C return a++ - is it safe?

C

CBFalconer

Chris said:
Absolutely,.... For years I have been arguing there is no such
thing as a "safe" language. It is all down to the quality of the
implementation

Yes, no language is 'safe'. However, some are much safer than
others. For example, the presence of subtypes (such as Pascals
ranges) simply allows range checking everywhere. Whenever a
construct creates a value for that item that is known to be out of
range, the compiler complains. When a runtime operation exceeds
that range, the runtime complains. Similarly the accurate control
of pointers allows most misuse of pointer variables to be detected
_at compile time_. This is a great advantage over C.

Unfortunately Pascal seems to have largely disappeared as a major
language. We are left with its descendent, Ada, which is a larger,
safer, and tested language. And also available in gcc.
 
C

CBFalconer

Keith said:
Chris Hills said:
.... snip ...
On an implementation I happen to have handy at the moment,
`return getchar();' produces (reformatted for clarity)

return ( --(( &__iob[0]))->_cnt < 0
? __filbuf( (&__iob[0]) )
: (int) *(( &__iob[0]))->_ptr++ );

So, what's your verdict? Should `return getchar();'
be avoided in safety-critical software?

Personally I always prefer to just return a value.

I would
a = getchar();
return a;

Ok, that's fine -- but a compiler that mishandles ``return <expr>''
would be nearly as likely to mishandle ``a = <expr>''.

I just don't see that there's any significant need to worry more
about ``return a++;'' than about any other straightforward language
construct.

Any compiler that does any optimization should remove that 'a'
variable and simple create code for 'return getchar();'. Similarly
for 'return a++;', except that if a is local the optimizer can
eliminate the ++.
 
K

Kenneth Brody

Richard said:
Chris Hills said:
If you want certainty, you'll have to unplug your computer.

No, just turning it off may not be enough to be certain.

I have a few computers that will run for an hour or so after pulling
the plug. (At least, I think I do.)

--
+-------------------------+--------------------+-----------------------+
| Kenneth J. Brody | www.hvcomputer.com | #include |
| kenbrody/at\spamcop.net | www.fptech.com | <std_disclaimer.h> |
+-------------------------+--------------------+-----------------------+
Don't e-mail me at: <mailto:[email protected]>
 
C

Chris Hills

Keith Thompson said:
I'm not familiar with the gcc test suite, but since gcc attempts to
conform to C90 and/or C95 in certain modes, I would assume that the
test suite would, among other things, test that conformance.

The test suite will test for GCC not ISO C
 
C

CBFalconer

Chris said:
.... snip ...


The test suite will test for GCC not ISO C

Have you run it or are you just guessing? Did you find no ways to
avoid the 'gcc only' tests?
 
K

Keith Thompson

Chris Hills said:
The test suite will test for GCC not ISO C

If so, then it fails to test a significant part of the functionality
of gcc (i.e., gcc's ability to act as a more-or-less ISO C compiler
given certain command-line options).

Given only the phrase "gcc test suite" and what I know about gcc, I
would assume that a gcc test suite would include a number of tests for
ISO C conformance, and I would hope that those tests could be easily
separated. You appear to be asserting that this is not the case. Is
this assertion based on actual knowledge of the gcc test suite?

In any case, my assumption was a perfectly reasonable one, and Chuck
probably made the same assumption. Accusing Chuck of hypocricy for
suggesting it is needlessly insulting.
 
C

Chris Hills

ability to act as a more-or-less ISO C compiler
I
would assume that a gcc test suite
In any case, my assumption was a

More or less and two assumptions when discussing a test suite for
conformance to an ISO standard? No more need be said I think

When we do compiler validation there are no assumptions or more or less.
, and Chuck
probably made the same assumption.

Another probably and assumption. When testing or validating there is no
place for probably or assumptions

Accusing Chuck of hypocricy for
suggesting it is needlessly insulting.

Chuck is VERY pedantic and insulting to other in this NG. I was judging
him by his own standards.

Also he is being VERY hypocritical GCC is Not C but "C like" as he tells
everyone else about their compiler when discussing other compilers.

He can't have it both ways.
 
C

CBFalconer

Chris said:
.... snip ...


Chuck is VERY pedantic and insulting to other in this NG. I was
judging him by his own standards.

Also he is being VERY hypocritical GCC is Not C but "C like" as
he tells everyone else about their compiler when discussing
other compilers.

Oh? Don't recall anything of the sort. I have been known to
chastise some people who insist on posting off-topic material.

