Reading uninit data being undefined instead of locking it to an unspecified value permits massive optimizations like MADV_FREE and more efficient register allocation/spilling. Similarly, other memory safety issues being undefined permits optimization / freedom of implementation.
Conversation
Many programs have bugs where they read data that has just been freed, but handle it being an arbitrary value. The issue is often benign with common allocators. However, with other implementations the access will fault and they crash. It's good it's not required to let it work.
2
3
Also, signed overflow being undefined rather than defined as wrapping means that more secure implementations where it traps are permitted. Passing -fsanitize=signed-integer-overflow -fsanitize-trap=signed-integer-overflow is standards compliant and used for hardening in AOSP.
3
5
Trapping on overflow breaks lots of code that does it on purpose. Code that can’t run is more secure than code that doesn’t only in a meaningless sense.
1
That code can be fixed and the fixes are clear cut bug fixes. High quality C code is tested with ASan, TSan, UBSan, etc. and many of these issues are already being caught and fixed over time. Portable and safe C code needs to avoid relying on undefined behavior like this.
2
5
You say overflow is undefined. I say it’s defined. As a bonus CPUs say I’m right. The world needs a language that just does what the CPU does. If you don’t want that, don’t program in C.
4
2
2
C isn't defined as that language, and you're not in a position where you get to define the language. In the real world, C is deployed with various safety features taking advantage of many things being undefined and reducing portability / compatibility with those wouldn't be good.
2
5
This Tweet was deleted by the Tweet author. Learn more
The Linux kernel chooses to use a superset of standard C. It doesn't ignore the rules that it isn't disabling via those switches but rather is actively tested with ASan and UBSan, with people working to address the cases that are not permitted, usually by fixing the kernel bugs.
2
1
This Tweet was deleted by the Tweet author. Learn more
I think most people can agree that violations of type and memory safety are clearly bugs. I also think people can agree that integer overflow is usually a bug, and that it makes sense for a language to require marking intended overflow where it shouldn't be allowed to trap.
I'm not making a circular argument at all. I don't understand why you folks feel the need to keep insulting me and making false claims about what I've been stating. You can disagree with people without debating dishonesting or attacking them as people.