Comments on: C Puzzle: Double Trouble

By: Jeroen Mostert

Jeroen Mostert — Sat, 11 Feb 2012 09:24:46 +0000

The aliasing rules are clearly intended to prohibit this sort of thing, but as far as I can tell, they do not. The union members are distinct objects and they are accessed through pointers of the appropriate type. This situation is obviously allowed by the aliasing rules. Equally obviously, though, the pointers to these objects compare equal, so accessing one is accessing a differently-typed object at the same time, something the aliasing rules are supposed to prevent.

It’s possible to reason this is prevented by the aliasing rules, but this causes inconsistency with the rest of the standard, which explicitly allows type-punning through unions (which should likewise be disallowed under this interpretation, through the same reasoning). The standard would need an explicit change to cover both situations in the intended manner.

I think neither the compilers nor the verifiers are buggy — it’s the standard that needs a fix. I disagree with Dan that it’s “impossible” to have sound rules (at the very least, every compiler implementation at a particular optimization level, however obtuse, represents one consistent implementation of a set of rules, however complicated), but the fix in this case would be complicated and inelegant — pointers to union members would need special treatment, likely causing a lot of ugly adjustments to sections that have nothing to do with unions.

By: asdf

asdf — Sat, 11 Feb 2012 02:41:07 +0000

This is offtopic to this post but there is an elegant way to solve your “Iterating Over The Full Range” problem with the inclusive for loop idiom:

for (bool go = true; go; (go = (f != l)) && (++f, true)) {
use(f);
}

// or

do {
use(f);
} while ((f != l) && (++f, true));

// or my favorite which only works in C++ because stupid C99 doesn’t allow variables to be defined in the if expression

#define inclusive_for(init, cond, inc) \
if (bool ar3_d0n3_ = false) {} \
else for (init; !ar3_d0n3_; (ar3_d0n3_ = !(bool)(cond)) || ((inc), false))

inclusive_for (int i = INT_MIN, i != INT_MAX, ++i) {
use(f);
}

By: Ryan Fox

Ryan Fox — Thu, 09 Feb 2012 19:15:05 +0000

From the GCC manual: “Even with -fstrict-aliasing, type-punning is allowed, provided the memory is accessed through the union type. … access by taking the address, casting the resulting pointer and dereferencing the result has undefined behavior, even if the cast uses a union type.”

Also, -fstrict-aliasing is enabled for -O2 but not -O1. I imagine that if you used -fstrict-aliasing without a -O flag, you’d have the same problem.

By: Dan Gohman

Dan Gohman — Thu, 09 Feb 2012 19:10:00 +0000

In your example, the code happens to read from a member of a union which is not the most recently written one. However, it is possible to write similar code which does not have this problem, yet which still exhibits problematic behavior. See the examples in this Defect Report:

http://open-std.org/JTC1/SC22/WG14/www/docs/dr_236.htm

This report is categorized as Closed, however the explanation in the Committee Response is based on reasoning which isn’t obviously supported by the standard.

In general, there does not appear to be any way to have sound type-based aliasing rules in a language that also has non-discriminated unions, untyped (e.g. malloc) memory, and pointers. However, type-based alias rules are considered an important feature, and the committee has chosen to keep it anyway. Consequently, the standard is inconsistent. In practice, each compiler is left to choose for itself the extent to which it is willing to trade safety for optimization.

By: Pascal Cuoq

Pascal Cuoq — Thu, 09 Feb 2012 18:48:56 +0000

Speaking of GCC’s documentation, the last example in this section looks a bit like like John’s program, and it is given as an example what not to do:

http://gcc.gnu.org/onlinedocs/gcc-4.1.1/gcc/Optimize-Options.html#index-fstrict_002daliasing-542

int f() {
a_union t;
int* ip;
t.d = 3.0;
ip = &t.i;
return *ip;
}

The difference is that John’s program reads through the union with fn2 (b.f0);