BTW, "gcc -W -Wall -ansi -pedantic" is awfully close to a pure ISO
standard C compiler. That uses C95 standards, because that is what
the library on my system is compatible with, and it avoids the few
missing C99 features.
 
K

Keith Thompson

Chris Hills said:
More or less and two assumptions when discussing a test suite for
conformance to an ISO standard? No more need be said I think

When we do compiler validation there are no assumptions or more or less.


Another probably and assumption. When testing or validating there is
no place for probably or assumptions

Agreed. Anybody who wants to try using the gcc test suite to test a
non-gcc ISO C compiler obviously will have to investigate the suite to
determine whether it will suits his purposes. Maybe it will, maybe it
won't.
Chuck is VERY pedantic and insulting to other in this NG. I was
judging him by his own standards.

Also he is being VERY hypocritical GCC is Not C but "C like" as he
tells everyone else about their compiler when discussing other
compilers.

He can't have it both ways.

And neither can you.

I asked you whether you're actually familiar with the gcc test suite.
Though you didn't answer directly, your responses implied that you
haven't even looked at it.

The previous poster asked about C test suites. Suggesting the gcc
test suite is perfectly reasonable (with the proviso that it *may or
may not* be suitable). You, on the other hand, are accusing Chuck of
hypocricy -- and you *don't know what you're talking about*.

Next time, do a little research before you start flinging insults.
 
K

Keith Thompson

Chris Hills said:
Also he is being VERY hypocritical GCC is Not C but "C like" as he
tells everyone else about their compiler when discussing other
compilers.

As you should know, gcc can be used as a reasonably conforming C90 or
C95 compiler, and a partially conforming C99 compiler.

But we were talking about the gcc test suite, not about gcc itself.

See <http://pcc.ludd.ltu.se/standards_and_regression_testing/> and
<http://pcc.ludd.ltu.se/standards_and_regression_testing/gcc_testsuite/>
for information about using the gcc test suite on pcc, a a non-gcc C
compiler. Obviously any gcc-specific tests are expected to fail, but
it appears that the suite is still useful.

This was on the first page of Google results for "gcc test suite".
 
T

Tor Rustad

Chris said:
Tor Rustad said:
Kenneth Brody wrote:

[in addition, my response applies to Kuyper and Sosman]
Tor Rustad wrote:
[...]
However, in safety-critical SW, I wouldn't advocate using construct
like

return a++;

anyway.
Why not? If the compiler doesn't handle it right, then I wouldn't
trust it for the rest of the "safety-critical" program either.


First, I didn't agree with Chris Hills, because

1. I didn't find such a C compiler bug likely

"Likely" is not good enough. You have to be certain.

"Testing can show the presence of errors, but not their absence."
-E. W. Dijkstra
Absolutely.

The probability of such a fault passing through, the C compiler test
cases, a C compiler validation suit and program unit test cases, is very
low. There is a range of other potential faults, I would worry far more
about.

An extremely fault tolerant system/module, could perhaps have
independent software design teams and guard against compiler faults, one
team writing the module in C, another in Ada.

Interesting, what actions should be done in case there is a mismatch in
the results. How to choose which SW module is correct? It appears, you
really need three SW teams, using 3 different languages/compilers.

Still, there is a non-zero probability, that the same compiler fault can
hit all of them, e.g. via some common mode of failure.
 
B

Ben Bacarisse

James Harris said:
In any context other than a return statement
mov eax, a
{use eax}
inc eax

Not quite "any". In a function call, f(a++) the side-effects must
have happened by the time function is entered. Of course, if the "use
it" is "push it" and the function call follows the inc (and another
mov) we are OK, but the same could also be done for the return (the
"use it" being put into register used for return values).

One has to assume a very naive understanding of values, side-effects
and sequence points to suspect the code generated from the original
line.
 
R

RoS

In data Thu, 01 Nov 2007 09:56:28 -0500, CBFalconer scrisse:
Yes, no language is 'safe'. However, some are much safer than
others. For example, the presence of subtypes (such as Pascals
ranges) simply allows range checking everywhere. Whenever a
construct creates a value for that item that is known to be out of
range, the compiler complains. When a runtime operation exceeds
that range, the runtime complains. Similarly the accurate control
of pointers allows most misuse of pointer variables to be detected
_at compile time_. This is a great advantage over C.

