andrew-appel
commented
6 years ago You are right. It would be a good idea to make signed integer overflow undefined in Verifiable C, even though it is defined in CompCert Clight. This could be accomplished by a small modification to Verifiable C's type-checker. Likely we will do this soon.
The documentation of Verifiable C is misleading about the semantics of signed integer overflow with respect to C standards.
Page 16 of
VC.pdfsaysWhat specification is this referring to? According to C standards, signed integer overflow is undefined behavior; in this document, that is in fact the first example given under the definition of undefined behavior (3.4.3, p22 of this PDF).
One could say that wraparound is allowed as a consequence of the fact that standard-compliant compilers are free to implement undefined behaviors in any way they like. However, if all behaviors are allowed, then the standard does not further need to explicitly allow one in particular, but the excerpt above suggests it does. Perhaps that excerpt is referring to Annex H (H.2.2, p564 of the PDF), but that is not quite a specification. Hence, this formulation is not quite incorrect, but it is confusing for one who knows a bit about C standards.
In any case, CompCert's documentation correctly acknowledges this fact:
I also disagree with the claim that this treatment of undefined behavior is conventional.
VC.pdfcontinues:On the contrary, compilers typically assume that undefined behavior never happens to allow for more optimizations, thus there are no semantics for signed integer overflow. A typical example is that given
x > 0andy > 0, since overflow is undefined, then one can assume thatx+y > 0, which may lead to simplifications, but that assumption is not compatible with wraparound semantics.