Comments (8)
hsutter
commented on August 25, 2024
In principle, a conforming compiler should not eliminate the Ensures that depends on the memset, then also eliminate the memset. However, "as-if" would allow eliding them all by treating them as dead writes.
It seems like we need to say something about Ensures being treated as I/O as part of the side effects of the program. Saying that would require (tiny) language support.
Suggestion: What if in SS-assertions, under the definition of Ensures, we added this:
Every access of a named object mentioned in an argument to
Ensuresshall be treated as avolatileaccess.
from cppcoreguidelines.
AndrewPardoe
commented on August 25, 2024
Editors discussed 8 Dec 2015 and on 14 Dec 2015.
from cppcoreguidelines.
hsutter
commented on August 25, 2024
We intend to change the example to something else, and address this particular security example as part of a new security profile (likely with a secure buffer type or wrapper).
from cppcoreguidelines.
AndrewPardoe
commented on August 25, 2024
Andrew, please add an "enhancement" label about security. (Done)
from cppcoreguidelines.
AndrewPardoe
commented on August 25, 2024
Notes: There are a few issues entangled here. Contracts today are macro-based. But when we have contracts as a language feature, compilers are prohibited from propagating any information into or out of contracts that will introduce undefined behavior in the contract.
We need to add a sentence that refers to Ensures and notes that while current compilers may have trouble with this we can at least express the intent.
from cppcoreguidelines.
MikeGitb
commented on August 25, 2024
compilers are prohibited from propagating any information into or out of contracts that will introduce undefined behavior in the contract
I don't understand what this is supposed to mean. The problem is not that there is undefined behavior in the contract check. The problem is the as-if rule: there is no way for a program to read the original contents of the buffer after the memset EXCEPT if it exhibits undefined behavior in some DIFFERENT location (e.g. buffer overflow/reading uninitialized stack variables).
If contracts really are expected to disallow optimizations based on the as-if rule (e.g. via treating the operands as volatile as suggested by Herb) I'm expecting a significant/unacceptable slowdown of c++ programs in the future.
from cppcoreguidelines.
AndrewPardoe
commented on August 25, 2024
Revisited this issue today. We'd like to continue delaying action on it whilst the Committee discusses Contracts.
from cppcoreguidelines.
dksmiffs
commented on August 25, 2024
Suggest:
- preface this issue title with "I.7 " for benefit of new readers
- improve the
// bettercomment in I.7's second example, quoted by @comex in OP. This comment could summarize some of the discussion on this issue thread. Something like:
// better, b/c expresses intent - but even better solution will come with Contracts
from cppcoreguidelines.
Related Issues (20)
- Practice HOT 1
- #include HOT 1
- How to refer to the guidelines, bibtex preferred? HOT 3
- I.2: Avoid non-const global variables, but exempt "file scope" from this rule HOT 2
- C++ Core Guidelines Markdown to HTML HOT 1
- Why isn't the exception safety mentioned in the Reason of R.22? HOT 4
- C++ Core Guidelines Markdown explicit anchor links not working (updated the 20/05/2024)
- Doesn't the title of ES.3 break that very guideline itself? HOT 2
- Section E.27 HOT 1
- Ceil Function in Cpp HOT 3
- Namespace guidelines HOT 2
- Recommend against using RAII only for release functions that can fail, including all IO HOT 1
- Clarify ES.23: Prefer the {}-initializer syntax HOT 1
- Should ES.23 mention that ()-initialization is likely to be preferrable when dealing with containers containing types initializable from the container itself HOT 7
- Exception to ES.63 for base type without any data member HOT 1
- Discourage implicit casting from/to void pointer HOT 1
- Should SF.7 avoid to limit its applicability to when the directive is at global scope?
- the links in I: Interfaces are all broken HOT 1
- gsl::span UB if used over containers of non-implicit lifetime types? HOT 2
- C.20 - "rule of zero" and constructor handling HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cppcoreguidelines.