On 13/04/14 05:39, Russ Allbery wrote:
Then the answer is very simple. Write in Java.One can make a good argument that such checks are exactly what you should be doing. I am not a compiler writer, so I have no actual data. I suspect your common 20k line will yield about a thousand such warnings, the huge majority of which there will be nothing for you to do about.My understanding of things is that undefined behaviors are fairly common, and almost always benign. Look at the following code:int add( int a, int b ) { return a+b; }Do you really want to get a "Warning: signed integer overflow yields undefined behavior" on this function?I would certainly like to be able to enable such a thing. I write a lot of code where I'd love the compiler to double-check that I've established bounds checks on a and b before doing the addition that guarantee that it won't overflow. Also, it turns out gcc does have such an option. See http://www.airs.com/blog/archives/120. -Wstrict-overflow will let you know when the optimizer uses the assumption of no overflow to change other code. In most cases, you will overflow the packet long before you overflow the integer. If that's the case, the compiler won't help you. There is a good case to claim that the warning would be appropriate for the following code:Put a different way, the answer to your question is quite different if that function were instead: int compute_offset_into_network_packet( int a, int b ) { return a+b; } No? int compute_offset_into_network_packet( int a, int b ) { int offset = a+b; if( offset<0 || offset>PACKET_SIZE ) offset = 0; return offset; }But, then again, what should the warning be? Like I said before, if you don't like to deal with overflows, use Java and take Java's performance hit. In fact, most of the world is doing precisely that. Like I said before, I am not against the compilers warning about such cases. I just think that these warnings need to be done very carefully, or they become worse than useless. As such, if you see a case in which you feel gcc (or clang, or whatever) should warn, by all means open a bug for it. Just make sure you make it a "feature request" and not a "security hole" severity. In other words, don't get mad merely because the compiler author did not read your mind. I don't know whether -Wstrict-overflow is on for -Wall (or -Wextra). If it isn't, I do think it should be. Just checked, and it is on for -Wall, sort of. See http://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html. Shachar |