You're trying to reason about it as a logical system providing native semantics which it isn't. The compilers have knowledge about standard library functions and they don't simply act the way they're defined in the library. My example is just something they consider undefined.
Conversation
A very easy example to demonstrate is strdup. It's considered to have __attribute__((malloc)) (whether or not the libc marks it as such like glibc does) which includes guaranteeing:
> no pointers to valid objects occur in any storage addressed by P.
which can clearly happen.
2
In order for a pointer converted from an integer to be valid, there has to be a 'valid' path leading to it from where it was originally converted from a pointer to an integer. It's worth looking at DR 260 and also the standard's wording.
open-std.org/jtc1/sc22/wg14
1
> are permitted to track the origins of a bit-pattern and treat those representing an indeterminate value as distinct from those representing a determined value. They may also treat pointers based on different origins as distinct even though they are bitwise identical.
1
No conversions from integer take place here. Rather it's a matter of effective type rules for allocated storage with memcpy-like char copying.
1
I'm not talking about the specific example that was presented but rather the response to it. They are likely to more formally define these things in C2X and some early drafts like cl.cam.ac.uk/~pes20/cerberu show what that could end up looking like.
3
1
Thanks for the link. That proposal is still a pile of overcomplicated nonsense. The problems are all trivially solved *without breaking anything* by giving all the hard cases "wildcard provenance".
1
Note that the proposed text breaks lots of important valuable use cases like xor lists.
2
Clang and GCC already consider that broken per the standard. It was also very explicitly made to be broken in C++ already, which tends to trickle back to the C standard since it's a lot of the same people making the decisions and they reference each other as justifications.
2
open-std.org/jtc1/sc22/wg14 appears to be a more recent draft of what I linked earlier by the way. We'll see how they end up deciding to clarify it for C2X. My feeling is they will bend over backwards to permit / attempt to formalize existing real world compiler interpretations.
1
I'm not arguing that what Clang and GCC currently do is correct, but I am saying that they currently do it, and that it's likely to become officially correct *because* they want to it. Type-based alias analysis is similar. They tried to allow it, and will readjust it as needed.
Type-based alias analysis is possible to specify consistently, and has clear reasons you want to do it. This provenance stuff has absolutely no motivation, because deriving pointers from ints/reprs is rare, and when you do it, you actually mean it.
2
1
The motivation for it isn't to optimize cases where the conversions are used but rather cases where they're not by being able to assume that the information isn't subtly leaked out and then used to construct an aliasing pointer somewhere else that the compiler doesn't know about.
1
Show replies