On 11/08/2015 12:11 PM, Florian Weimer wrote:
> On 11/06/2015 01:32 PM, David Brown wrote:
>> How about this case:
>>
>>     #include <stdio.h>
>>
>>     int foo(int x) {
>>         if (x > 1290) {
>>             printf("X is wrong here %d, but we don't care\n", x);
>>         }
>>         return x*x*x;   /* signed overflow here is undefined behaviour */
>>     }
>>
>> The compiler can eliminate the check and the printf.
>
> I don't think the compiler can do that because printf has an externally
> visible effect, which is sequenced before the undefined behavior, so
> this program transformation would not be permitted under the as-if rule.
Right. This is precisely the discussion we had when looking at this
class of issues in the erroneous-path optimizer. It doesn't currently
try to handle overflows, but if it did, it'd probably do something like
first transforming the code into:
    if (x > 1290) {
        printf ("...");
        return x * x * x;
    }
    return x * x * x;
Note how the return statement has been duplicated into the THEN clause.
That allows us to transform the undefined behaviour into
    if (x > 1290) {
        printf ("...");
        __builtin_trap ();
    }
    return x * x * x;
Note carefully that we don't use __builtin_unreachable, which has the
undesirable effect of doing absolutely nothing, whereas __builtin_trap
immediately terminates the program, thus never allowing the undefined
behaviour to actually execute (and thus preventing any bad things from
happening from a security standpoint).
Jeff
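As an added example (not code from the thread, and not GCC's own optimizer output), here is the transformation Jeff describes written out by hand in C next to David's original function, plus a hypothetical cube_checked() that uses the GCC/Clang __builtin_mul_overflow builtin to detect the overflow at run time instead of relying on a hand-written bound. The function names, the cube_fits() wrapper and the main() driver are assumptions made for illustration; 1290 is the largest int whose cube fits in a 32-bit int (1290^3 = 2146689000), which is why David's check uses that constant.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* David's function as posted: for x > 1290, x*x*x overflows a 32-bit int,
 * which is undefined behaviour, so the compiler may assume it never happens. */
int foo_original(int x) {
    if (x > 1290) {
        printf("X is wrong here %d, but we don't care\n", x);
    }
    return x * x * x;
}

/* The transformation Jeff describes, written out by hand: the return is
 * duplicated into the THEN clause, and the copy that is known to invoke
 * undefined behaviour is replaced by __builtin_trap().  The printf still
 * runs, because it is sequenced before the would-be overflow. */
int foo_isolated(int x) {
    if (x > 1290) {
        printf("X is wrong here %d, but we don't care\n", x);
        __builtin_trap();   /* the overflowing multiply is never reached */
    }
    return x * x * x;
}

/* Hypothetical hardened variant (not from the thread): detect the overflow
 * at run time with GCC/Clang's __builtin_mul_overflow.  Returns false when
 * x*x*x does not fit in an int, which also covers the negative side
 * (x < -1290) that a plain x > 1290 check does not catch. */
bool cube_checked(int x, int *out) {
    int sq, cube;
    if (__builtin_mul_overflow(x, x, &sq)) return false;
    if (__builtin_mul_overflow(sq, x, &cube)) return false;
    *out = cube;
    return true;
}

/* Convenience wrapper for callers that only need the yes/no answer. */
bool cube_fits(int x) {
    int unused;
    return cube_checked(x, &unused);
}

int main(int argc, char **argv) {
    int x = argc > 1 ? atoi(argv[1]) : 1290;
    int cube;
    if (cube_checked(x, &cube)) {
        /* Safe to call foo_isolated here: no overflow, so no trap and no UB. */
        printf("%d^3 = %d (foo_isolated returns %d)\n", x, cube, foo_isolated(x));
    } else if (x > 1290) {
        printf("%d^3 overflows int; foo_isolated would print its message and trap\n", x);
    } else {
        printf("%d^3 overflows int, and the posted x > 1290 check does not catch it\n", x);
    }
    return 0;
}
```

Run it as `./a.out 1291` to see the overflow reported without ever executing the undefined multiply; foo_isolated() is only called on inputs cube_checked() has already accepted, because on x > 1290 it would terminate the process, and on x < -1290 the posted check would let the overflow through.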