From: Robert Dewar
Date: Sat, 02 Jul 2005 16:48:00 -0000
To: Paul Schlie
CC: Joe Buck, Gabriel Dos Reis, gcc@gcc.gnu.org
Subject: Re: Should GCC publish a general rule/warning due to its default presumption of undefined signed integer overflow semantics?
Message-ID: <42C6C558.9050003@adacore.com>

Paul Schlie wrote:
> My primary concern is about predictability, and could live with undefined
> integer overflow if it were likely reasonably possible to verify that in
> the general case an overflow would not occur, as otherwise an undefined
> behavior may result (which I can't believe is acceptable to anyone).

Well, bugs in programs in general are not acceptable. This is just one
example of a bug.

> Although I recognize and accept that most trivial uses of signed arithmetic
> can likely be verified as being constrained or not, it seems pretty clear
> to me that it's very difficult and often strictly impossible in the general
> case to do so, implying that signed integer arithmetic needs to be avoided
> in the general case by either specifying signed integers as being unsigned
> and converting them as required post-fact (which may also be undefined), and/or
> utilizing floats if one wants to produce a program which has a reasonable
> chance of predictable behavior.

Actually, in the safety-critical world, people all the time go through
procedures to verify that their program is free of bugs, including
unexpected overflow.
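As an added illustration of the verification both participants refer to (example code, not from the thread or from GCC), the checks below establish that an addition or multiplication cannot overflow before the arithmetic is performed, so the program never relies on the undefined result; the concrete 46340/46341 boundary in main() assumes a 32-bit int.

```c
/* Added example: checking for signed overflow *before* it happens.
 * Because GCC may assume signed overflow never occurs, a post-hoc test
 * such as "a + b < a" is itself undefined and can be optimised away.
 * The tests below compare against INT_MAX/INT_MIN first, so every
 * operation they perform is defined. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Store a + b in *out and return true if representable; otherwise
 * return false and leave *out untouched. */
bool checked_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Store a * b in *out and return true if representable. The divisions
 * never evaluate INT_MIN / -1: the divisor is positive whenever the
 * dividend is INT_MIN, and INT_MAX / b is defined for every non-zero b. */
bool checked_mul(int a, int b, int *out)
{
    if (a == 0 || b == 0) { *out = 0; return true; }
    if (a > 0) {
        if (b > 0) { if (a > INT_MAX / b) return false; }   /* +,+ */
        else       { if (b < INT_MIN / a) return false; }   /* +,- */
    } else {
        if (b > 0) { if (a < INT_MIN / b) return false; }   /* -,+ */
        else       { if (a < INT_MAX / b) return false; }   /* -,- */
    }
    *out = a * b;
    return true;
}

int main(void)
{
    int r;
    /* 46340^2 fits a 32-bit int (assumption), 46341^2 does not. */
    printf("46340*46340 ok=%d\n", checked_mul(46340, 46340, &r));
    printf("46341*46341 ok=%d\n", checked_mul(46341, 46341, &r));
    printf("INT_MAX+1    ok=%d\n", checked_add(INT_MAX, 1, &r));
    printf("INT_MIN*-1   ok=%d\n", checked_mul(INT_MIN, -1, &r));
    return 0;
}
```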