I know that those for loops are the reason that C/C++ compilers have adopted this contorted view of what UB means. I believe that that is solely for benchmark gaming because the supposed benefit seems extraordinarily hard to get to happen.

For the UB to be beneficial I have to have a function that will compile meaningfully differently with clang or gcc with -fwrapv vs -fno-wrapv. The only example I have found from existing posts justifying the “integer overflow should be UB” that has any real difference in codegen is a bzip comparison function iirc which I butchered thusly:

template <typename IntType>  __attribute__((noinline))  int
cmp(IntType i1, IntType i2, unsigned char *buf)
{
    for (;;) {
        int c1 = buf[i1];
        int c2 = buf[i2];
        if (c1 != c2)
            return c1 - c2;
        i1++;
        i2++;
    }
}

I can compile this with -fwrap or -fno-wrap and while there is some restricting (using indexed loads, etc) there is no performance difference.[*]

I firmly believe that keeping the “signed overflow is UB” nonsense is purely a benchmark game that does not offer actual performance wins in real world code, but has massive costs - both in terms of performance and security.

[*] There is a 2x difference in perf under rosetta 2, but assuming the same benchmarks being compiled then r2 may just have less work in the uncommon code you get from gcc and clang compiling x86_64 with -fwrapv.

Is there any situation where the user couldn’t recover the optimisation by rewriting their loops a little bit?

…Which is a good example of how C/C++ style signedness for integers is kinda bullshit. XD C-style for loops are a sneaky-good way to expose the problems with them; iterators or ranges are one possible way of making some of the problems go away. Use the right iterator and you know it will terminate.

Unsigned integer overflow is well-defined in C. Only signed integer overflow is undefined.

As I’ve said elsewhere, the only reason for this divergence is compiler benchmark games.

More over, even in the 70s and 80s integer overflow did not produce random output on any hardware, and so should be either unspecified or implementation defined. Neither of which allow the compiler to just assume they can’t happen and make backwards assumptions from there.

That said, there has not been any hardware not using 2’s complement now in a few decades, so any call to older hardware is kind of stupid, and the behavior should just be specified.

For what it’s worth, C/C++ have always embraced the idea of UB.

No, there is a vast difference between acknowledging that there are things the language allows you to do, that have unpredictable outcomes, and what blindly saying things are “undefined behavior means that the compiler can do whatever it wants”. The latter is a fairly contorted view of what the specification says that compiler devs started taking a few decades ago and immediately started introducing security vulnerabilities - specifically by removing overflow checks that had worked for decades, and worked on all systems.

The problem is only partially that C/C++ erroneously uses “UB” for behaviors that can be unspecified or implementation defined, a bigger part of the problem is that compiler writers have taken “what happens when you do an operation X that triggers UB places no requirements on the compiler” as meaning “pretend X never happens, and remove code paths in which it does”.

The only people with this expansive view of “Undefined Behavior” are the compiler authors. To get an idea of the absurdity:

int i = f();
if (i == 0) {
  logError("Whoops, we're dividing by zero\n");
}
int x = g() / i;

By the rules compiler vendors invented, you will never get a message logged, because the only program that can possibly get that message has i==0 and that makes g()/i UB, which is invalid so can’t happen. Therefore i can never be 0 so that if() statement can be dropped.

If you’re coming from a such a language, where you are used to the paradigm that everything is well-defined, I can imagine that seeing code deleted during optimization is probably a surreal experience.

Alternatively if you’re used to writing code in C and C++, and know how computers work you may be a bit miffed at compilers actively breaking decades old code based on a highly questionable definition of what they are permitted to do, which is an interpretation that clang and gcc introduced and have pushed only over the last 10-15 years.

We can acknowledge that the c and c++ compilers have taken this view, and write our code in the knowledge that c and c++ compilers are fundamentally an adversary, while continuing to be angry about said compilers making decisions that they know are against anything a developer has written.

Whether signed integer overflow should be undefined or implementation defined behavior seems like it was a judgment call, though I’m sure the original C standards committee had a valid rationale at the time for making it undefined behavior.

I’ve heard that at the time, some platforms went bananas upon signed integer overflow, so they made it undefined, perhaps without realising that compiler writers would eventually take that as a license to interpret that literally for all platforms, including the 2’s complement ones that comprise >99.999% of all computers.

I think there’s a disconnect between the spirit and the letter of “undefined” here. And now compiler writers won’t give up their pet optimisations.

You are technically correct, but I’m sure you understand that the consequences of such a policy means that pushed to the extreme we could have the situation where a 100k LoC codebase has a single little bug deep down somewhere, then crashing or executing random code straight at startup is an acceptable behavior.

