←back to thread

A leap year check in three instructions

(hueffner.de)
420 points gnabgib | 1 comments | 15 May 25 21:57 UTC | HN request time: 0.339s | source
Show context
drewg123 ◴[15 May 25 22:47 UTC] No.44000124[source]
I tend to be of the opinion that for modern general purpose CPUs in this era, such micro-optimizations are totally unnecessary because modern CPUs are so fast that instructions are almost free.

But do you know what's not free? Memory accesses[1]. So when I'm optimizing things, I focus on making things more cache friendly.

[1] http://gec.di.uminho.pt/discip/minf/ac0102/1000gap_proc-mem_...

replies(14): >>44000191 #>>44000255 #>>44000266 #>>44000351 #>>44000378 #>>44000418 #>>44000430 #>>44000433 #>>44000478 #>>44000639 #>>44000687 #>>44001113 #>>44001140 #>>44001975 #
PaulKeeble ◴[15 May 25 23:27 UTC] No.44000378[source]
The thing is about these optimisations (assuming they test as higher performance) is that they can get applied in a library and then everyone benefits from the speedup that took some hard graft to work out. Very few people bake their own date API nowadays if they can avoid it since it already exists and techniques like this just speed up every programme whether its on the critical path or not.
replies(1): >>44000391 #
codexb ◴[15 May 25 23:30 UTC] No.44000391[source]
That's basically compilers these days. It used to be that you could try and optimize your code, inline things here and there, but these days, you're not going to beat the compiler optimization.
replies(6): >>44000550 #>>44000584 #>>44000692 #>>44000889 #>>44000980 #>>44001055 #
matheusmoreira ◴[16 May 25 01:07 UTC] No.44000889[source]
These days optimizing compilers are your number one enemy.

They'll "optimize" your code by deleting it. They'll "prove" your null/overflow checks are useless and just delete them. Then they'll "prove" your entire function is useless or undefined and just "optimize" it to a no-op or something. Make enough things undefined and maybe they'll turn the main function into a no-op.

In languages like C, people are well advised to disable some problematic optimizations and explicitly force the compiler to assume some implementation details to make things sane.

replies(1): >>44001068 #
ryao ◴[16 May 25 01:39 UTC] No.44001068[source]
If they prove a NULL check is always false, it means you have dead code.

For example:

  if (p == NULL) return;

  if (p == NULL) doSomething();
It is safe to delete the second one. Even if it is not deleted, it will never be executed.

What is problematic is when they remove something like memset() right before a free operation, when the memset() is needed to sanitize sensitive data like encryption keys. There are ways of forcing compilers to retain the memset(), such as using functions designed not to be optimized out, such as explicit_bzero(). You can see how we took care of this problem in OpenZFS here:

https://github.com/openzfs/zfs/pull/14544

replies(2): >>44001488 #>>44002944 #
matheusmoreira ◴[16 May 25 03:10 UTC] No.44001488[source]
They just think you have lots of dead code because of silly undefined behavior nonsense.

  char *allocate_a_string_please(int n)
  {
      if (n + 1 < n)
          return 0; // overflow

      return malloc(n + 1); // space for the NUL
  }
This code seems okay at first glance, it's a simple integer overflow check that makes sense to anyone who reads it. The addition will overflow when n equals INT_MAX, it's going to wrap around and the function will return NULL. Reasonable.

Unfortunately, we cannot have nice things because of optimizing compilers and the holy C standard.

The compiler "knows" that signed integer overflow is undefined. In practice, it just assumes that integer overflow cannot ever happen and uses this "fact" to "optimize" this program. Since signed integers "cannot" overflow, it "proves" that the condition always evaluates to false. This leads it to conclude that both the condition and the consequent are dead code.

Then it just deletes the safety check and introduces potential security vulnerabilities into the software.

They had to add literal compiler builtins to let people detect overflow conditions and make the compiler actually generate the code they want it to generate.

Fighting the compiler's assumptions and axioms gets annoying at some point and people eventually discover the mercy of compiler flags such as -fwrapv and -fno-strict-aliasing. Anyone doing systems programming with strict aliasing enabled is probably doing it wrong. Can't even cast pointers without the compiler screwing things up.

replies(2): >>44001867 #>>44006492 #
oguz-ismail ◴[16 May 25 04:35 UTC] No.44001867[source]
>if (n + 1 < n)

No one does this

replies(1): >>44004104 #
matheusmoreira ◴[16 May 25 11:33 UTC] No.44004104[source]
Oh people absolutely do this.

Here's a 2018 example.

https://github.com/mruby/mruby/commit/180f39bf4c5246ff77ef71...

https://github.com/mruby/mruby/issues/4062

  while (l >= bsiz - blen) {
      bsiz *= 2;

      if (bsiz < 0)
          mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier");
  }
> bsiz*=2 can become negative.

> However with -O2 the mrb_raise is never triggered, since bsiz is a signed integer.

> Signed integer overflows are undefined behaviour and thus gcc removes the check.

People have even categorized this as a compiler vulnerability.

https://www.kb.cert.org/vuls/id/162289

> C compilers may silently discard some wraparound checks

And they aren't wrong.

The programmer wrote reasonable code that makes sense and perfectly aligns with their mental model of the machine.

The compiler took this code and screwed it up because it violates compiler assumptions about some abstract C machine nobody really cares about.

replies(2): >>44004726 #>>44006869 #
1. ◴[16 May 25 15:49 UTC] No.44006869[source]