[SystemSafety] Critical systems Linux

Olwen Morgan olwen at phaedsys.com
Fri Nov 23 19:01:40 CET 2018 

So it is. MEA CULPA! Just goes to show how even experienced people (25 
years with C) can fluff things in this area. Such are the delights of 
ageing memory and of having to use 300-page long (for C99) language 
standards.

C's implementation-specific categories are pretty unhelpful here. 
Several of the things categorised as undefined could more sensibly be 
categorised as implementation-defined. Multiple modifications between 
sequence points are a case in point. The simplest thing for an 
implementor to do is to choose some order for the sequence points and 
leave it at that - there's no point in bombing out with an error if you 
don't have to. IMO there should be no latitude for abnormal termination 
where it's unnecessary. I still think that the developers of gcc do not 
actually intend the behaviour that my test elicits and that it is due to 
over-aggressive optimisation. It is, as you say, strictly-speaking not 
wrong but if it is what the gcc developers intend, then IMO it is 
exceptionally perverse.

As regards the categorisation of implementation-specific behaviours, C 
and the C-derived languages do, IMO, a worse job than the Pascal-derived 
languages. The original Pascal standard had the categories of;

1.    Implementation-defined - meaning not defined by the standard but 
defined in every implementation.

2.    Implementation-dependent - meaning not defined by the standard and 
not necessarily defined in every implementation.

3.    Errors.

AFAI recall, Ada does something similar (?????) ... anyway, these 
categories are rather easier to work with when trying to produce tests 
of implementation-specific characteristics. When trying to diagnose C's 
implementation-specific behaviours, one tries AFAP to exploit behaviours 
that are implementation-defined or unspecified rather than undefined. 
Leaving undefined things that would more sensibly be made 
implementation-defined or unspecified is, IMO, one of the C standard's 
worst own-goals. The whole point of standardisation is to limit 
*unnecessary* variation. Alas, politics drives standards-making. It 
becomes a chaotic democracy on occasions when it would do better to be 
authoritarian. (I said before that I'm becoming a Stalinist in my old age.)

Nevertheless, what you say actually reinforces my point about the 
unhelpfully wide latitude left to C implementors and why subsets for 
critical applications do well to be ultra-strict - if only to mitigate 
the effects of buggy optimisation AFAI can see, the way forward for 
analysis of C programs is to emulate SPARK Ada. It's a two-stage 
approach whereby (possibly draconian) subset checkers flag up usages 
that make life unnecessarily hard for proof tools and then the proof 
tools get to work on code that is, hopefully, more tractable to analyse.

And as regards compiling Ada to C, I can only suggest that Ada compilers 
that use other C compilers as back ends start migrating to using back 
ends based on (possibly subsetted) LLVM or something similar as soon as 
they become available for the target hardware. C has served us 
undeservedly well as a compiler target language but its weaknesses 
should, IMO, now be left behind in the quest for high-integrity software.


Olwen


On 23/11/2018 15:30, Olivier Andrieu wrote:
>
> On Fri, Nov 23, 2018 at 4:05 PM Olwen Morgan olwen at phaedsys.com 
> <http://mailto:olwen@phaedsys.com> wrote:
>
>
>     On 23/11/2018 12:33, Olivier Andrieu wrote:
>>
>>     I’m not sure why you’re making this about the compilers. This
>>     program has unequivocally an undefined behavior, so, whatever a
>>     compiler does, it’s not wrong.
>>
>>     Clang doesn’t even require an explicit warning option to point it
>>     out:
>>
>>     |$ clang se.c se.c:14:19: warning: multiple unsequenced
>>     modifications to 'i' [-Wunsequenced] PrintEvalOrder((++i), (++i),
>>     (++i)); ^ ~~ 1 warning generated. |
>
>     gcc gives a similar warning but still gets the compiled code
>     wrong, AFAI can infer, by being gung-ho with optimisation.
>
>     As regards behaviour, AFAI can see it's not "undefined" but is
>     covered by "unspecified" or "implementation-defined" behaviour
>     (Derek Jones may correct me here.)
>
> It’s undefined, it corresponds to this case from the ‘Portability 
> issues’ annex of C99:
> /« Between two sequence points, an object is modified more than once, 
> or is modified and the prior value is read other than to determine the 
> value to be stored (6.5) »/
>> Olivier
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20181123/6120c3f2/attachment-0001.html>

More information about the systemsafety mailing list