Robert Dewar wrote:
The reason that we distinguish overflow checking from other kinds of
constraint checking is that a failure of an overflow check, unlike
for example the failure of a range check, can result in an incorrect
value, but cannot cause random memory destruction (like an out of range
subscript), or a wild jump (from an out of range case value). Overflow
checking is also quite expensive in time and space, since in general it
requires the use of double length arithmetic.

Just to be clear, although theoretically in Ada semantics, the program
execution is erroneous if an overflow check fails and -gnato is off,
in practice with GNAT, the range of possible effects does not include
memory destruction or wild jumps. Similarly with GCC and C, the failure
of an overflow check is theoretically undefined and unlimited (just like
erroneous in Ada), but in practice the back end will not turn an
overflow into unexpected memory destruction or a wild jump, at least
not often :-)
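The "double length arithmetic" Dewar refers to, shown as an added C example (this is not code from the post, GNAT or GCC): a checked 32-bit add and multiply that widen the operands to 64 bits, compute exactly, and range-check before narrowing, beside an unchecked wrapping add that yields the silently "incorrect value" he describes. The function names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Checked 32-bit addition. Widening both operands to 64 bits means the
 * sum itself cannot overflow (it needs at most 33 bits); the exact result
 * is then compared against the 32-bit bounds before being narrowed.
 * Returns false and leaves *out untouched on overflow, the analogue of a
 * failed overflow check raising an exception instead of producing a value.
 */
bool checked_add32(int32_t a, int32_t b, int32_t *out)
{
    int64_t wide = (int64_t)a + (int64_t)b;
    if (wide > INT32_MAX || wide < INT32_MIN)
        return false;
    *out = (int32_t)wide;
    return true;
}

/*
 * Same scheme for multiplication: |a * b| <= 2^62 for 32-bit operands,
 * so the 64-bit product is exact and the range test is reliable.
 */
bool checked_mul32(int32_t a, int32_t b, int32_t *out)
{
    int64_t wide = (int64_t)a * (int64_t)b;
    if (wide > INT32_MAX || wide < INT32_MIN)
        return false;
    *out = (int32_t)wide;
    return true;
}

/*
 * Unchecked addition as a back end typically emits it: two's-complement
 * wraparound. The arithmetic is done on uint32_t so this example is itself
 * well defined C (signed overflow would be undefined); the conversion back
 * to int32_t is modular on GCC. No trap occurs, the result is simply wrong.
 */
int32_t wrapping_add32(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

int main(void)
{
    int32_t r;
    if (checked_add32(INT32_MAX, 1, &r))
        printf("checked:   %d\n", r);
    else
        printf("checked:   overflow detected, no value produced\n");
    /* Wraps from INT32_MAX to INT32_MIN: a wrong value, not a crash. */
    printf("unchecked: %d\n", wrapping_add32(INT32_MAX, 1));
    return 0;
}
```

The cost Dewar mentions is visible here: each checked operation performs a 64-bit operation plus two compares, and the pattern scales poorly to 64-bit operands, where a double-length intermediate is not a native type.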