A Guide to Undefined Behavior in C and C++ (2010)

jasonthorsness · 2025-03-17T00:22:48 1742170968

This is an area the newer languages get right - I don’t think Rust or Go has any undefined behavior? I wish they would have some kind of super strict mode for C or C++ where compilation fails unless you somehow fix things at the call sites to tell the compiler the behavior you want explicitly.

zyedidia · 2025-03-17T01:13:22 1742174002

I think data races can cause undefined behavior in Go, which can cause memory safety to break down. See https://research.swtch.com/gorace for details.

steveklabnik · 2025-03-17T00:33:34 1742171614

Safe Rust has no undefined behavior. Unsafe Rust does.

jjmarr · 2025-03-17T00:55:24 1742172924

> I wish they would have some kind of super strict mode for C or C++ where compilation fails unless you somehow fix things at the call sites to tell the compiler the behavior you want explicitly.

The C++ language committee _does not_ want to add more annotations to increase memory safety.

anon-3988 · 2025-03-17T01:31:24 1742175084

Not even annotations. The committee standardize this https://en.cppreference.com/w/cpp/container/span/operator_at

So they clearly doesn't care so there's no point convincing them.

tialaramex · 2025-03-17T01:13:16 1742173996

Several programming languages can testify to the fact than a Benevolent Dictator For Life is not a panacea. Several more than testify that having a Committee to design the language is likewise not a panacea. Perhaps uniquely C++ can clarify for us that both is in fact worse than either alone.

almostgotcaught · 2025-03-17T01:24:58 1742174698

you realize UB is basically an escape hatch from the standard for compilers right? it's not like a flaw in the language, it's gaps negotiated by the standards committee (well for the most part i guess). so the reason new languages don't have UB is because new languages don't have multiple implementations (go definitely doesn't, does anyone use rust-gcc?).

Dylan16807 · 2025-03-17T01:34:05 1742175245

You only need implementation-defined behavior to grease the wheels of multiple implementations. You don't need the gaping void of undefined for that use.

There's a big difference between "it'll be some number, not promising which one" and "the program loses definition and anything can break, often even retroactively".

almostgotcaught · 2025-03-17T01:38:11 1742175491

Potato potato. My point is UB isn't an accident it's intentional. Mind you I'm not saying it's great, just that it's not some kind of slipup.

guimplen · 2025-03-17T00:42:24 1742172144

The first example (signed integer overflow) is no longer valid in newer standards of C. Now it should use the two-complement semantics and no UB.

Rusky · 2025-03-17T00:55:19 1742172919

I believe they only standardized the two's-complement representation (so casts to unsigned have a more specific behavior, for example) but they did not make overflow defined.

LegionMammal978 · 2025-03-17T01:57:30 1742176650

Yeah, signed integer overflow is as UB as ever. I've heard the primary reason for it is to avoid the possibility of wraparound on 'for (int i = 0; i < length; i++)' loops where the 'length' is bigger than an int. (Of course, the more straightforward option would be to use proper types like size_t for all your indices, but it's a classic tradition to use nothing but char and int, and people judge compilers based on existing code.)

fsckboy · 2025-03-16T23:35:02 1742168102

my opinion as a very experienced C system programmer:

there must be better sources to guide people than a poorly written and infantilizing article from 15 years ago.

staunton · 2025-03-16T23:50:39 1742169039

Being a very experienced programmer, I'm sure you know many such sources. Can you share any?

ultrarunner · 2025-03-17T00:52:20 1742172740

Perhaps you could draw on your wealth of experience to write one. I’d love to read it!

（评论） (comments)

（评论）
(comments)