[EpicEng]

>Relying on non-standard behavior always ends in tears.

Who's relying on unspecified behavior? Do you mean some theoretical programmer? Well of course that's not a good thing, but I don't see what it has to do with the situation in the story and the MS engineers decideing to change how they implement that unspecified part of the spec.

[tlb]

The kernel programmer did, in this story.

An example of such an information leak is:

  struct foo {
    int a;
    char b;
  }

  void send_foo_01() {
    foo x {0, 1};
    write(fd, &x, sizeof(foo));
  }

which sends 3 bytes of the contents of the stack memory over the network, for almost every compiler except the one in the story. Running in a kernel, that could contain secrets.

[EpicEng]

Sorry, my mistake; yes, the kernel dev is now relying on the compiler to zero out those three bytes. I understand the decision to change this in the compiler, but I think the "fix" would have been to memset in the kernel code. I'd be surprised if they didn't do that, but maybe they can reasonably assume they'll never use another compiler to build the Windows kernel.

[legulere]

Signed integer overflow. It’s undefined because some platforms don’t use two’s complement.

Checking it after the fact is non-portable.

[rurban]

But not in sane compilers, they are better than the standard.

gcc, clang, icc all assume two's complement and happily overflow via -fwrapv. There's no such compiler on the Unisys anymore. They rather emulate two's complement. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2218.htm

[AlexMax]

Thankfully, not for very much longer...

http://wg21.link/P0907r2

C++, but apparently something similar is being considered for C as well.

https://twitter.com/jfbastien/status/989242576598327296?lang...

[JoeAltmaier]

Isn't that mostly theoretical? I can't seem to find any processor that doesn't use 2's complement.

[gh02t]

There are some old architectures that used one's complemeny and there are probably some still in service e.g.

https://en.m.wikipedia.org/wiki/UNIVAC_1100/2200_series

[davidgould]

I had the pleasure of programming on these. Having both positive and negative zeros is special and that they don't compare equal is extra special. And yet -- ones complement arithmetic is not even the oddest thing about Univac 1100s. I think the Univac corporate values statement must have included both "Dare to be different" and "Remember your past".

[JoeAltmaier]

Is anybody writing code for them? Probably not porting modern C anyway.

I assert this 'it might not be two's-complement' excuse is nonsense.

[gh02t]

I seriously doubt it.

I do agree with you, it's not a big deal for most devs. The only place I'd worry about it is systems where it might be expected to be in service for many years or intended to be ported frequently. In that case, you never know what sort of crazy architecture you may end up with in the future.

There's always something a bit icky with not sticking to the spec, but in the grand scheme of things relying on two's complement is not a big deal.

[rurban]

from the proposal http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2218.htm

"Nowadays Unisys emulates their old architecture using x86 CPUs with attached FPGAs for customers who have legacy applications which they’ve been unable to migrate. These applications are unlikely to be well served by modern C++, signed integers are the least of their problem. Post-modern C++ should focus on serving its existing users well, and incoming users should be blissfully unaware of integer esoterica."