You’re still hung up on a false choice between a well defined spec and instrumentation/tools that alter behavior while giving you something good in return. A defined behavior for C wouldn’t stop those tools from existing.
Conversation
The defined behavior can be trapping, which makes more sense in 2019 with software safety / security / robustness as such important issues. Hardware can and is being designed to make it efficient to catch these issues too. It can also just permit safety without using 'undefined'.
2
1
That definition would make lots of real systems stop working, so that’s clearly the wrong direction for the spec. A good spec respects its customers.
1
2
This Tweet was deleted by the Tweet author. Learn more
It does exist. Existing hardware has lots of safety features in hardware that are being actively used to catch these kinds of issues. More of those features are shipping over time. Intel CET and ARM MTE (which is like the existing SPARC ADI) are major examples of new features.
1
1
There is nothing about Intel CET that requires UB from the language; as I said, the compiler/spec don't have to reveal how function calls work. In my C spec, a load/store would be said to either load/store or trap, depending on how the runtime/CPU did things. So ARM MTE is OK.
1
So, it's okay to trap when indexing from one object to another and then dereferencing, or when constructing a non-derived pointer to an object in any other way and dereferencing it? That's what memory tagging will cause, since it aims to have the tags not match in those cases.
2
No. Language says that there is no such thing as an object - it's all integer-addressed bytes. Language further acknowledges that virtual memory and trap-on-access exists. It's simple: you just write a spec of reality instead of playing silly games.
1
Okay, so you don't want SPARC ADI and ARM MTE to be used as designed in a standards compliant C implementation which the current C standard permits. It's not playing games. Having at least a weak approximation of memory safety like tagging and various other features is important.
1
1
I just made the opposite point: that MTE works fine if the language is spec'd the way I'm proposing. It allows them to be used as designed by removing the notion of malloc from the language.
1
It doesn't only impact malloc. It's designed to be usable for stack frames instead of stack canaries too. It also impacts usage of the pointers derived from what gets returned by malloc even in an implementation only using it for malloc. It doesn't only impact the malloc memory.
If you try to index a pointer returned from malloc into something else like a global variable or the stack, it's going to break. Compilers can also integrate it in a lot of ways for barely any cost. Tagging stack frames isn't free, but it'd replace canaries which aren't cheap.
None of what I said relies on this being restricted to impacting malloc. You don't need UB in the language to say that stack canaries are a thing.
2
ABI specs coexist with the C spec. They describe what happens on calls, so they could describe that trap-due-to-canary is a possibility.