On Thu, Apr 25, 2024 at 11:28:12AM +0200, Peter Zijlstra wrote: > On Wed, Apr 24, 2024 at 04:30:50PM -0700, Kees Cook wrote: > > > > That is, anything that actively warns about signed overflow when build > > > with -fno-strict-overflow is a bug. If you want this warning you have to > > > explicitly mark things. > > > > This is confusing UB with "overflow detection". We're doing the latter. > > Well, all of this is confusing to me because it is not presented > coherently. > > The traditional 'must not let signed overflow' is because of the UB > nonsense, which we fixed. > > > > Signed overflow is not UB, is not a bug. > > > > > > Now, it might be unexpected in some places, but fundamentally we run on > > > 2s complement and expect 2s complement. If you want more, mark it so. > > > > Regular C never provided us with enough choice in types to be able to > > select the overflow resolution strategy. :( So we're stuck mixing > > expectations into our types. > > Traditionally C has explicit wrapping for unsigned and UB on signed. We > fixed the UB, so now expect wrapping for everything. > > You want to add overflow, so you should make that a special and preserve > semantics for existing code. > > Also I would very strongly suggest you add an overflow qualifier to the > type system and please provide sane means of qualifier manipulation -- > stripping qualifiers is painful :/ I agree that having an overflow/nooverflow qualifier that's separate from signed/unsigned would make more sense than inferring that from signed vs unsigned. Mark.
