hand, GCC implemented saturation semantics, it
> would make perfect sense to optimize out this check.
gcc implements ISO C semantics, with some extensions. We could
extend the language in the way you suggest, but it would be very
difficult formally to specify such an extension. I don't think
it's something we should do.
Andrew.
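The check at issue in this exchange is an overflow test written to depend on two's-complement wraparound of a signed sum, which ISO C leaves undefined and which a compiler may therefore assume never happens. The following C example was added by the editor and is not code from the thread, from GCC or from the vulnerability note; BUF_LEN, the function names and the argument values are illustrative assumptions. It places such a wraparound-dependent check beside an equivalent check that never overflows, which is the form that keeps its meaning under ISO C semantics regardless of optimization level.

```c
#include <limits.h>
#include <stdio.h>

/* Illustrative buffer size (an assumption for this example). */
#define BUF_LEN 256

/* Returns 1 when [offset, offset + len) fits in a BUF_LEN-byte buffer.
 * Written to rely on wraparound: the programmer expects an overflowing
 * offset + len to become negative so that `end < offset` catches it.
 * Signed overflow is undefined behaviour in ISO C, so a conforming
 * compiler may assume offset + len >= offset and is entitled to drop
 * that comparison entirely. */
int fits_wraparound_check(int offset, int len)
{
    if (offset < 0 || len < 0)
        return 0;
    int end = offset + len;   /* may overflow: undefined behaviour */
    if (end < offset)         /* may be optimized away as always false */
        return 0;
    return end <= BUF_LEN;
}

/* The same check with no reliance on overflow: test the headroom that
 * remains below INT_MAX before forming the sum, so the addition is only
 * performed when it is known not to overflow. */
int fits_safe_check(int offset, int len)
{
    if (offset < 0 || len < 0)
        return 0;
    if (len > INT_MAX - offset)   /* offset + len would overflow */
        return 0;
    return offset + len <= BUF_LEN;
}

/* Unsigned variant: wraparound of unsigned arithmetic is well defined,
 * so the "did the sum wrap" idiom is legitimate here, but the bound
 * check is still clearer written against the headroom. */
int fits_unsigned_check(unsigned int offset, unsigned int len)
{
    if (len > UINT_MAX - offset)  /* offset + len would wrap */
        return 0;
    return offset + len <= BUF_LEN;
}

int main(void)
{
    /* Constructed inputs: an in-range request and one that would overflow. */
    printf("safe(10, 20)        = %d\n", fits_safe_check(10, 20));
    printf("safe(INT_MAX, 1)    = %d\n", fits_safe_check(INT_MAX, 1));
    printf("safe(200, 100)      = %d\n", fits_safe_check(200, 100));
    printf("unsigned(UINT_MAX,1)= %d\n", fits_unsigned_check(UINT_MAX, 1));
    /* fits_wraparound_check is only called with non-overflowing inputs
     * here; calling it with INT_MAX, 1 would execute undefined behaviour. */
    printf("wrap(10, 20)        = %d\n", fits_wraparound_check(10, 20));
    return 0;
}
```

GCC's -fwrapv option is the kind of compiler-specific extension the message refers to: it defines signed overflow as two's-complement wraparound for that compilation, so the first form then behaves as its author intended, but only under that flag. Rewriting the check as in fits_safe_check removes the dependence on any such extension.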