Are some undefined behaviors more undefined than others?

Question

Here's what I mean: i++ + i++ is undefined, and so is out-of-bounds writes to an array.

The undefinedness of out-of-bound array writes is understandable: it can potentially be exploited to run arbitrary code, which is as undefined as you can get. Let's call this runtime undefined behavior.

For i++ + i++, however, the story seems to be different. Let's say a compiler generates something. It's undefined what exactly. Very undefined. In fact, it's so undefined that we used to hear cats could get pregnant (although more recently — as of CppCon 2016, I think — people started to realize that undefined behavior can't get a cat pregnant, after all).

However, once we open the box and see what the compiler has generated, and it's not exploitable code (injection, data race, etc. — for example, compiler chose to throw i++ + i++ away altogether), isn't it exactly what will be executed - isn't it perfectly defined from that point on?

In other words, this last case is what we can call compile-time undefined behavior. In cat terms, it's similar to Schrödinger's cat, whose state is unknown until you open the box (see the generated Assembly), at which point you see the actual reality to be executed. (I wonder if undefined behavior make a poisoned dead cat pregnant.)

Of course, undefined behavior is a legal term meant for the standard. The question is about the "behavior" that happens in reality.

Answer 1

"Undefined behavior" is a term that applies to standards. If the standard says the behavior is undefined (or doesn't define it, directly or indirectly) then the implementation of the standard may take any action its authors wish - or let things go their own course, and result in a litter of kittens if so the fate decided. From standard's point of view this is a binary, defined/undefined, no "more" or "less" defined.

Now, besides standards, you have the reality:

So - if a behavior is undefined by standard, the smart, friendly compiler will generate an error, or a warning (or a runtime error and compile-time warning). It's allowed to do so; after all nothing forbids such a reaction!

A slightly less friendly and smart, but still rather friendly and smart compiler will try to create a code that causes least harm. Say, if you didn't initialize your pointer, it will still initialize it to whatever makes most sense, be it nullptr, or the only instance of given class the type of the pointer, or such. This isn't so smart as it obscures bugs, which may bite you if you, say, switch to a different compiler, or the behavior gets standarized and to something else than the compiler produced, or goes against your intentions. Still, it's an approach, and not illegal. Some higher-level languages like Javascript tend to go that way, trying really hard to make sense of faulty code.

Also, if the reaction definitely makes good sense and "saves the day", doing what the author wanted in 99.999% cases - other authors will likely start implementing it too (even if just as a hint for a fix in the warning message) and it may eventually make its way into the standard.

And last but not least, the compiler will apply syntactic rules appropriate to the separate parts, and produce something, likely something that doesn't make much sense. It's unlikely to result in kittens, and you're absolutely not guaranteed the result will be repeatable - but usually it will be repeatable. Say, calling 'delete' on pointer to something that wasn't created with 'new' will about always result in segmentation fault. But that's "only" practice and not guaranteed by any means.

You're unlikely to actually encounter software that would go out of its way to cause definitely undesired or absolutely unrelated results to undefined behavior, so don't spay your cat just yet, but the standard doesn't forbid this. If the author of your software had a really twisted sense of humor, you might face something more creative. Like, the PAM system on Unix, upon encountering lack of the passwd file (all user accounts definitions) telling you upon login "You don't exist. Go away."

Answer 2

The meaning of "undefined" in the C++ standard is behaviour "such as might arise upon use of an erroneous program construct or erroneous data, for which this International Standard imposes no requirements". (This quote directly from ISO/IEC 14882 - the C++ standard of 1998).

There is no provision for concepts of "more" or "less" undefined in this definition. If the standard imposes one or more requirements on required behaviour, the behaviour is not undefined.

Imposing no requirements and imposing one or more requirements are mutually exclusive, not a matter of degree.

Of course, an implementation may do anything it wants, including behaving consistently when presented with code that has some form of undefined behaviour. But what a compiler does has no effect on the standard at all. The standard is the basis for assessing correctness of an implementation (aka compiler, library, etc), not the reverse.

Answer 3

If some action invokes Implementation-Defined behavior, that means

1. The standard defers to an implementer's judgment as to what behavior should result from that action; it makes no effort to forbid implementations from behaving in capricious fashion, but expects that quality implementations intended for a particular target platform and application field will behave in a fashion that would be reasonable for that platform and field.

2. An implementation must specify and document a behavior that will result from the action, whether or not it would be practical to implement and document a behavior from which any code would likely benefit.

By contrast, if an action invokes Undefined Behavior, that means

1. The standard defers to an implementer's judgment as to what behavior should result from that action; it makes no effort to forbid implementations from behaving in capricious fashion, but expects that quality implementations intended for a particular target platform and application field will behave in a fashion that would be reasonable for that platform and field.

2. An implementation need not specify and document a behavior that will result from the action in cases where, in the implementer's judgment, there would not be any value in defining the behavior.

Some compilers don't interpret "Undefined Behavior" as an invitation to exercise judgment but instead as an indication that no judgment is required. When C89 was published, however, the term was widely understood as having having a meaning which differed from Implementation-Defined Behavior only in cases where defining a particular behavior would have been impractical; I've seen no indication that later standards were intended to change that.

Many implementations make no effort to be suitable for all possible purposes. Code cannot be expected to run correctly on implementations which are not designed to be suitable for its purposes, and the fact that code fails when run on unsuitable implementations does not in any way imply that the code is defective unless it failed to specify the requirements an implementation must meet. While there are no standard-recognized categories of implementations and behaviors they should be expected to implement, common sense will go pretty far in cases where compiler writers attempt to exercise judgment.

