CppCon 2016: Chandler Carruth “Garbage In, Garbage Out: Arguing about Undefined Behavior..."

Not gonna lie; hearing Chandler criticize the standard put a big ass smile on my face. I've lost count of the number of times I've tried to discuss both possible, and legitimate issues with languages with other developers over the years, only to have them fanboy up and refuse to admit there could be anything wrong with their perfect little language.
This isn't to say I was right in all cases, but the general stubbornness to admit there could possibly be an issue, or that something could be done better, has just absolutely driven me nuts over the years. So frankly it's refreshing to just hear someone else criticize one for a while, much less someone with as much weight and authority as Chandler.

Having Chandler in the committee gives me hope for the future of the language. Good talk as always!

I guess the best thing for the "narrow vs wide contract" is compiler warnings: keeps C/C++ narrow(ness), but not without trying to save us.

47th slide is so confusing... "good" and "bad" words don't correspond to UB...

people are not upset because the effects of violations are latent (hence, write more sanitizers) but because the contracts themselves are stupid

Very insightful talk. Thank you!

x

"Presentation Slides, PDFs, Source Code and other presenter materials are available at: github.com/cppcon/cppcon2016"
I don't see the presentation at the supplied location.

Regarding integer overflow, the sensible behavior would be for the compiler to apply optimizations when it can prove that the overflow won't occur. When it can't prove that overflow won't occur, and it is doing that optimization, that's a security exploit waiting to happen.

Interesting talk. Example why one should prefer signed integers is really great.
I think, the key problem with UB (and why it is so hateful) is that compiler allowed not only do something terrible, but also not to do something. For instance:
for (int i = 0; i < 10; ++i) cout

What happened to expects/ensures/assert? It's still not in the standard afaik. Was there a reason for that?

Why not make the shift more than nr of bits in the type a compile error then? Its super common for these to be compile time known. For the runtime case, make the operator autocast to a range type which has compiler configurable behaviour and can be either free and undefined if wrong, or excepts or performs modulo sizeof(type)*8?

What if you have "char*" that you increment. Does it do same nasty wrap around handling or is it as fast as signed int?

The example on slide 48 actually produces the mathematically correct value when n=0. You would get the same value if the numbers were signed. The issue isn’t the overflow, it’s that 0 should never have been input in the first place (as the resulting 8 bytes are insufficient space for the rtvec_def object).

The biggest issue with undefined behavior to me is that it's poorly named. Undefined behavior doesn't sound scary. It sounds like "I don't know if it's cloudy tomorrow" like nobody's scared of it being cloudy or not tomorrow, they'll still wake up and go to work despite not knowing before hand which it is. They dress up respectively. And then you also see these "this is actually undefined behavior" like in some Sean Parent talks I remember, and it ends up being something that doesn't do anything interesting, really nothing to worry about but the standard has not defined accurately what it should do. And some code depending on undefined behavior. It just doesn't sound too scary because it's such an enigma, nobody just has said what it should be doing so technically it could do anything imaginable and unimaginable (but many times it also won't do anything bad, possibly even desired).
So what I'm understanding is that the committee can't fix bad programming and illegal use of the language?

37:00 Doesn't the math actually work out here to produce the expected result? Chandler says that unsigned multiplication is defined as modular arithmetic, so the calculation should go as follows:
Promote -1 to unsigned -> 2^32 - 1 (or 2^64 - 1, doesn't matter)
(2^32 - 1) * 8 mod 2^32 = 2^32 - 8
8 + (2^32 - 8) mod 2^32 = 0
And 0 is the exact size you would expect when the input is n = 0.

It would be a good thing if the compiler could statically find contract violations compiletime though, a function which takes AcyclicGraph not Graph e.g.

I don't know if you're reading Chandler, but re. the signed/unsigned optimization discussion around 48:00, if you had your druthers would you suggest using signed types even for sizes and such, over size_t? E.g. it looks like the LLVM SmallVector templates' size/max_size/capacity/etc. use size_t. Is that more legacy stuff, or it doing the right thing?

Good documentation of the library and language-features, careful and conscious programming, as well as good compilers should be the ways to not get into undefined territory.. A library which constantly does runtime-checking, or tries to circumvent UB even in obvious cases of contract-misuse does not sound like a good option to me.

36:36 this error is actually not related to overflows at all. it behaves *exactly* as expected: we allocate
16 + (0-1)*8 = 16 + (-1)*8 = 16 - 8 = 8
bytes. so basically, we say that since we don't want any of the 8-byte rtunions, we'll just not allocate any - not even the one in the latter 8 bytes of the 16-byte rtvec_def. which means we'll try to allocate 8 bytes for a 16-byte struct, which is of course an error. but the error is a completely logical error and is not related to overflows at all.

