I think it's you that doesn't understand C. The whole point behind the C standard is that it's extremely portable and permits a broad range of implementation choices and aggressive optimization. You want a new variation of the language, which is fine, but I don't think it helps.
Conversation
These issues are not the practical issues with it in the real world. Making all these little things well defined doesn't fix that C code is plagued by type and memory safety errors, which lead to software being extremely unsafe, unreliable and vulnerable. It's mostly academic.
1
This Tweet was deleted by the Tweet author. Learn more
I'm not the one with a fundamental misunderstanding of how C is supposed to work. You're making an extreme misinterpretation of what I've been stating. Making C much more permissive forbids optimizations, safety improvements, portability, alternate implementation approaches, etc.
1
1
The fact that C makes type and memory safety issues along with other classes of bugs undefined is what makes it permitted to make a much more secure implementation where temporal and inter-object spatial memory safety issues are partially or even fully detected at runtime, etc.
1
1
Permitting trapping on signed integer overflow is another good example of that. If it defined signed integer overflow as guaranteed to wrap, it would disallow more secure implementations where it traps. Even saying it either wraps or strictly traps would be a safety regression.
1
Since it should permit implementations that do more efficient lazy trapping, as that's more likely to be widely adopted due to significantly better performance, especially with hardware support. It's how some next generation hardware approaches handling overflow by default.
1
i.e. hardware support for poison values, where you can still use them to perform more arithmetic (resulting in more poison values) but as soon as you actually read them in order to depend on them in some other way, it will trap.
1
Redefining C to forbid lots of important real world safety features even including extreme basics like type-based CFI, _FORTIFY_SOURCE and -fsanitize=object-size would be horrible. I think you need to think over what making it more permissive would do to safety / portability.
1
Replacing 'undefined' with stricter definitions could often be a good thing, but simply making the language more permissive and forbidding memory / type safe implementations is not a good way to do that. I'm glad the people involved in making the standard are smarter than that.
2
We have enough problems with software safety / security without rolling back lots of the progress that has been made. It's far easier to introduce signed overflow checking than unsigned *because* it's undefined, considered a bug and detected by static and dynamic analysis tools.
And really, in 2019, if you are going to define it as doing something on overflow, it should be trapping. I doubt many people would want that due to performance, but there's no way that they should forbid implementations from doing that. It would be a safety regression for them.
You can still add that if you want and say that you're violating the spec by doing so. That would be more honest, since you *are* breaking lots of code if you do that.
1
Except it's not violating the specification, and it's the code breaking type and memory safety that's clearly defined and acknowledged as buggy. The specification of C agrees with those safer implementations, not with people who want the language to be more permissive.
1
Show replies