Re: changing "configure" to default to "gcc -g -O2 -fwrapv ..."

[Eric Blake]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to Bernd Schmidt on 12/30/2006 3:24 AM:
> Paul Eggert wrote:
>> That's great, but GCC has had many other hands stirring the pot.
>> I daresay a careful scan would come up with many other examples of
>> undefined behavior due to signed integer overflow.  (No doubt
>> you'll be appalled by them as well, but there they are.)
> 
> That's handwaving, not evidence.  Sorry, I'm unconvinced.

Here's an example from the intprops module of gnulib.  At least we have
identified the undefined behavior, but this set of macros is used in
production code (various coreutils, m4, ...) to check for overflow in
command line argument overflow.
http://cvs.savannah.gnu.org/viewcvs/gnulib/lib/intprops.h?rev=1.7&root=gnulib&view=auto

/* True if the arithmetic type T is an integer type.  bool counts as
   an integer.  */
#define TYPE_IS_INTEGER(t) ((t) 1.5 == 1)

/* True if negative values of the signed integer type T use two's
   complement, ones' complement, or signed magnitude representation,
   respectively.  Much GNU code assumes two's complement, but some
   people like to be portable to all possible C hosts.  */
#define TYPE_TWOS_COMPLEMENT(t) ((t) ~ (t) 0 == (t) -1)
#define TYPE_ONES_COMPLEMENT(t) ((t) ~ (t) 0 == 0)
#define TYPE_SIGNED_MAGNITUDE(t) ((t) ~ (t) 0 < (t) -1)

/* True if the arithmetic type T is signed.  */
#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))

/* The maximum and minimum values for the integer type T.  These
   macros have undefined behavior if T is signed and has padding bits.
   If this is a problem for you, please let us know how to fix it for
   your host.  */
#define TYPE_MINIMUM(t) \
  ((t) (! TYPE_SIGNED (t) \
        ? (t) 0 \
        : TYPE_SIGNED_MAGNITUDE (t) \
        ? ~ (t) 0 \
        : ~ (t) 0 << (sizeof (t) * CHAR_BIT - 1)))
#define TYPE_MAXIMUM(t) \
  ((t) (! TYPE_SIGNED (t) \
        ? (t) -1 \
        : ~ (~ (t) 0 << (sizeof (t) * CHAR_BIT - 1))))


I would really like to see gcc be able to warn when it is exploiting
optimization opportunities based on undefined wrap semantics, so that code
can easily be made robust against overflow without having to rely on
tedious code audits.  In my opinion, the expectation of sane overflow
semantics is just too pervasive in existing code to be able to audit
without compiler assistance.

- --
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFlnlT84KuGfSFAYARArTEAJ0XZHGg4ry9VCqNjYReplvfnOcWFwCdGeiq
eZeELW6hXlMZ9jXA7MeS3UI=
=+umQ
-----END PGP SIGNATURE-----