[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

Benjamin Kreuter brk7bx at virginia.edu
Wed Apr 30 22:39:55 EDT 2014


On Wed, 2014-04-30 at 10:11 -0700, Dennis E. Hamilton wrote:
> 
>     -----Original Message-----
>     From: Benjamin Kreuter
>     Sent: Tuesday, April 29, 2014 20:21
>     To: Arnold Reinhold
>     On Tue, 2014-04-29 at 19:56 -0400, Arnold Reinhold wrote:
>     > The C standards committee, as far as I know, only said that signed
>     > integer overflow was undefined. They never required that code which
>     > could create such an overflow, and any code dependent on such an
>     > operation, be removed.
> 
>     Maybe so, but it is also not prohibited to remove it.  
>     I would want this to be optimized by my compiler:
> 
>         if(x > x + 1) { /* ... */ }
> 
>     Yet someone might have been using "x > x + 1" as a way to check
>     "x == INT_MAX", and such an optimization would cause a problem 
>     for them.
> 
> The problem is that, if you are expecting that optimization, you are
> assuming that it is correct to assume the values of x with respect to >
> and + are equivalent to mathematical entities and operations thereupon
> when that is not actually the case.

Actually the assumption holds for all defined behavior; it may fail for
undefined behavior.  Undefined behavior is undefined; the optimizer can
safely ignore it and focus only on defined behavior.

> All manner of bugs arise because of the assumption that the computer
> representation is an interpretation of standard mathematical entities.

Right, but that is not what we are talking about here.  We are talking
about bugs that arise because of the assumption that undefined behavior
is defined in some particular way.

> They are, but not *those* mathematical entities.  In the case of a
> proper implementation of C Language as a system language, that
> optimization is entirely inappropriate.  

There is no "proper" implementation of undefined behavior in any
language.  It is your job as a programmer to ensure that your program's
behavior is not undefined.

Undefined behavior is not just a problem for optimization.  A change in
the code generation strategy might change undefined behavior.  A change
to the register allocator could do it.  The environment variables that
are set when your program is executed might change undefined behavior.
Undefined behavior should always be considered a bug.

> I am not surprised that the specification waves this off, nor am I
> surprised that compilers are set up to over-optimize.

You call it "over-optimizing," but I call it "textbook."  Eliminating
the "if" statement in my example would happen with basic optimization
techniques that you can read about in a typical compilers text.

-- Ben
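Added illustration, not part of Ben's message or the original thread: the `x > x + 1` idiom from the quoted text beside two well-defined replacements. The names (`overflow_check_ub`, `would_overflow_add1`, `add_would_overflow`, `checked_add`) are my own; the point is that the first function invokes undefined behaviour exactly at the input it is meant to detect, so an optimizer is entitled to fold it to "always false", while the others stay inside defined behaviour for every `int` input.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The idiom from the thread. For x == INT_MAX the addition overflows a
 * signed int, which is undefined behaviour, so the compiler may assume
 * it never happens and rewrite the comparison as a constant 0. */
static bool overflow_check_ub(int x) {
    return x > x + 1;
}

/* What the author of that idiom actually wanted: no arithmetic, no UB. */
static bool would_overflow_add1(int x) {
    return x == INT_MAX;
}

/* General form: would a + b overflow int? Every operation here stays
 * within [INT_MIN, INT_MAX], so the result is defined for all inputs. */
static bool add_would_overflow(int a, int b) {
    if (b > 0) return a > INT_MAX - b;
    if (b < 0) return a < INT_MIN - b;
    return false;
}

/* Checked addition: stores a + b in *out and returns true, or returns
 * false and leaves *out untouched when the sum would not fit. */
static bool checked_add(int a, int b, int *out) {
    if (add_would_overflow(a, b)) return false;
    *out = a + b;
    return true;
}

int main(void) {
    int sum = 0;
    /* Defined input: both checks agree. */
    printf("x=5: ub-idiom=%d defined=%d\n",
           overflow_check_ub(5), would_overflow_add1(5));
    /* At the boundary only the defined check can be trusted; the UB
     * idiom's answer depends on optimization level and compiler. */
    printf("x=INT_MAX: defined=%d\n", would_overflow_add1(INT_MAX));
    printf("checked_add(INT_MAX, 1) ok=%d\n", checked_add(INT_MAX, 1, &sum));
    printf("checked_add(INT_MAX, -1) ok=%d sum=%d\n",
           checked_add(INT_MAX, -1, &sum), sum);
    return 0;
}
```

Building the same file with `-O0` and `-O2` and comparing the output of the first function at `INT_MAX` shows the effect the message describes; compiling with `-fsanitize=signed-integer-overflow` reports the overflow at run time, and `-fwrapv` makes GCC give signed overflow two's-complement wrap-around semantics, which is a way to make legacy code well-defined rather than a reason to keep writing the idiom.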