Most active commenters
  • pcwalton(6)
  • AlotOfReading(4)

←back to thread

C and C++ prioritize performance over correctness (2023)

(research.swtch.com)
93 points endorphine | 13 comments | 3/28/2025, 8:26:00 PM | HN request time: 1.573s | source | bottom
Show context
pcwalton ◴[3/31/2025, 5:18:00 PM] No.43537392[source]

I was disappointed that Russ didn't mention the strongest argument for making arithmetic overflow UB. It's a subtle thing that has to do with sign extension and loops. The best explanation is given by ryg here [1].

As a summary: The most common way given in C textbooks to iterate over an array is "for (int i = 0; i < n; i++) { ... array[i] ... }". The problem comes from these three facts: (1) i is a signed integer; (2) i is 32-bit; (3) pointers nowadays are usually 64-bit. That means that a compiler that can't prove that the increment on "i" won't overflow (perhaps because "n" was passed in as a function parameter) has to do a sign extend on every loop iteration, which adds extra instructions in what could be a hot loop, especially since you can't fold a sign extending index into an addressing mode on x86. Since this pattern is so common, compiler developers are loath to change the semantics here--even a 0.1% fleet-wide slowdown has a cost to FAANG measured in the millions.

Note that the problem goes away if you use pointer-width indices for arrays, which many other languages do. It also goes away if you use C++ iterators. Sadly, the C-like pattern persists.

[1]: https://gist.github.com/rygorous/e0f055bfb74e3d5f0af20690759...

replies(6): >>43537702 #>>43537771 #>>43537976 #>>43538026 #>>43538237 #>>43538348 #
AlotOfReading ◴[3/31/2025, 5:47:00 PM] No.43537702[source]

There's half a dozen better ways that could have been addressed anytime in the past decade.

Anything from making it implementation defined to unspecified behavior to just throwing a diagnostic warning or having a clang-tidy performance rule.

I'm also incredibly suspicious of the idea that FAANG in particular won't accept minor compiler slowdowns for useful safety. Google and Apple for example have both talked publicly about how they're pushing bounds checking by default internally and you can see that in the Apple Buffer hardening RFC and the Abseil hardening modes.

replies(1): >>43537833 #
1. pcwalton ◴[3/31/2025, 6:00:00 PM] No.43537833[source]

> Anything from making it implementation defined to unspecified behavior to just throwing a diagnostic warning or having a clang-tidy performance rule.

To be clear, you're proposing putting a warning on "for (int i = 0; i < n; i++)"? The most common textbook way to write a loop in C?

> I'm also incredibly suspicious of the idea that FAANG in particular won't accept minor compiler slowdowns for useful safety.

I worked on compilers at FAANG for quite a while and know quite well how these teams justify their existence. Telling executives "we cost the company $1M a quarter, but good news, we made the semantics of the language easier for programming language nerds to understand" instead of "we saved the company $10M last quarter" is an excellent strategy for getting the team axed next time downsizing comes around.

replies(4): >>43538103 #>>43538139 #>>43538208 #>>43551655 #
2. frumplestlatz ◴[3/31/2025, 6:27:00 PM] No.43538103[source]

Even if it is the most common method in text books (I’m not sure that’s true), it’s also almost always wrong. The index must always be sized to fit what you’re indexing over.

As for your compiler statement — yes. At least at Apple, there is ongoing clang compiler work, focused on security, that actively makes things slower, and there has been for years.

replies(1): >>43538414 #
3. AlotOfReading ◴[3/31/2025, 6:30:00 PM] No.43538139[source]

No, I'm saying that there could be anything from a one word change to the standard that doesn't affect compilers at all to safety by default with a clang tidy performance warning.

Clang tidy and the core guidelines have already broken the textbook Hello, World! with performance-avoid-endl warning, so I don't see why the common textbook way to write things should be our guiding principle here. Of course, the common textbook way to write things would continue working regardless, it'd just have a negligible performance cost.

replies(1): >>43538290 #
4. agwa ◴[3/31/2025, 6:36:00 PM] No.43538208[source]

> I worked on compilers at FAANG for quite a while and know quite well how these teams justify their existence. Telling executives "we cost the company $1M a quarter, but good news, we made the semantics of the language easier for programming language nerds to understand" instead of "we saved the company $10M last quarter" is an excellent strategy for getting the team axed next time downsizing comes around.

