> On Feb 20, 2015, at 12:01 PM, Jeff Law <l...@redhat.com> wrote: > > On 02/20/15 04:43, Jonathan Wakely wrote: >>> ... >> >> I'm inclined to agree. >> >> Most developers aren't aware of the preconditions on memcpy, but GCC >> optimizes aggressively based on those preconditions, so we have a >> large and potentially dangerous gap between what developers expect and >> what actually happens. > But that's always true -- this isn't any different than aliasing, arithmetic > overflow, etc. The standards define the contract between the > compiler/library implementors and the developers. Once the contract is > broken, all bets are off.
True. The unfortunate problem with C, and even more so with C++, is that the contract is so large and complex that few, if any, are skilled enough language lawyers to know what exactly it says. For that matter, the contract (the standard) is large and complex enough that it has bugs and ambiguities, so the contract is not in fact precisely defined. There’s a nice paper that drives this home: http://people.csail.mit.edu/akcheung/papers/apsys12.pdf For example, while most people know about the “no overlaps” rule of memcpy, stuff like aliasing are far more obscure. Or the exact meaning (if there is one) of “volatile”. It also doesn’t help that a large fraction of the contract is unenforced. You only find out about it when a new version of the compiler starts using a particular rule to make an optimization that suddenly breaks 10 year old code. I remember some heated debates between Linux folks and compiler builders when such things strike the Linux kernel. paul