30:54 Isn't left-shifting a negative number always UB? "Otherwise, if E1 has a signed type and non-negative value, and E1*2^E2 is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined." (expr.shift, 5.8.0.2, www.open-std.org/JTC1/SC22/WG21/docs/papers/2010/n3092.pdf#page=131, N3092 page 116)

47:53 This should be a compile error. Like, "Error: you can't use 32 bit values for 64 bit pointer indexing". Compiler has all the information for that. No silent promotions to 64 bit is needed. One can use (u)int_fast32_t types for platform specific size.

I thought the title referred to SG12 meetings...

Why when we multiply int and unsigned int at 35:39 we convert int to unsigned, not he other way around, which seems more logical?

the simplest way to detect cyclic graph is to keep a single counter for node traversal and check it against total graph size

I understand that not all UB can be defined, but a lot of them could at least be implementation defined (or require diagnostic output, and not be silent UB).
For example just saying that casting a byte/character pointer type to a pointer of float type is undefined behavior could mean that the compiler can just stop generating instructions for the code after it encountered UB, (since it's UB anyway doesn't matter what the rest of the code would do). But we know that this should be fine on all platforms if the pointer if properly aligned, and it's fine on some platform even if it is not aligned. This could/should be implementation defined even if it just says the behavior is architecture dependent, but the compiler (or toolchain) can guaranty that it will at least output machine code/instructions and not just give up on you.
I'm fine if the compiler says to me "Hey, we don't know what this will do, but at least we tried. Maybe you should look at this once more if this is really what you want." instead of the compiler doing 'Look at this stupid human! I recognize that this is UB, so I'm just gonna stop trying to even generate code, and I'm not gonna tell anyone, not gonna notify the user/programmer'.

10:50 Isn't an infinite loop without side-effects UB in C++? 6.5.0.1 (in stmt.iter) states: "A loop that, outside of the for-init-statement in the case of a for statement,-makes no calls to library I/O functions, and-does not access or modify volatile objects, and-performs no synchronization operations (1.10) or atomic operations (Clause 29) may be assumed by the implementation to terminate. [Note: This is intended to allow compiler transformations, such as removal of empty loops, even when termination cannot be proven.- end note]" (www.open-std.org/JTC1/SC22/WG21/docs/papers/2010/n3092.pdf#page=143, N3092 page 128)

47:20
yes if you size_t that will also also avoid the problem.
How does it avoid the problem? Is there something special about size_t that says that it won't wrap, stopping the compiler from adding extra code?

47:08 - Today it's fairly easy to get enough bits, without having to use the sign bit.
47:26 - The downside of using size_t is if ... is in a data structure it uses more space.
So, we it is easy to get enough bits, except that it's not.
I think that using size_t is the ideal solution. It gives you efficient code *and* it ensures that the code will work if you ever need to sort 10 GB of data. If your structures don't need to support more than 4 GB of data then you can store uint32_t in your structures and load into a size_t local variable.

Yo I'm only 21:00 in but what about dual implementation of things that can exhibit UB? The wide contract shitty slow one runs when a compiler flag is given to say "yo be slow and tell me if I'm stupid", and the narrow contract good and sexy one runs without that flag. Compile with that flag, run the test suite (you wrote full coverage, right?), and away you go.

Isn't incrementing a uint32 the same as incrementing a uint64 but ignoring the higher 32 bits? If so, why can't the compiler generate the optimised code, and make sure it doesn't go on to rely on the higher 32bits?
[I'm talking about slides 49-50]

- I got a crash on gcc/Linux, 64 bits, using: for ( ; bits; bits >>= 1). It was fixed after for (int j=0; j < MAX_MEANINGFUL_BITS; j++, bits >>= 1)
- Inside a gcc header file, it warning us that the reverse iterator, (pointing) to the (reverse) end of a container, may be an INVALID pointer!
- Also on gcc/Linux, I got a Segmentation Fault (not a compile error!) writing:
int some_f () {
blablablablablabla;
extensive calculation ready to be send; //WITHOUT the return keyword.
}

Why UB instead of IB?

I'm having trouble understanding the bug on slide 48.
(size_t)-1 is SIZE_MAX. (SIZE_MAX * 8) rolls over to (SIZE_MAX - 7). 16 + (SIZE_MAX - 7) should roll over to 8? under the assumption that all arithmetic on size_t values takes place modulo some power of two.
Are there multiple conversions that I'm missing or something, please?

I am curious, if any of you knew who "rygorous" is...

It's worth noting that swapping the uint32_t on slide 49 for size_t also does the job. Which one you prefer probably depends on how register limited the other parts of the code are.