Answer 4

I'm going to focus on practical differences in kinds of UB, not just how the ISO standard rates them.

Related: What Every C Programmer Should Know About Undefined Behavior (http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html) has some good stuff about how data-dependent UB allows compilers to assume things won't happen, optimizing the asm. (The ISO C standard has nothing to say about what should happen for paths of execution that do encounter UB, so whatever ends up actually happening in such cases is fine.) e.g. that's why for(int i = 0 ; i<=n ; i++) can be assumed to be non-infinite because signed int overflow isn't defined the way unsigned is. So n = INT_MAX would lead to UB. But the equivalent with unsigned is potentially infinite for n=UINT_MAX.

You're talking about compile-time-visible UB, though, which you could say is "more undefined" because compilers can notice it and do things on purpose. (For example, emit an illegal instruction to make the program fault if it gets to this point.)

Contrast this with cases where the compiler just optimizes according to any guarantees / assumptions it's allowed to make, for code where it doesn't notice the UB at compile time, or the UB only happens with some possible function args so the compiler still has to make asm that works for inputs that don't lead to UB in the abstract machine.

Some interesting examples of non-runtime-visible UB:

• Does the C++ standard allow for an uninitialized bool to crash a program?
• Why does unaligned access to mmap'ed memory sometimes segfault on AMD64? - compilers are allowed to assume that uint16_t* points to a an integer with alignof(uint16_t) alignment. On x86 that can only bite you when the compiler's auto-vectorizing (or possibly when there's compile-time-visible UB like accessing through `uint16_t* at byte offsets that differ by 1.)

For example, in C++ (unlike C¹) it's illegal for execution to fall off the end of a non-void function. Modern GCC and clang optimize accordingly, assuming such paths of execution are never reached and emitting no instructions at all for them, not even a ret.

Let's make some simple examples on Godbolt compiling for x86-64:

int x, y;   // global vars; compiler has to assume assigning to these is a visible side-effect that code in other compilation units could see.

int bad_int_func() {
    x = 0;   // gcc still stores but no ret
    y = 0;   // clang backtracks and emits no instructions for the whole block
    // return 0;
}

compiles like this with GCC11.2 -O2:

bad_int_func():
        mov     DWORD PTR x[rip], 0
        mov     DWORD PTR y[rip], 0
  # missing ret, there'd be one if the function was void

Clang is even more aggressive: we just get the label and no instructions. It didn't emit code for any of the earlier C++ statements in this basic block (sequence of code with no branches or branch targets) that ends by falling off the end.

And yes, both compilers warn about that, e.g. gcc warns twice (even without -Wall or -Wextra): warning: no return statement in function returning non-void [-Wreturn-type] and warning: control reaches end of non-void function [-Wreturn-type]

Where this gets more interesting is in a function with some branches so it's possible for it to be called safely, as part of a well-behaved program. (It would be poor style to write a function exactly like this, but with more complex things, maybe a switch or if(foo) ... return / if (bar) ... return / ..., there can be some paths that the compiler can't prove are never taken in the first place.)

int foo(int a){
    y = 0;

    if (a == 0) {
        y = 1;
        return 0;
    }
    // x = 2;  // if uncommented, GCC does branch.  clang doesn't care

    // return a;  // entirely changes the function vs. no return
}

The only legal path of execution through this function is with a==0, so GCC and clang simply assume that's the case, optimizing away the branch:

foo(int):                                # @foo(int)
        mov     dword ptr [rip + y], 1
        xor     eax, eax
        ret

Of course, this compiles very differently if you compile as C so it's legal to fall off the end without returning a value:

# clang13 -O2 -xc
foo:
        xor     eax, eax
        test    edi, edi
        sete    al                 # tmp = (a == 0)
        mov     dword ptr [rip + y], eax
        xor     eax, eax           # unconditionally return 0
        ret

Since the fall-through path doesn't have a return statement, it doesn't matter what's in the return-value register at that point. Setting it to 0 is what we need for the if() body's return statement, and just unconditionally doing that is much cheaper than compare-and-branching to see if we should zero it or not. (GCC doesn't spot that, and does branch over a y=1 store and an xor eax,eax. It unconditionally did the y=0 store first, even though it did tail duplication with two separate ret instructions :/)

Of course if inlining into a caller that did use the return value, then the same optimizations as with C++ would apply. Like if you put a __builtin_unreachable() there instead of a return.

Footnote 1: In C, it's only UB for the caller to use the return value of such a function, for historical reasons: before void was introduced to the language, every function had a return value, often implicit int. But people didn't bother to put a return 0; at the bottom if they didn't want a return value. (Not just "didn't bother"; saving those bytes of compiler-generated machine code was probably valuable on tiny old machines.)

Answer 5

"see the generated Assembly, at which point you see the actual reality to be executed".

No, that's just another aspect of the Halting problem. Anything could be generated, given UB. You may have a bit of code on hand where you can't even tell if it will halt, let alone what the result would then be.

(Of course, the halting problem also exists within well-defined C++, but you don't have self-modifying C++.)

Now, why is this relevant? The Halting problem doesn't say that all programs are unpredictable, in fact many programs are. The Halting problem merely says that there are three classes of programs, those that certainly halt, those that certainly don't, and a third class where it can't be predicted. So the assumption that you can always determine the behavior of a program from the assembly is untrue. That undermines the logic which asserts that UB will still produce binaries with predictable behavior.