I quoted section 3.3 of ANSI C in response to your statementvvaltchev wrote:It appears that you don't agree with your own comments. Maybe you copy-pasted the wrong text?
which I interpret (specifically, the parts "aliasing limitations" and "really were introduced") as aliasing rules/restrictions/limitations appearing in C99, which is wrong because they already were in C89.vvaltchev wrote:I'm not talking about aliasing limitations which really were introduced in C99 with "restrict" etc.
First of all, restrict was introduced in C99:alexfru wrote:which I interpret (specifically, the parts "aliasing limitations" and "really were introduced") as aliasing rules/restrictions/limitations appearing in C99, which is wrong because they already were in C89.
Just a few hours ago. It doesn't make sense. Please, double check the conversation.alexfru wrote:No restrict yet, no explicit use of the word alias either.
Which looks like you agree with me, while saying I'm wrong. Man, please double check the conversation. There must be some simple misunderstanding going on here.alexfru wrote:No restrict yet, no explicit use of the word alias either.
Yes, I do.Korona wrote:Do you have any evidence for the quote above?vvaltchev wrote:Given the evidence in the legacy C source code, it looks like most of the people didn't write UB-safe code.
2. Type punning with casts (UB) has been traditionally used all the time in UNIX software and documentation. Consider the Berkeley sockets interface, which is mentioned in the wikipedia article about type punning: https://en.wikipedia.org/wiki/Type_punningLWN wrote: Andrew McGlashan raised the issue on the debian-security mailing list, expressing some surprise that the topic hadn't already come up. The paper specifically cites tests done on the Debian "Wheezy" (7.0) package repository, which found that 40% of 8500+ C/C++ packages have "optimization-unstable code" (or just "unstable code"). That does not mean that all of those are vulnerabilities, necessarily, but they are uses of undefined behavior—bugs, for the most part.
Now, type punning with casts is super dangerous UB and kind-of acceptable with unions in C (unspecified behavior), while in C++ is still UB. The new way to do it is by using memcpy() (or __builtin_memcpy()) and completely rely on the compiler to optimize. Again, we have to tell the compiler to COPY the stuff and rely of on the fact it won't do an actual copy. As you can see, the paradigm "do what I say" does not exist anymore in C, while it existed in the past for a very long time.Wikipedia wrote: One classic example of type punning is found in the Berkeley sockets interface. The function to bind an opened but uninitialized socket to an IP address is declared as follows:The bind function is usually called as follows:Code: Select all
int bind(int sockfd, struct sockaddr *my_addr, socklen_t addrlen);Code: Select all
struct sockaddr_in sa = {0}; int sockfd = ...; sa.sin_family = AF_INET; sa.sin_port = htons(port); bind(sockfd, (struct sockaddr *)&sa, sizeof sa);
Well, it wasn't clear at all that he was stating that.Korona wrote:alexfru is right here: the part of the standard that he quoted describes the aliasing rules (without using the word "alias" explicitly, but by stating that accessing an object through an unrelated type is illegal.).
But it was discussed already much earlier (noalias).vvaltchev wrote:First of all, restrict was introduced in C99:
https://en.wikipedia.org/wiki/Restrict
There's no point in further discussing this fact.
Fortran 77.Draft Proposal wrote:[This convention is] also consistent with the notions of objects and argument association in Fortran 77. Thus, in environments that support mixed-language programming, restricted pointer parameters can be used in C prototypes for functions defined in Fortran, and also in definitions of C functions that are called from Fortran.
So, you're ignoring the 2013 LWN article:Korona wrote:What you listed (Linux, GNOME etc.) is not really legacy software that became broken due to the introduction of UB.
And the fact that type punning with casts was THE DOCUMENTED way to use Berkley sockets?LWN wrote:40% of 8500+ C/C++ packages have "optimization-unstable code"
Such an option does not exist at the moment as I've shown in the WONTFIX GCC bug. So, it will be interesting to see what will happen in that case. I've tried opening a conversation about that on LKML, but they didn't seem to care enough.Korona wrote:The moment GCC breaks their unaligned access code, they will add a flag to disable that optimization.
