Comment by eru

3 years ago

Oh, I didn't mean to imply that it would be practical. Only that it's possible and that the type system isn't the only thing you can rely on.

Instead of just assuming that 'x > x + 1' is always true (for signed integers), the compiler could also do the heavy lifting of static analysis (for cases where that's possible).

7 comments

eru

Reply
littlestymaar  3 years ago

But you talked about JavaScript, where the “heavy lifting” is in fact “assume that it's always true, and switch back a less optimized version if the assumption turns out to be false”. That's exactly the kind of things you cannot do in C, because people use C in contexts were JIT isn't an option.

  • eru  3 years ago

    Sorry, my general point and my example didn't perfectly match.

    For something better matching: have a look at things like Coverity for what you can recover with static analysis of existing C code.

Gibbon1  3 years ago

Frankly what I think it we should have a compramize.

Make overflow on a signed int defined. Create a new type called unsafe_int where it is not.

So then the compiler writers get to implement their pointless optimization pit traps. And everyone else can avoid those by banning unsafe_int.

  • astrange  3 years ago

    The signed integer overflow rule is extremely important for common optimizations, mostly related to loops like knowing if they're finite or rewriting their index directions.

    The way to start getting rid of it would be to add for...in... loops or something where the loop index can be a custom no-overflow type.

    And "defining" it is a lame approach to safety. If you make it wraparound, you now have silent wraparounds that can't be found by static analysis. You want unintended overflows to trap, not just be defined.

    • eru  3 years ago

      > And "defining" it is a lame approach to safety. If you make it wraparound, you now have silent wraparounds that can't be found by static analysis. You want unintended overflows to trap, not just be defined.

      Yes. But even the lame approach is better than UB, because it doesn't bring the whole program down.

      1 reply →

  • eru  3 years ago

    You can already compile with `-fno-strict-overflow` to get twos-complement overflow for signed integers.

    I meant to talk more abstractly about UB in general.