i think i'm in your kill file so don't read what i write;

the same for very pedands ones

-----------------------------------------------------------------
------------------------------------------------------------------
you and other seems not understand the esistance of variables that
*can not* overflow e.g. size_t; or
int, unsigned, float, double etc in financial calculis etc etc

if some of that variables has an overflow it has to rappresent an
error number (eg: INT_MAX for +overflow and INT_MIN for -overflow)
so detect errors in run time is more easy

for an unsigned thype the aritimetic is very easy

0..UMAX

a+b = (a==UMAX || b==UMAX || oveflow(a+b)? UMAX : sum(a, b);
a-b = (a==UMAX || b==UMAX || a<b || oveflow(a-b)? UMAX : sum(a, b);

some like above for -*/

0..UMAX-1 is ok
UMAX is an error
Unfortunately Pascal seems to have largely disappeared as a major
language. We are left with its descendent, Ada, which is a larger,
safer, and tested language. And also available in gcc.
 
S

santosh

RoS wrote:

you and other seems not understand the esistance of variables that
*can not* overflow e.g. size_t; or
int, unsigned, float, double etc in financial calculis etc etc

No. Signed types can overflow.
if some of that variables has an overflow it has to rappresent an
error number (eg: INT_MAX for +overflow and INT_MIN for -overflow)
so detect errors in run time is more easy

INT_MAX and INT_MIN are valid values. Using them to represent overflow
is, IMHO, not wise.
for an unsigned thype the aritimetic is very easy

0..UMAX ....
0..UMAX-1 is ok
UMAX is an error

No. Uxxx_MAX is a valid value of that type.
 
C

Chris Hills

Keith Thompson said:
As you should know, gcc can be used as a reasonably conforming C90 or
C95 compiler, and a partially conforming C99 compiler.

But we were talking about the gcc test suite, not about gcc itself.

See <http://pcc.ludd.ltu.se/standards_and_regression_testing/> and
<http://pcc.ludd.ltu.se/standards_and_regression_testing/gcc_testsuite/>
for information about using the gcc test suite on pcc, a a non-gcc C
compiler. Obviously any gcc-specific tests are expected to fail, but
it appears that the suite is still useful.

This was on the first page of Google results for "gcc test suite".

CBF gets VERY pedantic about ANYTHING non standard. As far as his logic
goes for any other compiler is that it is not a C compiler but a
compiler for a C like language.

Therefore the GCC compiler and it's test suite are not for C but a C
like language.

Now you understand what pisses off almost everyone else in this NG when
a few of you shout OT for everything that is not pure ISO-C You can't
expect to have it both ways.

However for testing a non gcc compiler the GCC test suite is not really
much use. (I asked some one who does do compiler validation for the
safety critical world and who has looked at the gcc test suite)

BTW the link you gave misses out one of the main C compiler test suits.
 
C

Chris Hills

Keith Thompson said:
Agreed. Anybody who wants to try using the gcc test suite to test a
non-gcc ISO C compiler obviously will have to investigate the suite to
determine whether it will suits his purposes. Maybe it will, maybe it
won't.

There is a lot more to validation than that. I doubt it will be of any
real use.
And neither can you.

I agree but just for once I am having a go at CBF with his own logic. He
doesn't like it.
I asked you whether you're actually familiar with the gcc test suite.
Though you didn't answer directly, your responses implied that you
haven't even looked at it.

Correct. I asked some one else who had.
The previous poster asked about C test suites. Suggesting the gcc
test suite is perfectly reasonable

No it is not. The GCC test suite is for GCC not ISO-C
(with the proviso that it *may or
may not* be suitable). You, on the other hand, are accusing Chuck of
hypocricy -- and you *don't know what you're talking about*.

He is hypocritical. Given his usual stance on anything not PURE ISO C
the Gcc test suite falls down on his own logic.

This is something I and others have complained about that a small group
of you scream OT on anything you don't like but do not apply the same
rules to yourselves.

I could have suggested any number of test suites that (according to CBF
previously) are for compilers of a "c-like" language. When these
compilers are far more ISO -c that GCC.

CBF can't have it both ways. The GCC test suite is not an ISO C test
suite it is a GCC test suite. gcc is a "C like" language. Simple as
that.

Now you see how annoying it gets to the rest of use with al this OT
crap.

When it comes to compiler validation it is one of the few areas where
you have to be very precise and CBF wants to be approximate, maybe.

Anyway the good news I I will not be bothering you for a week as I am
off on a trip. Ironically it has to do with compiler validation...
 
K

Keith Thompson

RoS said:
i think i'm in your kill file so don't read what i write;

If you deliberately evade killfiles by changing your name, don't
complain about people reading what you write.

Better yet, stop changing your name.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,900
Latest member
Nell636132

Latest Threads

Top