I have no problem with you believing that narrative. I honestly believe that I've shown plenty of evidence that a ton of well-established code, examples and documentation broke because of UB, over the years. No point in further insisting repeating the same things. Let's agree to disagree.Korona wrote:That leaves unaligned access as the only somewhat convincing example.
That's true, but it's not the only reason. Unaligned access is done using very natural expressions in C. What is unnatural is using memcpy() for that. Again, no matter what the standard technically says it's OK to do. Let's forget for a moment what is supposed to be "right" and what is supposed to be "wrong" and just observe what developers did: until compilers allowed something, they took advantage of it.Korona wrote:I think the reason that unaligned access is often found in the wild is that compilers traditionally cannot do a lot of optimizations based on aligned access
At runtime, many types of UB are trivial to detect. The problem is exploring all the code paths at runtime.Korona wrote:Unaligned access is also one of the types of UB that is trivial to detect by UBSAN (in contrast to data races, among others).
Yep, I totally agree that "noalias" was considered back in 1988 and that "restrict" is conceived as a "better noalias". The whole essay from Dennis Ritchie that I've mentioned in the very beginning was about how much he didn't want "noalias" in the standard because it was, in his eyes, an "abomination".Solar wrote:But it was discussed already much earlier (noalias).vvaltchev wrote:First of all, restrict was introduced in C99:
https://en.wikipedia.org/wiki/Restrict
There's no point in further discussing this fact.
For reference, here is the 1988 ANSI C draft proposal, which indeed was poorly conceived and didn't make it into C89. That is not because the idea was rejected, just that there were too many inconsistencies which had to be resolved first. In this 1994 draft proposal on "restrict" there is some reasoning involved. I quote, emphasis mine:
Fortran 77.Draft Proposal wrote:[This convention is] also consistent with the notions of objects and argument association in Fortran 77. Thus, in environments that support mixed-language programming, restricted pointer parameters can be used in C prototypes for functions defined in Fortran, and also in definitions of C functions that are called from Fortran.
(That draft also has an "Appendix: Comparison with noalias", which goes into some details of how "restrict" differs from "noalias". From this it should be obvious that "restrict" is conceived as a "better noalias", not a completely novel idea.)
You are entitled to your opinions. And I'm partially sympathetic because it's really a painful area of the language. But regardless of the opinions and feelings, the language standard says what should work correctly and what isn't guaranteed to. And that's the common denominator to live by. Unless your compiler can offer you a helping hand in defining the undefined or ignoring certain defects of your code.vvaltchev wrote:Unaligned access is done using very natural expressions in C. What is unnatural is using memcpy() for that.
Like I just said, we can be emotional about it, but the standard and its implementations don't exist in the emotional space.vvaltchev wrote:Again, no matter what the standard technically says it's OK to do.
My first response in the thread conveyed something very similar:vvaltchev wrote:Let's forget for a moment what is supposed to be "right" and what is supposed to be "wrong" and just observe what developers did: until compilers allowed something, they took advantage of it.
You seem to be echoing it...alexfru wrote: Early computers and compilers, though, couldn't do much in terms of code analysis and optimizations and therefore a lot of instances of UB seemed contained and rarely surprising. Technological progress contributed to said analysis and optimizations and made UB bleed, creep and spread further beyond simple operations causing it.
My position is that a lot of code is indeed nonconformant (almost all of it). And it has happened because people have been getting away with it.
I'm not sure which part of the aliasing rules is considered strict... But this is the point. Lots of bad code used to be disallowed de jure but allowed de facto (because the guard wasn't employed or born yet). And then gradually de facto started to line up with de jure.vvaltchev wrote:It's the same for type punning with casts: it's pretty natural to do that in C and people have been doing it for decades, before and after the ANSI C came out. People stopped doing that in the last decade, after the strict aliasing rule has been enforced.
