How do compilers know C++ constexpr computations do not trigger undefined behavior?

Question

The C++ standard mandates compilers to check for undefined behavior in C++ constexpr computations.

In this talk, Chandler Carruth states that "you will run out of the ability to detect errors" when checking for UB, and that in the general case, detecting UB is related to the halting problem, so provably impossible to decide.

He is not talking about UB in constexpr, but constexpr computations are as general as a regular programs since C++14, so this still applies.

So what do compilers do when they cannot decide if a program is UB or not? Do they still accept the program and go on compiling with fingers crossed? Or are they more conservative and reject the program, even if it is potentially correct? (My personnal feeling is they do that)

For me, this is of practical importance since I have a constexpr evaluation with non-trivial pointer arithmetics compiling fine with Clang but failing with GCC, and I am pretty sure this not UB. You can say it is a GCC bug, but if UB is undecidable, all compilers are and will be buggy in this regard.

More fundamentally, why is UB-free requested by the standard? Is there a technical reason? Or more a philosophical one ("if the compiler can't check, the programmer can trigger UB, and bad things will result")?

I think this is inconsistent with the rest of C++ that never prevents you from shooting yourself in the foot. I would prefer GCC to accept my constexpr code and crash, or emit trash if UB; rather than not compiling when it does not know if it is UB.

====== EDIT ======

As pointed out by M.M and Nicol Bolas, the standard specifies limitations (even in C++14) so that we are never in a halting problem type of UB. However, I am still wondering if checking for UB is maybe too complex and if compiler heuristics fail, then they flag it (potentially incorrectly) as non-constexpr.

But I have the feeling from the comments that this is more a problem of non-mature implementations.

Answer 1

The point you are missing is that constant expressions only allow for a restricted subset of the language.

If you go outside that, you no longer have a constant expression, and if you are in a context needing one the standard mandates diagnosing the error.

A constexpr-function only has to have at least one input where it is a constant expression, no diagnostic required. All the rest might not be.

In the general case, compilers just note paths leading to UB to prune presumably dead code, and explore the freedom they have in optimizing what remains. They are not required to find all, most, or even any of those opportunities though.

Answer 2

In this talk, Chandler Carruth states that "you will run out of the ability to detect errors" when checking for UB, and that in the general case, detecting UB is related to the halting problem, so provably impossible to decide.

The Halting Problem is when you take a program and try to decide whether the program, if it were to execute, would definitely halt. By definition, the Halting Problem only looks at the program as a locked-off object.

Constant evaluation is... evaluation. You are executing the program, not merely looking at the source code.

Undefined behavior happens when your program's execution does something undefined. Most cases of UB cannot be determined to be well-defined or not just from inspecting the source code. Consider this code:

void foo(void *ptr)
{
  *reinterpret_cast<int*>(ptr) = 20;
}

Is that UB or not? It depends; if a pointer to an int were passed into foo, it would be well-defined. Whether this code is well-defined or not can only be determined by how it is executed.

Constant evaluation requires executing code; that's why we often refer to it as compile-time execution. When you're executing code, it is possible to know if a particular execution of foo has been passed a pointer to an actual int (ignore the fact that reinterpret_cast is forbidden in constexpr code). As such, at evaluation time, you can know whether UB is happening.

So what do compilers do when they cannot decide if a program is UB or not?

That's not actually a thing that can happen. Assuming the specification is complete and without holes, whether an execution of a program exhibits well-defined behavior or not is merely a matter of following the specification.

The problem you're having with GCC vs. Clang is not due to whether UB can be determined or not.

More fundamentally, why is UB-free requested by the standard? Is there a technical reason?

Hypothetically, we could rip all undefined behavior out of C++ or even C. We could have everything be a priori well-defined and remove anything from the language whose evaluation could not be definitely determinable from first principles.

The standard doesn't do that because it would be bad. It would prevent us from doing all kinds of useful, low-level things. It would prevent useful compiler optimizations. And so forth.

None of those reasons apply to compile-time code execution. Especially that whole "useful, low-level things" part. For compiled code, there is an actual real machine that the generated code executes on. So having a back door to talk to the real machine makes sense. At compile-time however, there is no real machine to talk to; there is only the C++-defined abstract machine. So what's the point of allowing UB?

The compiler doesn't generate machine language and execute it; constant evaluation is basically executing a scripting language within the compiler. And like most scripting languages, you want it to evaluate safely and correctly. You want errors (and UB is an error) to be caught quickly and provide a clean error message at the point of failure, rather than dying arbitrarily later in the process.