Re: [PATCH][RFC] Enable -fstrict-overflow by default

[Martin Sebor <msebor@gmail.com>]

On 04/24/2017 05:25 AM, Richard Biener wrote:
>
> The following makes signed overflow undefined for all (non-)optimization
> levels.  The intent is to remove -fno-strict-overflow signed overflow
> behavior as that is not a sensible option to the user (it ends up
> with the worst of both -fwrapv and -fno-wrapv).  The implementation
> details need to be preserved for the forseeable future to not wreck
> UBSAN with either associating (-fwrapv behavior) or optimizing
> (-fno-wrapv behavior).
>
> The other choice would be to make -fwrapv the default for -O[01].
>
> A second patch in this series would unify -f[no-]wrapv, -f[no-]trapv
> and -f[no-]strict-overflow with a
> -fsigned-integer-overflow={undefined,wrapping,trapping[,sanitized]}
> option, making conflicts amongst the options explicit (and reduce
> the number of flag_ variables).  'sanitized' would essentially map
> to todays flag_strict_overflow = 0.  There's another sole user
> of flag_strict_overflow, POINTER_TYPE_OVERFLOW_UNDEFINED - not sure
> what to do about that, apart from exposing it as different flag
> alltogether.
>
> Further patches in the series would remove -Wstrict-overflow (and
> cleanup VRP for example).

Minimizing the differences between the guarantees provided at
different optimization levels is a good thing.  It will help
uncover bugs that would go undetected during development (with
-O0) and only manifest when building with optimization (which
may be less frequent).

I find the -Wstrict-overflow warning with all its levels over-
engineered but I'm not sure I'm in favor of completely eliminating
it.  It has helped illuminate the signed integer overflow problem
for many users who were otherwise completely unaware of it.  I'd
be concerned that by getting rid of it users might be lulled back
into assuming that it has the same wrapping semantics as common
hardware (or simply doesn't happen).  It sounds like you'd like
to get rid of it to simplify GCC code.  Would it make sense to
preserve it for at least the most egregious instances of overflow
(like in 'if (i + 1 < i)' and similar)?

Martin

>
> Anyway, most controversical part(?) below.
>
> Any comments on this particular patch (and the overall proposal)?
>
> Cleaning up the options is probably a no-brainer anyways.
>
> Thanks,
> Richard.
>
> 2017-04-24  Richard Biener  <rguenther@suse.de>
>
> 	* common.opt (fstrict-overflow): Enable by default.
> 	* opts.c (default_options_table): Remove OPT_fstrict_overflow entry.
>
> Index: gcc/common.opt
> ===================================================================
> --- gcc/common.opt	(revision 247091)
> +++ gcc/common.opt	(working copy)
> @@ -2342,7 +2342,7 @@ Common Report Var(flag_strict_aliasing)
>  Assume strict aliasing rules apply.
>
>  fstrict-overflow
> -Common Report Var(flag_strict_overflow) Optimization
> +Common Report Var(flag_strict_overflow) Init(1) Optimization
>  Treat signed overflow as undefined.
>
>  fsync-libcalls
> Index: gcc/opts.c
> ===================================================================
> --- gcc/opts.c	(revision 247091)
> +++ gcc/opts.c	(working copy)
> @@ -496,7 +496,6 @@ static const struct default_options defa
>      { OPT_LEVELS_2_PLUS, OPT_fschedule_insns2, NULL, 1 },
>  #endif
>      { OPT_LEVELS_2_PLUS, OPT_fstrict_aliasing, NULL, 1 },
> -    { OPT_LEVELS_2_PLUS, OPT_fstrict_overflow, NULL, 1 },
>      { OPT_LEVELS_2_PLUS_SPEED_ONLY, OPT_freorder_blocks_algorithm_, NULL,
>        REORDER_BLOCKS_ALGORITHM_STC },
>      { OPT_LEVELS_2_PLUS, OPT_freorder_functions, NULL, 1 },
>