) at the time. I did see a number of books ignoring the topic altogether and I didn't have access to the standard back then, so I couldn't know any better. And many others didn't either and very often their code "just worked". Where we are today is just as natural a consequence of those events of the past.I believe I've provided such evidence. Let's just agree to disagree. I see no point in continuing the argument with the same data.Korona wrote:However what you really need to provide evidence for is the claim that this situation fundamentally changed with more recent releases of the C standard.
At most, I can agree that some kinds of UB existed back then in C outside of the "paper", like "i++ + ++i", buffer overflow etc. It's not that UB didn't exist at all. Just, it existed in some very obvious forms. When I said that in the past "UB wasn't a thing" I didn't mean that it didn't exist at all (I'm sorry if that wasn't clear): I meant that it wasn't a thing to really worry about. Obviously, if you read/write outside of your buffer, you couldn't expect nice things to happen. Same thing if you divide by zero etc, de-reference a NULL pointer etc. But, as nullplan pointed out, generally compilers didn't assume that UB will never happen, as they do today. Also, type punning with casts was a non-portable, but mainstream practice. Again, see examples about how to use the Berkley sockets.Korona wrote:I claim that people also tried to avoid UB in the 80s and 90s and that the interpretation "once your program contains UB, anything can happen" is not new.
Wait a second. First of all, some of those programs did exist in '90s. Second, when C99 was released nothing really changed the day after. The first time some "modern UB" problems start to emerge was around 2006-2007, several years after C99 was released. But that was just a "slow start". Most of the UB bugs came out in the 2010s, more than 10 years after C99. That's why UBSAN has been introduced. Think about it: if UB was such a problem from the '80s, why we did have to wait 30-40 years for such a tool to be widely available? UB sanitizers were created about the same time (or a little later) after compilers started to aggressively take advantage of UB, in a way that has never been done before in C or C++. GCC was released with an UB sanitizer in version 4.9 (2014). Before that, I remember that I used to compile the same software with clang, just to be able to use its sanitizers, released a few years before that.Korona wrote:Your list of programs containing UB is not evidence for that claim, in fact, most of the programs that you listed did not even exist when C99 was developed.
.Wikipedia wrote:The use of this type qualifier allows C code to achieve the same performance as the same program written in Fortran
I partially answered to this in my previous answer to Korona's comments.Solar wrote:It wasn't the idea per se that Ritchie opposed, it was the way it was implemented. And that is only tangential to the topic.
I second Korona. UB existed, UB broke programs (with or without "help" by the compiler), and such programs were considered broken before C89, not to speak of C99. Points in case being made via Fortran 77, Jargon File, and other quite dated references.
Mostly, I felt attacked at the beginning so I needed to defend my position and better clarify in details what it is exactly that I believe. Also, I admit that my initial post was too much provocative and didn't fully reflect what I believe: it was some sort of gross simplification, a little rushed up.Solar wrote:Unfortunately, it seems you have bitten down hard on this one and refuse to budge even one little bit. Perhaps because you want to keep your pet peeve, perhaps because you are truly convinced you're a man on a mission here. But it makes it a bit tedious arguing the point with you.
That's an absolutely fair question. I'd say: show me (compiler name, version & code snippet) at least one mainstream C compiler in the '90s that did weird stuff, taking advantage of UB, in the case of:Solar wrote:Please state, if you can, what kind of "proof" would make you consent that this "exploitation of UB" is not something introduced by C99, C89, or even plain K&R C? Note that your claim that this is actually the case is tenuous at best, and not really accepted by all here, so it shouldn't take a sworn statement by Mr. Ritchie himself or something like that...
Code: Select all
int h(int *p, int *q){
*p = 1;
*q = 1;
return *p;
}Code: Select all
int foo(int x) {
return x+1 > x;
}Code: Select all
int foo(void) {
char *p = 0;
*p = 'a';
return 1;
}
Code: Select all
int foo(int x) {
return x/0;
}