On Thu, Jan 30, 2020 at 6:09 PM Uecker, Martin <martin.uec...@med.uni-goettingen.de> wrote:
>
> On Thursday, 30.01.2020, 16:50 +0000, Michael Matz wrote:
> > Hi,
> >
> > On Thu, 30 Jan 2020, Uecker, Martin wrote:
> >
> > > > guarantees face serious implementation difficulties I think
> > > > so the only alternative to PVNI (which I think is implementable
> > > > but at an optimization opportunity cost) is one that makes
> > > > two pointers with the same value always have the same
> > > > provenance (and otherwise make the behavior undefined).
> > >
> > > This would need to come with precise rules about
> > > when the occurrence of two such pointers is UB,
> > > e.g. comparisons of such pointers, or that
> > > two such pointers are cast to int in the same
> > > execution.
> > >
> > > The mere existence of such pointers should be
> > > quite common and should not already be UB.
> > >
> > > But I am uncomfortable with the idea that
> > > comparison of pointers is always allowed except
> > > for some special case which then is UB. This
> > > might cause rare and very difficult to find bugs.
> >
> > As Richi said, the comparison itself wouldn't be UB, all comparisons would
> > be allowed. But _if_ the pointers compare equal, they must have same (or
> > overlapping) provenance (i.e. when they have not, then _that_ is UB).
>
> Sorry, I still don't get it. In the following example,
>
>   int a[1];
>   int b[1];
>
> it is often the case that &a[1] and &b[0] compare equal
> because they have the same address but the pointers
> have different provenance.
>
> Or does there need to be an actual evaluation of a comparison
> operation? In this case, I do not see the difference to what
> I said.
I guess I wanted to say that if you do

  if (&a[1] == &b[0])
    if (&a[1] != &b[0])
      abort ();

then the abort might happen. I'm using the term "undefined behavior"
here. So whenever you create a value based on two pointers with the
same value and different provenance you invoke undefined behavior.

That allows the compiler to optimize

  int *q, *r;
  if (q == r)
    *r = 1;

into

  if (q == r)
    *q = 1;

which it is currently not allowed to do because of that dreaded
one-after-the-object equality compare, not because of PNVI, but similar
cases obviously can be constructed with integers (and make our lives
difficult as we're tracking provenance through integers).

Compilers fundamentally work with value-equivalences, the above example
shows we may not. That's IMHO a defect in the standard.

Richard.

>
> Best,
> Martin
>
> > > > > Others proposed to make the result of the comparison unspecified,
> > > > > but I think this does not help.
> > > >
> > > > Indeed. It's not unspecified, it's known to evaluate to false. I
> > > > think there's existing wording in the standard that allows it to
> > > > evaluate to true for pointers one-after-the-object, that would need to
> > > > be changed of course.
> > >
> > > The problem is that if the comparison is not optimized
> > > and the pointers have the same address, then it would
> > > evaluate to true at run-time. If I understand correctly,
> > > you somehow want to make this case be UB, but I haven't
> > > quite understood how (if it is not the comparison of such
> > > pointers that invokes UB).
> >
> > By saying something like "if two pointers compare equal they must have the
> > same provenance, otherwise the behaviour is undefined".
> >
> > (I don't know if this definition would or would not help with the problems
> > PVNI poses to compilers).
> >
> >
> > Ciao,
> > Michael.