What's the easiest way to get an std library that uses ssize_t instead of size_t ? Edit: ssize_t may or may not be the type I am looking for (it seems to be intended for negative error codes).

can't find slides for this talk

@~30min
I think the lesson here is don't do bit manipulation with anything but unsigned.

Still think signed int should wrap around. In practice today, portable code needs to use a wrapper around signed integer types which guarantees wraps when needed. That has a penalty, but which processor architecture does not wrap signed ints on addition?

Actually asserts should stay in production release (or production asserts should exists) and not become a precondition which if violated will become UB.

I can't reproduce it - signed and unsigned assembly is nearly identical on both latest gcc and clang: godbolt.org/g/KysL1T

I've never really had an issue with it. It is my job as the programmer to make sure the program does what I want it to do. That means using the language properly.
I've noticed though a lot of the current generation of programmers are more the ones who have issues with it. I think in part this is because of how we were raised.
They are looking for other people or a system to make it easier on them. Were we were taught to make due with the tools we had if we didn't like them create our own.
Don't expect others to solve your problems so much.
I've been programming since 1983. I've never had an issue with pointers in that nature. It is now 2023 that is 40 years without an issue. I don't think I am someone spectacularly exceptional.
So how is this a problem? To me it is just making an issue out of something that has never been an issue to me.

What I would really like is Signed Integer Overflow/Underflow well defined. Its Well defined in java, and I have hashcode functions that can easily Overflow a signed integer, which have to be signed because interop.

Damn, this makes c++ look like a dog's breakfast. I have to decide whether to get into Rust now.

defining behavior for all platforms doesn't mean that the behavior has to be the same for all platforms, how on earth did that implication came about?

48:50 Aren't 32-bit registers available in AMD64 Long Mode?
Also, the comments about wrapping don't make sense because int32_t's will also wrap except at half the distance (from [(2^32)-1] to [-(2^32)]. So there's really no advantage to using int over uint.

Well the conclusion I can draw here is that C++ is a very poor language for most people because almost nobody writes programs which could fit the narrow path which avoiding all the UB/programming issues let you walk on. Not knowingly anyway. Because almost nobody knows enough to manage that or can even hold all the edge cases in their heads.
So most of us are stuck with dealing with the latent bugs, always.
Unless you make (for example) an expensive shift and a cheaper shift where I have to deal with the potential issues. Leaving you more potential for making consistent results across platforms or whatever situation you're in.
Also chandler seems really upset over people making jokes on Twitter. Quite likely nobody thinks your compiler will delete files when there's UB. Or make a male cat pregnant.
Edit:
Watching this again (4 months later), because it's a good talk, I realise that chandler makes the exact suggestion about a slow vs fast shift except he does it for the compression example. I wouldn't mind having a lot of these options. But maybe there should be facilities in the language to express expectations rather than having a bunch of different types that imply behavior. If programmers could annotate when they expect or want modular integer behavior or not you'd have a more pleasing consistency between unsigned and signed types while still having all the benefits of narrow contracts.

bzip example is dishonest. bzip was conceived when there was no 64bit arch around. When compiled for 32bit x86 it's as efficient as the modified code on 64 bit arch. If anything this example demonstrates that C portability is not quite as perfect as one could wish.

"narrow contract" easily includes the set of all absurdly narrow contracts

the Video is broken ? i See always a Grey half of the Screen??

Maybe I'm missing the point, but this sounds like the same kind of defensive talk on c++'s behalf, like Bjarne gave this year, where it all boils down to is: "we can't fix it because we can't do both a and b if and b aren't orthogonal features." I understand some of the reasons given, but do not see a possible solution to any of this.
Ref the shift examples: If this language is supposed to be platform agnostic, why does the shift operator even exist? Sounds like C is violating it's own principle of abstracting the assembly code. Shift is an intrinsic and has no place in a platform agnostic language.
Well. I'm only a regular developer, so maybe it isn't for me to understand what the point of all this is supposed to be.

but I am paying for something I'm not using by having to mask the shift because you're throwing portability down my throat

standards leave too much undefined while compilers act like an AI that exploits every loophole to reach its simplistic objective function which is to make code run faster.

