
The provenance memory model for C

(gustedt.wordpress.com)
224 points HexDecOctBin | 1 comments
b0a04gl No.44424206
Provenance model basically turns memory back into a typed value. Finally malloc won't just be a dumb number generator; it'll act more like a capability issuer. And access is not "is this address in range" anymore, but "does this pointer have valid provenance". Way more deterministic, decouples gcc -Wall
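As an added illustration (not part of the thread, and not code from Gustedt's article or the C committee's provenance text): a toy model in C of the distinction the comment above draws, "is this address in range" versus "does this pointer have valid provenance". The classic case is two adjacent objects x and y where `&x + 1` compares equal to `&y`: the address is in range of a live object, yet under the provenance model the pointer was derived from x and does not license access to y. The allocator, the `ptr_t` struct and every `toy_*` name below are constructed for this example; real pointers do not carry an id field, the compiler tracks provenance abstractly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ALLOCS 8
#define ARENA_SIZE 64

/* One allocation record; id 0 marks a free slot (constructed toy model). */
typedef struct { unsigned id; size_t base; size_t size; } alloc_t;

/* A pointer here is an address plus the provenance it was derived from. */
typedef struct {
    unsigned prov;  /* id of the originating allocation, 0 = no provenance */
    size_t addr;    /* raw address: offset into the arena */
} ptr_t;

static unsigned char arena[ARENA_SIZE];
static alloc_t allocs[MAX_ALLOCS];
static size_t bump;
static unsigned next_id = 1;

/* Reset all state so each scenario starts from a fresh arena. */
void toy_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(allocs, 0, sizeof allocs);
    bump = 0;
    next_id = 1;
}

static alloc_t *find_alloc(unsigned id) {
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (id != 0 && allocs[i].id == id) return &allocs[i];
    return NULL;
}

/* The "capability issuer": mint a fresh id and stamp it on the returned pointer. */
ptr_t toy_malloc(size_t n) {
    ptr_t p = {0, 0};
    if (n == 0 || bump + n > ARENA_SIZE) return p;
    for (int i = 0; i < MAX_ALLOCS; i++) {
        if (allocs[i].id == 0) {
            allocs[i].id = next_id++;
            allocs[i].base = bump;
            allocs[i].size = n;
            p.prov = allocs[i].id;
            p.addr = bump;
            bump += n;
            return p;
        }
    }
    return p;
}

/* Freeing kills the provenance; the address in any surviving pointer is unchanged. */
void toy_free(ptr_t p) {
    alloc_t *a = find_alloc(p.prov);
    if (a) a->id = 0;
}

/* Pointer arithmetic moves the address but keeps the provenance. */
ptr_t toy_add(ptr_t p, ptrdiff_t k) { p.addr += (size_t)k; return p; }

/* Old mental model: is there some live object at this address? */
bool in_some_object(size_t addr) {
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (allocs[i].id && addr >= allocs[i].base && addr < allocs[i].base + allocs[i].size)
            return true;
    return false;
}

/* Provenance model: the address must lie inside the object the pointer came from. */
bool has_valid_provenance(ptr_t p) {
    alloc_t *a = find_alloc(p.prov);
    return a && p.addr >= a->base && p.addr < a->base + a->size;
}

int toy_store(ptr_t p, unsigned char v) {
    if (!has_valid_provenance(p)) return -1;
    arena[p.addr] = v;
    return 0;
}

int toy_load(pty_t_placeholder_never_used) { return 0; }
```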
HexDecOctBin ◴[] No.44424492[source]
Will this create more nasal demons? I always disable strict aliasing, and it's not clear to me after reading the whole article whether provenance is about making sane code illegal, or making previously illegal sane code legal.
replies(3): >>44424935 #>>44425068 #>>44425399 #
1. Diggsey ◴[] No.44425399[source]
It's standardizing the contract between the programmer and the compiler.

Previously a lot of C code was non-portable because it relied on behaviour that wasn't defined as part of the standard. If you compiled it with the wrong compiler or the wrong flags you might get miscompilations.

The provenance memory model draws a line in the sand and says "all C code on this side of the line should behave in this well defined way". Any optimizations implemented by compiler authors which would miscompile code on that side of the line would need to be disabled.

Assuming the authors of the model have done a good job, the impact on compiler optimizations should be minimized whilst making as much existing C code fall on the "right" side of the line as possible.

For new C code it provides programmers a way to write useful code that is also portable, since we now have a line that we can all hopefully agree on.