And yet, Google is willing to take a performance hit of not 0.1% but 0.3% for improved safety: https://security.googleblog.com/2024/11/retrofitting-spatial...

And obviously there are better justifications for this than "we made the semantics of the language easier for programming language nerds to understand".

replies(1): >>43538271 #
5. pcwalton ◴[3/31/2025, 6:42:00 PM] No.43538271[source]

> And obviously there are better justifications for this than "we made the semantics of the language easier for programming language nerds to understand".

There are not. For all the noise that we make on message boards about signed overflow being UB, there are very few actual security problems traceable to it. The problems from it are largely theoretical.

That entire blog post talking about the 0.3% regression illustrates just how much of an effort it is, and how unusual it is, to make those kinds of changes. The reason why Google engineers managed to justify that change is that memory safety results in actual measurable security improvements by enforcing spatial safety. Signed overflow being UB just doesn't make the cut (and let's be clear: at that scale the cost of a 0.3% regression is measured in millions per year).

6. pcwalton ◴[3/31/2025, 6:44:00 PM] No.43538290[source]

Have you measured the performance cost? I highly suspect it is not negligible, given that it's the most common way to write inner loops, which are the most performance-sensitive type of code.

replies(1): >>43538438 #
7. pcwalton ◴[3/31/2025, 6:53:00 PM] No.43538414[source]

> Even if it is the most common method in text books (I’m not sure that’s true), it’s also almost always wrong. The index must always be sized to fit what you’re indexing over.

"The code was wrong, so it was OK that I made it slower" is a message board argument, not a business argument.

> As for your compiler statement — yes. At least at Apple, there is ongoing clang compiler work, focused on security, that actively makes things slower, and there has been for years.

The performance of code that runs on consumer devices has less of a measurable economic impact than that of code that runs on the server.

replies(1): >>43574658 #
8. AlotOfReading ◴[3/31/2025, 6:55:00 PM] No.43538438{3}[source]

There's a range of possible performance costs. Let's talk about the lowest: the standard changes "the behavior is undefined" to "the behavior is unspecified". Everything else is the same, except that suddenly your program still has semantic meaning if there's signed overflow.

Why would that be problematic?

replies(1): >>43538560 #
9. pcwalton ◴[3/31/2025, 7:06:00 PM] No.43538560{4}[source]

What does "unspecified" mean in this context? If you mean "the value of a signed integer is unspecified if it overflows", then I can still construct cases in which you lose the optimization that widens a loop induction variable from 32-bit to 64-bit. For example, take this code:

    for (int i = 0; i != n; i++)
        sum += a[i];

If n is -2, will this function include the element at a[(uint64_t)INT_MAX + 1] in the sum? If signed overflow is UB, then the answer is "maybe", and thus i and n can legally be promoted to 64-bit. If signed overflow is unspecified, but the result must still fit in a 32-bit integer, then the answer is "no", and i and n can't legally be promoted.

replies(1): >>43538650 #
10. AlotOfReading ◴[3/31/2025, 7:14:00 PM] No.43538650{5}[source]

"unspecified" in the standards sense of "unspecified behavior", i.e. any chosen behavior is permissible. The compiler doesn't have to document the behavior and the behavior isn't constrained, it just isn't undefined. That's still better than where we are today.

replies(1): >>43539976 #
11. steveklabnik ◴[3/31/2025, 9:06:00 PM] No.43539976{6}[source]

I looked this up after you mentioned it upthread, I thought you meant implementation-defined, but I learned that yeah, this exists too. The difference is that implementation-defined requires documentation of the choice made, whereas unspecified does not. However,

> the behavior isn't constrained

C++23, at least, does say

> The range of possible behaviors is usually delineated by this document.

So there are sometimes some constraints.

12. UncleMeat ◴[4/1/2025, 9:45:00 PM] No.43551655[source]

I know the team at Google that is doing exactly this. They've very explicitly accepted a small but significant performance overhead in order to improve safety.

13. frumplestlatz ◴[4/3/2025, 8:01:00 PM] No.43574658{3}[source]

> “The code was wrong, so it was OK that I made it slower" is a message board argument, not a business argument.

And yet, here I am, in a business, watching that argument play out in realtime.

> The performance of code that runs on consumer devices has less of a measurable economic impact than that of code that runs on the server.

The performance of the device literally in the entire world’s hands every day is arguably quite a bit more impactful that Facebook having to buy more servers.