The problem with undefined behavior in C++ is not that there's a problem with undefined behavior itself. The problem is that C++ considers too many things to be undefined behavior that should not be. Signed integer overflow comes to mind.

the fact that you have programming errors that you cannot detect or would be prohibited to detect is not an argument for anything. it doesn't give you license to make languages unusable by humans by riddling them with UB

a+b is defined behavior on every platform for the native number types that they support. i'm ok with that, i don't want you to abstract over that. my contract is with the platform. you're in my way. just do the optimizations that work best for each platform and stop there. the C standard is misinforming you about what your role should be and it's giving me, the user, a crappy language

I don't see what the problem is. Define what it means for an nullpointer to be dereferenced. On a C6502 it means dereferencing address 0. on linux running on x86 it means a segfault, in kernel code it means a panic. In fact, why bother defining it. Let the hardware manufacturer or the operating system developers decide what it means. Because at the end of the day, this will generate some assembly instructions. xor eax, eax; mov edi, [eax]; or similar will be generated. The cpu will attempt to run that code. What happens next is not your concern anymore. Just generate the assembly like a good little compiler and be done with it.
10:00 well you just defined all the cases. congratulations, your UB is now defined. and what defined it? the implementation and the platform it runs on. that's a programmer's job. writing a program to run on a platform. The program defines the behavior for the platform it was written for. Again, no problem.
20:00 fine, let's talk language features then. Say a standard library function with a narrow API that accepts only sorted containers as an input, take std::equal_range. for example. It's undefined to give it a container which is not sorted. Or is it? I say it is very well defined because the code is right there in the library! It probably gives you the subrange from the first occurrence to the last occurrence that is consecutive to that first occurrence. Whatever it does, just describe it and you're done. Boom, defined behavior. Yes, you might be using it wrong, or you might want exactly what it does anyway. And what it does is described in the code.
25:40 fine. then define it individually for each platform. generate the assembly and let the CPU deal with it. the programmer knows the platform he's dealing with.
27:00 but it already IS implementation defined. on a 32 bit machine this is apparently a bug, even though it does what I would expect on an x86 architecture if I run it on such. and on 64 bit it just runs fine anywhere. What about integer overflow? not a single cpu since at least 1980 has had anything other than 2's complement. why is integer overflow STILL not defined? It's silly is what it is.

The actual Car
Here something tricky involving undefined behivour and no it is not “To Nasal Demons”. By the way, I do NOT work here.

Too Low Preformacne and they pick high power electronics:
We created a blackout.. yes energy used up. Maybe put up the no outlet on the road with deadends or live with blackouts. And yes the second part is nonsense… it really is plugs and power.
Why Its Not Prisoners Dillema:
If it were Prisoner’s Dilema and I am player 2 then I would have the choices there but its not so it can’t be prisoner’s dilemma.. before someone argues it is. By the way, game theroy is actually something I fairly good at.. I know in about a second what the best move is.
The Pointers in Functions Aproach:
Well this program itself has quite a few program optimizations left in it but it is already using very low level C style code.. the kind most people belive to be faster but isn’t and also less mantaible. Pointers without Restrict Alising and not efficient algorithms.. I have the second most effiecnt algorithm.
By the way, data structures and algorithms really are not quantifiable… text and hexadecimal and “colors “ (or just a therotical construct) are not quantive on the level of measurement. Unless you’re a computer sceintest and take a = 64 and b = other number and text being a list of numbers… then yes its quantativive.
The Simplex Algorithm
Without Known Center of Mass known. Builds of the work of Prof. Elegnbogen… his reserch into linear programming. This works on doubles or floats or something that was written as scalars in linear algebra. Without Splitting Vector Quantinities it’s a 1d.. split vectors to get 2d.
Experimental Huerstic
When one part moves whole rest of it is still. Also uses 2d netwonain physics on that one part with rest still. Worked okay on a robot for a few years… later on would be worried it breaks / something goes horribly wrong.
Semi- Definite Quadratic Constraint Quadratic Objective Function
These are allowed to be non-negative on each number..
This one corrects the simplex algorithm for forces that are either quadratic or linear forces involved. By the way, for moving car with moving part, this also has something do with relative motion and possibly adding on another force. Anways, adding another foce is only another row or col in the linear algebrea (after vectors split up).
This still uses the simplifying assumption that the center of mass point is somewhere on the diagram rather than anywhere. Without it.. normative question: should the car continue self driving or be put in manual.
Undefined, Implemention Defined, and In The Standard
First, our code is required to be meeting the C++ standard fully for this, including preconditons and postconditions.
If it is undefined behviour then the optimizer is a little bit less compared to undefined behviour.
The optimizer… uses undefined behivour (which I am okay with). Now here comes the tricky part - it shaves off bits from double or floating point so that it is lower power. Hecne, the execption to R^3. By the way, it is pretty much never a scalar type like that.. polynomial for the real number that it is.
This is where the disagreement is in… undefined behivour here with the shaving off from bits to reduce the energy used.
By the way, in C++ choices they have include: floating point and double type. Use tolerance anaylsis on distances of bridges built - now you have a choice to make.
Which is affected by that other one… I will pick double and let bits be shaved off.
Or if we are allowed this as alterantive: ffastmath without bits not there. Go ask them, I am perfectly fine with the first one.

Sounds like a use case for a language like Rust to me