diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-07-15 18:32:08 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-07-21 17:37:05 +0200 |
commit | 1196e53b701369d7f0c886f69f3d8f50f54e7412 (patch) | |
tree | 9fce7045ebd5173111f91f4ee1a21e274166037b /doc/undefined.txt | |
parent | ef1b4bdf445644a39060e9d5795d4c63d2272397 (diff) | |
download | ffmpeg-1196e53b701369d7f0c886f69f3d8f50f54e7412.tar.gz |
doc: Add initial documentation explaining undefined behavior and SUINT
Requested-by: Kieran Kunhya <kierank@obe.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'doc/undefined.txt')
-rw-r--r-- | doc/undefined.txt | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/doc/undefined.txt b/doc/undefined.txt new file mode 100644 index 0000000000..e01299bef1 --- /dev/null +++ b/doc/undefined.txt @@ -0,0 +1,47 @@ +Undefined Behavior +------------------ +In the C language, some operations are undefined, like signed integer overflow, +dereferencing freed pointers, accessing outside allocated space, ... + +Undefined Behavior must not occur in a C program, it is not safe even if the +output of undefined operations is unused. The unsafety may seem nit picking +but Optimizing compilers have in fact optimized code on the assumption that +no undefined Behavior occurs. +Optimizing code based on wrong assumptions can and has in some cases lead to +effects beyond the output of computations. + + +The signed integer overflow problem in speed critical code +---------------------------------------------------------- +Code which is highly optimized and works with signed integers sometimes has the +problem that some (invalid) inputs can trigger overflows (undefined behavior). +In these cases, often the output of the computation does not matter (as it is +from invalid input). +In some cases the input can be checked easily in others checking the input is +computationally too intensive. +In these remaining cases a unsigned type can be used instead of a signed type. +unsigned overflows are defined in C. + +SUINT +----- +As we have above established there is a need to use "unsigned" sometimes in +computations which work with signed integers (which overflow). +Using "unsigned" for signed integers has the very significant potential to +cause confusion +as in +unsigned a,b,c; +... +a+b*c; +The reader does not expect b to be semantically -5 here and if the code is +changed by maybe adding a cast, a division or other the signedness will almost +certainly be mistaken. +To avoid this confusion a new type was introduced, "SUINT" is the C "unsigned" +type but it holds a signed "int". +to use the same example +SUINT a,b,c; +... +a+b*c; +here the reader knows that a,b,c are meant to be signed integers but for C +standard compliance / to avoid undefined behavior they are stored in unsigned +ints. + |