Re: Having fun with the following C code (UB)
On 2014-04-14 17:01:42 -0700, Russ Allbery wrote:
> Vincent Lefevre <vincent@vinc17.net> writes:
> > But what I mean is that it's pointless to emit such a warning when the
> > effect of the potential integer overflow is already visible, for
> > instance in printf below:
> 
> >   m = d * C;
> >   printf ("%d\n", m);
> >   return m >= 0;
> 
> > If there was an integer overflow, you will get an incorrect value output
> > by the printf. This means that it is very likely to be a false
> > positive. So, one doesn't want the warning.
> 
> It's not pointless because at least now you get a warning and may realize
> that the whole function is vulnerable when you go look at the warning
> site.
> 
> In other words, what you would (rightfully) like is a warning when you're
> invoking signed integer overflow, or at least the compiler can't prove
> you're not.  Unfortunately, the compiler isn't good enough to give you
> that warning.  Your options are a warning when the compiler can figure
> that out, which currently only triggers in some optimization paths, or no
> warning at all.
The cases "m = d * C" and "m >= 0" are mostly the same, i.e. with the
same false positives in practice. So, there's no reason to provide a
warning for the second one only. Actually there are already various
complaints concerning this warning:
http://gcc.gnu.org/bugzilla/buglist.cgi?quicksearch=Wstrict-overflow&list_id=87804
In particular for
  http://gcc.gnu.org/bugzilla/show_bug.cgi?id=34515
Andrew Pinski said: "For the first warning, even though the warning
is correct, I don't think we should warn here as the expressions are
split between two different statements.", which is more or less my
point here (the first overflow occurs before the "m >= 0").
-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
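The pattern the thread is arguing about, as an added example that is not part of the original message or of GCC's own code: the first function is the "m = d * C; return m >= 0;" shape from Vincent's snippet, written out so the overflow is visible, and the second answers the same question with defined arithmetic only. C is assumed to be 1000 (the thread never gives a value), and mul_checked() is the usual pre-check against INT_MAX / INT_MIN rather than any routine from the thread.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed multiplier for the example; the thread does not give C's value. */
#define C 1000

/* The pattern under discussion: signed multiply, then a sign test on the
 * product. Signed overflow is undefined behaviour, so an optimizing compiler
 * may rewrite "m >= 0" as "d >= 0" (this is the simplification that
 * -Wstrict-overflow reports), and the test then says nothing about whether
 * the multiplication actually overflowed. The printf in the thread's
 * version would show the wrapped value, but cannot make the comparison
 * meaningful. */
int scaled_is_nonneg(int d)
{
    int m = d * C;          /* UB when d * C does not fit in an int */
    return m >= 0;
}

/* Hardened form: decide whether a * b fits in an int before multiplying,
 * using only defined operations (division by a non-zero operand).
 * Returns false and leaves *out untouched if the product would overflow. */
bool mul_checked(int a, int b, int *out)
{
    if (a > 0) {
        if (b > 0) {
            if (a > INT_MAX / b) return false;
        } else {
            if (b < INT_MIN / a) return false;
        }
    } else if (a < 0) {
        if (b > 0) {
            if (a < INT_MIN / b) return false;
        } else {
            /* both non-positive: product is non-negative, may exceed INT_MAX */
            if (b < INT_MAX / a) return false;
        }
    }
    /* a == 0 always fits */
    *out = a * b;
    return true;
}

/* Convenience wrapper for callers that only need the yes/no answer. */
bool mul_fits_int(int a, int b)
{
    int ignored;
    return mul_checked(a, b, &ignored);
}

/* Same question as scaled_is_nonneg(), answered without UB:
 *  1  -> d * C is representable and non-negative
 *  0  -> d * C is representable and negative
 * -1  -> d * C would overflow (caller must treat this as an error) */
int scaled_sign_checked(int d)
{
    int m;
    if (!mul_checked(d, C, &m))
        return -1;
    return m >= 0;
}

int main(void)
{
    int inputs[] = { 7, -7, INT_MAX / C, INT_MAX / C + 1, INT_MIN };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int d = inputs[i];
        /* The first column is only meaningful when d * C fits; for the
         * overflowing inputs its value depends on the optimization level. */
        printf("d=%11d  unchecked=%d  checked=%2d\n",
               d, scaled_is_nonneg(d), scaled_sign_checked(d));
    }
    return 0;
}
```

Compile it twice, once with -O0 and once with -O2 -Wstrict-overflow=2, and compare the "unchecked" column for the last two inputs: the warning GCC emits on the -O2 build is exactly the "simplifying comparison of multiplication" case the thread discusses, and the checked column is the only one that is stable across both builds.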