Losing the magic
Losing the magic
Posted Dec 7, 2022 18:48 UTC (Wed) by khim (subscriber, #9252)In reply to: Losing the magic by Wol
Parent article: Losing the magic
> All I want is for the C spec to declare them equivalent.
If that's really your desire then you sure found a funny way to achieve it.
But I'm not putting you with O_PONIES crowd. It seems you are acting out of ignorance not malice.
John Regehr tried to do what you are proposing to do — and failed spectacularly, of course.
But look here: My paper does not propose a tightening of the C standard. Instead, it tells C compiler maintainers how they can change their compilers without breaking existing, working, tested programs. Such programs may be compiler-specific and architecture-specific (so beyond anything that a standard tries to address), but that's no reason to break them on the next version of the same compiler on the same architecture.
Basically O_PONIES lovers position is the following: if language M (machine code) have UBs then it's Ok for L to have UB in that place, but if M doesn't have UB then it should be permitted to violate rules of L and still produce working program.
But yeah, that's probably problem with me understanding English or you having trouble explaining things.
> What I'm unhappy with is SchrodinUB where the EXACT SAME CODE may, or may not, exhibit UB depending on situations outside the control of the programmerHow is that compatible with this:
> khim is determined to drag in features that are on their face insane, like double frees and the like. I'm quite happy for the compiler to optimise on the basis of "this code is insane, I'm going to assume it can't happen (because it's a bug EVERYWHERE).I don't see why do you say that this feature is insane. Let's consider concrete example:
On beta versions of Windows 95, SimCity wasn’t working in testing. Microsoft tracked down the bug and added specific code to Windows 95 that looks for SimCity. If it finds SimCity running, it runs the memory allocator in a special mode that doesn’t free memory right away.
It looks as if your approach the EXACT SAME CODE may, or may not, exhibit UB depending on situations outside the control of the programmer very much does cover double free, dangling pointers and other such things. It's even possible to make it work if you have enough billions in bank and obsession with backward compatibility.
The question: are these a well-spent billion? Should we have a dedicated team which cooks up such patches for the clang and/or gcc? Who would pay for it?
Without changing spec (which people like Anton Ertl or Victor Yodaiken very explicitly say not what they want) this would be the only alternative, I'm afraid.
> But SchrodinUB should always be opt IN.Why? It's not part of the C standard, why should it affect good programs which are not abusing C?
> And actually, I get the impression Rust is like that - bounds checks and all that sort of thing are suppressed in runtime code I think I heard some people say.Only integer overflow checks are disabled. If you would try to divide by zero you would still get check and panic if divisor is zero.
But if you violate some other thing (e.g. if you program would try to access undefined variable) all bets are still off.
Let's consider the following example:
bool to_be_or_not_to_be() {
int be;
return be == 0 || be != 0;
}
With Rust you need to jump through the hoops to use uninitialized variable but with unsafe it's possible:
pub fn to_be_or_not_to_be() -> bool {
let be: i32 = unsafe { MaybeUninit::uninit().assume_init() };
return be == 0 || be != 0;
}
You may argue that what Rust is doing (removing the code which follows to_be_or_not_to_be call and replacing it with unconditional crash) is, somehow, better then what C is doing (claiming that value of the be == 0 || be != 0 is false).
But that would hard sell to O_PONIES lover who was counting on getting true from it (like Rust did only few weeks ago).
Yes, Rust is better-defined language, no doubt about it. It has smaller number of UBs and they are more sane. But C and Rust are cast in the same mold!
You either avoid UBs and have a predictable result or not's avoid them and end up with something strange… and there are absolutely no guarantee that program which works today would continue to work tomorrow… you have to ensure you program doesn't trigger UB to cash on that promise.