Given

#include <stdio.h>

char message[5] = "Hello";
char magic = 0;

int main(void)
{

if (message+5 == &magic)
printf("%d", message[5]);
return 0;
}

evaluation of the pointer expression "message+5" is defined behavior,
as is the comparison between that address and the address of magic. Even
if message+5 == &magic, however, that does not imply anything about the
behavior of evaluating message[5].

Consider the function

int test(int x)
{
if (magic) return magic;
message[x]++;
return magic;
}

In the event that message+5 == magic, should a compiler be required to
generate code which will return 1 if the above function is invoked with
magic==0 and x==5?

The point of my message was to remind people that this is NOT
necessarily the case - you can exploit UB by having a set A of
conditions that are sufficient to ensure that the optimization is valid,
and an additional set of conditions B that are consistent with A, and
render the behavior undefined. When A and B are both true, the
optimization is legal because the behavior is undefined. When A is true
and B is not true, the optimization is still legal, for different
reasons. All the compiler needs to determine is whether A is true, it
doesn't need to determine whether B applies, and therefore need NOT be
aware that the behavior is undefined.

In this case "signed_integer_expression < signed_integer_expression +
positive_constant_expression", where the two signed integer expressions
are guaranteed to have the same value, is condition A. That condition is
sufficient to justify the optimization of replacing that comparison
expression with 1. If signed_integer_expression +
positive_constant_expression overflows, that's condition B, and the
optimization is justified because the behavior is undefined. If it
doesn't overflow, the optimization is justified by the ordinary rules of
C arithmetic.

An implementation therefore never needs to check to whether overflow is
guaranteed to occur (as it is in this case), impossible (as it might be
with adequate error checking), or indeterminable (as it would be if
signed_integer has a value that comes from outside the same translation
unit. But it doesn't need to perform such a check - it's permitted to
perform the optimization regardless of which of the three applies.
That's good, because in general, determining which of the three applies
can be proven equivalent to solving the halting problem.

James Harris <***@gmail.com> writes:
[...]
The problem is that, as I understand it, it's impractical to do that.

I read an article a while ago from the authors of clang and/or llvm
discussing the issue. I'll post a link when/if I find it again.

On Sun, 30 Apr 2017 16:02:45 +0100, Ben Bacarisse
Perhaps a clearer, and more accurate, statement would be that we'd
expect an optimizing compiler to replace the call to foo() with
whatever the conversion of the parameter to int is.

Nice nit. Allow me to rephrase.

An optimizing compiler would replace foo(x) with (int)x

Regards.

That makes no sense.
That's not how multiplication and division are defined in C.
While true, that completely misses the point. The OP used a signed
integer for a reason. It's also different if the function took a
float (and assuming IEEE math), but again, he didn't do that. This is
an example of where the compiler taking advantage of undefined
behavior (signed integer overflow), can remove "undefined" behavior
when optimization is *enabled*. Leading to even more difficulty about
warning of such a thing.

Of course it doesn't, as you yourself point out below.
The foo operation on an unsigned int clears the top bit.

int imul(int n) { return n * 2 / 2; }
int umul(unsigned int n) { return n * 2 / 2; }

imul:
movl %edi, %eax
ret

umul:
movl %edi, %eax
andl $2147483647, %eax
ret

imul is the identity function, umul clears the top bit.
My point was showing one type of optimization enabled when
ignoring UB. Dealing with (signed) overflow or (unsigned)
wrap-around is a slightly different issue.

You often mention widening multiply; this is a code
pattern which GCC recognizes on supported platforms:

long long int lmul(int u, int v) { return (long long)u * v; }

lmul:
movslq %edi, %rax
movslq %esi, %rsi
imulq %rsi, %rax
ret

And the same is possible for 64x64 -> 128 multiply.

Regards.

Are you confusing IDB and UB?

Why would any compiler document the behavior of signed overflow?
Are you thinking of some extension?

Regards.

You certainly could. The C language designers felt it was useful to
define unsigned arithmetic as modulo arithmetic.