The cost of a single mistake is very high, that’s the main point I’m trying to make.

Yeah but I don’t like that for 2 reasons:

• 2 lines instead of 1
• I can’t do const int x = … anymore (and I like to use const everywhere because it helps the developer mental model about non-mutability expectations)

My mistake, I meant “leap before you look”

Whole-function analysis can have an effect that seems like UB going back in time. For example, the compiler may analyze range of possible values of a variable by checking its every use and spotting 2 / x somewhere. Division by 0 is UB, so it can assume x != 0 and change or delete code earlier in the function based on this assumption, even if the code doesn’t have a chance to reach the 2 / x expression.

Avoiding the overflow requires a bounds check. I interpreted your earlier question being about why these bounds checks often create an overflow in order to perform the check (which is not a bug, it’s integral to the check.) There’s no standards compliant way to request overflow semantics specifically, so that option doesn’t really exist, and doing the check without an overflow is gross.

If the standard had provided a mechanism to request overflow semantics via different syntax, we probably wouldn’t have such intense discussion.

I agree but eliding the overflow checks can make a big difference for performance. My experience with Rust is that compiling anything that involves a lot of number-crunching in debug-mode results in it being painfully slow. Though it’s been a while since I’ve done this seriously, might be worth revisiting.

What’s really needed is better overflow checks, imo. Some architectures like Itanium and PowerPC have instructions for math operations that saturate the overflow/carry flag, rather than setting or clearing it. That way you can do a big long chain of operations, then check whether it overflowed anywhere inside the chain with one instruction. As far as I know x86_64 and RISC-V don’t have these; not sure about Arm/Aarch64.

In other words, “for which the Standard imposes no requirements” is part of the definition of UB, not of the handling of UB. Or: rather than “UB means the Standard doesn’t impose requirements on handling”, it’s “a thing is only UB if the Standard hasn’t imposed requirements for how to handle that thing”.

There are things that the standard specifically says is undefined behaviour. Eg the example from that very definition:

EXAMPLE An example of undefined behavior is the behavior on integer overflow.

The article you’ve linked uses that line of reasoning to somehow say that there is some behaviour mandated for integer overflow, despite it being right there in the example that it has undefined behaviour.

The behaviour mandated, according to Yodaiken’s article, is:

Possible undefined behavior ranges from ignoring the situation completely with unpredictable results, to behaving during translation or program execution in a documented manner characteristic of the environment (with or without the issuance of a diagnostic message), to terminating a translation or execution (with the issuance of a diagnostic message)

(The article argues that the original “permissible” had different semantics than the “possible” which replaced it, and that the “original” permissible was more correct, even though it was intentionally changed. I hope it’s clear why that’s a tenuous position to take). It’s right there in that text:

ignoring the situation completely with unpredictable results

That’s exactly what we’re seeing when integer overflow causes what the OP’s article calls “wild” behaviour - the compiler ignores the situation (that overflow happened) completely and optimises assuming it didn’t happen. Victor’s post twists this to mean that the compiler should “ignore” that the undefined behaviour was triggered and produce a result for the operation. He ignores the “unpredictable results” clause.

In other words, “for which the Standard imposes no requirements” is part of the definition of UB, not of the handling of UB

You can’t have one without the other. If it imposes requirements on the handling, then it imposes requirements. And then it would not be the case that it “imposes no requirements”.

In any case, there is more detailed explanation of what constitutes undefined behavior elsewhere in the text (chapter 4):

If a ‘‘shall’’ or ‘‘shall not’’ requirement that appears outside of a constraint is violated, the behavior is undefined. Undefined behavior is otherwise indicated in this International Standard by the words ‘‘undefined behavior’’ or by the omission of any explicit definition of behavior. There is no difference in emphasis among these three; they all describe ‘‘behavior that is undefined’’

So “undefined behaviour” also means “the behaviour is undefined”. It’s incredibly tenuous to claim that there are in fact requirements on the behaviour imposed, and that furthermore these requirements are stated only in the “definitions” section of the document (which in general does not specify requirements at all).

It’s also tenuous to claim that the “undefined behaviour” of integer overflow should just result in an implementation-defined value, despite the fact that there is also a defined term “implementation-defined value” which could have been used to describe that case.

I.e. your argument is that integer overflow is an example of undefined behaviour and so should have implementation-determined value, despite the fact that the standard makes it quite specific in other cases when a value is implementation-determined but does not do so for integer overflow.

getting to that interpretation requires torturing the plain English text.

I strongly disagree and would say the same about the interpretation you’re arguing for, with the evidence that I’ve stated.