Re: [wg14/wg21 liaison] Semantics of angelic nondeterminism

From: Martin Uecker <ma.uecker_at_[hidden]>
Date: Fri, 12 Apr 2024 22:33:50 +0200
On Friday, 12 Apr 2024 at 20:27 +0200, Jens Maurer via Liaison wrote:
> On 12/04/2024 10.27, Jens Gustedt via Liaison wrote
..
> > If it is the case that C++ supposes that a `malloc`ed storage instance
> > has a fixed type from the start (we might just not know it yet) then
> > it is not modeling C's behavior correctly, and calling C functions
> > with `malloc`ed storage from C++ becomes hazardous. You may produce
> > non-value representations for the type that C++ is expecting, or even
> > introduce aliasing where the compiler wouldn't expect it.
>
> Well, calling compiler-invisible (non-inline) functions is fairly
> safe, because C++ allows to change the type of memory using
> placement-new or a rather new function std::start_lifetime_as.
> The compiler can't know whether a function call does that or not,
> so it has to assume the worst.

It is very much an essential feature of C that one can
reason locally. Compilers know how to reason locally,
because in many cases they do not see the full program.
Almost all C programs are also not strictly conforming,
but have undefined behavior. Their practical meaning is
inferred by reasoning about individual parts.

A specification strategy that fundamentally relies on
quantifying over all executions of a program to decide
whether the whole program has defined behavior or not,
seems not very useful to me.

Martin


>
> Jens
> _______________________________________________
> Liaison mailing list
> Liaison_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/liaison
> Link to this post: http://lists.isocpp.org/liaison/2024/04/1378.php

Received on 2024-04-12 20:33:55
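As an added illustration of the point raised in the quoted message (example code written for this page, not from the thread or either author): one `malloc`ed storage instance is first used by C++ as a `float`, then handed to an opaque C-style function, then read back as a different type. The helper `c_fill_u32`, the `Header` struct and `roundtrip_magic` are all assumed names; in a real program the helper would be compiled separately, which is what forces the compiler to assume the worst about the storage after the call.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

// Hypothetical C-style function (constructed for this example): it treats the
// storage as raw bytes and copies a 32-bit value into it. Written as a
// separate function so the caller has no view of what "type" it uses.
void c_fill_u32(void* storage, std::uint32_t value) {
    std::memcpy(storage, &value, sizeof value);
}

struct Header {
    std::uint32_t magic;
};

// Reuse one malloc'ed storage instance: float, then C-side bytes, then Header.
// Returns the value read back through Header, or 0 if malloc fails.
std::uint32_t roundtrip_magic(std::uint32_t expected) {
    constexpr std::size_t size =
        sizeof(float) > sizeof(Header) ? sizeof(float) : sizeof(Header);
    void* storage = std::malloc(size);
    if (storage == nullptr) {
        return 0;
    }

    // 1. C++ explicitly starts the lifetime of a float in the storage.
    float* f = new (storage) float(1.0f);
    (void)f;

    // 2. The compiler cannot see inside c_fill_u32, so after this call it has
    //    to assume the storage may now hold an object of any suitable type.
    c_fill_u32(storage, expected);

    // 3. Read back as Header. memcpy transfers the value representation without
    //    depending on which object the storage is currently considered to hold,
    //    which is the portable way to move between the C view and the C++ view.
    Header h{};
    std::memcpy(&h, storage, sizeof h);

    std::free(storage);
    return h.magic;
}
```

The same pattern with a direct `reinterpret_cast<Header*>(storage)->magic` read instead of `memcpy` is exactly the case where the two language models diverge, which is what the thread is discussing.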