It would be entirely reasonable for a language designer to say that
signed integer overflow used two's complement wraparound. But the point
is, that the /C/ designers did not do so - they specifically and
explicitly made it undefined behaviour. It would be entirely reasonable
for a language designer to make unsigned overflow undefined behaviour -
again, the /C/ designers did not do so. They could also have made it
implementation defined, but chose not to. (Though an implementation is
always free to define the behaviour if it wants to.)

When designing your own language, you can make the choices /you/ want
here. Some languages use the same system as C. Others make different
decisions. Given that /any/ behaviour on overflow (signed or unsigned)
is going to be wrong in many circumstances, but some behaviours might be
useful in some cases, a language designer has plenty of options here.
He picks one, documents it, and makes that the behaviour for his
language. For different languages, the "best" choice may well be different.

So the C language designers decided on undefined behaviour for signed
overflow, and wraparound behaviour for unsigned overflow. That gives
programmers a useful set of features, it gives compilers opportunities
for some good optimisations, and it can be easily implemented on a wide
range of hardware (which in the early days of C included some machines
that would have a lot of inconvenience with any of the possible choices).


I am not trying to say that making signed integer overflow undefined
behaviour is the "right" choice (though I agree with the C designers in
this case). I am just trying to explain to you that that is how C
works. If you want to program in C, or make C tools, then you need to
understand the language as it really is - you can't just pretend it is
something else or works in a different way, just because you might have
preferred some differences. You can make these changes when you are
inventing the Bart-C variation of C - but not when you are writing /real/ C.
That may well have been a major consideration of the original C language
designers.
You misunderstand. The compiler will not "break" your code if you
assume that signed integers use two's complement wrap-around. Your code
is /already/ broken. It is incorrect C code - it is a sequence of
letters and symbols without a valid definition in C. The compiler does
not "break" it by assuming your signed integers don't overflow - your
signed integers are not allowed to overflow in C. The compiler does not
produce "correct" or "working" code when the relevant optimisations are
disabled - your C code has /no/ defined behaviour, and therefore /no/
generated code can be said to be "correct". It is a case of "garbage
in, garbage out" - depending on compiler options, you may get different
varieties of garbage out.

As the father of computing, Charles Babbage, puts it:

On two occasions I have been asked, 'Pray, Mr. Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not
able rightly to apprehend the kind of confusion of ideas that could
provoke such a question.
No, it is a problem with /you/. You don't understand what C is - that
is /your/ problem.

You are not alone in having such problems with C - not everyone is able
to grasp how C works. But most people either learn C properly in the
end, or give up and either use a different programming language, or stop
programming. I cannot comprehend why you have such a stubborn
resistance to making this choice.
That is fine, as long as "X" is not the C programming language (or any
other language that does not guarantee such overflow behaviour).
It is not a problem in the slightest. If you are writing a translator
from language X in which signed overflow is defined, into C in which it
is not defined, then you have three choices:

1. Make it a requirement that the resulting C is treated as "C with
defined signed integer overflow" - insist on compilation with "-fwrapv"
flag in gcc and clang, and disallow compilers that do not have
/documented guarantees/ of this type of behaviour.

2. Make it a requirement that the resulting C is compiled on machines
with two's complement signed integers, and use unions or casts to
convert between signed integers and unsigned integers as necessary to
get the required behaviour. This will result in ugly C intermediary
code, but that should be of no relevance. It is likely that the code
will compile optimally on most compilers.

3. Generate the code in a manner that avoids signed integer overflow.
This might be a little fiddly, and certainly a bit messy in the
generated code - but it is intermediary code, and it is /allowed/ to be
messy.

What you don't get to do, is moan that C doesn't work the way you think
it ought to work, and claim it is C's problem. /You/ are defining
language X. /You/ are making the X-to-C compiler. It is /your/ problem.

On Mon, 2017-04-24, bartc wrote:
...
Depends on what kind of mathematics. This kind says 0:

https://en.wikipedia.org/wiki/Group_%28mathematics%29#Modular_arithmetic

/Jorgen

No. C as it existed at that time did not have the concept of undefined
behavior. It was not what we now call "standard C".

For a modern implementation, it would not be a mistake if the author
knows how the implementation happens to behave; since printf is part of
the implementation, the only requirement is that it works as specified.

[...]

No, because printf() is an implementation library function, and the
implementation itself need not be written in Standard C in the first
place. Much of it cannot.

Richard