Re: [PATCH] C undefined behavior fix

From: Joseph S. Myers (
Date: Sat Jan 05 2002 - 16:42:57 EST

On Sat, 5 Jan 2002 wrote:

> I don't particularly like the interpretation stated in DR260, but that
> doesn't matter. It still doesn't give the compiler permission to make
> something "undefined behavior" that the standard says is "implementation
> defined". The standard says an arbitrary integer (arbitrary means there
> are no restrictions on how it was produced) can be converted to a pointer
> and that the implementation must define what the results of this are.
> All DR260 is saying is that the compiler can do certain sorts of deep
> analysis on the code to decide whether my pointer is valid. It doesn't
> apply to the case of casting to an integer, munging, then casting back
> because the the implementation is supposed to provide a rule for when
> such pointers are valid.

It says that a pointer is more than a sequence of bits, that the
provenance of a pointer determines whether it can be used to access an
object to which it points. (This notion is already explicit in the
standard for "restrict" - which has various confusing issues when you go
beyond its intended purpose of making code, to do the sort of things done
in Fortran 77, as fast as in Fortran 77, see
<URL:>. Related are
the exact meaning of "effective type" (see also the question about
type-based aliasing rules in DR#236), and exactly how large the object
that can be accessed through a pointer is (we know that in accesses to a
multidimensional array, each index must be within its bounds, but there
are other problems). See Nick Maclaren's "What is an object?" discussion
- WG14 reflector sequence 9350, but I don't think it's been more widely

In the case of GCC, and casting integers to pointers, a rule has been
provided: the value of the pointer is determined by the bits, and the
provenance, determining what can be accessed, is derived from that of the
integer. This works fine with uses such as masking off a few bits to get
a more aligned pointer, since there we are still accessing the original
object. (I think the bounded pointers work also handles certain
cast-adjust-cast-back cases specially, to preserve the bounds when such
idioms are used rather than creating an unbounded pointer.) Simply
documenting the bits of the pointer, and not what it can access, would not
be sufficient documentation of the results of the cast, but the
documentation describes both.

Joseph S. Myers

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to More majordomo info at Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon Jan 07 2002 - 21:00:29 EST