Message-ID: <20220227201724.GZ614@gate.crashing.org>
Date: Sun, 27 Feb 2022 14:17:24 -0600
From: Segher Boessenkool <segher@...nel.crashing.org>
To: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
Cc: David Laight <David.Laight@...lab.com>,
Arnd Bergmann <arnd@...db.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jakob <jakobkoschel@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-arch <linux-arch@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Kees Cook <keescook@...omium.org>,
Mike Rapoport <rppt@...nel.org>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Brian Johannesmeyer <bjohannesmeyer@...il.com>,
Cristiano Giuffrida <c.giuffrida@...nl>,
"Bos, H.J." <h.j.bos@...nl>
Subject: Re: [RFC PATCH 03/13] usb: remove the usage of the list iterator after the loop
On Sun, Feb 27, 2022 at 07:09:03PM +0100, Miguel Ojeda wrote:
> On Sun, Feb 27, 2022 at 1:09 PM Segher Boessenkool
> <segher@...nel.crashing.org> wrote:
> >
> > How will you define dividing by zero so that its behaviour is reasonable
> > for every program, for example?
>
> The solution is to let the developer specify what they need to happen.
> That choice should include the unsafe possibility (i.e. unchecked),
> because sometimes that is precisely what we need.
Requiring the user to annotate every place that has UB (or *can* have UB!)
is even less friendly than having so much UB already is :-(
I don't see how you will fit this into the C syntax, btw?
> > Invoking an error handler at runtime
> > has most of the same unwanted effects, except it is never silent. You
>
> It may not be what is needed in some cases (thus the necessity to
> be able to choose), but at least one can predict what happens and
> different compilers, versions, flags, inputs, etc. would agree.
You need a VM like Java's to get even *close* to that. This is not the
C target: it is slower than wanted/expected, it is hosted instead of
embedded, and it comes with a whole host of issues of its own. One of
the strengths of C is its tiny runtime, a few kB is a lot already!
I completely agree that if you design a new "systems" language, you want
to have much less undefined behaviour than C has. But it is
self-delusion to think you can eradicate all (or even most).
And there are much bigger problems in any case! If you think that if
programmers could no longer write programs that invoke undefined
behaviour they will write much better programs, programs with fewer
serious functionality or security problems, even just a factor of two
better, well...
Segher